The mechanics of WPA cracking is simple and straightforward, the biggest drawback is that you need to have the password in your dictionary file after you get your hands on the spot and the computer must be connected when you want to compromise the AP. I’m using an HP Pavilion Laptop with a Raylink wireless USB antenna, I booted Bactrack 4 from the CD and I’m eady to start.
First I have to disable the wireless card so I can manipulate some settings.
airmon-ng stop wlan0
(wlan0 is a wireless USB antenna), if I use it, I’ll run it on the devices I have
ifconfig -a
to give me all available NIC’s
Now on the wireless card by typing
ifconfig wlan0 down
Now I’m ready to give the fake Mac address to the USB device
macchanger – – mac 00:11:22:33:44:55
I can use any mac email as long as it’s of good length and features this one is easy to use.
Next, you need to know the bssid and the channel you want to crack the AP
airodump-ng wlan0
This will show you all the APs within the wireless card. See what it looks like on the screen
BSSID PWR Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID
00:1C:58:AE:C3:01 -60 124 1 0 1 54 WPA2 CCMP PSK Network
BSSID Station PWR Rate Lost Packets Probe
00:1C:58:AE:C3:01 00:1B:66:AD:C6:00 -57 0- 1 48 Network
You need a bssid and a channel to go to the next level
airodump-ng -c 1 -w wpa1 – – bssid 00:1C:58:AE:C3:01 wlan0
This command starts monitoring the traffic of a specific AP and writes the collected information to a file, in this example the file is called wpa1. This file is in the aircrack minute re password
Now open a new shell and we are ready to start the handshake between the factory and the AP.
air-ng -0 10 -bssid 00:1C:58:AE:C3:01 -c 00:1C:58:AE:C3:01 wlan0
This command sends a reinjection packet to the AP, and forces a new handshake between the server and the AP. When you take that screenshot of your airodump show a message at the top saying you have a Handshake.
Now you are ready to crack the password, now stop both airodump and air shells and open a new shell. By default BackTrack 4 has a file dictionary you can use, although I recommend modifying it with additional Passwords for a more feature-rich attack. It is located under /pentest/wireless/cowpatty and is called You can navigate to it using Konqueror or via command Now in your new console type
aircrack-ng wpa1 -w / pentest/wireless/cowpatty/dict
Now if you have the password in your said file, it will only take a few moments for it to pop and display the password on the screen.
Many APs now change passwords every hour, others have WPA keys with very high encryption values and are very difficult to crack. The bottom line is if your company and WPA are using very advanced encryption, this makes it nearly impossible to crack unless a professional has hours and hours of time and files say hundreds of megabytes in size.
Report:
- https://remoteexploit.org
