The hardware and software we will be using are:

  • Alfa Network AWUS036H
  • Arch linux 64 bits
  • Aircrack-ng
  • Airmon-ng
  • Macchanger
  • John
  • Airodump-ng
  • Aireplay-ng

I won’t be writing about patching your driver since I did not need to; check whether your driver is in aircrack-ng’s compatibility list and follow their instructions. I also recommend reading the man page of every tool I use here: understanding what is really happening is important. I might sound too grumpy here, but knowing the right commands is what makes a hack look good, and it also gives you a better understanding for future challenges.

WPA2

First we need to make sure our adapter isn’t being used by any other program:

$ sudo ifconfig {interface} down

To find your interface name, run iwconfig and check the name.

I prefer to change the MAC address of my adapter in case I get caught (well, you never know); they won’t be able to prove you did it, since the MAC address won’t match. You may wonder whether this is really possible: physically and permanently, no, but you can change it for the session.

$ sudo macchanger -r {interface} && sudo ifconfig {interface} up

This changes to a random MAC address and brings the interface up again; make sure to copy your new MAC address to a text file.

Luckily my adapter is not only recognized immediately by aircrack-ng but also supports monitor mode, which you need for sniffing on wireless devices. Normally a network card/adapter only receives the packets addressed to it; in monitor mode it listens to all the packets in the air. Let’s set our adapter to monitor mode.

$ sudo airmon-ng start wlan0

If there are no errors, check iwconfig to make sure you have a mon0 (monitor mode) interface available. Let’s use airodump-ng to look at the wireless traffic and see if I can find my home network.

$ sudo airodump-ng mon0

Screenshot

There, I found a network, Sitecom87f550. The best choice is to pick a network with a lot of traffic going on; since my own wireless network hasn’t got much data going on (I do not use wireless except for my iPad), we will use Sitecom87f550.

Now that we know the network name, the BSSID and the channel, we can run the same command, this time writing the packets to disk.

$ mkdir /tmp/hack && sudo airodump-ng mon0 --channel {channel} --bssid {BSSID} -w /tmp/hack/home

At this point you have two options. If a client is connected, we can wait for a 4-way handshake, or de-authenticate an existing client and force it to re-associate. I will use the de-authentication option, with aireplay-ng.

$ sudo aireplay-ng -0 1 -a {BSSID} -c {Client} mon0
16:21:59  Waiting for beacon frame (BSSID: 00:0C:F6:87:F5:50) on channel 11
16:22:00  Sending 64 directed DeAuth. STMAC: [00:26:B6:79:21:11] [61|64 ACKs]

Screenshot

You can see in the upper right corner “WPA handshake”: it worked. You can now stop airodump-ng and check that the right files were written to disk.

Screenshot

Good, now that we have the right packets there is no need to use our wireless adapter anymore; time to break the key. Recovering a WPA2 key comes down to brute force, which can take a long time, and by long time, I mean it. You can use John the Ripper to generate candidates and pipe them into Aircrack-ng to try them all, or you can download a dictionary here and run it with aircrack. The other option is pure brute forcing. I will explain how both work. Let’s try the dictionary first: I downloaded a file from the website I linked and saved it under /tmp/hack/dict, then I ran Aircrack-ng.

$ aircrack-ng -w /tmp/hack/john.txt -b {BSSID} /tmp/hack/home-*.cap

Screenshot

The dictionary was unsuccessful. It ran very quickly, but found nothing. Let’s try to brute force it.

$ john --stdout --incremental:all | aircrack-ng -b {BSSID} -w - /tmp/hack/home-*.cap

Screenshot

I will leave this brute forcing running for a while and then update this post with the result.

UPDATE

I left aircrack-ng running for nearly 3 days. I stopped it once after it had been running for 12 hours, then started it again. No results; brute forcing, as you can see, really takes a long time, and finishing quickly is a matter of luck and of raw computing power!

Screenshot

WEP

I will be doing this hack on my own network, for a few reasons:

  • I don’t feel like waiting hours/days for a crack
  • I can change the settings from my network so I can show you various methods.
  • I have complete understanding of my home network.

The hardware and software I will be using are the same as in the hack above. We will be hacking a WEP network which I configured with the password 1234567890. Hacking a WEP network needs a lot of Initialization Vectors, so we will use packet injection to speed the process up. By this point in the tutorial you already know which WEP network you want to attack: its BSSID, ESSID and channel number.

$ sudo airmon-ng start {interface} {channel of the chosen network}

This command starts monitor mode on the channel of the network. Let’s make sure you are within good range and can inject packets later on.

$ sudo aireplay-ng -9 -e {ESSID} -a {BSSID} mon0

You should receive a response like this:

Screenshot

Make sure it says 100% or something very high; otherwise you are too far from your access point, or too close. If you get 0% then injection is not working or you need to patch your driver; take a look at the patching section on the Aircrack-ng site. From here on I assume your injection test has succeeded, so we are ready to start capturing the Initialization Vectors being generated.

$ sudo airodump-ng -c 9 --bssid {BSSID} -w {path to write the file + name} mon0

Screenshot

Very well. In the screenshot you can see that I quit airodump-ng; don’t quit, leave it open. I took this screenshot after I had been through the whole process.

In the last screenshot you can see a client connected with the MAC address CC:AF:78:08:1E:96, which is my laptop downloading a few things. Let’s do a fake authentication to the access point. My laptop is associated with the access point, so the access point accepts packets from it; if the MAC address you are injecting from is not associated with the access point, the access point will simply drop the packet and send you back a de-authentication packet, in which case no Initialization Vectors are generated and your hack fails. Let’s try to associate with the access point:

$ sudo aireplay-ng -1 0 -e {ESSID} -a {BSSID} -h {Client} mon0

Screenshot

Another way to do this would be:

$ sudo aireplay-ng -1 6000 -o 1 -q 10 -e {ESSID} -a {BSSID} -h {Client} mon0

For other variations of authentication, check the Aircrack-ng wiki. At this point everything should be fine; if you get any errors, check the Aircrack-ng wiki or forums, and Googling is also a great help. Now let’s start aireplay-ng to listen for ARP requests and re-inject them into the network we are hacking. If you don’t know what ARP means, please take a look here before you continue.

$ sudo aireplay-ng -3 -b {BSSID} -h {Client} mon0

Screenshot

There is a bug in my bash, so the screenshot looks a little messy. This is how it should look; leave it re-injecting the packets while we try to crack the key. Start another terminal session and try:

$ aircrack-ng -b {BSSID} {path to the cap file + name.cap}

Screenshot

If you wish to use FMS/KoreK:

$ sudo aircrack-ng -K -b {BSSID} {path to your cap file + name.cap}

I did not explain any of the arguments, since you can do that yourself by checking the man page on your Linux distro: try man aircrack-ng and read what each argument does.
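From the other side of the fence, here is an added example (not code from the original post or from the Aircrack-ng project) of how a wireless monitor can spot the two injection patterns shown above: the burst of directed de-authentication frames from the WPA2 section and the verbatim ARP replay from the WEP section. It runs over a constructed list of frame summaries; the thresholds, the record layout and the locally administered MAC addresses are assumptions.

```python
from collections import Counter, defaultdict

# Assumed thresholds; tune them for your own environment.
DEAUTH_THRESHOLD = 10    # directed deauth frames to one station per window
WINDOW_SECONDS = 1.0
IV_REUSE_THRESHOLD = 20  # same (sender, IV) pair seen this many times

# Frame summary: (timestamp, kind, bssid, src, dst, wep_iv or None).
# kind is "deauth" for a deauthentication management frame and
# "wep_data" for a WEP-encrypted data frame carrying its 24-bit IV.

def detect_deauth_flood(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Map (bssid, station) -> peak number of deauth frames aimed at that
    station inside any sliding window, for stations whose peak exceeds
    threshold. One deauth is normal; 64 in under a second is the forced
    re-association shown in the aireplay-ng output above."""
    per_target = defaultdict(list)
    for ts, kind, bssid, _src, dst, _iv in frames:
        if kind == "deauth":
            per_target[(bssid, dst)].append(ts)
    alerts = {}
    for key, times in per_target.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts[key] = max(alerts.get(key, 0), end - start + 1)
    return alerts

def detect_iv_reuse(frames, threshold=IV_REUSE_THRESHOLD):
    """Map (bssid, sender, iv) -> count for WEP data frames where one sender
    keeps transmitting the same IV. A real client advances its IV every
    frame; a captured ARP request replayed verbatim does not."""
    seen = Counter((bssid, src, iv) for _ts, kind, bssid, src, _dst, iv in frames
                   if kind == "wep_data" and iv is not None)
    return {key: n for key, n in seen.items() if n > threshold}

def sample_frames():
    """Constructed capture: benign traffic plus both injection patterns.
    MAC addresses are locally administered placeholders, not real devices."""
    ap, sta, other = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:20"
    frames = [(10.0, "deauth", ap, ap, other, None)]                      # benign
    frames += [(20.0 + i, "wep_data", ap, sta, ap, 0x100 + i) for i in range(5)]
    frames += [(100.0 + i * 0.01, "deauth", ap, ap, sta, None) for i in range(64)]
    frames += [(200.0 + i * 0.005, "wep_data", ap, sta, ap, 0x00A1B2) for i in range(100)]
    return frames
```

Running both detectors on sample_frames() flags only the 64-frame deauth burst and the IV reused 100 times; the single benign deauth and the five normal data frames stay silent.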