    Creating a Wordlist

    Now that we’ve captured the handshake, all we need to do is create a wordlist to crack the WPA key. A wordlist is just a list of words that aircrack-ng goes through, trying each one against the handshake until it determines the WPA key. The better the wordlist, the higher the chance of cracking the WPA key. If the password is not in our wordlist file, we will not be able to determine the WPA key.

    To create the wordlist, we’re going to use a tool called crunch. The syntax is as follows:

    crunch [min] [max] [characters] -o [FileName]
    or
    crunch [min] [max] [characters] -t [pattern] -o [FileName]
    where
    • crunch is the name of the tool.
    • [min] specifies the minimum number of characters for the passwords to be generated.
    • [max] specifies the maximum number of characters for the passwords.
    • [characters] specifies the characters that we want to use in the passwords. For example, you can put all lowercase characters, all uppercase characters, numbers, and symbols.
    • -t is optional. It specifies a pattern.
    • -o specifies the filename where the passwords are going to be stored.

    If we know part of the password, the -t option is very useful. For example, if we’re trying to guess someone’s password and we have seen them typing it, we may know that the password starts with a and ends with b. Now we can use the pattern option and tell crunch to create passwords that always start with a and end with b, and to put all possible combinations of the characters that we gave in the command in between.

    We’re going to use crunch with a minimum of 6 and a maximum of 8. We’re going to use the characters 12ab and store the result in test.txt. Crunch is going to create every combination of 12ab that is between 6 and 8 characters long, and it’s going to store all of the combinations in a file called test.txt. The command will be as follows:

    The following output will be shown after executing the above command:

    Using the cat test.txt command, we can see all of the passwords that are stored in the file test.txt. The following screenshot shows all the passwords:

    Now let’s take a look at the pattern option. We will run crunch with a minimum of 5 and a maximum of 5, so every password will be five characters long. Then we will give the characters, which are abc12, and add the -t option, which is the pattern option, with the pattern a@@@b. This means the password starts with an a and ends with a b, and we will get every possible combination of the characters in between. Then we specify the output file with -o; let’s call it sample.txt. The command will be as follows:

    OUTPUT

    It creates 125 passwords. Now let’s take a look at them. In the following screenshot, we can see that they always start with an a and always end with a b.

    We can use crunch to create the wordlist. In the next section, we’re going to use the handshake file and the wordlist to determine the actual WPA key.

    Wordlist cracking

    To crack WPA or WPA2, we first need to capture the handshake from the target AP, and second we need a wordlist containing the passwords that we are going to try. Now we’ve captured the handshake and we have a wordlist ready to use, so we can use aircrack-ng to crack the key for the target AP. aircrack-ng goes through the wordlist file, combines each password with the name of the target AP, and creates a Pairwise Master Key (PMK). The PMK is created with an algorithm called PBKDF2; it is not a simple concatenation of the password and the AP name, but a key derived from both in a specific way. aircrack-ng then checks the PMK against the handshake. If the PMK is valid, the password that was used to create it is the password for the target AP. If the PMK is not valid, aircrack-ng tries the next password.

    We will run aircrack-ng with the file name that contains the handshake, wep_handshake-01.cap, followed by -w and the name of the wordlist, text.txt. The command is as follows:

    Now press Enter, and aircrack-ng will go through the list of passwords. It tries each one, combining it with the name of the target AP to create a PMK and comparing that PMK against the handshake. If the PMK is valid, the password that was used to create it is the password for the target AP. If the PMK is not valid, it just moves on to the next password.
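    The following Python is an added example, not code from this tutorial, crunch, or aircrack-ng. It reproduces, in simplified form, the two pieces described above: the crunch-style enumeration (plain min/max over a character set, and the -t pattern where each @ is filled from the character set, giving the 125 words of a@@@b over abc12) and the PBKDF2-HMAC-SHA1 derivation of the PMK from passphrase and SSID that the wordlist run repeats for every guess. The SSID lab-ap and the passphrases are constructed values; checking candidate PMKs directly against a known PMK stands in for the handshake check, which aircrack-ng performs via the derived PTK and MIC.

```python
import hashlib
import itertools

# WPA/WPA2-Personal derives the Pairwise Master Key (PMK) from the passphrase
# and the network name (SSID) with PBKDF2-HMAC-SHA1: 4096 iterations, 32 bytes.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK for a passphrase/SSID pair."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def crunch_like(min_len: int, max_len: int, charset: str):
    """Yield every string of min_len..max_len characters over charset,
    the enumeration `crunch [min] [max] [characters]` performs (simplified)."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def pattern_words(pattern: str, charset: str):
    """Expand a crunch -t style pattern: each '@' takes every character of
    charset in turn, fixed characters stay (a@@@b over abc12 -> 125 words)."""
    slots = [i for i, ch in enumerate(pattern) if ch == "@"]
    for combo in itertools.product(charset, repeat=len(slots)):
        chars = list(pattern)
        for pos, ch in zip(slots, combo):
            chars[pos] = ch
        yield "".join(chars)


def wordlist_attack(target_pmk: bytes, ssid: str, candidates):
    """Derive a PMK per candidate and return the first one matching target_pmk,
    or None when the list is exhausted (the password was not in the wordlist).
    Each miss still costs a full PBKDF2 run, which is why a long, random
    passphrase outside any wordlist stays out of reach."""
    for candidate in candidates:
        if derive_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


SSID = "lab-ap"  # constructed lab value, not a real network

if __name__ == "__main__":
    target = derive_pmk("a1c2b", SSID)  # stands in for the captured handshake
    print(wordlist_attack(target, SSID, pattern_words("a@@@b", "abc12")))  # a1c2b
    print(wordlist_attack(target, SSID, crunch_like(4, 4, "12ab")))        # None
```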

    In the following screenshot, we can see that the key was found:

    Copyright 1999- Ducat Creative, All rights reserved.