TO DECODE WPA/WEP KEYS USING AIRCRACK AND HASHCAT
THIS TUTORIAL ISN’T FROM ME AND I AIN’T RESPONSIBLE FOR ANY OF THIS, SO USE IT AT YOUR OWN RISK.
Make sure you have the Aircrack suite set up, because that’s the tool we’re going to be using for the first two phases. If you’re on Kali Linux, you probably have it already.
You also need to have a wireless adapter that supports packet injection for this to work. If you’re unsure about the last part, just go through with the first phase and you’ll find out.
CAPTURING THE 4-WAY HANDSHAKE
The first thing you need to do is take down your wireless interface and then put it in monitor mode.
For this, find the name of your wireless interface using the ifconfig command.
Once you have the name, take the interface down using the following command (replace wlan0 with your own interface name):
ifconfig wlan0 down
Let’s find out whether injection is working or not.
Type the following in a terminal:
aireplay-ng -9 wlan0

If it says “Injection is working!”, your wireless card supports packet injection and you’re good to go. Otherwise, well, you’re shit outta luck (get a USB wireless card specifically for packet injection, like the ones provided by ALFA).
Copy the BSSID, the channel number, and the ESSID of the target network and keep them aside for later.
Now let’s take a look at the devices that are connected to the target network. For that, use airodump-ng as follows:
airodump-ng -c <CHANNEL_NO> --bssid <BSSID_VALUE> -w <FILE_NAME> <WIRELESS_INTERFACE>

The STATION column contains the MAC addresses of all the devices connected to the target network.
At this point, you have two options. You can either:
Wait for a user to connect/reconnect
Deauthenticate a user and force the device to reconnect
If you want to go for the latter, check out this video: Aircrack Deauthentication Attack where I explain deauthentication attacks in detail.
Since I’m testing this on a personal network, I’ll just connect my phone to it.
As soon as a new or existing device connects or reconnects to the network, the WPA handshake is captured.
Once a handshake is captured, airodump-ng will say so in the top-right corner of its output.
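The forced-reconnect option above is visible on the air as a burst of deauthentication frames, and that burst is what a wireless IDS looks for. The following Python sketch is an added example written for this page, not part of the original tutorial; it runs a sliding-window rate check over a constructed list of 802.11 management-frame records (timestamp, subtype, transmitter, receiver) and flags any transmitter that exceeds the threshold.

```python
from collections import deque

# IEEE 802.11 management-frame subtypes (frame type 0) used below.
BEACON, DISASSOC, DEAUTH = 0x08, 0x0A, 0x0C

AP = "AA:BB:CC:DD:EE:01"       # constructed AP BSSID
CLIENT = "11:22:33:44:55:66"   # constructed station MAC
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample capture: (time_ms, subtype, transmitter, receiver).
# Beacons and one legitimate disassoc are benign background traffic; the
# 12 deauths starting at t=5000 ms, 50 ms apart, imitate a forced-reconnect
# burst. The transmitter is the AP's own BSSID because such frames are
# spoofed to look like they come from the AP.
SAMPLE_FRAMES = (
    [(t, BEACON, AP, BCAST) for t in range(0, 8000, 100)]
    + [(2000, DISASSOC, CLIENT, AP)]
    + [(5000 + i * 50, DEAUTH, AP, CLIENT) for i in range(12)]
)

def detect_deauth_flood(frames, window_ms=1000, threshold=8):
    """Return (time_ms, transmitter, count) alerts for every transmitter
    that sends >= threshold deauth/disassoc frames within window_ms.
    One alert per transmitter, raised the first time it crosses the line."""
    recent = {}      # transmitter -> deque of recent deauth timestamps
    alerted = set()
    alerts = []
    for t, subtype, tx, _rx in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent.setdefault(tx, deque())
        q.append(t)
        while t - q[0] > window_ms:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and tx not in alerted:
            alerted.add(tx)
            alerts.append((t, tx, len(q)))
    return alerts

if __name__ == "__main__":
    for t, tx, n in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"t={t} ms: {n} deauth/disassoc frames from {tx} within 1 s")
```

Rate detection is the monitoring side; the mitigation is Protected Management Frames (802.11w), which lets clients reject deauthentication frames that are not authenticated by the AP.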
CONVERTING CAP TO HCCAP
To crack the handshake in Hashcat, we need to convert the capture file (cap) into the format Hashcat uses (hccap).
This is relatively simple and takes little to no time at all.
We can either use an online converter, such as the one provided on the official Hashcat website, or simply use Aircrack again for the same job.
For this example, I’ll be going for the latter.
To convert a cap file into an hccap file, use the -J option of aircrack-ng:
aircrack-ng -J <NEW_FILE> <OLD_FILE.cap>

CRACKING HANDSHAKE USING HASHCAT
To crack the handshake, we’ll use a wordlist. Since we’re using Kali Linux, we’re in luck.
Kali comes with a shit-ton of wordlists by default. Just hit the Meta/Windows key, type Wordlist in the search and hit ENTER. A terminal should pop up showing you the list of wordlists available.
Pick a wordlist and copy its full path.
Let’s get crackin’.
Open up a terminal and type in:
hashcat -m 2500 <HCCAPFILE> <PATH_TO_WORDLIST>
Here, -m sets the hash type to crack; 2500 corresponds to WPA/WPA2.
The default attack mode is a dictionary attack. If you want to perform a different kind of attack, use the -a option.
The following table lists all the available modes and their corresponding indices.
# | Mode
===+=======================
0 | Straight
1 | Combination
3 | Brute-force
6 | Hybrid Wordlist + Mask
7 | Hybrid Mask + Wordlist
To get a full reference of all the types and attack modes, check out this page.
Once hashcat gets to work, you can see the progress it makes by pressing S on your keyboard.
As you can see, it went through over 10,000 passwords in less than 3 seconds.
The amount of time it takes to crack the password obviously depends on its complexity.
Once it’s done, you should get the password as follows:
The password will also be recorded in the hashcat pot file, which is created in your home directory.
!!!REMINDER!!!
This article isn’t from me.