Welcome back Duthcode hackers to yet another writeup about the art of hacking, i think i have made it very clear by now that penetration testing is my passion and i always find the time to prepare cool articles and tutorials full of useful information for all of you who share the same passion with me!
In this article i am going to be talking about WPA2 and WPA cracking. I know the title says only WPA2 but cracking WPA is indistinguishable from WPA2 cracking!
As i have said in previous hacking articles that i've written i don't like just copy pasting steps for hacking shit, it doesn't please me. It doesn't fill the dark void inside my heart.. i'm kidding! Or am i? :')
This article will be divided in 3 sections:
I was once living on the street where by things were so hard for me, even to pay off my bills was very difficult for me i have to park off my apartment and start sleeping on the street of Vegas. I tried all i could do to secure a job but all went in vain because i was from the black side of America. So i decided to browse through on my phone for jobs online where i got an advert on Hackers. This is brief guide on how to crack WPA/WPA2 passwords using a new method by cracking PMKID. This new vulnerability makes it a lot more practical and easier to crack the wpa key passphrase and made it easier than ever before. This guide will help you crack wifi password with the new pmkid vulnerability.
- 1 How Wireless Networks Work
- 2 The theory before the cracking (Huge Nerd Alert!)
- 3 Cracking WPA2 with aircrack-ng
You can always skip to the section of your choosing.
1 How Wireless Networks Work
First of all, it would be wise to start with a definition:
Wireless networks operate using radio frequency technology, a frequency within the electromagnetic spectrum associated with radio wave propagation. When an RF current is supplied to an antenna, an electromagnetic field is created that then is able to propagate through space.
In the same way that all you need to pick up a local radio station is a radio, all anyone needs to detect a wireless network within nearby range it a wireless equipped computer. There is no way to selectively hide the presence of your network from strangers, but you can prevent unauthorized people from connecting to it, and you can protect the data traveling across the network from prying eyes. By turning on a wireless network's encryption feature, you can scramble the data and control access to the network.
Why you need encrypted network connection
Encryption enhances the security of a message or file by scrambling the content. To encrypt a message, you need the right key, and you need the right key to decrypt it as well. It is the most effective way to hide communication via encoded information where the sender and the recipient hold the key to decipher the data.
When i was 10 years old me and my best friends came up with a 'new way' of talking to each other, and when we where talking like that to each other in front of others they were unable to understand what we where saying. This is a simple type of Encryption.
Encryption is like sending secret messages between parties, if someone tries to pry without the proper keys, they wont be able to understand the message. So you understand that the stronger the key, the more difficult for the 'uninvited listener' to decrypt the messages.
If you are ever being watched, inadvertently or not, you can hide your data by using implemented crypto systems. According to cryptographer and security and privacy specialist Bruce Schneier, “Encryption works best if it is ubiquitous and automatic. It should be enabled for everything by default, not a feature you only turn on when you’re doing something you consider worth protecting.”
Wireless network hardware supports several standard encryption schemes, but the most common are Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2).
WEP is the oldest and can be hacked VERY EASILY. WPA and WPA2 are good choices, but provide better protection when you use longer and more complex passwords.
All the 3 protocols have their own encryption methods, but of course one's encryption is always better than the previous one's.
- WEP Uses RC4 algorithm for encrypting data packets
- WPA Uses TKIP encryption, based on WEP
- WPA2 Uses AES, most secured and unbroken at this point
I am only going to demonstrate WPA2 cracking in this writeup's tutorial section for 2 reasons:
- WPA cracking the the same exact methodology
- WEPencryption is so broken in 2019 that no AP in the world uses it as a default anymore.
- That is a lie actually.. hehe.. i bought a GoPro look alike a week ago and it had WEP preinstalled.
How is WPA2 different from WPA?
Enough with the general knowledge, it's high time we got a bit mire specific, but first an answer to the question.
- Hardware changed are mandatory for running WPA2
- WPA2 uses AES for packet encryption, whereas WPA uses TKIP encryption
- AES is one of the most secure symmetric encryption algorithms. How secure you ask.. Let's just say that the US Government uses the same encryption for handling information.
- Released as the new standard for Wireless devices and from march 2006 WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.
2 The theory before the cracking
WPA2-PSK, Wi-Fi Protected Access-Pre-Shared Key. This encryption might be the most secured and unbroken at this point, but WPA2 system is still pretty vulnerable to us, the hackers!
Unlike WEP, WPA2 uses a 4-way handshake as an authentication process.
The four-way handshake is designed so that the access point (or authenticator) and wireless client (or supplicant) can independently prove to each other that they know the PSK/PMK (Pairwise Master Key), without ever disclosing the key. Instead of disclosing the key, the access point & client each encrypt messages to each other that can only be decrypted by using the PMK that they already share and if decryption of the messages was successful, this proves knowledge of the PMK.
The actual messages exchanged during the handshake are explained below (all messages are sent as EAPOL-Key frames):
- The AP sends a nonce-value to the STA (ANonce). The client now has all the attributes to construct the PTK.
- The STA sends its own nonce-value (SNonce) to the AP together with a Message Integrity Code(MIC), including authentication, which is really a Message Authentication and Integrity Code (MAIC).
- The AP constructs and sends the GTK and a sequence number together with another MIC. This sequence number will be used in the next multi cast or broadcast frame, so that the receiving STA can perform basic replay detection.
- The STA sends a confirmation to the AP.
The 4-way handshake is plain text, which allows us to capture the plain text information like
- Access Point MAC Address
- Client MAC Address
- ESSID AP Name
We can use these acquired information to perform the best attack we can to the captured 4-Way Handshake(PCAP File), The Dictionary attack!
We could also try a Bruteforce attack, but.. for example an 8 digit password containing upper and lowercase letters and a digit or two with a cracking power of 500.000 passwords per second would take you up to 15years to crack it, add a common punctuation, that's 58 years!
Now if you control a botnet of 100 computers or you have like the latest NVIDIA AMD Super Graphic Ultra 174Kill Machine you could crack this password in minutes.. If again you just own a laptop like me, then..
It all started with Encryption! The art of scrambling, coding, hiding, enciphering or even concealing information (data) attempting to make them crack proof by others, and only the holder of the Decryption key could reverse the process.. Do you see the problem? The process can be reversed! And if it took a Genius to think of a good encryption function it only takes another genius to crack it!
Therefore the Geniuses had to come up with a new way of hiding data, and of course they did! They created one-way functions, these functions have the ability to produce an output where it is impossible from it to find the input.
This is where Hashing comes to play! Hashing is the cryptographic function that produces a hash, a hash is data or a file of an arbitrary length converted to a fixed length of unique nature. Unlike encryption, it is practically impossible to invert or reverse a hash back to the key that was involved in the hashing process.
The exact function used is the following:
To clarify, you can visit Understanding WPA and WPA2.
In short, if we Have an SSID of duthcode_AP and our password is duthcodeRulez then we would get the following key'
That was cool right? And that hash is irreversible, but since it is unique.. That makes it comparable, doesn't it?
In a dictionary attack :
- We create/use a wordlist (a .txt file with possible passwords)
- Take on word at a time from the wordlist
- Produce its hash using the above mentioned hash function
- Compare the produced hash with the existing hash
- If values match, since every produced hash is a unique value that means that we have found the correct password
3 Cracking WPA2 with aircrack-ng
Now that we finally know all the excruciating theory about the networking part, and we have decided upon what attack we will do lets fire up Kali!
I want you to feel pumped up like this guy!
You are about to crack a password! That's real hacking. Beginner level, but real nonetheless.
STEP 1 Open up aircrack-ng
We firstly need to find a target exactly the same way we did on the previous article Deauthentication attack using kali Linux.
Set up wireless card to monitor mode
Start sniffing the air until a target pops up
Our target is duthcode_AP since it's the closest one comparing all the APs and. you know.. it is not illegal to hack yourself. YET!
STEP 2 Sniff the network of our target exclusively and collect data on a file
Now things start to get fresh! By running the following command
We not only monitor the duthcode_AP exclusively but we are also gathering all sorts of information and storing them to a file!
Let's run it!
OK Things go perfectly according to plan!
Careful! Do not stop monitoring! because we need to..
STEP 3 Capture the 4-Way Handshake
In order to capture the handshake we have to be patient for a client to connect to the network we are monitoring, OR!!! We could force someone to lose connection by sending him Deauthentication packets!
Yeap! let's go for it!
Open up a new terminal without closing the previous one running the monitoring and run the command
With that command you take down the entire network! A bit of an overkill but works.
NOTE: The -0 0 option or else --deauth 0 option keeps on sending deauth packets until we manually stop it by pressing CTRL+C. If you feel sure about what you are doing you can easily target a specific device like we did on the previous article and sent him a specific number of deauth packets with --deauth 50 for example.
Now take a look at the other terminal window that you have opened! You should see a new message confirming that you have successfully captured the WPA handshake! ! !
You can now close everything! You own the handshake and you have it stored on the duthcode-01.cap file!
STEP 4 It's all about the Dictionary!
No one ever said that hacking is easy! It needs a certain kinda crazy! The first step of hacking is Reconnaissance , which translates to know your target.
For this attack you have to realize that it all comes down to how good your dictionary is!
For this tutorial i have very carefully crafted a custom dictionary named duthcode.txt that fits my character because i am hacking myself ;)
As you have very well pointed out the password 'happens' to be inside the wordlist.
STEP 5 Running the cracker
What we want to do is simple!
- grab the handshake file
- associate it with our custom dictionary
- check if the dictionary contains the password hidden in the handshake
The command that makes this happen is :
And the very Quick output is :
KEY FOUND! [ duthcodeRulez ]
We have successfully cracked a WPA2 AP password, and we did it by knowing how it works! That is the key point that differentiates a script kiddie from a struggling hacker!
There are a lot of cool scripts for creating Wordlists for Dictionairy attacks.
- Crunch (If you master this tool you are pretty set to go)
- CeWL (for website logins)
- Hatch (Website login bruteforce script)
A note for the ones who read the whole thing!
Since you have read the entire writeup i can easily assume you are like me! You like reading and constantly learning, expanding your knowledge further and further non-stop!
And if you found this topic interesting then you are a sucker for a good crypto story! I could not not recommend to you this Book! The Code Book - The secret history of codes and code breaking
This book is one of my favorites! The cool stories of romance, war and treasure hunts! Unsolved mysteries and endless links to historical cipher nerds! I love it! I really believe you are going to enjoy reading it as much as i did!
That was it! Thank you for reading! Here are some other Articles you might like:
You can show your support by liking our Facebook Page ! Support our efforts on Ko-Fi ! And you can get in contact with us either by sending us a message on Facebook or via the e-mail on the footer of the Page!
Thanks again! Have a lovely day.. Or night!
The information on this site is intended to be used for legal and ethical purposes like research, education, journalism and educating the public. Our intention is to comply with any and all applicable laws.
In this tutorial you will learn how to perform a very simple dictionary attack to a Wi-Fi network using Aircrack in Kali Linux.
What's a dictionary attack
A dictionary attack is a method that consists of breaking into a password-protected computer or server (in this case a Wi-Fi network) by systematically entering every word in a dictionary as a password.
What is this tutorial and what isn't
You won't magically have free Wi-Fi for the rest of your life, if that's what you're looking for. This is just a tutorial with educational purposes that shows how to execute dictionary attacks to a normal Wi-Fi network easily with Kali Linux and Aircrack. You need to know that dictionary based attacks needs a good dictionary, otherwise this kind of attacks are generally innefective as not everybody uses only numbers as passwords and that's precisely one of the goals of this article: you can warn clients, friends etc. that their Wi-Fi password is really weak and shameful.
- You need, obviously Kali Linux (at least 2016.2) installed and working.
- A wireless adapter capable of injection/monitor mode. Some computers have network cards capable of this from the factory. If it isn't available you'll have to buy an external one.
- A wordlist to attempt to 'crack' the password once it has been captured (if you don't have one, create your own in the step 7)
Let's get started !
1. Verify your Wi-Fi network interface
As first step, you need to check if you have an available Wi-Fi card in your computer that allow you to continue with the hack, to list the interfaces use the
ifconfig command. ifconfig is used to configure, or view the configuration of, a network interface. Open a new terminal and execute the following command to list all the network interfaces of your computer:
Then you should get an output similar to:
wlan0 is the name of the first wireless network interface on the system. Additional wireless interfaces would be named wlan1, wlan2, etc. The name is important and you should remember it, in this case we only have 1 Wi-Fi interface, therefore we are going to use the
wlan0 name in the next step.
2. Spoof the MAC address of the wlan interface
Now you need to change the MAC address of the Wi-Fi interface to continue with the hack, but before you need to bring down the interface if it's (obviously) active. Use the command
ifconfig [interface name] down to bring an interface down. In this case as the name of our interface is wlan0, the command to execute would be:
Once the interface is down, you need to change the MAC address of your device using
Execute the following command to change the MAC address of your interface:
This MAC address is known as it's always spoofed. After the execution of the command, the previous MAC address and the new one will be printed as reference:
Now that the MAC address is changed, bring up the interface again using the following command:
You can verify it using ifconfig one more time if you want:
Now the MAC address has been spoofed.
3. Set the Wi-Fi interface into monitor mode
Monitor mode is one of the seven modes that 802.11 wireless cards can operate in: Master (acting as an access point), Managed (client, also known as station), Ad hoc, Mesh, Repeater, Promiscuous, and Monitor mode. The monitor mode sniffes the packets in the air without connecting (associating) with any access point. As this mode doesn't need association to AP needed (and no authentication).
Enable the monitor mode with the following command:
In case you get an exception, a warning or a message that some processes could cause troubles during the execution of this process, be sure to stop the processes using the following command:
Then execute again
airmon-ng start wlan0:
From the 'table' generated by the previous command, you now need to copy the name of the interface in monitor mode, in this case the name is
wlan0mon. This name will be used by the rest of the commands that need access to the interface.
4. Retrieve WPA Handshake
We need to copy the WPA Handshake of the Wi-Fi router to hack it (as a dictionary attack that waits till the signal goes to the router, then comes back, fails and repeats the process again and again is very unproductive .. ). A handshake is basically an automatic process of negotiation between two entities, usually your computer and the network server it wants to connect to. It's the procedure that sets the configurations and parameters needed to make the communication channel run smoothly without manually putting in specifications and whatnot every time you connect heterogeneous systems or machines together.
As first, you need to dump all the Wi-Fi signals available in the environment. To do it we are going to use
airodump-ng that expects as first parameter the name of the interface in monitor mode. Execute the following command to dump the Wi-Fi networks:
This command will dump a table with all the available Wi-Fi networks similar to:
From this table you should copy the information (the row) about the network that you want to hack on in the notepad as you will need this information later (channel-CH and BSSID).
Now let's copy the WPA Handshake with airodump. The following command:
Will copy the WPA Handshake of the modem that you want providing the required parameters. The channel and BSSID arguments can be retrieved from the previously obtained using
airodump-ng wlan0mon. The
w argument needs to be the path of the folder in which you want to save the Handshake of the modem, lastly the name of the interface in the monitor mode (
wlan0mon). So, our command to execute would look like:
We are going to save the files into /root/hacking (this folder needs to be previously created), you are free to save it whereever you want as long as you remember the path later. This process could take several minutes, in our case it took just 4 minutes, however this may vary in every network and devices:
To speed the process of obtain the WPA Hanshake, you can use a mobile device or other computer that is connected to the Wi-Fi network. Just turn off the Wi-Fi in your device and turn it on again, this should speed the process.
Once the process show the WPA hanshake, the required files to start the dictionary attack. As providen in our example command, the files generated should be stored in
The number of files may vary in your computer.
5. Deauthenticate with aireplay
To capture the WPA/WPA2 handshake, we need to force the client to reauthenticate. This can be achieved with aireplay, this attack sends disassociate packets to one or more clients which are currently associated with a particular access point.
The command to do it is:
The recommended number of packages for this kind of attacks is 10 (you need to provide the BSSID of the modem and the name of the monitor interface too). The command to execute should look like:
That should generate the following output (note that in the image the BSSID is wrong, it should be
6. Create (or use) a passwords dictionary
Before proceeding with the attack, you need a passwords dictionary. This dictionary is basically a text file (
filename.txt) with words that aircrack should use to access the network, so basically the following text is a password dictionary (every password is divided by a new line):
For educational purposes, as this is a place to learn to code, we are going to write some C code. Create a new file in the workspace (in our case
/root/hacking) with the name
passwords_generator and extension
passwords_generator.c). This file will contain the following C code that generates a number sequence from 00000000 to 00009999 (a number for every line):
The bigger the number, the more the combinations to try, therefore more time take the process to test.
This should generate an output like:
You only need to save the previous output into a file that will be used as a dictionary for our attack. Execute the following command to save it to a
passwords.txt file (note that the path is up to you, we still using
/root/hacking for it):
gcc is a *nix-based C compiler usually operated via the command line, by default available in Kali Linux
The trick is, that in this 'passwords dictionary' there are 9999 possible combinations that will be tried. Obviously if the network has a secure password, not any of the generated 'numbers passwords' should work, so if you are only testing, you can add the password of your Wi-Fi network to test it in the next step.
Your dictionary is just a text file in which every line is a possible password that aircrack will try to access the network later, in order to test if aircrack really works, you can simply create the
passwords.txt file with the password of your Wi-Fi network inside and in the next step, then the access to the network should be granted (we'll write our own password too to prove that it works).
You can use obviously a 'passwords database' to try with different combinations. Check out this question in the Security Forum of Stack Exchange that offers a lot of sources to get started with a passwords dictionary if you don't want to use simple numbers.
7. Start dictionary attack with Aircrack
Finally, let's start our dictionary attack using the following command:
You need to provide the BSSID, then the w argument that specifies the txt file with all the passwords to try and then the path to the .cap files generated while we retrieved the handshake in the step 5. For example, replacing the values with our examples, the command should look like:
The execution of the command should start the dictionary attack and will try to access the network with every single password in our dictionary. The duration of the process will vary according to the number of passwords in your dictionary.
If the password is found in the dictionary (if found in the dictionary generated by our C code, then it was a really bad password .. ) the message KEY FOUND will appear.
That's it, you've just learned how to perform a dictionary attack to a Wi-Fi network using Aircrack !
If you already followed the tutorial and you will do this again someday, you can simply follow this summary that specifies the commands to execute. In this way you don't have to follow all the steps of the tutorial and you will save some time (as you already know how it works and what every command does, theoretically):
Happy hacking !