I've heard that http://www.aircrack-ng.org/ is fairly good..

As far as I knew, aircrack could only crack wpa networks using pre-shared keys.
http://www.aircrack-ng.org/doku.php?id=cracking_wpa&s[]=wpa

Here is a good paper on the overall security of wireless networks to help you better understand your situation.
http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf

I am downloading the backtrack iso right now... I will see how this all works out... Thanks guys...

I wish to gain access to my neighbors WPA secured WiFi. What do I need and how do I go about it? They have all this bandwidth that they never use EVER. It's sad when I could be donating the bandwidth to good causes. Please help me. Contacting me is available of several different means to talk about this and I can use Win7 or Ubuntu. Thanks ahead of time.

The simplest way to describe the problem with your situation is that every single WPA password is encrypted specifically for it's ESSID (the wi-fi's name).


Example: If I name my wireless lan "test" and set a password "1234567890", with all those tools around (for example aircrack-ng) you could get the encrypted password and store it for later decryption. The day after if I just change my wlan's name to "test2" and you go capture again the encrypted password you will see that it is different from the initial, even though the password itself haven't changed!


Therefore, unless the targeted ESSID is a common one, you will have to decrypt that password your self, being unable to benefit of the pre-calculated passwords for common ESSIDs which are out there on the net. This procedure could take even years with a common PC.


I don't have major experience on the field so if i have said something wrong, corrections are more than welcome

To crack WPA I and II using Aircrack-ng you need to use a wordlist I believe.

True...you can pipe JTR's incremental option with standard output (standard output being the maximum length in which to brute force...the default I believe is eight if no arguments are supplied) into Aircrack like so...

./john --incremental --stdout | aircrack-ng -b "bssid" -w - /.cap_handshake_file_location

but a password over six characters long is useless to brute force (it would take years with a normal computer)...unless you had a quad GPU set up or something...even then still is sketchy...you might be better off doing some social engineering...

maybe you could find out (through social engineering) what characters he/she uses for the password (i.e., if they use just lowercase or numbers, etc.). Then you could tailor your JTR brute force to be more effective...in other words you could leave out symbols if he/she does not use them in the password...this will decrease your brute force time significantly.

Then again...if s/he uses a good strong password...your pretty much screwed unless you compromise a machine within his/her network another way.

OR you could use MDK3 to continuously deauth his 'real' router and set up a fake one with airbase-ng...then load a passive payload from Metasploit with SET...although this takes some time to set up.

A little side note...MDK3 will truly piss some people off if it is not used properly...make sure you spoof your MAC so your 'real' card does not show up in any logs...

This is defiantly the best way to hack into a wpa secured network, otherwise its grab a handshake and bruteforce your way in.

However, if your target has a "2WIRExxx" (where xxx= 3 numbers) your in luck. you'll just need a wordlist that is 10 numbers tat wont start with a 0 so your wordlist would look something like this:

1000000
1000001
1000002
1000003
1000004
etc

but idk how to generate a wordlist like that.

Well anyways thats here in america if its default setup, which believe me, most are