Part Two is the below link:
http://www.youtube.com/watch?v=DGaoHf-wUFk
Let me know how you like this tutorial; feedback, corrections, ideas, questions, etc. are all welcome. I will be making a tutorial on analyzing the captured .cap files in Wireshark for a bit more understanding of this process.
This tutorial gives you the rundown of using the Aircrack-ng suite, which is available for download for the operating systems listed below.
It is always a good idea to read up on network security and the various protocols involved.
To download:
Ubuntu: open a terminal and run
sudo apt-get install aircrack-ng
BackTrack: already installed
Other OS:
http://www.aircrack-ng.org/downloads.html
For a dictionary or wordlist, check here:
http://www.aircrack-ng.org/doku.php?id=faq
http://forum.aircrack-ng.org/index.php?topic=1373.0
~The Methodology~
First off, cracking a WPA network is much more difficult and potentially more time-consuming than cracking a WEP network, and success is not guaranteed.
Rather than initiating a brute-force attack against the target WPA network, a dictionary attack is generally more feasible. Brute-forcing can take weeks, months or even years depending on the password strength. WPA encryption is based off of AES encryption, which is the leading standard for security. So rather than attacking the actual encryption strength or brute-forcing, a dictionary attack is the only option. Many dictionaries and wordlists are created with password attacking in mind. The larger the wordlist, the better chance you have.
Most computers can test a wordlist at roughly 1,000 keys per second. That may sound like a lot, but with a dictionary of hundreds of millions of words it will take quite some time, though not nearly as long as a brute-force attack.
You will be able to initiate the dictionary attack when you capture the 4-way handshake, which unfortunately can often be difficult. The simplest way is to initiate the command in Step 3 below and wait for a client to connect to the network. At that point, the Pre-shared Key (PSK) will be intercepted by your computer. However, if a client is already connected, you may initiate a deauthentication and force the client to reauthenticate with the network, thus sending another PSK.
Once you have the PSK, you can begin the dictionary attack outlined in Step 5.
Steps:
1. Enable monitor mode
airmon-ng start [interface, e.g. wlan0, eth0]
2. Start sniffing wireless networks
airodump-ng [interface]
3. Sniff the target network
airodump-ng -c [channel] --bssid [target MAC address] -w [filename] [interface]
4. Initiate deauthentication
aireplay-ng -0 5 -a [target MAC address] -c [client MAC address] [interface]
5. Perform the dictionary attack
aircrack-ng -w [dictionary filename/location] *.cap
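From the defender's side, the deauthentication in Step 4 shows up as a burst of 802.11 management frames of subtype 12 that claim to come from the AP's BSSID. The following is an added example, not part of this tutorial or of the Aircrack-ng suite: it decodes the frame control field and addresses of constructed frame headers and flags any BSSID that sends five or more deauthentication frames within two seconds (the threshold, the window and the sample addresses are assumptions).

```python
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 0xC  # management frame (type 0), subtype 12 = deauthentication

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(m):
    return bytes(int(x, 16) for x in m.split(":"))

def frame_type_subtype(frame):
    """(type, subtype) from the Frame Control field: byte 0 holds
    version in bits 0-1, type in bits 2-3, subtype in bits 4-7."""
    fc = frame[0]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF

def mgmt_addresses(frame):
    """Addr1 (receiver), Addr2 (transmitter), Addr3 (BSSID) of a management frame."""
    return mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])

def build_mgmt_frame(subtype, addr1, addr2, addr3):
    """Minimal 24-byte management frame header (constructed test data only)."""
    fc = bytes([subtype << 4, 0x00])        # type 0 (management), given subtype
    duration, seq_ctrl = b"\x00\x00", b"\x00\x00"
    return fc + duration + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3) + seq_ctrl

def detect_deauth_bursts(frames, threshold=5, window=2.0):
    """Return the set of BSSIDs that transmit >= threshold deauthentication
    frames within `window` seconds. `frames` yields (timestamp, raw_bytes)."""
    recent = defaultdict(deque)    # BSSID -> timestamps of its recent deauths
    alerts = set()
    for ts, frame in frames:
        if frame_type_subtype(frame) != (0, DEAUTH_SUBTYPE):
            continue               # beacons, data frames, etc. are ignored
        _, _, bssid = mgmt_addresses(frame)
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts.add(bssid)
    return alerts

# Constructed sample: one beacon, one isolated deauth, then a burst of six deauths.
AP, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # made-up addresses
SAMPLE_FRAMES = [(0.0, build_mgmt_frame(0x8, "ff:ff:ff:ff:ff:ff", AP, AP)),
                 (1.0, build_mgmt_frame(DEAUTH_SUBTYPE, CLIENT, AP, AP))]
SAMPLE_FRAMES += [(10.0 + i * 0.1, build_mgmt_frame(DEAUTH_SUBTYPE, CLIENT, AP, AP))
                  for i in range(6)]

if __name__ == "__main__":
    print("deauth burst from:", detect_deauth_bursts(SAMPLE_FRAMES))
```

A real monitor-mode capture would supply the timestamps and raw frame bytes in place of the constructed list; on networks with 802.11w protected management frames enabled, forged deauthentication frames of this kind are discarded by the client.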
So let me give you the rundown of what you are looking at, at least the important stuff...
BSSID: the unique address of the router. Each wireless device comes with its own unique BSSID, also called a MAC address, similar to how a computer has its own IP address.
PWR: indicates how close the network is to you. The lower the PWR, the closer. Anything above -75 PWR might be difficult or impossible to crack.
#Data: the number of data packets your computer is receiving. I believe they are only ACKs right now. Look into network protocols; it's a good subject for this.
CH: the channel the router is broadcasting on, usually between 1 and 12.
ENC: the encryption used: WPA, WEP or OPN (open).
ESSID: the actual name of the wireless network, as shown to users.
STATION: the MAC addresses listed below STATION are clients that are broadcasting. Some are connected to a network, which you can see to the left. Those that aren't connected to a network display (not associated).
*At the end of part two, my roommate turned off his computer right as I was about to initiate a deauth. Then he came in pestering me for a ride while I was recording this tutorial, so I got a little distracted for a second, haha*
ahhhh, number two isn't available in the USA? :((
superducky2250 1 week ago
@superducky2250 is the link broken?
shibby4555 1 week ago
Hey, after I type in airodump-ng and my interface it doesn't let me, it says like injection not found and stuff like that and I don't get a page like you did
A7xFTWJoseph 2 months ago
@A7xFTWJoseph post the exact output you get
shibby4555 1 month ago