Well, there was a time when ” people with networking skills and an hacker mindset ” can only hack into wireless networks. But that time is long gone my friend.
Now a days even kids can hack wifi passwords. If you don’t believe me read this article ” A 7-year-old shows how easy it is to break into a public network in less than 11 minutes. ” by dailymail.
You might have been searching on google ” how to hack wifi” or “How to hack into wifi passwords“. And certainly you have gone through a lot of tutorials on the web. You know people are recycling the old content again and again.
May be you have found something new on the sites but that did not help you with your problem that is still junk to you. thats why you are still in search of tutorial that will bring forth such knowledge that make you an hacker
If not an pro ethical hacker but, you will surely became an wifi hacker today.
This article is all about hacking a wifi password and breaching into all type of encyptions related to wireless networks.In this tutorial we will discuss possible ways to hack wifi and all the misconception related to password cracking.
You may not become an expert ethical hacker after reading this but you will surely be able to hack wifi password.And you will have access to free wifi.
[off topic]if you have watched tv series like ” Mr robot ” , ” Die hard 4.0 ” and you want to be an hacker. Then i will suggest you to stick around and follow our tutorials. We have started series of hacking articles in this we will be discussing brief hacking tutorials.
Table of Contents
- What you need to get started
- Type of wifi encryptions and their analysis
- Hacking Tools(introduction and their use)
- Theoretical approach towards our goal
- How to Hack wifi(three methods)
- At-last you are a hacker
- Conclusion and advice
Null and bolts needed to hack wifi password
You will need certain type of environment that will let you have such permissions of your machine resource that will help in hacking a wifi.
Windows is not such type of operating system. Microsoft has given restricted access to his users which can’t do anything if you ask me. You can’t hack a wifi network using a windows machine.
Here is what you need to hack wifi password.
- Any Linux distro will do the magic. But, I prefer kali linux.
- Wifi hacking tools (already configured in kali linux).
- A laptop/pc.
- Wi-fi Card to intercept wi-fi signals
- A hacker mindset.
Types of Wifi encryptions and their analysis
An encryption is technique or process of converting information or data into a code, especially to prevent unauthorized access.
Since the late 1990s, Wi-Fi security algorithms have undergone multiple upgrades with outright depreciation of older algorithms and significant revision to newer algorithms.
A stroll through the history of Wi-Fi security serves to highlight both what’s out there right now and why you should avoid older standards.
Wifi encryption theory and data
There are three types of wifi encryption till 2017
- WEP(Wired Equivalent Privacy)
- WPA(Wi-Fi Protected Access)
- WPA2(Wi-Fi Protected Access 2)
These wifi encryption technologies most commonly used in real world and are insecure as hell.
First is WEP and can be cracked easily when configured in-appropriately. This method of encryption can be cracked within few minutes to hours.
Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy (WEP) is the most widely used Wi-Fi security algorithm in the world in late 1999s.
This is a function of age, backwards compatibility, and the fact that it appears first in the encryption type selection menus in many router control panels.
WEP was ratified as a Wi-Fi security standard in September of 1999.
The first versions of WEP weren’t particularly strong, even for the time they were released, because U.S. restrictions on the export of various cryptographic technology led to manufacturers restricting their devices to only 64-bit encryption.
When the restrictions were lifted, it was increased to 128-bit.
Despite the introduction of 256-bit WEP encryption, 128-bit remains one of the most common implementations.
Despite revisions to the algorithm and an increased key size, over time numerous security flaws were discovered in the WEP standard and, as computing power increased
it became easier and easier to exploit them.
As early as 2001 proof-of-concept exploits were floating around and by 2005 the FBI gave a public demonstration (in an effort to increase awareness of WEP’s weaknesses)
where they cracked WEP passwords in minutes using freely available software.
Despite various improvements, work-arounds, and other attempts to shore up the WEP system.
it remains highly vulnerable and systems that rely on WEP should be upgraded or, if security upgrades are not an option, replaced. The Wi-Fi Alliance officially retired WEP in 2004.
Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access was the Wi-Fi Alliance’s direct response and replacement to the increasingly apparent vulnerabilities of the WEP standard.
It was formally adopted in 2003, a year before WEP was officially retired.
The most common WPA configuration is WPA-PSK (Pre-Shared Key). The keys used by WPA are 256-bit, a significant increase over the 64-bit and 128-bit keys used in the WEP system.
Some of the significant changes implemented with WPA included message integrity checks (to determine if an attacker had captured or altered packets passed between the access point and client) and the Temporal Key Integrity Protocol (TKIP).
TKIP employs a per-packet key system that was radically more secure than fixed key used in the WEP system. TKIP was later superseded by Advanced Encryption Standard (AES).
Despite what a significant improvement WPA was over WEP, the ghost of WEP haunted WPA. TKIP.
A core component of WPA, was designed to be easily rolled out via firmware upgrades onto existing WEP-enabled devices.
As such it had to recycle certain elements used in the WEP system which, ultimately, were also exploited.
WPA, like its predecessor WEP, has been shown via both proof-of-concept and applied public demonstrations to be vulnerable to intrusion.
Interestingly the process by which WPA is usually breached is not a direct attack on the WPA algorithm (although such attacks have been successfully demonstrated)
But by attacks on a supplementary system that was rolled out with WPA, Wi-Fi Protected Setup (WPS), designed to make it easy to link devices to modern access points.
Wi-Fi Protected Access II (WPA2)
WPA has, as of 2006, been officially superseded by WPA2.
One of the most significant changes between WPA and WPA2 was the mandatory use of AES algorithms
And the introduction of CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol) as a replacement for TKIP (still preserved in WPA2 as a fallback system and for interoperability with WPA).
Currently, the primary security vulnerability to the actual WPA2 system is an obscure one (and requires the attacker to already have access to the secured Wi-Fi network in order to gain access to certain keys and then perpetuate an attack against other devices on the network).
As such, the security implications of the known WPA2 vulnerabilities are limited almost entirely to enterprise level networks and deserve little to no practical consideration in regard to home network security.
Unfortunately, the same vulnerability that is the biggest hole in the WPA armor, the attack vector through the Wi-Fi Protected Setup (WPS), remains in modern WPA2-capable access points.
Although breaking into a WPA/WPA2 secured network using this vulnerability requires anywhere from 2-14 hours of sustained effort with a modern computer.
It is still a legitimate security concern and WPS should be disabled (and, if possible, the firmware of the access point should be flashed to a distribution that doesn’t even support WPS so the attack vector is entirely removed).
Hacking tools used in this tutorial
Now in 2017 there are tons of tools and standalone scripts to crack wifi password.
Here are few of them that we are going to use in our today’s tutorial
- Aircrack-ng suite (to hack WPA/WPA2 )
- Reaver (to hack WEP)
- Fern Wifi cracker (WPA2 and WEP Both)
You know that quote right?
Nothing is secure if you have right tools.
Note: Above are three different tools and there will be different methods to use them to breach wifi password.
Theoretical approach to hack wifi password
As you have read above. There is no method or tool that will give you 100% results. These methods and tools works but chances of cracking a wifi password are less then 30%.
Because it depends upon different factors like gpu of the machine you are using, length of the password that you have to crack. and there are so many other factors that will need an separate article to explain them.
I have hacked wifi password using these methods but not all the time i have succeeded in my approach. I have seen failures. So, don’t loose hope if that didnot work in first attempt and try harder till you succeed.
How the actual wifi password cracking is done
You have read and understand about encryptions and wifi hacking terminology. And you know what to expect. Now we are going to do practical approach to hack wifi password.
These are the best and most efective ways to crack wifi password.
Hacking wifi using Aircrack-ng suite
You can boot into kali Linux as a live boot or if you have installed kali Linux on your system then you direct fire up the kali Linux
Before launching the attack you need to know about your wireless network interface name, make your wireless card is in monitor mode.
Then get the BSSID ( it is the series of unique letters and number of a particular router) of the access point. So let us do all these things.
Find your wireless card
You can check that by typing in command in your terminal:
Start aircrack-ng suite
Inside terminal or console, type:
There you should see a list of interface names of different devices. There should be a wireless device in that list you have connected it to Kali Linux.
You will get your wifi card as Wlan0 if you have not created a monitor interface yet.
Kill the process that can stop us from monitor mode this can be done by following command
airmon-ng check kill
Enable monitor mode
Supposing your wireless card interface name as wlan0, type this command in that same console.
airmon–ng start wlan0
This code will create a new monitor mode interface wlan0mon like in the screenshot below which you want to keep note of.
Now Type the following command to get a view on the air around and check who is connected to the wifi routers around you
Search the BSSID and channel of the Access Point
Now let’s find the information. Type the following Command in terminal
airodump–ng wlan0mon –c 6
Then you will see a list of Wireless Networks available around you and please keep note of the BSSID and channel of the ESSID (wireless network) you want to crack.
Please note that the less the number is in the PWR column the close you are to the router; example mine is (-42) which means I am quite near to the router.
When you find it hit CTrl+C to stop it scanning and enter the following:
airodump–ng —bssid (AP BSSID address) –c (chaneel no) –w (file name you want to save with) (monitorinterface)
airodump–ng —bssid 54:E6:FC:E0:AC:FC –c 1 –w thzone wlan0mon
Capture the handshake to hack wifi
Now, its time to capture a handshake so that we can use it to get the plain password of the network.
Here is a little tricky part, if there is a client connected to the network then there will a mac address listed in the “station column”
if not then you will have to wait for someone to connect it to get the 4-way handshake.You will get the handshake if anyone tries to connect to that network.
But, if there is someone connected to the network then you can de-authenticate him so that he will try to reconnect and you will be able to get the handshake.
To de-authenticate him enter the following code in a new console. But, before taking note of the Mac Address of the station.
aireplay–ng –a (BSSID of the network) –c (MAC address of the client) –0 20 (for deauntheticate “20” forno of packets to send) (monitor interface)
You can send any no of packets but few packets would be enough. In the image, I have sent 20 packets it is better you send few packets and only and if you don’t get the handshake
you can hit Ctrl+C to stop the process and redo it again.
aireplay–ng –a 54:E6:FC:E0:AC:FC –c 9C:4E:36:4E:F5:F0 –0 20 wlan0mon
Now it will send deauthentication packet and if you are close to the network and if everything goes right then he will get disconnected and will try to connect again
And we will get the 4-way handshake file in the top right corner of the airodump screen as shown below.
But, the client should also be physically close to your wireless adapter network range so that it can de-authenticate them.
cracking handshake hash file using aircrack-ng
Now it’s time to crack the 4-way handshake which is little difficult to do. There are lots of ways to do it but I will show you the simple one.
First, let us see where is our saved .cap(4-way handshake) file so please enter the following: ls
It will show you the list of files in your Desktop in the terminal. The screen would look like this.or you can check directly by browser like in screenshot
Now, lets brute force the thzone.01.cap file using aircrack-ng. You will need a Dictionary or word list file to get it work. There are few of them already in the Kali Linux but you can download more.
Aircrack simply tries to match the word from the dictionary to the .cap file and if matched then it will show the password but if the word is not in the dictionary then it will fail.
We are using the thzone_wordlist.txt password list which can be found in ‘/root/thzone_wordlist.txt” of Kali Linux you can create your own wordlist by using the following tutorial on wordlist creation in kali Linux.
Enter the following command
aircrack–ng –w ‘/root/thzone_wordlist.txt’ thzone.01.cap
Depending upon the speed of your CPU and the size of the password file it could take a lot of time. The -01 is automatically added by the Kali Linux and everything is case sensitive. After executing this command the screen will look like this.
If the key is found then it will say, “KEY FOUND!” and if not it will say, The pass-phrase is not in the Dictionary or something like this. So, if it is not found then you can try to bruteforce it by trying every combination of word which will take lots of time.
Reaver to hack wifi password
As reaver is already installed in kali Linux We should get to the process of wifi password hacking.If you have root access to kali Linux then you can use commands without sudo and if you are a simple user then you should use these commands
sudo iwlist scan wlan
Set your device into monitor mode.
sudo airmon-ng start wlan0
Run the tool against an access point.
reaver -i wlan0mon -b <MA:CA:DD:RE:SS:XX> -vv
after running this command this tool will automatically hack wifi which have WEP security configured
Hack WPA2 wifi password using Fern wifi cracker
Fern Wi-fi Cracker can crack WEP, WPA, and WPA2 secured wireless networks.
Fern basically takes the command line utilities to crack these networks and puts them in a GUI. Very simple to use… scary easy! Fern also provides some extra functionality for hijacking sessions and locating a computers geolocation via its Mac address.
Plug in the USB wireless adapter (I’m using the Alfa AWUS036H 802.11b/g USB wireless adapter) and open the Terminal and run iwconfig to verify the USB adapter interface.
Select the Interface and Fern enables monitor mode. If your wireless interface does not show in the list hit the Refresh button and try again.
Before starting the scan double-click on any blank area of the Fern home screen to bring up the Access Point Scan Preferences screen.
You can set the channel option to scan a single channel or leave it at the default All Channels. One nice feature is to check the Enable XTerms option which will have Fern open up the Terminal windows during its usage to see what the program is doing in the background.
Back on the Fern home screen click the Scan for Access points button.
Two Terminal windows will open; one showing the WEP enabled networks
And another showing the WPA enabled networks. The top part of the WPA Scan Terminal window shows the networks being found, and the lower part shows any connected client devices.
For a WPA attack to work, it requires a connected client.
The most important part of the attack will kick the client off the wireless network and capture the 4-way handshake when the client device re-authenticates to the network.
On Ferns home screen the networks being detected will start populating next to the WiFi WEP or WiFi WPA buttons.
Clicking on the WiFi WEP or WiFi WPA button will bring up the Attack screen and the top pane will list the networks found.
Select the AP to crack, but before clicking the Attack button to the right let’s go over a couple of settings.
I will use the Regular Attack option, but there is a WPS Attack option and I believe Fern uses the Reaver utility to launch the WPS attack as we have done above with reaver this tool will do it in gui and automate the process.
Common.txt is the wordlist that comes with the Fern program, but any wordlist you download or have created on your own can be used by hitting the Browse button and pointing Fern to the alternative wordlist file.
With the Regular Attack and the wordlist selected hit the Attack button.
Fern will start the attack and on the left side of the screen, the attack steps will turn yellow as Fern works through the various steps.
The most important step is capturing the 4-way handshake and Fern will open an aireplay-ng Terminal window showing the progress of deauthentication of the connected client.
It may take several attempts to deauth a client and capture the 4-way handshake.
Once Fern has captured the handshake it will start the brute force attack. Viola! If the WPA key is in the wordlist being used it will display the found key in Red.
As I mentioned I setup a passphrase I knew would be found quickly, and from the start, to finish this attack took under 4 minutes!
Back on the Fern main screen is a Key Database button and it now shows one entry.
Clicking the Key Database button will display the found keys.
At the End (Conclusion)
So here it is congratulation you became a wifi hacker. You can proudly say that you are an wifi ethical hacker.Just practice this on an authorized wifi network to remember the commands and you are good to go.
How was it do you feel already like an hacker?
Let me know how the attack goes did it work or not, in the comment section below.