Hacking: Wi-Fi connections
Wi-Fi has gone from (briefly) being a niche alternative to Ethernet to an integral, and indispensable, technology in our everyday lives. Most of you are probably even reading this thanks to a device connected to Wi-Fi.
Currently, most non-enterprise Wi-Fi networks use the WPA2-PSK/Personal (Wi-Fi Protected Access 2 - Pre-Shared Key/Personal) security standard.
You will find WPA2-Personal in use on home and public networks. If you want to test the security of your own Wi-Fi connection, this guide will teach you how to crack a Wi-Fi network’s encryption key.
Prerequisites:
A Kali Linux machine. https://www.kali.org/
A Wi-Fi adapter.
Access to a Wi-Fi Access Point.
Part 1: Setup
We will be using the Airgeddon program. It can be downloaded from https://github.com/v1s1t0r1sh3r3/airgeddon.
sudo su
git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git
cd into the Airgeddon directory.
cd airgeddon
Disable processes that interfere with Airgeddon.
service NetworkManager stop
airmon-ng check kill
Start Airgeddon.
bash airgeddon.sh
If you don’t have all the dependencies required, Airgeddon offers to automatically install them for you. This process takes a few minutes.
Enter the number of the wireless adapter you want to use. For example, I want to use the USB wireless adapter connected to my Kali machine, so I would enter 2.
Now we arrive at Airgeddon’s main menu. There are multiple options for:
2. Priming your adapter (monitor mode) to search for targets and conduct attacks.
3. The reverse of option 2: taking your adapter back out of monitor mode.
4. Denial of Service attack tools
5. WPA/WPA2 handshake tools (e.g. capture)
6. Wi-Fi password decryption
and more specific attacks. But for now, we will only be using a few options.
Part 2: Obtain a WPA/WPA2 Handshake File
First, we want to capture the WPA/WPA2 handshake exchanged between a connected device and the access point.
Select option 5, the Handshake/PMKID tools menu.
First, select 2 to set your adapter to monitor mode, where it can search for targets.
Then, select 4. The program will start scanning for nearby access points, shown in a popup window. Once you see your target AP, hit ctrl+c to end the scan.
The network must have authorized devices connected and actively using the connection in order for a handshake to be captured. In the scan list, networks with connected clients are marked with an asterisk (*). Proceed to select your target network from the list.
Now, back at the handshake tools menu, select option 6 to start capturing a handshake with the target.
Select option 2, the Deauth aireplay attack. This attack sends disassociation packets to one or more connected clients, forcing them to reauthenticate, which lets us capture the WPA/WPA2 handshake generated when they reconnect. Use 100 seconds for the timeout value.
After (and if) a handshake file was successfully captured, the program will prompt you to declare a path to save the file. It is fine to accept the default root location.
Part 3: Crack Encryption Key
Return to the Airgeddon main menu and select 6, offline WPA/WPA2 decrypt.
The next choice depends on whether we are attempting to crack WPA(2) Personal or Enterprise encryption. Enterprise-level encryption is more secure than Personal; in our case (WPA2-Personal), go for option 1.
Select 1 to use a dictionary attack which tries a list of known commonly used passwords.
Before we can launch the attack, we need to tailor a dictionary for it.
Kali Linux provides a dictionary as part of its standard installation at /usr/share/wordlists/rockyou.txt.gz.
Open a new terminal in Kali.
Copy the file to /home/[yourusername] and unzip it there. For me that would be /home/ntk.
cp /usr/share/wordlists/rockyou.txt.gz /home/[yourusername]
cd /home/[yourusername]
gunzip rockyou.txt.gz
To see how many passwords this file contains:
wc -l rockyou.txt
The file contains passwords both shorter and longer than 8 characters. A WPA passphrase must be between 8 and 63 characters, so for WPA password cracking it is only worth keeping candidates in that range (pw-inspector ships with the hydra package on Kali):
sort -u rockyou.txt | pw-inspector -m 8 -M 63 > wpa.txt
Back in Airgeddon, accept the preselected handshake capture file with Y and enter the path to your dictionary. If you used the above command, your dictionary filepath is /home/[yourusername]/wpa.txt.
If the key is in the dictionary, the program will run until it finds it and display it on screen. Otherwise, you can try the brute force method.
Return to the Offline WPA/WPA2 decrypt menu and select option 2. Continue with the preselected handshake capture, and enter a minimum and maximum key length.
Brute forcing is a slow process and will likely take days. It is impractical and generally used only as a last resort; you should try to find more dictionaries to test first.
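The two attacks above succeed only against passphrases that are either in the dictionary or short enough for exhaustive search, which is exactly what a network owner wants to check about their own key before someone else does. The following is an added example, not part of this guide or of Airgeddon: it applies the 8-to-63-character WPA passphrase rule used in the pw-inspector step, checks a candidate passphrase against a wordlist, and estimates the worst-case brute-force time. The mini wordlist and the 100,000 guesses-per-second rate are constructed/assumed values for illustration, not real data or a measured figure.

```python
"""Assess how exposed a WPA2-Personal passphrase is to the dictionary and
brute-force attacks described in the guide (added example, not Airgeddon code).
"""

# A WPA/WPA2-Personal passphrase is 8 to 63 printable ASCII characters
# (0x20 to 0x7E). Anything outside that range can never be the key, so it is
# dead weight in a dictionary; this is what `pw-inspector -m 8 -M 63` removes.
WPA_MIN_LEN = 8
WPA_MAX_LEN = 63
PRINTABLE_ASCII = frozenset(chr(c) for c in range(0x20, 0x7F))

# Constructed mini wordlist standing in for rockyou.txt (not real data).
SAMPLE_WORDLIST = ["123456", "password", "password", "iloveyou",
                   "qwerty123", "sunshine", "letmein"]

# Assumed guess rate for illustration only; real rates depend on hardware.
ASSUMED_GUESSES_PER_SECOND = 100_000


def is_valid_wpa_passphrase(passphrase: str) -> bool:
    """True if the string could syntactically be a WPA/WPA2 passphrase."""
    return (WPA_MIN_LEN <= len(passphrase) <= WPA_MAX_LEN
            and all(ch in PRINTABLE_ASCII for ch in passphrase))


def filter_wpa_candidates(words):
    """Same effect as the guide's `sort -u | pw-inspector -m 8 -M 63`:
    drop duplicates and entries that cannot be a WPA passphrase.
    Order of first appearance is preserved."""
    seen = set()
    kept = []
    for w in words:
        if is_valid_wpa_passphrase(w) and w not in seen:
            seen.add(w)
            kept.append(w)
    return kept


def in_wordlist(passphrase: str, words) -> bool:
    """Would a dictionary attack using this list recover the passphrase?"""
    return passphrase in set(filter_wpa_candidates(words))


def charset_size(passphrase: str) -> int:
    """Size of the smallest class-complete alphabet a brute forcer must sweep:
    lowercase (26), uppercase (26), digits (10), symbols incl. space (33)."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c in PRINTABLE_ASCII and not c.isalnum() for c in passphrase):
        size += 33  # 95 printable ASCII characters minus 62 alphanumerics
    return size


def brute_force_worst_case_seconds(passphrase: str,
                                   guesses_per_second: int) -> float:
    """Seconds to exhaust every string of this length over this alphabet."""
    return charset_size(passphrase) ** len(passphrase) / guesses_per_second


def assess(passphrase: str, words=SAMPLE_WORDLIST,
           guesses_per_second=ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Summarise the passphrase's exposure to both attacks in one dict."""
    secs = brute_force_worst_case_seconds(passphrase, guesses_per_second)
    return {
        "valid_wpa_passphrase": is_valid_wpa_passphrase(passphrase),
        "in_wordlist": in_wordlist(passphrase, words),
        "charset_size": charset_size(passphrase),
        "brute_force_worst_case_days": secs / 86400,
    }


if __name__ == "__main__":
    # "password" falls to the dictionary; the second one does not and has a
    # far larger keyspace. Both passphrases are constructed for the demo.
    for pw in ["password", "Tr0ub4dor&3xample"]:
        print(pw, assess(pw))
```

At the assumed rate, an 8-character all-lowercase passphrase exhausts in roughly 24 days, which is the "days" figure the text warns about; each extra character class or extra character multiplies that time, which is why dictionaries are tried first and why a long passphrase that is not in any list defeats both approaches.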
Hope you enjoyed this guide. Check out Airgeddon’s other features as well, and have fun testing your home network. https://www.youtube.com/watch?v=0nXqhfry8KQ