Cracking WiFi Networks

Today we are going to look at gaining access to WiFi networks without the password. We’ll be using the tools on Kali Linux, so if you don’t have that already, you can download it here. But if you don’t want to download a complete OS for this one purpose, the aircrack-ng suite is all that is required.

How it works

The idea behind this attack is to do a simple man in the middle. We will kick someone (or everyone) off the network, and as soon as they rejoin, we will capture the handshake between the router and the user and crack the hashed password. This may seem complicated, but sadly, it’s a lot easier than it sounds.

Let’s get started!

First off, we need to put our wireless adapter into monitor mode so we can capture packets. This is going to change the name of your network interface from wlan0 to wlan0mon.

airmon-ng start wlan0

Note: There may be some interfering processes listed. You can kill these with kill <process #>

Next, we are going to get some information associated with the network. The two things we will need are the MAC address (BSSID) and the channel number. Run this command and write down the information for your network.

airodump-ng wlan0mon

Now we will start capturing packets on the network, looking for a handshake. Use the information you gathered earlier to fill in the placeholders in the command.

airodump-ng -c <channel> -w <name> --bssid <bssid> wlan0mon

-c -> Channel number
-w -> Output file prefix (the <name> you choose; the capture is written to <name>-01.cap)
--bssid -> MAC address of the access point

Since we are impatient and don’t want to have to wait for someone to join the network, we can speed up the process by kicking someone off. Open up a new terminal with the previous process still running, and type the following:

aireplay-ng -0 5 -a <bssid> wlan0mon

Make sure to fill in the BSSID with one listed in the other terminal window. You can close this terminal window when it has finished.

There should now be a WPA handshake shown in the top right. Press ctrl+c to stop the command. Now all we need to do is crack that handshake. We can do so by typing:

aircrack-ng -w /usr/share/wordlists/rockyou.txt <network name>-01.cap

This command might take a while. In the meantime, let’s talk about the potential of this. A hacker could easily create a script to automate this entire process. Combine that with a Raspberry Pi to create a mobile hacking machine. With a large enough wordlist, any network is vulnerable to this kind of attack. In fact, I’ve created a script to test this with. You can see it in action below, or you can download it and try it yourself.
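From the defender’s side, the noisiest part of this procedure is the deauthentication burst: a monitor-mode sensor sees dozens of deauth frames in a fraction of a second, usually spoofed from the AP’s own BSSID to the broadcast address, followed by clients re-authenticating (the handshake the attacker is waiting for). The script below is an added example, not part of the original post or the author’s script; the MAC addresses and the frame log it runs on are constructed, and the rate threshold is an assumption you would tune for your own environment.

```python
from collections import defaultdict, deque

BCAST = "ff:ff:ff:ff:ff:ff"
AP = "aa:bb:cc:dd:ee:01"        # constructed BSSID for the sample
STA = "11:22:33:44:55:66"       # constructed client MAC for the sample

# Constructed sample of 802.11 management frames as a monitor-mode capture
# would list them: (timestamp in seconds, subtype, source MAC, destination MAC).
# The 64 frames at 10.0s mimic one spoofed deauth burst from the AP's address;
# the single deauth at 300.0s mimics a legitimate disconnect.
FRAMES = (
    [(0.0, "beacon", AP, BCAST), (0.5, "probe_resp", AP, STA)]
    + [(10.0 + i * 0.002, "deauth", AP, BCAST) for i in range(64)]
    + [(11.0, "auth", STA, AP), (11.1, "assoc_req", STA, AP)]
    + [(300.0, "deauth", AP, STA)]
)


def detect_deauth_floods(frames, window_s=2.0, threshold=10, rejoin_s=30.0):
    """Flag each source that sends more than `threshold` deauth/disassoc frames
    inside any sliding window of `window_s` seconds, and record which stations
    (re)authenticated within `rejoin_s` seconds after the flood started."""
    recent = defaultdict(deque)          # src -> deque of (ts, dst) deauths
    alerts = {}                          # src -> alert dict, one per source
    for ts, subtype, src, dst in sorted(frames, key=lambda f: f[0]):
        if subtype in ("auth", "assoc_req", "reassoc_req"):
            # A client rejoining shortly after a flood means a fresh 4-way
            # handshake went over the air; attach it to the matching alert.
            for alert in alerts.values():
                if 0 <= ts - alert["first_seen"] <= rejoin_s:
                    alert["rejoined"].add(src)
            continue
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:      # drop frames outside window
            q.popleft()
        if len(q) > threshold:
            alert = alerts.setdefault(src, {"first_seen": q[0][0], "count": 0,
                                            "broadcast": 0, "rejoined": set()})
            if len(q) > alert["count"]:           # keep the peak of the burst
                alert["count"] = len(q)
                alert["broadcast"] = sum(1 for _, d in q if d == BCAST)
    return alerts


if __name__ == "__main__":
    for src, a in detect_deauth_floods(FRAMES).items():
        print(f"deauth flood from {src}: {a['count']} frames in {2.0}s "
              f"({a['broadcast']} broadcast), rejoined: {sorted(a['rejoined'])}")
```

Networks that enforce 802.11w (Protected Management Frames) discard unauthenticated deauth frames, which blunts the step this detector watches for.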