Man
Professional
I'll tell you about the Wi-Fi hacking methods that I use myself.
Salute to all, dear friends!
In this article, at your numerous requests, I have collected all the most effective Wi-Fi hacking techniques, which together always bring me results.
This article will be a great cheat sheet for beginners, since most of the methods are quite simple and almost all of them allow you to quickly achieve the desired result.
- Here is an example of collected passwords in one of my previous places of residence (Asian outback with three-story houses):
Lines that start with [+] were obtained using OneShot, lines that start with {"result":true,"data":{ were obtained using 3WiFi, and 3BB-KANCHANANAT was obtained by brute force. Most of the passwords were collected in just 20-30 minutes.
What is needed to hack Wi-Fi
1. You need a sufficient number of wireless networks. If you live on the edge of a village and you have one Wi-Fi network within reach, which is sometimes visible and sometimes not, then your chances are not very high. The more networks in the area, the better.
2. There are no special hardware requirements, and for some attacks even Wi-Fi adapters that do not support monitor mode are suitable. However, I highly recommend adapters with an external antenna, and if the antenna is removable, it is better to buy another larger one.
IMHO, half of the "skills" of a Wi-Fi hacker are in a large antenna...
Necessary commands
From now on I will only say "adapter in monitor mode" or "adapter in managed mode"; I will not duplicate these commands.
- To view the names of wireless interfaces and their current mode:
Code:
iw dev
- To switch the Wi-Fi card to monitor mode:
Code:
sudo ip link set <INTERFACE> down
sudo iw <INTERFACE> set monitor control
sudo ip link set <INTERFACE> up
- If the attack does not require an Internet connection (and for some it does), then it is better to stop the processes that may interfere (when executing the first command, the Internet connection will be lost):
Code:
sudo systemctl stop NetworkManager
sudo airmon-ng check kill
- Return to managed mode:
Code:
sudo ip link set <INTERFACE> down
sudo iw <INTERFACE> set type managed
sudo ip link set <INTERFACE> up
Or simply unplug and reconnect the Wi-Fi adapter: by default it always comes up in managed mode.
- If you have stopped NetworkManager, to start it, run:
Code:
sudo systemctl start NetworkManager
Search for already hacked wireless Access Points
This is the simplest method: it does not require monitor mode, but it requires an Internet connection. After the scan is complete, when the seen APs are checked against the database, the Wi-Fi adapter (which performed the scan) is no longer used. That is, while the check is in progress, you can move on to the next attack.
- If you have another, non-guest 3WiFi account, then in the script itself replace the API key and remove the line:
Code:
sleep 15;
In this case, the script will not pause between checks.
In Windows, you can use the Router Scan by Stas'M program to view the BSSID, and then search for it using 3WiFi. Router Scan can automatically check the Access Points it sees against the 3WiFi database.
Pixie Dust without monitor mode
The author of the current mod wrote to me about the OneShot program; since then it has been my favorite program. This program can only get passwords from APs with WPS enabled, but it doesn't need monitor mode. When attacked by Pixie Dust, the password can be obtained in a matter of seconds.
For Windows, the equivalent is Router Scan by Stas'M.
Quick password brute force
Unfortunately, there are not many access points with WPS enabled. However, we will return to them later. Now we will consider the classic option of capturing a handshake and cracking a password. Its essence is as follows:
- automatic handshake capture is performed for all Access Points within range;
- two types of brute force are launched with Hashcat: by dictionary and by a mask of eight digits. Experience shows that quite a lot of APs are susceptible. This method also has a good ratio of time spent to the result obtained.
- So, we switch the wireless interface to monitor mode.
- We run the command to collect handshakes:
Code:
sudo besside-ng -W <INTERFACE>
- All handshakes will be saved to the wpa.cap file.
- If you are going to crack them all, you can convert them all at once to hashcat format using cap2hccapx:
Code:
cap2hccapx wpa.cap output.hccapx
If you only need the hash of a specific Access Point, use the network name (ESSID) as a filter.
- For example, I'm only interested in the handshake of the Wi-Fi network netis56 and I want to save it to the file netis56.hccapx:
Code:
cap2hccapx wpa.cap netis56.hccapx netis56
For dictionary attacks I use the rockyou dictionary; a cleaned version can be downloaded from this link.
- Example of a successful hack using a dictionary (hack time 9 seconds):

- Another example of a successful dictionary hack (hack time 13 seconds):

- My command to run looks like this:
Code:
hashcat --force --hwmon-temp-abort=100 -m 2500 -D 1,2 -a 0 'HASH.hccapx' /PATH/TO/rockyou_cleaned.txt
The mandatory options in this command are:
- 'HASH.hccapx' - your hccapx file with one or more hashes
- /PATH/TO/rockyou_cleaned.txt — path to dictionary
- -m 2500 — the type of hash to be cracked is specified
Optional options:
- -a 0 — attack type: dictionary attack. Can be omitted, as it is assumed by default
- -D 1,2 — means to use both CPU and GPU to crack the password. If not specified, only GPU will most likely be selected
- --force — means ignore warnings. Without this option the CPU is not used for cracking on my system. Be careful with this option.
- --hwmon-temp-abort=100 — this is the maximum temperature at which brute force will be forcibly interrupted. My climate is such that during the day the room is always above +30℃, besides, I run brute force on a laptop (I do not recommend doing this on a laptop), so in my conditions the default barrier of +90℃ is reached very quickly and the brute force stops. With this option set to a temperature above the default 90, you can really burn out your computer/video card/laptop. Use it at your own risk — I HAVE WARNED YOU!!!
To launch a mask attack:
Code:
hashcat --force --hwmon-temp-abort=100 -m 2500 -D 1,2 -a 3 'HASH.hccapx' ?d?d?d?d?d?d?d?d
What's new in this command:
- ?d?d?d?d?d?d?d?d — the mask; it means eight digits, and on my hardware it goes through in about 20 minutes. To create a mask with a larger number of digits, add ?d.
- -a 3 — means mask attack.
In addition to 8-digit passwords, 9-11-digit passwords are also common (the latter are most often phone numbers, so you can specify a mask like 89?d?d?d?d?d?d?d?d?d), but each additional digit multiplies the search time by 10.
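To make the "each digit multiplies the time by 10" rule concrete from the defender's side, here is an added example (not part of the original post, not a hashcat component) that computes the keyspace of a hashcat mask and the worst-case time to exhaust it. The hash rate is calibrated from the post's own figure of roughly 20 minutes for the 8-digit mask; that calibration, the constructed mask list and all function names are assumptions of this example. It goes beyond the post's digit-only masks by handling every built-in hashcat charset, so the same function can be used to review a PSK policy (digits vs. lowercase vs. full printable ASCII).

```python
# Sizes of hashcat's built-in mask charsets (?l lowercase, ?u uppercase, ?d digits,
# ?s specials, ?h/?H hex, ?a all printable ASCII, ?b raw bytes).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "h": 16, "H": 16, "a": 95, "b": 256}


def mask_keyspace(mask: str) -> int:
    """Return how many candidates a hashcat mask expands to.

    Literal characters (such as the fixed '89' prefix of a phone-number mask)
    contribute a factor of 1; '??' is an escaped literal question mark.
    """
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1          # literal character, keyspace unchanged
            continue
        if i + 1 >= len(mask):
            raise ValueError("mask ends with a dangling '?'")
        token = mask[i + 1]
        if token == "?":
            pass            # escaped literal '?'
        elif token in CHARSET_SIZES:
            total *= CHARSET_SIZES[token]
        else:
            raise ValueError(f"unknown charset ?{token}")
        i += 2
    return total


def rate_from_benchmark(mask: str, seconds: float) -> float:
    """Hash rate (candidates/s) implied by exhausting `mask` in `seconds`."""
    return mask_keyspace(mask) / seconds


def seconds_to_exhaust(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate of `mask` at the given rate."""
    return mask_keyspace(mask) / hashes_per_second


def human_duration(seconds: float) -> str:
    """Format seconds using the largest convenient unit (for reports)."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def policy_report(masks, hashes_per_second: float) -> dict:
    """Map each mask to (keyspace, worst-case seconds) for a passphrase-policy review."""
    return {m: (mask_keyspace(m), seconds_to_exhaust(m, hashes_per_second)) for m in masks}


if __name__ == "__main__":
    # Assumption: calibrate the rate from the post's own figure, 8 digits in about 20 minutes.
    rate = rate_from_benchmark("?d?d?d?d?d?d?d?d", 20 * 60)
    print(f"implied rate: {rate:,.0f} WPA candidates/s")
    candidates = [                   # constructed list for the comparison
        "?d?d?d?d?d?d?d?d",          # 8 digits (the post's mask)
        "?d?d?d?d?d?d?d?d?d",        # 9 digits: 10x longer
        "89?d?d?d?d?d?d?d?d?d",      # 11-digit phone number with fixed prefix: same keyspace as 9 digits
        "?l?l?l?l?l?l?l?l",          # 8 lowercase letters
        "?a?a?a?a?a?a?a?a",          # 8 random printable ASCII characters
        "?a?a?a?a?a?a?a?a?a?a?a?a",  # 12 random printable ASCII characters
    ]
    for mask, (space, secs) in policy_report(candidates, rate).items():
        print(f"{mask:28} {space:>24,}  {human_duration(secs)}")
```

The fixed-prefix phone mask has exactly the keyspace of nine free digits, which is why a "long" numeric passphrase buys little: the literal prefix costs the attacker nothing. Eight random printable characters at the same rate already take on the order of thousands of years, which is the comparison a PSK policy should be judged against.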
WPS hacking using the most probable PINs
In addition to the already discussed Pixie Dust attack, there is another very interesting attack on Access Points with WPS enabled. The fact is that for some router models, PINs are generated according to certain algorithms, for example, based on the MAC address of the router or its serial number. Knowing this data, you can generate one or more PINs that are highly likely to fit a wireless Access Point. This attack is implemented in WiFi-autopwner; this script requires an Internet connection to request PINs online, but it implements a fix for adapters on the Ralink chipset (most of them).
- Example of very quickly hacked Wi-Fi networks using this method:

Another similar attack is implemented in airgeddon. But in this program, WPS attacks do not work with adapters on Ralink chipsets. In this program, you need to use, for example, Alfa AWUS036NHA (Atheros chipset). Best with an Alfa ARS-N19 antenna. This is exactly the combination I use. In general, this is a very good Wi-Fi adapter for hacking wireless networks, including for attacking WPS. The downside of this card is that it is quite old and does not support modern protocols.
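Everything in the Pixie Dust and predictable-PIN sections hinges on the Access Point advertising WPS, and the handshake section on it using a pre-shared key. A defender auditing their own router wants a quick way to see exactly what it announces. The following is an added example, not from the original post or any tool it names: it parses the text produced by `iw dev <iface> scan` (a normal managed-mode scan, no monitor mode) and flags each BSS for WPS configured, PSK authentication, missing management-frame protection, or no RSN at all. The sample scan text is constructed to resemble `iw` output and is not real captured data; the BSSIDs, SSIDs and finding names are assumptions of this example.

```python
import re

# Constructed sample in the shape of `iw dev <iface> scan` output (not real captured data):
# a WPA2-PSK router with WPS configured, a WPA3 router without WPS, and an open network.
SAMPLE_SCAN = """BSS 02:00:00:00:01:00(on wlan0)
\tfreq: 2437
\tsignal: -48.00 dBm
\tSSID: example-router
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
\t\t * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * Response Type: 3 (AP)
\t\t * Config methods: Label, Display, PBC
BSS 02:00:00:00:02:00(on wlan0)
\tfreq: 5180
\tsignal: -61.00 dBm
\tSSID: example-wpa3
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: SAE
\t\t * Capabilities: 1-PTKSA-RC 1-GTKSA-RC MFP-required MFP-capable (0x00cc)
BSS 02:00:00:00:03:00(on wlan0)
\tfreq: 2412
\tsignal: -70.00 dBm
\tSSID: cafe-open
"""

BSS_RE = re.compile(r"^BSS ([0-9a-fA-F:]{17})", re.MULTILINE)

# Finding codes (names chosen for this example) and what they mean for the AP owner.
FINDING_TEXT = {
    "no_rsn": "no RSN element: open (or WEP) network, traffic is not protected",
    "wpa1": "legacy WPA (TKIP) element present: deprecated, disable WPA1",
    "psk_handshake": "WPA/WPA2-PSK: the 4-way handshake can be captured and cracked offline; "
                     "security rests on passphrase strength (prefer WPA3-SAE)",
    "wps_enabled": "WPS configured: PIN-based attacks such as Pixie Dust apply; disable WPS",
    "no_pmf": "management frames unprotected: clients can be deauthenticated to force a handshake",
}


def _grab(pattern, block, default=None):
    """Return group 1 of the first match of `pattern` in `block`, else `default`."""
    m = re.search(pattern, block, re.MULTILINE)
    return m.group(1).strip() if m else default


def parse_scan(text):
    """Split iw scan output into one dict per BSS with the security-relevant fields."""
    networks = []
    starts = list(BSS_RE.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        block = text[m.start():end]
        caps = _grab(r"^\s*\* Capabilities: (.*)$", block, "")   # RSN capabilities line
        networks.append({
            "bssid": m.group(1).lower(),
            "ssid": _grab(r"^\s*SSID: (.*)$", block, ""),
            "freq_mhz": int(_grab(r"^\s*freq: (\d+)", block, "0")),
            "signal_dbm": float(_grab(r"^\s*signal: (-?[\d.]+) dBm", block, "nan")),
            "rsn": re.search(r"^\s*RSN:", block, re.MULTILINE) is not None,
            "wpa1": re.search(r"^\s*WPA:", block, re.MULTILINE) is not None,
            "auth_suites": _grab(r"Authentication suites: (.*)$", block, "").split(),
            "pmf_required": "MFP-required" in caps,
            "wps": re.search(r"^\s*WPS:", block, re.MULTILINE) is not None,
            "wps_state": _grab(r"Wi-Fi Protected Setup State: (.*)$", block, ""),
            "wps_locked": "AP setup locked" in block,
        })
    return networks


def audit(text):
    """Parse the scan and attach a list of finding codes to every BSS."""
    nets = parse_scan(text)
    for n in nets:
        findings = []
        if not n["rsn"] and not n["wpa1"]:
            findings.append("no_rsn")
        if n["wpa1"]:
            findings.append("wpa1")
        if "PSK" in n["auth_suites"]:
            findings.append("psk_handshake")
        if n["wps"] and n["wps_state"].startswith("2"):   # state 2 = Configured
            findings.append("wps_enabled")
        if (n["rsn"] or n["wpa1"]) and not n["pmf_required"]:
            findings.append("no_pmf")
        n["findings"] = findings
    return nets


if __name__ == "__main__":
    for n in audit(SAMPLE_SCAN):
        print(f"{n['bssid']}  {n['ssid'] or '<hidden>':16} {n['signal_dbm']:.0f} dBm  "
              f"{' '.join(n['auth_suites']) or 'none'}")
        for code in n["findings"]:
            print(f"    [{code}] {FINDING_TEXT[code]}")
```

Run it against real output with `sudo iw dev wlan0 scan > scan.txt` and pass the file contents to `audit()`. A router that still shows `wps_enabled` after WPS was switched off in its web interface is a common finding: some firmware keeps advertising the WPS element, which is exactly the condition the tools in this post key on.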
That's all for today! Have a good hunt!
