(This tutorial uses a method that involves WPS.)
So, for whatever reason, you're interested in cracking a secured wireless access point. We all know (or may not know) how easy it is to crack WEP-encrypted wireless access points, but what about the newer WPA encryption? Well, this is a little more tricky. Instead of cracking the actual WPA key, we are going to focus on something called "WPS", which stands for Wi-Fi Protected Setup.
Tools You Will Need:
Copy of BackTrack 5: http://www.backtrack-linux.org/downloads/
Laptop with DVD ROM and Wireless Card
Wireless Access Point with WPA & WPS Enabled
Step One: Insert the BackTrack DVD and boot off the drive. Google it if you don't know how to do this step.
Step Two: Select "BackTrack Text – Default Boot Text Mode" and press Enter.
Once you are prompted, type "startx"; this will boot you into the BT5 GUI. (The default login credentials for BT5 are username: root, password: toor.)
Step Three: Install Reaver. Reaver is new to BackTrack, so as of BackTrack 5 R2 it does not come installed on the Live DVD, but I believe it does in R3.
If it doesn't, follow these simple steps:
1. Make sure you have internet connectivity by going to Applications > Internet > Wicd Network Manager.
2. Select your wireless network and connect to it.
3. Open a terminal window and type "apt-get update" without quotations; this refreshes the package lists from all the apt-get repositories (including the one that carries Reaver).
4. Now type "apt-get install reaver" without quotations; Reaver will now be installed.
Step Four: We need to get your wireless card's interface name. To do this, open up a terminal and type "iwconfig".
As you can see from the screenshot above, my wireless card is identified by BackTrack as "wlan0". This is most likely what yours will be, unless you are using multiple wireless cards, in which case the interface naming may differ.
Step Five: Now we need to put your wireless card into something called "Monitor Mode"; this is just a mode that lets the wireless card survey the access points around it and capture and inject packets. To do this, simply type "airmon-ng start wlan0" without quotations.
This is going to create ANOTHER interface called "mon0" (see screenshot below).
Step Six: The next thing we want to do is find the BSSID of the access point we are trying to gain access to. To do this, type "airodump-ng mon0" without quotations; the wireless interface mon0 will then survey all the access points it is able to see around it.
(See screenshot below.)
Step Seven: Now that we have the BSSID and the wireless card is in monitor mode, we are ready to go.
Step Eight: Input this command into the terminal:
"reaver -i mon0 -b 30:46:9A:7C:BB:8F -vv" without quotations. (Where mon0 is the interface you're using; replace "30:46:9A:7C:BB:8F" with the BSSID of the router you're actually trying to hack.)
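As an added defender-side example (not part of this tutorial), here is a small detector for what Step Eight looks like from the access point's side: a long run of failed WPS PIN exchanges from a single station MAC. The log line format, the station MACs and the timestamps are constructed for the example and are not real hostapd or router output.

```python
import re
from collections import defaultdict, deque

# Assumed log format, constructed for this example (not real hostapd/router output):
#   "<unix_ts> <iface>: WPS-PIN-{FAIL|SUCCESS} <station_mac>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<iface>\S+): WPS-PIN-(?P<result>FAIL|SUCCESS) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.IGNORECASE)

def parse_line(line):
    """Return (ts, iface, result, mac) for a WPS event line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["iface"], m["result"].upper(), m["mac"].lower()

def wps_bruteforce_alerts(log_text, threshold=5, window=60):
    """Per-station sliding-window count of failed WPS PIN exchanges; returns
    {mac: (first_ts, failures)} for stations hitting `threshold` in `window` s."""
    recent = defaultdict(deque)   # mac -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue              # not a WPS event
        ts, _iface, result, mac = parsed
        if result != "FAIL":
            continue              # a successful registration is not an attempt
        q = recent[mac]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and mac not in alerts:
            alerts[mac] = (q[0], len(q))
    return alerts

# Constructed sample: one station cycling through PINs, one legitimate client
# that mistypes its PIN once and then succeeds.
SAMPLE_LOG = """\
1000 wlan0: WPS-PIN-FAIL 00:11:22:33:44:55
1001 wlan0: WPS-PIN-FAIL aa:bb:cc:dd:ee:ff
1002 wlan0: WPS-PIN-FAIL 00:11:22:33:44:55
1003 wlan0: WPS-PIN-FAIL 00:11:22:33:44:55
1004 wlan0: WPS-PIN-SUCCESS aa:bb:cc:dd:ee:ff
1005 wlan0: WPS-PIN-FAIL 00:11:22:33:44:55
1006 wlan0: STA-CONNECTED aa:bb:cc:dd:ee:ff
1007 wlan0: WPS-PIN-FAIL 00:11:22:33:44:55
1009 wlan0: WPS-PIN-FAIL 00:11:22:33:44:55
"""
```

With the defaults, `wps_bruteforce_alerts(SAMPLE_LOG)` reports only 00:11:22:33:44:55 as (1000, 5); the legitimate client's single failure stays below the threshold. On a real AP the same idea is what the WPS "lockdown" setting implements, so leaving WPS disabled or locked down is the mitigation this detector would confirm.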