Crack WPA Handshake using Aircrack with Kali Linux

Today’s tutorial will be looking into how you can crack the password of the 4 way handshake of someone that is re-authenticating themselves to a wireless router. The goal is to gain access to the router.

As always guys, these posts are for Penetration Testing purposes and not to be used on real networks without permission.

$199 ENROLLS YOU INTO OUR SELF PACED COURSE – LFS264 – OPNFV FUNDAMENTALS!

So let’s get started, first we need to fire up our Kali Linux machine and get our WiFi card into monitor mode so we can monitor local connections to local routers. Then we will need to de-authenticate a user from the WiFi connection, this will give us time to capture the re-authentication (the 4 way handshake). Once we do that we will try to crack the password to that WiFi router to gain access.

Once you are logged into Kali Linux, open a command shell. Type

iwconfig

This will tell you the interfaces that are connected to the internet over a wireless connection.

wifi1.PNG

We can see that our interface wlan0 is our listening interface, at the moment it’s in Managed Mode. We want to change that to Monitor Mode to scan for local devices trying to connect to local routers.

ENROLL TODAY IN THE SELF PACED COURSE – LFS263 – ONAP FUNDAMENTALS FOR $199!

It does this by packet capture over the airwaves. Kali does it with a range of tools. Airmon allows us to start monitor mode on this interface.

airmon-ng start wlan0

wifi2.PNG

That seemed to work, no errors, so let’s check to see that the interface is in monitor mode.

iwconfig

wifi3

Cool, the interface is set. Once you have that set up we can now grab packets from the airwaves on this interface.

airodump-ng wlan0mon

 

wifi4.PNG

This process is knows as Channel Hopping and you will see the monitor change channels on the top left hand corner. It’s trying to find the devices that are trying to connect to all access points in the vicinity no matter what channel they are on.

$299 REGISTERS YOU FOR OUR NEWEST SELF PACED COURSE! LFD201 – INTRODUCTION TO OPEN SOURCE DEVELOPMENT, GIT, AND LINUX!

Now let’s say we want to target this AmIRootYet channel then we can stop the packet capture.

wifi5.PNG

Now that we have our target router, let’s see what devices are trying to connect to it. As we can see from above, the BSSID is being broadcast for devices to detect their presence and underneath, the Stations (clients) are associated with the access points.

Now that we know the channel to the access point we are interested in we can just filter everything else out. Airodump will help us do that.

airodump-ng -c2 -w capture -d DE:EF:CA:CA65AF wlan0mon

The -c tag is the channel, the -w tag is writing the packet capture to a file called ‘capture’ and then we need to specify the BSSID. Then the interface at the end.

wifi6.PNG

Now it is fixed on the channel we want (2) and the access point we are trying to crack. On the bottom line we can see the access point and the Station beside it, that is a device that’s connected to that router.

REGISTER TODAY FOR YOUR KUBERNETES FOR DEVELOPERS (LFD259) COURSE AND CKAD CERTIFICATION TODAY! $499!    $299 now!!

Our purpose now is to knock that Station, or any other device that’s connected to this access point, off of it, so that they have to reconnect. This will enable us to capture the re-authentication handshake and then we will try to crack the password offline.

To knock the client off the network we need to firstly de-authenticate them from the access point. Airplay in Kali let’s us do exactly this. So grab the BSSID of the Station or client, we will need that for the next command.

aireplay-ng --deauth 0 -a DE:EF:CA:CA:65:AF -c 10:A5:D0:EB:99:E6 wlan0mon

The -c flag is the client we want to knock off the network, if we didn’t specify this we would knock all clients from the network and raise suspicion.

wifi7.PNG

Perfect, we are sending de-authentication packets to the client now. Now we wait to see if it got knocked off the network. This may take some time so be patient.

wifi8

What we are waiting for in the top right hand corner is for the WPA handshake to show up. Once we capture it we are good to go.

wifi9.PNG

BOOM! There it is!! We were able to knock the client off the network and we have captured the handshake in our file that we called ‘capture’.

wifi10

As we can see we have the capture file, so let’s open it up in Wireshark and see what it gives us. Wireshark comes as a default tool in Kali Linux.

wireshark capture-01.cap

Wireshark is a network protocol analyser but you could use another tool if you are more comfortable with something else.

$299 WILL ENROLL YOU IN OUR SELF PACED COURSE – LFS205 – ADMINISTERING LINUX ON AZURE!

wifi11

There are a lot of packet captures we don’t want to see here, so let’s use the filter to just show us the 4 way handshake. In the filter filed type:

eapol

This stands for Extensible Authentication Protocol Over LAN (Local Area Network) and will filter just what we want.

wifi12.PNG

Look at that, 4 packets. That is the 4 way handshake we are looking for. So let’s dig into the packet a bit and see what’s in here. Click on the arrow beside 802.1X Authentication and this should give us the WPA Key.

wifi13

Marvelous, just one more thing to do now is to try and crack the key to get a password from it. We will be using a built in wordlist that we made for this post. Aircrack will help us achieve this with a brute force dictionary attack.

BUNDLE CLOUD FOUNDRY FOR DEVELOPERS COURSE(LFD232) AND THE CFCD CERTIFICATION FOR $499!

So it’s going to fire all passwords in the list at the target to see if we can guess the correct password eventually.

aircrack-ng capture-01.cap -w /usr/share/dict/words

wifi14.PNG

This could take days, weeks or even months depending on the combination of letters and numbers and special characters that you use in the wordlist. For this demonstration though, we just used an easy passphrase to get access.

Once we get the password Aircrack will et us know that it was found successfully.

wifi15.PNGWe cracked the password as we can see and it is the word ‘community’. This is why you should always use strong passwords for access to any network.

Thank you so much for reading until the end. Please like, subscribe or comment, we’d love to hear from you. Also, give us some of your own ideas that you’d like us to cover.

Peace!! 🕊️

Quits 2019-10-29

banner2

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.