How to crack WPA/WPA2 encryption

Msecurity BH
6 min read, Nov 10, 2022

Hello everyone, I hope whoever is reading this post is doing well, and the same for their family and everyone.

In this blog I am going to explain both encryptions, WPA and WPA2, and how we can crack them by learning some methods. Also note that you need a wireless adapter connected to the machine to run these methods; you can find some reliable adapters recommended below.

  • ALFA AWUS036ACH (new Type-C version), long-range dual-band AC1200 USB WiFi adapter
  • Alfa AWUS036NHA, wireless B/G/N USB adapter, 802.11n, 150 Mbps, 2.4 GHz, 5 dBi antenna

At the beginning I want to explain what each of these encryption names means and what the differences between them are.

WPA stands for Wi-Fi Protected Access.

WPA2 is the same idea as WPA, but more secure.

  • Both can be cracked using the same methods.
  • This encryption was created to solve the problems of WEP encryption.
  • It is much more secure than WEP.
  • WPA and WPA2 both encrypt traffic using a unique temporary key.

WPA uses TKIP, while WPA2 uses an encryption called CCMP.

Before we start cracking WPA/WPA2, I want to talk about the WPS feature of the router. If it is enabled, we will be able to connect to the network using an 8-digit PIN only, without the actual password of the network, and these 8 digits can be cracked in minutes using a program that brute-forces the PIN for us using a wordlist.

To discover networks that have WPS enabled, we will use the following command: wash --interface wlan0

wash: the name of the program

--interface: tells the program that we want to specify an interface

wlan0: our adapter name (interface) in monitor mode

But before doing that, make sure your interface is in monitor mode; here is how to do it:

  1. First we turn down the interface.
  2. We change wlan0, which is the interface, to monitor mode.
  3. Finally we bring the interface back up.

Now if you run the ifconfig command, the output should show that the interface is in monitor mode.

One thing to note: we must run the attack and check whether it fails; if it fails, it means the router does not have this feature (WPS) enabled.

As I explained in the previous blogs, we associate with the target network using aireplay-ng so that the network does not ignore us and communicates with us. So here we are going to use a fake authentication attack by typing the following:

sudo aireplay-ng --fakeauth 0 -a C0:25:E9:42:7E:A6 -h 00:13:EF:F2:08:F9 wlan0

USAGE EXAMPLE: aireplay-ng --fakeauth 0 -a <bssid> -h <wireless adapter MAC> <interface>

What each part of the command means:

aireplay-ng: the program name

0: tells the program that we want to run de-authentication

-a: specifies the MAC address of the router

-h: specifies the MAC address of the wireless adapter. In the ifconfig output the MAC address is located after unspec (12 digits); make sure you remove the minus signs (-).

Hint: you can run the ifconfig command to check your MAC address.

Then we are going to use a program called Reaver that will allow us to brute-force PINs.

Also, there is a problem with the new version of reaver that causes some errors, so download this older version and use it.

Download Reaver

Now that you have downloaded reaver, navigate to the downloads directory by typing cd Downloads/. Once you are in the downloads directory, we can run reaver:

./reaver -i wlan0 -b C0:25:E9:42:7E:A6 -vv --no-associate

Here we typed ./reaver to run the program (reaver). Note that you can use reaver --help for help. The options:

  • -i specifies an interface, like wlan0
  • -b specifies a BSSID
  • -vv shows us the errors while the process is running
  • --no-associate tells reaver that we do not want it to associate, because, as shown above, we are going to do the fake authentication attack manually to associate and communicate with the target network

Now run reaver, and after it is running, associate to the target network as shown above using the fake authentication attack.

Finally, you should be able to crack the PIN of the network. Note that when I tried this method on modern WiFi networks it did not work, so it might not work on some modern WiFi routers.

Creating a Dictionary Wordlist using crunch

Note: the handshake that we captured, as shown in the previous blogs, only contains data that lets us check whether a key is valid or not; it does not give us or recover the key itself. That is why in this post I am going to show you how to create a wordlist, so we can use it to crack the WiFi network and get the key.

So now let’s start:

As you can see in the picture above, using the tool is very easy. The syntax of crunch is: crunch <min> <max> <characters> -t <pattern> -o <filename>

<min>: the minimum length, and <max>: the maximum length of the words you want to generate.

<characters>: specifies the characters to use, for example all upper case, all lower case, only numbers, only letters, etc.

An optional option is -t: it is used to specify a pattern for the wordlist, for example if you want to generate words that start with A and end with C.

Last but not least, -o: used to specify the name of the file your wordlist will be stored in, for example Wordlist.txt.

You can use man crunch to get more helpful information about the tool, and press q to exit the help.

As you can see, we generated a wordlist with a minimum length of 2 and a maximum length of 6 from the character set ac69, and saved it in a file called Wordlist_test.txt. crunch reports that it generated 5456 different password combinations, and we can use cat <filename> to preview the wordlist.
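To put the crunch numbers above in perspective, here is an added Python example (not from the original post) that computes how many candidates a crunch run with the given lengths and character set produces, how big the file is, and how long trying all of them would take at an assumed guess rate; it also checks the generated lengths against the 8 to 63 character range that WPA/WPA2 passphrases must have, which a 2 to 6 character test list like the one above can never reach. The guess rate is a constructed assumption.

```python
"""Keyspace calculator for crunch-style wordlists (added example).

crunch enumerates every string of length <min>..<max> over <characters>, so
the count it reports is the sum of len(charset) ** n over those lengths.
"""
import string

# Assumed guess rate (constructed figure, not from the post): WPA2-PSK uses a
# deliberately slow key derivation, so a CPU typically manages only a few
# thousand passphrase guesses per second in aircrack-ng.
ASSUMED_GUESSES_PER_SECOND = 5_000

# WPA/WPA2 personal passphrases are 8 to 63 characters long.
WPA_MIN_PASSPHRASE, WPA_MAX_PASSPHRASE = 8, 63


def keyspace(min_len: int, max_len: int, charset: str) -> int:
    """Candidates written by `crunch <min> <max> <charset>` (distinct characters assumed)."""
    if min_len < 1 or max_len < min_len or not charset:
        raise ValueError("need 1 <= min <= max and a non-empty character set")
    n = len(charset)
    return sum(n ** length for length in range(min_len, max_len + 1))


def wordlist_bytes(min_len: int, max_len: int, charset: str) -> int:
    """On-disk size of the list: every candidate plus its trailing newline."""
    n = len(charset)
    return sum(n ** length * (length + 1) for length in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return candidates / rate


def usable_for_wpa(min_len: int, max_len: int) -> bool:
    """True only if at least one generated length is a valid WPA/WPA2 passphrase length."""
    return max_len >= WPA_MIN_PASSPHRASE and min_len <= WPA_MAX_PASSPHRASE


if __name__ == "__main__":
    # The post's example: crunch 2 6 ac69 -> 5456 candidates, a toy list.
    print(keyspace(2, 6, "ac69"), wordlist_bytes(2, 6, "ac69"), usable_for_wpa(2, 6))
    # An 8-character lowercase+digit passphrase: the same approach needs a
    # multi-terabyte file and years of guessing at the assumed rate.
    strong = keyspace(8, 8, string.ascii_lowercase + string.digits)
    print(strong, wordlist_bytes(8, 8, string.ascii_lowercase + string.digits),
          seconds_to_exhaust(strong) / (3600 * 24 * 365))
```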

Finally, you can use aircrack-ng <file.cap> -w <wordlistfile.txt> to run the wordlist against the captured handshake.

Note: it may be time consuming, but there are different ways to speed up the cracking process. Comment down below if you want a post about it.


Msecurity BH

Hello there, my name is Mohammed. I am a cybersecurity enthusiast and CTF player, interested in penetration testing and bug hunting :)