Internet connection has become a basic need in our advanced modern lives. A couple of networks like wired and wireless have been used so as make use of Internet in the best way. Wireless networks have become most common at workplaces for business and home-based works. Usage of wireless networks is robust and at the same time it is not highly secured. Hacking wireless networks is relatively easy when compared to wired networks. Many Hacking tools, software and techniques have been used by many hackers that crack a high secured Wi-Fi Network.
Most of the people are very much interested in hacking the Wi-Fi networks, but it may not be for illegal activities. Strong Encryption techniques have been developed in order to secure Wi-Fi networks. There are different types of Encryption from which three basic security encryption are most common.
Wi-Fi Security: Methods of Encryption
Before cracking a Wi- Fi network, you must be aware of basic encryption techniques that protect a Wi-Fi network. These three methods of encryption are the major sources of vulnerability associated with wireless networks. The different types of Wireless Encryption Security techniques include the following:
WEP: WEP is Wired Equivalent Privacy that can be cracked easily when configured appropriately. This method of encryption can be cracked within few minutes.
WPA: WPA is Wi-Fi Protected Access that provides strong security. Even then, there is possibility to crack if the Wi-Fi password if short. However, wireless networks can be hacked easily using various tools.
WPA2: WPA2 is Wi-Fi Protected Access 2 that also eventually provides high security. You can hack this method of Wi-Fi encryption at the time of packet generation from Wi-Fi access points.
Method 1: Hack Wifi Password Using Airgeddon
You can check out the Airgeddon GitHub page for more about which Airgeddon will work with.
To start using the Airgeddon wireless attack framework, we’ll need to download Airgeddon and any needed programs. The developer also recommends downloading and installing a tool called CCZE to make the output easier to understand. You can do so by typing apt-get install ccze a terminal window. Next, we’ll install Airgeddon, change directories, and start Airgeddon with the following commands.
git clone github.com/v1s1t0r1sh3r3/airgeddon.git
sudo bash ./airgeddon.sh
If you see the alien spaceship, you know you’re ready to hack.
Step 3: Configure Airgeddon
Press enter to check the various tools the Airgeddon framework relies on. If you’re missing any, you can open a new terminal window and type apt-get install tool, substituting “tool” for the name of the missing tool. If that doesn’t work, you can also try sudo pip install tool.
When you have all of the tools, proceed to the next step by pressing return. Otherwise, you may experience problems during your attack, especially if you are missing dnsspoof.
Next, the script will check for internet access so it can update itself if a newer version exists. When this is done, press enter to select the network adapter to use.
After we select our wireless network adapter, we’ll proceed to the main attack menu.
Press 2 to put your wireless card into monitor mode. Next, select option 7 for the “Evil Twin attacks” menu, and you’ll see the submenu for this attack module appear.
Step 4: Select the Target
Now that we’re in our attack module, select option 9 for the “Evil Twin AP attack with a captive portal.” We’ll need to explore for targets, so press enter, and you’ll see a window appear that shows a list of all detected networks. You’ll need to wait for a little to populate a list of all the nearby networks.
After this runs for about 60 seconds, exit out of the small window, and a list of targets will appear. You’ll notice that networks with someone using them appear in yellow with an asterisk next to them. This is essential since you can’t trick someone into giving you the password if no one is on the network in the first place.
Select the number of the target you wish to attack, and press enter to proceed to the next screen.
Step 5: Gather the Handshake
Now, we’ll select the type of de-authentication attack we want to use to kick the user off their trusted network. I recommend the second option, “Deauth aireplay attack,” but different attacks will work better depending on the network.
Press enter once you’ve made your selection, and you’ll be asked if you’d like to enable DoS pursuit mode, which allows you to follow the AP if it moves to another channel. You can select yes (Y) or no (N) depending on your preference, and then press enter. Finally, you’ll select N for using an interface with internet access. We won’t need to for this attack, and it will make our attack more portable to not need an internet source.
Next, it will ask you if you want to spoof your MAC address during this attack. In this case, I chose N for “no.”
Now, if we don’t already have a handshake for this network, we’ll have to capture one now. Be VERY careful not to accidentally select Y for “Do you already have a captured Handshake file?” if you do not actually have a handshake. There is no clear way to go back in the script without restarting if you make this mistake.
Since we don’t yet have a handshake, type N for no, and press enter to begin capturing.
Once the capture process has started, a window with red text sending deauth packets and a window with white text listening for handshakes will open. You’ll need to wait until you see “WPA Handshake:” and then the BSSID address of your targeted network. In the example below, we’re still waiting for a handshake.
Once you see that you’ve got the handshake, you can exit out of the Capturing Handshakewindow. When the script asks you if you got the handshake, select Y, and save the handshake file. Next, select the location for you to write the stolen password to, and you’re ready to go to the final step of configuring the phishing page.
Step 6: Set Up the Phishing Page
In the last step before launching the attack, we’ll set the language of the phishing page. The page provided by Airgeddon is pretty decent for testing out this style of attack. In this example, we’ll select 1 for English. When you’ve made your selection, press enter, and the attack will begin with six windows opening to perform various functions of the attack simultaneously.
Step 7: Capture Network Credentials
With the attack underway, the victim should be kicked off of their network and see our fake one as the only seemingly familiar option. Be patient, and pay attention to the network status in the top right window. This will tell you when a device joins the network, allowing you to see any password attempts they make when they’re routed to the captive portal.
When the victim joins your network, you’ll see a flurry of activity like in the picture below. In the top-right corner, you’ll be able to see any failed password attempts, which are checked against the handshake we gathered. This will continue until the victim inputs the correct password, and all of their internet requests (seen in the green text box) will fail until they do so.
When the victim caves and finally enters the correct password, the windows will close except for the top-right window. The fake network will vanish, and the victim will be free to connect back to their trusted wireless network.
The credentials should be displayed in the top-right screen, and you should copy and paste the password into a file to save, in case the script doesn’t save the file correctly. This sometimes happens, so make sure not to forget this step or you might lose the password you just captured.
After this, you can close the window, and close down the tool by pressing Ctrl + C. If we get a valid credential in this step, then our attack has worked, and we’ve got the Wi-Fi password by tricking the user into submitting it to our fake AP’s phishing page.
Method 2: Hack Wifi Password Using Fluxion
Fluxion evolved from an advanced social engineering attack named Lindset, where the original tool was written mostly in Spanish and suffered from a number of bugs. Fluxion is a rewritten attack to trick inexperienced users into divulging the password/passphrase of the network.
Fluxion is a unique tool in its use of a WPA handshake to not only control the behavior of the login page, but the behavior of the entire script. It jams the original network and creates a clone with the same name, enticing the disconnected user to join. This presents a fake login page indicating the router needs to restart or load firmware and requests the network password to proceed. Simple as that.
The tool uses a captured handshake to check the password entered and continues to jam the target AP until the correct password is entered. Fluxion uses Aircrack-ng to verify the results live as they are entered, and a successful result means the password is ours.
To get Fluxion running on our Kali Linux system, clone the git repository with:
Note: The developer of Fluxion shut down the product recently, but you can get an older version of it using the command above instead (not the URL you see in the image below).
Then, let’s check for missing dependencies by navigating to the folder and starting it up for the first time.
You’ll likely see the following, where some dependencies will be needed.
Run the installer to fetch dependencies and set your board to green with:
A window will open to handle installing the missing packages. Be patient and let it finish installing dependencies.
After all the dependencies are met, our board is green and we can proceed to the attack interface. Run the Fluxion command again with sudo ./fluxion to get hacking.
Step 2: Scan Wi-Fi Hotspots
The first option is to select the language. Select your language by typing the number next to it and press enter to proceed to the target identification stage. Then, if the channel of the network you wish to attack is known, you may enter 2 to narrow the scan to the desired channel. Otherwise, select 1 to scan all channels and allow the scan to collect wireless data for at least 20 seconds.
A window will open while this occurs. Press CTRL+C to stop the capture process whenever you spot the wireless network that you want. It is important to let the attack run for at least 30 seconds to reasonably verify if a client is connected to the network.
Step 3: Choose Your Target AP
Select a target with active clients for the attack to run on by entering the number next to it. Unless you intend to wait for a client to connect (possibly for a long time), this attack will not work on a network without any clients. Without anyone connected to the network, who would we trick into giving us the password?
Step 4: Select Your Attack
Once you’ve typed the number of the target network, press enter to load the network profile into the attack selector. For our purpose, we will use option 1 to make a “FakeAP” using Hostapd. This will create a fake hotspot using the captured information to clone the target access point. Type 1 and press enter.
Step 5: Get a Handshake
In order to verify that the password we receive is working, we will check it against a captured handshake. If we have a handshake, we can enter it at the next screen. If not, we can press enter to force the network to provide a handshake in the next step.
Using the Aircrack-ng method by selecting option 1 (“aircrack-ng”), Fluxion will send deauthentication packets to the target AP as the client and listen in on the resulting WPA handshake. When you see the handshake appear, as it does in the top right of the screenshot below, you have captured the handshake. Type 1 (for “Check handshake”) and enter to load the handshake into our attack configuration.
Step 6: Create the Fake Login Page
Select option 1, “Web Interface,” to use the social engineering tool.
You will be presented with a menu of different fake login pages you can present to the user. These are customizable with some work, but should match the device and language. The defaults should be tested before use, as some are not very convincing.
I chose an English language Netgear attack. This is the final step to arm the attack; At this point, you are ready to fire, so press enter to launch the attack. The attack spawns multiple windows to create a cloned version of their wireless network while simultaneously jamming the normal access point, enticing the user to join the identically named, but unencrypted, network.
Step 7: Capture the Password
The user is directed to a fake login page, which is either convincing or not, depending on which you chose.
Entering the wrong password will fail the handshake verification, and the user is prompted to try again. Upon entering the correct password, Aircrack-ng verifies and saves the password to a text file while displaying it on the screen. The user is directed to a “thank you” screen as the jamming ceases and the fake access point shuts down.
You can verify your success by checking the readout of the Aircrack-ng screen.
Congratulations, you’ve succeeded in obtaining and verifying a password, supplied by targeting the “wetware.” We’ve tricked a user into entering the password rather than relying on a preexisting flaw with the security.
Method 3: Hack Wifi Password Using Wifi Phisher
The idea here is to create an evil twin AP, then de-authenticate or DoS the user from their real AP. When they re-authenticate to your fake AP with the same SSID, they will see a legitimate-looking webpage that requests their password because of a “firmware upgrade.” When they provide their password, you capture it and then allow them to use the evil twin as their AP, so they don’t suspect a thing. Brilliant!
To sum up, Wifiphisher takes the following steps:
- De-authenticate the user from their legitimate AP.
- Allow the user to authenticate to your evil twin.
- Offer a webpage to the user on a proxy that notifies them that a “firmware upgrade” has taken place, and that they need to authenticate again.
- The Wi-Fi password is passed to the hacker and the user continues to the web oblivious to what just happened.
Similar scripts have been around for awhile, such as Airsnarf, but this new Wifiphisher script is more sophisticated. In addition, you could always do this all manually, but now we have a script that automates the entire process.
To begin, fire up Kali and open a terminal. Then download Wifiphisher from GitHub and unpack the code.
kali > tar -xvzf /root/wifiphisher-1.1.tar.gz
As you can see below, I have unpacked the Wifiphisher source code.
Alternatively, you can clone the code from GitHub by typing:
kali > git clone https://github/sophron/wifiphisher
Step 2: Navigate to the Directory
Next, navigate to the directory that Wifiphisher created when it was unpacked. In my case, it is /wifiphisher-1.1.
kali > cd wifiphisher-.1.1
When listing the contents of that directory, you will see that the wifiphisher.py script is there.
kali > ls -l
Step 3: Run the Script
You can run the Wifiphisher script by typing:
kali > python wifiphisher.py
Note that I preceded the script with the name of the interpreter, python.
The first time you run the script, it will likely tell you that “hostapd” is not found and will prompt you to install it. Install by typing “y” for yes. It will then proceed to install hostapd.
When it has completed, once again, execute the Wifiphisher script.
kali > python wifiphisher.py
This time, it will start the web server on port 8080 and 443, then go about and discover the available Wi-Fi networks.
When it has completed, it will list all the Wi-Fi networks it has discovered. Notice at the bottom of my example that it has discovered the network “wonderhowto.” That is the network we will be attacking.
Step 4: Send Your Attack & Get the Password
Go ahead and hit Ctrl + C on your keyboard and you will be prompted for the number of the AP that you would like to attack. In my case, it is 12.
When you hit Enter, Wifiphisher will display a screen like the one below that indicates the interface being used and the SSID of the AP being attacked and cloned.
The target user has been de-authenticated from their AP. When they re-authenticate, they will directed to the the cloned evil twin access point.
When they do, the proxy on the web server will catch their request and serve up an authentic-looking message that a firmware upgrade has taken place on their router and they must re-authenticate.
When the user enters their password, it will be passed to you through the Wifiphisher open terminal, as seen below. The user will be passed through to the web through your system and out to the Internet, never suspecting anything awry has happened.