The Hackr

Cracking WPA2-PSK Passwords Using Aircrack-ng

Hello fellow hackers! Today we are going to hack Wi-Fi passwords using Aircrack-ng. Aircrack-ng is a widely used tool that can break into Wi-Fi networks within minutes, depending on the strength of the password in use.

The most common types of wireless security are Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop and widely available software tools. WPA was a quick alternative introduced to improve security over WEP.
Cracking of wireless networks means defeating the security mechanisms of wireless local-area networks. WLANs, also called Wi-Fi networks, are inherently prone to security lapses.
There are two basic types of vulnerabilities associated with WLANs: those caused by poor configuration and those caused by weak encryption.

So let's get to the demo! The actual process goes as described below.

The weakness in the WPA2-PSK system is that the encrypted password is exchanged in what is known as the 4-way handshake.
When a client authenticates to the access point (AP), the client and the AP go through a 4-step process to authenticate the client to the AP. If we can capture the password material at that time, we can then attempt to crack it.

STEP 1: Put the Wi-Fi Adapter in Monitor Mode with airmon-ng

Let's start the whole process by putting our wireless adapter in monitor mode. This is similar to putting a wired adapter into observation mode: it lets us see all the wireless traffic, i.e. the Wi-Fi networks, around us. So let's open a terminal and type:

airmon-ng start wlan0

You will now see that airmon-ng has renamed your wlan0 adapter to wlan0mon or mon0, depending on your wireless adapter and driver. If it reports any conflicting processes, kill them by typing

kill process_id

STEP 2: Capture Available Wireless Traffic Using airodump-ng

With our wireless adapter in monitor mode, it can see all the wireless traffic nearby. We capture the traffic we need with the airodump-ng command.

airodump-ng grabs all the nearby traffic and displays the critical information about each wireless network: the BSSID (the MAC address of the AP), power, number of beacons, number of data frames, channel, transfer rate, encryption status (if any), and finally the ESSID, the name of the wireless network that most people refer to as the SSID. We run airodump-ng by typing

airodump-ng wlan0mon

Now we can see the APs in the proximity of our hacking station. All the visible APs are listed in the upper part of the screen, and the clients connected to each AP are listed in the lower portion of the screen.

STEP 3: Focus airodump-ng on the Required AP and a Single Channel

In this step we focus airodump-ng on the single AP, and the single channel, that we are trying to hack, and capture its critical data to a file. We need the BSSID and the channel of the AP to do this. So, open another terminal and type

airodump-ng --bssid 5C:F1:88:89:7F:E2 -c 1 --write WPAhack wlan0mon
  • 5C:F1:88:89:7F:E2 is the BSSID of the AP
  • -c 1 is the channel of the AP we are working on
  • WPAhack is the file prefix we want to write the capture to
  • wlan0mon is the monitoring wireless adapter

As you can see from the above screenshot, we are now focusing on capturing data from one AP, with an ESSID of sredsredsred, on channel 6. We get far more useful information by pinning airodump-ng to a single channel rather than hopping across all the channels.

STEP 4: Kick the Client(s) off the Victim Wi-Fi Using aireplay-ng

The packet we want to capture is the one that carries the password, which is usually encrypted. For that to happen, we first have to kick a client off the victim's Wi-Fi network so that a four-way handshake takes place. So we usually DoS the network to kick off all the users, or a single user using the IP of the victim client. To make this happen, let's type

aireplay-ng --deauth 100 -a 5C:F1:88:89:7F:E2 wlan0mon
  • 100 is the number of de-authentication frames you want to send
  • 5C:F1:88:89:7F:E2 is the BSSID of the AP
  • wlan0mon is the monitoring wireless adapter

STEP 5: Capturing the 4-way Handshake

In the previous step we bounced the user off their own AP; their device will usually try to re-authenticate automatically. airodump-ng will now attempt to capture the encrypted password, i.e. the 4-way handshake. We can check progress in the top right corner of the airodump-ng screen, where “WPA handshake” appears once it has been captured.
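The defender's counterpart to steps 4 and 5, as an added example that is not part of the original post: a small Python detector that reads constructed management-frame records and flags any source address that emits a burst of deauthentication frames within a short window, which is what a wireless IDS looks for. The comma-separated record format, the sample data and the thresholds are assumptions made here, not real tool output.

```python
from collections import defaultdict, deque

# Constructed sample frames in an assumed "timestamp,subtype,source,destination"
# format (seconds, 802.11 management subtype, source MAC, destination MAC).
# A normal AP beacons steadily and sends the occasional deauth when a client
# genuinely leaves; a deauth flood is dozens of frames inside a single second.
def build_sample():
    lines = []
    # Background: the AP from the walkthrough beaconing every ~100 ms for 3 s.
    for i in range(30):
        lines.append(f"{i * 0.1:.2f},beacon,5C:F1:88:89:7F:E2,FF:FF:FF:FF:FF:FF")
    # One benign deauth from a second, made-up AP (a client roamed away).
    lines.append("1.00,deauth,00:11:22:33:44:55,AA:BB:CC:DD:EE:01")
    # A burst of 100 broadcast deauths carrying the AP's BSSID as source,
    # 5 ms apart, as a deauth attack against that AP would look.
    for i in range(100):
        lines.append(f"{1.5 + i * 0.005:.3f},deauth,5C:F1:88:89:7F:E2,FF:FF:FF:FF:FF:FF")
    # Records arrive in time order, as a capture would deliver them.
    return sorted(lines, key=lambda l: float(l.split(",")[0]))


def parse_frame(line):
    ts, subtype, src, dst = line.strip().split(",")
    return float(ts), subtype, src, dst


def detect_deauth_floods(lines, window=1.0, threshold=20):
    """Return {source_mac: first_timestamp_flagged} for every source that sends
    at least `threshold` deauth frames inside any `window`-second span.
    A sliding deque of recent timestamps is kept per source address."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts, subtype, src, _dst = parse_frame(line)
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts   # report each flooding source once
    return alerts


if __name__ == "__main__":
    for mac, when in detect_deauth_floods(build_sample()).items():
        print(f"deauth flood from {mac} detected at t={when:.3f}s")
```

Enabling Protected Management Frames (802.11w) on the AP and its clients makes forged deauthentication frames get rejected, which removes the trigger this step relies on.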

STEP 6: Crack the Captured Password Using aircrack-ng

Now that we have the encrypted password, let's try cracking it with the aircrack-ng tool, available in Kali as aircrack-ng or as darkc0de in BackTrack. We already saved the encrypted password capture under the prefix WPAhack. So let's start it by typing

aircrack-ng WPAhack-01.cap -w /usr/share/wordlists/rockyou.txt.gz

  • WPAhack-01.cap is the name of the file in which we previously saved our captured encrypted password
  • /usr/share/wordlists/rockyou.txt.gz is the path to our password file, or wordlist

So, finally!

The whole cracking process can be relatively slow.

Depending on the length of the password list, our CPU resources and the complexity of the password, we could be waiting a few minutes, a few days or even a few years!
It usually comes down to what type of CPU we are using, since that determines how many passwords per second it can try. Hence results may vary.

When it successfully cracks the password, we will see it on the screen. If choosing a wordlist is a concern, use the default wordlist such as rockyou.txt that ships with Kali; it can save some time here.


The hacking trend these days has definitely turned criminal because of e-commerce ¯\_(ツ)_/¯