• Liana Parakesyan

Wi-Fi Hacking: A How To for Penetration Testers


Image Credit: Sebastiaan Stam

DISCLAIMER: Ensure you have permission from the Wi-Fi network owner/operator and are fully authorized before attempting to conduct any Wi-Fi penetration testing and/or hacking activities. Use these tools and techniques at your own risk.

What is Wi-Fi

Wi-Fi is a wireless networking technology that allows devices such as computers, mobile devices, Internet of Things devices, and other equipment like printers and video cameras to connect to networks and communicate with other devices and the Internet. Wi-Fi allows these devices, and many more, to exchange information with one another and provides a gateway to the World Wide Web without wires.

Wi-Fi is everywhere: in coffee shops, at home, at work, at small and large organizations, hotels, airports, and more. And even if there is no Wi-Fi, we look around to check to see if there is so we can connect to it.

What Does This Mean

The fact that Wi-Fi access points are additional gateways into networks increases attack surface. In many cases Wi-Fi access points (or routers) are connected directly to the organization's networks with other devices that may contain sensitive information or may be valuable to attackers. An attacker would be able to crack a weak password for a Wi-Fi access point, and gain a foothold into the organization from a parking lot or a coffee shop across the street.

The following are a few examples of what may lead to a weak Wi-Fi access point that can be hacked:

  • Wi-Fi APs without passwords or keys (open Wi-Fi) usually at public places

  • Wi-Fi APs with weak passwords, usually guessable

  • Wi-Fi APs with moderate strength passwords, usually crackable

  • Wi-Fi APs without guest WiFi enabled, in large organizations

  • Wi-Fi APs using weak encryption algorithms that can be cracked like WEP

Any one of the above can give an attacker an attack vector that, if successfully exploited, provides access to the network and to any other device connected to that same network. In many cases attackers can then capture traffic on the network, steal passwords, exfiltrate credit card information, and more.
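The conditions in the list above that are visible over the air (open networks, WEP) can be checked from a survey of your own access points. The following is an added example, not part of the original article: it parses the CSV that airodump-ng (the capture tool used later in this article) writes with --output-format csv and flags each AP. The sample rows are constructed, and the TKIP check and the severity labels go beyond the list above and are this example's own choices.

```python
"""Flag weakly configured APs in an airodump-ng CSV survey (added example)."""

# Constructed sample in the layout airodump-ng writes with --output-format csv.
# All BSSIDs and ESSIDs are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:AA:00:01, 2020-01-01 10:00:00, 2020-01-01 10:05:00,  6,  54, OPN, , , -40, 120, 0, 0.  0.  0.  0, 10, Lobby-WiFi,
02:00:00:AA:00:02, 2020-01-01 10:00:01, 2020-01-01 10:05:00, 11,  54, WEP, WEP, , -55, 98, 12, 0.  0.  0.  0, 9, Warehouse,
02:00:00:AA:00:03, 2020-01-01 10:00:02, 2020-01-01 10:05:00,  1, 130, WPA2 WPA, CCMP TKIP, PSK, -61, 77, 0, 0.  0.  0.  0, 7, Printer,
02:00:00:AA:00:04, 2020-01-01 10:00:03, 2020-01-01 10:05:00, 36, 866, WPA2, CCMP, PSK, -48, 140, 0, 0.  0.  0.  0, 13, Corp, Main St,
02:00:00:AA:00:05, 2020-01-01 10:00:04, 2020-01-01 10:05:00, 44, 866, WPA2, CCMP, MGT, -50, 133, 0, 0.  0.  0.  0, 10, Corp-8021X,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:BB:00:01, 2020-01-01 10:01:00, 2020-01-01 10:04:00, -60, 42, 02:00:00:AA:00:04,
"""


def parse_access_points(text):
    """Parse the AP table of an airodump-ng CSV into a list of dicts."""
    aps, in_ap_table = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("BSSID,"):
            in_ap_table = True
        elif line.startswith("Station MAC,"):
            break                          # client table follows; not needed here
        elif in_ap_table and line:
            cols = line.split(",", 13)     # 13 fixed columns, then "ESSID, Key"
            if len(cols) < 14:
                continue                   # truncated row
            essid = cols[13].rsplit(",", 1)[0].strip()  # ESSID may contain commas
            aps.append({
                "bssid": cols[0].strip(),
                "essid": essid or "<hidden>",
                "privacy": cols[5].split(),
                "cipher": cols[6].split(),
                "auth": cols[7].split(),
            })
    return aps


def assess(ap):
    """Return (severity, reasons) for one parsed AP."""
    reasons = []
    if "OPN" in ap["privacy"]:
        reasons.append("open network, no passkey")
    if "WEP" in ap["privacy"]:
        reasons.append("WEP encryption")
    if "TKIP" in ap["cipher"]:
        reasons.append("TKIP still enabled")
    if reasons:
        weak = "OPN" in ap["privacy"] or "WEP" in ap["privacy"]
        return ("high" if weak else "medium"), reasons
    if "PSK" in ap["auth"]:
        # Cannot be judged from a survey: the passphrase itself must be reviewed.
        return "review", ["pre-shared key: passphrase strength must be checked"]
    return "ok", []


def audit(text):
    """Map each ESSID to its (severity, reasons)."""
    return {ap["essid"]: assess(ap) for ap in parse_access_points(text)}


if __name__ == "__main__":
    for essid, (severity, reasons) in audit(SAMPLE_CSV).items():
        print(f"{severity:7} {essid:15} {'; '.join(reasons)}")
```
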

Why Hack the Wi-Fi

Penetration testing Wi-Fi networks is extremely important to learn about the weaknesses and determine if the current configuration and security of the wireless access points pose a high risk to the network, and to test if an attacker would be able to gain access to the network by cracking the Wi-Fi password or key. By understanding the deficiencies and weaknesses that affect access points, it is possible to take steps to remediate them, improve the configurations, and harden the Wi-Fi access points for better overall security.

Hacking Wi-Fi Passkeys

To sniff Wi-Fi, we use an Alfa AWUS036NH USB Wi-Fi adapter which connects to our Kali laptop via USB. For longer range sniffing, the 16 dBi Yagi antenna can be connected to the Wi-Fi adapter, and then to the laptop, as seen in pictures below.

It is important to have the right Wi-Fi adapter, due to compatibility issues with Linux operating systems. In this case we use Kali Linux, which can be particular about wireless chipset support, and not every chipset supports monitor mode (which is needed to capture wireless packets).

After the Wi-Fi adapter has been connected to the computer, check the Wi-Fi interfaces by running the command #airmon-ng or #iwconfig to confirm the connection. wlan0 is the laptop's native wireless adapter, and wlan1 is the adapter that was connected via USB.

After confirming that the computer has recognized the connected adapter, start the wlan1 interface monitoring by running command #airmon-ng start wlan1 as seen in figure below.

If greeted with the output above, run the command #airmon-ng check kill to kill the processes that may interfere with Wi-Fi monitoring and packet capture. Run #airmon-ng start wlan1 again to successfully put wlan1 into monitor mode and get the following output.

Now phy2 shows wlan1mon which means wlan1 is now in monitor mode and the USB connected Wi-Fi adapter now can capture packets. For the purposes of this hacking demonstration, a special AP was created called Crack this AP. Our targeting will focus on this Wi-Fi access point. To start capturing packets we need to make an output file with a .pcap or .cap extension and dump the captured packets to be saved in this file; we do this by running the following command:

#airodump-ng -w crackthisap --output-format pcap wlan1mon

Once satisfied with the sniffed wireless access points, hit CTRL+C to exit the active capture. The previous command saves a file called crackthisap.pcap (or .cap) in the current directory.

A successful capture of a four-way handshake (for WPA) will occur when a client authenticates to the target access point. This can be confirmed by indication of WPA handshake: D4:38:9C:B2:70:72 showing at the top of the terminal once it has been successfully captured in the figure above.

The next step is to crack the Wi-Fi passkey. To do so run the following command:

#aircrack-ng -w passwordlist.txt crackthisap.cap

aircrack-ng reads the .cap file and confirms that a WPA handshake has been captured as seen in figure above. Select number 30 as the index number of target network and hit Enter to start the cracking process. A successful crack of a WPA key should look similar to below.

There are additional techniques that can be used to speed up the process of capturing handshakes such as sending de-authentication packets to the clients, which then will have them re-authenticate back to the access point prompting a handshake capture.
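From the defender's side, the de-authentication technique mentioned above is visible on the air as a burst of deauthentication or disassociation management frames. The following is an added example, not part of the original article: it parses raw 802.11 management frames and raises an alert per BSSID when a burst exceeds a threshold. The frames are constructed, the window and threshold are assumed values to tune, and the code assumes any radiotap header has already been stripped from each frame.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = 12, 10, 8     # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for a deauth/disassoc frame, else None.

    Expects the raw 802.11 frame with any radiotap header already removed.
    """
    if len(frame) < 26:                  # 24-byte header + 2-byte reason code
        return None
    version, ftype, subtype = frame[0] & 3, (frame[0] >> 2) & 3, frame[0] >> 4
    if version != 0 or ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_floods(frames, window=1.0, threshold=10):
    """Alert once per BSSID when `threshold` deauth/disassoc frames arrive
    within `window` seconds. Both defaults are assumptions to tune per site."""
    recent = defaultdict(deque)          # bssid -> (timestamp, dst) in window
    alerts = {}
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        dst, _src, bssid, reason = parsed
        seen = recent[bssid]
        seen.append((ts, dst))
        while ts - seen[0][0] > window:  # drop frames older than the window
            seen.popleft()
        if len(seen) >= threshold and bssid not in alerts:
            alerts[bssid] = {
                "bssid": bssid,
                "first_seen": seen[0][0],
                "count": len(seen),
                "broadcast": any(d == BROADCAST for _, d in seen),
                "reason": reason,
            }
    return list(alerts.values())

def build_frame(subtype, dst, src, bssid, body=b""):
    """Build a management frame for the constructed sample below."""
    addr = lambda m: bytes.fromhex(m.replace(":", ""))
    header = bytes([subtype << 4, 0]) + b"\x00\x00"      # frame control, duration
    return header + addr(dst) + addr(src) + addr(bssid) + b"\x00\x00" + body

# Constructed sample traffic; all addresses are made up.
AP_A, AP_B, STA = "02:00:00:aa:00:01", "02:00:00:aa:00:02", "02:00:00:bb:00:01"
SAMPLE = (
    # 40 broadcast deauths in 2 seconds claiming to come from AP_A
    [(10.0 + i * 0.05, build_frame(DEAUTH, BROADCAST, AP_A, AP_A, struct.pack("<H", 7)))
     for i in range(40)]
    # one ordinary deauth from AP_B to a single client
    + [(5.0, build_frame(DEAUTH, STA, AP_B, AP_B, struct.pack("<H", 3)))]
    # beacons, which the detector must ignore
    + [(10.0 + i * 0.1, build_frame(BEACON, BROADCAST, AP_B, AP_B, b"\x00" * 12))
       for i in range(20)]
)

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE):
        print(alert)
```

A single deauthentication frame is normal when a client leaves a network, which is why the detector counts frames per BSSID inside a time window instead of alerting on each one.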

Cracking Handshake with John the Ripper

Another way to crack the captured handshake from a wireless access point is to run it through John the Ripper. To view the captured handshake in the .cap file run the command: #wpapcap2john crackthisap-02.cap

You will receive the below output if there are any handshakes captured within the .cap file.

In order to make this output readable for JtR, we need to convert this .cap file to an ASCII file. First convert the .cap file to a .hccap by running this command:

#aircrack-ng crackthisap-02.cap -J crackthisap-JTR

This will create a file in the directory called crackthisap-JTR.hccap

Select the line number for the target wireless access point and hit Enter to get the output below.

Once the .hccap format file has been created, run the following command: #hccap2john crackthisap-JTR.hccap > JTR-WiFi-hash

Finally, run John against the hash file to crack the key.

#john -w:passwordlist.txt --format=wpapsk JTR-WiFi-hash

Let's look at a few other relevant Wi-Fi tools below.

Kismet

Kismet is one of the traditional tools used in Wi-Fi pen tests and hacking. To run Kismet, connect the USB Wi-Fi adapter to the computer and type #kismet in the terminal. Continue through the prompts to start the Kismet server by pressing Enter on the Start button, hitting Tab and Enter to close console window, and pressing Yes to add sources.

If a source has not been defined Kismet may provide a pop up to do so. Add wlan1 as the source and Tab to enter on Add button to start capturing from wlan1. This will put wlan1 into monitoring mode. If a prompt does not pop up to add a source, simply go to Kismet drop down, and select Add Source.

Once the wlan1 has been added as a source, Kismet will start to capture the wireless access points, and save them into a file. After some time has passed hit CTRL+C to shut down Kismet. The saved files will be in the directory.

After this, the .pcap file can be run through aircrack-ng to look for captured handshakes and attempt to crack them just like it was done for the previous section using aircrack-ng.

Kismet has released a new version that now includes a web user interface. Downloads and more information about the new Kismet release can be found here: https://www.kismetwireless.net

A walk-through on how to start and run the newest version of kismet can be found here: https://www.kismetwireless.net/development/kismet_webui_tour

Wifite

Wifite is another great tool that can be used to quickly review Wi-Fi access points, select and attack them. Wifite has a new version - Wifite2 (optional, but recommended) which can be found here: https://github.com/derv82/wifite2 The GitHub page does a walk-through on how to install it, and configure it to be able to run it from command line or terminal with the same command as Wifite. This is optional and based on preference, however, Wifite2 is faster and has more features.

To run Wifite and Wifite2 (if you have installed it), connect the USB Wi-Fi adapter to the computer and run #wifite in the terminal. Wifite will immediately set wlan1 to monitor mode and start to capture the wireless access points. If faced with any issues, run the #wifite --kill command and re-run #wifite

A list with nearby access points will be populated. After some time has passed and when ready to move to next step hit CTRL+C to stop the capturing process. Select the target access point which is #3 in this case and hit Enter. Wifite will start to run various attacks against the target. In this case Wifite was able to successfully crack the key using a set wordlist from aircrack-ng.

After all the Wi-Fi hacking or pen testing activities have been completed, let’s put wlan1mon back to wlan1 by running the command:

#airmon-ng stop wlan1mon

To restore proper network functionality to the machine run the following command:

#service network-manager start

Happy Hacking and Securing!


© 2020 by Polito, Inc. All rights reserved. Privacy Policy.