Kali Linux : Hacking WPA/WPA2 Wi-fi with Aircrack.ng



As far as you know, I already posted How to Hack WEP with Aircrack.ng right. So now Im going to share How to Hack a WPA / WPA2 using Aircrack.ng in Kali Linux.

Kali Linux can be used for many things, but it probably is best known for its “ability” to hack WPA and WPA2. There are hundreds of tools for windows that claim they can hack into WPA; don’t get them! They’re just scams. There is only one real way to hack into a WPA network, and that is with a Linux-based OS, a wireless card capable of monitor mode, and aircrack-ng. Also note that, even with these tools, Wi-Fi cracking is not for beginners. Hacking it requires basic knowledge of how WPA authentication works, and moderate familiarity with Kali Linux and its tools.

What are the things I need ?
Here are list :
-A successful install of Kali Linux (which you probably already have done).-A wireless adapter capable of injection/monitor mode. You can find a recommended USB wireless cards on google and you can also check if your own is also a compatible ones.-A wordlist to crack the handshake password once it has been captured.-Time and patient.

Important Notice: 
Hacking into anyone’s Wi-Fi without permission is considered an illegal act or crime in most countries. I am performing this tutorial for the sake of penetration testing, and is hacking into my own test router to do so.


So let's Begin ! Follow the Steps carefully.

Step 1
Start Kali Linux and login, preferably as root.



Step 2
Plugin your injection-capable wireless adapter, (Unless your computer card supports it). If you’re using Kali in VMware, then you might have to connect the card via the icon in the device menu.


Step 3 : 
Disconnect from all wireless networks, open a Terminal, and type 
airmon-ng

This will list all of the wireless cards that support monitor (not injection) mode. If no cards are listed, try disconnecting and reconnecting the card and check that it supports monitor mode. You can check if the card supports monitor mode by typing ifconfig in another terminal, if the card is listed in ifconfig, but doesn’t show up in airmon-ng, then the card doesn’t support it.You can see here that my card supports monitor mode and that it’s listed as wlan0.


Step 4 : 
Type airmon-ng start followed by the interface of your wireless card. mine is wlan0, so my command would be: 
airmon-ng start wlan0

The “(monitor mode enabled)” message means that the card has successfully been put into monitor mode. Note the name of the new monitor interface, mine is mon0.


Step 5 : 
Type airodump-ng followed by the name of the new monitor interface, which is probably mon0.



Step 6 : 
Airodump will now list all of the wireless networks in your area, and lots of useful information about them. Locate your network or the network that you have permission to penetration test. Once you’ve spotted your network on the ever-populating list, hit Ctrl + C on your keyboard to stop the process. Note the channel of your target network.



Step 7 : 
Copy the BSSID of the target network

Now type this command: 
airodump-ng –c [channel] –bssid [bssid] –w /root/Desktop/ [monitor interface]
 Replace [channel] with the channel of your target network. Paste the network BSSID where [bssid] is, and replace [monitor interface] with the name of your monitor-enabled interface, (mon0).

A complete command should look like this: 
airodump-ng -c 10 --bssid 00:14:BF:E0:E8:D5 -w /root/Desktop/ mon0

Then Press 'Enter' on your keyboard.


Step 8 : 
Airodump with now monitor only the target network, allowing us to capture more specific information about it. What i'm really doing now is waiting for a device to connect or reconnect to the network, forcing the router to send out the four-way handshake that I need to capture in order to crack the password. Also, four files should show up on your desktop, this is where the handshake will be saved when captured, so don’t delete them!
But I'm not really going to wait for a device to connect, no, that would take too long.

I'm actually going to use another cool-tool that belongs to the aircrack suite called aireplay-ng, to speed up the process. Instead of waiting for a device to connect, I'm going to use this tool to force a device to reconnect by sending deauthentication (deauth) packets to the device, making it think that it has to reconnect with the router.

Of course, in order for this tool to work, there has to be someone else connected to the network first, so watch the airodump-ng and wait for a client to show up. It might take a long time, or it might only take a second before the first one shows. If none show up after a lengthy wait, then the network might be empty right now, or you’re to far away from the network.

You can see in this picture below, showing that a client has appeared on my network, allowing me to start the next step.



Step 9 :
Leave airodump-ng running and open a second terminal. In this terminal, type this command:
aireplay-ng –0 2 –a [router bssid] –c [client bssid] mon0
Explanation :
The –0 is a short cut for the deauth mode
the 2 is the number of deauth packets to send.
-a indicates the access point (router)’s bssid, replace [router bssid] with the BSSID of the target network, which in my case, is 00:14:BF:E0:E8:D5.
-c indicates the clients BSSID, as noted in the previous picture. Replace the [client bssid] with the BSSID of the connected client, this will be listed under “STATION.”
mon0 merely means the monitor interface, change it if yours is different.

My complete command looks like this:
 aireplay-ng –0 2 –a 00:14:BF:E0:E8:D5 –c 4C:EB:42:59:DE:31 mon0



Step 10 :
Upon hitting Enter, you’ll see aireplay-ng send the packets, and within moments, you should see this message appear on the airodump-ng screen.


This means that the handshake has been captured. You can close the aireplay-ng terminal and hit Ctrl + C on the airodump-ng terminal to stop monitoring the network, but don’t close it yet just in case you need some of the information later.


Step 11 : 
This concludes the external part of this tutorial. From now on, the process is entirely between your computer, and those four files on the Desktop. Actually, the .cap one, that is important. Open a new Terminal, and type in this command: 
aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap
-a is the method aircrack will use to crack the handshake , 2=WPA method
-b stands for bssid, replace [router bssid] with the BSSID of the target router, mine is 00:14:BF:E0:E8:D5
-w stands for wordlist, replace [path to wordlist] with the path to a wordlist that you have downloaded. I have a wordlist called “wpa.txt” in the root folder.
/root/Desktop/*.cap is the path to the .cap file containing the password, 
 the * means wild card in Linux, and since I’m assuming that there are no other .cap files on your Desktop, this should work fine the way it is.

My complete command looks like this:
aircrack-ng –a2 –b 00:14:BF:E0:E8:D5 –w /root/wpa.txt  /root/Desktop/*.cap

Then press 'Enter' on keyboard.


Step 12 :
Aircrack-ng will now launch into the process of cracking the password. However, it will only crack it if the password happens to be in the wordlist that you’ve selected. Sometimes, it’s not. If this is the case, then you can congratulate the owner on being “Impenetrable,” of course, only after you’ve tried every wordlist on the internet.

Cracking the password might take a long time depending on the size of the wordlist. Mine went very quickly.
If the phrase is in the wordlist, then aircrack-ng will show it too you like this:


The passphrase to my test-network was not secure, and you can see here that aircrack found it.
If you see a message similar to this, then your tests have penetrated the network. Tell the owner that he needs a stronger password.

Source: pv.4nti
Share on Google Plus

About Blurffy

Just another internet folk who want to share random softwares, movies and any kind of things in the internet.
    Blogger Comment

0 comments:

Post a Comment