
How To Crack WPA / WPA2

Discussion in 'Wireless Article Discussions' started by thiggins, Sep 24, 2008.

  1. thiggins

    thiggins Mr. Easy Staff Member

    May 18, 2008
    Wireless networks secured by WPA / WPA2 can be cracked. But it's not as easy as cracking WEP. [article link]
  2. Ash-lee

    Ash-lee Guest

    WEP cracking: easy... WPA is solid. How is it done?

    I'm a newbie to this hacking lark really. It's those live help vids that got me successful at the WEP crack. With the permission of my neighbour, I had a go at their WEP network and succeeded. Now I'm trying to do the dreaded WPA network and I can't seem to get it off the ground. I can't even get the 'handshake' thing. Does that only happen when the user is logging on, or can it work if they're online, period? Or doesn't it matter? And how do I know in the program kismet/airodump that they are going online / online already / not online? I've tried doing the dictionary thing as well by putting a text file in the root directory called dictionary, filled it up with 5,200 words, one word per line, used it in the commands and it just says: 'no such directory'. It's doing my nut in! What am I doing wrong? Email me @ [email protected] or reply to this thread if you can help. Thanks a lot...

  3. jdabbs

    jdabbs Super Moderator

    May 28, 2008
    Set up a network of your own and play around with the tools. An hour or two to familiarize yourself will help you understand what's going on in the background.
  4. Esurnir

    Esurnir New Around Here

    Sep 30, 2008
    The original handshake will happen when one of the users connects to the wifi network (typically, when he starts his computer or after a connection loss).

    You can check if you captured a handshake by going into Wireshark, opening the dump files and using the filter eapol.
  5. Unregistered

    Unregistered Guest

    Erm, call me silly, but

    "..poor little laptop can only crunch about 35 hashes a second.."

    is commented at one point, and then:

    "..testing 3740 keys took 35 seconds.."

    One's 35, the other is 100... So which is correct?
  6. ronnald smith

    ronnald smith New Around Here

    Nov 22, 2008
    Hi, cracking WPA is very difficult for me because reading the password takes a very long time. One time I read for 12 hours, around 8 million keys, but failed.
    Now I just focus on WEP. Very simple to get the key.
    I use VMware in Windows + USB wifi.. no need to type commands, just type 1,2,3,4 and finish.. I can crack in around 3 minutes..
    For newbies, you can find it here: Tutorial WEP Cracking In 3 Minute

    Can someone help me with what the best software is to read the handshake very fast? I use aircrack but it's just 200 keys/second; it takes a long time to read the handshake. I use a dual core processor and aircrack makes my notebook CPU usage 100%.. help...
  7. jdabbs

    jdabbs Super Moderator

    May 28, 2008
    Deauthing a client is a fast way to force an EAPOL handshake.
    If by "read" you meant "crack," the fastest method is the Church of WiFi's WPA hash tables, located here. The tables are precomputed hashes of one million passwords, for a thousand of the most common SSIDs.

    If your target network isn't one of the thousand SSIDs in the hash tables, you'd have to manually compute the hashes, which is what it sounds like you're doing now. The recently-introduced Pyrit allows hash computation to be performed by CUDA-supporting GPUs (newer Nvidia cards). The current top of the line card, the GTX 280 (~$450), can break 11k keys/second.
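jdabbs notes above that deauthenticating a client forces a fresh EAPOL handshake. From the network owner's side, a burst of deauthentication frames is exactly the signature to watch for. The script below is an added example, not code from this thread or from the aircrack-ng project: it keeps a sliding-window count of deauthentication/disassociation frames per transmitter over constructed frame records (one ordinary deauth during normal operation, then a burst carrying the AP's own address) and raises one alert when a transmitter crosses the threshold. The sample records, addresses, threshold and window are all assumptions; decoding a real monitor-mode capture into this record shape is left to a tool such as tshark or scapy.

```python
"""Flag deauthentication/disassociation floods in parsed 802.11 frames.

Added example for this thread (not the thread's own code). The frame records
below are constructed by hand; in practice they would come from a
monitor-mode capture decoded elsewhere (assumption: that step is done by a
tool such as tshark or scapy).
"""
from collections import defaultdict, deque

MGMT = 0          # 802.11 frame type: management
DEAUTH = 12       # management subtype: deauthentication
DISASSOC = 10     # management subtype: disassociation
BEACON = 8        # management subtype: beacon (ignored by the detector)

AP = "02:00:00:00:aa:01"        # constructed BSSID
CLIENT = "02:00:00:00:cc:02"    # constructed station address
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample: one legitimate deauth during normal operation, then a
# burst of eight broadcast deauths whose transmitter field is the AP's address.
SAMPLE_FRAMES = [
    {"ts": 0.00, "type": MGMT, "subtype": BEACON, "src": AP, "dst": BCAST},
    {"ts": 0.10, "type": MGMT, "subtype": DEAUTH, "src": AP, "dst": CLIENT},
    {"ts": 0.20, "type": MGMT, "subtype": BEACON, "src": AP, "dst": BCAST},
] + [
    {"ts": round(10.0 + 0.05 * i, 2), "type": MGMT, "subtype": DEAUTH,
     "src": AP, "dst": BCAST}
    for i in range(8)
] + [
    {"ts": 10.40, "type": 2, "subtype": 0, "src": CLIENT, "dst": AP},  # data
]


def detect_deauth_flood(frames, threshold=5, window=2.0):
    """Return one alert per transmitter that sends more than `threshold`
    deauth/disassoc frames inside any `window`-second span.

    Each alert is (src, first_ts, last_ts, count). `frames` must be in time
    order; each record has the keys ts, type, subtype, src and dst.
    """
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    alerted = set()
    alerts = []
    for f in frames:
        if f["type"] != MGMT or f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        q = recent[f["src"]]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:
            q.popleft()               # age out timestamps older than the window
        if len(q) > threshold and f["src"] not in alerted:
            alerted.add(f["src"])     # report each transmitter once
            alerts.append((f["src"], q[0], f["ts"], len(q)))
    return alerts


if __name__ == "__main__":
    for src, first, last, count in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"deauth flood from {src}: {count} frames between {first}s and {last}s")
```

The single deauth at 0.10 s is never reported, because it is alone in its two-second window; the burst trips the alert on its sixth frame. On the prevention side, enabling 802.11w (Protected Management Frames) on the AP makes forged deauthentication frames fail their integrity check, which removes the trigger jdabbs describes for clients that also support it.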
  8. Unregistered

    Unregistered Guest

    WPA Help

    I've followed the instructions for cracking WPA w/ no clients;
    airmon-ng stop...start ....
    airodump-ng ....
    aireplay-ng -0 5 -a"" ath0
    aircrack-ng -w ....

    I've never gotten a handshake. Can someone please help me through the steps?

  9. jdabbs

    jdabbs Super Moderator

    May 28, 2008
    Reread the tutorial; you won't find a clientless technique as the handshake is conducted between the client and the AP.
    You won't get very far without a client.
  10. Unregistered

    Unregistered Guest

    capturing the handshake

    I'm very new at this, and I don't actually have any of this stuff running... but once a client authenticates, how do you capture the handshake into the .dump file? Or does it do it automatically?
  11. Unregistered

    Unregistered Guest

    new at this need help

    Can anyone recommend what kind of wireless card to get for my laptop that runs BackTrack or the Auditor Security Collection? Email me at [email protected]
  12. sin4me

    sin4me New Around Here

    Feb 12, 2009
    The list of supported devices for BackTrack is located here.

    I'm currently using a Hawking HWUG1 which uses the RT73 chipset - it works right out of the box with BackTrack 3 Final. So far, I've only set up my test AP with WEP to get familiar with the aircrack-ng suite; however, I was able to crack the password I created in less than 1 min. WPA will obviously take longer, but at least I know all the tools support my adapter without having to install updated drivers or patches.

    This is another great article - very concise & easy to follow. Thanks again SNB!
  13. worto03

    worto03 New Around Here

    Apr 8, 2009
    Good article. If I'm getting no clients showing up at all when I know there is one connected, what's the likely cause?

    I have picked up all of the network info like the channel & encryption type etc. but clients always reads 0

    I get the below info back from an iwconfig of my network card, & if I'm getting as far as seeing the packet count going up and getting the channel info, does that mean my card is working OK & is supported?

    Thanks for any help,

    edit - I have the Intel(R) PRO/Wireless 3945ABG Network card which doesn't seem to be in the above list - do I need to look at getting another network card?
    Last edited: Apr 8, 2009
  14. spankky

    spankky New Around Here

    May 11, 2009
    wpa hacking

    Hello everyone. I am a newbie at this; thought I'd never say it lol. Anyway, I put in a random password to my next door friend's WPA network and got limited connection. It gave me the physical address and IP and subnet but I couldn't get it to give me an IP. So anyway, if the user has access to 1 IP can more than one connect to it? Damn, wish there was a program you just click and it hooks ya up lol. Well, any info I will appreciate.
  15. dakykilla

    dakykilla New Around Here

    Feb 17, 2010
    Online WPA Password Cracker Available

    After you capture a WPA/WPA2 handshake you can use the Question Defense Online WPA Password Cracker to run a dictionary attack against the capture. There is a fairly high success rate in cracking WPA/WPA2 passwords since most people use short passwords only reaching 8 characters in length as required by WPA.

    If you are unfamiliar with how to capture WPA handshakes there are directions to do so here.
  16. Unregistered

    Unregistered Guest

    You can test your injection capabilities by using the aireplay-ng -9 option, which sends packets and waits for ACKs back. 100% is what should be strived for.
  17. hceuterpe

    hceuterpe Occasional Visitor

    Aug 9, 2010
    There's no sure-fire bet that WPA/WPA2 can be cracked like this. It's only if the user who set up the target WiFi AP was stupid and set a very weak password. This is opposed to WEP, which is crackable regardless of the complexity of the key.

    This is why I fire:
    head -c 32 /dev/random | sha256sum -b

    in a linux console window, for my WPA2 keys.
    Last edited: Apr 25, 2011
  18. techieguy

    techieguy Guest

    Cracking WPA/WPA2 is Just DRAMA,

    Cracking WPA is Just DRAMA . . Part 1

    Cracking WPA/WPA2 is highly IMPOSSIBLE.

    Let me explain: cracking WPA means just capturing encrypted information and applying a dictionary/wordlist. But the key must be a minimum of 8 and up to 63 digits in length, so the number of possible combinations for an 8-digit-length password is 218,340,105,584,896. Is it possible to check all these words??

    Cracking WPA is just a kind of DRAMA - part 2

    In SOME VIDEOS, people are cracking within 1 min. How is it POSSIBLE?

    Simple: they write the actual PASSWORD in the dictionary file (and the file contains very few words) and apply this word list..

    That's how they show 'WE CRACKED WPA/WPA2 WITHIN 60 SECONDS'.

    This is one kind of CH*ATING..

    BIG D R A M A, Cracking WPA/WPA2 - part 3

    Suppose your computer checks 500 keys/second,

    then it will take 218,340,105,584,896/500/60/60 = ??

    It will take YEARS to crack the password.. So it's better NOT to try..

    NB: I am NOT abusing anyone, just telling the FACT.


  19. Unregistered

    Unregistered Guest

    "Cracking WPA/WPA2 is Just DRAMA," urmm noo

    techieguy, your post is complete and utter bullsh*t..

    1. Yes, there are (26+26+10)^8 theoretical combinations for a WPA/2 passphrase; however, the owner of the AP may not have been smart enough to change his passphrase to something like Iiss1337, which contains numbers, lower_alpha and upper_alpha and indeed something longer than 6 chars. It is far more likely, due to human tendencies, to choose a password someone can remember, e.g. a word with only letters in, which we can cover with a dictionary file!

    If the dictionary attack fails we have to resort to brute force.

    Then if someone has bought a router from a specific ISP, e.g. Sky (I'm from the UK), then the passphrase is guaranteed (if it hasn't been changed) to contain only upper_alpha characters. I am not sure about other ISPs but I think this is true for Sky routers/APs. So the possible combinations are "only" 26^8 (in this specific example).

    2. It's always good when cracking to use a dictionary file first.... cheaper in terms of electricity and computational power... plus I would be kicking myself if I found out that the AP's passphrase was "password" (in any dictionary file) after waiting hours doing a brute force.

    3. 500 k/s is very slow... I can usually achieve around 1000 k/s using my 4 GB RAM and 2 GHz processor speed. p/s will get bigger and bigger the more RAM and proc. speed you have.

    It is possible to use this along with GPU cracking if you have a graphics card (Nvidia, Radeon etc.) using a program called pyrit. I've seen people achieve speeds of well over 20,000 p/s, and you can speed this up further by using cowpatty, which uses precomputed hashes of all the passphrases in a list (could be every possible combination) based on a specific AP's BSSID/ESSID. This reduces the time to hours :D

    Also you can pay to have the handshake cracked online (a few hours, ~$20 last time I checked)

    aircrack-ng suite, cowpatty, pyrit, proper penetration-testers and hackers
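Several posts above turn on the same arithmetic: hceuterpe's random key, the 35 versus 100 hashes-per-second question, techieguy's 218,340,105,584,896 combinations at 500 keys/second, and the reply's 62^8 versus 26^8 keyspaces at 1,000 to 20,000 keys/second. The script below is an added example, not code from this thread or from aircrack-ng, pyrit or cowpatty, that carries that arithmetic through. It derives the PMK the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as salt), which is the fixed per-guess cost behind the low rates quoted and the reason precomputed tables are tied to a particular SSID; measures that cost on the local CPU; tabulates years-to-exhaust for the keyspaces and rates the posters mention; and generates a passphrase from the OS CSPRNG. The 20-character default length, the rate list and the benchmark size are assumptions. One caveat on the `head -c 32 /dev/random | sha256sum` recipe: its 64 hex characters exceed the 63-character passphrase limit, although a 64-hex-digit string is the form of a raw 256-bit PSK that many routers accept in place of a passphrase.

```python
"""WPA/WPA2 passphrase strength: generation, keyspace and search-time math,
plus the PBKDF2 step that makes every guess expensive.

Added example for this thread (not the thread's own code). The rates in the
table are the ones posters quoted; the hardware numbers are theirs, not
measurements made by this script.
"""
import hashlib
import math
import secrets
import string
import time

ALPHANUM = string.ascii_letters + string.digits   # 62 symbols
UPPER = string.ascii_uppercase                     # 26 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Known-answer vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def random_passphrase(length=20, alphabet=ALPHANUM):
    """Draw a passphrase from the OS CSPRNG; WPA/WPA2 allows 8 to 63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA/WPA2 passphrases must be 8-63 characters long")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    The 4096 iterations are the fixed cost per guess, and the SSID salt is why
    a precomputed table only covers the SSIDs it was built for.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               4096, 32).hex()


def keyspace(alphabet_size, length):
    """Number of distinct passphrases of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random passphrase."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size, length, keys_per_second):
    """Years needed to try every passphrase in the keyspace at a fixed rate."""
    return keyspace(alphabet_size, length) / keys_per_second / SECONDS_PER_YEAR


def benchmark_pmk_rate(ssid="IEEE", guesses=50):
    """Measure this machine's single-core PBKDF2 rate in derivations/second."""
    start = time.perf_counter()
    for i in range(guesses):
        derive_pmk(f"guess{i:08d}", ssid)       # constructed throwaway inputs
    return guesses / (time.perf_counter() - start)


def search_time_table(rates=(500, 1_000, 11_000, 20_000)):
    """Rows of (alphabet name, keys/s, years) for 8-character passphrases."""
    rows = []
    for name, size in (("upper-only", len(UPPER)), ("alphanumeric", len(ALPHANUM))):
        for rate in rates:
            rows.append((name, rate, years_to_exhaust(size, 8, rate)))
    return rows


if __name__ == "__main__":
    assert derive_pmk("password", "IEEE") == IEEE_VECTOR_PMK
    print("sample passphrase:", random_passphrase())
    print(f"entropy of 8 alphanumeric chars: {entropy_bits(62, 8):.1f} bits")
    print(f"this machine: ~{benchmark_pmk_rate():.0f} PMK derivations/s on one core")
    for name, rate, years in search_time_table():
        print(f"{name:13s} {rate:>6d} keys/s -> {years:12.2f} years")
```

Run stand-alone, the table reproduces the thread's own numbers: roughly 13,800 years for the full alphanumeric keyspace at 500 keys/second, and only months for an upper-case-only 8-character key at 20,000 keys/second, which is the gap between techieguy's and the reply's positions. The lesson for the network owner is that the defence is length and randomness, not the alphabet: a 20-character passphrase from `random_passphrase()` carries about 119 bits of entropy, far beyond any rate on the page.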
  20. Unregistered

    Unregistered Guest

    Try gpuhash.com

    I have just discovered new online WPA cracking service - gpuhash.com
    Amazing true success rate - 20%!
