CRACKING WPA AND WPA2 ENCRYPTION.
Hi there, I'm going to be continuing from my previous post, where we learnt how to deauthenticate a device from a router. In this post we will be learning how to crack WPA and WPA2. I would love to also discuss WEP, but modern devices don't use WEP encryption; what is used now is WPA and WPA2, and more recently WPA3. Briefly, to crack WEP you capture packets with airodump-ng just like we did in the deauth attack, then send a fake authentication to the target, then flood the target with IV packets so it starts repeating IVs (which reveal the keystream), and finally use aircrack-ng to analyse the capture and recover the passkey. There you have it.
There are various ways to crack WPA and WPA2. Firstly, let's chat about using the WPS feature in the router, which uses an 8-digit PIN as its passkey. To check for routers using WPS, use this command: "sudo wash --interface wlan0". Mind you, I used wlan0 because that's my wireless adapter's name; yours might be different. The next step is a fake authentication attack/request, followed by cracking the PIN with a tool called reaver to get the passkey. I won't be taking on this project because my router uses a PBA (push button authentication), requiring you to press the button on the router before you can connect to it, so they fixed the flaw, but not all routers use PBA so it's also a skill you should master. For this project I'll be showing you an easier way: capturing the WPA handshake and using aircrack-ng to get the passkey with a wordlist. There are different methods of cracking a wifi password; in my next post I'll be introducing you to an attack called the evil-twin attack.
This was done in a controlled environment in my home lab and for educational purposes only.
Let's get started.
Step 1: Selecting and probing the target.
If you've been following on from the deauth attack in my previous post, then you know the command used in the above image to identify the wifi networks around me. I'll be selecting my router with the ESSID "?????", which is WPA2 encrypted. Like I highlighted earlier, there are different ways to crack WPA2; in this project I'll be using the handshake we capture to crack the WPA2 encryption.
Step 2: Deauthentication attack to capture the WPA handshake.
In the first image, in the terminal on the top right, we see it says interface wlan0 down. After the deauth attack we should see an indication that the handshake was captured. The reason I'm carrying out a deauth attack is to disconnect the device from the router so that it reconnects and I can capture the handshake. In most cases you wouldn't need to deauthenticate a device, because a new device connecting to the router would automatically give you the handshake, but in a real-world scenario where no other device might be connecting to the router you would need to carry one out.
In the second image I'm carrying out the deauth attack on my router (BSSID 36:A5:B4:47:37:A5) and my personal device (20:16:D8:2D:6D:7F), sending 700 deauth packets. If you look at the second image, in the terminal on the left, just at the top right, you can see that it was successful and the WPA handshake was captured. You can go ahead and quit. If you find yourself confused about how I got here, visit my previous post, as this is the continuation.
Step 3: Using Aircrack-ng.
The next command is the one used to start the WPA cracking. Let me walk you through it: "sudo aircrack-ng firstcrack-01.cap -w rockyou.txt". In this command we're using a tool called aircrack-ng, used for cracking wifi encryption, followed by the WPA handshake capture file firstcrack-01.cap, then -w, which is the wordlist we're going to use. aircrack-ng is going to try every candidate in the wordlist we provide until it has a match with the master key, transient key and EAPOL HMAC, as seen below in a view of aircrack-ng in action. I'm using 8GB of RAM so my processing unit is slow; it won't run as fast as it should and would take up my whole day before I get a match for the wifi passkey, but there you have learnt how to crack WPA1 & 2 by capturing the WPA handshake. For more information about wordlists, I'll leave it to you to do some more research on how to create your own wordlist in a real-world scenario, but a quick tool to use on Kali Linux would be crunch.
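To see why the aircrack-ng run above takes so long, and why the passphrase rather than the hardware is what decides whether a wordlist attack succeeds, here is an added Python example (not part of the original post and not code from aircrack-ng). It derives the WPA/WPA2 Pairwise Master Key exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations), checks it against the test vector published in the standard, measures how many candidates per second this CPU can test, and then estimates how long a wordlist of a given size, or the full keyspace of random passphrases, would take. The bottleneck is the 4096 PBKDF2 iterations on the CPU, not memory. The wordlist size and alphabet used in the estimate are constructed figures, and the benchmark passphrases are made up.

```python
import hashlib
import time

# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
# Every wordlist candidate must go through these 4096 iterations before the
# resulting PMK can be compared against the captured handshake, which is why
# dictionary attacks on WPA/WPA2 are slow and CPU-bound.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """Return the 32-byte PMK for an ASCII passphrase and a network name."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )


def measure_pmk_rate(ssid: str, samples: int = 20) -> float:
    """Time PMK derivations on this machine; returns candidates per second."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(ssid, f"benchmark-{i:08d}")  # constructed candidate passphrases
    return samples / (time.perf_counter() - start)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of the given length over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, rate: float) -> float:
    """Worst-case time to test every candidate at the given rate."""
    return candidates / rate


def describe_duration(seconds: float) -> str:
    """Human-readable duration, rounded to the largest sensible unit."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    pmk = derive_pmk("IEEE", "password")
    print("PMK for 'password'/'IEEE':", pmk.hex())

    rate = measure_pmk_rate("IEEE")
    print(f"This CPU derives about {rate:,.0f} PMKs per second in pure Python")

    # Constructed wordlist size, in the same order of magnitude as large
    # public leaked-password lists.
    wordlist_size = 14_000_000
    print("Full wordlist, worst case:",
          describe_duration(seconds_to_exhaust(wordlist_size, rate)))

    # A random 12-character passphrase over letters and digits (62 symbols)
    # is far outside what any wordlist can cover.
    random_space = keyspace(62, 12)
    print("Random 12-char alphanumeric passphrase, worst case:",
          describe_duration(seconds_to_exhaust(random_space, rate)))
```

Dedicated crackers test PMKs thousands of times faster than this pure-Python loop, but the ratio is the point: a wordlist of a few tens of millions of entries is finished in hours, while a random 12-character passphrase would take longer than the age of the universe at any realistic rate. The defence is a long random passphrase that appears in no wordlist, plus disabling WPS where the router allows it.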
In my next post we'll be trying another method, the evil-twin method, and discuss what an evil twin really is, a little on rogue access points, assigning IPs with a DHCP server and many more. See you in the next one, bye for now.