Saturday, August 17, 2013

How to Hack a WPA/WPA2 encrypted wireless Network with Backtrack 5 for WPS disabled Access Points


Hacking a WPA/WPA2 encrypted network for WPS disabled Access Points

Caution: The contents below may be used only for educational purposes. If anyone uses it for illegal purposes, he/she may be responsible for its outcomes themselves.

 


Previously, I posted on Hacking a WPA/WPA2 wireless network with Reaver. Reaver is a great method for hacking a WPA/WPA2 network, but its drawback is that WPA/WPA2 networks are vulnerable to Reaver only if they have WPS enabled. If the network does not have WPS enabled, Reaver cannot help you hack that access point. So in this tutorial I'll be teaching you how to hack a WPA/WPA2 encrypted wireless network whose access point has WPS disabled. I've also posted a tutorial on hacking a WEP wireless network: Hacking a WEP Network with Backtrack 5.

So, what we're going to do in this tutorial is capture packets from the targeted AP (Access Point) and try to capture a WPA handshake. Once we obtain a WPA handshake, we attack it with a dictionary attack. A dictionary attack means taking a list of probable passwords and testing each of them against the handshake. There are lots of wordlists out there; search for them on Google. Be patient and you'll get it hacked.

  First Things First

First, you will need a wireless network adapter that supports Monitor Mode and Packet Injection. You can see a list of such compatible wireless adapters in my previous post Compatible Wireless Adapters. If you already own a wireless adapter and want to test whether it supports Packet Injection, see my post on Testing Compatibility of Wireless Adapter.
You will also need Backtrack 5. You will need to create a bootable Live USB/DVD to boot Backtrack 5. I demonstrated that in my post Hacking a WPA/WPA2 wireless network with Reaver.

Let's Get Started

After you're all set, let's get started and boot Backtrack 5. After booting up Backtrack, open a terminal and type in:
iwconfig

This command shows you the list of network interfaces on your PC. Note the name of your wireless interface. In most cases the wireless network interface is named "wlan0". Now we need to put our network adapter into Monitor mode. To enable monitor mode, type:

airmon-ng start wlan0

Once you enable monitor mode, your network adapter will be able to capture packets from networks it is not connected to. Also note that after enabling monitor mode, your interface name will be "mon0". Now let's monitor all the access points around your locality. Type:

airodump-ng mon0

Entering this command makes your network adapter search for all the available networks in the vicinity. Keep searching until your victim (your targeted access point) appears. After that, you can stop searching by pressing Ctrl+C on your keyboard. It shows a lot of information about each access point. Information like the BSSID, channel number and ESSID should be noted, as we shall use it in our next command. Now all we need to do is capture a WPA handshake from the AP (access point). So we start airodump-ng again to capture packets from just that AP. To start capturing packets, type:

airodump-ng -c (channel no.) --bssid (bssid of victim) -w (output filename) mon0

After entering the above command, it will start capturing packets from the AP. In order to capture the WPA handshake, we need to deauthenticate a client that is connected to the AP, so that it reconnects and performs the handshake again. Wait till a station/client appears. Sometimes it takes a little time for the station to show up. After a station shows up, start a deauthentication attack on that station. Keep airodump-ng running, open a new terminal and start the deauthentication attack by typing in:

aireplay-ng -0 5 -a (bssid of victim) -c (mac address of station/client) mon0

After we enter the above command, it will start sending deauthentication packets. It may take a while for the client to be deauthenticated. Be patient and wait. A message should appear in the top right corner of your airodump-ng window notifying you that the WPA handshake has been obtained. I've shown a snapshot of how it looks below.
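The deauthentication step above is also what a wireless intrusion detection system watches for. The following is an added example, not part of the original post: a small Python detector that raises an alert when one BSSID sends a burst of deauthentication or disassociation frames inside a short window. The frame records, MAC addresses and thresholds are constructed for the example; a real deployment would feed it frames decoded from a monitor-mode capture.

```python
from collections import defaultdict, deque

# 802.11 management-frame subtypes used in the constructed records below.
BEACON = 0x8
DISASSOC = 0xA
DEAUTH = 0xC

def detect_deauth_bursts(frames, threshold=5, window=2.0):
    """Flag BSSIDs that emit a burst of deauthentication/disassociation frames.

    frames: iterable of (timestamp_s, bssid, destination, subtype, reason_code)
    Returns a list of (bssid, burst_start_ts, frames_in_window) alerts, at most
    one per BSSID, raised the first time `threshold` deauth or disassoc frames
    from the same BSSID fall inside `window` seconds.
    """
    recent = defaultdict(deque)   # bssid -> timestamps of its recent deauths
    alerted = set()
    alerts = []
    for ts, bssid, _dst, subtype, _reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue                  # data frames, beacons etc. are ignored
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:     # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((bssid, q[0], len(q)))
    return alerts

# Constructed sample capture (not real traffic): AP_A's client is hit by a
# burst of forged deauths; AP_B sends one genuine deauth as a station leaves.
AP_A = "AA:AA:AA:AA:AA:01"
AP_B = "BB:BB:BB:BB:BB:01"
CLIENT = "CC:CC:CC:CC:CC:01"
SAMPLE_FRAMES = [
    (0.0, AP_A, "FF:FF:FF:FF:FF:FF", BEACON, 0),
    (0.5, AP_B, "CC:CC:CC:CC:CC:02", DEAUTH, 3),   # reason 3: station is leaving
    (1.0, AP_A, "FF:FF:FF:FF:FF:FF", BEACON, 0),
] + [(2.0 + 0.1 * i, AP_A, CLIENT, DEAUTH, 7) for i in range(10)]  # ten deauths in 0.9 s

if __name__ == "__main__":
    for bssid, start, count in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"ALERT {bssid}: {count} deauth frames starting at t={start:.1f}s")
```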

Now that we have obtained a WPA handshake, the next step is to launch a dictionary attack on the capture file. For a dictionary attack we'll need a wordlist; they are all over the internet. Open a new terminal and type "ls" to see the files in your current directory (the directory is root by default). Note the name of your capture file. Then launch the dictionary attack by typing in:


aircrack-ng -w (path to wordlist file) (capture filename)

     
     
If you get confused about how to enter the path to the wordlist file, type "aircrack-ng -w " and drag the file into the terminal. Once you hit enter on this command, it will start testing all the words present in the wordlist. If your wordlist contains the correct passphrase, the network will be hacked. A snapshot of how it looks is given below:


So this is how you hack a WPA/WPA2 network with a dictionary attack. This method can hack any WPA/WPA2 network provided that your wordlist contains the correct passphrase.
Now, here's the little sad part. To hack the password, your wordlist must contain the exact passphrase. It's a little frustrating trying it out, but there is a huge collection of wordlists out there. Try them out, and be patient with it. Good Luck!!

Please leave a comment below and if you have any problems regarding this, feel free to ask in the comment section.
Thanks!!

Wednesday, August 14, 2013

Hack Network Security Key

Hacking WEP Network with Backtrack 5

This tutorial will show you how to hack a WEP network. It's relatively easier to hack a WEP (Wired Equivalent Privacy) network than a WPA/WPA2 network. That's the reason most people choose WPA/WPA2 to secure their wireless network. However, if you want to hack a WEP network, this tutorial will teach you how to do it. It takes from 30 minutes to 3 hours to hack a WEP network, depending on the signal strength of the network you're trying to hack. I have posted a tutorial on hacking a WPA/WPA2 secured wireless network in my previous post.

Let's Get Hacking

First you will need a wireless network adapter supporting packet injection. Download Backtrack and create a Live USB/DVD. Then boot Backtrack.

Open a Terminal. Type in:
iwconfig

This command shows all the available interfaces on your PC. Note the interface name of your wireless network adapter. Generally it is named "wlan0". A wireless network adapter can be operated in two modes. One is the normal mode that you use for surfing the net. The other is Monitor mode, which we will be using for hacking. In monitor mode, we monitor all the available access points in the location and capture their packets. Now let's put our network adapter into Monitor mode. For that, type in:
airmon-ng start wlan0


After this command, our network adapter will be in monitor mode and the interface name is changed to "mon0". Note that in monitor mode your interface name will be "mon0", not "wlan0".
After enabling monitor mode, we now search for access points in the location. For this, type in:
 
airodump-ng mon0


This command monitors all the available networks in your area. It also shows a lot of information about the access points that we'll need for later commands, like the channel number, BSSID, etc. After running airodump-ng, wait till your victim (the WEP network) appears. After that, hit Ctrl+C to stop airodump-ng.
Note the channel number and BSSID of your victim. Now you need to capture the packets from the access point. Type in:

airodump-ng -c (channel no. of victim) --bssid (bssid of victim) -w (capture file name) mon0


The above command starts capturing packets from the access point you are targeting. The captured packets are saved in the capture file (.cap). We will use this capture file to crack the password. After entering the above command, note the amount of Data that is being received. All we have to do is wait for the Data count to reach about 10000 to 20000. The data rate may be slow because your network adapter is not associated with the access point. So we use "Fake Authentication" to authenticate and associate with the access point. Keep airodump-ng running and capturing data. Open a new terminal and type:
aireplay-ng -1 0 -a (bssid of victim) mon0

This command starts a fake authentication with the victim's access point. On success, it shows "Association successful". Sometimes this attack may not be successful. If so, try moving nearer to the access point and try again. Once you're associated with your victim's access point, you send an ARP request.
Type:
aireplay-ng -3 -b (bssid of victim) mon0


This command sends ARP requests to the victim's access point. An ARP request is a small network request between two computers; if the request is acknowledged, ACK signals are received back. If your ARP requests are acknowledged, you will notice that the Data count increases rapidly. Once the data reaches 5000, start aircrack-ng. First, look up the name of your capture file: open a new terminal, type "ls" and hit enter, and note the name of your capture file.

Type:
aircrack-ng (capture file name.cap)

Once you enter this command, it will start testing keys. Depending on the password strength of the victim's access point, it may require more packets (data) from the access point. Generally, aircrack-ng can surely crack the password once you obtain 25000 IVs (packets) from the access point. Just start aircrack-ng after receiving 5000 IVs. Even if it fails to crack the password at 5000 IVs, the attack will automatically restart after receiving 10000 IVs. It will keep on attacking until the password is cracked.

Once it cracks the password, it will show "Key Found! [victim's password]". Remove all the ":" from the key, and now you have the password. Cheers!!
So, this is how you hack a WEP network using Backtrack 5. Please leave a comment, rate and share my post guys!! And if you have any problem, please ask freely in the comment section below.

Thanks!!





 

Friday, August 9, 2013

Hacking a WPA/WPA2 network


Caution: The contents below may be used only for educational purposes. If anyone uses it for illegal purposes, he/she may be responsible for its outcomes themselves.

Lets Get Started

It doesn't require you to be an expert or a computer engineer to hack a password protected wifi. Provided that you have patience and are willing, anyone can. But that doesn't mean you should be a jerk and hack others' wifi. If you have been into programming (C, C++, Java, etc.) you will find this a piece of cake. And those of you not familiar with programming need not worry, because I've described each and every step as briefly as possible. However, this hacking tutorial is effective only for WPS enabled networks.


First Things First

In this tutorial, I will be using Backtrack 5 for cracking the wifi password. It is open-source and you can download your own copy from http://www.backtrack-linux.org/downloads/.
Backtrack 5 R3 is the latest version, but I'll be using Backtrack 5. Be sure to select GNOME in the Window Manager tab and make sure you download a .iso file. We will be using this file later to create a Live USB (or a Live Bootable DVD).
You will also need a wifi network adapter for this. The network adapter should be capable of packet injection. Packet injection means interfering with other networks by constructing packets that appear to be part of the normal communication stream. Packet injection allows us to intercept packets from other networks. But you may not need to know what it is in order to hack a wifi; all you need to know is whether your network adapter is capable of injecting packets or not.
There is a list of network adapters that are compatible with Backtrack and capable of injecting packets. You may visit the following link:


The good thing about Backtrack 5 R3 is that it has the tools "reaver" and "wash" pre-installed, which we will be using for cracking WPA/WPA2. So if you don't have Backtrack yet, it is recommended to download Backtrack 5 R3 (you will not have to install reaver). If you have Backtrack 5, then you will need to download "reaver" and install it. I will discuss that later.
First you need to download Backtrack 5.


Backtrack Download Page

This is a preview of http://www.backtrack-linux.org/downloads/. You may or may not register for downloading your copy of Backtrack. If you wish to download without registering, just hit the "Download" button and proceed. If you wish to register, enter your details and hit the "Register and Download" button.




After you hit the download button, the above page will show up. Choose the Backtrack version you wish to download. Backtrack 5 R3 is recommended, as I mentioned earlier. However, I will be using Backtrack 5. There is not much difference between the two versions except that R3 has extra pre-installed tools (reaver, wash, etc.). Select the GNOME Window Manager. You may choose 32-bit or 64-bit architecture as you desire. And be sure to select the ISO image type, because we are going to boot Backtrack from a live USB/DVD. There is other software like VirtualBox and VMware Workstation that simulates a virtual machine, meaning you can boot any operating system from within Windows. We could also boot a virtual Backtrack in VMware Workstation, but it shows network driver issues and can be a mess. Still, provided that you have a compatible wifi adapter, you may boot a virtual machine using VirtualBox or VMware Workstation.

After you have downloaded Backtrack 5, the next step is to create a live USB or live DVD for booting Backtrack. First I'll show you how to create a live USB.

For creating a Live USB you'll need the software Unetbootin. You may use any other software that can create a Live USB; I'll be using Unetbootin to create mine. Click the link below to download Unetbootin.

Creating a Live USB

After you download the file from the site, connect the USB thumb drive. Then double-click the file you just downloaded. In the Unetbootin window, select the Backtrack distribution as in the snapshot shown.




Then, in the version tab, select the version 5R 1-GNOME.


      Then, click on Diskimage, and browse to the Backtrack iso file you downloaded.

      
Select the USB drive of your thumb drive (pen-drive).


Then click OK.

        It will take around 10 mins for your Live USB to be ready. Be patient, it might take a while.

Creating a Live DVD

For creating a live DVD, you will need ISO burning software. I will use Power ISO; you may use any other software, but I'll be demonstrating with Power ISO. If you do not have this software, just google it and download it.
All you need to do is burn the ISO file to a blank DVD. The ISO file is bootable itself, so you need not bother about anything else. Insert a blank DVD into your DVD drive. Then open up Power ISO. A snapshot of the Power ISO window is shown below:


Click on the Open tab, browse to your Backtrack iso file and open it.

 

        After you've opened your iso file in Power ISO, just click on Burn.

         
This will take around 10 to 15 minutes depending on your DVD drive. After the burning is over, your live DVD is ready and you're all set for hacking.


Download Reaver

This is only for those of you who will be using Backtrack 5. Those of you using Backtrack 5 R3 do not need to download it. There are several versions of reaver; we will be using version 1.4. Click on the link below to download Reaver-1.4.

After downloading Reaver-1.4, you will have a tar.gz file. Copy this file to one of the local drives on your hard disk other than your Windows drive (i.e. the drive where Windows is installed).


Now You're all set for hacking.


Connect your Live USB or insert your Live DVD into your DVD slot. Then restart your PC. Boot your PC from the Live USB or Live DVD (not your hard disk). For this, you'll have to bring up your Boot Options, which can be summoned by pressing F8, F10 or F12 (or another function key) depending on your PC. In the boot menu, select USB Mass Storage if you're using a Live USB, or your DVD drive if you're using a Live DVD. Once you've booted correctly, a screen will pop up as in the snapshot below.


            Press Enter. As you press enter, it will start loading files and a menu will be shown on the screen. Just select the Default Boot Text Mode and hit enter.


Then wait till the welcome screen is shown. Type "startx" and hit enter as in the picture below.


Now you have booted your Live USB/DVD. Let's quickly move on and open a terminal. The location of the Terminal tab is shown in the picture below.


Once you've opened the terminal, type:
iwconfig



This command lets you see all the interfaces available on your PC, including your wireless network interface. As in the snapshot, the wireless network interface name is wlan0 (mostly it is wlan0, but it depends on the network adapter; if a different name appears for your adapter, use that name). The interface name is wlan0 and it is currently working in normal mode.

Now type the following and hit Enter:
airmon-ng


This command shows all of your wireless network interfaces. As in the snapshot above, it's showing wlan0. Now let's put our network adapter into Monitor Mode.

Type:
airmon-ng start wlan0


This command puts your adapter into Monitor mode (if your interface name is other than wlan0, type that name instead of wlan0 in the above command). Now that your adapter is in Monitor mode, your interface name will be changed to mon0. From here onwards, you will use mon0 wherever you have to put your interface name.

Now type the following and press Enter:
airodump-ng mon0

Airodump-ng will now monitor all the wireless networks available in your area. It gives detailed information about each network's BSSID, encryption type, channel, etc. Hit Ctrl+C to stop searching for networks. But as I stated earlier, not all of these networks can be hacked by Reaver. Reaver requires the network to be WPS enabled. So we need to analyze which of the networks (access points) are WPS enabled. For that we use the "wash" tool. If you're using Backtrack 5 R3, you need not install anything. But for Backtrack 5, you'll need to install Reaver.

Installing Reaver
For installing Reaver, you'll need to copy the reaver-1.4.tar.gz file into the root folder. Go to Places in the top left corner and a drop-down box will appear. Click on the drive where you saved your reaver-1.4.tar.gz file. Your local drive will then be mounted in Backtrack and you can use the files on your hard drive.

1. Copy and paste reaver-1.4.tar.gz into the folder "root" as shown in the picture below.

2. In the terminal, type: cd /

3. Type: tar zxvf and drag the reaver-1.4.tar.gz file into the terminal window, like in the picture below.

4. Type: cd reaver-1.4

5. Type: cd src

6. Type: ./configure

7. Type: make

8. Type: make install


Once you have entered these 8 commands, reaver is installed and ready to use.

 The Real Hacking Part

Let's analyze which of the available networks are WPS enabled. As I stated earlier, we shall use the "wash" tool for this.

In the terminal, type:
wash -i mon0

Now, as you can see in the above picture, wash shows you all the WPS enabled networks. Wait until your target network shows up. Once it does, hit Ctrl+C to stop searching for other access points. Note the BSSID and the channel number of your victim. We'll use this data to track the victim's access point.

Now moving on to the final command, type:

reaver -i mon0 -b (victim's bssid) -c (channel no.) -vv

Now Reaver will associate with your victim's network and try PINs to hack their router. It takes around 4 to 10 hours to hack the network. The time required depends mainly on the signal strength of the victim's wireless network. Just be patient and wait; Reaver will do the rest. Below is a snapshot of what happens after you type the final command.

It takes time, a lot of it. Be patient, because in the end it's all worth it. It may show many warnings like "Received TimeOut", "WPS Transaction Failed", etc. Just leave it on its own; Reaver will do its job. Many times you may end up trapped in a loop on the same PIN. In that case, start again and move nearer to the access point.
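Seen from the access point's side, the three tutorials rely on a short list of settings: WEP, an enabled WPS PIN, a WPA/WPA2 passphrase that appears in a wordlist, and unprotected management frames that let the deauthentication step work. The following is an added example, not part of the original posts: a Python audit of a hostapd configuration for those settings, with a hardened configuration beside the weak ones. The sample configs, the sample wordlist and the 16-character threshold are constructed for the example; the option names are standard hostapd.conf keys.

```python
# Constructed sample wordlist standing in for the dictionaries the posts rely on.
COMMON_WORDS = {"password", "12345678", "summer12", "qwertyuiop"}

def parse_hostapd(text):
    """Parse key=value lines of a hostapd.conf into a dict (comments skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_hostapd(text, min_passphrase=16, wordlist=COMMON_WORDS):
    """Return short finding codes for the weaknesses the three posts exploit."""
    conf = parse_hostapd(text)
    findings = []
    if "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf):
        findings.append("wep")                  # key recoverable from captured IVs
    if conf.get("wps_state", "0") != "0":       # 0 = disabled, 1/2 = WPS active
        findings.append("wps")                  # PIN is brute-forceable
    wpa = int(conf.get("wpa", "0"))             # bitfield: 1 = WPA, 2 = WPA2
    if wpa & 1:
        findings.append("wpa1")                 # legacy WPA/TKIP still allowed
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None:
        if len(passphrase) < min_passphrase:
            findings.append("short-passphrase")
        if passphrase.lower() in wordlist:
            findings.append("wordlist-passphrase")  # a dictionary attack finds it
    if wpa and conf.get("ieee80211w", "0") != "2":  # 2 = management frame protection required
        findings.append("no-pmf")               # forged deauth frames are accepted
    return findings

WEP_CONF = """\
interface=wlan0
ssid=OldNet
wep_default_key=0
wep_key0=0123456789
"""

WEAK_WPA_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=summer12
wps_state=2
"""

HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Kestrel-Orbit-Lantern-7Q4m
ieee80211w=2
wps_state=0
"""

if __name__ == "__main__":
    for name, conf in (("WEP", WEP_CONF), ("weak WPA", WEAK_WPA_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_hostapd(conf) or 'no findings'}")
```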


After a lot of waiting

 
This is how it looks once you have successfully hacked the wireless network. Good luck to you guys!!

For hacking WPA/WPA2 wireless networks which have WPS disabled, visit my post on hacking WPA/WPA2.
For hacking a WEP encrypted wireless network, visit my post on hacking WEP.

If you have any sort of problem, comment below. I'll try my best to solve your problem. Thanks!!