Most of you lot would be aware of what WPA/WPA2 is, so I won't bang on about the encryption or protocols a great deal. In short, WPA and WPA2 both have a maximum of 256-bit encryption with a maximum of 64 characters in the password. The encryption is really only 64-bit but x4 because of the way the authentication functions as a 4-way handshake.

Before starting with oclHashcat, I would suggest testing for WPS (Wi-Fi Protected Setup) using Reaver and, more recently, the Pixie-dust method, as it can effectively crunch the 11,000 WPS pins and extract the WPA pre-shared key a lot faster than cracking a complex WPA/WPA2 password. If WPS is secure, I would suggest then moving on to WPA/WPA2 with this method, or the Evil twin method that clones the AP.

The tool Hashcat has been around for some time and is CPU based; oclHashcat makes use of modern GPU processors and their physics abilities to crack most modern encrypted user/pass hashes. oclHashcat will function in Linux and also in Windows.

Method 1 - I use Kali Linux 2.1 myself, so I will be listing the Linux commands. First up is to capture a WPA/WPA2 4-way handshake authentication in a .cap file. First, start monitor mode with airmon-ng. Then sniff the airwaves with airodump-ng. Once airodump-ng is busy, pop up another terminal and send deauthentication packets towards the desired access point and connected device with aireplay-ng, so the device will disconnect and have to reconnect to the AP, and capture the 4-way handshake. You can also just leave airodump-ng to capture the handshake(s) passively without spraying out deauthentication packets with aireplay-ng; over time it will capture the handshake(s), but it generally takes a little longer and you end up with a larger capture file. This aireplay-ng command can fail; you may need to run it a few times for it to function as it should. Just keep in mind that with aireplay-ng the -a switch is for the AP/wifi MAC address and -b is for the wifi MAC address of a device connected to that AP.

#:~$ aireplay-ng -deauth 100 -a routerMac -c connectedDeviceMac wlan0mon

Method 2 - I'll list a few methods here, as the GUI tools are very simple. There are aircrack-based GUI tools, wifite and Fern; I prefer method 1. For Windows users, you can set up Linux in a virtual machine within Windows, or there is an app for Android called 'Wi-Fi PCAP Capture' that makes use of an Alfa RTL8187L wifi adapter.

#~:$ gerix-wifi-cracker-ng

Step 2: Convert the .cap file. Next is to convert the WPA capture file containing the WPA/WPA2 handshake to a file in .hccap format so oclHashcat/Hashcat can work with it. If you're using Windows, you could effectively capture a WPA handshake with an Android phone app and an Alfa RTL8187L wifi adapter. The oclHashcat site has a conversion page where you can upload wpa.cap files of up to 5 MB and download the file back as a .hccap; it comes back as a download in .hccap format.

This can easily be done with other hashes, MD5 etc.
E.g. if you replace grep WPA with grep MD5, it will output 0 for that switch.

Step 4 - Here we will make use of oclHashcat/Hashcat. It is a versatile tool set and can be used with or without a wordlist. It can create wordlists on the go without slowing down and without storing massive dictionary files. First up, we will cover using oclHashcat with a wordlist. There are many wordlists that can be found on the web, but why store them in files when oclHashcat creates them on the fly? Another thing to keep in mind about wordlists: not all wordlists you find online will be created for WPA/WPA2, as the entries need to start at 8 characters in length.