Hacking Tony

In this tutorial we are going to show how you can get a WiFi password from any visible APs around you. We will use the Aircrack-ng tool and, because we are going to use Kali Linux distribution, we haven't given any detail about the installation of this tool. In Kali, every tool wee need is already installed.

In summary, we will put our WiFi card on monitor mode to listen to all the WiFi traffic around us and then we will get the handshake (it contains the hash of the WiFi password and it is sent in every package between the router and any computer connected to it). Then, you will try to crack to get the password or we will try to get it by bruteforce with a dictionary in the case we couldn't crack it (if the WiFi connection uses WPA/WPA-2-PSK encryption it is not possible to obtaing the password from the handshake). In that way we will realize how importat is choose the right encryption method and a strong password when we are going to set up our Wifi connection.

This tutorial is based on a very precise shellhacks article about Aircrack-ng. My intention is extend it to add some extra information I learnt while I was reading and testing it on my computer and also reading other articles from the Internet.

First of all we have to be sure that any other process related with our WiFi card can create some troubles. To do that we will execute the next command:

santi@kalibook:$ airmon-ng check kill

You will see an output similar to the next one:

Killing these processes:
 
  PID Name
  907 wpa_supplicant
  908 dhclient

Now, we are ready to activate monitor mode in our WiFi card. Then, it will begin monitoring all the traffic

santi@kalibook:$ airmon-ng start wlan0

You will see an output similar to the next one. It depends of your WiFi card driver. In my case I am using the iwlwifi.

PHY	Interface	Driver		Chipset
 
phy0	wlan0		iwlwifi		Intel Corporation Wireless 7265 (rev 59)
 
		(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
		(mac80211 station mode vif disabled for [phy0]wlan0)

Then, airmon-ng has created a new interface called wlan0mon (in my case) and the monitor mode has been activated. You can check everything is ok executing the command iwconfig to see network configuration. In that way you will be sure your card is in monitor mode.

santi@kalibook:$ sudo iwconfig
wlan0mon  IEEE 802.11abgn  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=0 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
 
usb0      no wireless extensions.
 
lo        no wireless extensions.

Now, we are going to view all the WiFi traffic that our card is monitoring. With the next command we will obtain a list of all the visible APs around us with some extra information:

santi@kalibook:$ airodump-ng wlan0mon

You will see an output similar to the next one:

In the screehshot above you can see the list of the visible APs so you only have to select wich one you want to try to get its password. You will need its MAC address (you have it at the left of the screenshot) and the channel (CH column).

So, we are going to try to discover, in this case, the handshake of our own WiFI AP because the goal of this tutorial is to protect our infrastructure, not to try to steal a password from someone.

We have to search the name of our Wireless connection and take note of the MAC address. Our AP is called eircom-09843703 2.4G so we write the proper MAC:

santi@kalibook:$ airodump-ng -c 1 --bssid F4:8E:92:36:EB:F8 -w WPAcrack wlan0mon --ignore-negative-one 

Now, we will see how airodump searching for the handshake:

When airodump has found the handshake it shows it on the left top corner of the screen and it continues working. When you see the handshake written in the corner you can stop airodump pressing Ctrl-C

Once we have the handshake we have two choices:

• Crack the password (not possible if the WiFi connection use WPA/WPA2 encryption)
• Try to discover the password using a dictionary attack

By the moment we will try to discover the WiFi password by dictionary attack. To do that, first, we need a dictionary. Because we are using Kali we can found some dictionaries in the /usr/share/wordlists. For example, in this case, we will use rockyou.txt.gz. You can found other dictionary in some links in Resources

First, we need to gunzip the file:

santi@kalibook:$ gunzip rockyou.txt.gz

And now we can execute aircrack-ng with the dictionary file, the MAC address of the AP and the file that airodump has created once it has found the handshake. Normally, the file is named WPAcrack-XX.cap where XX is the number of the different attempts you had done previously.

santi@kalibook:$ aircrack-ng -w rockyou.txt -b F4:8E:92:36:EB:F8 WPAcrack-01.cap

We will see how aircrack-ng is searching the password trying with every word in the dictionary.

Once aircrack has found the password (if it did it), it will show it in the center of the screen. Then, you have the password to connect to this WiFi connection.

As you can see in the example above, it is not very difficult to perform an attack to get a WiFi password if the connection is not properly configured. We must notice the following aspects:

• You must select only WPA/WPA2-PSK encryption methods. In this way you can prevent that someone crack your WiFi password
• You must change default password for a real stronger password. You must use letters, numbers, capital letters and special characters (like !, ., ?). In this way you can prevent the dictionary attack. You can check if your password is strong enough in some websites like Kaspersky Secure Password Check
• You also can change the SSID of your Wifi connection. Notice that some companies put similar names to all WiFi routers they provide. In this case, it is easy to know which type of router you have and to look for, for example, an specific vulnerability on it. An attacker can obtain passwords from an specific password generator that generates them following the same seed that the company of your router.

© 2017 Hacking Tony