Brute-force cracking is an exhaustive method: each password in the password dictionary is tried in turn against the handshake packet until one matches.
Note: cracking someone else's WiFi without permission is illegal; this tutorial is for learning and reference only.
Cracking tools
- Kali Linux. In this tutorial the system is installed directly on a physical machine (a virtual machine is used in the same way).
- A wireless network card that supports monitor mode. This tutorial uses a 3070L card purchased from Taobao.
- A dictionary file (if you don't have one, no problem: later I will show how to create a password file with crunch).
Whether the WiFi password can be cracked depends entirely on whether the password dictionary contains that password.
The cracking time depends on the computing speed of the CPU and on the complexity of the WiFi password itself.
Even with a good password dictionary, cracking a sufficiently complex WiFi password can take hours or even days.
Starting the crack
Use the ifconfig command to view the names of the local network cards.
eth0 is the wired network card; wlan0 (built-in) and wlan1 (external USB adapter) are the wireless network cards.
Use the airmon-ng command to check whether the network cards support monitor mode.
All the listed cards support monitor mode.
Use the airmon-ng start wlan1 command to enable monitor mode on the network card.
Which card you use is up to you; here I choose the external card, wlan1.
Use the ifconfig command to check whether monitor mode is enabled.
If the wireless interface wlan0 has become wlan0mon, monitor mode is enabled.
Use the airodump-ng wlan1mon command to scan for nearby WiFi networks.
After scanning you get some information about each network: BSSID is the MAC address of the access point, PWR is the signal strength (the closer the value is to zero, the stronger the signal), and CH is the channel.
Press ctrl+c to pause scanning.
Use the command airodump-ng -c 5 -w /root/cap/er8 --bssid C8:3A:35:8B:EA:40 wlan1mon
to lock onto the WiFi hotspot Tenda_8BEA40 (channel 5) and capture its packets to /root/cap/er8.
In a new terminal, enter the command aireplay-ng -0 5 -a C8:3A:35:8B:EA:40 wlan1mon
-0 is the deauth flood attack, and the number after it is how many times to send it: 0 means unlimited, so -0 5 means 5 rounds. The principle of the attack is to knock the device offline first; the device will then reconnect automatically, and during that automatic reconnection it performs a three-way handshake and sends a TCP packet (which contains the encrypted password data).
Now return to the previous terminal, where you can see the captured TCP packet.
At this point the packet has been captured, and you can open the folder to view it.
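The deauth flood described above is exactly what a wireless IDS watches for on the defender's side. The following added example (my own code, not part of the original tutorial and not aircrack-ng code) parses raw 802.11 management frames and raises an alert when one BSSID emits a burst of deauthentication/disassociation frames; the sample frames, MAC addresses, threshold and time window are all constructed for the demo.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH, DISASSOC = 12, 10          # 802.11 management-frame subtypes (type 0)

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt_frame(raw):
    """Parse a raw 802.11 frame; return a dict for deauth/disassoc frames, else None."""
    if len(raw) < 24:                # 24-byte MAC header: FC, duration, 3 addresses, seq ctrl
        return None
    fc0 = raw[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    reason = struct.unpack_from("<H", raw, 24)[0] if len(raw) >= 26 else None
    return {"subtype": subtype, "dst": _mac(raw[4:10]), "src": _mac(raw[10:16]),
            "bssid": _mac(raw[16:22]), "reason": reason}

def build_deauth(dst, src, bssid, reason=7):
    """Construct a sample deauth frame as bytes (test data only; no radio involved)."""
    hdr = bytes([DEAUTH << 4, 0]) + b"\x00\x00"                  # frame control + duration
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    return hdr + addrs + b"\x00\x00" + struct.pack("<H", reason)  # seq ctrl + reason code

class DeauthFloodDetector:
    """Alert when one BSSID sends >= threshold deauth/disassoc frames within `window` seconds.
    A forged flood spoofs the AP's address, so the frames appear to come from the BSSID itself;
    a legitimate AP deauthenticates clients only occasionally, never in bursts."""
    def __init__(self, threshold=10, window=5.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)     # bssid -> timestamps of recent frames

    def observe(self, ts, raw):
        """Feed one captured frame with its timestamp; return an alert dict or None."""
        f = parse_mgmt_frame(raw)
        if f is None:
            return None
        q = self.seen[f["bssid"]]
        q.append(ts)
        while q and ts - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.threshold:
            return {"bssid": f["bssid"], "count": len(q), "at": ts,
                    "broadcast": f["dst"] == BROADCAST, "reason": f["reason"]}
        return None
```

On a real capture the same detector would be fed frames from a monitor-mode pcap; broadcast destination plus a high rate from a single BSSID is the typical signature of a scripted flood.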
crunch
Open the dictionary generation tool with the following command:
crunch 10 10 012xy >> /root/12345.txt
(10 10 means generate 10-character passwords; 012xy is the character set the passwords are built from, i.e. the characters 0, 1, 2, x and y; /root/12345.txt is the path and name of the file the wordlist is written to.)
Use aircrack-ng -w /root/12345.txt /root/cap/er8-01.cap
(aircrack-ng -w <dictionary path> <handshake packet path>) to crack the WiFi password.
The system is now brute-forcing the password.
Password cracked successfully.
The WiFi password is: xxyy0011