Hacking WPA / WPA2 Encrypted Networks

Part II of my Network Security How-To Series:
1)  ARP Spoofing from a Mobile Device
2)  Hacking WPA / WPA2 Encrypted Networks (This Tutorial)
3)  Defeating SSL / Encrypted Hijacking

Target of Attack:

- WPA/WPA2-PSK Wireless Networks

Tools Required:

- Any Computer with VMware software installed. (Download Here)
- Backtrack 5 VMware Virtual Machine. (Download Here)
- Compatible Network Adapter.


180 thoughts on “Hacking WPA / WPA2 Encrypted Networks”

  1. So I am in the process of creating a tutorial demonstrating techniques to create your own word list files to be used. Since the brute force is only as good as the word list, it is important to do proper reconnaissance to establish a personality profile of the victim. Of course, since accessing unauthorized systems is illegal, you will have to try it in your own test environment, or with permission. Set up your own “Capture the flag” workshop and try out the attacks with your friends. Hacking is fun!

  2. Hey, I saw that you would be willing to send me your word list. That would be awesome if you can, or maybe send me a link to how to build my own, or both. I would appreciate it, thanks.

  3. Hey man, great tutorial :) It helped me a lot in understanding all the commands.
    And also it would be great if you could send me the file.

  4. Awesome tutorial and video. Your tutorial was very easy to understand for us newbies. I was wondering if you can please send me a word list. Thank you!!

  5. Bryan, would you please send me your word list, and if you can, tell me where to put the word list? I would be very thankful for that.

  6. Hi Bryan, thanks for your tutorial. Please can you show me how I can make my own word list? Or can you send me your word list? And if I receive your word list, please explain to me how to install it in BackTrack 5 R3 64-bit.


  7. Very interesting tutorial and nice writing. I would appreciate if you could send me the wordlist you were using in this tutorial. Thank you very much.

  8. Thanks for all the support everyone! I apologize it took me so long to respond but there is good news. I am in the middle of creating another blog post which provides a step-by-step process to creating a successful word list. It should be up soon so make sure to check back. And yes, if you do not feel like following the tutorial and making your own word-list, there will be an option to download my own!

  9. Okie – 1st post, so 1st off – awesome blog, Chief – I’ve picked up a ton of useful stuff in a couple of days for free. I gave your WPA2 hack tutorial a run-through on an old router from one of my previous ISPs with your “h4mm3r” wordlist and let it run to the end. This might seem obvious, but I’m “kind of” new at this: it occurred to me as the “current passphrase” ran past the 1st few characters of my router’s WPA key that it wasn’t going to turn anything up – indeed, I went away, cooked and ate dinner, came back and it had finished its run of 10M+ passphrases without turning anything up:

    Am I right in saying that this method will not deal effectively (if at all) with routers set to their manufacturer’s default and usually “randomized” hex passphrases? If this is the case, is there an alternate method, and could you give some pointers to the alternate method (excepting the “Reaver” WPS hack, which I’m trying now)?

    • Thanks @snowgoose for the kind words! Glad I was able to help bring this type of stuff into perspective. Sorry to hear that you didn’t uncover any hashes. This type of attack can be very frustrating due to the time it takes to complete, and the inconsistent results. When dealing with a router that is set up with a hex passphrase, you might as well give up and try a different method. Word lists are only good for personally configured passwords; the only way you can hack a router configured with a hex type password is going to be brute forcing every single possible combination of letters and numbers, both upper and lowercase. You would need some type of supercomputer to run that attack, or else it could take years to finish going through all possible combinations. Crunch is great at creating word lists based on your selected criteria. Try looking into running brute force attacks with your GPU; if you have a good enough video card it could help a lot. Stay tuned, I have a newer tutorial (project) I am starting called Project Wardrive, gonna be sick! ^-^

  10. Hi dude, my wordlist file is located on my D drive, so how can I link that wordlist in the BackTrack command? What will be the full path I need to specify? My file name is actually WPA_wordlist without any extension. Please help, man.

  11. OK, so I tried it once and everything went great, I just needed a word list. Now that I have one I’m trying it, but instead of getting wlan0 I get eth0. I used to get wlan0, now I don’t.
    Can you please help me with that?

  12. theblogofbryan, thanks for this tutorial, this will help a lot. But could you send me your email? I need more details about the process of HOW TO TAKE THE MAC ADDRESS from the AP and STAs, not by command line, but what happens behind the scenes…

  13. So I would take it that using a WPA2-AES key of 63 characters of all keyable characters on a keyboard (10^127 combinations), which has been generated by four random number generators, using MAC IDs, using static IPs, and limiting the number of connections to the number of active devices which are never off unless they crash, would provide reasonable security against a brute force attack. I can’t see how anything but a back door, physical penetration, extortion or bribery can get through that.

    Please be so kind as to educate me if I am wrong.

    • lol @ bribery Groaker, I think that you would be sufficiently protected against a brute force attack with that complex of an encryption key. Some people I know even write their own ciphers for their passwords and then use their encrypted cipher-text as the password. That way you can take a relatively easy to remember word, run it through your cipher, then it becomes a highly complex string you can use as a password. I am taking an applied cryptography class right now so expect to get some cool posts about that type of stuff soon.

    • Glad I could help. I am still more of a “blue team” infosec guy, and just starting to enter into the “red team” side of things. I hope to be creating many more tutorials on pen-testing type topics.

  14. Hi Bryan,
    I saw “Interface chipset driver”,
    no wlan0,
    no adapter details. What can I do? I already installed the Belkin wireless adapter correctly, but I can’t continue with my BackTrack. Please show me again, thanks.

    • Try this. Unplug your wireless adapter, reboot your VM, wait for it to boot up and then, once ready, plug the wireless adapter back in. A message should prompt you asking if you want to connect it to the Virtual Machine, and you should hit yes. Otherwise you need to make sure it’s enabled in the VMware settings.

  15. Hello Bryan,

    I followed your tutorial step by step. I’m in the middle of the decryption process of the password and it is progressing. Your procedure has served me well.

    I found several containers of passwords on the network before I needed to build one on my own.

    I will communicate any new developments. Thank you very much for everything.

  16. Hello Bryan,

    I have a question. During the process of obtaining the key, is it necessary to leave the data capture process running in the background until it reaches a prudent quantity of data packets? What amount of data packets would be prudent or sufficient?

    airodump-ng --bssid -c 4 -w hackwpa mon0

    Thanks again

  17. Hi. I am having a problem with the handshake. I can’t capture the handshake. Can you please tell me where I am going wrong or what I should do to capture the handshake?

  18. Hi Bryan,
    when I run this command “airodump-ng mon0”, after 20 min of waiting there is still no available wireless information. Any reason? Thanks

  19. I need this word list please, and can you please tell me where I should put this wordlist, because I am getting an error when I use my password list, which is in the /pentest/wireless/aircrack-ng/test directory.
    The error is below when I put in this command => aircrack-ng -w cd /pentest/wireless/aircrack-ng/test/password.lst -b 00:0E:F4:D0:A3:64 hackwpa*.cap

    I get this error =>
    fopen(dictionary) failed: No such file or directory
    fopen(dictionary) failed: No such file or directory
    Opening /pentest/wireless/aircrack-ng/test/password.lst
    Unsupported file format (not a pcap or IVs file).

    Please help me.

  20. Hello man, thanks a lot, but I am using my internal wireless card (Intel 1000 BGN), and in the second step, when I type (ifconfig wlan0 down) it gives me this message:
    wlan0 : ERROR while getting interface flags : no such media.
    I am using VMware 8.0
    BackTrack 5 R3 x32

    So what do I have to do? Should I use an Alfa adapter? Or can I find some driver for my internal wireless card?
    Please help me.

  21. Hello there. I found your blog using MSN. This is an extremely well
    written article. I will be sure to bookmark it and return to read more of your useful information.

    Thanks for the post. I’ll certainly come back.

  22. Dear, I really like it. Please send the wordlist.lst file; I have been trying to find it for such a long time but still failed.
    Now you are the only one who can help me, please send me this file any way you can.
    Thank you so much.

  23. aireplay-ng -0 30 -a 1C:C6:3C:CA:3D:94 mon0
    16:41:59 Waiting for beacon frame (BSSID: 1C:C6:3C:CA:3D:94) on channel 10
    16:42:09 No such BSSID available.
    Please specify an ESSID (-e).

  24. Hello Bryan, I have been looking for information on how to break WPA/WPA2 keys. Your video explained it very well, thank you for taking the time to do so. As you commented, I am now using Oracle VM VirtualBox (do I need to have the VMware virtual machine?). Do you think your wordlist (which I am thinking of buying) would work for keys in Latin America (Peru)? I hope to be able to review it carefully soon.

    Current tools:
    1) RTL8187L Taiwan chipset – Beini, BT10 suitable – 2100mW – USB 802.11 b/g adapter.
    2) Oracle VM VirtualBox
    3) Internet dictionary.

    Would it be good to change to another adapter?
    Did you change from Oracle to VMware?

    I hope to hear from you by letter soon, which would facilitate my purchase of your wordlist.

  25. Hi Bryan, I’m a noob… I’m very interested in becoming a hacker like you.

    Where can I find the word list?

  26. Hi Bryan. I actually watched the video more than once to get things right. Your video did a great job and the blog is great in detail. I have two questions regarding the installation part.
    1. How much space is required for both BackTrack and VMware Player on a USB drive for installation purposes? (Because I have an 8GB Kingston DataTraveler G3, will it do?)
    2. Do I install BackTrack in the VMware environment or separately within the same USB drive?
    Keep doing the good work :)

    • Hi Bryan. I tried doing everything step by step, but it still does not display the interface when I type the command airmon-ng.
      The ifconfig and iwconfig commands don’t recognize my wifi network adapter, and where your video shows wlan0, my display shows me eth0, but eth0 does work with the commands.
      When I tried looking at the configuration in VMware Player, only my webcam is shown, but not the Realtek PCI.
      What should I do now???

  27. Hi!
    I’ve tried to generate the wordlist file using the crunch wordlist generator. The problem is the file would be too big, and it is unable to create it. To create the file you have to define the length of the combinations and each character. If you use almost all of the characters, the file size would be: 7136597 TB (terabytes(!!!))
    Pre-calculation here (Linux Mint 13):

    andrew@newboy ~/Desktop/crunch-3.4 $ ./crunch 10 10 1234567890ABCDEFGHIJKLMNOPQRSTUVWXZabcdefghijklmnopqrstuvwxzy Desktop > test8.txt
    Crunch will now generate the following amount of data: 7846772028291708611 bytes
    7483264950076 MB
    7307875927 GB
    7136597 TB
    6969 PB
    Crunch will now generate the following number of lines: 713342911662882601

    As you can see, it is impossible with today’s technology. You cannot generate (or even search in) a file like this would be.
    Most APs (wireless routers) are pre-configured by the ISP (internet service provider). The minimum length of the password on WPA2-PSK is 8 characters, and most routers come with 10 characters.

    The only chance to hack it is when the user defined an easy password. In this case you can use a main password cracking dictionary.
    Search for this: CrackStation’s Password Cracking Dictionary
    Size: GZIP-compressed (level 9). 4.2 GiB compressed. 15 GiB uncompressed.
    Or another file:

    GZIP-compressed. 247 MiB compressed. 684 MiB uncompressed.

    Good luck.

  28. Hi, nice guide. Can I have a big big big wordlist.lst? I searched on Google but no download is available. Where can I find one? TNX

  29. Today I downloaded BackTrack 5 R3 and tried to hack a WPA. I used the Gerix WiFi cracker, and the wordlist.lst I got is darkc0de.lst. I used this, it was just 17 MB. At the last stage, during recovering the password, it stated that the password was not found in your word list. Please help me.

  30. Hi Bryan, thanks for the tutorial with narration rather than instructions in a text editor, where you stress your point by highlighting and strafing a line with the cursor :P

    Quick question, if I may: is there an optimum number of deauth packets? In order to get a 4-way handshake, might it be more effective to target a specific client’s MAC, send one or two deauth attacks, wait a moment, then repeat? Or is there already a slight delay built into the process that negates the need to do this ourselves? Peace

  31. May I have your wordlist please! I have tried so many and they never ever successfully make the crack. It’s no fun if you just toss the passphrase in there… I don’t get it.

  32. Dude, you have errors in your description..

    1. macchanger -m 00:11:22:33:44:55 is missing the interface name; I needed to specify wlan0 to change the MAC address
    2. iwconfig wlan0 up should be: ifconfig wlan0 up

  33. Upon entering ifconfig it’s showing eth0, and as I am trying to get it into monitor mode it’s giving me the error FOUND ONE PROCESS THAT COULD CAUSE TROUBLE
    IF airodump-ng, aireplay-ng or airtun-ng STOPS WORKING AFTER SOME TIME YOU MAY WANT TO KILL (SOME OF) THEM!
    What to do now? Is it my laptop’s compatibility issue or something else?

  34. Hi Bryan,

    How do I do this thing (USB device with BackTrack + VMware Player)? It sounds interesting. Can you please help me with this? Please forward it if you have any link for it.


  35. Awesome tutorial, could I request your wordlist? Can you show me how to create my own with crunch? Thank you in advance for your time.

  36. I need help. Everything is fine until macchanger. When I wrote macchanger and the new MAC address, it wrote “unknown command”. Why is that? Please help me.

  37. Guys, any help please.. I just typed in ifconfig, and lo and eth1 show up at the upper left corner, on the same side as your wlan0, but the thing is I can’t change the MAC of either of them and I think it’s weird.. How would I know whether my WLAN card is supported or not?

    • Check if your wireless adapter is connected to your VM Player > Player > Removable Devices > and check if the adapter is connected. If it’s connected, the wlan0 interface should show up now, mate :)

  38. I followed all the steps, mate. I am now stuck because there are no clients connected to the wi-fi. Does it mean it’s impossible to crack WPA if there are no hosts connected to give me a handshake??? :-( This is where I am stuck: airodump-ng --bssid 00:23:69:98:AC:05 -c 4 -w hackwpa mon0

  39. Hi Bryan… I already bought your wordlist… it takes a hell of a lot of time matching passphrases… as my password was only my phone number… it took 32 hours… and still couldn’t find it out… what could be wrong????

  40. I really like this tutorial and tried using your video. Really nice!
    I have one question, please answer it.
    If the access point has a password like this, how long does it take??? Approximately?
    Like these 10 characters: DEXYAL82MS
    Around how long does it take?

    • An uncommon passphrase like the one you mentioned would not be found in most word lists. A 10-char password containing only numbers and upper-case letters could be broken fairly easily through a true brute-force attack with distributed processing. Hope that helps

      • Thank you so much for the quick reply.
        The tutorial shown below is brute-force, right??
        I can get a password if I follow your tutorial below, right?


    I would really appreciate it if you could send me any link to a brute-force tutorial
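
As an added example (not code from the original post or its comments), the following Python script reproduces the line and byte counts crunch printed in comment 27 and applies the same arithmetic to the 10-character upper-case/digit passphrase asked about in comment 40 and the 63-character key from comment 13; the guesses-per-second rate is an assumed placeholder, not a figure from the page.

```python
"""WPA2-PSK brute-force keyspace and time-to-exhaust estimator.

Added example, not code from the original post. Page-derived inputs: the
crunch charset/length from comment 27 and the 10-character upper-case/digit
and 63-character cases from comments 40 and 13. The guess rate is an assumed
placeholder, not a measured figure.
"""
from math import log2
import string

# Charset exactly as typed in the crunch command quoted in comment 27
# (it omits upper-case Y, so it contains 61 distinct characters).
CRUNCH_CHARSET = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXZabcdefghijklmnopqrstuvwxzy"
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset: str, min_len: int, max_len: int) -> int:
    """Number of candidates of length min_len..max_len inclusive; each
    distinct character in charset counts once."""
    n = len(set(charset))
    return sum(n ** k for k in range(min_len, max_len + 1))


def wordlist_bytes(charset: str, min_len: int, max_len: int) -> int:
    """Bytes in the plain-text file crunch would write: every candidate is
    followed by a newline, so a k-character candidate costs k + 1 bytes."""
    n = len(set(charset))
    return sum(n ** k * (k + 1) for k in range(min_len, max_len + 1))


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case wall-clock years to try every candidate. WPA2-PSK derives
    the PMK with 4096 PBKDF2-HMAC-SHA1 iterations per guess, so real guess
    rates are far below raw hash rates."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def summarize(charset: str, min_len: int, max_len: int, rate: float) -> dict:
    """Candidate count, file size, entropy in bits and years at `rate`."""
    space = keyspace(charset, min_len, max_len)
    return {
        "candidates": space,
        "bytes": wordlist_bytes(charset, min_len, max_len),
        "entropy_bits": round(log2(space), 1),
        "years": years_to_exhaust(space, rate),
    }


if __name__ == "__main__":
    ASSUMED_RATE = 100_000.0  # guesses per second; placeholder, not measured
    cases = {
        "comment 27: crunch charset, length 10": (CRUNCH_CHARSET, 10, 10),
        "comment 40: A-Z and 0-9, length 10": (string.ascii_uppercase + string.digits, 10, 10),
        "comment 13: 95 printable ASCII, length 63": (string.printable[:95], 63, 63),
    }
    for label, (cs, lo, hi) in cases.items():
        s = summarize(cs, lo, hi, ASSUMED_RATE)
        print(f"{label}: {s['candidates']:,} candidates, {s['bytes'] / 2**50:,.0f} PiB, "
              f"{s['entropy_bits']} bits, {s['years']:,.3g} years at {ASSUMED_RATE:,.0f} guesses/s")
```

The crunch case comes out to exactly the 713342911662882601 lines and 7846772028291708611 bytes shown in comment 27, which is the arithmetic behind the “impossible with today’s technology” conclusion.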

  42. These guides contain the same information
    you can find for free via an Internet search.
    It is just because almost all communities are taking interest in the new
    Apple iPhone. The devil in Farmville strategy
    land is someone who will support you cheating while in the online game.

  43. Thanks for the tutorial, very clearly explained……but the key to the whole process is the wordlist……..could I have it please?
    Thanks, and keep up the good work

  44. Nice tutorial
    Can you tell me how to create brute force code?
    Email me if you want to share your wonderful knowledge with me…
    Once again, it is a great tutorial

  45. I don’t usually comment on things but just wanted to say thank you Bryan for this fantastic, easy to read tutorial and video. I ordered your V2 wordlist yesterday, look forward to trying it out when I get it and reading more from you in the future.

  46. Hi Bryan, I want to ask you one question. I can’t hear you in the video when you say the password for logging on to BackTrack. Can you tell me what you say when you type root and then the password? I can’t understand you. Thanks

  47. Bryan, nice job on the step-by-step video. I am having one problem: I can do the ifconfig wlan0 down and change the MAC address, but when I go ifconfig wlan0 up it won’t let that step happen. Is there a fix?


  48. Hi, please help me!! What’s my problem?
    root@bt:~# aireplay-ng -0 30 -a 1C:AF:F7:B0:29:85 mon0
    16:54:18 Waiting for beacon frame (BSSID: 1C:AF:F7:B0:29:85) on channel 1
    16:54:24 mon0 is on channel 1, but the AP uses channel 6

  49. When I go to the final step I get “no such file or directory” and it quits aircrack. Now I have my own wordlist.1st, but it still gets the same response. How do I set up the wordlist so I can use aircrack? Where do I need to put the .1st file? Please help…. Thanks

  50. aireplay-ng -0 30 -a 1C:C6:3C:CA:35:89 mon0
    16:41:59 Waiting for beacon frame (BSSID: 1C:C6:3C:CA:3D:94) on channel 1
    16:42:09 No such BSSID available.
    Please specify an ESSID (-e).
    and it also says Fixed ch -1 while the actual channel is 6.
    Please help to solve this. Thanks

  51. Hi Bryan,
    I came across lots of videos on YouTube showing how to crack the Wifi WPA protocol only. How about WPA2 with WPS enabled?
    Can you check on that please

  52. I got a wifi network near my house and I’ve been trying to hack it using your video tutorial. But my problem is that there are no clients connected to that wifi; only a PC is connected with a direct ethernet cable. Therefore I could not obtain a handshake. Can you provide me any solution for this? Please help…

    *****No client connected: How to obtain a handshake??*****
