I have had several people ask me how to crack WPA2 networks using BackTrack. While cracking WPA2 is actually a fairly simple task, it is also VERY time consuming. Once you have captured the encrypted key, you still have to crack it. This is usually done with a bruteforce attack on the captured data. Bruteforcing a key can take minutes, hours, days or even weeks, depending entirely on how strong your dictionary is.
In this tutorial, I will guide you through the steps of cracking WPA2 using a bruteforce with John The Ripper.
I will assume that you have already booted Backtrack and have a Konsole window open. I will also assume that you know the name of your wireless interface. For this tutorial, I'll refer to the interface as [INT].
Step 1:
The first thing that you need to do is put your wireless card in monitor mode. This will allow the card to capture all of the data we need. To do this, simply issue airmon-ng start [INT] in your Konsole window.
Step 2:
Now that the wireless card is monitoring, we need to find a wireless network that uses WPA2 encryption. To do this, just issue airodump-ng [INT] in the same Konsole window. This will display a list of the wireless networks in range. Choose one that has WPA in the ENC column.
Step 3:
Once you have found your target network (for legal purposes, I'll assume this is your network), note the BSSID, the channel, and the ESSID of the network. You'll need this information later on.
Now you need to stop airodump. This can be done by pressing the Ctrl-C combination on the keyboard. After airodump has been stopped, you'll need to start it again, this time writing the packets it collects to a local file. We will need this later for decryption. You can do this by issuing the following command in the same Konsole: airodump-ng [INT] --channel [CH] --bssid [BSSID] -w /tmp/wpa2
Step 4:
In order to collect the security key, we need to capture a 4-way handshake between a connecting client and the access point. This can be done two ways. You can wait for a new client to connect to the network, or you can deauthenticate an existing client and force it to reassociate. We will force deauthentication. In order for this to work, you will need the MAC address of one of the existing clients on the network. This can be found pretty easily, so I will not cover it in this tutorial. After you have the MAC of a client, issue this command in a new Konsole window: aireplay-ng -0 1 -a [BSSID] -c [CLIENT MAC] [INT]
Finally:
After you have executed the command in step 4, an existing client will be forced to reassociate with the AP and we will be there to collect the 4-way handshake. If this was successful, airodump (in the other Konsole window) will indicate "WPA Handshake:" in the upper right hand corner.
Once airodump has indicated the handshake, we have collected the key and written it to the local file we specified at the end of the command in step 3. The next thing we need to do is decrypt the key. This is an incredibly long, boring task. This is the part that consumes the most time. It could take minutes, hours, days or weeks depending on the speed and performance of your computer. For decryption, we'll use John The Ripper to bruteforce the key. After stopping airodump in the current window, issue the following command:
/pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b [BSSID] -w - /tmp/wpa2*.cap
This command starts John The Ripper. John The Ripper generates all of the possible combinations and feeds them into aircrack-ng, which actually decrypts the key when the right combination is found.
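To make the "minutes, hours, days or weeks" claim concrete, here is an added illustration that is not part of the original post. Every candidate passphrase that aircrack-ng tests has to be run through the WPA2 key derivation (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, as specified in IEEE 802.11i), and the script measures that per-guess cost on the local CPU and then computes how large the keyspace is for a few passphrase shapes. WPA passphrases are a minimum of 8 characters, so it compares the 8-character minimum against longer ones. The SSID and the passphrase shapes are constructed sample values, and the guess rate reported is a rough single-core Python figure, not a benchmark of John The Ripper or aircrack-ng.

```python
import hashlib
import math
import time

# Constructed sample SSID (not from the original post); substitute your own network's name.
SSID = "ExampleNet"


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2 Pairwise Master Key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations,
    # 256-bit output (IEEE 802.11i). This is the work a cracker must repeat for
    # every candidate passphrase, which is why the final step of the tutorial is slow.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def keyspace(charset_size: int, length: int) -> int:
    # Number of distinct passphrases of exactly `length` characters over the charset.
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    # Worst-case time to try every passphrase of this shape at the given guess rate.
    return keyspace(charset_size, length) / guesses_per_second


def measure_guess_rate(ssid: str, samples: int = 100) -> float:
    # Rough single-core estimate of PMK derivations per second on this machine.
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk("candidate%08d" % i, ssid)
    return samples / (time.perf_counter() - start)


def describe(seconds: float) -> str:
    # Render a duration in the largest unit that fits.
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return "%.1f %s" % (seconds / size, unit)
    return "%.1f seconds" % seconds


if __name__ == "__main__":
    rate = measure_guess_rate(SSID)
    print("this CPU: about %.0f PMK derivations/second (one core, hashlib)" % rate)
    # Compare the 8-character WPA minimum with longer passphrases.
    for label, charset, length in (("8 lowercase letters", 26, 8),
                                   ("8 mixed-case + digits", 62, 8),
                                   ("12 mixed-case + digits", 62, 12),
                                   ("20 lowercase letters", 26, 20)):
        print("%-24s keyspace 10^%.1f  exhaustive search: %s"
              % (label, math.log10(keyspace(charset, length)),
                 describe(seconds_to_exhaust(charset, length, rate))))
```

The numbers that come out are the defender's side of this tutorial: a passphrase that is long and drawn from a large character set pushes the exhaustive search from days into geological time, whatever hardware is doing the guessing, because the 4096-iteration derivation has to be paid for every single candidate.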
Conclusion:
So, we used airmon-ng, airodump-ng, aireplay-ng, aircrack-ng and John The Ripper to crack a WPA2 network. As I stated above, the final step can take a VERY LONG time to complete, so allow yourself plenty of time.
If you have any questions or comments, please feel free to let me know!
This works, but aren't WPA/WPA2 passwords 8 characters long? Seems a waste to try 3 char possibilities...
WPA/2 passwords are typically 8 or more characters long, yes. This was just a simple example that is a starting point. More experienced crackers, like I would assume you are (nice catch!), can expand on this with no problem.
Who knows, maybe I'll expand on that in another post.