Aircrack-ng is an 802.11 WEP and WPA/WPA2-PSK key cracking program. Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng. This part of the aircrack-ng suite determines the WEP key using two fundamental methods.
- Aircrack-ng: fixed ignoring -p when it is specified after -S. Airmon-ng: fixes for OpenWrt busybox ps/grep issues which do not seem to be present in other versions of busybox. Use the last used directory when selecting another file to crack. GUI (Windows): allow .pcap files too (next to .cap).
- The default syntax for aircrack-ng is: aircrack-ng -w (location of the password list) (capture file.cap). So here we start the brute force on the captured 4-way handshake file: aircrack-ng -w 'wordlist.txt' WPAcrack-01.cap.
- Check the wireless interface: ifconfig.
This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys. I recommend you do some background reading to better understand what WPA/WPA2 is. The Wiki links page has a WPA/WPA2 section. The best document describing WPA is Wi-Fi Security - WEP, WPA and WPA2. This is the link to download the PDF directly. The WPA Packet Capture Explained tutorial is a companion to this tutorial.
WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.
There is another important difference between cracking WPA/WPA2 and WEP: the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is because the key is not static, so collecting IVs, as when cracking WEP encryption, does not speed up the attack. The only thing that gives you the information needed to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.
The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.
The impact of having to use a brute force approach is substantial. Because it is very compute intensive, a computer can only test 50 to 300 possible keys per second depending on the computer CPU. It can take hours, if not days, to crunch through a large dictionary. If you are thinking about generating your own password list to cover all the permutations and combinations of characters and special symbols, check out this brute force time calculator first. You will be very surprised at how much time is required.
IMPORTANT This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.
There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
We all know we can use aircrack-ng to run a wordlist attack to crack WPA/WPA2. In this article I'm going to show you how to do the same using a tool called HashCat, and compare its speed with aircrack-ng.
The advantage of HashCat is that, unlike aircrack-ng, which uses the CPU to crack the key, HashCat uses the GPU. This makes the cracking process MUCH faster (results below).
Installing & using Hashcat
- First you need to download Hashcat from https://hashcat.net/hashcat/
- Navigate to the location where you downloaded it, and unzip it, personally I like to use 7zip.
- Open the Command Prompt (go to windows search and type cmd).
- Navigate to your Hashcat folder where it’s unzipped.
- Type hashcat32.exe or hashcat64.exe depending on the architecture of your CPU.
- In order to use the GPU, you need to get its id using the following command (mine is #3). Then you need to specify the hash type, which is 2500 for WPA. I do recommend using
to get familiar with the tool.
To specify device use the -d argument and the number of your GPU.
The command should look like this in the end.
Example:
Here Handshake.hccapx is my handshake file and eithdigit.txt is my wordlist. You need to convert the .cap file to .hccapx using https://hashcat.net/cap2hccapx/
Results:
Test 1: Using HashCat with an Asus GTX 1080 OC edition, which has a GPU boost clock of 1936 MHz, 8 GB of RAM, and 2560 CUDA cores.
CUDA cores = computing performance; Boost Clock = increased clock speed.
Hashcat took 4 minutes 45 seconds to reach the end of the wordlist and crack the handshake, with a wordlist of 100,000,000 passwords.
Test 2: Using Aircrack-ng on Kali installed as the main operating system, with an i7-7700k CPU (base clock 4.20 GHz, turbo clock 4.50 GHz, 4 cores and 8 threads), it would take 4 hours 22 minutes 14 seconds to try all the passwords in the wordlist.
Test 3: Kali installed as a virtual machine, in this case it would take 11 hours, 31 minutes and 40 seconds to try all passwords in the wordlist!
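The passage above on brute force cost (the "brute force time calculator" the tutorial points to) and the three timing results just listed both come down to the same arithmetic: a guessing rate, a keyspace size, and the ratio between them. The following Python script is an added example written for this page; it is not code from the article, the aircrack-ng project, or hashcat. It derives the effective guesses-per-second of each tested configuration from the 100,000,000-word list and the reported run times, then estimates how long an exhaustive search of passphrases of a given shape would take at that rate. The character-class model (digits 10, lowercase 26, uppercase 26, punctuation 32) and the two sample passphrases are assumptions made here, chosen to illustrate why the tutorial recommends a long random passphrase.

```python
"""Estimate WPA/WPA2-PSK guessing time from the page's three test results.

Added worked example, not the article's or any tool's own code. Rates are
derived from the reported runs; the keyspace model is an assumption made here.
"""
import string

# Wordlist size used in all three tests reported on the page.
WORDLIST_SIZE = 100_000_000


def rate_from_run(candidates: int, hours: int = 0, minutes: int = 0, seconds: int = 0) -> float:
    """Guesses per second for a run that exhausted `candidates` in the given wall time."""
    elapsed = hours * 3600 + minutes * 60 + seconds
    if elapsed <= 0:
        raise ValueError("elapsed time must be positive")
    return candidates / elapsed


# Effective guessing rates of the three configurations described on the page.
RATES = {
    "hashcat GTX 1080": rate_from_run(WORDLIST_SIZE, minutes=4, seconds=45),
    "aircrack-ng i7-7700k bare metal": rate_from_run(WORDLIST_SIZE, hours=4, minutes=22, seconds=14),
    "aircrack-ng i7-7700k VM": rate_from_run(WORDLIST_SIZE, hours=11, minutes=31, seconds=40),
}


def alphabet_size(passphrase: str) -> int:
    """Size of the character set an exhaustive search of this passphrase's shape must cover.

    Assumed model: the search enumerates exactly the character classes the
    passphrase uses (digits 10, lowercase 26, uppercase 26, punctuation 32).
    """
    size = 0
    if any(c in string.digits for c in passphrase):
        size += len(string.digits)
    if any(c in string.ascii_lowercase for c in passphrase):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in passphrase):
        size += len(string.ascii_uppercase)
    if any(c in string.punctuation for c in passphrase):
        size += len(string.punctuation)
    if size == 0:
        raise ValueError("passphrase uses no recognised character class")
    return size


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates of exactly `length` characters over `alphabet` symbols."""
    return alphabet ** length


def seconds_to_exhaust(length: int, alphabet: int, rate: float) -> float:
    """Worst-case time to try every candidate of this shape at `rate` guesses per second."""
    return keyspace(length, alphabet) / rate


def human_duration(seconds: float) -> str:
    """Render seconds using the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("h", 3600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} s"


def passphrase_report(passphrase: str) -> dict:
    """Worst-case exhaustive-search seconds for this passphrase's shape, per configuration.

    WPA/WPA2 pre-shared keys are 8 to 63 characters; anything else is rejected.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 pre-shared keys are 8 to 63 characters")
    alpha = alphabet_size(passphrase)
    return {name: seconds_to_exhaust(len(passphrase), alpha, rate) for name, rate in RATES.items()}


if __name__ == "__main__":
    for name, rate in RATES.items():
        print(f"{name:32s} {rate:>12,.0f} guesses/s")
    # Constructed sample passphrases for illustration only; neither is a real key.
    for pw in ("12345678", "Tr0ub4dor&3Xq9", "q" * 63):
        print(pw[:14].ljust(16), {k: human_duration(v) for k, v in passphrase_report(pw).items()})
```

The 8-digit case reproduces the page's own numbers: its keyspace is exactly the 100,000,000-entry wordlist, so it takes the same 285 seconds on the GPU and the same 4 h 22 min on the CPU. Adding character classes or length moves the estimate from minutes to years, which is the defender's reason for the 63-character random passphrase recommended earlier.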