Wi-Fi Hacking


Wi-Fi networks have become more secure over time, with most access points now using WPA2 Pre-Shared Key (PSK) authentication and AES encryption, but no security measure is completely foolproof. One weakness of WPA2 PSK is that key material derived from the password is exchanged in a 4-way handshake each time a client authenticates to the access point. Attackers can capture the 4-way handshake packets and attempt to recover the password offline by testing candidates from a wordlist. While there are other ways to crack Wi-Fi passwords, a wordlist attack is the simplest and the one most commonly used.


Understanding 2.4 GHz and 5 GHz Wi-Fi Networks.


Wi-Fi networks use different frequency ranges or bands, such as 2.4 GHz and 5 GHz, to transmit data. These bands determine the frequency range and channels used for communication. To connect to a Wi-Fi network, the device must support the same band as the network. For instance, if the Wi-Fi network uses the 5 GHz frequency, the device needs to support this band to connect to the network. Furthermore, if a wireless adapter supports a specific band, it can capture or intercept data transmitted over that band.


Understanding Managed Mode and Monitor Mode.


Managed mode and monitor mode are two modes of operation for a wireless network interface card (NIC) that enable different types of wireless communication.


Managed mode is the default mode of operation for a wireless NIC. In this mode, the NIC behaves as a client and connects to an access point (AP) to access a wireless network. Managed mode allows the NIC to send and receive data over the wireless network, but it cannot capture or sniff wireless traffic.


Monitor mode, on the other hand, is a special mode of operation that allows the NIC to capture or sniff wireless traffic. In this mode, the NIC behaves as a passive listener, capturing all wireless traffic that it can receive on a specific channel. Monitor mode is commonly used for wireless network monitoring and troubleshooting, as well as for wireless network security auditing and testing.


To switch from managed mode to monitor mode, the wireless NIC must support monitor mode, and the user must explicitly activate it using specialized tools or commands. While in monitor mode, the NIC cannot connect to a wireless network as a client, and the user must switch back to managed mode to access wireless networks.


To Check Mode


To view the “Mode” of the wireless card on a Linux system, you can open a terminal and execute the following command:



To activate monitor mode on a wireless NIC in Linux, we can use a command-line tool called airmon-ng. To do this, open a terminal and execute the following command, replacing "wlan1" with the name of your wireless NIC:




This command creates a new virtual interface on your wireless NIC, which is used for monitor mode. You can then use this virtual interface to capture or sniff wireless traffic with tools like Wireshark or tcpdump.


Note that you need to have administrative privileges to run this command, so you may be prompted to enter your password. Additionally, make sure that any Wi-Fi connections on the NIC are disconnected before enabling monitor mode, as it can interfere with network connections.


To verify if your card has been successfully switched to monitor mode, please run the following command:



Packet sniffing with airodump-ng is a common technique used for capturing and analyzing wireless traffic in real-time. Airodump-ng is a command-line tool that comes with the Aircrack-ng suite of wireless security tools.


To use airodump-ng, open a terminal and execute the following command:



This command starts airodump-ng on the monitor-mode interface "wlx00c0ca2613bb" (the name of the virtual interface created by airmon-ng). Airodump-ng scans all wireless traffic on the current channel and displays information about the detected access points (APs) and clients.


  • BSSID: The unique identifier (MAC address) of the router or access point.

  • PWR: How close or far the router is from our device (signal level).

  • Beacons: Frames transmitted by the access point to announce its presence.

  • # Data: The number of captured data packets.

  • MB: The highest data rate supported by the access point.

  • CIPHER: The cipher detected on the network.

  • ESSID: The name of the Wi-Fi network.
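The same columns also land in the CSV file that airodump-ng writes when run with "-w". The following is an added example (not code from the original post) that parses that AP table and flags open, WEP and TKIP networks, which is the first thing an auditor should look for in their own environment; the sample CSV is constructed, and the header layout is my assumption about airodump-ng's CSV format.

```python
# Added example, not from the original post: parse the AP section of an
# airodump-ng "<prefix>-01.csv" file and flag weakly protected networks.
# SAMPLE_CSV is constructed; its header mirrors airodump-ng's CSV layout
# (an assumption about the format, verify against your own capture).
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -45, 120, 0, 0.0.0.0, 8, HomeNet1, 
AA:BB:CC:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WEP, WEP, , -60, 80, 15, 0.0.0.0, 6, OldCam, 
AA:BB:CC:00:00:03, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA, TKIP, PSK, -70, 40, 0, 0.0.0.0, 7, Legacy1, 
AA:BB:CC:00:00:04, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, OPN, , , -50, 90, 0, 0.0.0.0, 5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

WEAK_PRIVACY = {"OPN", "WEP"}   # no encryption, or WEP (broken)
WEAK_CIPHERS = {"WEP", "TKIP"}  # TKIP is the deprecated WPA1 cipher

def parse_airodump_csv(text):
    """Return one dict per access point from the AP section, which ends at the
    blank line separating it from the station (client) section."""
    ap_section = text.strip().split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_section), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    aps = []
    for row in reader:
        if len(row) < len(header):
            continue  # skip empty or truncated rows
        aps.append({header[i]: row[i].strip() for i in range(len(header))})
    return aps

def weak_aps(aps):
    """Flag APs whose Privacy or Cipher column shows a weak configuration.
    Returns (BSSID, ESSID, channel, [reasons]) tuples."""
    findings = []
    for ap in aps:
        reasons = []
        if set(ap["Privacy"].split()) & WEAK_PRIVACY:
            reasons.append("privacy=" + ap["Privacy"])
        if ap["Cipher"] in WEAK_CIPHERS:
            reasons.append("cipher=" + ap["Cipher"])
        if reasons:
            findings.append((ap["BSSID"], ap["ESSID"], ap["channel"], reasons))
    return findings

if __name__ == "__main__":
    for bssid, essid, ch, why in weak_aps(parse_airodump_csv(SAMPLE_CSV)):
        print(f"{bssid} {essid!r} ch {ch}: {', '.join(why)}")
```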


Targeted packet sniffing involves capturing specific packets of interest from a wireless network, rather than capturing all traffic on a particular channel or network. This can be useful in situations where you are looking for specific types of packets, such as authentication or association requests, or trying to capture packets from a particular client or access point.

To perform targeted packet sniffing with airodump-ng, you can use the "--bssid" and "-c" options to focus on a particular access point and channel. For example, the following command will capture all traffic on channel 1 from the access point with MAC address "6C:72:20:6D:0F:65":


Once you have captured the targeted packets, you can use tools like Wireshark or tcpdump to analyze the captured data in more detail, looking for patterns or specific packets of interest.


“fly” is the name of the file where the captured packets are stored.



Deauthentication Attack: use the aireplay-ng command to send deauthentication packets to the target client or access point:


Replace <num_deauth_packets> with the number of deauthentication packets you want to send, <access_point_mac> with the MAC address of the access point, <client_mac> with the MAC address of the target client, and <interface> with the name of your wireless interface.
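From the defender's side, a deauthentication attack is easy to spot: a monitor-mode capture shows a burst of deauthentication frames claiming to come from the AP's address. The following is an added example (not code from the original post) that decodes the 802.11 MAC header and counts deauth frames per sender; the frames are constructed inline without the radiotap header a real capture would prepend, and the client address is made up (the BSSID is the one used in the post).

```python
# Added example, not from the original post: detect a deauth flood in raw
# 802.11 frames. Frames here are constructed (24-byte MAC header + body, no
# radiotap). Mitigation: Protected Management Frames (802.11w) make clients
# drop forged deauth frames like these.
import struct
from collections import Counter

MGMT_TYPE, DEAUTH_SUBTYPE, BEACON_SUBTYPE = 0, 12, 8

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_frame(ftype, subtype, da, sa, bssid, body=b""):
    """Frame control = subtype<<4 | type<<2 (version 0), then duration,
    addr1=DA, addr2=SA, addr3=BSSID, sequence control, body."""
    fc = bytes([(subtype << 4) | (ftype << 2), 0x00])
    return (fc + b"\x00\x00" + mac_bytes(da) + mac_bytes(sa)
            + mac_bytes(bssid) + b"\x00\x00" + body)

def parse_frame(frame):
    """Decode the header fields the detector needs; deauth bodies start
    with a 16-bit little-endian reason code."""
    fc0 = frame[0]
    rec = {"type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
           "da": mac_str(frame[4:10]), "sa": mac_str(frame[10:16]),
           "bssid": mac_str(frame[16:22])}
    if rec["type"] == MGMT_TYPE and rec["subtype"] == DEAUTH_SUBTYPE and len(frame) >= 26:
        rec["reason"] = struct.unpack("<H", frame[24:26])[0]
    return rec

def detect_deauth_flood(frames, threshold=10):
    """Count deauth frames per (claimed sender, BSSID). A real AP sends a
    handful; aireplay-ng sends them in bursts, so a high count is the signal."""
    counts = Counter()
    for rec in map(parse_frame, frames):
        if rec["type"] == MGMT_TYPE and rec["subtype"] == DEAUTH_SUBTYPE:
            counts[(rec["sa"], rec["bssid"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

AP = "6c:72:20:6d:0f:65"       # BSSID used in the post above
CLIENT = "aa:bb:cc:dd:ee:01"   # constructed client address
BROADCAST = "ff:ff:ff:ff:ff:ff"
# constructed capture: 64 broadcast deauths spoofed "from" the AP (reason 7),
# one ordinary deauth to a single client (reason 3), five beacons
SAMPLE_FRAMES = ([build_frame(0, 12, BROADCAST, AP, AP, struct.pack("<H", 7))] * 64
                 + [build_frame(0, 12, CLIENT, AP, AP, struct.pack("<H", 3))]
                 + [build_frame(0, 8, BROADCAST, AP, AP)] * 5)
```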


Crack the “WPA handshake” using “aircrack-ng”: run aircrack-ng against the captured 4-way handshake with a wordlist attack:



Replace <wordlist_file> with the path to the wordlist you want to use and <capture_file> with the path to the file containing the captured traffic.





Crack the “WPA handshake” using “hashcat”: use hashcat to crack the captured 4-way handshake with a wordlist attack:


hcxtools is a suite of tools for capturing and converting packets from wireless networks for password-cracking purposes. One of the tools in the suite, hcxtool, captures EAPOL frames and saves them to a file. EAPOL frames are used in the WPA/WPA2 authentication process and carry information such as the PMKID (Pairwise Master Key Identifier), which can be used for offline password cracking.


The steps to use hcxtool to convert a .cap file to Hashcat's format are as follows:


Capture the Handshake: You will first need to capture the WPA/WPA2 handshake using a tool such as airodump-ng. Save the capture as a .cap file.


Convert the .cap to Hashcat's format: Use the following command to convert the .cap file to Hashcat's format:

In this command, capture-01.cap is the input file in cap format and -o specifies the output file (a .txt file).


Use Hashcat to Crack the Password: Once you have the hashcat.txt file, you can use Hashcat to crack the password. You will need a wordlist and a compatible Hashcat version for this. Here's an example command to run Hashcat:


Wait for Hashcat to Crack the Password: Depending on the strength of the password and the power of your computer, Hashcat may take several hours or even days to crack the password. You can check the progress by looking at the output on the screen.


Once Hashcat has successfully cracked the password, it will display the password on the screen.




Contributed by Sandeep Vishwakarma


