How To Hack Wi-Fi Cracking WPA2-PSK Passwords Using Aircrack-Ng Null Byte WonderHowTo

This document provides instructions for cracking WPA2-PSK passwords using aircrack-ng. It describes putting a wireless adapter into monitor mode, capturing traffic with airodump-ng, focusing on one access point, deauthenticating clients to capture handshakes, and using aircrack-ng and a password dictionary to crack the password. The process can take minutes to days depending on the password and dictionary used. More advanced wireless hacking techniques and tools are recommended for future tutorials.

HOW TO HACK WI-FI

Cracking WPA2-PSK Passwords Using Aircrack-Ng
BY OCCUPYTHEWEB · 08/27/2013 7:19 PM · 07/22/2017 9:16 AM

WI-FI HACKING

Welcome back, my greenhorn hackers.

When Wi-Fi was first developed in the late 1990s, Wired Equivalent Privacy was created to give wireless communications confidentiality. WEP, as it became known, proved terribly flawed and easily cracked. You can read more about that in my beginner's guide to hacking Wi-Fi.

As a replacement, most wireless access points now use Wi-Fi Protected Access II with a pre-shared key for wireless security, known as WPA2-PSK. WPA2 uses a stronger encryption algorithm, AES, that's very difficult to crack—but not impossible. My beginner's Wi-Fi hacking guide also gives more information on this.

The weakness in the WPA2-PSK system is that the encrypted password is shared in what is known as the 4-way handshake. When a client authenticates to the access point (AP), the client and the AP go through a 4-step process to authenticate the user to the AP. If we can grab the password at that time, we can then attempt to crack it.

Image via Shutterstock

In this tutorial from our Wi-Fi Hacking series, we'll look at using aircrack-ng and a dictionary attack on the encrypted password after grabbing it in the 4-way handshake. If you're looking for a faster way, I suggest you also check out my article on hacking WPA2-PSK passwords using coWPAtty.

Step 1

Put Wi-Fi Adapter in Monitor Mode with Airmon-Ng

Let's start by putting our wireless adapter in monitor mode.

Need a wireless network adapter? Buy the Best Wireless Network Adapter for Wi-Fi Hacking in 2017

For this to work, we'll need to use a compatible wireless network adapter. Check out our 2017 list of Kali Linux and BackTrack compatible wireless network adapters in the link above, or you can grab our most popular adapter for beginners here.

A roundup of Kali Linux compatible wireless network adapters. Image by SADMIN/Null Byte

This is similar to putting a wired adapter into promiscuous mode. It allows us to see all of the wireless traffic that passes by us in the air. Let's open a terminal and type:

airmon-ng start wlan0

Note that airmon-ng has renamed your wlan0 adapter to mon0.

Step 2

Capture Traffic with Airodump-Ng

Now that our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air. We can grab that traffic by simply using the airodump-ng command.

This command grabs all the traffic that your wireless adapter can see and displays critical information about it, including the BSSID (the MAC address of the AP), power, number of beacon frames, number of data frames, channel, speed, encryption (if any), and finally, the ESSID (what most of us refer to as the SSID). Let's do this by typing:

airodump-ng mon0

Note that all of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen.

Step 3

Focus Airodump-Ng on One AP on One Channel

Our next step is to focus our efforts on one AP, on one channel, and capture critical data from it. We need the BSSID and channel to do this. Let's open another terminal and type:

airodump-ng --bssid 08:86:30:74:22:76 -c 6 --write WPAcrack mon0

08:86:30:74:22:76 is the BSSID of the AP
-c 6 is the channel the AP is operating on
WPAcrack is the file you want to write to
mon0 is the monitoring wireless adapter

As you can see in the screenshot above, we're now focusing on capturing data from one AP with an ESSID of Belkin276 on channel 6. Belkin276 is probably a default SSID, which are prime targets for wireless hacking, as users that leave the default ESSID usually don't spend much effort securing their AP.

Step 4

Aireplay-Ng Deauth

In order to capture the encrypted password, we need to have the client authenticate against the AP. If they're already authenticated, we can de-authenticate them (kick them off) and their system will automatically re-authenticate, whereby we can grab their encrypted password in the process. Let's open another terminal and type:

aireplay-ng --deauth 100 -a 08:86:30:74:22:76 mon0

100 is the number of de-authenticate frames you want to send
08:86:30:74:22:76 is the BSSID of the AP
mon0 is the monitoring wireless adapter
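The deauth burst described in this step is also what a wireless IDS looks for from the other side. The following is an added example (not code from the article or from the aircrack-ng project) that parses raw 802.11 management frames, picks out deauthentication frames (type 0, subtype 12), and raises an alert when one BSSID sends more of them inside a short window than a normal network ever would. The capture is constructed inline, the MAC addresses are made up, and the window and threshold values are assumptions a deployment would tune.

```python
"""Detect deauthentication floods in raw 802.11 management frames.

Added example, not part of the original article. The sample capture,
the MAC addresses and the detection thresholds are all constructed.
"""
import struct
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Optional, Tuple

MGMT_HEADER_LEN = 24        # frame control .. sequence control (no FCS)
DEAUTH_SUBTYPE = 0xC        # management subtype 12 = deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def parse_deauth(frame: bytes) -> Optional[Tuple[str, str, str, int]]:
    """Return (dst, src, bssid, reason_code) for a deauth frame, else None."""
    if len(frame) < MGMT_HEADER_LEN + 2:
        return None
    fc0 = frame[0]                     # bits 0-1 version, 2-3 type, 4-7 subtype
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0 or subtype != DEAUTH_SUBTYPE:
        return None
    dst = mac_str(frame[4:10])         # addr1
    src = mac_str(frame[10:16])        # addr2
    bssid = mac_str(frame[16:22])      # addr3
    (reason,) = struct.unpack_from("<H", frame, MGMT_HEADER_LEN)
    return dst, src, bssid, reason


def build_deauth(dst: str, src: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """Construct a deauth frame; used here only to build the sample capture."""
    fc = bytes([(DEAUTH_SUBTYPE << 4) | (0 << 2), 0x00])
    return (fc + struct.pack("<H", 0)                      # duration
            + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + struct.pack("<H", seq << 4)                   # sequence control
            + struct.pack("<H", reason))                    # reason code (LE)


def detect_floods(capture: Iterable[Tuple[float, bytes]],
                  window_s: float = 1.0, threshold: int = 20) -> List[Dict]:
    """Sliding-window count of deauth frames per BSSID; one alert per BSSID."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: List[Dict] = []
    alerted = set()
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue                                        # beacons, data, etc.
        dst, src, bssid, reason = parsed
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_s:                   # drop old timestamps
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "count": len(q), "first": q[0],
                           "last": ts, "broadcast": dst == BROADCAST,
                           "reason": reason})
    return alerts


def sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed capture: one flood, two benign deauths and a beacon."""
    ap_a, ap_b, client = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:10"
    frames = [(5.0, build_deauth(client, ap_b, ap_b, reason=3, seq=1)),   # benign
              (6.0, b"\x80\x00" + bytes(30))]                             # beacon, ignored
    # 100 broadcast deauths from ap_a in half a second, reason 7 as a flood tool sends
    frames += [(10.0 + i * 0.005, build_deauth(BROADCAST, ap_a, ap_a, reason=7, seq=i))
               for i in range(100)]
    frames.append((40.0, build_deauth(client, ap_b, ap_b, reason=3, seq=2)))  # benign
    return frames


if __name__ == "__main__":
    for a in detect_floods(sample_capture()):
        print(f"ALERT bssid={a['bssid']} count={a['count']} in "
              f"{a['last'] - a['first']:.3f}s broadcast={a['broadcast']} reason={a['reason']}")
```

The detector alerts only on the burst from the first BSSID; the two isolated deauths from the second are below threshold. A broadcast destination is worth recording, since a legitimate AP rarely deauthenticates every client at once. The durable mitigation is 802.11w Protected Management Frames, which authenticates deauth frames so forged ones are discarded by the client.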

Step 5

Capture the Handshake

In the previous step, we bounced the user off their own AP, and now when they re-authenticate, airodump-ng will attempt to grab their password in the new 4-way handshake. Let's go back to our airodump-ng terminal and check to see whether or not we've been successful.

Notice in the top line to the far right, airodump-ng says "WPA handshake." This is the way it tells us we were successful in grabbing the encrypted password! That is the first step to success!

Step 6

Let's Aircrack-Ng That Password!

Now that we have the encrypted password in our file WPAcrack, we can run that file against aircrack-ng using a password file of our choice. Remember that this type of attack is only as good as your password file. I'll be using the default password list included with aircrack-ng on BackTrack named darkc0de.

We'll now attempt to crack the password by opening another terminal and typing:

aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de

WPAcrack-01.cap is the name of the file we wrote to in the airodump-ng command
/pentest/passwords/wordlists/darkc0de is the absolute path to your password file

How Long Will It Take?

This process can be relatively slow and tedious. Depending upon the length of your password list, you could be waiting a few minutes to a few days. On my dual-core 2.8 GHz Intel processor, it's capable of testing a little over 500 passwords per second. That works out to about 1.8 million passwords per hour. Your results will vary.
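The reason the rate is only a few hundred guesses per second is the key derivation WPA2-PSK specifies: the pre-shared key (PMK) is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256 bits out, which costs 8192 HMAC-SHA1 computations per candidate. The handshake itself carries nonces and a MIC keyed from that PMK, not the passphrase. The following added example (not code from the article or the aircrack-ng project) derives a PMK with the standard's own test vector, measures how long one derivation takes on the current machine, and turns the article's 500 guesses per second into wait times for a wordlist and for random passphrases of various lengths; the alphabet sizes and the timing sample count are assumptions.

```python
"""PMK derivation cost and crack-time arithmetic for WPA2-PSK.

Added example, not part of the original article. Uses only hashlib and the
IEEE 802.11i test vector (passphrase "password", SSID "IEEE").
"""
import hashlib
import time

PBKDF2_ITERATIONS = 4096      # fixed by IEEE 802.11i for PSK derivation
PMK_LEN = 32                  # 256-bit PMK; two SHA-1 blocks => 8192 HMACs
SECONDS_PER_HOUR = 3600


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def hours_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case hours to try every candidate at the given rate."""
    return candidates / guesses_per_second / SECONDS_PER_HOUR


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases of exactly `length` symbols over the alphabet."""
    return alphabet_size ** length


def measure_guesses_per_second(ssid: str = "IEEE", samples: int = 20) -> float:
    """Single-threaded PMK derivations per second on this machine (assumption:
    a plain Python/OpenSSL loop, so real tools with SIMD or GPUs run faster)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate-{i}", ssid)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    print("PMK for test vector:", pmk.hex())

    rate = 500.0                                  # the article's figure
    print(f"At {rate:.0f}/s: {hours_to_exhaust(1_800_000, rate):.1f} h "
          f"for 1.8 million words")
    print(f"This machine, single thread: {measure_guesses_per_second():.0f}/s")

    # Defender's view: a random passphrase pushes the wait from hours to ages.
    for alphabet, label in ((26, "lowercase"), (62, "alphanumeric"), (95, "printable")):
        for length in (8, 12, 16):
            hours = hours_to_exhaust(keyspace(alphabet, length), rate)
            print(f"{label:>12} x{length}: {hours / 24 / 365:.3g} years")
```

The program prints the test-vector PMK, confirms that 1.8 million candidates at 500 per second is one hour, and then shows that even an all-lowercase 12-character random passphrase exceeds a thousand years at that rate. That asymmetry, not AES, is what the dictionary attack in this article depends on: it only succeeds when the passphrase is in the list.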

When the password is found, it'll appear on your screen. Remember, the password file is critical. Try the default password file first and if it's not successful, advance to a larger, more complete password file such as one of these:

CrackStation's Password Cracking Dictionary
SkullSecurity's Password Dictionaries

Stay Tuned for More Wireless Hacking Guides

Keep coming back, as I promise more advanced methods of hacking wireless in future tutorials. If you haven't seen the other Wi-Fi hacking guides yet, check them out here. Particularly the one on hacking WEP using aircrack-ng and hacking WPA2-PSK passwords using coWPAtty.


If you're looking for a cheap, handy platform to get started working with aircrack, check out our Kali Linux Raspberry Pi build using the $35 Raspberry Pi.

A beginner Wi-Fi hacking kit. Image by SADMIN/Null Byte

Get Started Hacking Today: Set Up a Headless Raspberry Pi Hacking Platform Running Kali Linux

And as always, if you have questions on any of this, please ask away in the comments below. If it's something unrelated, try asking in the Null Byte forum.


Cover image via Shutterstock


594 Comments

THELIONKING · 6 YEARS AGO

great master OTW...clear as always...great job!

THELIONKING · 6 YEARS AGO

Master OTW...will the WPAcrack file be created on the call to the command or do I have to create it somewhere?
thanks

OCCUPYTHEWEB · 6 YEARS AGO

The command will create the file.

NOOBER1 · 6 YEARS AGO

I have been trying to download BackTrack 5 R3 and the completed ISO file size of BT5R3-GNOME-64 is 506MB. Did I get it all downloaded?

OCCUPYTHEWEB · 6 YEARS AGO

Adam:

It doesn't sound like you got it all. It should be 2-3GB.

OTW

NOOBER1 · 6 YEARS AGO

Every time I try downloading it says it failed because the source couldn't be read. How can I get around this?

ARCHIBALD TUTTLE · 4 YEARS AGO

First of all, thanks for the great tutorial.
The only problem I have is the following:
14:49:01 wlan0mon is on channel 6, but the AP uses channel 9
I tried things like "airmon-ng start wlan0mon 9" but it displayed the same error.
Any ideas how to fix this?

LESYK HAYDA · 4 YEARS AGO

I am getting the same error now, have you found anything?

BEN RADOVITZKY · 4 YEARS AGO

I ran into a similar problem. The way I solved it was like this:

Instead of typing airodump-ng --bssid 08:86:30:74:22:76 -c 6 --write WPAcrack mon0, after the -c put the channel that the AP uses, in your case 9. If it doesn't work, run the command a few times, and you'll notice that the channel might be changing, so if you spam it a bit you might land on it and get lucky.

TH3 L10N · 4 YEARS AGO

Or just:

$ ifconfig wlan1 down
$ iwconfig wlan1 channel 9
$ ifconfig wlan1 up

When it doesn't work, try a little bit of Google; there are several methods to do this.

Or, like BEN says, if the channel is different every time, then it's in Auto-Channel mode, so you can just spam it a little to hit the correct channel.

THELIONKING · 6 YEARS AGO

when I do airodump-ng --bssid 08:XX:BB:XX:CC -c 1 -write WPAcrack what I get is....
Notice: You specified "-write". Did you mean "--write" instead?
Interface WPAcrack:
ioctl(SIOCGIFINDEX) failed: No such device

so I was thinking -write was a typo..so I did
airodump-ng --bssid 08:XX:BB:CC:GG:XX -c 1 --write WPAcrack
and now I get
No interface specified.
"airodump-ng --help" for help.

so what am I doing wrong master OTW?
thanks

JOSH YOUNG · 4 YEARS AGO - EDITED 4 YEARS AGO

the syntax you are going for is: airodump-ng --bssid 08:XX:BB:CC:GG:XX -c 1 --write WPAcrack mon0

OCCUPYTHEWEB · 6 YEARS AGO

You are right, it should have been --write. Thanks for catching that typo.

I forgot to also put in the interface, it appears. You need to tell airodump-ng what interface to use. In this case mon0.

OTW

CHARLES SPALDING · 5 YEARS AGO

Hello Master OTW!

Thanks so much for your hard work. People like us are finding your tutorials more useful.
I have a little problem. I followed your tutorials on cracking WPA/WPA2 and everything worked out fine. Just the last stage, the aircrack-ng;
When I typed aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de
This is what I got:
Opening WPAcrack-01.cap
Please specify a dictionary (Option -w).

Quitting aircrack-ng...
Please could you explain to me what I did wrong?
Thanks...

CYBERHITCHHIKER · 5 YEARS AGO

This guide was written against BackTrack 5. You are using Kali Linux I assume. The file paths are different.

Use: locate wordlists

To find ALL wordlists in your Kali.

Side note: Use the rockyou.txt wordlist. You will have better luck with it.

THELIONKING · 6 YEARS AGO

Ok master OTW...so things went well to the last step... I get this error..

Opening WPAcrack-01.cap
Opening /pentest/passwords/wordlists/darkc0de
open failed: No such file or directory

i tried it with this time darkcode..changing the zero in
