Friday, May 20, 2016

Cracking WPA/WPA2 Passwords Using Airmon-ng in Kali Sana

Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are the most widely used security algorithms for wireless networks. Wired Equivalent Privacy (WEP) was the original standard, but over time numerous security flaws were discovered in it, and as computing power increased it became easier and easier to exploit them.

Disclaimer: The contents of this article are for ethical and educational purposes.

You will need a working Kali Linux machine and either an external wireless card with packet injection capability or the wireless card built into your laptop.
First open the terminal and type airmon-ng to list the wireless interfaces; ifconfig lists the interfaces as well.

The wireless interface will usually be listed as wlan0, in some cases as wlp2s0.
Next start airmon-ng on the wireless interface:
airmon-ng start wlan0

This enables monitor mode, which lets you view the network traffic around you. There may be a warning listing processes that are running and may cause problems; these need to be killed. Kill them with the kill command or with airmon-ng check kill, then run the command again to enable monitor mode.

After successfully killing the processes, list the wireless networks around you to find an access point:
airodump-ng wlan0mon

Let it run for a while. Once you see the name of the target network, note its channel (CH) and its BSSID. Next run:
airodump-ng -c channel_no -w wireless_name --bssid bssid_no wlan0mon

In my case it is:
airodump-ng -c 11 -w Yell --bssid 30:39:26:E3:8B:93 wlan0mon
This restricts the capture to that one wireless network.

You will see the number of devices connected to the network. What you are doing now is waiting for a 4-way handshake, which will be shown in the top right corner. We will kick one of the connected computers or devices off the wireless network, and as it tries to reconnect it will perform the 4-way handshake we are looking for. So we send out deauthentication packets: open a new terminal and, using the BSSID noted earlier, type:
aireplay-ng -0 0 -a bssid_no wlan0mon

After a while you will successfully get a WPA handshake (see the top right of the airodump-ng terminal).
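The deauthentication burst just sent is also the part of this procedure a network owner can most easily spot: a healthy access point sends a handful of deauthentication frames a day, not dozens per second. The detector below is an added example, not code from the original post or from the aircrack-ng project. It runs a sliding-window count over a capture summary; the frame records, the MAC addresses and the threshold of ten frames per second are all constructed placeholders, and in practice the records would come from a monitor-mode capture parsed by a tool such as tshark.

```python
"""Flag deauthentication floods in a summary of captured 802.11 frames.

Added example (not from the original post). A wireless IDS such as Kismet
or a WLAN controller's rogue detection alerts on exactly the pattern that
"aireplay-ng -0" produces. The frames below are constructed by hand and
every MAC address is a placeholder.
"""
from collections import defaultdict, deque

AP = "AA:BB:CC:00:00:01"          # placeholder BSSID of the access point
CLIENT = "DE:AD:BE:EF:00:02"      # placeholder station address
BROADCAST = "FF:FF:FF:FF:FF:FF"


def build_sample_frames():
    """Constructed capture summary: (timestamp_s, subtype, bssid, destination)."""
    frames = []
    # Beacons every 100 ms for five seconds: ordinary background traffic.
    frames += [(i * 0.1, "beacon", AP, BROADCAST) for i in range(50)]
    # Three isolated deauths to one client over half a minute: normal
    # housekeeping such as an idle timeout, not an attack.
    frames += [(t, "deauth", AP, CLIENT) for t in (1.0, 12.0, 25.0)]
    # Twenty broadcast deauths 20 ms apart from t=2.0: the pattern a
    # deauthentication run without a client filter produces.
    frames += [(2.0 + i * 0.02, "deauth", AP, BROADCAST) for i in range(20)]
    return frames


SAMPLE_FRAMES = build_sample_frames()


def detect_deauth_flood(frames, threshold=10, window_s=1.0):
    """Sliding-window detector.

    Returns one alert per (bssid, destination) pair that receives at least
    `threshold` deauthentication frames inside any `window_s`-second window.
    Each alert is (bssid, destination, count_at_trigger, t_first, t_trigger).
    """
    recent = defaultdict(deque)   # (bssid, dest) -> timestamps inside window
    alerts = {}
    for ts, subtype, bssid, dest in sorted(frames):
        if subtype != "deauth":
            continue
        key = (bssid, dest)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_s:   # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = (bssid, dest, len(q), q[0], ts)
    return list(alerts.values())


def deauth_counts(frames):
    """Total deauth frames per destination, for a quick triage table."""
    counts = defaultdict(int)
    for _, subtype, _, dest in frames:
        if subtype == "deauth":
            counts[dest] += 1
    return dict(counts)


if __name__ == "__main__":
    for bssid, dest, n, t0, t1 in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"ALERT {bssid} -> {dest}: {n} deauths between "
              f"t={t0:.2f}s and t={t1:.2f}s")
    print("deauths per destination:", deauth_counts(SAMPLE_FRAMES))
```

With the default threshold only the broadcast burst trips the detector; the three client deauths spread over thirty seconds do not, which is the distinction that keeps such a rule from paging on routine idle timeouts. Lowering the threshold or widening the window trades that quiet for earlier warning.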

Close one of the terminals, then type ls to view the saved files containing details of the target wireless network (.kismet.csv, .kismet.netxml, .cap, .csv).

You will be using the one with the .cap extension to brute-force with a wordlist.

In Kali Linux the default wordlist rockyou.txt is located in /usr/share/wordlists/; you can extract and use it if you do not have a custom wordlist of your own.
With a wordlist available, downloaded or custom made, use it in the next step:
aircrack-ng -w /root/Desktop/wordlist.txt wirelessname.cap

In my case it is:
aircrack-ng -w /root/Desktop/wordlist.txt Yell-02.cap

My wordlist is saved in the /root/Desktop directory.
The passwords in the list are tried at different rates depending on whether the GPU or the CPU is used to crack the password.

After a while the key phrase is found :)

Brute-forcing takes a while depending on the password used. WPA allows a password length of up to 64 characters with a mixture of uppercase, lowercase, numbers and special characters.
Although passwords can be cracked, there are a number of ways to make them hard or nearly impossible to crack:
    • Use long passwords; more characters make them stronger. A 10 numeral long password has 1000 million combinations and may take an attacker about 28 hours to crack at class A speed (10,000 passwords/sec). Password recovery speed tables give the figures for other combinations of character types.
    • Mix uppercase and lowercase letters.
    • Add special characters and symbols.
    • Use substitution or leet speak, i.e. replace letters with similar-looking characters, for example a with @ and s with 5.
    • Change your password often and never use the same password on different password-protected accounts/sites.
    • Never use birth dates, pet names or phone numbers as your password.
    • Avoid using dictionary words as your password; they are susceptible to dictionary attacks even if you add digits after them.
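The list above can be turned into two concrete checks: how large the search space for a passphrase is at a given guessing rate, and whether a candidate is a dictionary word with digits tacked on, which a wordlist plus a simple suffix rule still catches. The script below is an added example, not code from the original post. It generalises the post's class A figure of 10,000 passwords/sec to any rate, length and mix of character classes; the minimum length of 12, the five-word sample wordlist and the candidate passphrases are constructed for illustration, and a real check would read a file such as the rockyou.txt list mentioned above.

```python
"""Password-policy checks and search-space estimates for a WPA passphrase.

Added example, not code from the original post. keyspace() and
seconds_to_exhaust() carry the post's "N combinations at 10,000 guesses per
second" reasoning through for any character mix; dictionary_with_suffix()
encodes the warning that a word plus trailing digits is still dictionary-based.
The wordlist and policy thresholds below are constructed for illustration.
"""
import re

# Size of each character class in printable ASCII (95 printable characters:
# 10 digits + 26 lowercase + 26 uppercase + 33 symbols, space included).
CLASS_SIZES = {"digits": 10, "lower": 26, "upper": 26, "symbols": 33}

# Constructed mini wordlist standing in for a file such as rockyou.txt.
SAMPLE_WORDLIST = {"password", "welcome", "sunshine", "dragon", "football"}


def keyspace(length, classes):
    """Number of passphrases of exactly `length` drawn from the given classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def seconds_to_exhaust(length, classes, guesses_per_second):
    """Worst-case time to try every candidate at a constant guessing rate."""
    return keyspace(length, classes) / guesses_per_second


def describe_duration(seconds):
    """Render seconds in the largest unit of which there are at least two."""
    units = [("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= 2 * size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def classes_used(passphrase):
    """Which character classes actually appear in the passphrase."""
    present = set()
    if re.search(r"\d", passphrase):
        present.add("digits")
    if re.search(r"[a-z]", passphrase):
        present.add("lower")
    if re.search(r"[A-Z]", passphrase):
        present.add("upper")
    if re.search(r"[^0-9A-Za-z]", passphrase):
        present.add("symbols")
    return present


def dictionary_with_suffix(passphrase, wordlist=SAMPLE_WORDLIST):
    """True if the passphrase is a wordlist entry optionally followed by digits
    (e.g. 'dragon2016'), the pattern the post warns is still crackable."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", passphrase)
    return bool(m) and m.group(1).lower() in wordlist


def check_passphrase(passphrase, guesses_per_second=10_000, min_length=12):
    """Apply the post's guidance and return a dict of findings."""
    classes = classes_used(passphrase)
    findings = {
        "length_ok": len(passphrase) >= min_length,
        "classes": sorted(classes),
        "mixed_case": {"lower", "upper"} <= classes,
        "has_symbol": "symbols" in classes,
        "dictionary_based": dictionary_with_suffix(passphrase),
    }
    # Worst-case exhaustive search over only the classes the passphrase uses:
    # an attacker who knows the policy never tries the others.
    findings["exhaust_time"] = describe_duration(
        seconds_to_exhaust(len(passphrase), classes, guesses_per_second))
    findings["acceptable"] = (findings["length_ok"] and findings["mixed_case"]
                              and findings["has_symbol"]
                              and not findings["dictionary_based"])
    return findings


if __name__ == "__main__":
    # Constructed candidates: dictionary word plus year, digits only, and a
    # long mixed-class passphrase.
    for candidate in ("dragon2016", "123456789", "Tr0ub4dor&3!xYz9"):
        print(candidate, check_passphrase(candidate))
```

Note that the estimate is sized over the classes the passphrase actually uses, because an attacker who knows the policy never bothers with the rest; nine digits at 10,000 guesses per second come out at just under 28 hours, while a 16-character mix of all four classes is measured in years even at rates far above class A.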