24 April 2014

How to Crack WPA & WPA2 Wireless with BackTrack 4 running on Windows

Main article: How to Protect Your Wireless Network

Cracking a WPA or WPA2 wireless network is more difficult than cracking a WEP-protected network, because success depends on the complexity of the wireless password and on the attack method (dictionary attack or brute-force attack). Here you will learn, step by step, how to crack a WPA2 wireless network that uses a pre-shared key (PSK). The same steps apply to a WPA-secured network.

Before you begin

  1. You need to have BackTrack installed and running on VMWare Player. See How to Install VMWare & Backtrack 4.
  2. Check that your wireless adapter is compatible with BackTrack 4 in the List of compatible adapters.
  3. I am using the Alfa AWUS036H, a very well known USB wireless adapter because of its good performance and cheap price.
  4. Make sure that your wireless adapter is attached to your virtual machine. In VMWare go to the menu “Virtual Machine” -> “Removable Devices” and make sure your adapter is ticked.

Start Cracking the WPA/WPA2 Password

Here are the basic steps we will be going through:

  1. Put your wireless interface in monitor mode on the specific AP channel
  2. Start airodump-ng to collect the authentication handshake from the AP
  3. Use aireplay-ng to deauthenticate the wireless client to force a handshake with the AP
  4. Run aircrack-ng to crack the pre-shared key using a dictionary file

Launch the Konsole, BackTrack’s built-in command line. It can be found in the lower left corner of the taskbar, as shown in the image below.

BackTrack Konsole

Run the following command to get a list of your network interfaces:

airmon-ng

You may get something like “ath1”, “wlan0”, “wifi0”, or “ra0”. This is called your interface.

In my case: (interface)=wlan0 (see image below)

Now run the following command to put your interface in monitor mode.

airmon-ng start (interface)

In my case

airmon-ng start wlan0

WPA2 Cracking 01

Now we can use the monitor interface which appears below the Driver column; call it (monitor). Most of the time (monitor)=mon0, as shown in the image above.

It’s time to view the list of available networks and pick one for cracking. Run:

airodump-ng (monitor)

In my case

airodump-ng mon0

Wait a while for all the networks to load, then press Ctrl+C to stop the updates. Now choose the wireless network that you wish to crack: it should show “WPA” or “WPA2” in the “ENC” column and “PSK” in the “AUTH” column. “OPN” means that the network is open and you can connect to it without a key. WEP networks will not work with this method, but you can check How to Crack WEP Wireless with BackTrack 4 running on Windows, which takes less than 5 minutes.

After selecting the network that you want to crack, take note of the BSSID and the channel (CH) values. In my case: (bssid)=68:7F:74:06:69:C7 and (channel)=11, as shown in the image below.

Now we are going to monitor the data passing through that network and record it to a file. Run:

airodump-ng (monitor) --channel (channel) --bssid (bssid) -w (filename)

In my case

airodump-ng mon0 --channel 11 --bssid 68:7F:74:06:69:C7 -w linksys

Replace (monitor), (channel), and (bssid) with the values noted before. (filename) can be any name; I usually use a name similar to the name of the network, which is “linksys” in this case.

WPA2 Cracking 02

The data is now being collected and recorded, and you should get an output similar to the window in the background of the picture below. Leave that window running.

We now need to record the 4-way handshake that happens between the targeted wireless router (AP) and a client that is already authenticated.

We can either wait for a client to connect, or disconnect an already connected client to force it to reconnect. In our case we are going to disconnect an already connected client. Don’t forget to note down the client’s MAC address, which we’ll call (station). In my case (station)=00:C0:CA:25:AC:68. Launch a second Konsole window now and run:

aireplay-ng -0 1 -a (bssid) -c (station) (monitor)

In my case

aireplay-ng -0 1 -a 68:7F:74:06:69:C7 -c 00:C0:CA:25:AC:68 mon0

WPA2 Cracking 03

After you run this command you should see “WPA handshake: (bssid)” in the upper right corner of the first Konsole; in my case it is “WPA handshake: 68:7F:74:06:69:C7”. This means that you have captured the 4-way handshake, and the remaining step works offline, so you don’t need to be in range of the network anymore.

If you didn’t see the handshake message, run the same command again. Now it’s time to crack the password from the captured handshake.
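Because this step works by injecting forged deauthentication frames, a wireless IDS can spot it: a burst of deauth frames carrying one BSSID inside a short window is not normal client behaviour. The Python below is an added example, not code from the original article or from the aircrack-ng project. It parses the fixed 802.11 MAC header of raw frames (radiotap header already stripped), which are constructed here for the demo, and flags any BSSID that emits ten or more deauths within one second. The frame count, timestamps, window and threshold are assumptions; the MAC addresses are the ones used in the article.

```python
import struct
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 0x0C   # management frame (type 0), subtype 12 = deauthentication

def mac_to_str(b):
    return ":".join(f"{x:02X}" for x in b)

def parse_frame(raw):
    """Parse the 24-byte fixed 802.11 MAC header (radiotap already stripped); None if too short."""
    if len(raw) < 24:
        return None
    fc = raw[0]   # frame control byte 0: bits 2-3 = type, bits 4-7 = subtype
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF, "addr1": mac_to_str(raw[4:10]),
            "addr2": mac_to_str(raw[10:16]), "addr3": mac_to_str(raw[16:22])}  # addr3 = BSSID in mgmt frames

def is_deauth(raw):
    hdr = parse_frame(raw)
    return hdr is not None and hdr["type"] == 0 and hdr["subtype"] == DEAUTH_SUBTYPE

def deauth_reason(raw):
    # Deauthentication body: a 2-byte little-endian reason code right after the header
    return struct.unpack_from("<H", raw, 24)[0]

def detect_deauth_flood(trace, window=1.0, threshold=10):
    """trace: iterable of (timestamp_seconds, raw_frame). Returns {bssid: peak_count} for each
    BSSID that emitted `threshold` or more deauth frames inside any `window`-second span."""
    recent, flagged = defaultdict(deque), {}
    for ts, raw in sorted(trace, key=lambda t: t[0]):
        if not is_deauth(raw):
            continue
        bssid = parse_frame(raw)["addr3"]
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:        # forget timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[bssid] = max(flagged.get(bssid, 0), len(q))
    return flagged

def build_deauth(dst, src, bssid, reason=7):
    """Constructed sample frame: FC=0xC0 (deauth), duration, addr1..addr3, seq ctl, reason code."""
    macs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid))
    return b"\xC0\x00\x3A\x01" + macs + b"\x00\x00" + struct.pack("<H", reason)

AP, STA = "68:7F:74:06:69:C7", "00:C0:CA:25:AC:68"   # the BSSID and station from the article
BURST = [(10.0 + i * 0.002, build_deauth(STA, AP, AP)) for i in range(64)]   # constructed: spoofed burst
NORMAL = [(300.0, build_deauth(AP, STA, AP, reason=3))]   # constructed: one client genuinely leaving
```

Reason code 7 ("class 3 frame from nonassociated station") on a frame the AP never sent is the typical fingerprint; a single reason-3 frame from a client that is leaving stays below the threshold.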

Cracking the Password

To crack the password you will need a file that contains a list of candidate passwords, called a dictionary file. The better the dictionary file and the less complex the WPA or WPA2 password, the better your chance of cracking it. There are lots of dictionary files on the internet that you can download; for this demo I am going to use the dictionary file that comes with aircrack-ng. It can be found under “/pentest/wireless/aircrack-ng/test”.

You can close all the Konsoles if you want and open a new one. Run:

aircrack-ng -w (passwordsfile) -b (bssid) (filename-01.cap)

In my case

aircrack-ng -w /pentest/wireless/aircrack-ng/test/password.lst -b 68:7F:74:06:69:C7 linksys-01.cap

The capture filename is what you used for (filename) plus “-01.cap”; if you are not sure about the (filename), enter “ls” to see a list of all the files.

This command will try the passwords listed in the dictionary file you provided until it finds a match. If the password wasn’t found, you need to use a better dictionary file. It is possible that the password cannot be found at all if it is long and complex enough! If there was a match, you should see something like:

WPA2 Cracking 04

The WPA or WPA2 password is what you see beside “KEY FOUND!” inside the brackets. In my case: thisisatest

Conclusion

The success of cracking a WPA or WPA2 wireless network is directly related to the complexity of the password and the quality of the dictionary file that you have. Another method, a brute-force attack, would try every possible combination of letters, numbers, and symbols. Although it will surely find the password in the end, it might take hundreds of years for the cracking process to complete, which is why a dictionary attack is considered the more efficient approach; you can check John the Ripper if you are interested in this method.
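The reason a dictionary attack works while exhaustive search does not comes down to how WPA/WPA2-Personal turns the passphrase into a key: the Pairwise Master Key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations, so every guess costs the same fixed amount of work and only the passphrase’s entropy decides the outcome. The SSID-as-salt detail also means a default name such as the “linksys” network above lets an attacker precompute tables once and reuse them against every network with that name, whereas a unique SSID forces the work to be redone per network. The Python below is an added example, not the article’s own code, that derives the PMK, checks a passphrase against a small constructed wordlist the way a defender auditing their own network would, and estimates brute-force time for an assumed guess rate; the guess rate and wordlist are assumptions, and the PMK test vector is the published IEEE 802.11i one.

```python
import hashlib
import string

def wpa2_pmk(ssid, passphrase):
    """IEEE 802.11i Pairwise Master Key (the PSK) for WPA/WPA2-Personal:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes). aircrack-ng
    recomputes this for every dictionary entry and checks it against the captured handshake."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)

def keyspace(passphrase):
    """Size of the smallest obvious brute-force space containing the passphrase:
    (sum of the sizes of the character classes it uses) ** length."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return alphabet ** len(passphrase)

def expected_bruteforce_years(passphrase, guesses_per_second):
    """Expected exhaustive-search time: on average half the keyspace must be tried."""
    return keyspace(passphrase) / 2 / guesses_per_second / (365 * 24 * 3600)

def audit_passphrase(ssid, passphrase, wordlist, guesses_per_second):
    """Defender's view of a network's own passphrase: if it is in a common wordlist the
    handshake falls in seconds; otherwise report how long brute force would take."""
    target = wpa2_pmk(ssid, passphrase)
    in_wordlist = any(wpa2_pmk(ssid, w) == target for w in wordlist)   # same fixed cost per guess as a cracker
    return {"in_wordlist": in_wordlist,
            "bruteforce_years": expected_bruteforce_years(passphrase, guesses_per_second)}

# Constructed demo inputs: the article's SSID and key, a tiny stand-in for password.lst,
# and an assumed (not measured) rate of 100,000 PMK computations per second.
DEMO_WORDLIST = ["password", "12345678", "linksys", "letmein1", "thisisatest"]
ASSUMED_RATE = 100_000
WEAK = audit_passphrase("linksys", "thisisatest", DEMO_WORDLIST, ASSUMED_RATE)
STRONG = audit_passphrase("linksys", "Zq7!kPw2#Vm9rT4", DEMO_WORDLIST, ASSUMED_RATE)
```

At the assumed rate the article’s 11-letter lowercase key would still take centuries to brute-force, yet it falls immediately because it is in the wordlist; the 15-character mixed passphrase is neither in the list nor reachable by exhaustive search.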

Feel free to ask questions or let me know if I have missed something by leaving a comment below.

Comments

  • Abdullah Miqdad

    I just want to say, this is a very informative article. I have a query in relation to the brute force method of attacking using a dictionary method. Should a list of passwords be compiled in a notepad format, or is there compatible dictionary software that can be used instead? On the whole, infinity thumbs up mate.

    Cheers

  • michael

    Hey, did anyone find this hack works or not?

  • Zach E.

    When I get to the password cracking step I get an error stating “opening /pentest/wireless/aircrack-ng/test/password.lst unsupported file format (not a pcap or IVs File)”. Any help would be most appreciated, thanks in advance.

    • http://www.banbouk.com Basil Banbouk

      Hi Zach, I think you forgot to include the linksys-01.cap in the end of your command. Your command should look similar to:
      aircrack-ng -w /pentest/wireless/aircrack-ng/test/password.lst -b 68:7F:74:06:69:C7 linksys-01.cap

      • Zach E.

        I included it but still get the same error.

        • http://www.banbouk.com Basil Banbouk

          Hi Zach, I am not sure which step you are missing… However, you can try the GUI edition, which is easier than the manual one. You can find it here: http://www.technozoid.com/211/how-to-crack-wep-wpa-wpa2-wireless-with-backtrack-4-nocode/

          • Chris Hopkins

            I am getting the same error using backtrack 5

          • rabrabber

            Hi Chris, I am thinking of publishing a step by step video on how to do it on BackTrack 5 if I get 10+ likes.

  • Panos

    I want to say that this is a very detailed article, but I have a question. I am running BackTrack 5 GNOME 32-bit on a VM and my OS is Windows 7, so here is my question:

    I’ve downloaded a wordlist and I want to type the path on my hard drive for the password cracking step, but I don’t know what to type. Could you please help me?

    • http://www.banbouk.com Basil Banbouk

      First you need to copy the file from Windows 7 to the BackTrack 5 VM (drag & drop should work), then follow the steps in “Cracking the Password”.

  • Alternate4

    I followed this article, but when I type airmon-ng there are no interfaces shown. How do I fix that? I have an HP Pavilion g6.

    • rabrabber

      You need to get a compatible wireless network like “Alfa AWUS036H”. It seems your wireless card on the HP Pavilion is not supported.

  • YAGHOOTCO

    When I run the aireplay command it says: “mon0 is on channel 10 but the AP uses channel 11”. What should I do? Please help me. Thanks.

    • http://www.hackedin.com Basil Banbouk

      1) What is the full command that you are using?
      2) Make sure that you are selecting the correct channel in: airodump-ng (monitor) --channel (channel) --bssid (bssid) -w (filename)

  • sam

    I am using a Dell Inspiron 15R laptop. I am running the BackTrack 4 R2 live OS disk. When I use the command airmon-ng it only displays ‘interface’ ‘chipset’ ‘driver’ and no names beside them. Please tell me what to do.

    • http://www.hackedin.com Basil Banbouk

      1) Make sure that the network card that you are using is compatible with BackTrack
      2) Make sure it is plugged in to the VM

  • Macor

    My dictionary can’t find the passphrase :S Can you tell me why?

    • http://www.hackedin.com Basil Banbouk

      Try to use another dictionary file.

  • BHASKAR

    After finding the key for WPA/WPA2 PSK, what is the procedure to get the clear password? Please, can anyone help me crack the password for the key? Please send the procedure to my email account.
    Awaiting your reply.

    Bhaskar.

    • http://www.hackedin.com Basil Banbouk

      In order to find the clear password after collecting the 4-way handshake you need to follow the “Cracking the password” section. And remember that you need a good dictionary file.

  • http://www.wannazaw.blogspot.com wannazaw

    Help me! I have a problem: I don’t know how to connect to a wireless connection on BackTrack 4 in VMWare. Please tell me how I connect it.

    Best Regards…

    • http://www.hackedin.com Basil Banbouk

      Click on ‘Virtual Machine’ -> ‘Removable Devices’ -> click on your network adapter to connect it to BackTrack.

  • kripal

    When I use the command airmon-ng it only displays ‘interface’ ‘chipset’ ‘driver’ and no names beside them. I have a Lenovo laptop and I have successfully hacked the WEP key using benini software but can’t use this BackTrack hacking!! Is there any way? Please tell! Please help!

    • http://www.hackedin.com Basil Banbouk

      Your wireless adapter should be compatible with Backtrack!

  • kripal

    Is there any other way I can easily hack WPA/WPA2 other than BackTrack, or give me an appropriate solution to my problem?

    • rabrabber

      The main reason that Windows is difficult to use for cracking WEP is that the driver that gets installed on Windows is usually protected for security purposes. There is another method in Windows where you can use “AirPcap” with “Cain and Abel” software, but your adapter also needs to be supported by AirPcap. BTW you can order the Alfa adapter for around $30 online.

  • zela

    Guys please help. When I type in airodump-ng (monitor) --channel (channel) --bssid (bssid) -w (filename) (with my personal config) (PICTURE 3) it does not show the second line of SSID and STATION; under STATION nothing appears, and it has collected about 2000 beacons.

    Please PM me on email please. Thanks

  • FAYYAZ

    Need help, I did all steps as instructed in the article and it worked too, but at the end it shows (passphrase not in dictionary)!! What to do now??

    • rabrabber

      This means that the passphrase was not found in the dictionary file which you have provided. You need to get another dictionary file. Doing some research on google for wordlists should help.

  • fsfdsfds

    I used the live CD to do this and also got that ‘passphrase not in dictionary’ error..

    Is this guide working only on VMWare Player maybe? I see there are some other people complaining about the same error in the comments here also…..
    Where should we get another dictionary file, you mean? I know to use Google but what do I search for?

  • gnrsu

    I have to say CDlinux + minidwep may be the best (fastest & easiest) way to crack wireless WPA/2 passwords: appnee.com/cdlinux-minidwep/

  • Jeffy John Tomarong

    Hi, please help me with this. I installed BT5 GNOME 32 in VMWare. When I executed the “airmon-ng” command, no list/result was shown. My laptop is an Acer and my wireless adapter is Atheros AR5B97. Is this compatible with BT5? What network setting should I use in VMWare, NAT or bridged? Any suggestions anyone? Do me a favor please..

    • rabrabber

      It seems that the AR9285 is compatible but not the AR5B97, check http://www.backtrack-linux.org/wiki/index.php/Wireless_Drivers

      You can purchase a very cheap usb Alfa AWUS036H adapter online which is compatible with backtrack.

      • valapsp

        When I type airodump-ng (monitor) it doesn’t list any networks. Any ideas? I have an Alfa AWUS050NH. Using BT5R3

        • Basil Banbouk

          It looks like you have a driver problem, please check the Backtrack forums http://www.backtrack-linux.org/forums/forum.php for compatibility of your AWUS050NH

          • valapsp

            Thank you, I ran these commands and it fixed the error: apt-get update & apt-get upgrade

            Now after running the aircrack-ng command I get this error:

            No valid WPA handshakes found..

            Quitting aircrack-ng…

            Is it because I’m entering the wrong directory for the dictionary file? If yes, what is the directory in BT5R3?

          • Basil Banbouk

            This means that you have not captured the WPA handshake, as shown in pic #4.

          • valapsp

            Well I have. WPA handshake is shown on the upper right like your pic.

          • Basil Banbouk

            Then make sure you have selected the correct cap file. You will get a different message if the password wasn’t found in the dictionary.

          • valapsp

            I’m doing it from the beginning but this time the WPA handshake doesn’t appear.

          • valapsp

            Help. I’m not getting the WPA handshake anymore.

  • kiril

    Hello, please, I want to crack WPA2. How do I crack it? Thanks

  • kukoo

    Tried to find the key from the cap file for 3 days, no result (dictionary attack). Then tried reaver, 8 hours, and found the key (64 symbols), so this method would take a lifetime.