As wireless technology has matured and the prices of wireless devices have fallen, more and more households use a WLAN to get online anytime, anywhere. Network security problems have appeared along with it. Although some users with a certain level of computer and network security knowledge have begun using WEP or WPA keys to encrypt the packets they transmit, WEP is quite easy to crack; it is said that professionals abroad can intercept WEP-encrypted packets and recover the WEP key within two minutes. In the past we never had to worry about the security of WPA encryption. Today we will learn how a WPA encryption key is brute-forced, so that users can see for themselves what an attacker is capable of.
1. Network topology of the test environment:
This article uses the brute-force method of cracking the WPA encryption key, which requires that enough WPA-encrypted packets exist on the network. I therefore set aside one computer whose only job is to generate this encrypted traffic, i.e. a computer that authenticates to the wireless router with WPA and communicates with it without stopping. A second computer is then used to capture the encrypted packets and crack them. The specific devices are as follows.
AP: D-Link DWL-2000AP+A, responsible for the WPA encryption settings.
Wireless client: notebook + D-Link DWL-G122 wireless network card, to keep up continuous WPA data communication.
Listening/cracking machine: laptop + NetGear wagelist V2 wireless network card, used to capture the handshake session and crack the key.
2. How WPA ciphertext is brute-forced:
Whether we are cracking WPA-encrypted or WEP-encrypted data, we need dedicated monitoring and analysis software, similar to a sniffer on a wired network. On a wireless network we mainly use a powerful tool named WinAirCrack.
WinAircrackPack -- Download
Step 1: Download and unpack the WinAirCrack program, then download the driver for your wireless network card as described in the previous article and upgrade to the driver for Atheros-chipset wireless cards. Specifically, go to www.wildpackets.com/support/downloads/drivers and download the driver that matches your wireless NIC brand.
Step 2: Open the WinAirCrack installation directory and run airodump.exe.
Step 3: First select your wireless network card as the listening interface, then select the chip type your card uses: "o" is HermesI/Realtek, "a" is Aironet/Atheros; only these two types are supported. Because the author's card is Atheros-based, select "a".
Step 4: Select the channel to monitor. Since I know the wireless network uses channel 10, I select 10 directly. If you later want to crack a WPA network whose channel you do not know, select 0, which scans all channels.
Step 5: Set the file name under which the captured data is saved. Just give it a name you can recognise.
Step 6: After entering all the information, capturing starts. The window shows the SSID, channel and rate of each wireless network that airodump.exe has found, and the ENC column shows the encryption method used by the wireless network, here WPA.
Step 7: During this period, make sure that a WPA-PSK client exists that logs on to the WLAN normally, and that it actually logs on; in other words, airodump must capture the entire "request/challenge/response" process of the client logging on to the WLAN. Of course, whether and when this succeeds is not measured by the listening time but determined by the amount of traffic.
Step 8: After listening and capturing for long enough, press Ctrl+C to stop, then run the winaircrack.exe analysis program in the WinAirCrack directory.
Step 9: On the General page, select WPA-PSK from the Encryption type drop-down menu; in the Capture files column, select the CAP file captured with airodump. Click "Wpa" in the main menu on the left to go to the WPA settings page. In the "Dictionary file" field, enter the path of a dictionary file with the .lst suffix. Let us look at this dictionary file more closely: the WinAirCrack program itself does not include one, but we can create a dictionary file with a tool or by hand.
TIPS:
We can build dictionary files ourselves, as long as each line holds exactly one candidate key. For example, use the following format:
111
222
333
444
Step 10: Once the dictionary file is set, we start cracking. Of course, the key to success is how good the dictionary file is and how many candidates it contains. One thing to note here: the password string used by WPA-PSK can consist of any characters representable in ASCII, but it must be at least 8 characters long.
Step 11: After the dictionary is loaded, return to the winaircrack.exe program and press the "Aircrack the key..." button at the bottom right of the window. A CMD console pops up showing the parameters read from the CAP file, for example the path of the CAP file, the number of packets it contains, and the BSSID | ESSID | encryption method of the AP the packets belong to. The software then analyses the captured packets and tries the entries of the dictionary file against them one by one. If the attack succeeds, a "KEY FOUND" prompt appears.
If no key is found, there are two possibilities. The first is that not enough packets were captured; the listening time must be extended and the traffic between the test machine and the wireless router increased. The second is that the dictionary file is not good enough: the candidates it contains do not include the actual WPA key.
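The two points above, the one-candidate-per-line dictionary format and the WPA-PSK passphrase rule, can be turned into a defender-side check: before deploying a passphrase, confirm it is valid and does not sit in a wordlist such as the one shown. This is an added example, not code from the article or from WinAirCrack; the wordlist is constructed, and the 63-character upper bound and printable-ASCII range (32 to 126) come from the 802.11 passphrase definition rather than from the article, which only states the 8-character minimum.

```python
# Constructed sample wordlist in the format the article describes:
# one candidate per line (the article's own entries plus two constructed ones).
SAMPLE_WORDLIST = """111
222
333
444
password
12345678
"""

def load_wordlist(text):
    """Parse a .lst-style wordlist: one candidate per line, blank lines ignored."""
    return {line for line in text.splitlines() if line}

def is_valid_psk_passphrase(candidate):
    """802.11 WPA-PSK passphrase rule: 8 to 63 printable ASCII characters."""
    return 8 <= len(candidate) <= 63 and all(32 <= ord(c) <= 126 for c in candidate)

def usable_candidates(wordlist):
    """Entries that could actually be a WPA-PSK passphrase.

    Entries such as the article's "111" can never match a real key, so a
    dictionary made of them wastes cracking time; the same filter tells a
    defender which entries of a leaked list matter."""
    return {w for w in wordlist if is_valid_psk_passphrase(w)}

def passphrase_problems(passphrase, wordlist):
    """Return the reasons a proposed WPA-PSK passphrase is invalid or weak.

    An empty list means the passphrase is well-formed and a dictionary attack
    using this wordlist would not find it."""
    problems = []
    if len(passphrase) < 8:
        problems.append("shorter than 8 characters")
    if len(passphrase) > 63:
        problems.append("longer than 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains non-printable or non-ASCII characters")
    if passphrase in wordlist:
        problems.append("appears in the wordlist")
    return problems

if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST)
    for candidate in ("111", "password", "correct horse battery"):
        print(repr(candidate), passphrase_problems(candidate, words) or "ok")
```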
3. Summary:
In any case, brute-force cracking is a laborious and costly task that tests the patience of whoever attempts it. In many cases we may still not have collected enough packets after listening for 24 hours or more; in others we may have tried tens of thousands of keys without success. Nevertheless, the brute-force method does work: as long as the conditions are met, the key used by WPA can be found. Of course, the brute-force cracking introduced in this article depends on luck; after all, WPA is far safer than WEP, let alone no encryption at all.