WPA2 Wi-Fi Password hacking guide (BT5/Kali linux)

This guide is for penetration testing your own network or someone else's, with permission
using someone elses wifi is theft of service and may or may not  be a criminal offence in your area
Logan nor anyone from tek syndicate is liable for your actions, you are so proceed with caution!
EDIT; kali linux is now out as logan said on the tek a few weeks back, as kali is built from the same tools by the same team this guide work with both BT5 r3 and kali,

1st step you will need a copy of backtrack 5 so go here http://www.backtrack-linux.org/downloads/
or kali linux from here (guide is same for both) http://www.kali.org/downloads/
and get yourself an iso (32 or 64bit depending on your hardware)
either burn to disc using imgburn http://www.imgburn.com/index.php?act=download
or make a live usb of 4gb + then you can save sessions and not have to start over when you power off, its a good idea as i have had attacks take up to a day and a half (because of weak signal) and with a disc once powered down......
to do this i use this http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/ itll do windows too....
or as a third option you could run it as a virtual machine with vmware from within windows, but if you do that you HAVE to use a usb wifi dongle because the internal wifi card of laptops gets seen as ethernet by the guest os, dont know why but i have found it to be true - vmware is not freeware, there maybe a trial or cripple ware version available here  http://www.vmware.com/uk/ but i sailed away from the pirate bay with my copy, i wont link directly to it as i may get in trouble from logan but you're a smart guy you can find it ;)
ok so now you have a disc/usb or virtual machine so power on, into BIOS (del,f11,f2 another key depending on hardware) and set it to boot from disc or usb, (not applicable to vm) and lets have some fun!
when the first menu comes up you want default text mode
when the cursor becomes available type "startx" without the quotes and it will boot into a desktop
go to the top of the screen and click on the little black screen to open a teminal (looks like a windows cmd window)
now to find out what wifi adaptor you have
type "airmon-ng" no quotes
if it doesnt list anything then your wifi adaptor is not compatible with bt5 it probably has no promiscuous mode or is lacking driver support but most laptop internal wifi i have found to work and most full size usb dongles do too the tp link tl wn821n works for definate.
the output from that is normally wlan0 but if you have multiple adaptors you will get more options
type "airmon-ng start wlan0"
assuming wlan0 was the output from previous command if not put what the output was for the adaptor you would like to use it will output monitoring enabled on mon0 most times unless you have multiple adaptors
so now we have set our adaptor to monitor the airwaves we can have a snoop at all the available networks
type "wash -i mon0"
and it will list all available networks signal strength encryption type bssid's and other things, we are looking for networks with wpa2/psk WEP is also dooable and much quicker, but as a security standard it is dead and not in common use any more but if you would like a guide for that too, let me know in the thread and when i have a moment.....
anyway choose your victims bssid and
type "reaver -i mon0 -bBSSIDGOESHERE -vv"
and it will start running through the all the possible wps set up pins randomly, it maybe that you get ap rate limiting detected, this is where a router recognises that it is getting attacked from all the wrong passwords and stops bt5 from accessing it rfor a set amount of time to combat this youi need to add a delay -d command to the reaver command line so it looks something  like this
"reaver -i mon0 -b21.34.56.23.54 -d20 -vv"
if ap rate limiting still detected keep increasing the delay by 5 seconds untill you stop tripping the ap rate limit
by using the -vv comand you get more verbose output from the termional wich allows you to see if it is channel hopping or ap rate limiting or whatever and it also lets you see when it gets caught in a loop on a particular password when this happens i press cntrl+c to stop session then up cursor for last command and enter and it picks up where it left off and normally carries on without stuttering on the same password again
after time passes it will output the password and pin number copy both down as if the password is changed you can run the reaver command line again with a -pPINHERE and it will break new password in less than a minit as the pin doesnot change this would look like
"reaver -i mon0 -b23.56.76.45. -p123456 -vv"
the password will get changed if your found on a network you are not supposed to be on wich is why i put that command there as i have had it happen a few times
if this goes on and the network admin is savvy they may stop changing the password and start banning mac addresses from connecting to the router but dont fear!
i use this http://www.technitium.com/ to change my mac address as i have had to deal with this problem before
as a side note, if you are going to jump on a network that isnt yours change your pc name to something not identifiable to you mine is called vm.lineupdate32 as the target network is on virgin media....see?

0 comments:

Post a Comment

Statistik

Powered by Blogger.