Cracking WPA2 Personal PSKs

Below is the process I use for testing the strength of a wireless network’s password (WPA2 Personal in this example). This guide is intended for someone who already has a working knowledge of Kali Linux and an external Wi-Fi adapter that supports monitor mode and packet injection.

With my Wi-Fi adapter connected, we can see that it is listed as wlan0.

[Screenshot: Capture1]

We run airmon-ng to make sure our adapter is listed in the output. If it is not, resolve that issue before proceeding.

[Screenshot: Capture2]

We gathered the name of the wireless interface in the first step, so we can now run the command below. Notice that the interface name has changed to wlan0mon. Make a note of what it changes to, as it will be needed later.

[Screenshot: Capture3]

ifconfig confirms the interface name change mentioned above.

[Screenshot: Capture4]

The command below lists all of the wireless networks within range of the wireless adapter.

[Screenshot: Capture5]

Below is the list of available wireless networks. In this example, we are targeting the wireless network named “Nick’s iPhone”. We need to make a note of the BSSID and the channel.

[Screenshot: Capture6]

We copy out the BSSID so that we don’t have to type it in manually.

[Screenshot: Capture7]

To monitor only the target network (Nick’s iPhone in this example), issue the command below:

[Screenshot: Capture8]

We can see that there is a single device connected (listed under STATION).

[Screenshot: Capture9]

From here, we need to open a new terminal and issue the command below. The command sends two “deauth” packets to the device/station connected to the wireless network named Nick’s iPhone. When this happens, the device is disconnected and will typically try to reconnect automatically. When the device reconnects, we should (hopefully) capture the WPA2 4-way handshake.

[Screenshot: Capture10]
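The deauthentication step above is also exactly what a wireless IDS watches for. As an added example that is not part of the original post, the Python below parses raw 802.11 management frames and alerts when a burst of deauth/disassoc frames claims the same BSSID. The 24-byte MAC header layout and the subtype values are the standard ones; the sample capture, the locally administered MAC addresses, the window and the threshold are constructed assumptions for the demo.

```python
"""Detect deauthentication/disassociation bursts in monitor-mode 802.11 frames.

Added example, not from the original post. Assumptions: each input item is
(timestamp_seconds, raw_frame_bytes) with any radiotap header already removed,
and the sample frames below are constructed for the demo.
"""
import struct
from collections import defaultdict, deque

TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(raw: bytes):
    """Parse the 24-byte MAC header; return None for frames too short to hold one."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]  # frame control, first octet: version | type << 2 | subtype << 4
    frame = {
        "version": fc0 & 0x3,
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": raw[4:10],    # receiver address
        "addr2": raw[10:16],   # transmitter address
        "addr3": raw[16:22],   # BSSID for management frames
        "reason": None,
    }
    if (frame["type"] == TYPE_MGMT
            and frame["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)
            and len(raw) >= 26):
        # Deauth/disassoc body starts with a little-endian 16-bit reason code.
        frame["reason"] = struct.unpack("<H", raw[24:26])[0]
    return frame


def detect_deauth_bursts(frames, window=5.0, threshold=2):
    """Alert the first time `threshold` or more deauth/disassoc frames name the
    same BSSID within `window` seconds. `frames` must be in time order."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, raw in frames:
        f = parse_80211(raw)
        if f is None or f["version"] != 0 or f["type"] != TYPE_MGMT:
            continue
        if f["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            continue
        bssid = f["addr3"]
        q = recent[bssid]
        q.append((ts, f))
        while q and ts - q[0][0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({
                "bssid": mac_str(bssid),
                "count": len(q),
                "first_seen": q[0][0],
                "last_seen": ts,
                "broadcast": any(x["addr1"] == BROADCAST for _, x in q),
                "targets": sorted({mac_str(x["addr1"]) for _, x in q}),
                "reasons": sorted({x["reason"] for _, x in q}),
            })
    return alerts


def build_mgmt(subtype, addr1, addr2, bssid, reason=None) -> bytes:
    """Build a minimal management frame for the constructed sample below."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    body = struct.pack("<H", reason) if reason is not None else b""
    return fc + b"\x3a\x01" + addr1 + addr2 + bssid + b"\x00\x00" + body


# Constructed sample capture: locally administered MACs, not real devices.
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    (0.0, build_mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP)),          # normal beacon
    (10.0, build_mgmt(SUBTYPE_DEAUTH, STA, AP, AP, reason=7)),     # burst starts
    (10.1, build_mgmt(SUBTYPE_DEAUTH, STA, AP, AP, reason=7)),
    (10.2, build_mgmt(SUBTYPE_DEAUTH, BROADCAST, AP, AP, reason=7)),
    (60.0, build_mgmt(SUBTYPE_DEAUTH, STA, AP, AP, reason=3)),     # lone frame, outside window
]

if __name__ == "__main__":
    for a in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst from {a['bssid']}: {a['count']} frames in "
              f"{a['last_seen'] - a['first_seen']:.1f}s, targets={a['targets']}")
```

Single deauth frames are normal (a client leaving sends reason code 3), so the threshold and window do the work; several frames in quick succession, or one addressed to the broadcast receiver, is the stronger signal. Networks that enable 802.11w Protected Management Frames reject unsigned deauth/disassoc frames, which removes this disconnect-and-reconnect trick altogether.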

In the top right-hand corner of the original terminal window we should see “WPA handshake” once the device has successfully reconnected. The capture files will also be written to the desktop.

[Screenshot: Capture11]

Issue the command below. Note: when using wpaclean, you must list the name of the OUTPUT file first. This is confusing: the name can be anything, but the output file comes first.

[Screenshot: Capture12]

As we are using hashcat to brute force the PSK, we need to convert the capture files into a format that hashcat can use.

[Screenshot: Capture13]

A continuation of the screenshot above:

[Screenshot: Capture14]

Below is the hashcat command needed to attempt to brute force the PSK against your favorite wordlists. As we can see below, the password was found in the wordlist, and the Wi-Fi password for the target is: wireless123.

[Screenshot: Capture15]
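The PSK fell because it was in the wordlist, and that is the property a network owner can audit before anyone else does. As an added example that is not part of the original post and not the hashcat command it shows, the Python below derives the PMK the way IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations), which is the per-guess work a wordlist attack has to do, and applies a simple strength policy to a candidate passphrase. The weak list, the guess-rate figure and the 60-bit entropy threshold are constructed assumptions, not figures from the post.

```python
"""WPA2-Personal PSK strength audit.

Added example, not from the original post. It derives the PMK exactly as
IEEE 802.11i specifies (so the per-guess cost is real) and applies a
constructed policy: the weak list, the guess rate and the entropy threshold
are assumptions for the demo.
"""
import hashlib
import math
import time


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def measure_pmk_rate(ssid: str = "IEEE", samples: int = 20) -> float:
    """PMK derivations per second on this CPU; GPU crackers are far faster."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate{i}", ssid)
    return samples / (time.perf_counter() - start)


def estimated_entropy_bits(passphrase: str) -> float:
    """Rough brute-force entropy: length * log2(size of the character pool used)."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # printable ASCII punctuation
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_psk(passphrase: str, ssid: str, wordlist, guesses_per_second: float,
              min_entropy_bits: float = 60.0) -> dict:
    """Return why a PSK would or would not survive a wordlist attack (constructed policy)."""
    words = set(wordlist)
    in_wordlist = passphrase in words
    bits = estimated_entropy_bits(passphrase)
    # Time an attacker needs to try the whole wordlist against this SSID.
    wordlist_seconds = len(words) / guesses_per_second
    problems = []
    if len(passphrase) < 8 or len(passphrase) > 63:
        problems.append("length outside the 8-63 character range WPA2 accepts")
    if in_wordlist:
        problems.append("passphrase present in wordlist")
    if bits < min_entropy_bits:
        problems.append(f"estimated entropy {bits:.1f} bits below {min_entropy_bits:.0f}")
    return {
        "ssid": ssid,
        "pmk": wpa2_pmk(passphrase, ssid).hex(),  # what each guess must compute
        "in_wordlist": in_wordlist,
        "entropy_bits": round(bits, 1),
        "wordlist_seconds": wordlist_seconds,
        "problems": problems,
        "verdict": "weak" if problems else "ok",
    }


# Constructed weak list standing in for a real wordlist.
WEAK_LIST = ["password", "12345678", "qwertyuiop", "wireless123", "letmein1"]

if __name__ == "__main__":
    rate = measure_pmk_rate()
    print(f"this CPU: {rate:,.0f} PMK/s")
    for psk in ("wireless123", "Tq7#vLm9!pXz2@Wn4"):
        r = audit_psk(psk, "Nick's iPhone", WEAK_LIST, guesses_per_second=rate)
        print(psk, r["verdict"], r["problems"])
```

Because the SSID is the PBKDF2 salt, a precomputed table only helps against networks that share a common SSID, which is one more reason not to keep a default one. The 4096 iterations make each guess cost real work, but that only protects passphrases that are not in a wordlist in the first place; WPA3's SAE handshake removes the offline dictionary attack entirely.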

