Welcome, Guest | RSS
Sunday, 08.20.2017, 6:29 PM
Main » Files » Hacking tutorials

Hacking WPA networks
11.27.2009, 8:27 PM
Well HF, I have procrastinated about this for a long time but I finally sat down and did it. Here is the full noob friendly start-to-finish tutorial on cracking WPA encrypted networks. I know that others have done this and I applaud their efforts. I still am getting many requests, though, to post a WPA cracking guide so here it is.

Here is the key for this guide:
Black text = regular info
Blue text = important notes to remember
Red text = ACTUAL commands you type in
Yellow = extra info behind what you're doing

Standard Disclaimer: Breaking anyone's wifi encryption is illegal even if you do not use their internet. I take no responsibility for anything you do with this guide. This is meant for informative purposes only.

There is a major difference between WEP encryption and WPA encryption. That difference is security. WEP encryption can be broken just about every time. It doesn't matter if:
A. people are on the network or not
B. password is easy like "football" or hard like "anw034n98ns0NG"
C. SKA (Shared Key Authentication) is used or not
Regardless of these factors, WEP encryption can be broken. I've already written a guide for that. The link to it is in my signature.

IMPORTANT NOTE: WPA, on the other hand, is another story. There are 2 MAJOR factors that MUST BE PRESENT in order for you to break WPA encryption. They are:
A. There ABSOLUTELY MUST be someone wirelessly connected
B. The password MUST be in your dictionary file

Let's get started.

For this guide, you will need the free linux distribution known as Backtrack 3. It can be downloaded here:

IMPORTANT NOTE: Once you download it, burn the iso image to a cd. Don't just drag and drop the file to the cd and burn it. Actually burn the image file using image burning software so it will work correctly. ImgBurn is excellent free image burning software. It can be found here:

Now put the cd in and reboot your computer. It should automatically begin to load up Backtrack 3. Pay attention, though, because it will pop up some boot options for only about 4 seconds. I have ALWAYS picked the VESA/KDE option for booting into Backtrack 3. It has always been the most compatible with the systems I've tested it on. If it doesn't work well for you, try some of the other boot options.

Once Backtrack 3 loads up, click the little black box that is in the bottom left next to where the "start button" would be in Windows. This will open up a Konsole window. Go ahead and open up 2 different Konsole windows. We will need both of them.

In the first Konsole window, type:
This will tell you what you're wireless interfaces are. They will typically be something like wifi0, ath0, ath1, eth0, eth1, etc.
(mine are wifi0 and ath0) From here on out, when I tell you a command to type in, replace "ath0" with whatever interface your computer uses.
Once you know your wireless interfaces, type:
airmon-ng stop ath0
then type:
ifconfig wifi0 down
then type:
airmon-ng start wifi0

It should look something like this:
[Image: one-f.jpg]

What this did, is it reset your wireless interface and brought it back up in what's called "monitor mode". This is necessary in order for you to be able to "monitor" the airwaves and pick up the wireless handshake later on. (you'll learn what a "wireless handshake" is!)

Now type:
airodump-ng ath0

This will start the airodump-ng program that will begin to rapidly list all of the wifi networks within range of you. Look under the "ENC" heading in this list. This is telling you the type of encryption that these networks are using. "OPN" means there is no encryption. WEP and WPA are self explanatory. Look through the networks and zero in on those that are using WPA encryption.

Now, once you have found your WPA networks, look below into the client list. This is the list of computers that are using the various networks. The far left set of numbers/letters is the bssid of the router that they are connected to. Look through these and see if any of these match the bssid of the network that you want to crack. If none of these match the network you are trying to break, then come back another day because YOU CANNOT PROCEED WITHOUT A CLIENT CURRENTLY CONNECTED TO THE NETWORK YOU WANT TO CRACK.

If someone IS on the network you want to break, then congrats because you are one step closer to your goal.

Here is a picture explaining what you should be looking for:
[Image: three-f.jpg]

Now, go to the second Konsole window that you opened earlier. It's time to try and capture the handshake.

A handshake is the term that relates to what happens when a computer is wirelessly authenticated on a network. Basically, the computer tells the router it wants to connect, and then the router and computer compare keys to see if they match up. If they match up, then the router authenticates the computer and gives it access to the network. This is what we are after. The key to the network is heavily encrypted in the handshake file. Without the handshake, we are stuck.

The way that you capture the handshake is to send a signal to the router that will very briefly disconnect the computer that is already connected. That computer will automatically try and reconnect with the router and when it does, we will be there monitoring the airwaves to try and pick up the handshake file. Type this command:
aireplay-ng â€"deauth 10 -a Mac_of_Router -c Mac_of_Client ath0

What this command will do is send the disconnect command to the router TEN times in a row. The Mac_of_Router is the bssid of the network. The Mac_of_Client is the mac address of the currently connected computer. This is all illustrated in the picture below:

[Image: four-f.jpg]

While that command is running it should look like this:

[Image: five-f.jpg]

If we are successful in capturing the handshake file, the words “WPA Handshake” should pop up in the top right corner of our first Konsole window. It will look like this:

[Image: six-f.jpg]

If you have successfully made it this far, congratulations! Don't get too excited yet though, the biggest roadblock of all is still ahead. It all comes down to how much effort they put into their password AND how good your dictionary file is!

IMPORTANT NOTE: I am going to upload my personal dictionary files and provide the links at the bottom of this tutorial. I have compiled these files from all over the web, deleted most of the duplicates, and split them into several smaller files so that they could each be run at different times rather than one massive file that takes up your computer for several days.

Now that you have the handshake file, you can close one of the Konsole windows and just use one. The Aircrack-ng program will be used now to test the handshake file against each entry in your dictionary word lists. However, since Backtrack 3 runs off of a live cd, it is somewhat slow in testing the keys. (typically around 100-200 words tested per second) I downloaded the windows version of Aircrack-ng so that I could reboot into Windows and have it run MUCH faster. (typically testing 400-450 words per second) The windows version of Aircrack-ng can be found here:


Don't worry about it saying you must develop your own dll's and whatnot in order to use the features of the program. It will run dictionary attacks straight out of the installation so no extra setup is needed.

Now you can run aircrack-ng straight from Backtrack 3 or save your handshake files to a flash drive and reboot into windows. If you are wanting to reboot into Windows, your handshake files are located in one of the two directories that is on the desktop of Backtrack 3. When you are ready, open up the command prompt and navigate to the directory where Aircrack-ng is located. (In Backtrack 3 you can run aircrack-ng straight from the default directory of the Konsole window. In Windows, you must navigate to the directory that it is installed to. You will have to get into the “bin” subfolder of the main Aircrack-ng directory.) Once you are ready, type this command:

aircrack-ng location-of-handshake -w location-of-dictionary-file

This command starts aircrack-ng, then tells it where to find the handshake file. The “-w” command is letting it know we are doing a dictionary attack which is followed by the location of our dictionary file. It will then pop up a list of all networks that had packets capture in this one file. It will also let you know which networks have verified handshake files captured. After this command is typed in, you type in the number of the handshake file you want to crack, and it begins.

Here is a picture of this command in Backtrack 3:
[Image: seven-f.jpg]

After this is done, you simply sit back and wait. Probably not at your computer either. A good dictionary file can take hours (or days) to crunch through) I have mine broken down in a way that each one takes around 5 â€" 8 hours to run from start to finish. This way I can leave it running overnight and if it fails, fire up the next list on the next night.

If all is successful with your aircrack-ng command, you will see this screen pop up as it rapidly tries every password you have against the handshake file. It will look like this:

[Image: eight-f.jpg]

This about wraps it up for the tutorial. Below are the links to my various dictionary files.

Download Dictionary Files Here

They all range from around 100 mb to 500 mb.
I tried to compress them to be more manageable and easy to download. I'm not posting a virus scan of all of them. I have good rep and if you won't just test it yourself, then look elsewhere for your dictionary files.
Category: Hacking tutorials | Added by: h4ckz0r
Views: 3973 | Downloads: 0 | Comments: 4 | Rating: 0.0/0
Total comments: 0
Name *:
Email *:
Code *:
Copyright MyCorp © 2017 | Free website builderuCoz