Image Credit: Sebastiaan Stam
DISCLAIMER: Ensure you have permission from the Wi-Fi network owner/operator and are fully authorized before attempting to conduct any Wi-Fi penetration testing and/or hacking activities. Use these tools and techniques at your own risk.
What is Wi-Fi
Wi-Fi is a wireless networking technology that allows devices such as computers, mobile devices, Internet of Things devices, and other equipment like printers and video cameras to be connected to networks to communicate to other devices and the Internet. Wi-Fi allows these devices--and many more--to exchange information with one another requesting and providing information, and providing a gateway to the World Wide Web without wires.
Wi-Fi is everywhere: in coffee shops, at home, at work, at small and large organizations, hotels, airports, and more. And even if there is no Wi-Fi, we look around to check to see if there is so we can connect to it.
What Does This Mean
The fact that Wi-Fi access points are additional gateways into networks increases attack surface. In many cases Wi-Fi access points (or routers) are connected directly to the organization's networks with other devices that may contain sensitive information or may be valuable to attackers. An attacker would be able to crack a weak password for a Wi-Fi access point, and gain a foothold into the organization from a parking lot or a coffee shop across the street.
The following are a few examples of what may lead to a weak Wi-Fi access point that can be hacked:
Wi-Fi APs without passwords or keys (open Wi-Fi) usually at public places
Wi-Fi APs with weak passwords, usually guessable
Wi-Fi APs with moderate strength passwords, usually crackable
Wi-Fi APs without guest WiFi enabled, in large organizations
Wi-Fi APs using weak encryption algorithms that can be cracked like WEP
Any one of the above can provide an attacker with an attack vector, that if successfully exploited will provide them access to the network, and any other device connected to that same network. Attackers in many cases can then capture traffic on the network, steal passwords, exfiltrate credit card information, and more.
Why Hack the Wi-Fi
Penetration testing Wi-Fi networks is extremely important to learn about the weaknesses and determine if the current configuration and security of the wireless access points pose a high risk to the network, and to test if an attacker would be able to gain access to the network by cracking the Wi-Fi password or key. By understanding the deficiencies and weaknesses that affect access points, it is possible to take steps to remediate them, improve the configurations, and harden the Wi-Fi access points for better overall security.
Hacking Wi-Fi Passkeys
To sniff Wi-Fi, we use an Alfa AWUS036NH USB Wi-Fi adapter which connects to our Kali laptop via USB. For longer range sniffing, the 16 dBi Yagi antenna can be connected to the Wi-Fi adapter, and then to the laptop, as seen in pictures below.
It is important to make sure to have the right Wi-Fi adapter, due to compatability issues with Linux operating systems. In this case we use Kali Linux, and it can be particular about wireless chipset support and not every chipset may support monitor mode (which is needed to captiure wireless packets).
After the Wi-Fi adapter has been connected to the computer check Wi-Fi interfaces by running the command #airmon-ng or #iwconfig to confirm the connection. wlan0 shows the native laptop wireless adapter on the machine, and wlan1 is the adapter that was connected via USB.
After confirming that the computer has recognized the connected adapter, start the wlan1 interface monitoring by running command #airmon-ng start wlan1 as seen in figure below.
If greeted with the output above, run the command #airmon-ng check kill to kill the processes that may interfere with Wi-Fi monitoring and packet capture. Run #airmon-ng start wlan1 again to successfully put wlan1 into monitor mode and get the following output.
Now phy2 shows wlan1mon which means wlan1 is now in monitor mode and the USB connected Wi-Fi adapter now can capture packets. For the purposes of this hacking demonstration, a special AP was created called Crack this AP. Our targeting will focus on this Wi-Fi access point. To start capturing packets we need to make an output file with a .pcap or .cap extension and dump the captured packets to be saved in this file; we do this by running the following command:
#airodump-ng –w crackthisap --output-format pcap wlan1mon
Once satisfied with the sniffed wireless access points, when done with capturing hit CTRL+C to exit out of the active capture. A file will be saved from the previous command called crackthisap.pcap (or .cap) in the current directory.
A successful capture of a four-way handshake (for WPA) will occur when a client authenticates to the target access point. This can be confirmed by indication of WPA handshake: D4:38:9C:B2:70:72 showing at the top of the terminal once it has been successfully captured in the figure above.
The next step is to crack the Wi-Fi passkey. To do so run the following command:
#aircrack-ng -w passwordlist.txt crackthisap.cap
aircrack-ng reads the .cap file and confirms that a WPA handshake has been captured as seen in figure above. Select number 30 as the index number of target network and hit Enter to start the cracking process. A successful crack of a WPA key should look similar to below.
There are additional techniques that can be used to speed up the process of capturing handshakes such as sending de-authentication packets to the clients, which then will have them re-authenticate back to the access point prompting a handshake capture.
Cracking Handshake with John the Ripper
Another way to crack the captured handshake from a wireless access point is to run it through John the Ripper. To view the captured handshake in the .cap file run the command: #wpapcap2john crackthisap-02.cap
You will receive the below output if there are any handshakes captured within the .cap file.
In order to make this output readable for JtR, we need to convert this .cap file to an ASCII file. First convert the .cap file to a .hccap by running this command:
#aircrack-ng crackthisap-02.cap -J crackthisap-JTR
This will create a file in the directory called crackthisap-JTR.hccap
Select the line number for the target wireless access point and hit Enter to get the output below.
Once the .hccap format file has been created, run the following command:
#hccap2john crackthisap-JTR.hccap > JTR-WiFi-hash
Finally, run John against the hash file to crack the key.
#john -w:passwordlist.txt --format=wpapsk JTR-WiFi-hash
Let's look at a few other relevant Wi-Fi tools below.
Kismet is one of the traditional tools used in Wi-Fi pen tests and hacking. To run Kismet, connect the USB Wi-Fi adapter to the computer and type #kismet in the terminal. Continue through the prompts to start the Kismet server by pressing Enter on the Start button, hitting Tab and Enter to close console window, and pressing Yes to add sources.
If a source has not been defined Kismet may provide a pop up to do so. Add wlan1 as the source and Tab to enter on Add button to start capturing from wlan1. This will put wlan1 into monitoring mode. If a prompt does not pop up to add a source, simply go to Kismet drop down, and select Add Source.
Once the wlan1 has been added as a source, Kismet will start to capture the wireless access points, and save them into a file. After some time has passed hit CTRL+C to shut down Kismet. The saved files will be in the directory.
After this, the .pcap file can be run through aircrack-ng to look for captured handshakes and attempt to crack them just like it was done for the previous section using aircrack-ng.
Kismet has released a new version that now includes a web user interface. Downloads and more information about the new Kismet release can be found here: https://www.kismetwireless.net
A walk-through on how to start and run the newest version of kismet can be found here: https://www.kismetwireless.net/development/kismet_webui_tour
Wifite is another great tool that can be used to quickly review Wi-Fi access points, select and attack them. Wifite has a new version - Wifite2 (optional, but recommended) which can be found here: https://github.com/derv82/wifite2 The GitHub page does a walk-through on how to install it, and configure it to be able to run it from command line or terminal with the same command as Wifite. This is optional and based on preference, however, Wifite2 is faster and has more features.
To run Wifite and Wifite2 (if you have installed it), connect the USB Wi-Fi adapter to the computer and run #wifite in the terminal. Wifite will immediately set wlan1 to monitor mode and start to capture the wireless access points. If faced with any issues run # wifite –kill command, and re-run #wifite
A list with nearby access points will be populated. After some time has passed and when ready to move to next step hit CTRL+C to stop the capturing process. Select the target access point which is #3 in this case and hit Enter. Wifite will start to run various attacks against the target. In this case Wifite was able to successfully crack the key using a set wordlist from aircrack-ng.
After all the Wi-Fi hacking or pen testing activities have been completed, let’s put wlan1mon back to wlan1 by running the command:
#airmon-ng stop wlan1mon
To restore proper network functionality to the machine run the following command:
#service network-manager start
Happy Hacking and Securing!
Polito, Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.