When it comes to learning pen-testing, one of the most frequently asked questions we receive
is, “how do I hack WiFi?” It is often the first hands-on challenge aspiring hackers want to try.
Your being here is proof positive.
That’s great! Hacking WiFi is a fantastic exercise. It’s a chance for you to learn command
line tools, wireless protocols, enumeration, and password cracking. In this article, we’ll
teach all these things to you. We’ll discuss the technology, how the attacks work, and
what hardware you need. Finally, we’ll set up a lab and practice it together.
So get ready because we’re going to teach you how to hack WiFi with Kali Linux.
Disclaimer
We want to be absolutely clear on this point. As much fun as it might seem to hack into your
neighbor's wireless network or a secured network at a friend’s house, hotel, or other location,
don’t do it. You need to have permission from the network owner if you are to do any kind of
hacking or penetration testing on their systems.
It might not seem like a big deal, but hacking a system without permission can hold
extremely steep legal penalties, including jail time, depending on your location.
Such laws include:
- The Computer Fraud and Abuse Act (United States)
- Sections 184, 342.1, 380, and 430 of the Criminal Code of Canada (Canada)
- Computer Misuse Act 1990 (England)
- Sec. 202a and 202b of the German Criminal Code (Germany)
- Information Technology Act Sec. 43 and 66 (India)
- The Act on the Prohibition of Unauthorised Computer Access (Japan)
Before We Begin
There’s some background we need to cover before you can start hacking. This will include
the necessary hardware, software, and an understanding of wireless technologies and
dictionary attacks.
Required Hardware
To hack a wireless network, you need a wireless card with two features:
- Make sure your card supports monitor mode/promiscuous mode
- Make sure your card is capable of performing packet injection
We have bad news for you. It is almost certain that your onboard network card is incapable
of this. You will need to purchase an external network adapter - and it has to have these
specific (and uncommon) abilities.
For this article, we will be using Kali Linux with the ALFA AWUS036NEH Long Range
adapter. This particular adapter is now end-of-life and discontinued, but it still serves its
purpose. You can see our top choices for Kali Linux-compatible WiFi
adapters here.
Specifically, we are using this adapter with Kali Linux 2022.4 running in VirtualBox on
a Razer Blade 15 2018 Basic laptop.
Set Up Kali
If you don’t have Kali Linux installed, see our article How To Install Kali Linux on VirtualBox.
To connect your wireless adapter, follow these steps.
First, make sure your virtual machine instance is shut down.
Next, plug in your USB network adapter.
Now go to the VirtualBox manager. Select your Kali instance, click the list icon, and choose
Details.
You will now see a page giving you various details about your virtual machine instance,
such as the base memory, any shared folders connected to it, and the hard disk details.
Click on USB to bring up the USB settings menu. Now click the green plus sign on the
right-hand side.
You want to add your new network adapter. It may not list the manufacturer, but instead
list the chipset, as you can see in our image below. Once selected, click OK.
Back on the manager window, click Network this time. We want to disable all network
adapters for this virtual machine, so uncheck Enable Network Adapter in all four tabs.
Click OK. Now all communication will be through our wireless card.
Once done, Kali is ready.
Different Wireless Technologies
We won’t go into the entire history of the 802.11 wireless standards.
Instead, we’re just going to talk about encryption.
There are several encryption types to choose from when securing a wireless network.
Those include
- WEP
- WPA
- WPA2
- WPA2 Enterprise
WEP stands for Wired Equivalent Privacy. Despite the name, it is far from being as
private as a wired connection. It is completely deprecated, as it can be hacked in
literally seconds. Some routers will still come with it as an option for legacy reasons. Never
use it. Most businesses know better. If you see it on a penetration test, you can clock out
early that afternoon, as it is the easiest wireless hack you’ll ever perform.
The common encryption methods you will run into are WPA2 and WPA2 Enterprise. The
difference between them, in a very high-level and simplified explanation, is the Enterprise
version will have a secure login for every member of the domain. This means instead of one
password to access the WiFi for everyone (like you would see at home), each user would
have their own username and password.
Attacking WPA2 Enterprise is beyond the scope of this article. Many small to
medium-sized businesses and many home routers are likely to be set to WPA2, which is what
we will be hacking today.
What Are Dictionary Attacks?
A dictionary attack is the process of running through a preset list of words to see if any
match the password you are looking to crack. For this, you need a password list to try.
This differs from a brute force attack, which tries every combination of characters based on
the rules you prescribe. For example, if you know the password is between six and eight
characters and contains upper and lower case letters and numbers but no special characters,
the brute force attack might try “Aaaaa1,” “AAaaa1,” “AAAaa1,” etc., until it finds a match.
Each attack has its benefits and drawbacks. A brute force attack is guaranteed to work
eventually. The problem is that a complex password (12 characters, upper and lower case letters
with numbers and symbols) could literally take tens of thousands of years to crack with
current technology. We doubt you’ll want to sit that long to get WiFi access.
A dictionary attack is only as strong as its password list. However, if the password is on that
list, the cracking will be much faster. There are many bad password policies in place, and
while people are getting better at protecting their email and other online accounts, things like
WiFi still take a back seat.
For our lab, we will be using a password list included with Kali Linux. You can find it here:
/usr/share/wordlists/fern-wifi/common.txt
It contains 477 passwords, which is fine for our practice lab. When trying this for real, have
many different password lists handy. Start with the smaller ones and hope for a quick win;
if that doesn’t work, try larger ones. You can also check whether the company has had a security
breach before; you might find some passwords they’ve used in the past sitting online.
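To put numbers on the comparison between the two attacks, here is an added example in Python (not from the original article): it computes the size of the brute-force keyspace for the character rules described above, measures how many WPA2 Pairwise Master Keys this CPU can derive per second (the PBKDF2 step that every guess against WPA2-Personal has to pay for), and checks a candidate passphrase against a wordlist before it goes onto a router. The PMK derivation follows the IEEE 802.11i definition; the SSID, the wordlist entries and the throwaway guesses are constructed.

```python
# Added example, not from the original article: price a brute-force search
# against WPA2-Personal and audit a candidate passphrase against a wordlist.
# The SSID, wordlist entries and sample passphrases below are constructed.
import hashlib
import string
import time

ALNUM = string.ascii_letters + string.digits          # 62 symbols
PRINTABLE = ALNUM + string.punctuation                # 94 symbols


def keyspace(min_len: int, max_len: int, alphabet: str = ALNUM) -> int:
    """Number of candidates a brute-force search must cover for every
    length from min_len to max_len over the given alphabet."""
    n = len(alphabet)
    return sum(n ** length for length in range(min_len, max_len + 1))


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key per IEEE 802.11i: PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 rounds, 256-bit output. Every
    dictionary or brute-force candidate costs at least one of these."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def guesses_per_second(ssid: str, samples: int = 50) -> float:
    """Measure how many PMK derivations this CPU manages per second."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate{i}", ssid)           # constructed throwaway guesses
    return samples / (time.perf_counter() - start)


def years_to_exhaust(space: int, rate: float) -> float:
    """Wall-clock years needed to try every candidate at `rate` guesses/second."""
    return space / rate / (365 * 24 * 3600)


def in_wordlist(passphrase: str, wordlist_lines) -> bool:
    """True if the passphrase appears verbatim in a one-entry-per-line wordlist."""
    return any(line.rstrip("\r\n") == passphrase for line in wordlist_lines)


if __name__ == "__main__":
    ssid = "Panic_at_the_Cisco"                    # constructed lab SSID
    rate = guesses_per_second(ssid)
    print(f"{rate:,.0f} PMK guesses per second on this CPU")
    short = keyspace(6, 8)                         # the 6-8 character alphanumeric rule above
    print(f"6-8 alphanumerics: {short:,} candidates, "
          f"{years_to_exhaust(short, rate):,.1f} years to exhaust")
    long_ = keyspace(12, 12, PRINTABLE)            # 12 characters including symbols
    print(f"12 printable chars: {long_:.3g} candidates, "
          f"{years_to_exhaust(long_, rate):.3g} years to exhaust")
    # Audit a passphrase before putting it on a router. In the lab you would
    # open /usr/share/wordlists/fern-wifi/common.txt; this stand-in list is constructed.
    sample_list = ["password\n", "w0rkplac3rul3s\n", "letmein\n"]
    print("w0rkplac3rul3s in wordlist:", in_wordlist("w0rkplac3rul3s", sample_list))
```

The measured rate is for a single CPU core in pure PBKDF2; GPU crackers are orders of magnitude faster, so read the years figure as a comparison between the two password rules rather than a promise. The point the numbers make is the one in the text: length and character variety defeat brute force, while only absence from wordlists defeats a dictionary attack, so check both before choosing a passphrase.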
Setting Up Our Practice Lab
Since we don’t want to try and hack any of our neighbors, we’ll set up a practice lab to hack
into.
There is a caveat we want to mention before going further.
If you set up your actual router with a vulnerable password, you are putting your network at
risk. We instead recommend finding an old router collecting dust that you can use solely for
the purpose of this lab.
We also want to point out that if this router is in any way connected to your home network, it
is still a vulnerable access point. You also run the risk of creating a rogue DHCP server, which
can cause issues with your home network.
The best scenario is a separate router not connected to the internet or any other device in
your home. All we need is for it to broadcast WiFi. We will connect a single wireless device to
it for testing purposes, like a cellphone, when the time is right.
We can’t walk through the setup wizard for every possible router, but they all function similarly.
Check your manufacturer’s website for details on logging into the administrator controls.
Usually, you connect a computer physically to the router and go to 192.168.0.1 or a similar
IP address.
If your router is in a factory default state, it will likely prompt you to set up your network.
There are a few specific settings we want to prepare.
First, set any network name you want. Some recommendations include:
- Drop_it_like_its_hotspot
- Panic_at_the_Cisco
- Keep_it_on_the_download
- Wi-Fight_this_feeling
Second, choose a password from the password list we mentioned in the previous section.
In our lab, we went with w0rkplac3rul3s.
Lastly, make sure the security mode is set to WPA2-Personal.
Confirm you can discover this network with other devices, and you’re ready to go.
How to Hack WiFi With Kali Linux
We’re now going to go through the step-by-step process of hacking a WPA2-Personal WiFi network.
Promiscuous Mode
In most cases, a network card only listens for traffic sent to its MAC Address. Promiscuous
mode (also called monitor mode) tells the card to listen to all traffic, not just traffic directed to it.
Let’s switch to root using the command sudo su. You will be prompted for your Kali password.
Use ifconfig to see what our network card is. We see below it’s wlan0.
Using iwconfig we see the adapter is currently in managed mode (not monitor).
We will use Airmon-NG to put the adapter into monitor mode.
First, we end any processes that might interfere using the command
airmon-ng check kill
Then change the adapter’s mode using
airmon-ng start wlan0
Use whatever your adapter name is, if different. Your adapter name will change, adding the
letters “mon” to the end (for monitor). In our case, it became wlan0mon.
Scanning For Networks
Now that we are in monitor mode, we can begin scanning. We will use the program
Airodump-NG, with the -i flag to indicate the interface to listen on, then the name of our
interface (which in our case is wlan0mon).
airodump-ng -i wlan0mon
We are picking up all kinds of traffic. Let’s examine what we see.
- BSSID is the MAC address of the access points we can see.
- CH is the channel they are running on (WPA2 typically runs on channel 1, 6, or 11).
- ENC is the encryption method. In this picture we see two open networks, and many WPA2.
- AUTH is the authentication method used to connect to the network. PSK stands for pre-shared key.
- ESSID is the common name of the wireless network. We can see our target network, as well as the MAC address and the channel it is running on.
- STATION lists the MAC address of devices connected to the different networks.
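The columns above are airodump-ng's live screen, but the same data is written to a .csv file next to the .cap whenever airodump-ng runs with --write, and that file is the easiest way to audit a site survey. The following is an added example in Python (not from the original article or the aircrack-ng project): it parses that CSV layout, attaches each associated station to its access point, and flags access points that are open or still use WEP, the encryption the article says never to use. The sample CSV, its MAC addresses and its SSIDs are constructed; the column order is the one airodump-ng writes.

```python
# Added example, not from the original article: parse the CSV that
# airodump-ng --write produces and audit it for weak encryption.
# The capture below is constructed in airodump-ng's CSV layout.
from dataclasses import dataclass, field

SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:11:22:33:44:01, 2023-03-01 10:00:00, 2023-03-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,  18, Panic_at_the_Cisco, 
02:11:22:33:44:02, 2023-03-01 10:00:00, 2023-03-01 10:05:00,  6,  54, WEP, WEP, , -63,       80,      512,   0.  0.  0.  0,   9, OldRouter, 
02:11:22:33:44:03, 2023-03-01 10:00:00, 2023-03-01 10:05:00, 11,  54, OPN, , , -70,       40,        0,   0.  0.  0.  0,   9, CoffeeBar, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
06:aa:bb:cc:dd:01, 2023-03-01 10:01:00, 2023-03-01 10:05:00, -50,       30, 02:11:22:33:44:01, Panic_at_the_Cisco
06:aa:bb:cc:dd:02, 2023-03-01 10:02:00, 2023-03-01 10:04:00, -55,       12, (not associated), HomeNet,OldRouter
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str        # ENC column on the live screen: WPA2, WEP, OPN, ...
    cipher: str
    auth: str           # AUTH column: PSK, MGT, ...
    essid: str
    stations: list = field(default_factory=list)   # associated client MACs


def parse_airodump_csv(text: str) -> dict:
    """Return {bssid: AccessPoint} with associated station MACs attached."""
    aps, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):
            section = "ap"
            continue
        if line.startswith("Station MAC,"):
            section = "station"
            continue
        if section == "ap":
            # 15 columns. The ESSID may itself contain commas, so split only the
            # 13 fixed leading columns and peel the trailing Key column off the rest.
            head = line.split(",", 13)
            tail = head[13]
            essid = tail.rsplit(",", 1)[0] if "," in tail else tail
            f = [x.strip() for x in head[:13]]
            aps[f[0]] = AccessPoint(bssid=f[0], channel=int(f[3]), privacy=f[5],
                                    cipher=f[6], auth=f[7], essid=essid.strip())
        elif section == "station":
            # 7 columns; the probed-ESSID list is comma separated, so cap the split.
            f = [x.strip() for x in line.split(",", 6)]
            mac, bssid = f[0], f[5]
            if bssid in aps:               # "(not associated)" rows are skipped
                aps[bssid].stations.append(mac)
    return aps


def weak_networks(aps: dict) -> list:
    """BSSIDs whose Privacy column shows no encryption or deprecated WEP."""
    return sorted(ap.bssid for ap in aps.values()
                  if ap.privacy == "OPN" or "WEP" in ap.privacy.split())


if __name__ == "__main__":
    # With a real capture: open("HackDump-01.csv").read() in place of SAMPLE_CSV.
    inventory = parse_airodump_csv(SAMPLE_CSV)
    for ap in inventory.values():
        print(f"{ap.bssid}  ch {ap.channel:>2}  {ap.privacy:<5} {ap.essid:<20} "
              f"stations={ap.stations}")
    print("weak:", weak_networks(inventory))
```

Run against your own survey, the "weak" list is the set of access points to fix first, and the station mapping shows which clients would be exposed on them.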
Capturing Traffic
Now that we know our target’s BSSID, let’s capture only the packets going to our target and save
them as a capture file. We will use Airodump-NG again, with the --channel flag to indicate the
channel to listen on, the --bssid flag to tell it which access point to listen to, and the --write
flag to name the capture.
airodump-ng --channel 1 --bssid EC:AD:E0:AB:93:34 --write HackDump wlan0mon
All the data is now being saved to a capture file. We can see one device connected to this
network (the phone we connected to this access point - connect a device if you haven’t
already).
What we want to capture is a device successfully connecting to the network. We call this the
handshake. The best way for us to accomplish this is to run an attack against the connected
device and kick it from the network. It will attempt to reconnect, allowing us to capture the
handshake.
In a new terminal, we will run Aireplay-NG using the following flags:
--deauth <num> (we will use the number zero, which means keep attacking until we say stop)
-a <BSSID>
-c <STATION>
And then list the interface:
aireplay-ng --deauth 0 -a EC:AD:E0:AB:93:34 -c F2:98:XX:XX:XX:XX wlan0mon
After letting this run for a while, hit ctrl+c to stop the attack. In roughly 10 seconds, we had
enough information in the capture to start cracking. You can also stop the packet capture in
the other terminal window now.
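Seen from the network owner's side, the burst of deauthentication frames this step produces is easy to spot: a legitimate access point sends a deauthentication or disassociation frame only occasionally, never dozens within a few seconds. The following is an added example in Python (not from the original article): a small detector over raw 802.11 management frames that decodes the frame control field and the three address fields, counts deauthentication and disassociation frames per BSSID in a sliding window, and raises an alert when the count crosses a threshold. The frames, MAC addresses, window length and threshold are constructed or assumed; the header layout and the type/subtype values are from the 802.11 standard.

```python
# Added example, not from the original article: detect a deauthentication
# flood in 802.11 management frames. All frames and addresses are constructed.
from collections import defaultdict, deque

# Constructed frames with any radiotap header already stripped. Offsets:
#   0-1 Frame Control, 2-3 Duration, 4-9 Addr1, 10-15 Addr2, 16-21 Addr3,
#   22-23 Sequence Control, then the management body.
AP = "02:11:22:33:44:01"          # constructed BSSID of the lab access point
STATION = "06:aa:bb:cc:dd:01"     # constructed client
DEAUTH = bytes.fromhex(
    "c000" "3a01"                 # FC 0xC0: type 0 (mgmt), subtype 12 (deauth); duration
    "06aabbccdd01"                # Addr1: destination = the station
    "021122334401"                # Addr2: source address = the AP
    "021122334401"                # Addr3: BSSID
    "1000"                        # sequence control
    "0700")                       # reason code 7 (class 3 frame from non-associated STA)
BEACON = bytes.fromhex("8000" "0000" "ffffffffffff" "021122334401" "021122334401" "2000")
DATA = bytes.fromhex("0801" "2c00" "021122334401" "06aabbccdd01" "021122334401" "3000")

MGMT, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0, 10, 12


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_header(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3), or None if the frame is
    shorter than the 24-byte header used by management and data frames."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3          # bits 2-3
    subtype = (fc0 >> 4) & 0xF        # bits 4-7
    return ftype, subtype, _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])


def detect_deauth_floods(frames, window_s: float = 10.0, threshold: int = 20) -> list:
    """frames: iterable of (timestamp_seconds, raw_frame). Returns one alert per
    BSSID whose deauth/disassoc count inside any window reached the threshold.
    Window and threshold are assumed values; tune them to the environment."""
    recent = defaultdict(deque)       # bssid -> timestamps inside the window
    alerts = {}
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        hdr = parse_header(raw)
        if hdr is None:
            continue
        ftype, subtype, _dst, _src, bssid = hdr
        if ftype != MGMT or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and bssid not in alerts:
            alerts[bssid] = {"bssid": bssid, "count": len(q), "first": q[0], "last": ts}
    return list(alerts.values())


def sample_capture() -> list:
    """Constructed timeline: six seconds of beacons and data, then 25
    deauthentication frames in two seconds starting at t=3.0."""
    frames = [(i * 0.1, BEACON) for i in range(60)]
    frames += [(i * 0.5, DATA) for i in range(12)]
    frames += [(3.0 + i * 0.08, DEAUTH) for i in range(25)]
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_floods(sample_capture()):
        print(f"deauth flood on {alert['bssid']}: {alert['count']} frames "
              f"between t={alert['first']:.2f}s and t={alert['last']:.2f}s")
```

In practice the frames come from a monitor-mode capture like the one airodump-ng writes, read with a pcap library; the example avoids that dependency so it runs offline. The fix for the underlying weakness is 802.11w Protected Management Frames, which authenticates deauthentication and disassociation frames so that forged ones are discarded; WPA3 makes it mandatory, and many WPA2 access points offer it as an option.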
You can see all the files that were saved. The *.cap file is the one we need.
Cracking the Password
We will use the program aircrack-ng to run a dictionary attack against the captured handshake
and try to break the password. We are using the fern-wifi common password file, as
mentioned earlier.
The command is:
aircrack-ng HackDump-01.cap -w /usr/share/wordlists/fern-wifi/common.txt
The cracking attempts begin. We already know the password was in this list. In under one
second, Aircrack-NG tried 400 passwords and found the correct one. We now have access to
this network.
Conclusion
This example was under ideal conditions. We knew the password was on our short list.
In real life, you will likely be building your own password lists based on what you know of the
target. You may also need to take other measures, such as spoofing your MAC Address to
bypass whitelisting.
Still, this exercise proves that wireless networks are only as secure as the passwords you
choose. Even with very secure passwords, other ways exist to infiltrate a network. We didn’t
touch on hacking WPS, which can be a quicker method to gain access, or setting up an
evil twin to try and social engineer credentials.