Hacking: Wi-Fi connections

Ng Tze Keat
5 min readJun 12, 2021

--

Wi-Fi has come from (briefly) being a niche alternative to ethernet to an integral, and indispensable, technology in our everyday lives. Most of you are probably even reading this thanks to a device connected to Wi-Fi.

Currently, most non-enterprise Wi-Fi networks, use the WPA2-PSK/Personal(WiFi Protected Access 2 - Pre-Shared Key/Personal) security standard.

Network and Internet Settings>Properties(of a connected wifi network)

One might find WPA2-Personal being used in home, or public networks. If you want to test the security of your Wi-Fi connection, this guide will teach you how to crack a Wi-Fi network’s encryption key.

Prerequisites:

A Kali Linux machine. https://www.kali.org/

A Wi-Fi adapter.

Access to a Wi-Fi Access Point.

Part 1: Setup

We will be using the Airgeddon program. It can be downloaded from https://github.com/v1s1t0r1sh3r3/airgeddon.

sudo su
git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git

cd into the Airgeddon directory.

Disable processes that interfere with Airgeddon.

service NetworkManager stopairmon-ng check kill

Start Airgeddon.

bash airgeddon.sh
Welcome screen

If you don’t have all the dependencies required, Airgeddon offers to automatically install them for you. This process takes a few minutes.

Enter the wireless adapter you choose to use.

Wireless Adapter connected to Kali via USB

For example, I want to use the USB wireless adapter connected to my Kali machine, so I would enter 2 .

Main menu

Now we arrive at Airgeddon’s main menu. There are multiple options for:

2. Priming your adapter to search for targets and conduct attacks.

3.^vice versa

4. Denial of Service attack tools

5. TCP handshake tools(e.g capture)

6. Wi-Fi password decryption

and more specific attacks. But for now, we will only be using a few options.

Part 2: Obtain TCP Handshake file

First, we want to capture a wireless TCP handshake in the data exchanged between a connected device and an access point.

Select option 5 , Handshake/PMKID tools menu.

Handshake tools menu

First, select 2 to set your adapter to monitor mode, where it can search for targets.

Targets window

Then, select 4 . The program will start scanning for nearby access points, shown in the popup window. Once you see your target AP, hit ctrl+c to end the monitoring.

Network list

The network must have authorized devices connected and using the connection in order for a handshake to be captured. This is usually the case with the networks with clients(*). Proceed to select your target network from the list.

Handshake tools menu

Now back at the handshake tools, select option 6to start capturing a handshake with the target.

Handshake capture menu

Select option 2, the Deauth aireplay attack. This attack sends disassocate packets to one or more connected clients by forcing them to reauthenticate allowing us to capture the subsequently generated WPA/WPA2 handshakes. Use 100 seconds for the timeout value.

Wait for the handshake capture
File path prompt

After (and if) a handshake file was successfully captured, the program will prompt you to declare a path to save the file. It is fine to accept the default root location.

Part 3: Crack Encryption Key

Airgeddon Main Menu

Return to the Airgeddon main menu. and select 6 , offline WPA/WPA2 decrypt.

Offline WPA(2) decrypt menu

Depending on whether we’re attempting to crack WPA(2) Personal or Enterprise encryption. Enterprise level encryption is more secure than personal, and in our case, go for option 1 .

Select 1 to use a dictionary attack which tries a list of known commonly used passwords.

Before we can launch the attack, we need to tailor a dictionary for it.

Kali Linux provides a dictionary as part of it’s standard installation at
/usr/share/wordlists/rockyou.txt.gz.

Open a new terminal in kali.

Copy and unzip the file to home/[user]. For me it would be home/ntk.

cp /usr/share/wordlists/rockyou.txt.gz /home/[yourusername]
gunzip rockyou.txt.gz

To know how many passwords this file:

wc -l rockyou.txt

The passwords inside this file include passwords with more and less than 8 characters, so if you want to use it for WPA password cracking, it is only necessary to include passwords with a minimum of 8 characters.

cat rockyou.txt | sort | uniq | pw-inspector -m 8 -M 63 > wpa.txt
Configuring the decryption

Now, accept the preselected data with Y s and state the statement above. If you used the above command, your dictionary filepath should be “/home/[yourusername]/wpa.txt”.

Key found

If the key is in the dictionary, the program will run until it finds it, and output it in the above screen. Otherwise, you can try the brute force method.

Brute force setup

Return to the Offline WPA/WPA2 decrypt menu and select option2 . Continue with the preselected handshake capture, and a key min and max length.

Brute forcing

Brute forcing is a long process, and will likely take days. It is impractical, and generally only used as a last resort. You should try to find more dictionaries to test first.

Congratulations!

Hope you enjoyed this guide. Check out Airgeddon’s other features as well, and have fun testing your home network. https://www.youtube.com/watch?v=0nXqhfry8KQ

--

--