Kali Linux can be used for many things, but it probably is best known for its ability to penetration test, or “hack,” WPA and WPA2 networks. There are hundreds of Windows applications that claim they can hack WPA; don’t get them!
They’re just scams, used by professional hackers, to lure newbie or wannabe hackers into getting hacked themselves. There is only one way that hackers get into your network, and that is with a Linux-based OS, a wireless card capable of monitor mode, and aircrack-ng or similar. Also note that, even with these tools, Wi-Fi cracking is not for beginners. Playing with it requires basic knowledge of how WPA authentication works, and moderate familiarity with Kali Linux and its tools. If you feel you have the necessary skills, let’s begin: These are things that you’ll need:.
A successful install of Kali Linux (which you probably have already done). If not, follow my tutorial here:. A wireless adapter capable of injection/monitor mode. Some computers have network cards capable of this from the factory.
If you’re, like most however, you’ll have to buy an external one. Here is a list of the best:. A wordlist to attempt to “crack” the password once it has been captured. Time and patients If you have these then roll up your sleeves and let’s see how secure your network is! Important notice: Hacking into anyone’s Wi-Fi without permission is considered an illegal act or crime in most countries.
We are performing this tutorial for the sake of penetration testing, hacking to become more secure, and are using our own test network and router. By reading and/or using the information below, you are agreeing to our Step One: Start Kali Linux and login, preferably as root. Step Two: Plugin your injection-capable wireless adapter, (Unless your native computer wireless card supports it). If you’re using Kali in VMware, then you might have to connect the card via the icon in the device menu. Step Three: Disconnect from all wireless networks, open a Terminal, and type airmon-ng This will list all of the wireless cards that support monitor (not injection) mode. Prince do me baby mp3 free download.
If no cards are listed, try disconnecting and reconnecting the adapter (if you’re using one) and check that it supports monitor mode. If you’re not using an external adapter, and you still don’t see anything listed, then your card doesn’t support monitor mode, and you’ll have to purchase an external one (see the link in the ). You can see here that my card supports monitor mode and that it’s listed as wlan0. Step Four: Type airmon-ng start followed by the interface name of your wireless card. Mine is wlan0, so my command would be: airmon-ng start wlan0 The “(monitor mode enabled)” message means that the card has successfully been put into monitor mode. Note the name of the new monitor interface, mon0.
EDIT: A bug recently discovered in Kali Linux makes airmon-ng set the channel as a fixed “ -1” when you first enable mon0. If you receive this error, or simply do not want to take the chance, follow these steps after enabling mon0: Type: ifconfig interface of wireless card down and hit Enter. Replace interface of wireless card with the name of the interface that you enabled mon0 on; probably called wlan0.
This disables the wireless card from connecting to the internet, allowing it to focus on monitor mode instead. After you have disabled mon0 (completed the wireless section of the tutorial), you’ll need to enable wlan0 (or name of wireless interface), by typing: ifconfig interface of wireless card up and pressing Enter. Step Five: Type airodump-ng followed by the name of the new monitor interface, which is probably mon0. If you receive a “ fixed channel –1” error, see the above.
Step Six: Airodump will now list all of the wireless networks in your area, and a lot of useful information about them. Locate your network or the network that you have permission to penetration test. Once you’ve spotted your network on the ever-populating list, hit Ctrl + C on your keyboard to stop the process. Note the channel of your target network.
Step Seven: Copy the BSSID of the target network Now type this command: airodump-ng -c channel -bssid bssid -w /root/Desktop/ monitor interface Replace channel with the channel of your target network. Paste the network BSSID where bssid is, and replace monitor interface with the name of your monitor-enabled interface, ( mon0).
The “–w” and file path command specifies a place where airodump will save any intercepted 4-way handshakes (necessary to crack the password). Here we saved it to the Desktop, but you can save it anywhere. A complete command should look similar this: airodump-ng -c 10 -bssid 00:14:BF:E0:E8:D5 -w /root/Desktop/ mon0 Now press enter. Step Eight: Airodump with now monitor only the target network, allowing us to capture more specific information about it.
What we’re really doing now is waiting for a device to connect or reconnect to the network, forcing the router to send out the four-way handshake that we need to capture in order to crack the password. Also, four files should show up on your desktop, this is where the handshake will be saved when captured, so don’t delete them! But we’re not really going to wait for a device to connect, no, that’s not what impatient hackers do. We’re actually going to use another cool-tool that belongs to the aircrack suite called aireplay-ng, to speed up the process. Instead of waiting for a device to connect, hackers can use this tool to force a device to reconnect by sending deauthentication (deauth) packets to one of the networks devices, making it think that it has to reconnect with the network. Of course, in order for this tool to work, there has to be someone else connected to the network first, so watch the airodump-ng and wait for a client to show up. It might take a long time, or it might only take a second before the first one shows.
If none show up after a lengthy wait, then the network might be empty right now, or you’re to far away from the network. You can see in this picture, that a client has appeared on our network, allowing us to start the next step. Step Nine: Leave airodump-ng running and open a second terminal. In this terminal, type this command: aireplay-ng –0 2 –a router bssid –c client bssid mon0 The –0 is a short cut for the deauth mode and the 2 is the number of deauth packets to send.a indicates the access point/router’s BSSID, replace router bssid with the BSSID of the target network, which in my case, is 00:14:BF:E0:E8:D5.c indicates the client’s BSSID, the device we’re trying to deauth, noted in the previous picture.
Replace the client bssid with the BSSID of the connected client, this will be listed under “STATION.” And of course, mon0 merely means the monitor interface, change it if yours is different. My complete command looks like this: aireplay-ng –0 2 –a 00:14:BF:E0:E8:D5 –c 4C:EB:42:59:DE:31 mon0 Step Ten: Upon hitting Enter, you’ll see aireplay-ng send the packets.
If you were close enough to the target client, and the deauthentication process works, this message will appear on the airodump screen (which you left open): This means that the handshake has been captured, the password is in the hacker’s hands, in some form or another. You can close the aireplay-ng terminal and hit Ctrl + C on the airodump-ng terminal to stop monitoring the network, but don’t close it yet just incase you need some of the information later. If you didn’t receive the “handshake message,” then something went wrong in the process of sending the packets. Unfortunately, a variety of things can go wrong. You might just be too far away, and all you need to do is move closer. The device you’re attempting to deauth might not be set to automatically reconnect, in which case you’ll either have to try another device, or leave airodump on indefinitely until someone or something connects to the network.
If you’re very close to the network, you could try a WiFi spoofing tool like wifi-honey, to try to fool the device into thinking that you’re the router. However, keep in mind that this requires that you be significantly closer to the device than the router itself. So unless you happen to be in your victim’s house, this is not recommended.
Do note that, despite your best efforts, there are many WPA networks that simply can’t be cracked by these tools. The network could be empty, or the password could be 64 characters long, etc. Step 11: This concludes the external part of this tutorial. From now on, the process is entirely between your computer, and those four files on your Desktop. Actually, it’s the.cap one, that is important.
Open a new Terminal, and type in this command: aircrack-ng -a2 -b router bssid -w path to wordlist /root/Desktop/.cap -a is the method aircrack will use to crack the handshake, 2=WPA method.b stands for bssid, replace router bssid with the BSSID of the target router, mine is 00:14:BF:E0:E8:D5.w stands for wordlist, replace path to wordlist with the path to a wordlist that you have downloaded. I have a wordlist called “wpa.txt” in the root folder. /root/Desktop/.cap is the path to the.cap file containing the password. The.
![Backtrack 5 Wpa2 Crack Tutorial Pdf Backtrack 5 Wpa2 Crack Tutorial Pdf](https://img.wonderhowto.com/img/58/16/63475349915823/0/crack-wep-password-with-version-4-backtrack-linux-distribution.1280x600.jpg)
means wild card in Linux, and since I’m assuming that there are no other.cap files on your Desktop, this should work fine the way it is. My complete command looks like this: aircrack-ng –a2 –b 00:14:BF:E0:E8:D5 –w /root/wpa.txt /root/Desktop/.cap Now press Enter.
Step 12: Aircrack-ng will now launch into the process of cracking the password. However, it will only crack it if the password happens to be in the wordlist that you’ve selected. Sometimes, it’s not. If this is the case, you can try other wordlists. If you simply cannot find the password no matter how many wordlists you try, then it appears your penetration test has failed, and the network is at least safe from basic brute-force attacks. Cracking the password might take a long time depending on the size of the wordlist.
Mine went very quickly. If the phrase is in the wordlist, then aircrack-ng will show it too you like this: The passphrase to our test-network was “notsecure,” and you can see here that it was in the wordlist, and aircrack found it.
If you find the password without a decent struggle, then change your password, if it’s your network. If you’re penetration testing for someone, then tell them to change their password as soon as possible. Please use this information only in legal ways Lewis Encarnacion.
If you want to know how to hack WiFi access point – just read this step by step aircrack-ng tutorial, run the verified commands and hack WiFi password easily. With the help a these commands you will be able to hack WiFi AP (access points) that use WPA/WPA2-PSK (pre-shared key) encryption. The basis of this method of hacking WiFi lies in capturing of the WPA/WPA2 authentication handshake and then cracking the PSK using aircrack-ng. How to hack WiFi – the action plan:. Download and install the latest aircrack-ng.
Start the wireless interface in monitor mode using the airmon-ng. Start the airodump-ng on AP channel with filter for BSSID to collect authentication handshake. Optional Use the aireplay-ng to deauthenticate the wireless client. Run the aircrack-ng to hack the WiFi password by cracking the authentication handshake 1.
Aircrack-ng: Download and Install The Latest Version Only: If you really want to hack WiFi – do not install the old aircrack-ng from your OS repositories. Download and compile the latest version manually. Install the required dependencies: $ sudo apt-get install build-essential libssl-dev libnl-3-dev pkg-config libnl-genl-3-dev Download and install the latest aircrack-ng : $ wget -O - tar -xz $ cd aircrack-ng-1.2-rc4 $ sudo make $ sudo make install Ensure that you have installed the latest version of aircrack-ng: $ aircrack-ng -help Aircrack-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe 2. Airmon-ng: Monitor Mode.
Now it is required to start the wireless interface in monitor mode. Monitor mode allows a computer with a wireless network interface to monitor all traffic received from the wireless network. What is especially important for us – monitor mode allows packets to be captured without having to associate with an access point. Find and stop all the processes that use the wireless interface and may cause troubles: $ sudo airmon-ng check kill Start the wireless interface in monitor mode: $ sudo airmon-ng start wlan0 Interface Chipset Driver wlan0 Intel 6235 iwlwifi - phy0 (monitor mode enabled on mon0) In the example above the airmon-ng has created a new wireless interface called mon0 and enabled on it monitor mode. So the correct interface name to use in the next parts of this tutorial is the mon0.
Airodump-ng: Authentication Handshake Cool Tip: Want to have some “fun”? Create a Linux fork bomb! One small string that is able to hang the whole system! Now, when our wireless adapter is in monitor mode, we have a capability to see all the wireless traffic that passes by in the air. Now wait until airodump-ng captures a handshake. If you want to speed up this process – go to the step #4 and try to force wireless client reauthentication. After some time you should see the WPA handshake: 00:11:22:33:44:55 in the top right-hand corner of the screen.
This means that the airodump-ng has successfully captured the handshake: CH 1 Elapsed: 20 s 2014-05-29 12:46 WPA handshake: 00:11:22:33:44:55 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:11:22:33:44:55 -48 212 1536 66 1 54e WPA2 CCMP PSK CrackMe BSSID STATION PWR Rate Lost Frames Probe 00:11:22:33:44:55 AA:BB:CC:DD:EE:FF -44 0 - 1 114 56 4. Aireplay-ng: Deauthenticate Client Cool Tip: Want to stay anonymous? Learn how to use PROXY on the Linux command line. If you can’t wait till airodump-ng captures a handshake, you can send a message to the wireless client saying that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP and we’ll capture the authentication handshake. Send deauth to broadcast: $ sudo aireplay-ng -deauth 100 -a 00:11:22:33:44:55 mon0 -ignore-negative-one Send directed deauth (attack is more effective when it is targeted): $ sudo aireplay-ng -deauth 100 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0 -ignore-negative-one Option Description -deauth 100 The number of de-authenticate frames you want to send (0 for unlimited) -a The MAC address of the access point -c The MAC address of the client mon0 The wireless interface -ignore-negative-one Fixes the ‘fixed channel: -1’ error message Cool Tip: Need to hack WiFi password? Don’t wast your time!
Use “John the Ripper” – the fastest password cracker! Aircrack-ng: Hack WiFi Password. Unfortunately there is no way except brute force to break WPA/WPA2-PSK encryption. To hack WiFi password, you need a password dictionary. And remember that this type of attack is only as good as your password dictionary.
You can download some dictionaries from. Crack the WPA/WPA2-PSK with the following command: $ aircrack-ng -w wordlist.dic -b 00:11:22:33:44:55 WPAcrack.cap Option Description -w The name of the dictionary file -b The MAC address of the access point WPAcrack.cap The name of the file that contains the authentication handshake Aircrack-ng 1.2 beta3 r2393 00:08:11 548872 keys tested (1425.24 k/s) KEY FOUND! 987654321 Master Key: 5C 9D 3F B6 24 3B 3E 0F F7 C2 51 27 D4 D3 0E 97 CB F0 4A 28 00 93 4A 8E DD 04 77 A3 A1 7D 15 D5 Transient Key: 3A 3E 27 5E 86 C3 01 A8 91 5A 2D 7C 97 71 D2 F8 AA 03 85 99 5C BF A7 32 5B 2F CD 93 C0 5B B5 F6 DB A3 C7 43 62 F4 11 34 C6 DA BA 38 29 72 4D B9 A3 11 47 A6 8F 90 63 46 1B 03 89 72 79 99 21 B3 EAPOL HMAC: 9F B5 F4 B9 3C 8B EA DF A0 3E F4 D4 9D F5 16 62 Cool Tip: Password cracking often takes time. Combine aircrack-ng with “John The Ripper” to pause/resume cracking whenever you want without loosing the progress!
NOTE: The Information contained in this Article is only Intended for Educational Purposes. I take no Responsibility for the misuse of this information and the harm brought to you or any one else (specially your neighbour.:) Hello Everyone. This is my Tutorial for WPA/WPA2 Wireless Hacking. This guide is aimed to help you crack WPA/WPA2 Passwords. As said, this is a Total n00b Guide to Wireless Hacking.
The Stuff that you are going to need is: (1) Backtrack (You can get it ) (2) Wireless Card that Supports Packet Injection (3) A Wireless WPA/WPA2 Connection that uses PSK Mode (Pre-Shared Key) (4) A Dictionary that has the Password we are trying to get. But Obviously you wouldn't know it till you complete ' The Dictionary Attack '.
Before we start, I take it for Granted that you are aware of a Few things. I Hope You already have a Live CD, Bootable USB or a Virtual Backtrack Installed in your System. In case of Virtual Machine, You will need an External Wireless Card. And in case you don't already have Backtrack, I suggest you bookmark this page and get it first. Also, I hope you have googled by now to see if your Wireless Card will support Packet Injection or not.
In case you are not sure, Use the Test Mode in Aireplay-ng (-9) to see if it supports packet Injection. Again, if you haven't already done that go and get this done first.
Now that we are Ready. If You are Using a Boot CD, As in my case, You will see the following screen when the CD Loads. As evident from the Image, My Wireless Interface ' wlan0 ' has been enabled for monitor mode at ' mon0 '. Now, We will scan the Area for Presence of WPA/WPA2 encrypted Networks but before we scan for WPA/WPA2 Networks, There is something I want to make a note of here. NOTE: WPA/WPA2 stands for W ireless P rotected A ccess. WPA is a notch up in Security when compared to WEP which was cracked in 2000.
WPA/WPA2 uses Two types of Authentication Methods. TKIP - T emporal K ey I ntegrity P rotocol. TKIP uses a Ever Changing Key which makes it Useless to Crack.
PSK - P re S hared K ey. PSK uses a Key Defined by the Network Administrator. Hence, The Key remains the same. Unless the Administrator decides to change it.
Neck of it all, It is useless to crack a TKIP Authenticated WPA/WPA2. This Tutorial will only help you crack PSK Authenticated WPA/WPA2. Now, We have taken care of What Our Target Should look like. So, We'll go ahead and Scan the Area. The De-Authentication Attack:- Whenever, a Client connects to a WPA/WPA2 Encrypted Network, It exchanges a ' Four-way Handshake ' with the AP.
Its an Authentication Process to allow the Client to be associated with the Access Point. The Point in a De-Authentication Attack is to Forcefully De-Authenticate a Certain or All Stations from an Access Point.
Forcing them/it to Re-Connect and hence, Exchange the Handshake Again. Which will enable us to Capture the Handshake and Initiate a Dictionary Attack. So, Lets De-Authenticate the Client and Get the Handshake.
Crack Wpa2 Windows
WPS is a common feature in almost all of the wireless router is produced in recent years. This feature allows a computer to connect to a wireless network through PIN entry without having to remember passwords that network.
It takes me actually 4 hours to more than 10 hours dealing with Backtrack 5 R3 to crack successfully WPA2 (WPS enabled). 4 Steps to Crack WiFi password using Backtrack 5 We are going to use Backtrack and Wifite. You need to be patient and some kind of luck. Step 1: Download WiFi cracker tools.
Download. An available 4GB USB. Download Backtrack R3 Direct Download Link:. BackTrack 5 R3 Gnome 32 bit ISO Filename: BT5R3-GNOME-32.iso Filesize: 3.07 GB. BackTrack 5 R3 Gnome VMware Image 32 bit Filename: BT5R3-GNOME-32-VM.zip Filesize: 2.39 GB Step 2: Create Backtrack 5 Bootable USB.
Run unetbootin, select backtrack 5.ISO at diskimage, then click on OK. It takes a little while to finish the processing. Step 3: Make the Laptop boot into Backtrack 5 In the rage of this article, we are going to deal with a virtual machine (VMware or Virtual Box). This method leads to better effectiveness to do directly with the Laptop.
At for Macbook, keep holding the Option key to go to the boot menu. For Windows Laptop, go to Bios to make USB boot at priority. Select “ backtrack text – default boot text mode” to boot to backtrack OS. Step 4: Start cracking WiFi password (WEB, WPA, WPA2). Type “startx” then hit Enter to get into Backtrack.
Backtrack
Click on Terminal. Install wifite by the following command line:. Use “chmod +x wifite.py” to set authorisation for wifite.
Execute Wifite by “./wifite.py”. After 10s – 20s loading, you can press Ctrl+C to stop scanning for the WiFi networks around you list.
Choose the number of the targeted WiFi name ( we can only crack the WiFi network which stand with WPS) then wait. At I mentioned, it takes me actually 4 hours to more than 10 hours dealing with Backtrack 5 R3 to crack successfully WPA2 (WPS enabled). At the results: WiFi cracker video: In the case you hacked the WiFi password already, then if the owner change the password, the new Pin can be reveal quickly with reaver.
Wpa2 Crack Fix
Reaver -i mon0 -b BSSID –pin=xxxxxxxx -vv (xxxxxxxx is the 8 Pin numbers you hacked) Similar to this mechanism, you introduced another method We have just updated a better solution to crack WiFi password (WPA and WPA2) by using Linset. Linset will make all clients be disconnected to the targeted WiFi network first, then motivate them to connect to a protected fake WiFi Network in exactly the same name as the targeted one. The software will record the Entered password by clients.
Reaver performs a brute force attack against an access point's WiFi Protected Setup pin number. Once the WPS pin is found, the WPA PSK can be recovered and alternately the AP's wireless settings can be reconfigured. While Reaver does not support reconfiguring the AP, this can be accomplished with wpasupplicant once the WPS pin is known.
Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin number. However, because the last digit of the pin is a checksum value which can be calculated based on the previous 7 digits, that key space is reduced to 10^7 (10,000,000) possible values. The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum. Reaver brute forces the first half of the pin and then the second half of the pin, meaning that the entire key space for the WPS pin number can be exhausted in 11,000 attempts.
The speed at which Reaver can test pin numbers is entirely limited by the speed at which the AP can process WPS requests. Some APs are fast enough that one pin can be tested every second; others are slower and only allow one pin every ten seconds. Statistically, it will only take half of that time in order to guess the correct pin number.
Reaver WPA Cracking Tutorial.