The most common types of wireless security are Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is a notoriously weak security standard. The password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WPA was a quick alternative to improve security over WEP.
Cracking a wireless network means defeating the security controls of a wireless local-area network (WLAN). WLANs, also called Wi-Fi networks, are inherently exposed to security lapses because anyone within radio range can receive their traffic.
There are two basic types of vulnerabilities associated with WLANs: those caused by poor configuration and those caused by weak encryption.
So let's get to the demo! The actual process goes as described below.
STEP 1: Put the Wi-Fi Adapter in Monitor Mode with airmon-ng
Let's start the whole process by putting our wireless adapter in monitor mode. This is similar to putting a wired adapter into promiscuous mode: it allows us to see all the wireless traffic, i.e. the Wi-Fi networks, around us. So let's open a terminal and type:
airmon-ng start wlan0
Now you can observe that airmon-ng has changed your wlan0 adapter name to wlan0mon or mon0, depending on your wireless adapter and driver. If airmon-ng reports any conflicting processes, kill those processes by typing
STEP 2: Capture Available Wireless Traffic using airodump-ng
As our wireless adapter is in monitor mode, it can see all the wireless traffic nearby. We can capture the required traffic using the airodump-ng command.
airodump-ng grabs all the traffic nearby and displays critical information about the wireless networks, including the BSSID (the MAC address of the AP), signal power, number of beacons, number of data frames, channel, transfer rate, encryption status (if any), and finally the ESSID, the name of the wireless network, which most people refer to as the SSID. We can use airodump-ng by typing
Now we can see the APs in the proximity of our hacking station. All the visible APs are listed in the upper part of the screen, and the clients connected to the respective APs are listed in the lower portion of the screen.
STEP 3: Force airodump-ng to Focus on the Required AP and One Channel
In this step, we focus airodump-ng on the single AP, and the single channel, that we're trying to hack, and capture critical data from it. We need the BSSID and the channel of the AP to do this. So, open another terminal and type
airodump-ng --bssid 5C:F1:88:89:7F:E2 -c 1 --write WPAhack wlan0mon
- 5C:F1:88:89:7F:E2 is the BSSID of the AP
- -c 1 is the channel of the AP we are working on
- WPAhack is the file we want to write to
- wlan0mon is the monitoring wireless adapter
As you can see from the above screenshot, we're now focusing on capturing data from one AP with an ESSID of sredsredsred on channel 6. We get far more of the critical information by forcing airodump-ng onto a single channel rather than letting it hop across all the channels.
STEP 4: Kick the Client(s) off the Victim Wi-Fi using aireplay-ng
The packets that carry the (encrypted) password material are only exchanged when a client authenticates. For this to happen, we first have to kick a client off the victim's Wi-Fi network so that a four-way handshake occurs when it reconnects. So, we usually DoS the network to kick all the users, or a single user by specifying the address of the victim client. To do this, let's type
aireplay-ng --deauth 100 -a 5C:F1:88:89:7F:E2 wlan0mon
- 100 is the number of deauthentication frames you want to send
- 5C:F1:88:89:7F:E2 is the BSSID of the AP
- wlan0mon is the monitoring wireless adapter
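A deauthentication flood like the one in this step is easy to spot on the defending side, because a legitimate AP or client sends a handful of deauthentication frames at most, never a hundred in a row. The following is an added example, not code from the original post or from the aircrack-ng project: it parses the fixed 802.11 MAC header of constructed management frames and flags any (BSSID, target) pair whose deauthentication count exceeds a threshold. Frame layout and the sample frames are constructed inline; the BSSID is the one used above, and the threshold is an assumption.

```python
import struct
from collections import Counter

# 802.11 frame control: type 0 = management; subtype 12 = deauthentication, 8 = beacon.
MGMT_TYPE = 0
DEAUTH_SUBTYPE = 12
BEACON_SUBTYPE = 8

def parse_80211_header(frame: bytes):
    """Parse the fixed MAC header: frame control (2), duration (2), addr1-3 (18), seq ctrl (2).
    Returns (type, subtype, addr1, addr2, addr3) or None if the frame is too short."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    addr1, addr2, addr3 = (frame[i:i + 6].hex(':') for i in (4, 10, 16))
    return ftype, subtype, addr1, addr2, addr3

def deauth_flood_report(frames, threshold=10):
    """Count deauthentication frames per (BSSID, target address) and return the pairs
    at or above threshold. addr3 is the BSSID, addr1 the destination (possibly broadcast)."""
    counts = Counter()
    for frame in frames:
        parsed = parse_80211_header(frame)
        if parsed is None:
            continue
        ftype, subtype, addr1, _addr2, addr3 = parsed
        if ftype == MGMT_TYPE and subtype == DEAUTH_SUBTYPE:
            counts[(addr3, addr1)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

def build_frame(ftype, subtype, addr1, addr2, addr3, body=b""):
    """Construct a minimal 802.11 frame for sample input (constructed, not a real capture)."""
    fc = (subtype << 4) | (ftype << 2)
    mac = lambda a: bytes.fromhex(a.replace(":", ""))
    return struct.pack("<BBH", fc, 0, 0) + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00" + body

AP = "5c:f1:88:89:7f:e2"        # BSSID from the airodump-ng step above
BCAST = "ff:ff:ff:ff:ff:ff"
CLIENT = "00:11:22:33:44:55"    # constructed client address
REASON_CLASS3 = b"\x07\x00"     # reason code 7, class 3 frame from non-associated STA

# Constructed sample: 100 broadcast deauths (aireplay-ng --deauth 100), a few beacons,
# and one ordinary deauth of a single client that should not be flagged.
SAMPLE_FRAMES = (
    [build_frame(MGMT_TYPE, DEAUTH_SUBTYPE, BCAST, AP, AP, REASON_CLASS3)] * 100
    + [build_frame(MGMT_TYPE, BEACON_SUBTYPE, BCAST, AP, AP)] * 5
    + [build_frame(MGMT_TYPE, DEAUTH_SUBTYPE, CLIENT, AP, AP, REASON_CLASS3)]
)

if __name__ == "__main__":
    print(deauth_flood_report(SAMPLE_FRAMES))
```

The same counting over a live capture gives a defender a concrete alert; enabling Protected Management Frames (802.11w) on the AP stops forged deauthentication frames from being honoured in the first place.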
STEP 5: Capture the 4-Way Handshake
In the previous step, we bounced the user off their own AP, and their device now usually tries to re-authenticate automatically. airodump-ng will attempt to capture the 4-way handshake that carries the encrypted password material. We can check the progress in the top right corner of the airodump-ng screen, where "WPA handshake" appears once it has been captured.
STEP 6: Crack the Captured Password using aircrack-ng
As we now have the encrypted password, let's try cracking it using the aircrack-ng tool, available in Kali as aircrack-ng or as darkc0de in BackTrack. We had already saved the captured handshake under the name WPAhack. So, let's start it by typing
aircrack-ng WPAhack-01.cap -w /usr/share/wordlists/rockyou.txt.gz
- WPAhack-01.cap is the name of the file in which we previously saved the captured handshake
- /usr/share/wordlists/rockyou.txt.gz is the path to our password file, or wordlist
The whole process of cracking can be relatively slow.
When it successfully cracks the password, we'll see it on the screen. If the choice of password file or wordlist matters, it is better to use a default wordlist such as rockyou.txt, which ships with Kali; that can save some time here.