Thursday, October 18, 2018

Hacking Wireless Network

Capture The Handshake

Handshake packets are sent every time a client associates with the target AP. So to capture it we are going to capture every packet that is sent. In this chapter, we are going to use a program called “airodump-ng”. This program lets us sniff and capture the packets that are sent over the network. It comes preinstalled. There are two steps to catching the handshake.

Note that before you start capturing the handshake you must put your wireless card into monitor mode. You can do this by executing the command airmon-ng start wlan0. If the command gives you an error, try the steps below to troubleshoot.

airmon-ng start wlan0
airmon-ng check kill
airodump-ng wlan0mon

Alternatively, stop the interface and start it again before capturing:

airmon-ng start wlan0
airmon-ng check kill
airmon-ng stop wlan0
airmon-ng start wlan0
airodump-ng wlan0mon

Instructions to Capture the Handshake

1. Start airodump-ng on the target AP (Access Point):

The syntax is something like this:

airodump-ng --channel [channel] --bssid [bssid] --write [file-name] [interface]

Example:

airodump-ng --channel 6 --bssid 11:22:33:44:55:66 --write out wlan0mon

2. Wait for a client to connect to the access point, or deauthenticate a connected client (if any) so that its system reconnects automatically.

The syntax is something like this:

aireplay-ng --deauth [number of deauth packets] -a [AP] -c [target] [interface]

Example:

aireplay-ng --deauth 1000 -a 11:22:33:44:55:66 -c 00:AA:11:22:33 wlan0mon

If the handshake is captured, airodump-ng will inform you in the top right corner of its output with the text “WPA handshake”.

Follow these steps and you will be able to capture the handshake.

Your screen should look like this:

Once you have captured the handshake you are ready to crack the password.
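The deauthentication in step 2 is easy to spot from the defender's side: a single address suddenly emits many deauth or disassociation frames. The following is an added example (not from the original post) that runs a sliding-window rate check over constructed frame records of the kind a monitor-mode capture yields; the threshold of more than 10 frames in 5 seconds is an assumption.

```python
"""Detect a deauthentication flood like the one step 2 produces."""
from collections import defaultdict, deque

DEAUTH = (0, 12)     # 802.11 management frame (type 0), subtype 12
DISASSOC = (0, 10)   # disassociation frames are abused the same way
WINDOW_S = 5.0       # assumed sliding window, seconds
THRESHOLD = 10       # assumed: more than this many frames in a window is a flood

def detect_deauth_flood(frames, window=WINDOW_S, threshold=THRESHOLD):
    """Return alerts (src, bssid, window_start, count) for every source
    that sends more than `threshold` deauth/disassoc frames to one BSSID
    inside `window` seconds. One alert per (src, bssid) pair."""
    recent = defaultdict(deque)   # (src, bssid) -> timestamps still in window
    alerted, alerts = set(), []
    for f in sorted(frames, key=lambda f: f["ts"]):
        if (f["type"], f["subtype"]) not in (DEAUTH, DISASSOC):
            continue
        key = (f["src"], f["bssid"])
        q = recent[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((f["src"], f["bssid"], q[0], len(q)))
    return alerts

# Constructed sample capture: a beacon, one benign disassociation from the
# AP at t=1s, then a burst of 25 deauths at t=10s. The flood carries the
# AP's own address as source, which is what the -a option above targets.
AP = "11:22:33:44:55:66"   # BSSID used in the post's commands
SAMPLE_FRAMES = [
    {"ts": 0.0, "type": 0, "subtype": 8, "src": AP, "dst": "ff:ff:ff:ff:ff:ff", "bssid": AP},
    {"ts": 1.0, "type": 0, "subtype": 10, "src": AP, "dst": "aa:bb:cc:dd:ee:01", "bssid": AP},
] + [
    {"ts": 10.0 + i * 0.1, "type": 0, "subtype": 12,
     "src": AP, "dst": "ff:ff:ff:ff:ff:ff", "bssid": AP}
    for i in range(25)
]

if __name__ == "__main__":
    for src, bssid, start, n in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"ALERT: {n} deauth/disassoc frames from {src} to BSSID {bssid} "
              f"within {WINDOW_S:.0f}s starting at t={start:.1f}s")
```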

Cracking The Password

1. For WEP you only need to type in aircrack-ng [handshake filename]

Example: aircrack-ng capture.cap, then press Enter.

Aircrack will brute-force the handshake file until it finds the password.

2. For WPA/WPA2 you will need to type in:

aircrack-ng [handshake filename] -w [wordlist]

Example:

aircrack-ng capture.cap -w wordlist.txt

WPA/WPA2 can only be cracked with a dictionary wordlist contained in a text file.

When the password is found your screen should look like this:

Now that we know how to test the security of all known wireless encryptions (WEP/WPA/WPA2), it is relatively easy to secure our networks against these attacks, as we know all the weaknesses that can be used by hackers to crack these encryptions. So let's have a look at each of these encryptions one by one:

1. WEP: WEP is an old encryption, and it is really weak. There are a number of methods that can be used to crack this encryption regardless of the strength of the password, and even if there is nobody connected to the network, WEP can still be cracked in minutes.

2. WPA/WPA2: WPA and WPA2 are very similar; the only difference between them is the algorithm used to encrypt the information, but both encryptions work in the same way. WPA/WPA2 can be cracked in two ways:

1. If the WPS feature is enabled, then there is a high chance of obtaining the WPA/WPA2 key regardless of its complexity by exploiting a weakness in the WPS feature. WPS is used to allow users to connect to their wireless network without entering the key; this is done by pressing a WPS button on both the router and the device they want to connect, and the authentication works using an eight-digit PIN. Hackers can brute-force this PIN in a relatively short time (on average 10 hours), and once they get the right PIN they can use a tool called reaver to reverse engineer the PIN and get the key. This is all possible because the WPS feature uses an easy PIN (only 8 characters, digits only), so it's not a weakness in WPA/WPA2; it's a weakness in a feature that can be enabled on routers that use WPA/WPA2, which can be exploited to get the actual WPA/WPA2 key.

2. If WPS is not enabled, then the only way to crack WPA/WPA2 is a dictionary attack. In this attack a list of passwords (dictionary) is compared against the handshake file to check whether any of the passwords is the actual key for the network, so if the password does not exist in the wordlist the attacker will not be able to find it.

To brute-force a WPS pin go to the terminal in Kali and type in:

reaver -i wlan0mon -c 6 -b 00:23:69:48:33:95 -vv

-i is the interface
-c is the channel
-b is the BSSID (MAC address) of the target router
-vv enables verbose output, which greatly helps when trying to see how well reaver is (or is not) progressing.

Here you can see that reaver is trying to brute-force the 8-digit PIN on the router.

NOTE: the command wash -i wlan0mon can also be used to scan for wireless routers that have WPS enabled. (See below)

Here you can see at least two routers that do not have WPS locked, which means that these routers can be hacked.


1. Do not use WEP encryption, as we have seen how easy it is to crack regardless of the complexity of the password, even if nobody is connected to the network.

2. Use WPA2 with a complex password; make sure the password contains small letters, capital letters, symbols and numbers.

3. Ensure that the WPS feature is disabled as it can be used to crack your complex WPA2 key by brute-forcing the easy WPS pin.
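Point 2 above, together with the dictionary-attack limitation described earlier, can be turned into a concrete check when choosing a passphrase. This is an added example, not from the original post: it applies the post's four-class rule, the 8-63 character passphrase length that WPA/WPA2 allows, and a membership test against a wordlist; the wordlist below is a small constructed stand-in for a file such as wordlist.txt.

```python
"""Check a WPA2 passphrase against the advice in point 2 and the
dictionary-attack limitation described earlier in the post."""
import string

# Constructed stand-in for a dictionary file (one candidate per line).
SAMPLE_WORDLIST = """password
12345678
Password1!
letmein123
Welcome2018
"""

def load_wordlist(text):
    """Turn wordlist text into a set for fast membership tests."""
    return {line.rstrip("\r\n") for line in text.splitlines() if line.strip()}

def check_wpa2_passphrase(passphrase, wordlist):
    """Return a list of problems; an empty list means the passphrase meets
    the post's complexity rule, fits the WPA2 length limit, and would not
    be found by a dictionary attack using this wordlist."""
    problems = []
    if not 8 <= len(passphrase) <= 63:           # WPA/WPA2 passphrase length limit
        problems.append("length must be 8-63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII is allowed")
    classes = {                                  # the four classes from point 2
        "lowercase": any(c.islower() for c in passphrase),
        "uppercase": any(c.isupper() for c in passphrase),
        "digit": any(c.isdigit() for c in passphrase),
        "symbol": any(c in string.punctuation for c in passphrase),
    }
    problems += [f"missing {name}" for name, present in classes.items() if not present]
    if passphrase in wordlist:                   # exactly what aircrack-ng -w compares
        problems.append("present in wordlist (dictionary attack would succeed)")
    return problems

if __name__ == "__main__":
    wl = load_wordlist(SAMPLE_WORDLIST)
    # "Password1!" passes the complexity rule yet is in the wordlist: complexity
    # alone is not enough, the passphrase must also be absent from dictionaries.
    for candidate in ("password", "Password1!", "Tr0ub4dor&3xample-Wifi"):
        result = check_wpa2_passphrase(candidate, wl) or ["OK"]
        print(f"{candidate!r}: {'; '.join(result)}")
```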

