
WPA2 Cracking with BackTrack 5 R2 and Aircrack-ng

This is a basic tutorial with all the information you need to be able to crack WPA2 with BackTrack 5 R2 and Aircrack-ng. All commands to be written into the terminal will be written in Courier New.

What you will need before starting this tutorial:
1. BackTrack 5 R2 OS (which comes with Aircrack-ng preinstalled)
2. A wordlist (we'll talk about this more soon)
3. Something to take notes with (a text editor or just a plain old pen and paper)

Before you begin WPA2 cracking, you'll need to download a wordlist to your computer. This wordlist will be an .lst file containing the words from a book, dictionary, etc. Many wordlists are available for download online. Here is a list of websites containing downloadable wordlists (list adopted from aircrack-ng.org):

ftp://ftp.openwall.com/pub/wordlists/
http://www.openwall.com/mirrors/
http://ftp.sunet.se/pub/security/tools/net/Openwall/wordlists/
ftp://ftp.ox.ac.uk/pub/wordlists/
http://gdataonline.com/downloads/GDict/
http://www.theargon.com/achilles/wordlists/
http://theargon.com/achilles/wordlists/theargonlists/
ftp://ftp.cerias.purdue.edu/pub/dict/
http://www.outpost9.com/files/WordLists.html
http://www.securinfos.info/wordlists_dictionnaires.php
http://www.vulnerabilityassessment.co.uk/passwords.htm
http://packetstormsecurity.org/Crackers/wordlists/
http://www.ai.uga.edu/ftplib/natural-language/moby/
http://www.insidepro.com/eng/download.shtml
http://www.word-list.com/
http://www.cotse.com/tools/wordlists1.htm
http://www.cotse.com/tools/wordlists2.htm
http://wordlist.sourceforge.net/

Most come in .zip file format. Extract the files and you will only need the .lst file. If there are multiple .lst files, you can open them in a text editor (Notepad, Notepad++, etc.) and combine them into one large word list. In our example, we have named the wordlist wordlist.lst and it is saved to our Desktop.

Let's begin. This tutorial will show the step-by-step instructions to crack WPA2 on the "ya mamma" network.
Once you have BackTrack 5 R2 up and running, you'll need to make sure that you are not connected to the internet. To do this, go to Applications > Internet > Wicd Network Manager and make sure that it states "Not connected" in the bottom left-hand corner. If you are connected to a network, click "Disconnect All" located at the top of the window.

Once you have confirmed that your computer is not connected to the internet, run the command:

airmon-ng

This command shows the status of the wireless interfaces. You need to change the interface from managed mode to monitor mode. This allows you to capture packets without being associated with an access point or ad-hoc network, so you are able to monitor all traffic received on the wireless channel.

Now we will run the command:

airmon-ng start wlan0

This command enables monitor mode on the wireless interface. It also creates mon0, which is the same interface, just in promiscuous mode.

Now we will run the command:

airodump-ng mon0

This displays the information it has found about each access point and its clients.

This is where you will locate the following:
BSSID: MAC address of the access point.
Channel (CH): Channel number (taken from beacon packets).
Station: MAC address of each associated station, or of stations searching for an AP to connect with (the client).

Copy and paste each of these items into a text editor or write them down.

Now we will run the command:

airodump-ng -w capture-packages --bssid (access point) -c (channel) mon0

For our example, it would look like:

airodump-ng -w capture-packages --bssid 00:22:75:E7:6E:0B -c 11 mon0

Then you have to wait for activity on the network. Once there is a valid handshake, it will display "WPA handshake: (BSSID)", as shown below. This has created a capture file containing the handshake. In our example, the capture file will be prefixed with capture-packages and saved in the root directory.

Now we will run the command:

aireplay-ng --deauth 1 -a (access point) -c (client) mon0

For our example, it would look like:

aireplay-ng --deauth 1 -a 00:22:75:E7:6E:0B -c F0:CB:A1:2A:FB:62 mon0

If you need to force traffic on the network to be able to obtain the handshake, you can deauthenticate clients associated with the access point, so they will need to reauthenticate.
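From the defender's side, the deauthentication step above is the loudest part of the whole procedure: a burst of deauth or disassociation management frames aimed at one BSSID is easy to spot in monitor-mode captures or wireless IDS logs, and the standard mitigation is 802.11w Protected Management Frames, which makes forged deauth frames undeliverable. The following script is an added example, not part of the original tutorial or of the aircrack-ng project; it runs a simple sliding-window detector over a constructed list of management-frame records (the BSSID and client MAC reuse the tutorial's example values, the timestamps and the `SAMPLE_FRAMES` format are made up for the example).

```python
from collections import defaultdict, deque

# Constructed sample of 802.11 frame records as a monitoring sensor might log
# them: (timestamp in seconds, frame subtype, BSSID, destination address).
# The addresses match the tutorial's example; everything else is made up.
SAMPLE_FRAMES = [
    (0.00, "beacon", "00:22:75:E7:6E:0B", "ff:ff:ff:ff:ff:ff"),
    (0.10, "data",   "00:22:75:E7:6E:0B", "F0:CB:A1:2A:FB:62"),
    (0.20, "deauth", "00:22:75:E7:6E:0B", "F0:CB:A1:2A:FB:62"),  # a lone deauth is normal
    (5.00, "beacon", "00:22:75:E7:6E:0B", "ff:ff:ff:ff:ff:ff"),
] + [
    # A burst: 20 deauth frames to the same client within 0.4 s, which is what
    # a forged deauthentication looks like on the air.
    (10.0 + i * 0.02, "deauth", "00:22:75:E7:6E:0B", "F0:CB:A1:2A:FB:62")
    for i in range(20)
] + [
    # A second, unrelated network with one broadcast deauth (placeholder BSSID).
    (12.0, "beacon",  "AA:BB:CC:DD:EE:01", "ff:ff:ff:ff:ff:ff"),
    (12.5, "deauth",  "AA:BB:CC:DD:EE:01", "ff:ff:ff:ff:ff:ff"),
]

DISCONNECT_SUBTYPES = ("deauth", "disassoc")


def detect_deauth_bursts(frames, window=1.0, threshold=10):
    """Flag every BSSID that sees more than `threshold` deauth/disassoc frames
    inside any sliding window of `window` seconds.

    Returns a dict keyed by BSSID with the largest burst observed: its frame
    count, first/last timestamp and the set of targeted station addresses.
    """
    recent = defaultdict(deque)   # per-BSSID queue of (timestamp, destination)
    alerts = {}
    for ts, subtype, bssid, dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        q = recent[bssid]
        q.append((ts, dst))
        # Drop frames that have slid out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > threshold:
            best = alerts.get(bssid)
            if best is None or len(q) > best["count"]:
                alerts[bssid] = {
                    "count": len(q),
                    "first_seen": q[0][0],
                    "last_seen": ts,
                    "targets": sorted({d for _, d in q}),
                }
    return alerts


def format_alert(bssid, info):
    """Render one alert as a single log-style line."""
    return (f"DEAUTH-BURST bssid={bssid} count={info['count']} "
            f"span={info['last_seen'] - info['first_seen']:.2f}s "
            f"targets={','.join(info['targets'])}")


if __name__ == "__main__":
    for bssid, info in detect_deauth_bursts(SAMPLE_FRAMES).items():
        print(format_alert(bssid, info))
```

The single deauth at 0.2 s and the broadcast deauth on the second network stay below the threshold, so only the 20-frame burst against the tutorial's BSSID is reported. The window and threshold are assumptions to tune per environment; a busy AP legitimately sends occasional deauths, so the signal is the rate, not the presence, of these frames.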

Now we will run the command:

aircrack-ng capture-packages-01.cap -w /root/Desktop/wordlist.lst

This will use aircrack-ng to go through the capture-packages handshake capture file we created in an earlier step, trying each word from the wordlist we saved as wordlist.lst on our Desktop. Once it has found the network password, it will display:

KEY FOUND! [ (network password) ]

Here we are confirming that the password is correct:

And we're connected!

All information found at http://www.aircrack-ng.org/.
