13

Cracking WPA/WPA2 with KisMAC and Aircrack-ng

Posted January 11th, 2013 in Featured, Technology and tagged , , by Dennis

Ah, yes. Hacking is one of the penultimate pastimes of newbie HakZ0Rz wannabies. :)

Still, it is something that you (the WiFi person on-the-go) need to realize… as the ease with which one CAN crack your WiFi password should cause you some fear and trepidation… (but, it comes with some caveats.)

If you are using WEP for your WiFi security, let me simply tell you that you should quit it. STOP! Switch to WPA/WPA2. Now. Understand? No? Well, switch to WPA/WPA2 NOW! Don’t even bother reading the rest of this article until you have. OK? Cool. Really? You did? Awesome…

When it comes to WiFi security, WEP is already known for its “insecurity”. Still, it is used quite often as it still works across-the-board for nearly every WiFi enabled PC/Laptop/Mobile Device. There are still a handful of laptops that are unable to upgrade their WiFi cards to the latest version of WPA/WPA2, leaving them unable to connect to anything less than a WEP or older WPA-only secured wireless APs (Access Point). This is (in of itself) is one of the main reasons why WEP is still utilized amongst the plethora of Wireless Enabled Cafes.

Still. It is a bad habit.

However, this post is NOT about WEP, but WPA/WPA2… and how easily it can be cracked with a laptop using Apple’s OSX (well, at least 10.5).

KisMAC

KisMAC is a well-regarded Mac OSX WiFi “stumbler”, with the ability to not only log nearby WiFi Access Points, but their MAC Address (BSSID), their Encoding Type (WEP, WPA or WPA2), and the 4-Way “Handshake” to decode the AP’s password.

Aircrack-ng

Aircrack-ng is a collection of tools with which one can digest the KisMAC logs and successfully spit-out the AP’s password. Aircrack-ng does not run “natively” on Mac OSX 10.5 (it’s a Linux application), so their are a few pieces that need uploaded/installed in order to get it to work properly.

Let Us Start

The KEY to all of this will be to grab a “4-Way Handshake” from KisMAC and utilize Aircrack-ng to decode the Pre-Shared Key (PSK). Rather than “Actively” garnering a “4-Way Handshake”, I’ve chosen to do so in “Passive” Mode… waiting for a “4-Way Handshake”… rather than forcing it to happen. :) How Nice of me. :) Besides, it would require two quality wireless cards to be installed… and I don’t want to buy another single-purpose USB WiFi device. Blech! :(

Aircrack-ng & Pre-Shared Key

Now that we have a full “4-Way Handshake”, we’ll need to start Aircrack-ng to decode the key.

We start with this:

  1. Start a Terminal application.
  2. We’ll need a good “dictionary” file to brute-force the WPA/WPA2 key.
  3. Make sure that the “dictionary” file and the kisMAC log file are in the SAME directory.
  4. Do yourself a favor and rename the kisMAC log file to something like… IDK… “DumpFileX”… where “X” is a numeric value. Why fluster yourself withing typing a rather large filename at the Terminal? Know What I Mean?
  5. If you are smart, your terminal typing will look something like this:
  6. aircrack-ng -w password.txt -b CC:1B:59:86:53:A4 -e belkin.999 DumpLog9
  7. DumpLog3 and password.txt HAVE to be in the same directory. Just do it. OK?
  8. password.txt MUST contain the password for the WiFi WPA/WPA2 enabled Access Point. Each line must be seperate… I suggest using UTF-8 as the final text format.
    For this example: Dumplog3 MUST contain a “4-Way Handshake” for the AP you wish to crack.
  9. The
    -b CC:1B:59:86:53:94

    option MUST contain the MAC Address of the device you wish to crack. Alter as necessary.

  10. The
    -e belkin.999

    option MUST contain the SSID of the device you wish to crack. Alter as necessary.

Simple, eh?

What everyone needs to realize is that in order to crack WPA/WPA2… you MUST have the correct password in your “password.txt” file… else Aircrack-ng will simply fail.

Did you catch that? This is a brute-force attack. One simply cannot generate a short list of passwords to try and exepct that they’ll be surfing FREE on their neighbors WiFi internect connection. :)

Here’s the math: Given an 8-charachter password (lower, upper and numeric) AND you can check passwords at 500k/second… it will take you 15 years to go through ALL iterations. If you choose a 9-character password… it grows to 871 years. Not to mention the size of your dictionary file. Oh, It’ll be larger than a few Gigabyes. Hope you’ve got something else to do to pass the time. :)

Don’t ask me HOW to use KisMAC. There are already a bunch of tutorials online. For more information on Aircrack-ng, again… do a Google Search. There’s plenty on it as well.

So, if you are worried about someone hacking your home WiFi, use WPA/WPA2 and choose a sizable password (between 9 and 64 characters). If you notice your neighbor growing a rather lengthy beard… I wouldn’t worry. You’ll probably move before he cracks your WiFi password. :)

13 Responses so far.

  1. anyone says:

    If it would take at least 15 years to check, why the japanese did it in 5 minutes?

    • Dennis says:

      Good question.

      The simplest answer is “horsepower”. WPA/WPA2 can be cracked rather easily. You just need the password… and that password needs to be in the dictionary you are using. With enough “horsepower” or CPU’s working the task, then one can crack the WPA/WPA2 password in minutes. However, you will need several computers with the latest generation multi-core CPU’s to brute-force the password within any reasonable time-frame. That is why it is so difficult to crack by the ordinary hacker sitting in a coffee shop.

  2. wp4h4x3r says:

    hacking wpa using password is wasting your valuable time.
    its useless.. dictionary only common and standard name inside..i.e god, love, password, 123456 etc..
    dont waste..
    first thing u need to know is scan the ap with wps active, 100% u can get the password with simple computer, no need high end gpu.
    i successfully crack the pass between 6 to 8 hours!!

    http://www.youtube.com/watch?v=AtP4gFhNgVo

    • Dennis says:

      I call BS upon your post. Unless the password is located within your dictionary file… there is NO chance of hacking WPA/WPA2. None. None what-so-ever. There-in lies the thing with cracking WPA/WPA2… You are SCREWED… unless you can locate the password within your “dictionary” file.

      Wish you MUCH luck,
      ~Dennis

      • Jonathan says:

        Dennis, I’m not going to ‘call BS’ on your reply, but I feel I should point out to other readers that you are uninformed about the crackability of wpa/wpa2.

        1. Any scanner (most now) that supports WPS vulnerability detection will let you get in to wpa/wpa2 in a few minutes, not including the learning curve and setup time. It’s a pretty big problem with a ton of newer routers supporting it.

        2. You absolutely do not need the password in a dictionary with the proper tools. John the Ripper, for example, is just one of many that allows you to auto-magically generate and compare passwords on the fly. These password utilities can also be ‘salted’ which greatly increases the speed at which they can crack passwords. Yes, it’s still brute force, but it’s not as radically difficult as you make it sound.

        3. Generating a dictionary (unless auto-generated as above) is ridiculous. There’s a 4 GB torrent that’s constantly udpated and takes about 20 min to download.

        • Dennis says:

          Jonathan,

          Well, I DO appreciate you for NOT calling “BS” on my reply. However, I will tackle your thoughts individually:

          1) Scanning for WPS vulnerabilities IS a problem… as they do exist. This I will certainly agree. But, what if your Wi-Fi card/USB/AP does not support that type of scanning? Well, your still screwed.

          2) You ABSOLUTELY need the password in the dictionary. You stated this yourself: “Yes, it is still brute force…” Now, I DO understand that “Jack/John the Ripper” will help build your dictionary… but, they do not increase the speed of actually “cracking” the router. Even if you “salt” your potential dictionary with possible password combinations… you either need the actual password IN the dictionary, or rely on “Jack/John the Ripper” to add the correct combinations from your dictionary.

          3) A 4GB dictionary torrent is impressive. But, that password better be in there… or else the method I’d originally stated will not work as the password Still.Has.To.Be.In.There.

          I do NOT wish to offend. There ARE ways to increase the chances of cracking WPA/WPA2:
          1) Using “Jack/John the Ripper”… at least it’ll make the process less tedious.
          2) Faster Computer… that goes without saying.
          3) A “hint” as to what the password MIGHT be…
          4) Discovering a WPS vulnerability.

          We ALL wish/desire that password to be easy… simple… like: admin456, password, or 123456789. But, people are getting smarter… and therein lies the rub. At least… from MY opinion. :)

          Happy Cracking,
          Dennis

          • G@rdD0g says:

            I have successfully cracked WPA2 encryption utilizing cowpatty to generate my dictionary and John/Jack the Ripper to crack. What most are missing is the focus on the type of router. Take for example 2-Wire by At&t. These routers have a standard setup of a 10 digit password, all digits are numbers. The are also easy to spot since their SSIDs are broadcasting 2Wire___. Creating a dictionary file of only numbers and attacking with John I successfully pulled the key. Good times. :)

  3. You are either dumb or just plain ignorant, but you have a blog and a website!.
    yeah wpa2 is damn hard to crack, could be damn near imposible without the proper know how, a brain and cpu/gpu power but if you know so much about it to make a post called cracking wpawpa2 with kismac and aircrack-ng you should at least make proper examples of the technique/s described, and damn you for not mentioning the vulnerability in wps.
    nuff said enjoy wasting your time reading my post as i did reading yours.

    • Dennis says:

      Yes. I read your Post… and found it rather enjoyable.

      I did NOT create the Post as a “How To” instruction-able account of how to crack WPA/WPA2. No. Far from it.

      I am neither “dumb” nor “ignorant” in this regard.

      Proper examples and techniques for “hacking” WPA/WPA2 are all OVER the net… so , I suspect you read through ALL of them. I suspect what you were REALLY looking for… was a competent “dictionary” file to crack the WiFi AP you wish to utilize. Sorry… but, you won’t find that here.

      However, that was not my original thought when writing this post… which you have to so vicously maligned. I apologize for disappointing you. I am very sorry for not providing the “dictionary” that you were so hopefully attempting to download. Meh!

      That is NOT what this post was all about anyway.

      Good Luck in your continued Hacking,
      ~Dennis

  4. FAN says:

    lol Dennis I like your enthusiasm. way to go

    • Dennis says:

      Besides, I found creating my “dictionary” so freaking tedious… that I simply gave up trying to do so. We’re talking about Gigabytes and Gigabytes of text files. Holy Moly! The idea that one could crack WPA/WPA2 in a matter of minutes is just… well… incredulous. I don’t have a PC or laptop capable of hacking an AP within ANY reasonable time. I’d be better off just getting my own Internet Access from a local provider. :)

      ~D

  5. So… I beat you all… cracked in 10 minutes.

    B.S. you say?!

    Here’s how it went down…

    Me: Hey! How are you? You know, my internet just went down “You know how that is”, a huge monopoly, let me not get started… Either way, you think I could hop on your network while so I can try to work this mess out?

    Neighbor: Sure! Omg, no big deal, mine is always going out also so I can’t guarantee it will stay on either! Haha, here is the password…

    Me: Omg, you’re a life saver, thank you! If yours goes out we come on over as well.

    Done.

    Moral: Social hacking is still at the top of my list. Nuff’ said.
    Happy Cracking! :)

Leave a Reply