Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

Wireless How To


To crack WPA-PSK, we'll use the venerable BackTrack Live-CD SLAX distro. It's free to download, but please consider donating, since this really is the Swiss Army knife of network security.

As you can see from my system specs in Table 1, it doesn't take much computing power to run WPA cracks.

Attacking System Specs
Model HP Compaq nx6310
Processor Intel Celeron M 410 (1.46 GHz)
Wireless Adapter Netgear WG511T (Atheros)
OS BackTrack v3 beta (build 12.14.07)
BackTrack v2 Final
Target Wireless Access Point Encore ENRXWI-G (SSID: snb)
Target AP MAC 00:18:E7:02:4C:E6
Target AP Client MAC 00:13:CE:21:54:14
Table 1: Attacking System Specs

The folks at Remote Exploit have just released a new beta, BackTrack version 3, which I'll use for this crack. But I've also included notes about relevant differences from BackTrack v2.

First, download, burn and boot the BackTrack ISO. BackTrack v3 now auto logs in as root; BackTrack v2 requires you to login as "root" with the password "toor".

Recon with Kismet

Open up Kismet, the venerable wireless surveillance tool (Backtrack > Radio Network Analysis > 80211 > Analyzer). Version 3 includes a nice little GUI to select the wireless interface, but it didn't work for me.

To fix this, or if you're using version 2, add a line in /usr/local/etc/kismet.conf to manually specify your source (as driver, interface, display name). This is what it looks like for my setup:

/usr/local/etc/kismet.conf -- Line 25:

Then start Kismet from a terminal.

bt ~ # kismet

Kismet is a great surveillance tool, but that is only one of its many talents. It captures raw packets while operating, which we can use later to attack weak PSKs, having captured a client connection while listening. It also has some interesting alerts built in, to warn you of potential evil-doers within wireless range. To top it off, Kismet is completely passive and therefore undetectable.

In Part 1 of our original WEP cracking series, Humphrey Cheung wrote a great introduction to recon with Kismet. Recon for WEP cracking and WPA cracking is largely very similar so I won't repeat that information here. Instead, I'll just point out a few settings and options that I find useful as well as explain a bit of the interface.

I would add, however, that Kismet is very versatile and customizable with great context-sensitive help menus. Pressing "h" just about any time will bring up a help menu with the relevant options for your situation.

In the main network list, access points are color coded. Most networks will show up green. Some, like the one in Figure 1, show up red, indicating that access point has no security mode employed (the "F" in the Flags column indicates that the AP is still configured with the factory defaults, as far as Kismet can tell).

Factory Settings

Figure 1: Factory Settings

The other interesting parts of the Network List display for our purposes include the "W", "Ch" and the "Packts" columns.

The "W" column displays a one-letter code representing the type of security implemented by the access point: None ("W"), WEP ("Y"), or WPA ("O" for Other).

The "Ch" column, as one might expect, is the channel of the access point. We'll need this information later if we employ an active attack.

The "Packts" column lists the number of packets captured by Kismet for a particular access point. While not completely relevant, it gives us a decent ball-park measurement of both network load and proximity. Higher network load usually translates to higher number of connected clients, which increases the chance that we could capture a client association passively.

Kismet defaults to autofit mode, where you can sort the networks and bring up the Network Details page by highlighting an AP and hitting enter. The Network Details page list all sorts of interesting information about the network most notably the WPA encryption scheme, BSSID and number of clients associated with the access point.

Pressing "c" while in the Network Details view will bring up the connected Clients List. The Client List shows all the nodes with traffic associated with the access point. Generally, we're looking for clients with a type (the "T" column) Established ("E") or To DS ("T").

Passive Attack

In a passive attack, all we need to do is listen on a specific channel and wait for a client to authenticate. Kismet is the weapon of choice here, although airodump-ng works too. Kismet gives you much more control and information than airodump-ng, but unfortunately doesn't provide notification to alert you of a successful WPA-PSK association four-way handshake. Airodump-ng does, but gives you less dynamic control of the capture card's behavior and very little information (compared to Kismet).

General Kismet recon and capture steps for a passive WPA-PSK attack are:

  • Start Kismet
  • Sort the networks (Ex: by channel, press "s" then "c")
  • Lock channel hopping onto the channel of interest (highlight the target AP and press "L")
  • Wait until a client connects to capture the association

More Wireless

Featured Sponsors

Top Ranked Routers




Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

Hello! I have a VPS server under Ubuntu 15.4 with OpenVPN 2.4 installed. And I have RT-N66U with 380.65_beta1.My current server config is:Code: dev t...
Hello,Having recently gone from just using a AC3200 as an AP to actually configuring it as my primary/internet-facing router = loving the Merlin firmw...
I've read through a bunch of threads about adjusting transmit power but have not yet found an answer to my question.Background: I have no interest in ...
I am using a RT-AC87U in a Windows domain and I would like to use the domain controller as a DHCP and DNS server.How can I set the router to relay the...
​ Synology's DS216j is a good, relatively inexpensive RAID 1 NAS.Read on SmallNetBuilder

Don't Miss These

  • 1
  • 2
  • 3