How To Crack Wpa Wpa2
Steps to Hack WPA/WPA2 Secured WiFi Network. Hacking into WPA/WPA2 WiFi Network is very tough, time & resource consuming. The technique used to crack WPA/WPA2 WiFi password is 4-way handshake for which there is a requirement to have at least one device connected to the network. Here's how to crack a WPA or WPA2 password, step by step, with Reaver—and how to protect your network against Reaver attacks. In the first section of this post, I'll walk through the steps. Crack WPA/WPA2 Wi-Fi Routers with Airodump-ng and Aircrack-ng/Hashcat. This is a brief walk-through tutorial that illustrates how to crack Wi-Fi networks that are secured using weak passwords. It is not exhaustive, but it should be enough information for you to test your own network's security or break into one nearby. However, WEP passwords are no longer popular (because they are so easy to crack), and Reaver only works if a network has enabled WPS. So today, we will be interested in Aircrack and use it to break into a WPA network (with the help of a password list). Here is the method to hack wifi password WPA/WPA2 secuirty. Step 1: Configure your wireless card. Crack WPA/WPA2 Wi-Fi Routers with Airodump-ng and Aircrack-ng/Hashcat. This is a brief walk-through tutorial that illustrates how to crack Wi-Fi networks that are secured using weak passwords.
Crack WPA/WPA2 Wi-Fi Routers with Airodump-ng and Aircrack-ng/Hashcat.
This is a brief walk-through tutorial that illustrates how to crack Wi-Fi networks that are secured using weak passwords. It is not exhaustive, but it should be enough information for you to test your own network's security or break into one nearby. The attack outlined below is entirely passive (listening only, nothing is broadcast from your computer) and it is impossible to detect provided that you don't actually use the password that you crack. An optional active deauthentication attack can be used to speed up the reconnaissance process and is described at the end of this document.
If you are familiar with this process, you can skip the descriptions and jump to a list of the commands used at the bottom. For a variety of suggestions and alternative methods, see the appendix. neal1991 and tiiime have also graciously provided translations to this document and the appendix in Chinese if you prefer those versions.
DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use. Don't be a dick.
Getting Started
This tutorial assumes that you:
- Have a general comfortability using the command-line
- Are running a debian-based linux distro, preferably Kali linux (OSX users see the appendix)
- Have Aircrack-ng installed
sudo apt-get install aircrack-ng
- Have a wireless card that supports monitor mode (see here for a list of supported devices)
Cracking a Wi-Fi Network
How To Crack Wifi Wpa/wpa2 Using Waircut
Monitor Mode
Begin by listing wireless interfaces that support monitor mode with:
If you do not see an interface listed then your wireless card does not support monitor mode
We will assume your wireless interface name is wlan0
but be sure to use the correct name if it differs from this. Next, we will place the interface into monitor mode:
Run iwconfig
. You should now see a new monitor mode interface listed (likely mon0
or wlan0mon
).
Find Your Target
Start listening to 802.11 Beacon frames broadcast by nearby wireless routers using your monitor interface:
You should see output similar to what is below.
For the purposes of this demo, we will choose to crack the password of my network, 'hackme'. Remember the BSSID MAC address and channel (CH
) number as displayed by airodump-ng
, as we will need them both for the next step.
Capture a 4-way Handshake
WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. You don't have to know anything about what that means, but you do have to capture one of these handshakes in order to crack the network password. These handshakes occur whenever a device connects to the network, for instance, when your neighbor returns home from work. We capture this handshake by directing airmon-ng
to monitor traffic on the target network using the channel and bssid values discovered from the previous command.
Now we wait.. Once you've captured a handshake, you should see something like [ WPA handshake: bc:d3:c9:ef:d2:67
at the top right of the screen, just right of the current time.
If you are feeling impatient, and are comfortable using an active attack, you can force devices connected to the target network to reconnect, be sending malicious deauthentication packets at them. This often results in the capture of a 4-way handshake. See the deauth attack section below for info on this.
Once you've captured a handshake, press ctrl-c
to quit airodump-ng
. You should see a .cap
file wherever you told airodump-ng
to save the capture (likely called -01.cap
). We will use this capture file to crack the network password. I like to rename this file to reflect the network name we are trying to crack:
Crack the Network Password
The final step is to crack the password using the captured handshake. If you have access to a GPU, I highly recommend using hashcat
for password cracking. I've created a simple tool that makes hashcat super easy to use called naive-hashcat
. If you don't have access to a GPU, there are various online GPU cracking services that you can use, like GPUHASH.me or OnlineHashCrack. You can also try your hand at CPU cracking with Aircrack-ng.
Note that both attack methods below assume a relatively weak user generated password. Most WPA/WPA2 routers come with strong 12 character random passwords that many users (rightly) leave unchanged. If you are attempting to crack one of these passwords, I recommend using the Probable-Wordlists WPA-length dictionary files.
Cracking With naive-hashcat
(recommended)
Before we can crack the password using naive-hashcat, we need to convert our .cap
file to the equivalent hashcat file format .hccapx
. You can do this easily by either uploading the .cap
file to https://hashcat.net/cap2hccapx/ or using the cap2hccapx
tool directly.
Next, download and run naive-hashcat
:
Naive-hashcat uses various dictionary, rule, combination, and mask (smart brute-force) attacks and it can take days or even months to run against mid-strength passwords. The cracked password will be saved to hackme.pot, so check this file periodically. Once you've cracked the password, you should see something like this as the contents of your POT_FILE
:
Where the last two fields separated by :
are the network name and password respectively.
If you would like to use hashcat
without naive-hashcat
see this page for info.
Cracking With Aircrack-ng
Aircrack-ng can be used for very basic dictionary attacks running on your CPU. Before you run the attack you need a wordlist. I recommend using the infamous rockyou dictionary file:
Note, that if the network password is not in the wordfile you will not crack the password.
If the password is cracked you will see a KEY FOUND!
message in the terminal followed by the plain text version of the network password.
Deauth Attack
A deauth attack sends forged deauthentication packets from your machine to a client connected to the network you are trying to crack. These packets include fake 'sender' addresses that make them appear to the client as if they were sent from the access point themselves. Upon receipt of such packets, most clients disconnect from the network and immediately reconnect, providing you with a 4-way handshake if you are listening with airodump-ng
.
Use airodump-ng
to monitor a specific access point (using -c channel --bssid MAC
) until you see a client (STATION
) connected. A connected client look something like this, where is 64:BC:0C:48:97:F7
the client MAC.
Now, leave airodump-ng
running and open a new terminal. We will use the aireplay-ng
command to send fake deauth packets to our victim client, forcing it to reconnect to the network and hopefully grabbing a handshake in the process.
You can optionally broadcast deauth packets to all connected clients with:
Once you've sent the deauth packets, head back over to your airodump-ng
process, and with any luck you should now see something like this at the top right: [ WPA handshake: 9C:5C:8E:C9:AB:C0
. Now that you've captured a handshake you should be ready to crack the network password.
List of Commands
Below is a list of all of the commands needed to crack a WPA/WPA2 network, in order, with minimal explanation.
Appendix
The response to this tutorial was so great that I've added suggestions and additional material from community members as an appendix. Check it out to learn how to:
- Capture handshakes and crack WPA passwords on MacOS/OSX
- Capture handshakes from every network around you with
wlandump-ng
- Use
crunch
to generate 100+GB wordlists on-the-fly - Spoof your MAC address with
macchanger
A Chinese version of the appendix is also available.
Attribution
Much of the information presented here was gleaned from Lewis Encarnacion's awesome tutorial. Thanks also to the awesome authors and maintainers who work on Aircrack-ng and Hashcat.
Overwhelming thanks to neal1991 and tiiime for translating this tutorial into Chinese. Further shout outs to yizhiheng, hiteshnayak305, enilfodne, DrinkMoreCodeMore, hivie7510, cprogrammer1994, 0XE4, hartzell, zeeshanu, flennic, bhusang, tversteeg, gpetrousov, crowchirp and Shark0der who also provided suggestions and typo fixes on Reddit and GitHub. If you are interested in hearing some proposed alternatives to WPA2, check out some of the great discussion on this Hacker News post.
When it comes to securing your Wi-Fi network, we always recommend WPA2-PSK encryption. It’s the only really effective way to restrict access to your home Wi-Fi network. But WPA2 encryption can be cracked, too — here’s how.
As usual, this isn’t a guide to cracking someone’s WPA2 encryption. It’s an explanation of how your encryption could be cracked and what you can do to better protect yourself. It works even if you’re using WPA2-PSK security with strong AES encryption.
Your Passphrase Can Be Cracked Offline
RELATED:Brute-Force Attacks Explained: How All Encryption is Vulnerable
There are two types of ways to potentially crack a password, generally referred to as offline and online. In an offline attack, an attacker has a file with data they can attempt to crack. For example, if an attacker managed to access and download a password database full of hashed passwords, they could then attempt to crack those passwords. They can guess millions of times per second, and they’re only really limited by how fast their computing hardware is. Clearly, with access to a password database offline, an attacker can attempt to crack a password much more easily. They do this via “brute-forcing” — literally attempting to guess many different possibilities and hoping one will match.
An online attack is much more difficult and takes much, much longer. For example, imagine an attacker were trying to gain access to your Gmail account. They could guess a few passwords and then Gmail would block them from trying any more passwords for a while. Because they don’t have access to the raw data they can attempt to match passwords against, they’re limited dramatically. (Apple’s iCloud wasn’t rate-limiting password guesses in this way, and that helped lead to the huge theft of nude celebrity photos.)
We tend to think of Wi-Fi as being only vulnerable to the online attack. An attacker will have to guess a password and attempt to log into the WI-Fi network with it, so they certainly can’t guess millions of times per second. Unfortunately, this isn’t actually true.
The Four-Way Handshake Can Be Captured
RELATED:How an Attacker Could Crack Your Wireless Network Security
When a device connects to a WPA-PSK Wi-Fi network, something known as the “four-way handshake” is performed. Essentially, this is the negotiation where the Wi-Fi base station and a device set up their connection with each other, exchanging the passphrase and encryption information. This handshake is WPA2-PSK’s Achilles’ heel.
An attacker can use a tool like airodump-ng to monitor traffic being transmitted over the air and capture this four-way handshake. They’d then have the raw data they need to perform an offline attack, guessing possible passphrases and trying them against the four-way-handshake data until they find one that matches.
If an attacker waits long enough, they’ll be able to capture this four-way handshake data when a device connects. However, they can also perform a “deauth” attack, which we covered when we looked at how your Wi-Fi network could be cracked. The deauth attack forcibly disconnects your device from its Wi-FI network, and your device immediately reconnects, performing the four-way handshake which the attacker can capture.
Image Credit: Mikm on Wikimedia CommonsCracking the WPA Handshake
With the raw data captured, an attacker can use a tool like cowpatty or aircrack-ng along with a “dictionary file” that contains a list of many possible passwords. These files are generally used to speed up the cracking process. The command tries each possible passphrase against the WPA handshake data until it finds one that fits. As this is an offline attack, it can be performed much more quickly than an online attack. An attacker wouldn’t have to be in the same physical area as the network while attempting to crack the passphrase. The attacker could potentially use Amazon S3 or another cloud computing service or data center, throwing hardware at the cracking process and speeding it up dramatically.
As usual, all these tools are available in Kali Linux (formerly BackTrack Linux), a Linux distribution designed for penetration testing. They can be seen in action there.
How To Crack Wpa/wpa2 Wifi
It’s tough to say how long it would take to crack a password in this way. For a good, long password, it could take years, possibly even hundreds of years or longer. If the password is “password”, it would probably take less than a single second. As hardware improves, this process will speed up. It’s clearly a good idea to use a longer password for this reason — 20 characters would take a lot longer to crack than 8. Changing the password every six months or every year could also help, but only if you suspect someone is actually spending months of computer power to crack your passphrase. You’re probably not that special, of course!
Breaking WPS With Reaver
RELATED:Don’t Have a False Sense of Security: 5 Insecure Ways to Secure Your Wi-Fi
There’s also an attack against WPS, an unbelievably vulnerable system that many routers ship with enabled by default. On some routers, disabling WPS in the interface doesn’t do anything — it stays enabled for attackers to exploit!
Essentially, WPS forces devices to use an 8-digit numerical PIN system that bypasses the passphrase. This PIN is always checked in groups of two 4-digit codes, and the connecting device is informed whether the four-digit section is correct. In other words, an attacker just has to guess the first four digits and then they can guess the second four digits separately. This is a fairly quick attack that can take place over the air. If a device with WPS didn’t work in this extremely insecure way, it would be violating the WPS specification.
WPA2-PSK likely has other security vulnerabilities we haven’t discovered yet, too. So, why do we keep saying WPA2 is the best way to secure your network? Well, because it still is. Enabling WPA2, disabling the older WEP and WPA1 security, and setting a reasonably long and strong WPA2 password is the best thing you can do to really protect yourself.
Yes, your password can probably be cracked with some amount of effort and computing power. Your front door could be cracked with some amount of effort and physical force, too. But, assuming you use a decent password, your Wi-Fi network will probably be okay. And, if you use a half-decent lock on your front door, you’ll probably be okay as well.
READ NEXTCrack Wpa
- › How to Use Port Knocking on Linux (and Why You Shouldn’t)
- › What Is a “Hot Take,” and Where Did the Phrase Come From?
- › How Windows 7’s “Extended Security Updates” Will Work
- › Windows 10’s Phone Calls Will Support All Android 7+ Phones
- › What Is Patch Tuesday for Windows, and When Is It?