Crack WPA/WPA2 Wi-Fi Routers with Airodump-ng and Aircrack-ng/Hashcat.
Wpa2-wordlists - A collection of. Used for dictionary-attacks using a variety of password cracking tools such as aircrack-ng. One-liners for wordlist.
This is a brief walk-through tutorial that illustrates how to crack Wi-Fi networks that are secured using weak passwords. It is not exhaustive, but it should be enough information for you to test your own network's security or break into one nearby. The attack outlined below is entirely passive (listening only, nothing is broadcast from your computer) and it is impossible to detect provided that you don't actually use the password that you crack. An optional active deauthentication attack can be used to speed up the reconnaissance process and is described at the end of this document.
If you are familiar with this process, you can skip the descriptions and jump to a list of the commands used at the bottom. For a variety of suggestions and alternative methods, see the appendix. neal1991 and tiiime have also graciously provided translations to this document and the appendix in Chinese if you prefer those versions.
- They are plain Wordlist dictionaries used to brute force WPA/WPA2 data captures with aircrack-ng. The BIG-WPA-LIST will need to. A file or download a wordlist.
- ★ ★ ★ IMPORTANTE LEGGI DESCRIZIONE ★ ★ ★ Download dizionari / wordlist + 180GB http://ricky1994.altervista.org/download-wordlist-dizionari-brute-forceaircrac.
DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use. Don't be a dick.
Getting Started
This tutorial assumes that you:
- Have a general comfortability using the command-line
- Are running a debian-based linux distro, preferably Kali linux (OSX users see the appendix)
- Have Aircrack-ng installed
sudo apt-get install aircrack-ng
- Have a wireless card that supports monitor mode (see here for a list of supported devices)
Cracking a Wi-Fi Network
Monitor Mode
Begin by listing wireless interfaces that support monitor mode with:
If you do not see an interface listed then your wireless card does not support monitor mode
We will assume your wireless interface name is wlan0
but be sure to use the correct name if it differs from this. Next, we will place the interface into monitor mode:
Run iwconfig
. You should now see a new monitor mode interface listed (likely mon0
or wlan0mon
).
Find Your Target
Start listening to 802.11 Beacon frames broadcast by nearby wireless routers using your monitor interface:
You should see output similar to what is below.
For the purposes of this demo, we will choose to crack the password of my network, 'hackme'. Remember the BSSID MAC address and channel (CH
) number as displayed by airodump-ng
, as we will need them both for the next step.
Capture a 4-way Handshake
WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. You don't have to know anything about what that means, but you do have to capture one of these handshakes in order to crack the network password. These handshakes occur whenever a device connects to the network, for instance, when your neighbor returns home from work. We capture this handshake by directing airmon-ng
to monitor traffic on the target network using the channel and bssid values discovered from the previous command.
Now we wait... Once you've captured a handshake, you should see something like [ WPA handshake: bc:d3:c9:ef:d2:67
at the top right of the screen, just right of the current time.
If you are feeling impatient, and are comfortable using an active attack, you can force devices connected to the target network to reconnect, be sending malicious deauthentication packets at them. This often results in the capture of a 4-way handshake. See the deauth attack section below for info on this.
Once you've captured a handshake, press ctrl-c
to quit airodump-ng
. You should see a .cap
file wherever you told airodump-ng
to save the capture (likely called -01.cap
). We will use this capture file to crack the network password. I like to rename this file to reflect the network name we are trying to crack:
Crack the Network Password
The final step is to crack the password using the captured handshake. If you have access to a GPU, I highly recommend using hashcat
for password cracking. I've created a simple tool that makes hashcat super easy to use called naive-hashcat
. If you don't have access to a GPU, there are various online GPU cracking services that you can use, like GPUHASH.me or OnlineHashCrack. You can also try your hand at CPU cracking with Aircrack-ng.
Note that both attack methods below assume a relatively weak user generated password. Most WPA/WPA2 routers come with strong 12 character random passwords that many users (rightly) leave unchanged. If you are attempting to crack one of these passwords, I recommend using the Probable-Wordlists WPA-length dictionary files.
Cracking With naive-hashcat
(recommended)
Before we can crack the password using naive-hashcat, we need to convert our .cap
file to the equivalent hashcat file format .hccapx
. You can do this easily by either uploading the .cap
file to https://hashcat.net/cap2hccapx/ or using the cap2hccapx
tool directly.
Next, download and run naive-hashcat
:
Naive-hashcat uses various dictionary, rule, combination, and mask (smart brute-force) attacks and it can take days or even months to run against mid-strength passwords. The cracked password will be saved to hackme.pot, so check this file periodically. Once you've cracked the password, you should see something like this as the contents of your POT_FILE
:
Where the last two fields separated by :
are the network name and password respectively.
If you would like to use hashcat
without naive-hashcat
see this page for info.
Cracking With Aircrack-ng
Aircrack-ng can be used for very basic dictionary attacks running on your CPU. Before you run the attack you need a wordlist. I recommend using the infamous rockyou dictionary file:
Note, that if the network password is not in the wordfile you will not crack the password.
If the password is cracked you will see a KEY FOUND!
message in the terminal followed by the plain text version of the network password.
Deauth Attack
A deauth attack sends forged deauthentication packets from your machine to a client connected to the network you are trying to crack. These packets include fake 'sender' addresses that make them appear to the client as if they were sent from the access point themselves. Upon receipt of such packets, most clients disconnect from the network and immediately reconnect, providing you with a 4-way handshake if you are listening with airodump-ng
.
Use airodump-ng
to monitor a specific access point (using -c channel --bssid MAC
) until you see a client (STATION
) connected. A connected client look something like this, where is 64:BC:0C:48:97:F7
the client MAC.
Now, leave airodump-ng
running and open a new terminal. We will use the aireplay-ng
command to send fake deauth packets to our victim client, forcing it to reconnect to the network and hopefully grabbing a handshake in the process.
You can optionally broadcast deauth packets to all connected clients with:
Once you've sent the deauth packets, head back over to your airodump-ng
process, and with any luck you should now see something like this at the top right: [ WPA handshake: 9C:5C:8E:C9:AB:C0
. Now that you've captured a handshake you should be ready to crack the network password.
List of Commands
Below is a list of all of the commands needed to crack a WPA/WPA2 network, in order, with minimal explanation.
Appendix
The response to this tutorial was so great that I've added suggestions and additional material from community members as an appendix. Check it out to learn how to:
- Capture handshakes and crack WPA passwords on MacOS/OSX
- Capture handshakes from every network around you with
wlandump-ng
- Use
crunch
to generate 100+GB wordlists on-the-fly - Spoof your MAC address with
macchanger
A Chinese version of the appendix is also available.
Attribution
Much of the information presented here was gleaned from Lewis Encarnacion's awesome tutorial. Thanks also to the awesome authors and maintainers who work on Aircrack-ng and Hashcat.
Overwhelming thanks to neal1991 and tiiime for translating this tutorial into Chinese. Further shout outs to yizhiheng, hiteshnayak305, enilfodne, DrinkMoreCodeMore, hivie7510, cprogrammer1994, 0XE4, hartzell, zeeshanu, flennic, bhusang, tversteeg, gpetrousov, crowchirp and Shark0der who also provided suggestions and typo fixes on Reddit and GitHub. If you are interested in hearing some proposed alternatives to WPA2, check out some of the great discussion on this Hacker News post.
Aircrack-ng is a complete suite of tools to assess WiFi network security.
It focuses on different areas of WiFi security:
- Monitoring: Packet capture and export of data to text files for further processing by third party tools.
- Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
- Testing: Checking WiFi cards and driver capabilities (capture and injection).
- Cracking: WEP and WPA PSK (WPA 1 and 2).
All tools are command line which allows for heavy scripting. A lot of GUIs have taken advantage of this feature. It works primarily Linux but also Windows, OS X, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.
Requirements
- Autoconf
- Automake
- Libtool
- shtool
- OpenSSL development package or libgcrypt development package.
- Airmon-ng (Linux) requires ethtool.
- On windows, cygwin has to be used and it also requires w32api package.
- On Windows, if using clang, libiconv and libiconv-devel
- Linux: LibNetlink 1 or 3. It can be disabled by passing --disable-libnl to configure.
- pkg-config (pkgconf on FreeBSD)
- FreeBSD, OpenBSD, NetBSD, Solaris and OS X with macports: gmake
- Linux/Cygwin: make and Standard C++ Library development package (Debian: libstdc++-dev)
Optional stuff
- If you want SSID filtering with regular expression in airodump-ng(-essid-regex) pcre development package is required.
- If you want to use airolib-ng and '-r' option in aircrack-ng,SQLite development package >= 3.3.17 (3.6.X version or better is recommended)
- If you want to use Airpcap, the 'developer' directory from the CD/ISO/SDK is required.
- In order to build
besside-ng
,besside-ng-crawler
,easside-ng
,tkiptun-ng
andwesside-ng
,libpcap development package is required (on Cygwin, use the Aircap SDK instead; see above) - For best performance on FreeBSD (50-70% more), install gcc5 (or better) via: pkg install gcc9
- rfkill
- For best performance on SMP machines, ensure the hwloc library and headers are installed. It is strongly recommended on high core count systems, it may give a serious speed boost
- CMocka for unit testing
- For intergation testing on Linux only: tcpdump, HostAPd, WPA Supplicant and screen
Installing required and optional dependencies
Aircrack Ng Commands
Below are instructions for installing the basic requirements to buildaircrack-ng
for a number of operating systems.
Note: CMocka, tcpdump, screen, HostAPd and WPA Supplicant should not be dependencies when packaging Aircrack-ng.
Linux
Debian/Ubuntu
Fedora/CentOS/RHEL
Note: on CentOS and RedHat, HostAPd requires 'epel' repository to be enabled: sudo yum install epel-release
openSUSE
Mageia
Alpine
BSD
FreeBSD
DragonflyBSD
OpenBSD
Aircrack Ng For Windows
OSX
XCode, Xcode command line tools and HomeBrew are required.
Windows
Cygwin
Cygwin requires the full path to the setup.exe
utility, in order toautomate the installation of the necessary packages. In addition, itrequires the location of your installation, a path to the cachedpackages download location, and a mirror URL.
An example of automatically installing all the dependenciesis as follows:
MSYS2
Compiling
To build aircrack-ng
, the Autotools build system is utilized. Autotools replacesthe older method of compilation.
NOTE: If utilizing a developer version, eg: one checked out from source control,you will need to run a pre-configure
script. The script to use is one of thefollowing: autoreconf -i
or env NOCONFIGURE=1 ./autogen.sh
.
First, ./configure
the project for building with the appropriate options specifiedfor your environment:
TIP: If the above fails, please see above about developer source control versions.
Next, compile the project (respecting if make
or gmake
is needed):
Compilation:
make
Compilation on *BSD or Solaris:
gmake
Finally, the additional targets listed below may be of use in your environment:
Execute all unit testing:
make check
Execute all integration testing (requires root):
make integration
Installing:
make install
Uninstall:
make uninstall
./configure
flags
When configuring, the following flags can be used and combined to adjust the suiteto your choosing:
Backtrack Wpa Word List
with-airpcap=DIR: needed for supporting airpcap devices on windows (cygwin or msys2 only)Replace DIR above with the absolute location to the root of theextracted source code from the Airpcap CD or downloaded SDK availableonline. Required on Windows to build
besside-ng
,besside-ng-crawler
,easside-ng
,tkiptun-ng
andwesside-ng
when building experimental tools.The developer pack (Compatible with version 4.1.1 and 4.1.3) can be downloaded athttps://support.riverbed.com/content/support/software/steelcentral-npm/airpcap.htmlwith-experimental: needed to compile
tkiptun-ng
,easside-ng
,buddy-ng
,buddy-ng-crawler
,airventriloquist
andwesside-ng
.libpcap development package is also required to compile most of the tools.If not present, not all experimental tools will be built.On Cygwin, libpcap is not present and the Airpcap SDK replaces it.See --with-airpcap option above.with-ext-scripts: needed to build
airoscript-ng
,versuck-ng
,airgraph-ng
andairdrop-ng
.Note: Each script has its own dependencies.with-gcrypt: Use libgcrypt crypto library instead of the default OpenSSL.And also use internal fast sha1 implementation (borrowed from GIT)Dependency (Debian): libgcrypt20-dev
with-duma: Compile with DUMA support. DUMA is a library to detect buffer overruns and under-runs.Dependencies (debian): duma
disable-libnl: Set-up the project to be compiled without libnl (1 or 3). Linux option only.
without-opt: Do not enable stack protector (on GCC 4.9 and above).
enable-shared: Make OSdep a shared library.
disable-shared: When combined with enable-static, it will statically compile Aircrack-ng.
with-avx512: On x86, add support for AVX512 instructions in aircrack-ng. Only use it whenthe current CPU supports AVX512.
with-static-simd=: Compile a single optimization in aircrack-ng binary. Useful when compilingstatically and/or for space-constrained devices. Valid SIMD options: x86-sse2,x86-avx, x86-avx2, x86-avx512, ppc-altivec, ppc-power8, arm-neon, arm-asimd.Must be used with --enable-static --disable-shared. When using those 2 options, the defaultis to compile the generic optimization in the binary. --with-static-simd merely allowsto choose another one.
Examples:
Configure and compiling:
Compiling with gcrypt:
Installing:
make install
Installing (strip binaries):
make install-strip
Installing, with external scripts:
Testing (with sqlite, experimental and pcre)
Compiling on OS X with macports (and all options):
Compiling on OS X 10.10 with XCode 7.1 and Homebrew:
NOTE: Older XCode ships with a version of LLVM that does not support CPU featuredetection; which causes the
./configure
to fail. To work around this older LLVM,it is required that a different compile suite is used, such as GCC or a newer LLVMfrom Homebrew.If you wish to use OpenSSL from Homebrew, you may need to specify the locationto its' installation. To figure out where OpenSSL lives, run:
brew --prefix openssl
Use the output above as the DIR for
--with-openssl=DIR
in the./configure
line:Compiling on FreeBSD with gcc9
Compiling on Cygwin with Airpcap (assuming Airpcap devpack is unpacked in Aircrack-ng directory)
Compiling on DragonflyBSD with gcrypt using GCC 8
Compiling on OpenBSD (with autoconf 2.69 and automake 1.16)
Automatic detection of CPU optimization is done at run time. This behavioris desirable when packaging Aircrack-ng (for a Linux or other distribution.)
Also, in some cases it may be desired to provide your own flags completely andnot having the suite auto-detect a number of optimizations. To do this, addthe additional flag --without-opt
to the ./configure
line:
./configure --without-opt
Linux/BSD
- Use your package manager to download aircrack-ng
- In most cases, they have an old version.
Best Wpa Word List
Windows
- Install the appropriate 'monitor' driver for your card (standard drivers doesn't work for capturing data).
- aircrack-ng suite is command line tools. So, you have to open a commandline
Start menu -> Run... -> cmd.exe
then use them - Run the executables without any parameters to have help
Documentation, tutorials, ... can be found on https://aircrack-ng.org
See also manpages and the forum.
Aircrack Ng Dictionary
For further information check the README file