Hey Everyone! Today, I am going to show you how to crack WPA and WPA2 WiFi passwords using Pyrit in Kali Linux.
I already made a tutorial about cracking WiFi passwords with aircrack, hashcat, PMKID and a WiFi phishing attack; if you are interested, you should watch it.
Before you start, you need a “Wireless Network Adapter” that supports Monitor Mode and Packet Injection. I am using an “External USB Wireless Network Adapter” that supports these. So, enable monitor mode on it.
Now monitor mode has been enabled on this wlan interface. Next, scan the WiFi networks in your local area with the airodump tool. Execute airodump-ng followed by the monitor-mode-enabled wlan interface, then press enter.
Keep this running until it has scanned the available WiFi networks in the area. When you see your victim’s network, press “Ctrl + C” to stop scanning. And remember, whichever WiFi network you pick must have at least one connected device for the de-authentication attack.
If no one is connected to that WiFi, then you should try the PMKID attack. Otherwise, if you want to use this method, you need at least one device connected to that WiFi to capture the handshake file. First, we set the wireless card to capture packets for a specific WiFi network.
So, type --bssid, then copy the MAC address of the victim’s WiFi and paste it after --bssid. Now add -c, then enter the channel that WiFi is working on.
In my case, that WiFi is working on channel 11. Now -w is the option for where you want to save the capture file. Here, I want to save the capture file on the Desktop, and the name of the capture is “capture”. After that, press enter.
Packet capturing will start for that WiFi, and you will find some files created on the Desktop with the given name. So, the capturing process is running, and we need to wait for someone to connect to this WiFi so that we get a handshake. Alternatively, we send de-authentication packets to the WiFi to disconnect a device; when that device reconnects to the WiFi, we get the handshake. We use aireplay for the de-authentication attack: -0 is the option for DeAuth, and 20 is the number of packets to send to disconnect the device.
Then -a, followed by the Access Point or WiFi MAC address, then -c, followed by the MAC address of the client device that you want to disconnect. OK, so now this scan shows my second device. Not a big deal: copy the device MAC address and paste it after -c. Then put the monitor-mode-enabled wlan interface on the command line and press enter. So, I have got the handshake, and aireplay didn’t send all 20 packets.
Remember, if you are far from the WiFi, there are more chances that packets will be lost, so try to be near the WiFi. Now we have the WPA handshake, so you can stop monitor mode, because we don’t need it now.
We have the handshake, and it’s time to crack it. Before I go any further, you need wordlists for brute-force attacks. If you don’t have wordlists, I put some wordlist download commands below; check the pinned comment.
So, I have some wordlists. They contain the most used and potential passwords. If your victim has the worst password, and that password exists in these wordlists, then that password will be cracked. If the password doesn’t exist in these wordlists, the brute-force attack will fail. Even if the victim has a simple and short password, if the password isn’t inside the wordlist, the attack will fail.
This is a demonstration tutorial, and that is my WiFi password. If I search for my password in these wordlists and get output, that means the password is inside the wordlist. And I got nothing. So, these wordlists don’t contain that password.
So, I am going to put my WiFi’s password in one of these wordlists. If you hate wordlists, and your victim is not that smart, you should try a WiFi phishing attack. In a WiFi phishing attack you don’t need any wordlist; you just ask your victim: hey! what’s your WiFi password? If he is an idiot, he will easily tell you the password.
So, now my WiFi password is in this wordlist. I need to do this: if I don’t put that password in the wordlist, then cracking with Pyrit will fail.
Now we need the capture file that contains the WiFi password in the hash. When we capture packets from a WiFi, it captures all packets, like images, audio, video, and any packets for a specific WiFi that are in the air. But we only need the 4-way handshake to crack, not the other packets.
So, I analyze this capture file. OK! This capture file contains more handshakes than I thought. It has 25 handshakes, and all these handshakes are from this station. It doesn’t matter how many handshakes we get, as long as they are all for a specific WiFi; that means the handshakes have the same hash. And there are other packets in this file that we don’t need. So, first, we remove all unnecessary packets from this capture file. We use the “wpaclean” tool for this process. So, type wpaclean, then the output capture file to save the new capture file, and then the input capture file that we captured earlier, then press enter.
Now we have another capture file. Let’s look at it to see whether it is clean or not. As you see, it doesn’t have unnecessary packets; it only has a handshake, which is what we need to crack the password. But we only need the new capture, not all the capture files that we captured. So, I’m gonna delete the old captured files, but whether you keep these files or delete them is up to you.
Now we crack the WiFi password with that handshake file. I think you have already downloaded the wordlists that I provide in the pinned comments. If you did, then dig in. First, type pyrit -r, then enter the captured handshake file path, and after it -i and the wordlist path.
My suggestion: pick the “rockyou” and “darkc0de” wordlists; these are bigger and contain a lot of passwords. And put “attack_passthrough” at the end of the command line; this option is for brute-force attacks on a handshake with the wordlist. The cracking process depends on your PC speed, the wordlist size, and the password’s position in the wordlist.
As you see, the password has been cracked, because I already put this password in the wordlist. If the password does not exist in the wordlist, then this process will fail. So, this is the first method: a little bit slow, but it works. In the next method, we will create a database with the WiFi ESSID and wordlist. The next method is fast, but first we need the ESSID of the WiFi. Get the ESSID of the WiFi from the capture file we have, and copy it. First, we need to create a new ESSID in the Pyrit database.
So, type pyrit -e and enter the ESSID of the WiFi; if the ESSID has a space, put it in quotes. Then type “create_essid” and press enter.
After creating the ESSID, import passwords from your favourite wordlist by executing the command pyrit -i followed by the path of the wordlist you are going to use,
and type “import_passwords”, then press enter. Now execute the “pyrit batch” command to compute the PMKs using the ESSID and passwords. This process will take time if your chosen wordlist has a lot of passwords, like the “rockyou” wordlist. Here it is quick because this wordlist is not big. Now, the final step to crack the password: type “pyrit -r”, then the capture file path, then “attack_db”, and press enter.
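The reason the database method needs an ESSID before “batch” can do anything: WPA/WPA2-Personal derives the PMK with PBKDF2-HMAC-SHA1 using the network name as the salt, so a precomputed PMK table is only valid for one ESSID and must be rebuilt for every other network name. The following is an added example, not code from the tutorial or from Pyrit; it checks the derivation against the IEEE 802.11i test vector and shows that the same passphrase yields unrelated PMKs under different ESSIDs, which is why a non-default network name and a long random passphrase are the defender’s only levers (the 4096-round cost is fixed by the standard).

```python
import hashlib


def wpa2_pmk(passphrase: str, essid: str) -> bytes:
    """Derive the WPA/WPA2-Personal Pairwise Master Key.

    PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes),
    as specified in IEEE 802.11i. The ESSID acts as the salt, which is
    why Pyrit keeps its precomputed PMK database per ESSID.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), essid.encode("utf-8"), 4096, 32
    )


def pmk_reusable_across_networks(passphrase: str, essid_a: str, essid_b: str) -> bool:
    """True only if a PMK computed for essid_a would also unlock essid_b.

    For any two distinct ESSIDs this is False, so a PMK table built for
    one network name gives no shortcut against another.
    """
    return wpa2_pmk(passphrase, essid_a) == wpa2_pmk(passphrase, essid_b)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    # Constructed comparison: same passphrase, two different network names.
    print(pmk_reusable_across_networks("password", "IEEE", "linksys"))
```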
And that WiFi password has been cracked, and cracking with the database is faster than the last method. So, I hope this is helpful.