How to Crack WPA2 WiFi Networks using the Raspberry Pi
Cracking WPA and WPA 2 networks is still very difficult and solely dependent on using a brute force attack with a good dictonary. Depending on the word-list that you use will improve the success rate of cracking WPA2 WiFi networks. In this tutorial I will be showing you how to grab the 4-Way handshake from a WPA2 WiFi network and how to do an offline brute-force cracking attempt at find the password for the WiFi network. The Raspberry Pi 3 can check around 500 keys per second which is not really fast when you have a word-list with over 10 millions passwords to check.
The Raspberry Pi 3 can check around 1.8 million passwords an hour which again it doesn’t gurantee that it will be able to find the correct password for a WPA2 WiFi network. The best use of the Raspberry Pi in hacking WiFi networks is that you can use it to collect a 4-Way handshake and then transfer the handshake for cracking to a more powerful computer. The reason the Raspberry Pi is good for a scenrio like this is because of its mobility. You can easilly attach a battery to your Pi and put it in a backback and walk around collecting handshakes to crack.
Today’s tutorial will show you how to capture a 4-Way Handshake and then use our Raspberry Pi 3 to crack the password. We will be using the aircrack-ng suite to collect the handshake and then to crack the password. You will need a good word-list for cracking. There are many word-lists out there. One of the biggest word-lists I have seen is the CrackStation Wordlist which has over 1.5 Billion passwords that have been put together from many data breaches like Linked In and MySpace. Let’s get started.
To capture a 4-Way Handshake from a WPA2 WiFi network and crack the password using a brute-force method
You will need the following:
- Raspberry Pi
- 8GB Micro SD Card (You can use a bigger SD Card to store more videos on your server)
- 2.5A Power Supply
- A WiFi Adapter capable of going into Monitor Mode (You can find a list of my favorite WiFi adapters here)
I will be running a freshly installed version of Raspbian Jessie on my Raspberry Pi. You can use Rasbian Jessie Lite on your Raspberry Pi since we will just needing the terminal and I will be using SSH to run all my commands. Go ahead and connect to your Raspberry Pi and lets begin by installing the aircrack-ng suite on our Raspberry Pi. Run the following command to install the dependencies for the aircrack-ng suite:
sudo apt-get -y install libssl-dev libnl-3-dev libnl-genl-3-dev ethtool
Now that we have the libraries downloaded and installed, run the following commands to download the latest version of aircrack-ng and then we’ll unzip it and install it. You may want to check out the aircrack-ng download page here and verify the url of the latest linux version. I tested this tutorial with aircrack-ng 1.2-RC4.
tar -zxvf aircrack-ng-1.2-rc4.tar.gz
sudo make install
After we have built aircrack-ng from the source and installed it we will need to update the IEEE OUI file. The OUI is most often used to create IEEE 802-defined MAC addresses and we need it to run aircrack-ng
Now that we have aircrack-ng installed we can begin searching for targets. I will be hacking my own WiFi network today for demonstation purposes. Lets begin by putting our WiFi adapter into monitor mode. You will need a USB WiFi adapte to put into monitor mode for this to work. The onboard WiFi adapter that is on the Raspberry Pi 3 will not work. I use the Alfa AWUS036H in this tutorial.
You can view all your WiFi adapters with the ‘iwconfig‘ command. Your USB adapter will most likely be ‘wlan1‘. Let’s put our WiFi adapter into monitor mode with the following command, be sure to replace wlan1 with your interface:
sudo airmon-ng start wlan1
This will put our WiFi adapter in monitor mode and it will create a new interface for us to use, in my case the new interface is wlan1mon. Now let’s see what WiFi connections are around us by running the following command:
sudo airodump-ng wlan1mon
You can see my network name is ‘dayz’ and you can see that my network is running on Channel ‘3‘ and the BSSID is ‘DC:EF:09:C6:BD:BD‘. Be sure to write down the BSSID and the Channel since we will need this for the next step.
The next step is when we will try to capture the handshake so that we can use it to crack the WiFi password. The way we will capture the handshake is we will sit and monitor all the data that is being passed with the WiFi network and we will look for when a new device connects or reconnects with the network. We can run ‘deauth‘ commands to speed things up by booting devices off the network and having them reestablish with the network to capture the handshake.
Let’s start by monitoring all the data for the network we are trying to capture the handshake. We will be using airodump-ng to write all the data to a file. We will need the channel number and the BSSID. Edit the command below to fit your needs, the ‘write‘ argument will be the filename we are using to save to, I like to use the SSID. Replace the BSSID with your BSSID. The -c argument is the channel and -write argument is your filename to save to.
sudo airodump-ng --bssid XX:XX:XX:XX:XX -c X --write dayz wlan1mon
You should get a similar screen like above and it will be monitoring all the data on the network. Next to speed things up lets run some ‘deauth’ commands to capture a handshake. Open a new terminal window or a new SSH connection and type the following command. We will need the BSSID this time. The -a argument is the BSSID and the 10 next to -deauth is the number of deauth commands to send to the network.
sudo aireplay-ng --deauth 10 -a XX:XX:XX:XX:XX wlan1mon
You should see the deauth command being sent. After the command finishes go back to your other window that is monitoring the data and look to see if you have captured a handshake. You should see a ‘WPA Handshake‘ appear in the top right corner. Look at the image below for the handshake being captured.
Once you have captured you can hit CTRL+C to stop capturing data. You can also close the other SSH connection or terminal that you performed the deauth commands since we will not need it anymore.
We are now ready to attempt to crack the WPA password. Remember all your success lies in the word-list that you use. The Raspberry Pi 3 is pretty slow so I would not suggest running a huge word-list on the Raspberry Pi but you can use a small word-list that has common passwords fairly quickly.
All you will need is the filename that you used above, in my case it was called ‘dayz’. You can use the ‘ls’ command to find the files that were written. The handshake will be stored in ‘dayz-01.cap’. Run the following command to begin cracking the WPA WiFi network using the word-list you have. This can be run offline so you do not need to be next to the WiFi network to crack it.
sudo aircrack-ng dayz-01.cap -w ./yourwordlist.txt
That’s basically it once you run that command aircrack-ng will begin checking all the passwords in your word-list trying to see if any of them match the hash from the 4-Way Handshake. The Raspberry Pi can check around 250-500 keys per second which is fairly slow. As you can see in my example it will take over an hour to check against 1.25 Million passwords, which is a small word-list to being with.
NOTE: You can use an online hash cracking service like cr4ck.me which you can upload your captured handshake and they will attempt to crack the password. It will work A LOT faster then using your Raspberry Pi as well as faster then using your own computer.