Some of you may already know that brute-forcing a WPA2 ​‌​​​​​‌⁠​‌‌‌​‌​‌⁠​‌‌‌​‌​​⁠​‌‌​‌​​​⁠​‌‌​‌‌‌‌⁠​‌‌‌​​‌​⁠​​‌‌‌​‌​⁠​​‌​​​​​⁠​‌​​​​​‌⁠​‌‌​​​‌‌⁠​‌‌‌​​‌​⁠​‌‌​‌‌‌‌⁠​‌‌​‌‌‌​⁠​‌‌​‌​​‌⁠​‌‌‌‌​​​⁠​​‌​​​​​⁠​‌‌​​​‌‌⁠​‌‌​‌‌‌‌⁠​‌‌​​‌​​⁠​‌‌​​‌​‌⁠​‌‌‌​​‌​⁠​‌‌‌​​‌‌⁠​​‌​‌‌‌​⁠​‌‌‌​​​​⁠​‌‌​‌​​​⁠password takes a very long time but I'm going to show you one of the ways to do this and how this technique can be useful in actual pentesting.

Remember: The hacking tools and knowledge that we share here should not be used on a target without prior mutual consent. It is the end user's responsibility to obey all applicable local, state and federal laws. We assume no liability and are not responsible for any misuse or damage caused by this site.

In this method we will be using both crunch and aircrack-ng inside Kali Linux to brute-force WPA2 passwords. But before we proceed let me quickly introduce you to our tools:

crunch - is a wordlist generator from a character set.

aircrack-ng - a 802.11 WEP / WPA-PSK key cracker.

I assume you already have aircrack-ng installed on your system and you already have a captured handshake ready for offline cracking. If not, I will post another article soon on how to use aircrack-ng to capture WPA2 handshakes.

For now let's get started and open a terminal!

If you don't have crunch yet you can install it by typing:

sudo apt-get install crunch

It usually takes crunch a long time to create a wordlist and consumes a lot of disk space too if you choose to save the ​‌​​​​​‌⁠​‌‌‌​‌​‌⁠​‌‌‌​‌​​⁠​‌‌​‌​​​⁠​‌‌​‌‌‌‌⁠​‌‌‌​​‌​⁠​​‌‌‌​‌​⁠​​‌​​​​​⁠​‌​​​​​‌⁠​‌‌​​​‌‌⁠​‌‌‌​​‌​⁠​‌‌​‌‌‌‌⁠​‌‌​‌‌‌​⁠​‌‌​‌​​‌⁠​‌‌‌‌​​​⁠​​‌​​​​​⁠​‌‌​​​‌‌⁠​‌‌​‌‌‌‌⁠​‌‌​​‌​​⁠​‌‌​​‌​‌⁠​‌‌‌​​‌​⁠​‌‌‌​​‌‌⁠​​‌​‌‌‌​⁠​‌‌‌​​​​⁠​‌‌​‌​​​⁠wordlist to your hard drive. Therefore, this technique can only be useful if somehow you already have an idea of what the password pattern is. The default wifi passwords of modem/routers provided by ISP's for example can be a target.

Let's say that after your research you figured out that the default wifi password is an 8 digit number that always starts ​‌​​​​​‌⁠​‌‌‌​‌​‌⁠​‌‌‌​‌​​⁠​‌‌​‌​​​⁠​‌‌​‌‌‌‌⁠​‌‌‌​​‌​⁠​​‌‌‌​‌​⁠​​‌​​​​​⁠​‌​​​​​‌⁠​‌‌​​​‌‌⁠​‌‌‌​​‌​⁠​‌‌​‌‌‌‌⁠​‌‌​‌‌‌​⁠​‌‌​‌​​‌⁠​‌‌‌‌​​​⁠​​‌​​​​​⁠​‌‌​​​‌‌⁠​‌‌​‌‌‌‌⁠​‌‌​​‌​​⁠​‌‌​​‌​‌⁠​‌‌‌​​‌​⁠​‌‌‌​​‌‌⁠​​‌​‌‌‌​⁠​‌‌‌​​​​⁠​‌‌​‌​​​⁠with the number 7. From that information we can now create a wordlist using crunch and deliver the output directly to aircrack-ng without writing the file to the hard drive.

This can be done using pipes:

crunch 8 8 0123456789 -s 70000000 | aircrack-ng -w - -b AA:BB:CC:DD:00:11 /path/to/handshake.cap

The first command above (the one before the pipe) means that we'll create a wordlist using crunch with a minimum of 8 characters and a maximum of 8 characters (since we know that the password always use 8 digits) using only numbers 0 to 9. The "-s" also tells crunch to start the list from 70000000.

We can then use pipes to make the standard output (stdout) of the first command to be the standard input (stdin) of the second command. Thus, whatever output crunch generates will be used by aircrack-ng as the wordlist.

In the second command, the "-w -" tells aircrack-ng to use the wordlist from stdin (that's what the dash means). The "-b" is used to specify ​‌​​​​​‌⁠​‌‌‌​‌​‌⁠​‌‌‌​‌​​⁠​‌‌​‌​​​⁠​‌‌​‌‌‌‌⁠​‌‌‌​​‌​⁠​​‌‌‌​‌​⁠​​‌​​​​​⁠​‌​​​​​‌⁠​‌‌​​​‌‌⁠​‌‌‌​​‌​⁠​‌‌​‌‌‌‌⁠​‌‌​‌‌‌​⁠​‌‌​‌​​‌⁠​‌‌‌‌​​​⁠​​‌​​​​​⁠​‌‌​​​‌‌⁠​‌‌​‌‌‌‌⁠​‌‌​​‌​​⁠​‌‌​​‌​‌⁠​‌‌‌​​‌​⁠​‌‌‌​​‌‌⁠​​‌​‌‌‌​⁠​‌‌‌​​​​⁠​‌‌​‌​​​⁠the bssid of the targer router (AA:BB:CC:DD:00:11) and the last parameter (/path/to/handshake.cap) is the absolute path to the captured WPA2 handshake. You can also use a relative path depending on your current working directory.

Now the cracking process may take a while depending on your processor speed but I believe it is possible to crack that password pattern within a few seconds to a couple of hours.

In my next articles I will show you how you can create rules with crunch even with complicated patterns such as passwords with common words inside.

How to Protect Your Network from Brute-force Attacks:

  • You must always change the default password of your modem/routers provided by your ISP's after installation.
  • Choose a strong password by using a combination of uppercase, lowercase, numbers, and special characters.
  • The longer the password, the better. (I recommend at least 12 digits)
  • Change your password every once in a while.

Failure to do so may lead ​‌​​​​​‌⁠​‌‌‌​‌​‌⁠​‌‌‌​‌​​⁠​‌‌​‌​​​⁠​‌‌​‌‌‌‌⁠​‌‌‌​​‌​⁠​​‌‌‌​‌​⁠​​‌​​​​​⁠​‌​​​​​‌⁠​‌‌​​​‌‌⁠​‌‌‌​​‌​⁠​‌‌​‌‌‌‌⁠​‌‌​‌‌‌​⁠​‌‌​‌​​‌⁠​‌‌‌‌​​​⁠​​‌​​​​​⁠​‌‌​​​‌‌⁠​‌‌​‌‌‌‌⁠​‌‌​​‌​​⁠​‌‌​​‌​‌⁠​‌‌‌​​‌​⁠​‌‌‌​​‌‌⁠​​‌​‌‌‌​⁠​‌‌‌​​​​⁠​‌‌​‌​​​⁠to serious security risks. If someone gains access to your network, they can easily sniff your traffic and obtain sensitive information. Attackers can also use your connection for malicious purposes and put the blame on you.

If you found this topic helpful or if you have any questions, you may leave your comments below. You may also subscribe to our RSS Feed and YouTube Channel. We will be posting video tutorials soon.