Menu
header photo

Never stop Learning.

WIFI PENETESTING

Cracking The WPA/WPA2 Passwords

 

Method:-1 - With Dictionary/hybrid/brute force  attack for both Non-WPS and WPS

There are two types of ways to potentially crack a password, generally referred to as offline and online. In an offline attack, an attacker has a file with data they can attempt to crack. For example, if an attacker managed to access and download a password database full of hashed passwords, they could then attempt to crack those passwords. They can guess millions of times per second, and they’re only really limited by how fast their computing hardware is. Clearly, with access to a password database offline, an attacker can attempt to crack a password much more easily. They do this via “BruteForcing” — literally attempting to guess many different possibilities and hoping one will match.

An online attack is much more difficult and takes much, much longer. For example, imagine an attacker were trying to gain access to your gmail account. They could guess a few passwords and then gmail would block them from trying any more passwords for a while. Because they don’t have access to the raw data they can attempt to match passwords against, they’re limited dramatically.

We tend to think of Wi-Fi as being only vulnerable to the online attack. An attacker will have to guess a password and attempt to log into the WI-Fi network with it, so they certainly can’t guess millions of times per second. Unfortunately, this isn’t actually true.

 

Cracking the WPA2 Handshake

With the raw data captured, an attacker can use a tool like cowpatty or aircrack-ng along with a “dictionary file” that contains a list of many possible passwords. These files are generally used to speed up the cracking process. The command tries each possible passphrase against the WPA2 handshake data until it finds one that fits. As this is an offline attack, it can be performed much more quickly than an online attack. An attacker wouldn’t have to be in the same physical area as the network while attempting to crack the passphrase. The attacker could potentially use Amazon S3 or another cloud computing service or data center, throwing hardware at the cracking process and speeding it up dramatically.

As usual, all these tools are available in Kali Linux , ParrotSec , BlackArch,  Wifislax a Linux distribution designed for penetration testing. They can be seen in action there.

It’s tough to say how long it would take to crack a password in this way. For complicated and difficult, it could take years, possibly even hundreds of years or longer. If the password is “password”, it would probably take less than a single second. As hardware improves, this process will speed up. It’s clearly a good idea to use a longer password for this reason — 20 characters would take a lot longer to crack than 8. Changing the password every six months or every year could also help, but only if you suspect someone is actually spending months of computer power to crack your passphrase. You’re probably not that special, of course!

 

Breaking WPS With Reaver(If Enabled otherwise don't use it)

 

There’s also an attack against WPS(Wifi Protected Setup), an unbelievably vulnerable system that many routers ship with enabled by default. On some routers, disabling WPS in the interface doesn’t do anything — it stays enabled for attackers to exploit!Essentially, WPS forces devices to use an 8-digit numerical PIN system that bypasses the passphrase. This PIN is always checked in groups of two 4-digit codes, and the connecting device is informed whether the four-digit section is correct. In other words, an attacker just has to guess the first four digits and then they can guess the second four digits separately. This is a fairly quick attack that can take place over the air. If a device with WPS didn’t work in this extremely insecure way, it would be violating the WPS specification.

 

Let's Start

Step:1 airmon-ng start wlan0(Where wlan0 is network interface ,whatever you use, in my case wlan0)

Step:2 wash -i wlan0

This shows two networks which are, at least in theory, vulnerable to the WPS brute force attack Reaver uses. Note the “WPS Locked” column; this is far from a definitive indicator, but in general, you’ll find that APs which are listed as unlocked are much more likely to be susceptible to brute forcing. You can still attempt to launch an attack against a network which is WPS locked, but the chances of success aren’t very good.

Step:3 reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv

The only part of the above command that might not be immediately obvious is “-vv”; this enables verbose output which greatly helps when trying to gauge how well Reaper is (or is not) progressing.

Once you’ve started Reaver, you’ll start seeing output like this:

This output shows that WPS pins are successfully being tried against the target (here we see 12345670 and 00005678 are being tested), and Reaver is operating normally.

Advanced Options

Ideally, the basic command works and the attack progresses as expected. But in reality, different manufacturers have been trying to implement protections against Reaver-style attacks, and additional options may be required to get the attack moving.

As an example, the following command adds a few optional switches that can help to get Reaver working on more picky devices:

 

Step:4 reaver -i mon0 -c 6 -b 00:23:69:48:33:95  -vv -L -N -d 15 -T .5 -r 3:15

 

The core command hasn’t changed, the additional switches just change how Reaver behaves:

-L

Ignore locked WPS state.

-N

Don’t send NACK packets when errors are detected.

-d 15

Delay 15 seconds between PIN attempts.

-T

Set timeout period to half a second.

-r 3:15

After 3 attempts, sleep for 15 seconds

 

This is by no means an exhaustive list of Reaver options, but it gives an idea on what kind of things you might want to try.

 

Attack Duration

Even under ideal conditions, Reaver can take a very long time to complete its run. There is an element of chance involved, the brute forcing could theoretically discover the PIN very quickly, but in general it is going to take many hours to even make a dent in the possible pool of PINs.

Luckily, Reaver keeps a progress log file automatically, so you can stop the attack at any time and resume whenever it’s convenient. Spending a few hours a day running Reaver against the same network should uncover its PIN and through that the WPA passphrase…eventually.

 

If WPS is not Enabled, Try This Method

 

Second Method:Cracking WPA2 encryption(NO WPS)

Using wifite (An automation Network Targeting and wireless auditoring tool)

To start wifite for cracking a WPA access point, give it the option -wpa to only target WPA networks. Also, give it a dictionary file as an input for cracking the WPA passphrase with the -dict option. In kali linux, the wordlists are stored at the location /usr/share/wordlists. Wifite will now start scanning for WPA access points.

 

Press Ctrl+C to give a target number. In my case, the target number is 2 which is an access point i have configured for testing purposes. The access point uses WPA2-PSK encryption with the key as “password”.

 

 

Wifite will now start listening for the handshake. Once it has found it, it will automatically start cracking the passphrase using the dictionary file that we supplied.

 

 

And as you can see, Wifite has successfully found the passphrase for the access point.

Sometimes, things may not work as smoothly. In order to capture a WPA handshake between the client and the access point, the client has to connect to the wireless network during that period when we are monitoring the network. If the client is already connected, there will be no handshake that is captured. Wifite does this by automatically sending deauthentication packets to a particular client or a broadcast deauthentication packet if it is required. You can specify the time between deauthentication packets using the -wpadt flag. Hence, when the client tries to reconnect to the access point, the handshake is captured.

You can also specify which tool you want to use to crack the passphrase once the four-way handshake has been successfully captured. By default, aircrack-ng is selected. You can also use cowpatty, pyrit or tshark to crack the passphrase.

 

 

 

 

Tools For Wifi Hacking(For android)

All Tools

1)Network protocol analyzer(Intercepter-ng)

2)WiFI Kill

3)Traffic Sniffer (Droidsniff)

4)All In One  :-Dsploit

5)Zanti(For MITM in Victim's router)

6)Csploit(Type of wifi Exploit)

7)WPS-WPA Tester(An WPS algorithm Exploit)

8)Mac Spoofer(For Changing Your bssid or Mac)

9)bcmon(For enable monitor mode and Malicious Packet injection)

10)RFA(An other Wifi exploitation Tool Like reaver)(WPS Pin braker)

11)Facesniff(Password and credential sniffer)

NOTE:-Some Of these app is not available in play-store!!Some is available but it is paid app.These apps

is very dangerous and fully workable.I am not responsible for any damages is done by these apps.If you have permission of legal breaking  into the wifi network,use these apps otherwise forget this app.Not for Malicious Purposes.All Apps contain one or other type of Malware,So use it carefully.Before started to hacking you must rooted phone and busy box installed on your phone.For BCMON you need to Broad comm Chipset.Which have inbuilt in Samsung galaxy S and J series.

 

SAMSUNG'S  SMARTPHONES IS BEST FOR WIFI HACKING.For Best Results use Samsung Galaxy S3/S4/S5/S6/S6 edge/S7 or J5/J7.Nexus And OnePlus Devices is Fully Compatible With These apps.

For Other Smartphone check It's Compatibility From XDA's Website.