Once as many IVs as required have been captured using the airodump packet capture utility, the resulting [filename].cap file can be imported into aircrack to break static WEP keys or WPA-PSK keys.
To view all available switches:
cd c:\aircrack-ng-[version]
aircrack-ng.exe
Basic usage: aircrack -q -n [WEP key length] -b [BSSID] [filename].cap
Breaking WEP
As you can see, the capture file used below (capture1.ivs) was created with the airodump capture option “Only capture WEP IVs (y/n)” set to “y”, which is why the resulting file is in the .ivs format. Had “n” been selected, the resulting file would be in the .cap format.
Whilst this will work, we could have cut down the cracking options for aircrack-ng by specifying the WEP key length (-n) or the target AP MAC address (-b) on the command line:
aircrack -a 1 -q -n 128 -b 11:11:11:11:11:11 capture1.ivs (where 11:11:11:11:11:11 is the target AP’s MAC address)
As you can see, aircrack found the WEP key for our 1008195-IV capture file (capture1.ivs) in only 4 seconds.
The capture file itself (capture1.ivs) is included here so you can test your own aircrack install (note: the file is a 5.77 MB download).
Breaking WPA
In order to carry out the WPA dictionary attack using aircrack-ng we either have to:
- Wait for a WPA client to associate to the network (this could take a while)
- Force a WPA client off the network, forcing it to reassociate.
Either of these two methods allows us to capture the WPA handshake, which is what we require to perform a dictionary attack.
The downside to using this Windows version of aircrack-ng is that there are no freely available Windows tools to perform this step, so we either have to use Linux tools (e.g. aireplay or void11) or wait for an association to occur.
Whichever way we gather the WPA handshake, we still use the same tool to capture it: airodump.
Once we think we have captured the WPA handshake, we simply run the capture file through aircrack for confirmation:
Once we have confirmed that the WPA handshake is present (as above), we can attempt the dictionary attack:
As you can see above, aircrack found the WPA PSK of “passphrase”.
The capture file itself (capture2.cap) is included here so you can test your own aircrack install.
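The confirmation step above (checking that a capture really holds a usable 4-way handshake before spending any time on it) can also be done by inspecting the EAPOL-Key frames directly. The following is an added example, not code from the original page or from the aircrack-ng project: it assumes the raw 802.11 data frames have already been pulled out of the .cap file with a pcap reader (no radiotap header), classifies each EAPOL-Key frame as handshake message 1 to 4, and reports which (BSSID, station) pairs carry both nonces and a MIC; the frames, MAC addresses and the RSN IE stub in SAMPLE are constructed for the test.

```python
import struct
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP header, EtherType 0x888E (EAPOL)
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC = 0x0008, 0x0040, 0x0080, 0x0100   # EAPOL-Key "Key Information" flag bits

def eapol_key_msg(key_info, key_data_len):
    """Classify an EAPOL-Key frame as 4-way handshake message 1..4 (None for group-key frames)."""
    if not key_info & KI_PAIRWISE:
        return None                                   # group-key handshake, not the 4-way
    ack, mic = bool(key_info & KI_ACK), bool(key_info & KI_MIC)
    if ack and not mic:
        return 1                                      # AP -> STA: ANonce, no MIC yet
    if ack and mic and key_info & KI_INSTALL:
        return 3                                      # AP -> STA: ANonce again, GTK, MIC
    if mic and not ack:
        return 2 if key_data_len else 4               # STA -> AP: M2 carries SNonce + RSN IE, M4 is empty

def parse_eapol_frame(frame):
    """Return (bssid, station, msg_no) for an 802.11 data frame carrying EAPOL-Key, else None."""
    if len(frame) < 24 or frame[0] & 0x0C != 0x08:    # frame-control type 2 = data
        return None
    hdr = 26 if frame[0] & 0x80 else 24               # QoS-data subtypes add a 2-byte QoS field
    addr1, addr2 = frame[4:10], frame[10:16]
    bssid, sta = (addr1, addr2) if frame[1] & 0x01 else (addr2, addr1)   # To-DS set: STA -> AP
    body = frame[hdr:]
    if not body.startswith(LLC_SNAP_EAPOL) or len(body) < 107 or body[9] != 3:
        return None                                   # EAPOL packet type 3 = EAPOL-Key
    key_info, key_data_len = struct.unpack(">H", body[13:15])[0], struct.unpack(">H", body[105:107])[0]
    return bssid.hex(":"), sta.hex(":"), eapol_key_msg(key_info, key_data_len)

def handshake_messages(frames):
    """Map (bssid, station) -> set of 4-way handshake message numbers seen in the capture."""
    seen = {}
    for bssid, sta, msg in filter(None, map(parse_eapol_frame, frames)):
        if msg:
            seen.setdefault((bssid, sta), set()).add(msg)
    return seen

def handshake_usable(seen):   # M2 plus M1 or M3: both nonces and a MIC are in the capture
    return any(2 in m and {1, 3} & m for m in seen.values())

def build_eapol_key(bssid, sta, key_info, to_ds, key_data=b""):
    """Constructed test frame: bare 802.11 data header + LLC/SNAP + EAPOL-Key with zeroed fields."""
    a1, a2 = (bssid, sta) if to_ds else (sta, bssid)
    hdr = bytes([0x08, 0x01 if to_ds else 0x02, 0, 0]) + a1 + a2 + bssid + b"\x00\x00"
    key = b"\x02" + struct.pack(">H", key_info) + bytes(90) + struct.pack(">H", len(key_data)) + key_data
    return hdr + LLC_SNAP_EAPOL + b"\x02\x03" + struct.pack(">H", len(key)) + key

AP, STA = bytes.fromhex("111111111111"), bytes.fromhex("222222222222")   # constructed addresses
SAMPLE = [build_eapol_key(AP, STA, 0x008A, False),                             # M1
          build_eapol_key(AP, STA, 0x010A, True, b"\x30\x02\x01\x00"),          # M2, constructed RSN IE stub
          build_eapol_key(AP, STA, 0x13CA, False), build_eapol_key(AP, STA, 0x030A, True)]   # M3, M4
```

Messages 2 and 4 are told apart by the key data length rather than the Secure bit, because original WPA (TKIP) does not set Secure in message 4 the way WPA2 does.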