Cracking WPA/WPA2 Passwords
This test was carried out using the Alfa Long Range USB Adapter (AWUS036NHA).
In this article, I will explain how to crack WPA/WPA2 passwords by capturing the handshake and then using a word list to crack the password protecting the access point. This is known as a dictionary attack. In this example, I will be cracking an iPhone personal hotspot which is password protected, the password being “password”.
This article is for educational purposes only!
Creating a wordlist
The command crunch 1 2 123: the 1 is the minimum length of the password, the 2 is the maximum length of the password, and 123 is the set of characters the passwords are built from, so the passwords can only contain the numbers 1, 2 or 3. As shown below.
The command crunch 2 2 123 -t [email protected] will create passwords which all start with “1”. Each @ sign is replaced by a number from the set, but the 1 always stays. This method is used to generate a list of passwords that follow a pattern, i.e. all the passwords starting with a “1”.
The minimum and maximum length must match the number of characters after the -t in the command, i.e. if minimum = 3 and maximum = 3 there must be 3 numbers, letters or @ symbols after the -t, e.g. crunch 3 3 1234 -t [email protected]@. As shown in the command below, the passwords will be 3 digits long, always beginning with a “1”, and can only contain the numbers 1, 2, 3 or 4.
To save the word list into a file, add -o insertfilename to the command; the file name can be whatever you choose. As shown below, in this example the wordlist is saved into a file called “skyinpwlist”, shown highlighted in red.
Check if wireless card/adapter is connected
iwconfig shows whether the wireless card is up and connected to Wi-Fi. As shown, my Wi-Fi card is currently in managed mode, highlighted in red.
Change the Adapter to Monitor Mode
The Wi-Fi adapter must be put into monitor mode in order to run this attack; this is done using the commands highlighted in green. Monitor mode allows the Wi-Fi adapter to listen to all nearby Wi-Fi traffic.
Running the Brute-Force Password Attack
Scan for Wi-Fi Using Wifite & Capture the Handshake
wifite displays all nearby Wi-Fi networks (shown below). All other nearby access points have been hidden for security purposes. The access point which will be attacked is number 1 on the list, “James’s iPhone”.
Enter the number of the Wi-Fi network you want to crack; in this example we are cracking number 1 in the wifite list. Once this is entered the handshake will be captured, as shown below. The handshake is captured and saved at the path hs/handshake_JamessiPhone_3E-2E-FF-2D-DB-D8_2019-07-21T20-08-07.cap
Create a password list using crunch
A password list will now be created which contains the password for “James’s iPhone”, which is “password”. The command to create the password list and save it into a file is crunch 8 8 abcdefghijklmnopqrstuvwxyz -t [email protected]@[email protected]@ -o iphonepasslist
The saved password list is shown below in file form. Highlighted in yellow is the word “password” within the iphonepasslist.txt document.
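As an added example, not part of the original article, the following Python script works out how many candidates the crunch commands in the two wordlist sections above produce, how large the -o file becomes, and how long a dictionary run over a captured handshake would take at an assumed test rate; it also checks whether a -t pattern actually covers a target such as “password”, which is the property the iphonepasslist relies on. The patterns 1@, 1@@ and p@@@@@@d and the rate of 2000 keys per second are assumptions for illustration, not values taken from the article.

```python
"""Keyspace calculator for crunch-style wordlists (constructed example).
Estimates how many candidates a crunch invocation emits, how large the -o file
gets, and how long a handshake dictionary run takes at an assumed test rate.
WPA2 derives the PMK with PBKDF2-SHA1 (4096 iterations), so each test is slow."""
from string import ascii_lowercase

WILDCARD = "@"  # in a crunch -t pattern, '@' is one character drawn from the charset


def crunch_candidates(min_len, max_len, charset, pattern=None):
    """Number of words from `crunch min_len max_len charset [-t pattern]`.
    Without -t, every string of length min_len..max_len over the charset is
    emitted. With -t, only '@' positions vary, literal characters are fixed,
    and crunch requires min_len == max_len == len(pattern)."""
    n = len(set(charset))
    if pattern is None:
        return sum(n ** length for length in range(min_len, max_len + 1))
    if not (min_len == max_len == len(pattern)):
        raise ValueError("with -t, min and max length must equal the pattern length")
    return n ** pattern.count(WILDCARD)


def wordlist_bytes(min_len, max_len, charset, pattern=None):
    """Approximate size of the -o file: each word plus a trailing newline."""
    n = len(set(charset))
    if pattern is None:
        return sum(n ** length * (length + 1) for length in range(min_len, max_len + 1))
    return crunch_candidates(min_len, max_len, charset, pattern) * (len(pattern) + 1)


def pattern_covers(pattern, word, charset):
    """True if `word` would appear in the list that `pattern` generates."""
    return len(pattern) == len(word) and all(
        (p == WILDCARD and w in charset) or p == w for p, w in zip(pattern, word))


def worst_case_seconds(candidates, keys_per_second):
    """Time to exhaust the whole list at the given test rate."""
    return candidates / keys_per_second


if __name__ == "__main__":
    # The article's invocations (the -t patterns are the assumed forms) plus an
    # assumed eight-letter pattern; 2000 keys/s is an assumed CPU rate.
    for args in ((1, 2, "123"), (2, 2, "123", "1@"), (3, 3, "1234", "1@@"),
                 (8, 8, ascii_lowercase), (8, 8, ascii_lowercase, "p@@@@@@d")):
        print(args, crunch_candidates(*args), "words,", wordlist_bytes(*args), "bytes")
    print(pattern_covers("p@@@@@@d", "password", ascii_lowercase))  # True
    print(worst_case_seconds(26 ** 8, 2000) / 86400, "days to exhaust 26^8")
```

The contrast between the 12-word list from crunch 1 2 123 and the 26^8 candidates of an unconstrained eight-letter list is the defender's takeaway: a passphrase is only as strong as the keyspace an attacker cannot narrow with a pattern.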
Run the attack using Aircrack-ng
Aircrack-ng is used to run the brute-force password cracking attack. The command to run the attack is aircrack-ng hs/handshake_JamessiPhone_3E-2E-FF-2D-DB-D8_2019-07-21T20-08-07.cap -w iphonepasslist. The path where the captured handshake file was saved is passed into the command (hs/handshake_JamessiPhone_3E-2E-FF-2D-DB-D8_2019-07-21T20-08-07.cap, shown in red font), along with the name of the password list (-w iphonepasslist, shown in blue font).
Once the command is entered it will run and will display that the password has been found, as shown below.
Article by: James C Billson