WPA network testing with dictionaries and crunch

In this tutorial I will show you how to test the strength of your WPA network password. This tutorial is for testing purposes only ;). I will show you two methods one using a dictionary attack and two using crunch to generate password combinations to test as a password, this method is helpful for manufacturer/ISP set passwords. I will be using the Gerix WIFI Cracker as others may find it easier than using the terminal.

Tools Needed:

BT5R3
Crunch

Capturing Data Packets

1.
To start open Gerix WIFI Cracker, It is located here:
Applications –> BackTrack –> Exploitation Tools –> Wireless Exploitation –> WLAN Exploitation –> gerix-wifi-cracker-ng

2.
Once open click Configuration
Click Clean old session files to clear any old logs.
Select the wireless device (default wlan0) and click Enable/Disable Monitor Mode to put your wireless device into monitoring mode.
Click Set random MAC address and then select the monitoring device (default mon0) followed by Rescan networks, this should then show you the list of wireless networks around you. If the network you want to crack has a WEP encryption then see here (keepers TUT). What we are looking for is WPA, If the network you want to test is WPA then select it from the list.

3.
Now click the WPA tab, followed by Start Sniffing and Logging. This will now listen to the network and capture packets that are being sent. To have a decent chance at cracking the network it is recommended to have at least 5000 packets of data from one client.

4.
Once you have around this number of packets from one device click WPA attacks followed by Autoload victim clients.
This should load the victims MAC addresses of their devices. Click the MAC address for the client that you have the packets for (MAC address is the STATION ID).
Now click Client deauthentication to try and capture the HandShake. This will open aireplay-ng which will send disassociate packets to the client which in turn will force the client to re-authenticate.

CRACKING

Now to attempt to crack the password, this can be done using a dictionary attack, Rainbow dictionary attack (not shown in this tutorial) or even with programs such as Crunch.

Does the network youre testing have a user set WIFI password or a manufacturer/ISP set password?
User set password = follow step A
Manufacturer/ISP set password = follow step B

A.
If it is a user set WIFI password then we can use a dictionary attack.
For a dictionary attack click the tab Cracking in the Gerix wifi cracker.
Then click WPA brutforce cracking.
Now enter the path to the dictionary or use the one that comes with BT5 located here:
/pentest/passwords/wordlists/darkc0de.lst
and click Aircrack-ng - Crack WPA password.
This will launch Aircrack-ng to try and match the dictionary passwords with the networks. Should it not start to crack the password and instead say Quiting aircrack-ng… then make sure you have a proper HandShake with the victim client or the correct path to your dictionary. Hopefully you will have the networks password in your dictionary and it will get cracked if it fails to find a password then try other dictionaries.

B.
If the WIFI password is one set by the manufacturer or ISP then we could use Crunch. For example a few years ago SKY Netgear routers were supplied with a default WIFI password which consisted of capital letters only and was always 8 letters in length. Most users did not change their default WIFI passwords so it was be possible to generate every combination with Crunch and test them against the network. This method can be applied to other manufacturer or ISP routers. This method is highly likely to take a very long time to complete so it is not always even worth trying, But for the fun of it I’ll show you anyway :D I will use the SKY router scenario as an example.
Firstly download and install crunch. Download from Sourceforge) and save to root.
Extract Crunch using the terminal
tar -xvzf crunch-3.4.tgz
Now make and install crunch
cd crunch-3.4.tgz make && make install cd ..
Now starting from step 4 of this tutorial when you have the packets and Handshake we need to enter the commands for crunch in the terminal,
Crunch ussage: Usage: crunch <min> <max> [options] where min and max are numbers
In this example I am using the SKY scenario described above so we want 8 letters in length and only capital letters so the command would be
/crunch-3.4/./crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ
We dont want to press enter just yet as this will only generate the combinations and not test the combinations against the networks password, to do this we must pass the output through aircrack-ng. Aircrack requires the networks BSSID and dump location.
aircrack-ng -b NetworkBSSID -w - SniffDumpLocation
Once we have this add it to the terminal using the pipe character like this.
/crunch-3.4/./crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ | aircrack-ng -b 7C:4C:A5:01:7D:25 -w - /root/.gerix-wifi-cracker/sniff_dump-01.cap

Crunch will now start generating the combinations, for this scenario the total amount of combinations is shown below (remember me saying it will take a very long time to complete ;) )

You should see aircrack-ng trying the different combinations.

Now you just wait until it finds it (That is if the password is 8 capital letters long). See you in a few days/weeks depending on the speed of your computer :D

I hope this helps you to test the strength of your network password and or find it informative :)