How to Hack Wi-Fi: Cracking WPA2-PSK Passwords Using Aircrack-Ng'

Welcome back, my cyber hackers.

When Wi-Fi was first developed in the late 1990s, Wired Equivalent Privacy was created to give wireless communications confidentiality. WEP, as it became known, proved terribly flawed and easily cracked. You can read more about that in my beginner's guide to hacking Wi-Fi.

As a replacement, most wireless access points now use Wi-Fi Protected Access II with a pre-shared key for wireless security, known as WPA2-PSK. WPA2 uses a stronger encryption algorithm, AES, that's very difficult to crack—but not impossible. My beginner's Wi-Fi hacking guide also gives more information on this.

The weakness in the WPA2-PSK system is that the encrypted password is shared in what is known as the 4-way handshake. When a client authenticates to the access point (AP), the client and the AP go through a 4-step process to authenticate the user to the AP. If we can grab the password at that time, we can then attempt to crack it.

In this tutorial from our Wi-Fi Hacking series, we'll look at using aircrack-ngand a dictionary attack on the encrypted password after grabbing it in the 4-way handshake. If you're looking for a faster way, I suggest you also check out my article on hacking WPA2-PSK passwords using coWPAtty.

Step 1: Put Wi-Fi Adapter in Monitor Mode with Airmon-Ng

Let's start by putting our wireless adapter in monitor mode. For info on what kind of wireless adapter you should have, check out this guide. This is similar to putting a wired adapter into promiscuous mode. It allows us to see all of the wireless traffic that passes by us in the air. Let's open a terminal and type:

• airmon-ng start wlan0

Note that airmon-ng has renamed your wlan0 adapter to mon0.

Step 2: Capture Traffic with Airodump-Ng

Now that our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air. We can grab that traffic by simply using the airodump-ng command.

This command grabs all the traffic that your wireless adapter can see and displays critical information about it, including the BSSID (the MAC address of the AP), power, number of beacon frames, number of data frames, channel, speed, encryption (if any), and finally, the ESSID (what most of us refer to as the SSID). Let's do this by typing:

• airodump-ng mon0

Note all of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen.

Step 3: Focus Airodump-Ng on One AP on One Channel

Our next step is to focus our efforts on one AP, on one channel, and capture critical data from it. We need the BSSID and channel to do this. Let's open another terminal and type:

• airodump-ng --bssid 08:86:30:74:22:76 -c 6 --write WPAcrack mon0

• 08:86:30:74:22:76 is the BSSID of the AP
• -c 6 is the channel the AP is operating on
• WPAcrack is the file you want to write to
• mon0 is the monitoring wireless adapter*

As you can see in the screenshot above, we're now focusing on capturing data from one AP with a ESSID of Belkin276 on channel 6. The Belkin276 is probably a default SSID, which are prime targets for wireless hacking as the users that leave the default ESSID usually don't spend much effort securing their AP.

Step 4: Aireplay-Ng Deauth

In order to capture the encrypted password, we need to have the client authenticate against the AP. If they're already authenticated, we can de-authenticate them (kick them off) and their system will automatically re-authenticate, whereby we can grab their encrypted password in the process. Let's open another terminal and type:

• aireplay-ng --deauth 100 -a 08:86:30:74:22:76 mon0

• 100 is the number of de-authenticate frames you want to send
• 08:86:30:74:22:76 is the BSSID of the AP
• mon0 is the monitoring wireless adapter

Step 5: Capture the Handshake

In the previous step, we bounced the user off their own AP, and now when they re-authenticate, airodump-ng will attempt to grab their password in the new 4-way handshake. Let's go back to our airodump-ng terminal and check to see whether or not we've been successful.

Notice in the top line to the far right, airodump-ng says "WPA handshake." This is the way it tells us we were successful in grabbing the encrypted password! That is the first step to success!

Step 6: Let's Aircrack-Ng That Password!

Now that we have the encrypted password in our file WPAcrack, we can run that file against aircrack-ng using a password file of our choice. Remember that this type of attack is only as good as your password file. I'll be using the default password list included with aircrack-ng on BackTrack nameddarkcOde.

We'll now attempt to crack the password by opening another terminal and typing:

• aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de

• WPAcrack-01.cap is the name of the file we wrote to in the airodump-ng command
• /pentest/passwords/wordlist/darkc0de is the absolute path to your password file

How 
to Crack Wi-Fi Passwords—For Beginners!

An internet connection has become a basic necessity in our modern lives. Wireless hotspots (commonly known as Wi-Fi) can be found everywhere!

If you have a PC with a wireless network card, then you must have seen many networks around you. Sadly most of these networks are secured with a network security key.

Have you ever wanted to use one of these networks? You must have desperately wanted to check your mail when you shifted to your new house. The hardest time in your life is when your internet connection is down.

Cracking those Wi-Fi passwords is your answer to temporary internet access. This is a comprehensive guide which will teach even complete beginners how to crack WEP encrypted networks, easily.

If it's WPA2-PSK passwords you need to crack, you can use aircrack-ng orcoWPAtty.
Table of Contents
How are wireless networks secured?
What you'll need
Setting up CommView for Wi-Fi
Selecting the target network and capturing packets
Waiting...
Now the interesting part... CRACKING!
Are you a visual learner?
Step 1: How Are Wireless Networks Secured?

In a secured wireless connection, internet data is sent in the form of encrypted packets. These packets are encrypted with network security keys. If you somehow manage to get hold of the key for a particular wireless network you virtually have access to the wireless internet connection.

Broadly speaking, there are two main types of encryptions used.
WEP (Wired Equivalent Privacy)

This is the most basic form of encryption. This has become an unsafe option as it is vulnerable and can be cracked with relative ease. Although this is the case many people still use this encryption.
WPA (Wi-Fi Protected Access)

This is the more secure alternative. Efficient cracking of the passphrase of such a network requires the use of a wordlist with the common passwords. In other words you use the old-fashioned method of trial and error to gain access. Variations include WPA-2 which is the most secure encryption alternative till date. Although this can also be cracked using a wordlist if the password is common, this is virtually uncrackable with a strong password. That is, unless the WPA PIN is still enabled (as is the default on many routers).

Hacking WEP passwords is relatively fast, so we'll focus on how to crack them for this guide. If the only networks around you use WPA passwords, you'll want to follow this guide on how to crack WPA Wi-Fi passwordsinstead.
Step 2: What You'll Need
A compatible wireless adapter:

This is by far the biggest requirement.The wireless card of your computer has to be compatible with the software CommVIew. This ensures that the wireless card can go into monitor mode which is essential for capturing packets. Click here to check if your wireless card is compatible
CommView for Wi-Fi :

This software will be used to capture the packets from the desired network adapter. Click here to download the software from their website.
Aircrack-ng GUI:

After capturing the packets this software does the actual cracking. Click hereto download the software from their website.
A little patience is vital!!
Step 3: Setting Up CommView for Wi-Fi
Download the zip file of CommView for Wi-Fi from the website. Extract the file and run setup.exe to install CommView for Wi-Fi. When CommView opens for the first time it has a driver installation guide. Follow the prompts to install the driver for your wireless card.
Run CommView for Wi-Fi.
Click the play icon on the top left of the application window.

Start scanning for wireless networks.

CommView now starts scanning for wireless networks channel by channel. After a few minutes you will have a long list of wireless networks with their security type and signal. Now it is time to choose your target network.
Step 4: Selecting the Target Network and Capturing Packets

A few things to keep in mind before choosing the target wireless network:
This tutorial is only for WEP encrypted networks, so make sure you select a network with WEP next to its name. If you need to crack a WPA encrypted network, follow this tutorial instead.
Choose a network with the highest signal.
Each network will have its details in the right column.
Make sure the WEP network you are choosing has the lowest dB (decibel) value.

Once you have chosen your target network, select it and click Capture to start capturing packets from the desired channel.

Now you might notice that packets are being captured from all the networks in the particular channel. To capture packets only from the desired network follow the given steps.
Right click the desired network and click on copy MAC Address.
Switch to the Rules tab on the top.
On the left hand side choose MAC Addresses.
Enable MAC Address rules.
For 'Action' select 'capture' and for 'Add record' select 'both'.
Now paste the mac address copied earlier in the box below.

We need to capture only data packets for cracking. So, select D on the bar at the top of the window and deselect M (Management packets) and C (Control packets).

Now you have to save the packets so that they can be cracked later. To do this:
Go to the logging tab on top and enable auto saving.
Set Maximum Directory Size to 2000.
Set Average Log File Size to 20.
Step 5: Waiting...

Now the boring part- WAITING!

NOTE: The amount of time taken to capture enough data packets depends on the signal and the networks usage. The minimum number of packets you should capture should be 100,000 for a decent signal.

After you think you have enough packets (at least 100,000 packets), you'll need to export them.
Go to the log tab and click on concatenate logs.
Select all the logs that have been saved.
Do not close CommView for Wi-Fi.
Now navigate to the folder where the concatenated logs have been saved.
Open the log file.
Select File- Export -Wire shark tcpdump format and choose any suitable destination.
This will save the logs with a .cap extension to that location.
Step 6: Now the Interesting Part... CRACKING!
Download Aircrack-ng and extract the zip file.
Open the folder and navigate to 'bin'.
Run Aircrack-ng GUI.
Choose WEP.
Open your .cap file that you had saved earlier.
Click Launch.
In the command prompt type in the index number of your target wireless network.
Wait for a while. If everything goes fine, the wireless key will be shown.

You may also receive a request to try with more packets. In this case wait until more packets have been captured and repeat the steps to be performed after capturing packets.

BEST OF LUCK!
Step 7: Are You a Visual Learner?

Just in case you didn't understand, you can watch this video walk-through.

Hack Like a Pro: How to Crack User Passwords in a Linux System

Welcome back, my eager hackers!

In recent blogs, I've demonstrated how to grab password hashes remotely using Metasploit's meterpreter and pwdump. Once we have the Windows passwords from the SAM file, we can then crack these hashes using tools such as Cain and Abel.

In this article, we'll look at how to grab the password hashes from a Linux system and crack the hashes using probably the most widely used password cracking tool out there, John the Ripper.

Let's boot up BackTrack and get hacking!

Step 1: Create Some User Accounts

Since our BackTrack system probably doesn't have many users on it other than our root account, let's go ahead and create a couple more accounts.

Let's create user1 with password "flower" and user2 with a password of "hacker".

I've purposely chosen dictionary words as the complexity of the password is inversely related to the time necessary to crack it. One of the nice features of John the Ripper is that it will try to use a dictionary attack first. If that fails, it will try a hybrid attack. And only if that fails will it attempt a brute-force attack, which is the most time consuming.

Step 2: Open John the Ripper

Now that we have a couple of regular users in our system with simple passwords, we now need to open John the Ripper. John the Ripper is a simple, but powerful password cracker without a GUI (this helps to make it faster as GUIs consume resources).

We can access it from BackTrack by going to the BackTrack button on the bottom left, then Backtrack, Privilege Escalation, Password Attacks,Offline Attacks, and finally select John the Ripper from the multiple password cracking tools available.

If you selected the correct menu item, it will open a terminal that looks like this.

By the way, feel free to close our previous terminal as we're finished with it.

Step 3: Test John the Ripper

At the prompt, type:

• bt > john -test

This command will send John the Ripper through a variety of benchmark tests to estimate how long it will take to break the passwords on your system. Your terminal will look something like this.

Now that John has estimated how long each of the encryption schemes will take to crack, let's put him to work on cracking our passwords.

Step 4: Copy the Password Files to Our Current Directory

Linux stores its passwords in /etc/shadow, so what we want to do is copy this file to our current directory along with the /etc/passwd file, then "unshadow" them and store them in file we'll call passwords. So, let's type both:

• bt > cp /etc/shadow ./

• bt > cp /etc/passwd ./

In Linux, the cp command means copy and the ./ represents our current directory. So this command says, copy the contents of /etc/shadow to my current directory. We do the same for the /etc/passwd file.

Step 5: Unshadow

Next we need to combine the information in the /etc/shadow and the /etc/passwd files, so that John can do its magic.

• bt > ./unshadow passwd shadow > passwords

Step 6: Crack!

Now that we have unshadowed the critical files, we can simply let John run on our password file.

• bt > john passwords

John the Ripper will proceed to attempt to crack your passwords. As you can see, it cracked all three of ours in a matter of seconds! Of course, more complex passwords will take significantly more time, but all we need is just one user with a simple password and we have access to the account in seconds.

It's also important to note that any password cracker is only as good as its word list. For more complex or hybrid passwords, you probably want to use a password list containing far more passwords, including hybrid passwords such "p@$$w0rd" that combine special characters into words.

We'll be doing more password cracking among numerous other hacks, so keep coming back! And if you have any questions, feel free to comment below or head to the Null Byte forum for help.

4 Ways to Crack a Facebook Password and How to Protect Yourself from Them

Despite the security concerns that have plagued Facebook for years, most people are sticking around and new members keep on joining. This has led Facebook to break records numbers with over one billion monthly active users as of October 2012—and around 600 million active daily users.

We share our lives on Facebook. We share our birthdays and our anniversaries. We share our vacation plans and locations. We share the births of our sons and the deaths of our fathers. We share our most cherished moments and our most painful thoughts. We divulge every aspect of our lives. We even clamor to see the latest versions even before they're ready for primetime.

But we sometimes forget who's watching.

We use Facebook as a tool to connect, but there are those people who use that connectivity for malicious purposes. We reveal what others can use against us. They know when we're not home and for how long we're gone. They know the answers to our security questions. People can practically steal our identities—and that's just with the visible information we purposely give away through our public Facebook profile.

The scariest part is that as we get more comfortable with advances in technology, we actually become more susceptible to hacking. As if we haven't already done enough to aid hackers in their quest for our data by sharing publicly, those in the know can get into our emails and Facebook accounts to steal every other part of our lives that we intended to keep away from prying eyes.

In fact, you don't even have to be a professional hacker to get into someone's Facebook account.

It can be as easy as running Firesheep on your computer for a few minutes. In fact, Facebook actually allows people to get into someone else's Facebook account without knowing their password. All you have to do is choose three friends to send a code to. You type in the three codes, and voilà—you're into the account. It's as easy as that.

In this article I'll show you these, and a couple other ways that hackers (and even regular folks) can hack into someone's Facebook account. But don't worry, I'll also show you how to prevent it from happening to you.

Method 1: Reset the Password

The easiest way to "hack" into someone's Facebook is through resetting the password. This could be easier done by people who are friends with the person they're trying to hack.

• The first step would be to get your friend's Facebook email login. If you don't already know it, try looking on their Facebook page in the Contact Info section.
• Next, click on Forgotten your password? and type in the victim's email. Their account should come up. Click This is my account.
• It will ask if you would like to reset the password via the victim's emails. This doesn't help, so press No longer have access to these?
• It will now ask How can we reach you? Type in an email that you have that also isn't linked to any other Facebook account.
• It will now ask you a question. If you're close friends with the victim, that's great. If you don't know too much about them, make an educated guess. If you figure it out, you can change the password. Now you have to wait 24 hours to login to their account.
• If you don't figure out the question, you can click on Recover your account with help from friends. This allows you to choose between three and five friends.

• It will send them passwords, which you may ask them for, and then type into the next page. You can either create three to five fake Facebook accounts and add your friend (especially if they just add anyone), or you can choose three to five close friends of yours that would be willing to give you the password.

Method 2: Use a Keylogger

Software Keylogger

A software keylogger is a program that can record each stroke on the keyboard that the user makes, most often without their knowledge. The software has to be downloaded manually on the victim's computer. It will automatically start capturing keystrokes as soon as the computer is turned on and remain undetected in the background. The software can be programmed to send you a summary of all the keystrokes via email.

CNET has Free Keylogger, which as the title suggests, is free. If this isn't what you're looking for, you can search for other free keyloggers or pay for one.

Hardware Keylogger

These work the same way as the software keylogger, except that a USB drive with the software needs to be connected to the victim's computer. The USB drive will save a summary of the keystrokes, so it's as simple as plugging it to your own computer and extracting the data. You can look through Keelog for prices, but it's bit higher than buying the software since you have the buy the USB drive with the program already on it.

Method 3: Phishing

This option is much more difficult than the rest, but it is also the most common method to hack someone's account. The most popular type ofphishing involves creating a fake login page. The page can be sent via email to your victim and will look exactly like the Facebook login page. If the victim logs in, the information will be sent to you instead of to Facebook. This process is difficult because you will need to create a web hosting account and a fake login page.

The easiest way to do this would be to follow our guide on how to clone a website to make an exact copy of the facebook login page. Then you'll just need to tweak the submit form to copy / store / email the login details a victim enters. If you need help with the exact steps, there are detailed instructions available by Alex Long here on Null Byte. Users are very careful now with logging into Facebook through other links, though, and email phishing filters are getting better every day, so that only adds to this already difficult process. But, it's still possible, especially if you clone the entire Facebook website.

Method 4: Stealing Cookies

Cookies allow a website to store information on a user's hard drive and later retrieve it. These cookies contain important information used to track a session that a hacker can sniff out and steal if they are on the same Wi-Fi network as the victim. They don't actually get the login passwords, but they can still access the victim's account by cloning the cookies, tricking Facebook into thinking the hacker's browser is already authenticated.

Image via wikimedia.org

Firesheep is a Firefox add-on that sniffs web traffic on an open Wi-Fi connection. It collects the cookies and stores them in a tab on the side of the browser.

From there, the hacker can click on the saved cookies and access the victim's account, as long as the victim is still logged in. Once the victim logs out, it is impossible for the hacker to access the account.