Tips and Hacks Everyone Should Know

How to Hack Password Protected WiFi Using Kali Linux

0 481

In the previous article, we covered all the important things you need to know about wireless networks and how easy or difficult it is to hack one. In this article, we will get our hands dirty and learn how to hack password protected WiFi using Kali Linux. So let’s start.

I will be straight with you and say that to hack password protected WiFi network is a tedious and most cases time-consuming job. In some cases, a dictionary attack may take days, and even then it may not be a success. Also, the best dictionaries you will need to download are huge files. This is so because a brute force or dictionary attack is a trial-and-error approach to establish a connection with an access point using different combinations of all the letters of the alphabet in both upper and lower case, numbers, and common symbols.

Rainbow tables, which are known to speed up the hacking process by completing parts of the letter, number, and symbol combinations, is a large file that could be hundreds of gigabytes. This hour, we will learn two of the most effective ways to hack password protected WiFi network and to introduce you to the world of on-location wireless penetration.

How to Use Reaver to Hack WPA/WPA2 WPS WiFi

WPS (Wi-Fi Protected Setup), which was introduced to complement the WPA, is designed to be easier to configure but tough to crack. However, it has a well-known security hole that various tools such as Reaver can exploit with minimal effort on your part. Note, however, that it still might take hours for the hack to be successful, but as you will discover later in the article, it is a much more preferable technique than brute force.

Information Gathering

Before you can begin using Reaver on Kali Linux to hack password protected WiFi network, you first need to know whether WPS is enabled. This attack will not work if WPS is not enabled. You will also need to know the BSSID of the network which means it would probably be best not to attempt this exercise on a hidden network.

Step 1: Start VMware, load Kali Linux OS on the virtual machine and log into your root account.

Step 2: Next, set the wireless interface to monitor mode using the following command:

airmon-ng start wlan

This command should reveal details of the adapter card interface, chipset, and driver as well as enable monitor mode.

Step 3: We can then use the wash command to find networks with WPS enabled. While wash is an easier way to detect a network, it might sometimes fail to detect networks even those with WPS enabled. The good thing is that any network it finds has WPS enabled. Here is the command:

wash -i mon

The results you get will contain a column of the network’s BSSID.

Step 4: Use the airodump-ng to show all the networks around you and see which ones have WPA enabled. The command is:

airodump-ng mon

Step 5: Write down or copy the BSSID of the target network in the format XX:XX:XX:XX:XX:XX. This is what we need to hack the network using Reaver.

Hacking the Wireless Network

Start Reaver on the terminal and begin the hack using the following command:

[email protected] # reaver -i mon -b [BSSID]

Replace [BSSID] with the network’s BSSID you copied in the previous step. In the command, the -i is the interface to use, which is the network monitor mode we created in step 4. The -b in the command specifies the BSSID of the target network.

That is all you need to do to initiate the hack. Depending on how secure the network is, the process may be over in a few minutes, or it might take hours. Be patient and let Reaver do its thing.

When the hack is complete, Reaver will present you with the password of the network in the message:

WPA PSK: [password]

If yours did not work as expected, read on to troubleshoot.

How to Hack WPS WiFi Password – Video Tutorial

You can find many tutorials on YouTube on how to hack password protected WiFi. Some of them are great, but some simply don’t work. The following is an excellent step by step guide on WPS Cracking with Reaver.

Commands used in the video:

airmon-ng
airmon-ng start wlan0
mkdir /etc/reaver
wash -i mon0 -C
reaver -i mon0 -b (BSSID) -vv

Below is another great video demonstration on cracking WPS password:

Known Issues with Reaver

Below are some of the known issues you may come across while using Reaver.

  1. It is not uncommon for Reaver to keep switching interfaces forever rather than carrying out the actual scan. If yours does this, try turning the wireless adapter on then back on then attempt the hack again.
  2. Errors such as “Something went wrong with the wireless card,” “AP does not use WPS,” “You are too far from the AP,” and “AP is choosy, does not let you associate” are straightforward and have possible workarounds.
  3. If you are using the version of Reaver that came bundled with your version of Kali Linux, you might want to update it first if it does not work. A newer version of Libpcap may solve the problem.
  4. Reaver may not work if you have other services using the wireless adapter. For instance, if you are already connected to a Wi-Fi network, you may want to disconnect and refresh the AP before giving it another try.
  5. If after many attempts and rectification of issues the hack does not work, perhaps the target network just isn’t vulnerable. There are many other hacking tools available on the Kali platform that you can try.

How to Brute Force WPA/WPA2 WiFi Password

Brute force is a very popular way to hack password protected WiFi network because it takes advantage of users’ susceptibility to create easy and textbook passwords. If you find that a network’s WPS is secure and Reaver is not getting anywhere, brute force, also called dictionary or wordlist attack may work. There are many tools you can use on Kali Linux, but for this guide, we will use the Hashcat tool.

What is the Hashcat Tool?

The Hashcat is a CPU-based tool has been around for quite some time. The Hashcat tool we will use uses modern GPU processors to crack encrypted username and password hashes on WPA and WPA2 wireless networks. It’s the best way to start and hack password protected WiFi.

Step 1: Capturing a 4-Way Handshake With the Router

First, you will need to capture a 4-way handshake with the secured wireless network and save it in a .cap file. Your network adapter must support monitor mode, just as with the previous hack. We will use the airmon-ng command to switch to monitor mode and airodump-ng to sniff the networks. Enter the following commands on your Kali Linux shell:

airmon-ng start wlan0mon
airodump-ng wlan0mon
airodump-ng -c 1 -b XX:XX:XX:XX:XX wlan0mon -w write2file

When the airodump-ng is done saving the file, send de-authentication packets to the target network access point to force connected devices to disconnect from the AP. You will then be able to capture the 4-way handshake when the devices are establishing a new connection using aireplay-ng. Here is the command to use:

aireplay-ng --deauth 100 -a [Router_Mac] -c [Device_Mac] wlan0mon

Replace [Router_Mac] with the router mac address and [Device_Mac] with the mac address of a connected device. If this attempt fails, retry several times because it is not uncommon for the first couple of attempts to fail. Just remember that the -a switch in aireplay-ng is for the Wi-Fi/AP mac address and -b is the mac address of the device connected to the wireless network.

Step 2: Convert the .CAP File to .HCCAP

Hashcat works with a .hccap file while the data we need is stored in a .cap file. Use the following command to convert the file and assign it the name handshake.hccap:

aircrack-ng filename.cap -J handshake.hccap

Step 3: Download a Wordlist to Use in The Hack

One of the best things about Hashcat is that it creates its own wordlist to use in the brute force hack on the fly. This means that you can use it without downloading an existing dictionary of passwords to try. We will cover this in Step 5, but for now, we will get ready with a downloadable wordlist.

There are many wordlists you can download on the internet in .txt files. A simple Internet search should give you millions of results. Simply filter results to find the newest hosted in a credible site and download it. However, be sure to check that the wordlist is created specifically for WPA/WPA2 as the passwords must be eight characters long. Save the file in root, where the handshake.hccap file is located.

Step 4: Use oclHashcat With a Wordlist

Use the following command to crack the WPA handshake file, which is now in the .hccap format:

oclhashcat -m 1000 /root/handshake.hccap /root/wordlist.txt

At this point, you can let Hashcat run the hack attempts in the background. Depending on the speed and memory of your GPU, this tool can peak at over 150,000 attempts per second. You can tweak the command using -u to get fill speed.

Step 5: Use oclHashcat Without a Wordlist

Alternatively, you can let Hashcat create its own dictionary on the fly and not clog it up with a massive wordlist. For this to work though, you will need to use various masking options in order to create a text file with your preferred charsets.

The basic set includes:

?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?l = abcdefghijklmnopqrstuvwxyz
?d = 0123456789
?s = !"#$%&'()+,-./:;[email protected]\^`{|}~
?a = All the above characters (?L, ?U,?D, and ?s)

Other character sets and switches available on Hashcat include:

?l?l?l?l?l?l?l?l = a-z, 8 Characters long.
?u?u?u?u?u?u?u?u = A-Z, 8 Characters long.
?d?d?d?d?d?d?d?d = 0-9, 8 Characters long.
?s?s?s?s?s?s?s?s = All special characters, 8 characters long.
?a?a?a?a?a?a?a?a = a-z, A-Z, 0-9, and all special characters, 8 characters long.

Hashcat offers you the option to choose an attack mode to use. The switches to use are:

0 = Straight attack
1 = Combination attack
3 = Brute force attack
6 = Hybrid dictionary + mask attack
7 = Hybrid mask + dictionary attack

For instance, to carry out a mask brute force attack, you will use the -a 3 switch.

Hack WPA/WPA2 WiFi Password – Video Tutorial

Below is a full verbal step-by-step guide on how to hack password protected WiFi using aircrack-ng suit on Kali Linux. It’s one of my favorite and easy to follow tutorial on cracking WPA/WPA2 with Kali Linux.

How to Crack WEP Encrypted Passwords

WEP (Wired Equivalent Privacy) is the least secure security protocol, so for that reason, it’s less common today as security-aware network admins prefer WPA and WPA2. Using Kali Linux tools, you’ll be able to hack this type of network in few minutes. Below is a quick video demonstration on how to crack WEP encrypted passwords.

How to Hack Password Protected WiFi

Hacking a secured network is not easy, and this explains why it takes long even when successful. However, with so many hacking tools available on the Kali Linux platform, you will discover a pattern and even your favorite methods with practice in your lab. These two approaches are basically examples of how you would go about using almost every other WPA/WPA-2 hacking tool in your arsenal. I hope you find this article interesting and learned how to hack password protected WiFi using Kali Linux. Share your thoughts in the comments below.


Leave A Reply

Your email address will not be published.