Hacking WPA networks
||11.27.2009, 8:27 PM|
Well HF, I have procrastinated about this for a long time but I finally
sat down and did it. Here is the full noob friendly start-to-finish
tutorial on cracking WPA encrypted networks. I know that others have
done this and I applaud their efforts. I still am getting many
requests, though, to post a WPA cracking guide so here it is.
Here is the key for this guide:
Black text = regular info
Blue text = important notes to remember
Red text = ACTUAL commands you type in
Yellow = extra info behind what you're doing
Standard Disclaimer: Breaking anyone's wifi encryption is illegal even
if you do not use their internet. I take no responsibility for anything
you do with this guide. This is meant for informative purposes only.
There is a major difference
between WEP encryption and WPA encryption. That difference is security.
WEP encryption can be broken just about every time. It doesn't matter
A. people are on the network or not
B. password is easy like "football" or hard like "anw034n98ns0NG"
C. SKA (Shared Key Authentication) is used or not
Regardless of these factors, WEP encryption can be broken. I've already
written a guide for that. The link to it is in my signature.
IMPORTANT NOTE: WPA, on the
other hand, is another story. There are 2 MAJOR factors that MUST BE
PRESENT in order for you to break WPA encryption. They are:
A. There ABSOLUTELY MUST be someone wirelessly connected
B. The password MUST be in your dictionary file
Let's get started.
For this guide, you will need the free linux distribution known as Backtrack 3. It can be downloaded here:
IMPORTANT NOTE: Once you download it, burn the iso image to a cd. Don't
just drag and drop the file to the cd and burn it. Actually burn the
image file using image burning software so it will work correctly.
ImgBurn is excellent free image burning software. It can be found here:
Now put the cd in and reboot your computer. It should automatically begin to load up Backtrack 3. Pay
attention, though, because it will pop up some boot options for only
about 4 seconds. I have ALWAYS picked the VESA/KDE option for booting
into Backtrack 3. It has always been the most compatible with
the systems I've tested it on. If it doesn't work well for you, try
some of the other boot options.
Once Backtrack 3 loads up, click the little black box that is in the
bottom left next to where the "start button" would be in Windows. This
will open up a Konsole window. Go ahead and open up 2 different Konsole
windows. We will need both of them.
In the first Konsole window, type:
This will tell you what you're wireless interfaces are. They will
typically be something like wifi0, ath0, ath1, eth0, eth1, etc.
(mine are wifi0 and ath0) From here on out, when I tell you a command to type in, replace "ath0" with whatever interface your computer uses.
Once you know your wireless interfaces, type:
airmon-ng stop ath0
ifconfig wifi0 down
airmon-ng start wifi0
It should look something like this:
What this did, is it reset your
wireless interface and brought it back up in what's called "monitor
mode". This is necessary in order for you to be able to "monitor" the
airwaves and pick up the wireless handshake later on. (you'll learn
what a "wireless handshake" is!)
This will start the airodump-ng program that will begin to rapidly list
all of the wifi networks within range of you. Look under the "ENC"
heading in this list. This is telling you the type of encryption that
these networks are using. "OPN" means there is no encryption. WEP and
WPA are self explanatory. Look through the networks and zero in on
those that are using WPA encryption.
Now, once you have found your
WPA networks, look below into the client list. This is the list of
computers that are using the various networks. The far left set of
numbers/letters is the bssid of the router that they are connected to.
Look through these and see if any of these match the bssid of the
network that you want to crack. If none of these match the network you
are trying to break, then come back another day because YOU CANNOT
PROCEED WITHOUT A CLIENT CURRENTLY CONNECTED TO THE NETWORK YOU WANT TO
If someone IS on the network you want to break, then congrats because you are one step closer to your goal.
Here is a picture explaining what you should be looking for:
Now, go to the second Konsole window that you opened earlier. It's time to try and capture the handshake.
A handshake is the term that relates to what happens when a computer is
wirelessly authenticated on a network. Basically, the computer tells
the router it wants to connect, and then the router and computer
compare keys to see if they match up. If they match up, then the router
authenticates the computer and gives it access to the network. This is
what we are after. The key to the network is heavily encrypted in the
handshake file. Without the handshake, we are stuck.
The way that you capture the handshake is to send a signal to the
router that will very briefly disconnect the computer that is already
connected. That computer will automatically try and reconnect with the
router and when it does, we will be there monitoring the airwaves to
try and pick up the handshake file. Type this command:
aireplay-ng â€"deauth 10 -a Mac_of_Router -c Mac_of_Client ath0
What this command will do is send the disconnect command to the router
TEN times in a row. The Mac_of_Router is the bssid of the network. The
Mac_of_Client is the mac address of the currently connected computer.
This is all illustrated in the picture below:
While that command is running it should look like this:
If we are successful in capturing the handshake file, the words â€œWPA
Handshakeâ€ should pop up in the top right corner of our first Konsole
window. It will look like this:
If you have successfully made it this far, congratulations! Don't get
too excited yet though, the biggest roadblock of all is still ahead. It
all comes down to how much effort they put into their password AND how
good your dictionary file is!
IMPORTANT NOTE: I am going to
upload my personal dictionary files and provide the links at the bottom
of this tutorial. I have compiled these files from all over the web,
deleted most of the duplicates, and split them into several smaller
files so that they could each be run at different times rather than one
massive file that takes up your computer for several days.
Now that you have the handshake file, you can close one of the Konsole
windows and just use one. The Aircrack-ng program will be used now to
test the handshake file against each entry in your dictionary word
lists. However, since Backtrack 3 runs off of a live cd, it is somewhat
slow in testing the keys. (typically around 100-200 words tested per
second) I downloaded the windows version of Aircrack-ng so that I could
reboot into Windows and have it run MUCH faster. (typically testing
400-450 words per second) The windows version of Aircrack-ng can be
Don't worry about it saying you
must develop your own dll's and whatnot in order to use the features of
the program. It will run dictionary attacks straight out of the
installation so no extra setup is needed.
Now you can run aircrack-ng straight from Backtrack 3 or save your handshake files to a flash drive and reboot into windows. If
you are wanting to reboot into Windows, your handshake files are
located in one of the two directories that is on the desktop of
Backtrack 3. When you are ready, open up the command prompt and navigate to the directory where Aircrack-ng is located. (In
Backtrack 3 you can run aircrack-ng straight from the default directory
of the Konsole window. In Windows, you must navigate to the directory
that it is installed to. You will have to get into the â€œbinâ€
subfolder of the main Aircrack-ng directory.) Once you are ready, type this command:
aircrack-ng location-of-handshake -w location-of-dictionary-file
This command starts aircrack-ng,
then tells it where to find the handshake file. The â€œ-wâ€ command is
letting it know we are doing a dictionary attack which is followed by
the location of our dictionary file. It will then pop up a list of all
networks that had packets capture in this one file. It will also let
you know which networks have verified handshake files captured. After
this command is typed in, you type in the number of the handshake file
you want to crack, and it begins.
Here is a picture of this command in Backtrack 3:
After this is done, you simply
sit back and wait. Probably not at your computer either. A good
dictionary file can take hours (or days) to crunch through) I have mine
broken down in a way that each one takes around 5 â€" 8 hours to run
from start to finish. This way I can leave it running overnight and if
it fails, fire up the next list on the next night.
If all is successful with your aircrack-ng command, you will see this
screen pop up as it rapidly tries every password you have against the
handshake file. It will look like this:
This about wraps it up for the tutorial. Below are the links to my various dictionary files.
Download Dictionary Files Here
They all range from around 100 mb to 500 mb.
I tried to compress them to be more manageable and easy to download.
I'm not posting a virus scan of all of them. I have good rep and if you
won't just test it yourself, then look elsewhere for your dictionary
Category: Hacking tutorials | Added by: h4ckz0r
|Views: 3973 | Downloads: 0
| Comments: 4
| Rating: 0.0/0||