Using Wireshark To Crack Wpa2 With Windows

• Using Wireshark To Crack Wpa2 With Windows 8.1
• How To Crack Wpa2 Psk
• Using Wireshark To Crack Wpa2 With Windows Xp
• Using Wireshark To Crack Wpa2 With Windows 7

by hash3liZer . 20 August 2018

Since many of the last years we are continuously trying to stipulate with the same technique over and over again to somehow crack the WiFi passphrase. Unfortunately, this quest of ours has been invariabily one of those which usually have lesser outcomes and we usually end up with something like Rogue AP.

This guide is about cracking or brute-forcing WPA/WPA2 wireless encryption protocol using one of the most infamous tool named hashcat. A Tool perfectly written and designed for cracking not just one, but many kind of hashes. About hashcat, it supports cracking on GPU which make it incredibly faster that other tools. We will learn about cracking WPA/WPA2 using hashcat. For WPA2 decryption to work in wireshark, you will need to capture the 4 authentication packets at the beginning of the connection to the AP. So, disconnect from the SSID, start capturing packets in wireshark, connect to the SSID and you should be able to see the IP (decrypted) traffic. For Wireshark to decrypt the traffic it needs the capture the four way handshake (From here it takes the ANounce, SNounce and MIC to verify if the PTK matches the conversation) and provide the PMK. To provide the PMK just add the passphase to the 802.11 key list in Edit-Preferences-IEEE 802.11 with the right syntax.

How To Crack Wpa2 With Wireshark cinurl.com/1321d6. Once Wireshark is loaded, just type eapol into the filter tab and you should see each of the 4 handshakes captured as below. 4-way handshake capture in Wireshark To use Hashcat to crack the password you need to convert the.cap file into a.hccapx file. This is a format Hashcat understands stripping out anything it does not need from the capture.

However, with the uncovering of this new vulnerability now named PMKID, it's quite surprising that we can skip one of the most crucial steps in the traditional WPA/WPA2 cracking.

What was the way before this uprising PMKID cracking? You see, we try to capture a 4-way handshake by forcing the clients to re-authenticate with the Access point by forging those savage de-authentication frames. The later part is cracking the key (MIC) by comptuing hashes which are mingled through the 4 packets (HANDSHAKE).

Up until now, the process was same. But with the uncovering of this hostile vulnerability, thanks to Jen Steube, we can save quite a time of ours. Not just it decreased the time taken, rejected the need of a handshake but also increased the performance in terms of computing the cracking keys. With not dwelling more on to the topic, here's a logical statement to precisely compute the PMKID:

Jens Steube not just publicly published the vulnerability with his tool hashcat but also disclosed much wider information and allowed us to dissect our own frames to acheive much bigger aims. Now, if I had been planning on writing efficient code to crack WPA2 with PMKID, Python with scapy would have been my priority. Let's just focus on cracking WPA/WPA2 with what we now know as PMKID.

STEP 1

Cloning and Interface

Clone into the repository with git clone and move to the directory:

Previously, in this tutorial we had covered doing the same attack through a different perspective, basically following the foot-steps of Jens Steube through different tools. With WiFiBroot, which is a tool written in Python we can do the same task with a single command.

WiFiBroot is built on the foundation of scapy, a well known packet forging library and tool. However, with upgradings and the continuous evolving of scapy, the layers and the fields within are slightly displaced from their orignal places. So, until a suitable version is released, the recommended version to install is 2.4.0 and so we will:

With hcx scanning tool, we had a very limited choice of supported adapters for injecting the right frames. Now, in this case, a simple adapter like WN722N would be enough the produce the PMKID. Put your wireless adapter in monitor mode:

STEP 2

Kick-Sart WiFiBroot

WiFiBroot support multiple modes and has multiple usages. If you had happened to get through the manual of WiFiBroot, you would have known all the names and the purpose of each one of them.

If you supply -h/--help argument with a valid mode, you will get all the available options for that mode. For Example, to print the options for de-authentication mode:

To get along in simple steps without wasting our time, we can kick-start the tool:

• -m, --mode: Mode to use. Possible values: 1, 2
• -i, --interface: Monitor Interface to use.
• -d, --dictionary: Wordlist for cracking.
• -w, --write: Write output to a file.

There is a small wordlist included in the directory with WiFiBroot. Besides, just the wordlist, wifibroot will attempt to guess the key by making assumptions through default passwords and further reshuffle them in a way the most companies does with their routers.

Now, coming back to point; this will initiate the scanning of your sorrounding area, trying to discover the nearby wireless access points with 2.4 GHz frequencies. Before we proceed further, we need know what part of WPA/WPA2 is actually vulnerable. For the record, if you happen to have a WiFi with WPA only as it's encyption, you are safe from PMKID attack. It's WPA2 that on the spot is actually vulnerable. Choose your target network:

STEP 3

Wait for the EAPOL

What makes this attack effective is the rejection of 4-way handshake as a need to crack WPA/WPA2 passphrases. EAPOL frames commence as successors to Authentication and Association requests. If both of the requests are to be successfully performed, both the station and the access point have to be agreed upon some terms. It is then after these requests that the access point dispatch the first EAPOL frame which contains the PMKID in RSN layer.

You can see the following events happening in series:

• Open Authentication
• Association
• 4-way handshake

Here, we got the PMKID:

If an empty PMKID is received, you will be informed of the event and will be notified that access point is not fallible to this attack.

STEP 4

Cracking

Once we have the first handshake, we can crack the password right then and there. WiFiBroot does that as well. You will be notified that EAPOL first message has been captured and immediatly the cracking would start as can be seen in the screenshot. However, with the consideration in mind, we must conlude the fact that we are not going to acheive much speed with python as can be done through hashcat. So, we can also save the PMKID in the same format as of hcxpcaptools:

The output file can then be resued with both WiFiBroot and hashcat, if you prefer cloud computing. I personally prefer hashcat for cracking. To reuse the file with WiFiBroot, you can simple launch:

STEP 5

Output

The file can be reused in a number of other cases including the famous hashcat tool. People usually prefer using hashcat when computing keys at a very high speed, usually in cloud servers nowadays. In the past couple years, cloud computing has become the most widespread norm among the computer industries and now people are using it to mine websites and data. Recently, this idea emerged of cracking WPA2 in cloud servers. You can setup your own server and use hashcat to crack the keys:

Conclusion

WPA/WPA2 has been dwindling after the discovery of WPA2 key-reinstallation attack (KRACK) and while testing the new WPA3 protocol, Jens Steube stumbled upon on another vulnerability in WPA2 protocol, rejecting the need for a handshake to be in place. This highly visualized the traditional WPA/WPA2 cracking through MIC code into a new more robust EAPOL capture. The outcome of this is that now we are better able to crack WPA2 without handshake and can acheive more perfect performace.

In this hi-tech life, we always need a working internet connection to manage both our professional and personal life. The most comfortable way to access internet everywhere anytime is by buying mobile data recharges but they are very expensive. Another good way to connect to free WiFi if it's luckily available at your workplace, college or home. But everyone is not that lucky.

Everybody might have many fast WiFi hotspots available in their smartphone's range, but they don't have access to those WiFi connections because they are password protected and you don't have access to them so, you can't use those WiFi hotspot to access internet in your smartphone or laptop. But, what if you can hack a WiFi?

Yes, I am not joking. What if you can hack any WiFi available in your range and crack it's password to access free and unlimited internet? IMO, if you can learn a way to hack a WiFi network then you can access free internet everywhere. Right?

So, I am telling you the method to hack a secured WiFi network, crack its password and enjoy free internet using it.

Before moving directly to the methods to hack WiFi networks lets first see what type of security and authentication methods are implemented in WiFi networks.

WiFi Security & Encryption Methods

• Open – This is WiFi networks with no authentication. Anyone in the WiFi range can connect his device to the network without any password in enjoy free internet. However, these networks are rarely available and also risky.
• WEP – Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN.
• WPA – WiFi Protected Access (WPA) is improved and more secured security protocol which arrived with lots of improvements in encryption and authentication methods of WEP.
• WPA2 PSK – It is short of Wi-Fi Protected Access 2 – Pre-Shared Key which is the latest and most powerful encryption method used in WiFi networks right now.

Hacking WiFi Networks with WEP, WPA and WPA2 PSK Security

As security features have been improved from WEP to WPA to WPA2 PSK WiFi authentication protocol, so obviously, WEP WiFi networks are very easy to hack compared to WPA and WPA2 PSK Security methods.

Almost every password-protected WiFi networks support both WPA/WPA2 PSK authentication. If somebody is already connected to the network, you can check in his network properties to see what encryption-type is being using by the targeted WiFi network.

But if you want to know encryption-type of WiFi network which is not connected to any device in your reach, you need Ubuntu operating system to do this.

In Ubuntu, you can use nmcli command in terminal which is command-line client for NetworkManager. It will show you security types of nearby Wi-Fi access points. Enter the following command in terminal:

It will show you the output like this:

Using the above methods, you should have known the encryption-type of targeted WiFi network which you want to hack. So, I am gonna show you how to hack WiFi Network for each of WEP, WPA and WPA2 PSK secured WiFi networks.

Requirements for Hacking WiFi Netwoks

My methods require KALI Linux which is especially designed Linux distrbution for penetration testing and ethical hacking. You can download it for free from its official site. Download Kali Linux ISO from its website either install it as separate operating system in your system or you can use Virtual Machine/VMware to directly run KALI Linux inside Windows.

You will also need Aircrack-ng which is a security suite to assess WiFi network security. It focuses on different area of WiFi security: monitoring, attacking, testing and cracking.

Another important requirement is to check if your wireless card is compatible with Aircrack-ng or not. Because if it's not compatible, you need to have an Aircrack-ng compatible card. Check it directly here: http://www.aircrack-ng.org/doku.php or run aireplay-ng -9 mon0 command inside terminal to view the percentage of injection your card can do.

Install Aircrack-ng using the following command in KALI LINUX

• sudo apt-cache search aircrack-ng (to seach aircrack-ng or any related repositories)
• sudo apt-get install aircrack-ng (to install aircrack-ng repository)

• -m, --mode: Mode to use. Possible values: 1, 2
• -i, --interface: Monitor Interface to use.
• -d, --dictionary: Wordlist for cracking.
• -w, --write: Write output to a file.

There is a small wordlist included in the directory with WiFiBroot. Besides, just the wordlist, wifibroot will attempt to guess the key by making assumptions through default passwords and further reshuffle them in a way the most companies does with their routers.

Now, coming back to point; this will initiate the scanning of your sorrounding area, trying to discover the nearby wireless access points with 2.4 GHz frequencies. Before we proceed further, we need know what part of WPA/WPA2 is actually vulnerable. For the record, if you happen to have a WiFi with WPA only as it's encyption, you are safe from PMKID attack. It's WPA2 that on the spot is actually vulnerable. Choose your target network:

STEP 3

Wait for the EAPOL

What makes this attack effective is the rejection of 4-way handshake as a need to crack WPA/WPA2 passphrases. EAPOL frames commence as successors to Authentication and Association requests. If both of the requests are to be successfully performed, both the station and the access point have to be agreed upon some terms. It is then after these requests that the access point dispatch the first EAPOL frame which contains the PMKID in RSN layer.

You can see the following events happening in series:

• Open Authentication
• Association
• 4-way handshake

Here, we got the PMKID:

If an empty PMKID is received, you will be informed of the event and will be notified that access point is not fallible to this attack.

STEP 4

Cracking

Once we have the first handshake, we can crack the password right then and there. WiFiBroot does that as well. You will be notified that EAPOL first message has been captured and immediatly the cracking would start as can be seen in the screenshot. However, with the consideration in mind, we must conlude the fact that we are not going to acheive much speed with python as can be done through hashcat. So, we can also save the PMKID in the same format as of hcxpcaptools:

The output file can then be resued with both WiFiBroot and hashcat, if you prefer cloud computing. I personally prefer hashcat for cracking. To reuse the file with WiFiBroot, you can simple launch:

STEP 5

Output

The file can be reused in a number of other cases including the famous hashcat tool. People usually prefer using hashcat when computing keys at a very high speed, usually in cloud servers nowadays. In the past couple years, cloud computing has become the most widespread norm among the computer industries and now people are using it to mine websites and data. Recently, this idea emerged of cracking WPA2 in cloud servers. You can setup your own server and use hashcat to crack the keys:

Conclusion

WPA/WPA2 has been dwindling after the discovery of WPA2 key-reinstallation attack (KRACK) and while testing the new WPA3 protocol, Jens Steube stumbled upon on another vulnerability in WPA2 protocol, rejecting the need for a handshake to be in place. This highly visualized the traditional WPA/WPA2 cracking through MIC code into a new more robust EAPOL capture. The outcome of this is that now we are better able to crack WPA2 without handshake and can acheive more perfect performace.

In this hi-tech life, we always need a working internet connection to manage both our professional and personal life. The most comfortable way to access internet everywhere anytime is by buying mobile data recharges but they are very expensive. Another good way to connect to free WiFi if it's luckily available at your workplace, college or home. But everyone is not that lucky.

Everybody might have many fast WiFi hotspots available in their smartphone's range, but they don't have access to those WiFi connections because they are password protected and you don't have access to them so, you can't use those WiFi hotspot to access internet in your smartphone or laptop. But, what if you can hack a WiFi?

Yes, I am not joking. What if you can hack any WiFi available in your range and crack it's password to access free and unlimited internet? IMO, if you can learn a way to hack a WiFi network then you can access free internet everywhere. Right?

So, I am telling you the method to hack a secured WiFi network, crack its password and enjoy free internet using it.

Before moving directly to the methods to hack WiFi networks lets first see what type of security and authentication methods are implemented in WiFi networks.

WiFi Security & Encryption Methods

• Open – This is WiFi networks with no authentication. Anyone in the WiFi range can connect his device to the network without any password in enjoy free internet. However, these networks are rarely available and also risky.
• WEP – Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN.
• WPA – WiFi Protected Access (WPA) is improved and more secured security protocol which arrived with lots of improvements in encryption and authentication methods of WEP.
• WPA2 PSK – It is short of Wi-Fi Protected Access 2 – Pre-Shared Key which is the latest and most powerful encryption method used in WiFi networks right now.

Hacking WiFi Networks with WEP, WPA and WPA2 PSK Security

As security features have been improved from WEP to WPA to WPA2 PSK WiFi authentication protocol, so obviously, WEP WiFi networks are very easy to hack compared to WPA and WPA2 PSK Security methods.

Almost every password-protected WiFi networks support both WPA/WPA2 PSK authentication. If somebody is already connected to the network, you can check in his network properties to see what encryption-type is being using by the targeted WiFi network.

But if you want to know encryption-type of WiFi network which is not connected to any device in your reach, you need Ubuntu operating system to do this.

In Ubuntu, you can use nmcli command in terminal which is command-line client for NetworkManager. It will show you security types of nearby Wi-Fi access points. Enter the following command in terminal:

It will show you the output like this:

Using the above methods, you should have known the encryption-type of targeted WiFi network which you want to hack. So, I am gonna show you how to hack WiFi Network for each of WEP, WPA and WPA2 PSK secured WiFi networks.

Requirements for Hacking WiFi Netwoks

My methods require KALI Linux which is especially designed Linux distrbution for penetration testing and ethical hacking. You can download it for free from its official site. Download Kali Linux ISO from its website either install it as separate operating system in your system or you can use Virtual Machine/VMware to directly run KALI Linux inside Windows.

You will also need Aircrack-ng which is a security suite to assess WiFi network security. It focuses on different area of WiFi security: monitoring, attacking, testing and cracking.

Another important requirement is to check if your wireless card is compatible with Aircrack-ng or not. Because if it's not compatible, you need to have an Aircrack-ng compatible card. Check it directly here: http://www.aircrack-ng.org/doku.php or run aireplay-ng -9 mon0 command inside terminal to view the percentage of injection your card can do.

Install Aircrack-ng using the following command in KALI LINUX

• sudo apt-cache search aircrack-ng (to seach aircrack-ng or any related repositories)
• sudo apt-get install aircrack-ng (to install aircrack-ng repository)

Fulfill only these requirements and you are ready to hack any WiFi network, whether it is a WEP, WPA or WPA2 PSK Wi-Fi.

Steps to hack WiFi Networks

Starting below, I'll be guiding you step-by-step in hacking a secured WiFi network. You can either scroll down to read each and every WiFi hacking method or can directly jump to the required section below using these links:

There are various methods to hack into WiFi network and crack its password for all the above security-types but I am showing only those methods with which I've had success in cracking password of desired WiFi network and hack secured WiFi Access points. So, if you follow these steps correctly, you'll also be able to hack any WiFi hotspot available in your reach.

How To Hack WEP WiFi Network

Using Wireshark To Crack Wpa2 With Windows 8.1

In this method, we are going to hack WEP secured WiFi network using packet injection method inside KALI Linux operating system. So, start KALI Linux in your system. Now follow these below steps:

Step 1: Check Wireless Interface

• Open terminal in Kali Linux and enter the command airmon-ng. It will show you what network interface are you using. In my system, I have only one network interface card wlan0, which is my wireless interface card.
• Create a network interface which runs in monitor mode. To do this enter command airmon-ng start wlan0.Make sure to replace wlan0 in command with the interface name that your card have. Here, mon0 has been created.
• Now, you might or might not get the warning appearing in the below screenshot which tells other processes using the network which can create the problem. So, you can kill them using the syntax: kill PID if you know those processes are not important for you at the moment.

Step 2: Scan available WEP WiFi networks

• Now, enter the command airodump-ng mon0 to scan & list down all the available WiFi networks using created monitor interface (mon0). It can take time to all the available WiFi networks in range.
• Once the process is done,all the available WiFi access points will appear with their important details: BSSID (WiFi Access Point MAC Address), PWR (Signal strength value; the lower, the better), CH (Channel for WiFi), ENC (Encryption type), AUTH, ESSID (Name of WiFi)
• Select the WiFi network with WEP Encryption (ENC) and lowest PWR value.

Step 3: Attack the selected WEP WiFi Network

• Open another terminal concurrently and enter command: aidodump-ng -c 1 -w bell –bssid 64:0F:28:6B:A9:B1 mon0. Here, -c 1 indicates channel number which is 1, -w bell is to write data in file 'bell', –bssid 64:0F:28:6B:A9:B1 is MAC address for my selected WiFi access point and mon0 is monitor interface that was created above. Hit Enter and it will start sending packets (visible in #Data) to the WiFi

• The speed of sending data is very slow but you need to escalate it by attacking the WEP WiFi network. First enter the command airplay-ng -1 0 -a 64:0F:28:6B:A9:B1 mon0 to perform fake authentication (-1 in command) to the network.
• Now we will perform ARP REPLAY Attack to the WiFi network to climb the data to the network at enormous rate. Useairplay-ng -3 -b 64:0F:28:6B:A9:B1 mon0, where -3 is for ARP REPLAY attack. Hit enter and the command will start doing attack to WEP WiFi Access point and you can see the #Data value increasing at enormously fast rate.
• In below screenshot the bell-01.cap is the file where data is being stored that we will use to crack the password of this WEP WiFi network once we have enough data (recommended #Data value should be over 35,000).

• Once you have enough data in the file bell-01.cap, run the command aircrack-ng bell-01.cap. It will test all the data values available in key file and automatically show you the key it found by testing data in file.

• You can see in above screenshot that we have successfully cracked the password of targeted WEP WiFi network
• The key found will not be in those text or alphanumeric format that the WiFi owner has created. It will be in hex format but work just fine.
• Now, to use this key, firstly start the processes you have killed in Step 1 above using the command I have used below.

• Finally enter the cracked key 61:32:58:94:98 (without colon) as the password of targeted WEP WiFi Network and it will be connected.

Steps to Hack WPA/WPA2 Secured WiFi Network

Hacking into WPA/WPA2 WiFi Network is very tough, time & resource consuming. The technique used to crack WPA/WPA2 WiFi password is 4-way handshake for which there is a requirement to have at least one device connected to the network.

In WPA/WPA2 security method, the allowed password can have both large and small alphabets, numbers and symbols. And, allowed size of password is 64 characters. On a rough guess, if we consider password to be only 8 characters long and eliminate the use of symbols even then if you want to crack WPA or WPA2 WiFi password, using the brute force method the password combinations will be: 8^26+26+10=62 which is equals to:

• 98079714615416886934934209737619787751599303819750539264

So, even in fastest computer you can manage to use, it's going to take hours.

Aircrack-ng have all the tools required to crack into WPA/WPA2 PSK WiFi network. It can perform 4-way handshake by disconnecting/connecting the connected device and capturing WPA handshake. It can perform brute-force attack but you can't hope to crack the password if you have wordlist/dictionary for the password (which is already too big in size) with password inside it. I hate to tell you this but yes, doing it on your own can take forever.

However, there is a tricky way to crack WPA/WPA2 WiFi Password quickly which only requires you to be a bit lucky. The tool is fluxion. Fluxion use same 4-way handshake technique to crack secured WPA/WPA2 WiFi access points password but it doesn't require you to have dictionary or perform brute force attack. So yes, it's going to minimize your time to hack WPA or WPA2 WiFi networks password multiple folds.

Instead of doing this, it performs a little bit of phishing where the already connected user is asked to enter password of WiFi network again for security reason and when the user enter the password, first the handshake is checked with the earlier captured handshake of the device, if handshake is correct that means the password entered by user is correct. Once it is successful, Fluxion returns the key required to authenticate the network.

Steps to crack WPA/WPA2 WiFi Password using Fluxion

How To Crack Wpa2 Psk

• Scan the networks.
• Capture a handshake (can't be used without a valid handshake, it's necessary to verify the password)
• Use WEB Interface *
• Launch a FakeAP instance to imitate the original access point
• Spawns a MDK3 process, which deauthenticates all users connected to the target network, so they can be lured to connect to the FakeAP and enter the WPA password.
• A fake DNS server is launched in order to capture all DNS requests and redirect them to the host running the script
• A captive portal is launched in order to serve a page, which prompts the user to enter their WPA password
• Each submitted password is verified by the handshake captured earlier
• The attack will automatically terminate, as soon as a correct password is submitted

I can understand that not all readers will be able to implement the method after reading such summarized version on hacking WPA/WPA2 PSK WiFi Network. So, below is the video tutorial on cracking WPA2 WiFi Access Point password using Fluxion.

Using Wireshark To Crack Wpa2 With Windows Xp

https://youtu.be/4XLUVfoJqo8

Using Wireshark To Crack Wpa2 With Windows 7

Comments below if you face any problem in hacking WEP, WPA and WPA2 PSK WiFi Networks using the above methods.

Must Read –How To Hack a Website using SQL Injection