- Capture the handshake
- Crack the handshake to get the password
We have already covered WPA-handshake capture in a lot of detail. In this tutorial we will actually crack a WPA handshake file using a dictionary attack. Our tool of choice for this tutorial will be aircrack-ng. We will not bother about the speed of various tools in this post. However, in the next post, we will compare various CPU and GPU algorithms for WPA hash cracking. I'd like to add that I already know the password of the network, so I'll simply put it into the dictionary that I'm using. A full-fledged dictionary attack is quite time consuming.
Also, a lot of people are facing problems with monitor mode in Kali 2.0. I have a post regarding that coming soon.
PS: If you stumbled on this post out of nowhere and find it hard to follow, I recommend you go through some of the easier posts first. How to use this site is a good place to begin.
My current state
I have already captured a WPA handshake for my Wifi. The password is fairly strong so one can't rely on any dictionary. So just for the sake of this exercise, I'll put the password in the dictionary myself.
My handshake capture
The handshake is captured in a file students2-01.cap (you can name yours whatever you want).
wireshark students2-01.cap
This command can be used to go through the packets captured. We will learn more about Wireshark later. I will guide you through a complete EAPoL 4-way handshake. For this tutorial, let's move on.
My dictionary file
root@kali:~# cat new.txt
The last line has the password.
root@kali:~# aircrack-ng students2-01.cap -w new.txt
It will ask for the index number of the target network. Select the network you want to hack.
I chose 13
It didn't take any time at all considering Aircrack had to check a total of 4 keys!!!
[00:00:00] 4 keys tested (589.45 k/s)
KEY FOUND! [ ***************** ]
Master Key : 60 B7 9D 29 26 0F 92 65 ** ** ** ** **
Transient Key : 1C F2 23 FE B3 67 ** ** ** *
EAPOL HMAC : F9 A1 5D ** ** ** ** **
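The "Master Key" aircrack-ng prints is the WPA pairwise master key, which is PBKDF2-HMAC-SHA1 of the passphrase salted with the network name, so a dictionary run only succeeds when the passphrase is actually in the list. The following is an added example, not part of the original post: it audits your own passphrase against a wordlist and measures how fast this machine can test candidates. The SSID "ExampleNet", both passphrases and the four-entry wordlist are constructed sample values.

```python
import hashlib
import time

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wordlist_position(passphrase: str, lines) -> tuple:
    """Return (1-based position among usable candidates or None, usable count)."""
    usable, found = 0, None
    for line in lines:
        word = line.rstrip("\r\n")
        if not 8 <= len(word) <= 63:   # can never be a WPA passphrase
            continue
        usable += 1
        if found is None and word == passphrase:
            found = usable
    return found, usable

def measure_rate(ssid: str, samples: int = 20) -> float:
    """PMK derivations per second on this machine (single core)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"benchmark-{i:04d}", ssid)
    return samples / (time.perf_counter() - start)

def audit(passphrase: str, ssid: str, lines) -> dict:
    """Summarise whether our own passphrase is exposed to this wordlist."""
    found, usable = wordlist_position(passphrase, lines)
    rate = measure_rate(ssid)
    return {
        "exposed": found is not None,
        "guesses_needed": found,
        "usable_candidates": usable,
        "seconds_to_exhaust": usable / rate,
    }

if __name__ == "__main__":
    # Constructed sample data: hypothetical SSID, passphrases and wordlist.
    SSID = "ExampleNet"
    WORDLIST = ["short\n", "password123\n", "letmein2024\n", "correct-horse-battery\n"]
    print(audit("correct-horse-battery", SSID, WORDLIST))
    print(audit("Zq7!nV2#rLp9@xT4", SSID, WORDLIST))
```

Because the SSID is the salt, a table of master keys computed for one network name is useless against another, which is why a unique SSID together with a long random passphrase is the practical defence.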
Standard attacks too slow?
The standard attacks against WPA take too long. There is a novel alternative: using the Evil Twin attack to fool a client into giving you the AP's password. Sounds interesting? Take a look-