Main article: How to Protect Your Wireless Network. Cracking a WPA or WPA2 wireless network is more difficult than cracking a WEP protected network because it depends.
May 16, 2011 Wordlist: This Video shows you how to crack a WPA encryptet Wlan with Backtrack5.
Today I am going to teach you how to easily hack WPA/WPA2-PSK enabled networks using Step 2: Install Reaver Skip this step if you are using BackTrack 5.
WPA WPA2 cracking with BackTrack 5 R3 New Video https://www.youtube.com/watch.v Y5_-OW1OQPQ.
Main article: How to Protect Your Wireless Network
Cracking a WPA or WPA2 wireless network is more difficult than cracking a WEP protected network because it depends on the complexity of the wireless password and on the attack method Dictionary Attack or Brute Force Attack. Here you will learn step by step instructions how to crack the WPA2 which uses a pre-shared keys PSK of a wireless network. This also applies to WPA secured network.
Before you begin
You need to have BackTrack installed and running on VMWare Player. How to Install VMWare Backtrack 4
Check if your wireless adapter is compatible with Backtrack 4 from List of compatible adapters
I am using the Alfa AWUS036H which is a very well known usb wireless adapter because of its good performance and cheap price.
Make sure that your wireless adapter is plugged into your virtual machine. In VMWare goto the menu Virtual Machine - Removable Devices - YOUR ADAPTER MUST BE TICKED
Start Cracking the WPA/WPA2 Password
Here are the basics steps we will be going through:
Put your wireless interface in monitor mode on the specific AP channel
Start airodump-ng to collect authentication handshake from the AP
Use aireplay-ng to deauthenticate the wireless client to force a handshake with the AP
Run aircrack-ng to crack the pre-shared key using a dictionary file
Launch the Konsole, which is the BackTrack s built-in command line. It can be found in the lower left corner of the taskbar as showing in the image below.
Run the following command to get a list of your network interfaces:
You may get something like ath1, wlan0, wifi0, or ra0. This is called your interface.
In my case: interface wlan0 see image below
Now run the following command to put your interface in monitor mode.
airmon-ng start interface
In my case
airmon-ng start wlan0
Now we can use the monitor interface which appears below the Driver column, call it monitor. Most of the time monitor mon0 as shown in the image above.
It s time to view the list of available networks and pick one for cracking. Run:
Wait for some time for all the networks to load then press Ctrl C to stop the updates. Now choose the wireless network that you wish to crack which has WPA or WPA2 encryption in the ENC column, and PSK in the AUTH column. OPN means that the network is open and you can connect to it without a key, WEP will not work here but you can check How to Crack WEP Wireless with BackTrack 4 running on Windows which takes less than 5 minutes to crack.
After selecting the network that you want to crack take note of the BSSID, and the channel CH values. In my case: bssid 68:7F::69:C7, and channel 11 as shown in the image below.
Now we are going to monitor and record the data passing through that network to a file. Run:
airodump-ng monitor --channel channel --bssid bssid -w filename
airodump-ng mon0 --channel 1 --bssid 68:7F::69:C7 -w linksys
Replace monitor, channel, and bssid with their respective values noted before. filename can be any name. I usually use a name similar to the name of the network which is linksys in this case.
The data is being collected and recorded now and you should get an output similar to the window in the background shown in the picture below. Leave that window running.
We now need to record the 4-way handshake that happens between the targeted wireless router AP and a client that is already authenticated.
We can either wait for a client to connect or disconnect an already connected user to force him to reconnect. In our case we are going to disconnect an already connected user. Don t forget to note down the client mac address which we ll call station. In my case station 00:C0:CA:25:AC:68. Launch a second Konsole window now and run:
aireplay-ng -0 1 -a bssid -c station monitor
aireplay-ng -0 1 -a 68:7F::69:C7 -c 00:C0:CA:25:AC:68 mon0
After you run this command you should see WPA handshake: bssid in the upper right corner of the first Konsole, in my case it is WPA handshake: 68:7F::69:C7. This means that you have collected the 4-way handshake, and you don t need to be connected to the network anymore.
In case you didn t see the handshake message try to run the same command again. It s time to start cracking the collected password.
Cracking the Password
To crack the password you will need a file that contains list of passwords, this file is called a dictionary file. The more accurate the dictionary file and less complex the WPA or WPA2 wireless password; the better chance you have to crack the password. There are lots of dictionary files on the internet that you can download, for the purpose of the demo I am going to use the dictionary file that comes with aircrack-ng. It can be found under /pentest/wireless/aircrack-ng/test.
You can close all the Konsoles if you want and open a new one. Run:
aircrack-ng -w passwordsfile -b bssid filename-01.cap
aircrack-ng -w /pentest/wireless/aircrack-ng/test/password.lst -b 68:7F::69:C7 linksys-01.cap
The filename should be what you used in filename -01.cap, if you are not sure about the filename enter ls to see list of all the files.
This command will start trying the passwords listed in the dictionary file that you provided until it finds a match. If the password wasn t found then you need to use a better dictionary file. It is possible that the password can not be found at all in case it was long and complex enough. But in case there was a match then you should see something like:
The WPA or WPA2 password is what you see besides KEY FOUND. inside the brackets. In my case: thisisatest
The success of cracking a WPA or WPA2 wireless network is directly related to the complexity of the password and the dictionary file that you have. Another brute force attack method would be to try all possible permutations of letters, numbers, and symbols possible to crack the password. Although it will surely find the password in the end but it might take hundreds of years for the cracking process to complete which is why a dictionary attack is considered more efficient approach, you can check John the Ripper if you are interested in this method.
Feel free to ask questions or let me know if I have missed something by leaving a comment below.
How to Protect Your Wireless Network
No related posts.
A step by step guide to cracking WPA and WPA2 Wifi passwords. Backtrack is a bootable Linux distribution with lots of pen-testing tools and is almost needed for all my. . How to Install BackTrack 5 R3 in VMWare – Step by Step Guide. How to Install BackTrack 5 R3 - Use Reaver to crack Wifi WPA/WPA2 cracking with Back Track 5 - Samiux s Blogsamiux.blogspot.com//howto-wpawpa2-cracking-with-backtrack-5.htmCachedSimilarMay 22, 2011 - Step 5 : airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff --ivs mon0. PWB Am I ready for taking Penetration Testing with BackTrack PWB.
This tutorial explains in detail how to hack WPA / WPA2 encrypted networks using Backtrack 5. Detailed.
- May 04, 2012 The Download link for Backtrack 5 has changed to, For a compete write up on wireless hacking follow this link.
- 7 thoughts on WPA Dictionary crack with Backtrack 5 carlosm August 7, 2011. Do you have any more WPA2 dictinaries that you can share.
Your Wi-Fi network is your conveniently wireless gateway to the internet, and since you re not keen on sharing your connection with any old hooligan who happens to be walking past your home, you secure your network with a password, right. Knowing, as you might, how easy it is to crack a WEP password, you probably secure your network using the more bulletproof WPA security protocol.
You already know that if you want to lock down your Wi-Fi network, you should opt for WPA
Read more Read more
Here s the bad news: A new, free, open-source tool called Reaver exploits a security hole in wireless routers and can crack most routers current passwords with relative ease. Here s how to crack a WPA or WPA2 password, step by step, with Reaver and how to protect your network against Reaver attacks.
In the first section of this post, I ll walk through the steps required to crack a WPA password using Reaver. You can follow along with either the video or the text below. After that, I ll explain how Reaver works, and what you can do to protect your network against Reaver attacks.
First, a quick note: As we remind often remind readers when we discuss topics that appear potentially malicious: Knowledge is power, but power doesn t mean you should be a jerk, or do anything illegal. Knowing how to pick a lock doesn t make you a thief. Consider this post educational, or a proof-of-concept intellectual exercise. The more you know, the better you can protect yourself.
What You ll Need
You don t have to be a networking wizard to use Reaver, the command-line tool that does the heavy lifting, and if you ve got a blank DVD, a computer with compatible Wi-Fi, and a few hours on your hands, you ve got basically all you ll need. There are a number of ways you could set up Reaver, but here are the specific requirements for this guide:
The BackTrack 5 Live DVD. BackTrack is a bootable Linux distribution that s filled to the brim with network testing tools, and while it s not strictly required to use Reaver, it s the easiest approach for most users. Download the Live DVD from BackTrack s download page and burn it to a DVD. You can alternately download a virtual machine image if you re using VMware, but if you don t know what VMware is, just stick with the Live DVD. As of this writing, that means you should select BackTrack 5 R3 from the Release drop-down, select Gnome, 32- or 64-bit depending on your CPU if you don t know which you have, 32 is a safe bet, ISO for image, and then download the ISO.A computer with Wi-Fi and a DVD drive. BackTrack will work with the wireless card on most laptops, so chances are your laptop will work fine. However, BackTrack doesn t have a full compatibility list, so no guarantees. You ll also need a DVD drive, since that s how you ll boot into BackTrack. I used a six-year-old MacBook Pro.A nearby WPA-secured Wi-Fi network. Technically, it will need to be a network using WPA security with the WPS feature enabled. I ll explain in more detail in the How Reaver Works section how WPS creates the security hole that makes WPA cracking possible.A little patience. This is a 4-step process, and while it s not terribly difficult to crack a WPA password with Reaver, it s a brute-force attack, which means your computer will be testing a number of different combinations of cracks on your router before it finds the right one. When I tested it, Reaver took roughly 2.5 hours to successfully crack my password. The Reaver home page suggests it can take anywhere from 4-10 hours. Your mileage may vary.
Let s Get Crackin
At this point you should have BackTrack burned to a DVD, and you should have your laptop handy.
Step 1: Boot into BackTrack
To boot into BackTrack, just put the DVD in your drive and boot your machine from the disc. Google around if you don t know anything about live CDs/DVDs and need help with this part. During the boot process, BackTrack will prompt you to to choose the boot mode. Select BackTrack Text - Default Boot Text Mode and press Enter.
Eventually BackTrack will boot to a command line prompt. When you ve reached the prompt, type startx and press Enter. BackTrack will boot into its graphical interface.
Step 2: Install Reaver
Update: This step is no longer necessary, as Reaver comes pre-installed on Backtrack 5 R3. Skip down to Step 3.
Reaver has been added to the bleeding edge version of BackTrack, but it s not yet incorporated with the live DVD, so as of this writing, you need to install Reaver before proceeding. Eventually, Reaver will simply be incorporated with BackTrack by default. To install Reaver, you ll first need to connect to a Wi-Fi network that you have the password to.
Click Applications Internet Wicd Network ManagerSelect your network and click Connect, enter your password if necessary, click OK, and then click Connect a second time.
Now that you re online, let s install Reaver. Click the Terminal button in the menu bar or click Applications Accessories Terminal. At the prompt, type:
And then, after the update completes:
apt-get install reaver
If all went well, Reaver should now be installed. It may seem a little lame that you need to connect to a network to do this, but it will remain installed until you reboot your computer. At this point, go ahead and disconnect from the network by opening Wicd Network Manager again and clicking Disconnect. You may not strictly need to do this. I did just because it felt like I was somehow cheating if I were already connected to a network.
Step 3: Gather Your Device Information, Prep Your Crackin
In order to use Reaver, you need to get your wireless card s interface name, the BSSID of the router you re attempting to crack the BSSID is a unique series of letters and numbers that identifies a router, and you need to make sure your wireless card is in monitor mode. So let s do all that.
Find your wireless card: Inside Terminal, type:
Press Enter. You should see a wireless device in the subsequent list. Most likely, it ll be named wlan0, but if you have more than one wireless card, or a more unusual networking setup, it may be named something different.
Put your wireless card into monitor mode: Assuming your wireless card s interface name is wlan0, execute the following command to put your wireless card into monitor mode:
airmon-ng start wlan0
This command will output the name of monitor mode interface, which you ll also want to make note of. Most likely, it ll be mon0, like in the screenshot below. Make note of that.
Find the BSSID of the router you want to crack: Lastly, you need to get the unique identifier of the router you re attempting to crack so that you can point Reaver in the right direction. To do this, execute the following command:
Note: If airodump-ng wlan0 doesn t work for you, you may want to try the monitor interface instead e.g., airodump-ng mon0.
You ll see a list of the wireless networks in range it ll look something like the screenshot below:
When you see the network you want, press Ctrl C to stop the list from refreshing, then copy that network s BSSID it s the series of letters, numbers, and colons on the far left. The network should have WPA or WPA2 listed under the ENC column. If it s WEP, use our previous guide to cracking WEP passwords.
Now, with the BSSID and monitor interface name in hand, you ve got everything you need to start up Reaver.
Step 4: Crack a Network s WPA Password with Reaver
Now execute the following command in the Terminal, replacing bssid and moninterface with the BSSID and monitor interface and you copied down above:
reaver -i moninterface -b bssid -vv
For example, if your monitor interface was mon0 like mine, and your BSSID was 8D:AE:9D:65:1F:B2 a BSSID I just made up, your command would look like:
reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv
Press Enter, sit back, and let Reaver work its disturbing magic. Reaver will now try a series of PINs on the router in a brute force attack, one after another. This will take a while. In my successful test, Reaver took 2 hours and 30 minutes to crack the network and deliver me with the correct password. As mentioned above, the Reaver documentation says it can take between 4 and 10 hours, so it could take more or less time than I experienced, depending. When Reaver s cracking has completed, it ll look like this:
A few important factors to consider: Reaver worked exactly as advertised in my test, but it won t necessarily work on all routers see more below. Also, the router you re cracking needs to have a relatively strong signal, so if you re hardly in range of a router, you ll likely experience problems, and Reaver may not work. Throughout the process, Reaver would sometimes experience a timeout, sometimes get locked in a loop trying the same PIN repeatedly, and so on. I just let it keep on running, and kept it close to the router, and eventually it worked its way through.
Also of note, you can also pause your progress at any time by pressing Ctrl C while Reaver is running. This will quit the process, but Reaver will save any progress so that next time you run the command, you can pick up where you left off-as long as you don t shut down your computer which, if you re running off a live DVD, will reset everything.
How Reaver Works
Now that you ve seen how to use Reaver, let s take a quick overview of how Reaver works. The tool takes advantage of a vulnerability in something called Wi-Fi Protected Setup, or WPS. It s a feature that exists on many routers, intended to provide an easy setup process, and it s tied to a PIN that s hard-coded into the device. Reaver exploits a flaw in these PINs; the result is that, with enough time, it can reveal your WPA or WPA2 password.
Read more details about the vulnerability at Sean Gallagher s excellent post on Ars Technica.
How to Protect Yourself Against Reaver Attacks
Since the vulnerability lies in the implementation of WPS, your network should be safe if you can simply turn off WPS or, even better, if your router doesn t support it in the first place. Unfortunately, as Gallagher points out as Ars, even with WPS manually turned off through his router s settings, Reaver was still able to crack his password.
In a phone conversation, Craig Heffner said that the inability to shut this vulnerability down is widespread. He and others have found it to occur with every Linksys and Cisco Valet wireless access point they ve tested. On all of the Linksys routers, you cannot manually disable WPS, he said. While the Web interface has a radio button that allegedly turns off WPS configuration, it s still on and still vulnerable.
So that s kind of a bummer. You may still want to try disabling WPS on your router if you can, and test it against Reaver to see if it helps.
You could also set up MAC address filtering on your router which only allows specifically whitelisted devices to connect to your network, but a sufficiently savvy hacker could detect the MAC address of a whitelisted device and use MAC address spoofing to imitate that computer.
Double bummer. So what will work.
I have the open-source router firmware DD-WRT installed on my router and I was unable to use Reaver to crack its password. As it turns out, DD-WRT does not support WPS, so there s yet another reason to love the free router-booster. If that s got you interested in DD-WRT, check their supported devices list to see if your router s supported. It s a good security upgrade, and DD-WRT can also do cool things like monitor your internet usage, set up a network hard drive, act as a whole-house ad blocker, boost the range of your Wi-Fi network, and more. It essentially turns your 60 router into a 600 router.
Internet data caps are becoming a reality and can seriously suck. If you re stuck with the
Thanks to this post on Mauris Tech Blog for a very straightforward starting point for using Reaver. If you re interested in reading more, see:
Reddit user jagermo who I also spoke with briefly while researching Reaver has created a public spreadsheat intended to build a list of vulnerable devices so you can check to see if your router is susceptible to a Reaver crack.
Have any experience of your own using Reaver. Other comments or concerns. Let s hear it in the comments.
Jan 9, 2012 - Here s how to crack a WPA or WPA2 password, step by step, with As of this writing, that means you should select BackTrack 5 R3 from the.