
Cracking WPA/WPA2


This can be done due to a weakness in the four-way handshake between the client and the access point. In summary, a client authenticates to an access point by going through a four-step exchange. This is the moment when an attacker can capture the handshake and use a brute-force (wordlist) approach to recover the password from it. How long this takes depends on how unique the network password is, how extensive the wordlist you brute force with is, and the processing power of the system. Unfortunately, the Raspberry Pi lacks the processing power and the disk space to accommodate large wordlist files, so you might have to crack the password off-box with a tool such as John the Ripper. We recommend this route for most WPA2 hacking attempts.
Here is the process to crack WPA on a Linksys WRVS4400N wireless router using a Raspberry Pi with on-box tools. We use a WPA example so that the time-consuming part can be completed quickly on a Raspberry Pi. Most WPA2 cracking examples would take a very long time to run on a Raspberry Pi; however, the steps are the same when run on a faster off-box system.

The steps are as follows:

1.  Start airmon-ng (part of the aircrack-ng suite) by opening a terminal and typing "airmon-ng".

2.  In the airmon-ng output, select the interface to use for the attack. In this example, wlan0 is my Wi-Fi adapter, a USB wireless adapter plugged into my Raspberry Pi.

3.  It is recommended that you hide your MAC address while cracking a foreign wireless network. Kali Linux ARM does not come with the program macchanger, so install it with the command "sudo apt-get install macchanger" in a terminal window. There are other ways to change your MAC address, but macchanger can provide a spoofed MAC so that your device looks like a common network device such as a printer. This can be an effective way to avoid detection.

4.  Next, we need to stop the interface used for the attack so that we can change its MAC address. For this example, we will stop wlan0 using the following two commands: "airmon-ng stop wlan0" and then "ifconfig wlan0 down".

5.  Now, let's change the MAC address of this interface to hide our true identity. Use macchanger to set a random MAC and specify your interface. There are options to imitate another type of device; however, for this example, we will just use a random MAC address with the following command: "macchanger -r wlan0".

6.  Now that our MAC is spoofed, let's restart airmon-ng with the following command: "airmon-ng start wlan0".

7.  We need to locate available wireless networks so that we can pick our target. Use the following command to do this: "airodump-ng wlan0".

8.  You should now see the networks within range of your Raspberry Pi that can be targeted for this attack. To stop the search once you have identified a target, press Ctrl + C. Write down the target network's MAC address, also known as the BSSID, and its channel, shown in the CH column.

9.  The next step is running airodump against the MAC address that you just copied. You will need the following things to make this work:
    ° The channel being used by the target
    ° The MAC address (BSSID) that you copied
    ° A name for the file to save your data
    Run the airodump command in the following manner: "airodump-ng -c [channel number] -w [name of file] --bssid [target BSSID] wlan0". This opens a new terminal window after you execute it; keep that window open. Open another terminal window, which will be used to deauthenticate a client so that it reconnects and the handshake can be captured. We will run aireplay using the following command: "aireplay-ng --deauth 1 -a [target's BSSID] -c [client's MAC] [interface]".

NOTE: You may not capture the full handshake when you run this command. If that happens, you will have to wait for a live client to authenticate to the access point before the captured data is usable.
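The deauthentication step above works because legacy WPA/WPA2 networks accept unauthenticated deauth frames, and a burst of them is exactly what a wireless intrusion sensor looks for. The following is an added example written for the defending side, not code from the original post or the aircrack-ng project: it parses raw 802.11 management headers, counts deauth/disassoc frames per transmitter address in a short sliding window, and raises an alert when a burst crosses a threshold. All frames, MAC addresses and timestamps are constructed for the example; on a real sensor the frames would come from a monitor-mode capture with the radiotap header and FCS already stripped.

```python
"""Detect deauthentication / disassociation floods in raw 802.11 frames.

Example added for defenders; frames below are constructed, not captured.
"""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0          # 802.11 frame type 0 = management
DISASSOC_SUBTYPE = 10  # management subtype 10 = disassociation
DEAUTH_SUBTYPE = 12    # management subtype 12 = deauthentication


def mac_str(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def parse_frame(raw: bytes):
    """Parse the fixed 802.11 MAC header (no radiotap, no FCS).

    Returns a dict with type/subtype/addresses, plus the reason code for
    deauth and disassoc frames, or None if the frame is too short.
    """
    if len(raw) < 24:
        return None
    fc = raw[0]  # first byte of Frame Control: version | type | subtype
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "dst": mac_str(raw[4:10]),    # addr1
        "src": mac_str(raw[10:16]),   # addr2: the transmitter we count on
        "bssid": mac_str(raw[16:22]), # addr3
    }
    if info["type"] == MGMT_TYPE and info["subtype"] in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
        if len(raw) < 26:
            return None
        info["reason"] = struct.unpack("<H", raw[24:26])[0]  # little-endian reason code
    return info


class DeauthDetector:
    """Sliding-window counter of deauth/disassoc frames per source address."""

    def __init__(self, threshold: int = 5, window: float = 2.0):
        self.threshold = threshold
        self.window = window
        self._seen = defaultdict(deque)  # src MAC -> timestamps of recent frames

    def observe(self, ts: float, raw: bytes):
        """Feed one frame; return an alert string when a burst crosses the threshold."""
        f = parse_frame(raw)
        if f is None or "reason" not in f:
            return None  # not a deauth/disassoc frame
        q = self._seen[f["src"]]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # drop frames that fell out of the window
        if len(q) >= self.threshold:
            q.clear()  # re-arm so a sustained flood alerts once per burst
            return (f"deauth flood: {self.threshold} frames from {f['src']} "
                    f"(bssid {f['bssid']}, last reason {f['reason']}) within {self.window}s")
        return None


def build_frame(fc0: int, dst: bytes, src: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Construct a minimal 802.11 frame: FC(2) duration(2) addr1-3 seqctl(2) body."""
    return bytes([fc0, 0x00]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


# Constructed, locally administered addresses (hypothetical AP and client).
AP = bytes.fromhex("02aabbccdd01")
CLIENT = bytes.fromhex("02aabbccdd02")
BROADCAST = b"\xff" * 6
REASON_CLASS3 = struct.pack("<H", 7)  # reason 7: class 3 frame from non-associated station


def sample_trace():
    """Constructed trace: a beacon and a data frame, then a deauth burst spoofing the AP."""
    frames = [
        (0.0, build_frame(0x80, BROADCAST, AP, AP)),           # beacon (type 0, subtype 8)
        (0.1, build_frame(0x08, AP, CLIENT, AP, b"payload")),  # data frame (type 2)
    ]
    for i in range(8):  # eight deauths between t=1.0s and t=1.7s, as a tool burst would look
        frames.append((1.0 + 0.1 * i, build_frame(0xC0, CLIENT, AP, AP, REASON_CLASS3)))
    frames.append((5.0, build_frame(0xC0, CLIENT, AP, AP, REASON_CLASS3)))  # lone deauth, benign
    return frames


def run_detector(frames, threshold: int = 5, window: float = 2.0):
    """Run the detector over (timestamp, frame) pairs and collect the alerts."""
    det = DeauthDetector(threshold, window)
    return [a for ts, raw in frames if (a := det.observe(ts, raw))]


if __name__ == "__main__":
    for alert in run_detector(sample_trace()):
        print(alert)
```

On the constructed trace the burst trips the detector at its fifth frame and the single later deauth does not, which is the behaviour you want: isolated deauths are normal housekeeping, bursts are not. The stronger mitigation is on the access point: networks that enable Protected Management Frames (802.11w) authenticate deauth and disassoc frames, so spoofed ones are discarded and this step of the attack no longer forces a reconnect.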

10.  The last step is to run aircrack against the captured data to crack the WPA key. Use the -w option to specify the location of a wordlist that will be tried against the captured data. You will use the .cap file that was created during step 9, so we will use the name capturefile.cap in our example. We'll do this using the following command: "aircrack-ng -w ./wordlist.lst capturefile.cap". You will see aircrack start and begin trying each password in the wordlist file against the captured data. This process could take a while depending on the password you are trying to break, the number of words in your list, and the processing speed of the Raspberry Pi.

If aircrack doesn't open and start trying keys against the password, you either didn't specify the correct location of the .cap file or the wordlist.lst file, or you don't have the captured handshake data. By default, the previous steps store files in the directory the commands were run from, so place your wordlist file in that same directory to mimic how we ran the commands in the previous steps. You can verify this by typing ls to list the files in the current directory. Note also that airodump-ng appends a sequence number to the name you gave with -w, so the capture written with "-w capturefile" is actually capturefile-01.cap.
Make sure that you give the correct path for each file called by each command. If your attack is successful, you should be able to identify the password...
