WPA2 Wi-Fi password hacking guide (BT5/Kali Linux)

This guide is for penetration testing your own network or someone else's, with permission.

Using someone else's Wi-Fi is theft of service and may or may not be a criminal offence in your area.

Neither Logan nor anyone from Tek Syndicate is liable for your actions; you are, so proceed with caution!

EDIT: Kali Linux is now out, as Logan said on The Tek a few weeks back. As Kali is built from the same tools by the same team, this guide works with both BT5 R3 and Kali.

1st step: you will need a copy of BackTrack 5, so go here http://www.backtrack-linux.org/downloads/

or Kali Linux from here (the guide is the same for both) http://www.kali.org/downloads/

and get yourself an ISO (32- or 64-bit depending on your hardware).

Either burn it to disc using ImgBurn http://www.imgburn.com/index.php?act=download

or make a live USB of 4 GB+; then you can save sessions and not have to start over when you power off. It's a good idea, as I have had attacks take up to a day and a half (because of weak signal), and with a disc, once powered down...

To do this I use this http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/ (it'll do Windows too).

Or, as a third option, you could run it as a virtual machine with VMware from within Windows, but if you do that you HAVE to use a USB Wi-Fi dongle, because the internal Wi-Fi card of laptops gets seen as Ethernet by the guest OS. Don't know why, but I have found it to be true. VMware is not freeware; there may be a trial or crippleware version available here http://www.vmware.com/uk/ but I sailed away from The Pirate Bay with my copy. I won't link directly to it as I may get in trouble from Logan, but you're a smart guy, you can find it ;)

OK, so now you have a disc/USB or virtual machine, so power on, go into the BIOS (Del, F11, F2 or another key depending on hardware) and set it to boot from disc or USB (not applicable to a VM), and let's have some fun!

When the first menu comes up, you want default text mode.

When the cursor becomes available, type "startx" without the quotes and it will boot into a desktop.

Go to the top of the screen and click on the little black screen to open a terminal (looks like a Windows cmd window).

Now to find out what Wi-Fi adaptor you have,

type "airmon-ng" (no quotes).

If it doesn't list anything then your Wi-Fi adaptor is not compatible with BT5; it probably has no promiscuous mode or is lacking driver support. But most laptop internal Wi-Fi I have found to work, and most full-size USB dongles do too; the TP-Link TL-WN821N works for definite.

The output from that is normally wlan0, but if you have multiple adaptors you will get more options.

Type "airmon-ng start wlan0"

assuming wlan0 was the output from the previous command; if not, put whatever the output was for the adaptor you would like to use. It will output "monitoring enabled on mon0" most times, unless you have multiple adaptors.

So now we have set our adaptor to monitor the airwaves, we can have a snoop at all the available networks.

Type "wash -i mon0"

and it will list all available networks: signal strength, encryption type, BSSIDs and other things. We are looking for networks with WPA2/PSK. WEP is also doable and much quicker, but as a security standard it is dead and not in common use any more; if you would like a guide for that too, let me know in the thread and when I have a moment...

Anyway, choose your victim's BSSID and

type "reaver -i mon0 -bBSSIDGOESHERE -vv"

and it will start running through all the possible WPS setup PINs randomly. It may be that you get "AP rate limiting detected"; this is where a router recognises that it is getting attacked from all the wrong passwords and stops BT5 from accessing it for a set amount of time. To combat this you need to add a delay (-d) to the reaver command line, so it looks something like this:

"reaver -i mon0 -b21.34.56.23.54 -d20 -vv"

If AP rate limiting is still detected, keep increasing the delay by 5 seconds until you stop tripping the AP rate limit.

By using the -vv option you get more verbose output from the terminal, which allows you to see if it is channel hopping or AP rate limiting or whatever, and it also lets you see when it gets caught in a loop on a particular password. When this happens I press Ctrl+C to stop the session, then up cursor for the last command and Enter, and it picks up where it left off and normally carries on without stuttering on the same password again.

After time passes it will output the password and PIN number. Copy both down, as if the password is changed you can run the reaver command line again with -pPINHERE and it will break the new password in less than a minute, as the PIN does not change. This would look like

"reaver -i mon0 -b23.56.76.45. -p123456 -vv"

The password will get changed if you're found on a network you are not supposed to be on, which is why I put that command there, as I have had it happen a few times.

If this goes on and the network admin is savvy they may stop changing the password and start banning MAC addresses from connecting to the router, but don't fear!

I use this http://www.technitium.com/ to change my MAC address, as I have had to deal with this problem before.

As a side note, if you are going to jump on a network that isn't yours, change your PC name to something not identifiable to you. Mine is called vm.lineupdate32, as the target network is on Virgin Media... see?

Anyway, happy hacking. Any questions, just stick them below and I'll answer as best I can. As always, if you like it, like it!

Popeye

1 Like
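The "AP rate limiting" the first post keeps running into is the router noticing a run of failed WPS PIN exchanges. Here is the same idea from the access-point side, as an added example that is not part of the thread: a small Python detector run over constructed, hostapd-style log lines (the format, BSSIDs and client MACs are all made up) that flags an AP receiving paced PIN failures even when the client changes its MAC, which is exactly the evasion the post describes.

```python
# Added example, not from the thread: flag WPS PIN brute forcing in AP logs.
# The "TIMESTAMP key=value ..." format is constructed and hostapd-like; real
# routers log differently, so adapt parse_line() to your own AP's output.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: failed PIN exchanges paced ~20 s apart (the "-d20"
# pacing discussed in the thread), with the client changing its MAC half-way.
SAMPLE_LOG = """\
2013-03-10T14:00:00 bssid=aa:bb:cc:dd:ee:01 sta=02:11:22:33:44:55 event=wps_pin_fail
2013-03-10T14:00:21 bssid=aa:bb:cc:dd:ee:01 sta=02:11:22:33:44:55 event=wps_pin_fail
2013-03-10T14:00:43 bssid=aa:bb:cc:dd:ee:01 sta=02:11:22:33:44:55 event=wps_pin_fail
2013-03-10T14:01:05 bssid=aa:bb:cc:dd:ee:01 sta=02:99:88:77:66:55 event=wps_pin_fail
2013-03-10T14:01:27 bssid=aa:bb:cc:dd:ee:01 sta=02:99:88:77:66:55 event=wps_pin_fail
2013-03-10T14:01:49 bssid=aa:bb:cc:dd:ee:01 sta=02:99:88:77:66:55 event=wps_pin_fail
2013-03-10T14:02:00 bssid=aa:bb:cc:dd:ee:02 sta=02:aa:aa:aa:aa:aa event=wps_pin_fail
2013-03-10T14:03:00 bssid=aa:bb:cc:dd:ee:02 sta=02:aa:aa:aa:aa:aa event=wps_pin_ok
"""

def parse_line(line):
    """Split 'TIMESTAMP key=value key=value ...' into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect_wps_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {bssid: (failed_attempts, distinct_client_macs)} for every AP that
    saw >= threshold failed PIN exchanges inside any sliding time window.

    Counting is per BSSID, not per client MAC: an attacker who trips the AP's
    rate limit just paces the attempts and may change MAC, so a long window with
    a low threshold still catches it, while one or two mistyped PINs do not.
    """
    fails = defaultdict(list)  # bssid -> [(timestamp, client_mac), ...]
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec["event"] == "wps_pin_fail":
            fails[rec["bssid"]].append((rec["ts"], rec["sta"]))
    alerts = {}
    for bssid, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            if end - start + 1 >= threshold:
                macs = {sta for _, sta in events[start:end + 1]}
                alerts[bssid] = (end - start + 1, len(macs))
    return alerts
```

On the sample above, `detect_wps_bruteforce(SAMPLE_LOG)` reports only the first AP: six failures from two different client MACs inside the window, while the second AP's single failure followed by a success stays quiet.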

Nice read, thanks for posting. Sounds interesting, may try on my own connection.

Thanks for reading tiwo1991. I may do another for cracking WEP protection, but I really don't think it's still in wide enough use to be worth doing, but definitely have a go, it's fun even if you don't need it ;) I don't have an internet connection at my house (shared accommodation in student land) so I use it a fair bit, as tethering to my Android works but is too slow for anything but emergency use, so I had to work out an alternative method of connection, and as I've gone on I've boiled it down to that^^ so I thought I'd share, as it's one of the few hacks I know and the forum needs to fill out a bit.

Just a couple of things to add: not every router has a WPS PIN (Wi-Fi Protected Setup), and reaver only works against WPS. If the router does have a WPS PIN, then this way is the best. If not, try looking into cracking via wordlists utilizing your graphics card for processing power. Also, if some more people want some Wi-Fi tutorials I'd be happy to write some. I'm pretty well versed with Wi-Fi and Metasploit and some easy stuff like that.

1 Like

ghostxwalking,

I agree that this only works against WPS protected setup, but where I am (Nottingham, England, Robin Hood country)

it seems to be that Sky, Virgin and TalkTalk (the major broadband companies) all ship routers with protected setup,

as in I've not come across one yet that doesn't have it.

I'm in student land and there are many near me. The problem I tend to get is AP rate limiting, so I just add -d20 then increase in 5-second increments until I get it, but I also get locked out of a few routers; they seem to be filtering MAC addresses, because if I change my adaptor's MAC I'm back on for a while. So ghostxwalking, do you know of a way to connect to a network without being seen/heard/leaving a trace? I'd be grateful if you could help round my education ;)

Thanks man, I'll try it out later. I've been looking for a (hopefully) proper tutorial to test out my network.

Well, it works against routers with Wi-Fi Protected Setup (push-button connections), so that's most modern routers. Some have the ability to turn off WPS, those made after late last summer I think, when the first proof of concept came out on reaver, but they aren't really mainstream yet and you'd have to know about the vulnerability and care/be savvy enough to turn it off. I'm also unsure if it'll work on routers with custom firmware like DD-WRT or similar, but this works for me again and again.

As for being a proper tutorial? Well, that's for you to decide, not me. I've tried to write it so it makes sense and is informative too, but the proof of the pudding is in the eating.

I would love some feedback, good or bad, if you have used this guide: did it work for you, are there bits that are not clear, yadda yadda.

Anyway, enjoy ;)

You need to be careful, however, if caught. You will get a felony for cracking someone else's Wi-Fi password. One of my friends did it, but was caught.

Very true, that's why I put it in the first post: if you don't have permission it is theft of service. Be careful out there folks.

@ghostxwalking I'd be interested in a Metasploit tut if you can be arsed to write one; knowledge is power after all and I'm always up for learning new skills ;)

Interesting stuff, thanks for the info.

No problem bean, glad you enjoyed it.

As an update, the BackTrack project has been absorbed into Kali Linux: new name, a few new features, but this works on both distros exactly as described.

Sir, I'm using BT5 R3 and have an inbuilt wireless adapter.

When I type the "airmon-ng start wlan0" command in a terminal, it showed the following:

"Found 2 process that could cause trouble

If airodump-ng , aireplay-ng or airtun-ng stops working after a short period of time , you may want to kill(some of) them.

 

PID                  Name

2557               dhclient3

2614               dhclient3

process with PID 2557(dhclient3) is running on interface wlan0

Interface           chipset                          Driver

wlan0             Atheros AR9485              ath9k - [phy0]SIOCSIFFLAGS: Unknown error 132

                                                              (monitor mode enabled on mon0)"

This is what happens to me, please tell me what was wrong.

I'm waiting for your reply, please reply as soon as possible.

This is normal in certain (but not all) circumstances; just go to the next command,

wash -i mon0, to find out what networks you have available to play with ;) I'll stay online for a little while to help if I can.

popeye

Interesting.

I thought so pal,

that's why I wrote the guide.

I mean, it's a pretty cool thing to have available; reaver is, by orders of magnitude, a better tool for WPA2 PSK cracking than dictionary or rainbow table attacks.

For this to work, though, you need to have a strongish signal, or it will keep stuttering and repeating seemingly endlessly (days).

And to protect yourself from this, all you have to do is log into your router and disable WPS protected setup, as that is what this guide is targeting.

Anyway, happy hacking pal ;)

popeye

By the way, this works exactly the same in Kali Linux (BackTrack 6); I'll edit the title in fact.

So no wordlist?

No mate, just a few lines of text and a wait of between 2 mins and 8 hrs.

Ah I see, and what if the network doesn't use WPS, do you use a wordlist then?

Yeah, although tbh wordlists - meh.

Time consuming and poor hit rate.

Of course if it's the only option, it's the only option,

or if you can see a WEP network, it's Christmas, cracks in seconds. I was going to write a guide on that too, but it's getting to be an old protocol now and isn't in wide use any more (at least in the UK).

But yes, your assumption is correct ;)

popeye

Nah, dw about writing a WEP cracking guide, it's so easy you could crack WEP encrypted networks blindfolded. Also, as a side note to all, with great power comes great responsibility.