Backtrack 5 Wpa2 Crack Tutorial Pdf


In case you are not sure, use the test mode in aireplay-ng (-9) to see if your card supports packet injection. Again, if you haven't already done that, go and get it done first.

WPA/WPA2 Cracking with Backtrack 5. [NOTE: It is useless to crack a TKIP-authenticated WPA/WPA2 network. This tutorial will only help you crack PSK-authenticated WPA/WPA2.] Let's see how to crack a WiFi password using Backtrack 5, which helps to hack the WPA and WPA2 security protocols: step-by-step Backtrack 5 and wireless hacking basics, using aircrack and a dictionary to crack a WPA data capture.

Tutorial: How to Crack WPA/WPA2
Version: 1.20, March 07, 2010
By: darkaudax

Introduction
This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys. I recommend you do some background reading to better understand what WPA/WPA2 is. The Wiki [ links page has a WPA/WPA2 section. The best document describing WPA is Wi-Fi Security - WEP, WPA and WPA2 [ This is the link [ /articles/hakin9_wifi/hakin9_wifi_en.pdf] to download the PDF directly. The WPA Packet Capture Explained tutorial is a companion to this tutorial. WPA/WPA2 supports many types of authentication beyond pre-shared keys.

The wireless card's transmit strength is typically less than the AP's. So you have to be physically close enough for your transmitted packets to reach and be received by both the AP and the wireless client. You can confirm that you can communicate with the specific AP by following these instructions. You are using v0.9.1 or above of aircrack-ng. If you use a different version then some of the command options may have to be changed. Ensure all of the above assumptions are true, otherwise the advice that follows will not work.

Then just change the values in the examples below to those of the specific network.

Solution Overview
The objective is to capture the WPA/WPA2 authentication handshake and then use aircrack-ng to crack the pre-shared key. This can be done either actively or passively.

TKIP - Temporal Key Integrity Protocol. TKIP uses an ever-changing key, which makes it useless to crack.

Step 3: Now you will need to find the WEP networks around you. You can do it by typing the following command: airodump-ng mon0. After typing the command you will see all the available WiFi networks. In this output, BSSID shows the MAC address of the AP, CH shows the channel on which the AP is broadcasting, ESSID shows the name broadcast by the AP, and Cipher shows the encryption type. Look for the WEP-protected network; in this tutorial we are taking 'pack' as the target. Step 4: In order to crack the WEP key you will need to capture all the data of the target into a file, and you need to speed up the process too. To do this, type the following command: airodump-ng mon0 --bssid (BSSID of the AP) -c (channel) -w (file name to save).

It should look similar to this: lo eth0 wifi0. If there are any remaining athx interfaces, then stop each one. When you are finished, run iwconfig to ensure there are none left. Now, enter the following command to start the wireless card on channel 9 in monitor mode: airmon-ng start wifi0 9. Note: In this command we use wifi0 instead of our wireless interface of ath0. This is because the madwifi-ng drivers are being used. The system will respond:

Interface   Chipset   Driver
wifi0       Atheros   madwifi-ng
ath0        Atheros   madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

You will notice that ath0 is reported above as being put into monitor mode. To confirm the interface is properly set up, enter iwconfig.

Before we start, I take it for Granted that you are aware of a Few things. I Hope You already have a Live CD, Bootable USB or a Virtual Backtrack Installed in your System. In case of Virtual Machine, You will need an External Wireless Card. And in case you don't already have Backtrack, I suggest you bookmark this page and get it first. Also, I hope you have googled by now to see if your Wireless Card will support Packet Injection or not.

PSK - Pre-Shared Key. PSK uses a key defined by the network administrator.


WPS is a common feature in almost all wireless routers produced in recent years. This feature allows a computer to connect to a wireless network by entering a PIN, without having to remember that network's password. It actually took me 4 hours to more than 10 hours of dealing with Backtrack 5 R3 to successfully crack WPA2 (with WPS enabled).

4 Steps to Crack a WiFi Password Using Backtrack 5
We are going to use Backtrack and Wifite. You need patience and some luck.

You will be very surprised at how much time is required. IMPORTANT: This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key. There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.

This forces them (or it) to re-connect and hence exchange the handshake again, which will enable us to capture the handshake and initiate a dictionary attack. So, let's de-authenticate the client and get the handshake.

The exact procedure for enabling monitor mode varies depending on the driver you are using. To determine the driver (and the correct procedure to follow), run the following command: airmon-ng. On a machine with a Ralink, an Atheros and a Broadcom wireless card installed, the system responds:

Interface   Chipset        Driver
rausb0      Ralink RT73    rt73
wlan0       Broadcom       b43 - [phy0]
wifi0       Atheros        madwifi-ng
ath0        Atheros        madwifi-ng VAP (parent: wifi0)

The presence of a [phy0] tag at the end of the driver name is an indicator for mac80211, so the Broadcom card is using a mac80211 driver. Note that mac80211 is supported only since aircrack-ng v1.0-rc1, and it won't work with v
Both entries of the Atheros card show madwifi-ng as the driver - follow the madwifi-ng-specific steps to set up the Atheros card. Finally, the Ralink shows neither of these indicators, so it is using an ieee80211 driver - see the generic instructions for setting it up.

Step 1a - Setting up madwifi-ng
First stop ath0 by entering: airmon-ng stop ath0. The system responds:

Interface   Chipset   Driver
wifi0       Atheros   madwifi-ng
ath0        Atheros   madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Enter iwconfig to ensure there are no other athx interfaces.

I would like to acknowledge and thank the Aircrack-ng team [ for producing such a great, robust tool. Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.

Assumptions
First, this solution assumes: You are using drivers patched for injection. Use the injection test to confirm your card can inject. You are physically close enough to send and receive access point and wireless client packets. Remember that just because you can receive packets from them does not mean you will be able to transmit packets to them.

Because it is very compute intensive, a computer can only test 50 to 300 possible keys per second depending on the computer's CPU. It can take hours, if not days, to crunch through a large dictionary. If you are thinking about generating your own password list to cover all the permutations and combinations of characters and special symbols, check out this brute force time calculator [ first.


Aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type PSK; otherwise, don't bother trying to crack it. There is another important difference between cracking WPA/WPA2 and WEP: the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is because the key is not static, so collecting IVs, as when cracking WEP encryption, does not speed up the attack.

The De-Authentication Attack: Whenever a client connects to a WPA/WPA2-encrypted network, it exchanges a 'four-way handshake' with the AP. It's an authentication process that allows the client to be associated with the access point. The point of a de-authentication attack is to forcefully de-authenticate a certain station, or all stations, from an access point.


Actively means you will accelerate the process by deauthenticating an existing wireless client. Passively means you simply wait for a wireless client to authenticate to the WPA/WPA2 network. The advantage of passive is that you don't actually need injection capability and thus the Windows version of aircrack-ng can be used. Here are the basic steps we will be going through:
1. Start the wireless interface in monitor mode on the specific AP channel
2. Start airodump-ng on the AP channel with a filter for the bssid to collect the authentication handshake
3. Use aireplay-ng to deauthenticate the wireless client
4. Run aircrack-ng to crack the pre-shared key using the authentication handshake

Step 1 - Start the wireless interface in monitor mode
The purpose of this step is to put your card into what is called monitor mode. Monitor mode is the mode whereby your card can listen to every packet in the air.

As for a MacBook, keep holding the Option key to get to the boot menu. For a Windows laptop, go into the BIOS to give USB boot priority. Select “backtrack text – default boot text mode” to boot into the Backtrack OS. Step 4: Start cracking the WiFi password (WEP, WPA, WPA2) • Type “startx” then hit Enter to get into Backtrack • Click on Terminal • Install wifite with the following command line: • Use “chmod +x wifite.py” to set permissions for wifite • Execute Wifite with “./wifite.py” • After 10s – 20s of loading, you can press Ctrl+C to stop scanning for the WiFi networks around you and list them. • Choose the number of the targeted WiFi name (we can only crack WiFi networks that have WPS enabled), then wait. As I mentioned, it actually took me 4 hours to more than 10 hours of dealing with Backtrack 5 R3 to successfully crack WPA2 (with WPS enabled). And the results (WiFi cracker video): In case you have already hacked the WiFi password and the owner then changes it, the new password can be revealed quickly with reaver using the PIN.

Hence, the key remains the same unless the administrator decides to change it. In short, it is useless to crack a TKIP-authenticated WPA/WPA2 network; this tutorial will only help you crack PSK-authenticated WPA/WPA2. Now we have taken care of what our target should look like, so we'll go ahead and scan the area.



Step 1: Download the WiFi cracker tools
• Download.
• An available 4GB USB stick
• Download Backtrack R3. Direct download links:
• BackTrack 5 R3 Gnome 32 bit ISO. Filename: BT5R3-GNOME-32.iso, Filesize: 3.07 GB
• BackTrack 5 R3 Gnome VMware Image 32 bit. Filename: BT5R3-GNOME-32-VM.zip, Filesize: 2.39 GB
Step 2: Create a Backtrack 5 bootable USB
• Run unetbootin, select the backtrack 5 .ISO as the disk image, then click on OK. It takes a little while to finish processing.
Step 3: Make the laptop boot into Backtrack 5
In the scope of this article, we are going to work with a virtual machine (VMware or VirtualBox). Doing it directly on the laptop is more effective than this method.

By hearing every packet, we can later capture the WPA/WPA2 4-way handshake. As well, it will allow us to optionally deauthenticate a wireless client in a later step.

The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key. The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length.

It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.

Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols. The impact of having to use a brute force approach is substantial.

reaver -i mon0 -b BSSID --pin=xxxxxxxx -vv (xxxxxxxx is the 8-digit PIN you recovered). Similar to this mechanism, we have just written up a better solution for cracking WiFi passwords (WPA and WPA2) using Linset. Linset first disconnects all clients from the targeted WiFi network, then lures them into connecting to a protected fake WiFi network with exactly the same name as the targeted one. The software records the password entered by the clients.




In the examples below, you will need to change ath0 to the interface name which is specific to your wireless card.

Equipment used
In this tutorial, here is what was used:
MAC address of PC running aircrack-ng suite: 00:0F:B5:88:AC:82
MAC address of the wireless client using WPA2: 00:0F:B5:FD:FB:C2
BSSID (MAC address of access point): 00:14:6C:7E:40:80
ESSID (Wireless network name): teddy
Access point channel: 9
Wireless interface: ath0
You should gather the equivalent information for the network you will be working on.


[NOTE: The information contained in this article is only intended for educational purposes. I take no responsibility for the misuse of this information and the harm brought to you or anyone else (especially your neighbour :)] Hello Everyone. This is my tutorial for WPA/WPA2 wireless hacking. This guide is aimed at helping you crack WPA/WPA2 passwords. As said, this is a total n00b guide to wireless hacking. The stuff that you are going to need is: (1) Backtrack (You can get it ) (2) A wireless card that supports packet injection (3) A wireless WPA/WPA2 connection that uses PSK mode (Pre-Shared Key) (4) A dictionary that has the password we are trying to get. But obviously you won't know whether it does until you complete 'The Dictionary Attack'.