- Edited
This tutorial is for educational purpose and I'm not responsible for any misuse of the aircrack-ng tool.
Here's a WEP and WPA cracking tutorial.
Wep Cracking Tutorial:
First of all you need Backtrack Live Cd ( ISO or Vmware Image ) that can be downloaded from :
http://www.backtrack-linux.org/downloads/
Or a Linux Distro with Aircrack-ng installed ( it can be cracked with other tools but this tut is for aircrack ).
And the most important thing is that YOU NEED TO HAVE A WIRELESS CARD that SUPPORTS INJECTION.
Description:
1) To know what interface your wireless card is using, for example wlan0 or mon0 or ath0 .......
type:
2) to set you wireless card on monitor mode you must type:
open a shell and type:
4) To know your wireless card Mac Address, type:
6) Use aireplay-ng to do a fake authentication with the access point.
7)
if succesful then you will get:
"Success! The file “fragment-01234-42132148.xor”= "example.xor" can then be used in the next step to generate an arp packet. "
8) In the previous step, we obtained PRGA. It does not matter which attack generated the PRGA, both are equal. This PRGA is stored in the files ending with “xor”. We can then use this PRGA to generate a packet for injection. We will be generating an arp packet for injection. The objective is to have the access point rebroadcast the injected arp packet. When it rebroadcasts it, a new IV is obtained. All these new IVs will ultimately be used to crack the WEP key.
For example, if you used in step 2 -w lebgeek then you used it again same name, your last step will be lebgeeks-02.cap.
=================================================
Cracking WPA:
WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.
The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.
There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is, because the key is not static, so collecting IVs like when cracking WEP encryption, does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.
IMPORTANT This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.
Before we start, There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.
1) Start airodump-ng to collect authentication handshake
The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.
Beware - YOU CAN'T CRACK A WPA WITHOUT GETTING a 4-WAY AUTHENTICATION HANDSHAKE.
Same steps in WEP until STEP 4.
type:
In the line above, notice the “WPA handshake: 00:14:6C:7E:40:80” in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.
2) Use aireplay-ng to deauthenticate the wireless client.
"This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you opted to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured. Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step.
This step sends a message to the wireless client saying that that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key."
Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. You need the MAC address for the following.
Open a new shell and type the following:
3)Run aircrack-ng to crack the pre-shared key.
aircrack-ng -w (any worldlist .lst ...) -b (Target mac address) (name in -w in airodump-ng)-01.cap
if you get this error: No valid WPA handshakes found. That means you didn't get any handshake.
Anyway I won't waste my time with WPA cracking because lebanese people use most of the time their phone numbers or strange names as password so its difficult to crack.
WPA cracking could be done by Bruteforcing but imagine how much time it needs to be done ?
check this site to calculate the bruteforcing speed to crack a pass http://lastbit.com/pswcalc.asp
Hope you enjoy it.
Will post some tutorials from time to time.
Here's a WEP and WPA cracking tutorial.
Wep Cracking Tutorial:
First of all you need Backtrack Live Cd ( ISO or Vmware Image ) that can be downloaded from :
http://www.backtrack-linux.org/downloads/
Or a Linux Distro with Aircrack-ng installed ( it can be cracked with other tools but this tut is for aircrack ).
And the most important thing is that YOU NEED TO HAVE A WIRELESS CARD that SUPPORTS INJECTION.
Description:
Tutorial: How to crack WEP with no wireless clients. (it will work even with clients, work for both).Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools.
In fact, Aircrack-ng is a set of tools for auditing wireless networks.
1) To know what interface your wireless card is using, for example wlan0 or mon0 or ath0 .......
type:
iwconfig2) to set you wireless card on monitor mode you must type:
airmon-ng start wlan0open a shell and type:
aireplay-ng -9 wlan0 or aireplay-ng --test wlan0airodump-ng wlan04) To know your wireless card Mac Address, type:
macchanger -s wlan0airodump-ng --bssid (Mac address) -c (channel number) -w (any name) wlan06) Use aireplay-ng to do a fake authentication with the access point.
Type:This is a very important step.
In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet. In this state, no new IVs are created because the AP is ignoring all the injected packets.
The lack of association with the access point is the single biggest reason why injection fails.
To associate with an access point, use fake authentication.
aireplay-ng -1 0 -e (Target wireless name or ESSID) -a (Target Mac address or BSSID) -h (your wireless card mac address) wlan07)
Here you can use 2 types of attacks. Either you use ChopChop(-4) or Fragmentation(-5) attack.The objective of the chopchop and fragmentation attacks is to obtain a PRGA (pseudo random generation algorithm) file. This PRGA is not the WEP key and cannot be used to decrypt packets. However, it can be used to create new packets for injection. The creation of new packets will be covered later in the tutorial.
aireplay-ng -5 -b (target Mac address or BSSID) -h (your wireless card mac address) wlan0 aireplay-ng -4 -b (target Mac address or BSSID) -h (your wireless card mac address) wlan0if succesful then you will get:
"Success! The file “fragment-01234-42132148.xor”= "example.xor" can then be used in the next step to generate an arp packet. "
8) In the previous step, we obtained PRGA. It does not matter which attack generated the PRGA, both are equal. This PRGA is stored in the files ending with “xor”. We can then use this PRGA to generate a packet for injection. We will be generating an arp packet for injection. The objective is to have the access point rebroadcast the injected arp packet. When it rebroadcasts it, a new IV is obtained. All these new IVs will ultimately be used to crack the WEP key.
packetforge-ng -0 -a (Target mac address or BSSID) -h (your wireless card mac address) -k 255.255.255.255 -l 255.255.255.255 -y (.xor you received in the last step) -w (any name)aireplay-ng -2 -r (name in -w in packetforge) ath0aireplay-ng -3 -r (name in -w in packetforge) -b (target mac address) -h (your wireless card mac address) wlan0 aircrack-ng (name in -w from airodump step 5)-01.capFor example, if you used in step 2 -w lebgeek then you used it again same name, your last step will be lebgeeks-02.cap.
=================================================
Cracking WPA:
WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.
The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.
There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is, because the key is not static, so collecting IVs like when cracking WEP encryption, does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.
IMPORTANT This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.
Before we start, There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.
1) Start airodump-ng to collect authentication handshake
The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.
Beware - YOU CAN'T CRACK A WPA WITHOUT GETTING a 4-WAY AUTHENTICATION HANDSHAKE.
Same steps in WEP until STEP 4.
type:
airodump-ng -c (target channel) --bssid (target mac address or BSSID) -w (any name) wlan0In the line above, notice the “WPA handshake: 00:14:6C:7E:40:80” in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.
2) Use aireplay-ng to deauthenticate the wireless client.
"This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you opted to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured. Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step.
This step sends a message to the wireless client saying that that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key."
Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. You need the MAC address for the following.
Open a new shell and type the following:
aireplay-ng -0 1 -a (target mac address) -c (your wireless card mac address) wlan0 16:30:28 Sending DeAuth to station -- STMAC: [00:0F:B5:34:30:30]3)Run aircrack-ng to crack the pre-shared key.
aircrack-ng -w (any worldlist .lst ...) -b (Target mac address) (name in -w in airodump-ng)-01.cap
if you get this error: No valid WPA handshakes found. That means you didn't get any handshake.
Anyway I won't waste my time with WPA cracking because lebanese people use most of the time their phone numbers or strange names as password so its difficult to crack.
WPA cracking could be done by Bruteforcing but imagine how much time it needs to be done ?
check this site to calculate the bruteforcing speed to crack a pass http://lastbit.com/pswcalc.asp
Hope you enjoy it.
Will post some tutorials from time to time.
