Hack Wi-Fi in 10 mins#101
Crack Wi-Fi routers with Airodump-ng and Aircrack-ng/ Hashcat crack WPA / WPA2.
It is a simple walk-through guide that shows how to hack Wi-Fi networks that use weak passwords. It’s not exhaustive, but you should be given enough details to check the protection of your own network or hack into one nearby. The attack mentioned below is completely passive (only listening, nothing is transmitted from your computer) and can’t be monitored if you don’t even use the password you break. An optional active deauthentication attack can be used and defined at the end of this document to speed up the reconnaissance process.
If you are new to hacking, you must not skip the description and jump to a list of the commands used at the bottom.
DISCLAIMER: This tutorial/software is intended for only educational purposes. It should not be used for illegal activity. The author will not responsible for the use thereof. Don’t be a jerk about it.
Assuming that you know :
- Having a basic knowledge of Linux.
- Running a Debian-based system (Ubuntu, Kali Linux),
- Have Aircrack-ng installed (
sudo apt-get install aircrack-ng) and Hashcat installed (
sudo apt-get install hashcat)
- Having a wireless card that supports monitor mode
- Monitor mode
The first step is to recognize your wireless adapter by typing the following command in your terminal.
If an interface is not mentioned then your wireless card is not identified by the Operating system.
I am using Linux mint OS. Here you can see, wlxc83a35c26727(in your system it may be wlan0) is your wireless interface and it tells that it supports 802.11, ESSID is off and mode is managed.
Now, just type the next command to launch monitor mode, which will turn your wlan0 into wlan0mon. My command will be “airmon-ng start wlxc83a35c26727"
$ airmon-ng start wlan0
- Find the Target
The next tool is airodump-ng which enables us to capture packets of our specifications. Start listening to 802.11 Beacon frames broadcast by nearby wireless routers using your monitor interface:
You should see the output similar to the above screen.
For the purposes of this demo, we will choose to crack the password of my network, “waitt”. Remember the BSSID MAC address and channel (
CH) number as displayed by
airodump-ng, as we will need them both for the next step.
So our BSSID address is 80:AD:16:A7:A9:3E and channel number is 1.
As we can see in the screenshot above, airodump-ng shows all the APs (access points) within their range with their BSSID (MAC address), their capacity, the number of beacon frames, the number of data packets, the frequency, the size, the encryption process, the type of cipher used, the authentication process used and finally, the ESSID.
The next phase is now to catch a 4-way handshake as WPA/ WPA2 uses a 4-way handshake to authenticate devices into the network. You don’t have to say much about what it details, but to break the network encryption, you must grab one of those handshakes.
These handshakes occur whenever a device connects to the network, for instance, when your neighbour returns home from work.
To capture 4-way handshake, type following command in your terminal.
$ airodump-ng -c 1 — bssid 80:AD:16:A7:A9:3E -w waitt wlan0mon
Command explanation: -c stands for Channel, — bssid stands for Mac address and -w stands for writing the packets into file.
Now we wait… Once you’ve captured a handshake, you should see something like
[ WPA handshake:80:AD:16:A7:A9:3E ]at the top right of the screen, just right of the current time.
If you are feeling impatient, and are comfortable using an active attack, you can force devices connected to the target network to reconnect, be sending malicious deauthentication packets at them also, If there is no handshake so to get the handshake value instantly, we’ll use deauthentication method in which we’ll force to send the malicious deauthentication packets to the target for reconnecting.
Another important tool in our aircrack-ng arsenal is Aireplay-ng which can be used to produce or boost traffic on the AP. It can be especially effective in threats such as a deauth attack that knocks anyone off the entry point, password threats on WEP and WPA2 as well as intrusion and replay attacks on ARP.
To deauthentication the target, type command in another terminal.
$ aireplay-ng -0 2 -a 80:AD:16:A7:A9:3E -c 7C:67:A2:E7:EE:BF wlan0mon
Here -a stands for BSSID address of the target and -c stands for station address.
Upon receipt of such packets, most clients disconnect from the network and immediately reconnect, providing you with a 4-way handshake as shown below.
So here, our handshake is “80:AD:16:A7:A9:3E“.
Once you’ve captured a handshake, press
airodump-ng. You should see a
.capfile wherever you told
airodump-ngto save the capture (likely called
-01.cap). We will use this capture file to crack the network password. I like to rename this file to reflect the network name we are trying to crack.
Now the final step is to crack the password using the captured handshake. If you have access to a GPU, I highly recommend using hashcat for password cracking.
Aircrack-ng can be used for very basic dictionary attacks running on your CPU. Before you run the attack you need a wordlist. I recommend using the infamous rockyou dictionary file:
# download the 134MB rockyou dictionary file
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
Note, that if the network password is not in the wordlist you will not crack the password.
-a2 specifies WPA2, -b is the BSSID, -w is the word file
If the password is cracked you will see a
KEY FOUND!message in the terminal followed by the plain text version of the network password.
Hashcat is built to work on Windows, Linux and as well as on Mac. You can go to hashcat.net and download the binaries and follow the instruction for your operating system. What we are going to do here is clone a fresh copy of hashcat from GitHub and manually install it on a Debian based Linux.
Preferably, you should use Kali Or Parrot but a similar distro like Ubuntu will work as well.
Update Your Repo’s and install the following dependencies:
$ apt update $ apt install git build-essential ocl-icd-libopencl1 libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev -y
Either install hashcat by
sudo apt-get install hashcator by cloning it’s repo from github
Clone hashcat from github and move to directory:
$ git clone https://github.com/hashcat/hashcat.git $ cd hashcat/
Finally, compile the binaries and we are all set with hashcat.
$ git submodule update --init $ sudo make && sudo make install
Earlier we have captured 4-way handshake using tool “Airodump”, now we still need the proper format to supply it to hashcat. To convert it to a proper format (hccapx), we need another tool.
There are already some online services that you may use: https://hashcat.net/cap2hccapx/
In this case, I am doing it locally, clone the hashcat-utils repo from GitHub:
$ git clone https://github.com/hashcat/hashcat-utils.git $ cd hashcat-utils/src
Next, compile the binaries.
$ sudo make
After, compiling you will have the binaries under the same directory. The binary file that we need is cap2hccapx.bin. To make sure, you have done it correctly compiled, try to execute the file, it will throw you back the syntax.
Bingo!! You have installed it correctly.
Use the following command to convert the .cap file to .hccapx hashcat capture format.
$ ./capt2hccapx.bin /path/tp/capfile.cap hashfile.hccapx
Cracking WPA/WPA2 (Handshake) with hashcat
There is a probability with hashcat of different attack vectors. We might do a simple dictionary attack, a brute-force attack, a combinator attack or even a mask attack, i.e. create rules to consider various possibilities and attempt different characters at different locations.
- Dictionary Attack
For this to work, you need a wordlist as called. Provided that you have a decent list of potential wifi passphrases, or else you can grab the popular ones: https:/www.wirelesshack.org/wpa-wpa2-word-list-dictionaries.html
I will be using rockyou.txt. You can also download it from here: https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
Launch the following command for dictionary attack:
$ hashcat -a 0 -m 2500 hashfile.hccapx **/path/to/dict.txt
- -a: specifies cracking mode. In our case it’s dictionary mode and “/path/to/dict.txt” is complete path to the wordlist.
- -m: hash mode. Specifies what type of hash we are dealing with.
crack! baby! crack!
The cracked password will be saved to
waitt.pot, so check this file periodically. Once you’re cracked the password, you should see something like this as the contents of your
Where the last two fields separated by: are the network name and password respectively.
- Brute-Force Attack
The Brute-force is distinct from the attack at the dictionary. Here, we are attempting to substitute any character in a specified length from a given charset at any possible location. For eg, we can try every character from A-Z on every position in this string in a string of length 8. This is how the brute force operates and is very time-consuming.
To start your first brute-forcing attempt, launch the following command:
$ hashcat -m 2500 -a 3 hashfile.hccapx ?d?d?d?d?d?d?d?d
- -a: specifies the cracking mode and here the value 3 indicates, we are running a brute-force attack.
- ?d?d?d?d?d?d?d?d: is the brute-forcing rule here. It specifies what kind of values to check, where to replace and also assumes how much time could it take to crack the key.
The above mask i.e. “?d?d?d?d?d?d?d?d” states to check a string of length 8 with a digit at every position. You can study about mask attack here: Hashcat Mask Attack.
Much of the information presented here was gleaned from Lewis Encarnacion’s awesome tutorial,https://www.yeahhub.com/crack-wpawpa2-psk-using-aircrack-ng-and-hashcat-2017/, and https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2. Thanks also to the awesome authors and maintainers who work on Aircrack-ng and Hashcat.