Crack Wpa2 Windows


When Wi-Fi was first developed in the late 1990s, Wired Equivalent Privacy (WEP) was created to give wireless communications confidentiality. WEP, as it became known, proved terribly flawed and easily cracked.

How to crack a WPA2-PSK password with Windows: first you need to capture the WPA2 four-way handshake with CommView. Open CommView and click on the Start option, then click on the Capture option to start the capture. It will show you all available APs. Click on Tools and select the Node Reassociation option (if Node Reassociation is not working, use a WiFi Alfa card).

As a replacement, most wireless access points now use Wi-Fi Protected Access 2 with a pre-shared key for wireless security, known as WPA2-PSK. WPA2 uses a stronger encryption algorithm, AES, that's very difficult to crack—but not impossible. My beginner's Wi-Fi hacking guide also gives more information on this.

The weakness in the WPA2-PSK system is that the encrypted password is shared in what is known as the 4-way handshake. When a client authenticates to the access point (AP), the client and the AP go through a 4-step process to authenticate the user to the AP. If we can grab the password at that time, we can then attempt to crack it.

In this tutorial from our Wireless Hacking series, we'll look at using aircrack-ng and a dictionary attack on the encrypted password after grabbing it in the 4-way handshake. If you're looking for a faster way, I suggest you also check out my article on hacking WPA2-PSK passwords using coWPAtty coming soon.

Step 1: Put Wi-Fi Adapter in Monitor Mode with airmon-ng

Let's start by putting our wireless adapter in monitor mode. For info on what kind of wireless adapter you should have, check out this guide. This is similar to putting a wired adapter into promiscuous mode. It allows us to see all of the wireless traffic that passes by us in the air. Let's open a terminal and type:

kali > airmon-ng start wlan0


Note that airmon-ng has renamed your wlan0 adapter to mon0 (or wlan0mon if you are using a newer version of aircrack-ng).

Step 2: Capture Traffic with airodump-Ng

Now that our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air. We can grab that traffic by simply using the airodump-ng command.

This command grabs all the traffic that your wireless adapter can see and displays critical information about it, including the BSSID (the MAC address of the AP), power, number of beacon frames, number of data frames, channel, speed, encryption (if any), and finally, the ESSID (what most of us refer to as the SSID). Let's do this by typing:

kali > airodump-ng mon0

Note all of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen.

Step 3: Focus airodump-ng on One AP on One Channel

Our next step is to focus our efforts on one AP, on one channel, and capture critical data from it. We need the BSSID and channel to do this. Let's open another terminal and type:

kali > airodump-ng --bssid 58:8B:F3:E6:18:77 -c 11 --write WPAcrack mon0

Where:

58:8B:F3:E6:18:77 is the BSSID of the AP

-c 11 is the channel the AP is operating on

WPAcrack is the file you want to write to

mon0 is the monitoring wireless adapter

As you can see, we're now focusing on capturing data from one AP with an ESSID of TPTV1 on channel 11. TPTV1 is probably a default SSID; default SSIDs are prime targets for wireless hacking, as users who leave the default ESSID usually don't spend much effort securing their AP.

Step 4: aireplay-ng deauth

In order to capture the encrypted password, we need to have the client authenticate against the AP. If they're already authenticated, we can de-authenticate them (kick them off) and their system will automatically re-authenticate, whereby we can grab their encrypted password in the process.

Let's open another terminal and type:

kali > aireplay-ng --deauth 100 -a 58:8B:F3:E6:18:77 mon0

Where:

100 is the number of de-authenticate frames you want to send

58:8B:F3:E6:18:77 is the BSSID of the AP


mon0 is the monitoring wireless adapter
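The deauthentication step above works because 802.11 management frames are sent unauthenticated unless Protected Management Frames (802.11w, mandatory in WPA3) are enabled, so any station can forge a deauth in the AP's name. From the defender's side the same step is easy to spot: a healthy AP sends the odd unicast deauth when a client times out, while an `aireplay-ng --deauth 100` run produces a tight burst of broadcast deauths. The following detector is an added example written for this page, not code from the article, aircrack-ng, or any monitoring product; it assumes a constructed CSV export of management frames (`timestamp_s,subtype,src_mac,dst_mac,bssid`) and reuses the BSSID from the article's own commands as sample data.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DISCONNECT_SUBTYPES = {"deauth", "disassoc"}


def build_sample_frames():
    """Constructed capture (not real data): five seconds of beacons, two isolated
    unicast deauths of the kind an AP sends when a client times out, then a burst
    of 100 broadcast deauths inside two seconds, the shape produced by the
    article's 'aireplay-ng --deauth 100' step. One CSV line per frame."""
    ap = "58:8b:f3:e6:18:77"        # the BSSID used in the article's commands
    lines = []
    for i in range(50):             # beacons every 100 ms
        lines.append(f"{i * 0.1:.2f},beacon,{ap},{BROADCAST},{ap}")
    lines.append(f"3.00,deauth,{ap},aa:bb:cc:00:00:01,{ap}")    # benign, unicast
    lines.append(f"40.00,deauth,{ap},aa:bb:cc:00:00:02,{ap}")   # benign, unicast
    for i in range(100):            # flood: 100 broadcast deauths, 20 ms apart
        lines.append(f"{60.0 + i * 0.02:.2f},deauth,{ap},{BROADCAST},{ap}")
    return "\n".join(lines)


def parse_frames(text):
    """Turn CSV lines into (timestamp, subtype, src, dst, bssid) tuples, time-sorted."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, subtype, src, dst, bssid = (f.strip().lower() for f in line.split(","))
        frames.append((float(ts), subtype, src, dst, bssid))
    frames.sort()
    return frames


def detect_deauth_floods(frames, window_s=10.0, threshold=20):
    """Sliding-window count of deauth/disassoc frames per BSSID. Raises one alert
    per BSSID the moment the count inside window_s reaches threshold; the
    threshold is what separates an occasional legitimate deauth from a flood."""
    recent = defaultdict(deque)     # bssid -> deque of (timestamp, dst) in window
    alerts, alerted = [], set()
    for ts, subtype, src, dst, bssid in frames:
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        window = recent[bssid]
        window.append((ts, dst))
        while window and ts - window[0][0] > window_s:
            window.popleft()        # drop frames older than the window
        if len(window) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({
                "bssid": bssid,
                "count": len(window),
                "broadcast_count": sum(1 for _, d in window if d == BROADCAST),
                "first_seen": window[0][0],
                "last_seen": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(parse_frames(build_sample_frames())):
        print(alert)
```

Tune `window_s` and `threshold` to the AP's normal churn; a high `broadcast_count` is the stronger signal, since a real AP has little reason to deauthenticate everyone at once. The lasting fix is enabling PMF on the AP and clients, after which forged deauths are discarded.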


Step 5: Capture the Handshake

In the previous step, we bounced the user off their own AP, and now when they re-authenticate, airodump-ng will attempt to grab their password in the new 4-way handshake. Go back to our airodump-ng terminal and check to see whether or not we've been successful.

If you are successful in capturing the 4-way handshake, the top line to the far right of airodump-ng says 'WPA handshake'. This is how it tells us we were successful in grabbing the encrypted password! That is the first step to success!

Step 6: Let's Aircrack-Ng That Password!

Now that we have the encrypted password in our file WPAcrack, we can run that file against aircrack-ng using a password file of our choice. Remember that this type of attack is only as good as your password file. I'll be using the large wordlist on Kali named rockyou.txt. You can find it by typing:


kali > locate wordlist

We'll now attempt to crack the password by opening another terminal and typing:

kali > aircrack-ng WPAcrack-01.cap -w /usr/share/wordlists/rockyou.txt

Where:


WPAcrack-01.cap is the name of the file we wrote to in the airodump-ng command

/usr/share/wordlists/rockyou.txt is the absolute path to your password file

How Long Will It Take?

This process can be relatively slow and tedious. Depending upon the length of your password list, you could be waiting a few minutes to a few days. On my dual core 2.8 gig Intel processor, it's capable of testing a little over 500 passwords per second. That works out to about 1.8 million passwords per hour. Your results will vary.
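The rate quoted above is set by the key derivation, not by the capture: what the handshake yields is not the password itself but nonces and a MIC keyed from the Pairwise Master Key, and IEEE 802.11i derives that PMK from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, over 4096 iterations. Every dictionary candidate has to pay for that derivation, which is why a CPU manages hundreds rather than millions of guesses per second, and why passphrase length is the defender's lever. The block below is an added example for this page, not code from the article or from aircrack-ng; it uses only Python's standard library, the IEEE 802.11i published test vector (passphrase "password", SSID "IEEE"), and constructed candidate strings for the timing loop.

```python
import hashlib
import time


def wpa2_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK derivation specified by IEEE 802.11i for WPA-PSK/WPA2-PSK:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def measure_guess_rate(ssid: str = "IEEE", samples: int = 50) -> float:
    """Derive PMKs for `samples` constructed candidate strings and return
    derivations per second on this machine, the figure the article quotes
    as 'a little over 500 passwords per second' for its CPU."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_psk_to_pmk(f"candidate-{i}", ssid)      # constructed candidates
    return samples / (time.perf_counter() - start)


def hours_to_exhaust(wordlist_size: int, guesses_per_second: float) -> float:
    """Worst-case hours to try every entry of a wordlist at a given rate."""
    return wordlist_size / guesses_per_second / 3600.0


def random_passphrase_keyspace(length: int, alphabet_size: int) -> int:
    """Guesses needed to exhaust all random passphrases of this length."""
    return alphabet_size ** length


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE"
    print(wpa2_psk_to_pmk("password", "IEEE").hex())
    print(f"{measure_guess_rate():.0f} derivations/s in pure Python, one core")
    # the article's numbers: 500/s works out to 1.8 million per hour
    print(f"1.8M candidates at 500/s: {hours_to_exhaust(1_800_000, 500):.1f} h")
    # a random 12-character alphanumeric passphrase against a GPU-class rate
    years = hours_to_exhaust(random_passphrase_keyspace(12, 62), 1e6) / (24 * 365)
    print(f"12 random alphanumerics at 1e6 guesses/s: {years:.2e} years")
```

The dictionary run described in this article only succeeds when the passphrase is in the list; a long random passphrase puts exhaustive search out of reach at any realistic rate, and WPA3's SAE handshake removes the offline-guessing property altogether, since its exchange cannot be replayed against candidate passwords.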


When the password is found, it'll appear on your screen. Remember, the password file is critical. Try the default password file first and if it's not successful, advance to a larger, more complete password file such as one of these. You can create a custom password list (one that is likely to have a greater probability of success based upon knowledge of the target) using crunch.

An exploit that has taken the 'protected' out of Wi-Fi Protected Access II (WPA2) means that your wireless network is likely not as safe as you once thought. What security researcher Mathy Vanhoef is calling 'KRACK' attacks the handshake portion of the WPA2 protocol. Mobile Nations Senior Editor Jerry Hildenbrand put together a comprehensive guide on exactly how the exploit works and how you can protect yourself, also mentioning some information on patches containing a fix. To help you stay on top of which vendors are patching the vulnerability, we rounded them up here.

Router vendors that have issued KRACK patches

As mentioned in Hildenbrand's article, the best way to protect yourself from this exploit is to not use Wi-Fi at all until a proper fix has been proven. CERT has released notes on the KRACK problem, including a list of vendors whose equipment is vulnerable.

Some security-minded companies have already worked on fixes and are offering patches for both client and router. Check back often, as we will keep this list updated.

  • Arch Linux: WPA Supplicant patch, Hostapd patch
  • Cisco Meraki
  • Fortinet
  • Netgear: Only some products fixed, others remain vulnerable

There are also a number of vendors listed as 'Not affected' on the CERT website without further explanation from the vendors themselves. These include:

Furthermore, some companies have posted bulletins regarding their products that weren't affected.

Last updated: October 20, 2017, 12:21 pm EDT
