I have seen quite the influx in 4G hotspots recently. A lot of people I know carry them with them as well. I had the chance to look at one a little closer recently. Most of the time there is some sort of default password. Some actually print the password on the router to make it easy to remember. Most hotspot owners probably don't worry about changing the password because they only turn it on when they need it. Just as an example, let's say the model has a default 8-digit PIN. Definitely worth trying to crack. Once one has the handshake they just need to be able to crack it. So this is how you would do it:

Say you have been hired by a company to do a penetration test on their wireless infrastructure. You first boot up and plug your wireless card in. You need to kill any processes that may interfere with the wireless card. Follow that command with airmon-ng start wlan0 followed by airodump-ng mon0. But wait, this is probably just a random hotspot, probably not on the network. Since you read this how-to, you know that this hotspot could potentially have a default password. Before you begin cracking, make sure to find out if this is a company hotspot and get permission from the hiring company to try and break the password. We wouldn't want to crack the encryption on anyone's personal device.

This time start your card in monitor mode on the channel of the hotspot. Mine happens to be broadcasting on channel 2. To monitor channel 2 run airmon-ng start wlan0 2. This can be done with the following command: airodump-ng -c <channel> --bssid <BSSID> -w <output prefix> mon0. To deauthenticate a client run aireplay-ng -0 1 -a <BSSID> -c <client MAC> mon0. Alright, ctrl+c your airodump session and stop your airmon session as well with airmon-ng stop mon0. Now that we have this handshake we can take the cap file back to wherever we want to crack it.

The next step in cracking this password is to run John the Ripper against it. There are a few things we need to set up first to ensure the quickest possible cracking. For example, let's say we know there are only eight digits in the password. That gives us a total of 100,000,000 possible combinations. My laptop can crank out about 2,000 password attempts per second, so that equals out to around 14 hours of cracking time to go through every possible combination. Instead, using John the Ripper to compute on the fly will be quicker, as you may crack the password by brute force. Nano a new file called numlist. We use seven digits here because we need to create a passlist file for John to use as a base. So the list will look like this:

When we run John with mangling rules, in a few seconds this will tell it to go through every possible combination of seven digits. Now we are all set to start cracking the captured handshake. Once you begin this you should see John start to generate passwords for aircrack to use against the capture file. Like I said before, this can take up to 14 hours with a decent laptop to crack. So set the laptop aside and go grab your axe and start shredding some riffs and crank that amp to eleven. Come back in the morning before you head back for day two of pentesting. Since most people tend to reuse passwords, you can then try logging in to the domain with their creds. Any avenue that will help you get closer to getting on their domain is always welcomed.

Also, if you allow hotspots in your company's environment, make sure that the default passwords are changed. If you must carry one of these hotspots with you, changing the password is just as easy as it is on your home router.
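To put numbers behind the "change the default password" advice, here is an added example (my own code, not from the original post) that scores a hotspot PSK the way the post reasons about it: it works out the keyspace an attacker who knows the password's shape must cover and converts it to hours at a guess rate. The 2,000 guesses per second is the figure the post quotes for a laptop; the one-year "acceptable" threshold and the sample passwords are constructed assumptions. It measures brute-force exposure only, not dictionary weakness.

```python
"""Hotspot PSK strength check: how long a password survives a brute-force run
at the guess rate quoted in the post (about 2,000 PSK guesses per second)."""
import string

# Assumption taken from the post: ~2,000 WPA PSK guesses per second on a laptop.
DEFAULT_RATE_PER_SEC = 2_000
# Constructed policy threshold (my assumption, not from the post): a PSK that an
# attacker could exhaust in under a year of continuous guessing is called weak.
ACCEPTABLE_HOURS = 24 * 365

# WPA/WPA2 passphrases must be 8 to 63 printable ASCII characters.
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63

CLASSES = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "symbols": string.punctuation,
}


def classes_used(psk):
    """Names of the character classes present in psk, in CLASSES order."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in psk)]


def keyspace(psk):
    """Worst-case number of candidates for an attacker who knows the password's
    shape (length and character classes). An 8-digit PIN gives 10**8, i.e. the
    100,000,000 combinations the post talks about."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(psk))
    if alphabet == 0:  # empty or non-ASCII input: fall back to distinct characters
        alphabet = max(len(set(psk)), 1)
    return alphabet ** len(psk)


def hours_to_exhaust(psk, rate=DEFAULT_RATE_PER_SEC):
    """Hours needed to try every candidate at `rate` guesses per second."""
    return keyspace(psk) / rate / 3600


def assess_hotspot_psk(psk, rate=DEFAULT_RATE_PER_SEC, acceptable_hours=ACCEPTABLE_HOURS):
    """Return a verdict ('ok' or 'weak') with the reasons and the time estimate."""
    reasons = []
    if not WPA_MIN_LEN <= len(psk) <= WPA_MAX_LEN:
        reasons.append(f"length {len(psk)} is outside the WPA range {WPA_MIN_LEN}-{WPA_MAX_LEN}")
    if psk.isdigit():
        reasons.append("digits only: looks like a factory PIN, so the keyspace is tiny")
    hours = hours_to_exhaust(psk, rate)
    if hours < acceptable_hours:
        reasons.append(f"exhaustible in about {hours:.1f} h at {rate:,} guesses/s")
    return {
        "verdict": "weak" if reasons else "ok",
        "hours": hours,
        "classes": classes_used(psk),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample passwords: an 8-digit PIN, a 10-digit PIN, a 16-char mixed one.
    for candidate in ("12345678", "1234567890", "Tq7!vLm2#pR9xWe4"):
        result = assess_hotspot_psk(candidate)
        print(f"{candidate!r:22} {result['verdict']:5} {result['hours']:.3g} h  "
              f"{'; '.join(result['reasons']) or 'no issues'}")
```

Run it as a script to see the three verdicts: the 8-digit PIN falls at about 13.9 hours, which matches the post's "around 14 hours", and even a 10-digit PIN lands under two months, while the mixed 16-character password is out of reach at this guess rate. When auditing your own hotspots, replace the rate with the figure you measure for your own cracking hardware.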