How to hack wifi passwords - easy methods

How to hack the WiFi Passwords

11 Shares
11
0
0

The best way to test the security of a WiFi network is to try hacking. We have written about WiFi hacking many times before, but such instructions get out of date very quickly. The only way to update them is to go all the way through them yourself again and share fresh experiences. That is exactly what I tried to do in this article.

What does it take to hack WiFi?

Universal gentleman’s kit: laptop with “Linux” and WiFi-adapter with USB interface (they are also called dongles). You can also use a smartphone, but for some attacks banal need a second USB-port. Even a laptop with no OS installed and no drive at all will do.

All information is provided for educational purposes only and is intended for pentesters (white hackers). Neither brain-upd.com nor the author is responsible for any damage caused by the material in this article.

Which OS should I choose for WiFi passwd hacking?

“Linux” allows fine control of devices (dongles in particular) via opsonsor drivers. Almost any distribution is suitable, but it is more convenient to use an off-the-shelf build. For example, BlackArch, BackBox, Parrot Security, Kali Linux.

The most promoted builds of Kali Linux, which are already integrated not only sets of hacker utilities, but also drivers most potentially suitable for warcracking chips plus initially made small tweaks.

In the latest Kali releases a lot of things have been rethought. It can now mimic the look of the Windows (so the pentester doesn’t get burned by seeing weird stuff on the monitor), root is disabled by default (either enable or write sudo before commands that require superuser privileges). Most importantly, Kali now immediately supports the new 802.11ac dongles and makes it extremely easy to increase the power of your Wi-Fi adapter.

How can I use Linux on my laptop without uninstalling Windows?

The developers do not recommend installing Kali to the hard disk, although technically the multiboot option is quite feasible through the same GRUB. It is just that the boundaries of the legal actions during the audit are very blurred, and for your own safety it is better to use the Live Persistence mode. Working there will be almost no difference from the work in the installed operating system. All updates, configs, new scripts and your personal files will be caught on the next reboot in Persistence mode. It can also be encrypted for more privacy.

In my opinion, a memory card is more convenient than a flash drive because it doesn’t take up a USB port and doesn’t stick out. Ports (especially split-powered ones) are always in short supply on laptops. Choose a card marked at least Class 10 (10 Mbytes/sec. line write speed), or better – UHS-I V30 and faster (if the built-in card reader supports it).

How do I make a bootable flash drive with Kali and a Persistence partition?

To do this, you need to create two partitions on a USB Flash or SD card. One will be FAT32 for starting the OS – the kali.org image will be unpacked onto it. The second partition is ext3, for saving your settings, your own files and session changes.

Partitioning scheme with Persistence section
Partitioning scheme with Persistence section

Windows cannot handle flash drives with more than one partition and does not support ext3. However, it is easily partitioned with the free utility Rufus. The main thing is to run the regular version (not portable).

How to hack the WiFi Passwords
Creating a flash drive for WiFi hacking

What WiFi-adapter is suitable for wargaming?

In general, capable of switching to monitoring mode (mandatory) and injecting network packets (desirable). Whether it can do this or not depends on the chip on which the adapter is built and its driver. 

An up-to-date list of suitable WiFi adapters for hacking can be found at kernel.org.

This site has a table of WiFi drivers for Linux. We are not interested in all of them, but only those with yes in the monitor column, with N or AC in the next column (PHY modes) (the guarantee that relatively new standards are used), and USB in the Bus column.

You can get more information about the drivers from the two tables in the English-language Wiki. The principle is the same – look for a combination of parameters: 802.11n(ac) + monitor mode + USB.

At the time this article was written (March 2020), the following drivers were dry: ath9k_htc, carl9170, mt76, mt7601u, p54, rt2800usb, rt2x00, rtl8187, rtl8192cu, zd1211, zd1211rw.

Click on the link to the description of each suitable driver and see the list of supported chipsets and then devices. For example, here is a page about the ath9k_htc driver. It contains a list of chipsets (with USB only AR9271) and devices based on it. His study shows that TL-WN722N will suit us, because it has a removable external antenna.

By analogy, look at other drivers/chips/devices and make a list of models. Then choose the latest one and buy one (to start with) or more dongles. Here you need to be careful with the version of the device. Often models with the same number but different revision are just two different devices in the same case.

Driver lists are updated by volunteers, that is, with unpredictable delays. In reality, the list of suitable chips is longer. Earlier it was reduced mainly to models from Ralink and Atheros, but now it is suddenly extended with Realtek RTL8812AU and RTL8814AU. The latter works with 802.11ac and, in addition to the monitoring mode, supports packet injection. However, it needs USB 3.0 (900 mA and 5 Gbit/s instead of 500 mA and 0.48 Gbit/s for USB 2.0).

Why buy multiple WiFi adapters?

To perform advanced attacks (such as “evil clone”) and increase the probability of success of any other attacks. Simply because there is no universal adapter. Each one has its own peculiarities. For example, the AR9271-based dongles mentioned above are better at handling WPS attacks. Devices with RT3572, RT5572, and RTL881xAU chips can attack targets in the 5 GHz band, while the old guys with the RTL8187L chip can see a target hundreds of meters away because they support 802.11g. Of course, the standard is obsolete, but it is often enabled in compatibility mode even on newer routers with 802.11ac/ax support.

Why do they recommend Alfa Networks dongles for WiFi hacking?

This Taiwanese manufacturer specializes in wireless equipment, and makes it slightly better (and much more expensive) than others. For example, many of its adapters are shielded (increases the sensitivity of the receiver) or have a built-in amplifier (increases the peak power of the transmitter). Almost all models are equipped with removable antennas (you can screw your own, more appropriate). For easy choice there is even a special section Kali WiFi USB, which lists adapters are guaranteed to work in Kali Linux in monitoring mode. If you have the money, but no time – take “Alpha”, you can not go wrong. It’s like Cisco for admins.

What settings should I make before hacking WiFi?

Running Kali in default configs and plugging in a freshly unpacked WiFi adapter, you can only hack your router, no pentest is out of the question. To find out the possibility of remote attack from the street (or at least from the neighboring room), you need to do the following:

  • disable power saving for the WiFi adapter;
  • increase the power of the dongle;
  • prepare dictionaries for password search;
  • update all integrated software and install additional software;
  • check and save the changes.

How do I disable power saving for the WiFi adapter in Kali?

In the terminal we write:

iw dev # Display a list of Wi-Fi adapters and find the external dongle by its MAC-address
iw dev wlan1 set power_save off # Here the external dongle is named wlan1

If you disable power saving and increase the power of the adapter, don’t forget to arrange for cooling. It is also better to use USB 3.0 or powered USB 2.0 ports. These are usually highlighted in color.

How do I increase the power of my Wi-Fi adapter?

There are two methods to get them up and running. The first is through the global settings in Kali. It is suitable for those adapters that read the region code from the OS.

Method 1

First we look at the current parameters:

  • iw dev shows a list of wireless adapters and their maximum power allowed by the settings. Usually we see txpower 20.00 dBm (+20 decibels to milliwatt), which in theory means 100 mW transmitter power, but in practice means that your “whistle” is unlikely to be heard by attacked routers.
  • iw reg get displays the global settings for WiFi restrictions. In particular, the ISO 3166-1 country code, available frequency bands, and channel widths. If country 00 is specified, no country is set and severe restrictions apply

The most liberal regulations for WiFi are in Guyana (GY) and Belize (BZ), where ten times the power of WiFi adapters is allowed. The corresponding entry in the database is as follows: country BZ: DFS-JP. (2402 — 2482 @ 40), (30). (5735 — 5835 @ 80), (30). DFS stands for Dynamic Frequency Selection after the country code. It can be American (FCC), European (ETSI), or Japanese (JP). It does not need to be changed.

Next you specify the frequency window in the 2.4 and 5 GHz bands and the channel width in megahertz. These parameters determine how many channels you will see.

To change the region, simply write in the terminal:

iw reg set BZ # We are transported to Belize with the laptop
ip link set wlan1 down # Disable the external dongle designated as wlan1
iw dev wlan1 set txpower fixed 23 mBm # Double the transmit power

The scale here is logarithmic, so doubling the power (to 200 mW) corresponds to a gain of 3 dBm (to 23 dBm). Simply put, TxPower(dBm) = 10 * LOG(P/1), where P is power in milliwatts.

Changing the region and getting 1,000 mW
Changing the region and getting 1,000 mW

Don’t be in a hurry to turn the dongle to full power. There is a reasonable limit for each device, which is chosen experimentally. One of my adapters is more stable at 27dBm (500mW) than at 30dBm (1000mW), and it’s useless to drive it higher than 23dBm.

If you are lucky enough to buy a good quality dongle with a large power reserve (e.g., an outdoor version), try to specify the PA region. It is Panama, where transmitters up to 4 watts (36 dBm) are allowed. True, you won’t get that much from a USB 2.0 port – you need USB 3.0 or additional power.

Method 2

Used for those WiFi-adapters, in which the regional code is flashed in its own memory. For example, these are all the adapters I met Alfa Networks. They ignore the global settings (including iw reg set BZ), so you have to change the restrictions themselves for the country, which is already written in the memory dongle.

iw reg get # Find out what country the adapter was released for
git clone https://kernel.googlesource.com/pub/scm/linux/kernel/git/sforshee/wireless-regdb # Clone our WiFi regional restrictions database
cd wireless-regdb/ # Go to this directory
gedit db.txt # Correct the base source
Changing the power limit of WiFi transmitters in the regional settings
Changing the power limit of WiFi transmitters in the regional settings

Find the desired country by code and instead of 20 (dBm) in brackets everywhere write 30 (or even 33, that is 2000 mW). Make the same changes for country 00 (or even for all countries) and save db.txt.

Previously, to compile the database from a text file and sign it, you had to install the Python shell for the OpenSSL library, but the new version of Kali already has it (python3-m2crypto). So we just write the make command and get a new regulatory.bin where all the restrictions are removed (or rather, set to a deliberately large one).

Creating your own base with access rights for more powerful WiFi
Creating your own base with permissions for more powerful WiFi

Next, delete the old (original) base, copy ours (modified) instead, copy our public key (since the base has a digital signature) and restart.

rm /lib/crda/regulatory.bin
cp regulatory.bin /lib/crda/regulatory.bin
cp $USER.key.pub.pem /lib/crda/pubkeys/
reboot
Changing the power limit in the regional settings
Changing the power limit in the regional settings

That’s it! Now, after rebooting in Live USB Persistence, set the adapters to a higher power in the standard way.

ip link set wlan1 down # Turn off the dongle
iw dev wlan1 set txpower fixed 23 mBm # We have doubled the power
ip link set wlan1 up # enabled dongle

We check the result:

iw reg get

It should be something like this (here the power increase is 10 dBm).

Strengthening the wifi antenna reception signal
Ten times the power of the WiFi adapter

What antenna should I use to hack WiFi?

Depends on the specific application. Some provide wide coverage, while others allow you to reach a distant access point by focusing the EMI with a narrow beam.

It is more convenient to perform on-air reconnaissance with dipole antennas, which have a wide angle of radiation but low gain (CG). These values are always interrelated, because the antenna does not add power, but simply focuses electromagnetic waves. Therefore, with a vertical orientation in the horizontal direction, communication is improved, while in the other direction (towards the upper and lower floors), it is degraded.

Tiny antennas with up to 5 dBi have the widest beam patterns. Here, for the sake of marketing effect, the decibel is not used in relation to a milliwatt, but to an isotropic radiator, a mathematical model of an antenna with a sphere-shaped pattern. If a customer sees two antennas that say “5 dBi” and “3 dBm,” they think the first is “more powerful,” even though they are virtually identical.

Simple dipole antennas are often offered in the kit, and they are quite sufficient to start with. Then I recommend to try the antenna Alfa ARS-N19 with a CG of 9 dBi – the most reasonable for omnidirectional antennas. It is a long rod with a narrower angle of radiation, but also the range of confident reception is more.

The main disadvantages of such antennas – the size (the ARS-N19 – 39 cm, you can not put in your pocket) and a small frequency range (either 2.4 GHz or 5 GHz). Therefore, you cannot do with just one antenna.

A more compact and versatile antenna is the Alfa APA-M25. It is panel mounted (partially directional) and dual band. At 2.4 GHz it provides 8 dBi CG and at 5 GHz it provides 10 dBi CG. It is convenient to attack pre-selected access points, the location of which you have at least an approximate idea. The antenna will have to be both deflected vertically and rotated horizontally to target the selected router.

The most hardcore variants are directional antennas with a large CG and a very narrow beam (sector pattern). They can reach the target from a kilometer away, but it is extremely difficult to accurately aim them. They were designed primarily for 802.11b/g – long range, but slow. Trying to use them for 802.11n and even more so 802.11ac communications is justified only in exceptional cases.

How do I find the position of the antenna?

The easiest way is to run the Wifite2 script (about it below). In the new version, the signal strength of all found APs is updated every second, both during scanning and during the attack. Simply rotate the antenna slowly first in the vertical plane and then horizontally. Fix the position where the numbers are maximum.

Another important note: The signal-to-noise ratio also changes depending on the position of the adapter itself, especially if its board is not shielded. In my experiment, tilting the Alfa Tube-UNA WiFi adapter from a vertical position to a horizontal one added 7 dBm with the same antenna orientation. The selected access point came out of the area of uncertain reception and was successfully… inspected.

How do I connect a non-standard antenna?

In practice, you have to change antennas, so you should choose an adapter with a connector for an external antenna. The problem is that they are different and do not fit together. Usually a miniature RP-SMA connector is used for indoor equipment, while more powerful “outdoor” adapters like Alfa Tube-UNA have a large N-Type jack. Coaxial adapters help to connect them. Choose the highest quality, otherwise the signal to noise ratio (SNR) will be severely degraded. The picture shows an N-Type – RP-SMA adapter. I used it to connect ARS-N19 and APA-M25 antennas to Alfa Tube-UNA with a built-in signal booster.

Connecting an antenna with an RP-SMA connector to an adapter with an N-Type jack
Connecting an antenna with an RP-SMA connector to an adapter with an N-Type jack

How to automate Wi-Fi access point auditing?

The threshold of entry for learning how to hack WiFi is steadily decreasing. Over the past couple of years, a collection of simple and effective utilities has grown again, automating most types of wireless attacks. Kali (back then called BackTrack) used to have only raw scripts, but now the abundance of out-of-the-box tools is overwhelming.

Today, it is not even necessary to start with Aircrack-ng, the package on which almost all Wi-Fi hacking tools are based. The WiFi-autopwner scripts by Alexey Miloserdov and Wifite2 by Derv Merkler (a pseudonym of the Seattle-based programmer) can help you quickly get practical results.

I like both scripts, but Wifite2 and its folk fork are more familiar. It cleverly uses additional utilities to make auditing more efficient and allows you to automatically perform the five most common types of attacks on all at once or only the specified access points.

Wifite2 uses bully, tshark, and reaver to perform PixieDust or pin brute force attacks against WPS. It uses coWPAtty and pyrit to check handshakes captured during a WPA(2) attack, and implements a new PMKID attack using hashcat.

Capture PMKID handshake
Successful PMKID handshake capture

All types of attacks are already sorted by speed of execution. First, the fastest ones (WPS, WEP, PMKID) are used for the selected access point, and in case of failure the script moves on to the next variants. Moreover, when verbose -vv mode is enabled, all used commands and their results are displayed in the terminal. This is essentially a learning and debugging mode.

What is the fastest WiFi hacking technique?

Earlier I would have answered: WPS. If Wi-Fi Protected Setup is enabled on an access point, it is very likely to be broken into by brute forcing known pins or a more elegant PixieDust attack. The list of pins for the search is taken from the manufacturer’s default configuration, which is determined by the MAC address. Making an exhaustive search of all variants (bruteforce) in most cases makes no sense, since after N unsuccessful authorization attempts by WPS the router blocks further ones for a long time.

Match WPS Pin with WiFi-Autopwner
Successful WPS PIN matching with WiFi-Autopwner

In any case, an attack on WPS took up to five minutes and seemed fast compared to waiting for WPA handshake capture, which then must be painfully long to brute force. But now there is a new type of attack – PMKID (Pairwise Master Key Identifier). It allows to grab the handshake of vulnerable routers in seconds, even if there are no clients connected to it! With it, you don’t have to wait and deauthenticate anyone, one (even unsuccessful) authorization attempt from your side is enough.

Therefore, the optimal hacking (auditing) algorithm is as follows: determine whether the target access point is WPS enabled. If yes, run PixieDust. No success? Then goes through the known pins. No success? Check if WEP encryption is enabled, which is also bypassed. If not, then perform a PMKID attack on WPA(2). If that does not work, then remember the classics and wait for handshake (so as not to get caught) or actively kick clients to catch their authorization sessions.

I found out the WPS PIN, now what?

Then you can use it to connect to the router and find out the password, no matter how long and complex it is. In general, WPS is a huge security hole. I always disable it on my equipment and then check with a WiFi scanner whether WPS is really turned off.

I intercepted the handshake. What to do with it?

The four-way handshake is recorded by the Wifite2 script in a file with a .cap extension.

Capturing the Classic WPA Handshake
Capturing the Classic WPA Handshake

TCPdump, Wireshark, Nmap and other programs use the .pcap format. PMKID handshake will be in .16800 format.

By default, Wifite uses Aircrack-ng to guess passwords. It sends a command of the form

aircrack-ng yourhandshake.cap -w /yourwordlist.txt

In the simplest variants it is enough, but more often you have to convert handshakes with hcxtools to feed one of the advanced password search utilities. For example, John the Ripper or hashcat.

I like hashcat better. To work with it, you need to convert .cap to .hccapx format. You can also do it online or locally with the utility cap2hccapx. In the latter case you have to download the source code and compile it.

wget https://raw.githubusercontent.com/hashcat/hashcat-utils/master/src/cap2hccapx.c
gcc -o cap2hccapx-converter cap2hccapx.c

The resulting executable file cap2hccapx-converter is more convenient to put into /bin, so you can access it anywhere.

mv cap2hccapx-converter /bin
Hashcat WiFi password cracking by WPA2 handshake
Successful hashcat WiFi password cracking by WPA2 handshake

PMKID hashes are brutalized the same way. You just need to explicitly specify hashcat handshake type and dictionary.

hashcat64 -m 2500 -w3 Beeline.hccapx "wordlist\wpadict.txt" # Rearrange passwords from your wordlist wpadict.txt to the hash from the WPA(2) handshake in Beeline.hccapx
hashcat64 -m 16800 -w 3 RT-WiFi.16800 "wordlist\rockyou.txt" # We use PMKID handshake from file RT-WiFi.16800 and ready-to-use dictionary rockyou.txt
PMKID Brute Force in hashcat
PMKID Brute Force in hashcat

What do I use to brute force WiFi passwords?

Locally, it is better to search for passwords on a desktop computer with a powerful videoadapter, and if you don’t have one, use online services. They offer limited sets for free, but even these are sometimes enough.

How to crack wifi password online? Is it posible to crack wifi passwd online?
Cracking two WiFi passwords online

Another interesting option is to use a distributed computing network. Elcomsoft Distributed Password Recovery, for example, makes it possible. This versatile program understands dozens of password and hash formats, including .cap, .pcap and .hccapx. Up to ten thousand computers can work simultaneously on one task, combining the resources of their CPU and graphics cards.

Distributed WPA hash brute force
Distributed WPA hash brute force

Plus it has a very advanced approach to dictionary attack. You can use masks, prefixes, and mutations, effectively expanding your vocabulary several times over.

Why perform a dictionary attack instead of a brute force one?

The WPA(2)-PSK key is generated with a length of 256 bits. The number of possible combinations (2^256) is such that even on a powerful server with graphics gas pedals it would take years to try them. Therefore, it is more realistic to perform a dictionary attack.

Usually Wifite2 does this itself. After it captures the handshake, it checks its quality. If all the necessary data is present, it automatically launches an attack against the wordlist-top4800-probable.txt. As can be easily guessed, it contains a total of 4800 of the most common passwords.

It is convenient because it works quickly even on an old laptop, but most likely the combination you’re looking for will not be in this dictionary. Therefore it is worth to make your own.

How do I make my own vocabulary?

First, I gathered a collection of dictionaries from different sources. These were preinstalled dictionaries in password recovery programs, /usr/share/worldlists/ directory in Kali Linux itself, databases of real passwords from different accounts that leaked into the network and a selection of passwords from specialized forums. I brought them to the same format (encoding) using the recode utility. Next I renamed the dictionaries by the pattern dict##, where ## – the counter of two digits. The result was 80 dictionaries.

Make your own dictionary for brute force wifi passwords.
Combining 80 dictionaries, skipping identical entries

In the next step, I merged them into one, removing obvious repetitions, and then ran the PW-Inspector utility to clear the merged dictionary of garbage. Since WiFi passwords can be from 8 to 63 characters long, I deleted all entries shorter than 8 and longer than 63 characters.

cat * > alldicts | sort | uniq
pw-inspector -i alldicts -m 8 -M 63 > WPAMegaDict

Then I thought that the file was too big, which could be shortened more without obviously compromising the efficiency of the search. Have you ever seen Wi-Fi passwords longer than 16 characters in real life? Neither have I.

pw-inspector -i WPAMegaDict -m 8 -M 16 > WPADict_8-16

You can download the resulting dictionary on Kim Dotcom’s file-sharing site (647 MB in ZIP-archive, 2.8 GB unzipped).

How do I switch to the 5 GHz band?

First you need to connect a 5 GHz Wi-Fi adapter and equip it with a suitable antenna (they are also made for different bands). Then just run Wifite with the -5 key and you will see five GHz access points. They are usually much smaller than 2.4 GHz. This is due to both their relatively low spread and the shorter range. The higher the frequency, the (all other things being equal) faster the signal decays.

Enabling 5 GHz mode in Wifite to scan wifi
Enabling 5 GHz mode in Wifite

Is it possible to attack a hidden network?

Yes. If the network name (ESSID) is hidden, you see the MAC address of the access point during an air scan. The first client to connect will reveal its name. So just wait for a connection or speed up the process by sending out deauthentication packets.

How to atack hidden wifi network to crack wifi password?
Defining the name of a hidden WiFi network

Conclusion

In conclusion, I would like to say that this article provides information for learning. Keep learning, keep learning, keep learning about cybersecurity, and you will be successful in this field.

Remember that WiFi hacking carries criminal penalties, so approach the topic wisely and use this information only to improve the security of your own network.

The author and Brain-upd.com are not responsible for your actions, this article is provided for educational purposes only.

11 Shares
5 comments
  1. Help me choose a linux distribution to hack wi-fi networks. I can’t decide which distribution to start with to get acquainted with cybersecurity.
    Kali linux was recommended to me, but I want to hear some more opinions before installing it. For example, if hacking wifi, how good is Kali?

    1. Kali linux is an excellent choice as a distribution for testing networks for vulnerabilities, in particular for hacking wi-fi networks, more specifically for pentests.

      I recommend to do live usb first and try to use live mode cali linux, as installing this distribution as the main operating system is not always useful. However, for penetration tests without breaking the laws, this option is also very good.

      I use Kali linux as my main operating system and I like it. But I also use a macbook for work.

  2. How I can crack wifi password using Windows? Is it real to install Kali Linux tools on Windows or I need to make live USB with Kali or Parrot linux to hack wi-fi password?

    1. In this article I was written about cracking wifi via kali or parrot linux with their tools. Of cource you can install some programs for Windows, but I think that it will be better if you intall kali on usb and use it. If you are insteresting in cyber security, handshakes, brute force and other methods of wifi hacking you need to know how to use Kali linux and the same OS. If you are insterested in the same article, but about Windows, we will write it, subsrice to newsletter. Thanks for comment.

  3. I want to say thank you for step-by-step tutorial about how to hack wifi password using handshake and brute force. Really good article. Thanks again.

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like