If you open the output_file.pcap file with the Wireshark, filter by “ eapol“, which stands for Extensible Authentication Protocol (EAP) over LAN, to see the 4-way handshake. On the airodump terminal, you may see at the top “ WAP handshake: FF:FF:FF:FF:FF:FF“, which means the handshake was captured and the process can be stopped. The first argument 0 is the rate of the packets to be sent, -a is the access point, and -c is the client. sudo aireplay-ng -deauth 0 -a FF:FF:FF:FF:FF:FF -c EE:EE:EE:EE:EE:EE wlan0mon Then in another terminal try to disconnect one of the clients.
Note that -c1 means channel 1 and FF:FF:FF:FF:FF:FF represents the MAC address of the desired router. sudo airodump-ng -c1 -w output_file -d FF:FF:FF:FF:FF:FF wlan0mon The tool will do a channel hopping and will find out all the reachable routers and the devices connected to them. The hash cracking part is more critical because it can use a public passwords list, or another passwords list you created using tools like CUPP in combination or not with Mentalist.Ĭhanging the wireless adapter to monitor mode, check the mode changed, and start grabbing packages: sudo airmon-ng start wlan0 To capture the handshake a device has to connect to the network, and this can be a long waiting process or maybe kick one device off and wait for it re-connect.
The basics about cracking a WIFI that uses WPA/WPA2 are capturing the 4-way handshake and use the acquired data into hashcat to recreate the password using brute force.
Once you know the channel and the BSSID (MAC of the router) you run the following commands in two different terminals: airodump-ng wlan0 -c 1 -b FF:FF:FF:FF:FF:FFĪirodump will be capturing packets in one terminal while aircrack will be re-checking the file every 5000 packets until it gets enough information to crack the password. wep.pcapĪnother way may take a bit longer because the is no packet injection to speed up the process, but works fine too. It is going to give you the hex version of the password, so use it to get the ASCII version of it: aircrack-ng. First, it does injection and then later it does flood. The preview command keeps capturing IV packages, which are the type of packages used to crack WEP. Replace the channel number ( 1 in the example) and the MAC address ( FF:FF:FF:FF:FF:FF in the example) with the data from airodump: basside-ng wlan0 -c 1 -b FF:FF:FF:FF:FF:FF Hacking WIFI with WEP encryption is very simple.įirst, listen for any WIFI running WEP nearby: airodump-ng wlan0 -encrypt wep The name of the file that contains the authentication handshakeĬool Tip: Want to have some “fun”? Create a Linux fork bomb! One small string that is able to hang the whole system! Read more → Aircrack-ng: RESUMEĬontinue cracking from where it was stopped (resume session foo): $ john -restore=foo | aircrack-ng -w -b 00:11:22:33:44:55 WPAcrack.This whole blog and including this post is just for educational purposes and do not do anything to a WIFI network that does not belong to you or that you have written permission to do so.
Start cracking WPA/WPA2-PSK key, using John The Ripper and aircrack-ng: $ john -session=foo -stdout -wordlist=wordlist.dic | aircrack-ng -w -b 00:11:22:33:44:55 WPAcrack.cap Option Let’s use John The Ripper to create a session foo, pipe its output to aircrack-ng, try to PAUSE and then RESUME the cracking. To continue an interrupted session, run the John with -restore= option. When you press Q or Ctrl + C, John The Ripper aborts/pause cracking and saves the information about the progress of the current session to a file ~/.john/john.rec (by default).
If you crack WPA/WPA2-PSK key with John The Ripper, you can press any key to check the current status.