Have you been trying to learn how to hack WiFi?
Or are you aspiring to be paid to do wireless penetration tests?
Then you’ll love this article.
Because today, we’re going to take a super deep dive into WiFi hacking.
The tools, techniques, and so much more
Let’s get started
WiFi Principles and Vulnerabilities
Hardware For Hacking WiFi
The Tools to PWN WiFi
Reconnaissance To Learn Target’s Secrets
Stealthy Non-Disruptive Attacks
Disruptive Attack Methods
Methods For Cracking The Passwords
WiFi Principles & Vulnerabilities
As with everything in hacking, you need to have a deep understanding of the systems that you will be targeting.
With WiFi hacking, this means that you need a deep knowledge of how WiFi even works.
In this chapter, we’ll look at things like:
How WiFi works, how computers understand WiFi, and the inherent vulnerabilities in the technology.
Let’s get started.
Disclaimer: Nothing in this article is intended to promote the illegal access or use of computer systems. Hacking is completely legal when done in a legal manner. Only perform hacking on systems that you own or have permission to.
The inherent insecurity of wireless communications
To understand the inherent insecurity of WiFi communications, let’s use an analogy.
When you want to tell someone a super guarded secret, what do you do?
You walk over to them, make sure no one is around, and whisper it right?
Would you yell it with a megaphone?
Of course not, everyone would hear it.
Even if you yelled it in some code, there’s still a chance that someone could decipher your message right?
And that in a nutshell, is the problem with wireless communications.
WiFi is a broadcast medium.
Even if you use a very focused antenna to transmit it, there is still leakage and the possibility that someone can collect and analyze it.
While regular networks could still potentially be tapped as well, WiFi networks are definitely much easier to sniff.
In an enterprise, for example, an attacker would need to gain physical access to be able to sniff network traffic on a wired network.
With wireless on the other hand:
They could simply park in the parking deck and start scanning traffic.
So that’s one of the first weaknesses in WiFi – how easy it is to gain access to it.
How WiFi Actually Works
As you know, computers communicate in binary – 0s and 1s that combine to form everything.
And on the physical layer of the OSI model, this is carried out by using pulses of electricity.
Instead of using pulses of electricity, WiFi uses changes in the frequency and amplitude of the wireless wave to represent 0s and 1s.
WEP – Wired Equivalent Privacy
WEP has been known to be vulnerable for over a decade now.
If you find an organization still using it as their security standard, you should be able to crack it very easily.
Numerous demonstrations on how to hack WiFi networks using WEP security have been performed over the last decade and PCI standards officially began prohibiting it in 2008.
One of the main weaknesses in WEP is the way that the initialization vector (IV) is used.
If the IV concept is new to you, it is basically a value that is mixed into the encryption process so that encrypting the same plain text twice does not produce the same cipher text.
One of the underlying concepts in cryptography is to create as much variance as possible.
This makes it much harder to find the encryption key.
Weaknesses in WEP Initialization Vector
We can’t get into all of the weaknesses in WEP here.
I’ll explain briefly, but if you really want to understand it thoroughly, check out this article.
The problems with WEP’s IV are these:
- The IV is too small and is in clear text
- It is static
- It makes the stream vulnerable.
- It’s part of the RC4 encryption key (A weakness in RC4 can be used to attack WEP)
- WEP provides no integrity protection
All of those things combined make it pretty simple to attack WEP.
Hardware For Hacking WiFi
Have you tried to learn or practice wireless hacking already and been super frustrated because you couldn’t get your wireless NIC to work right?
That’s because not every wireless network card has the capabilities that are critical for hacking.
In this chapter, we are going to talk about those special needs and which USB WiFi adapters will support it.
Monitor Mode and Packet Injection
Network interface cards (NICs) don’t listen to every packet on the network.
They “hear” them all, but only really pay attention to the ones addressed to that particular device.
It works like this:
When the packet arrives at a wireless NIC, the packet filter present checks a few things – destination MAC, if the destination is a broadcast, or if the destination is a multicast.
If it’s none of those, the NIC completely ignores the packet.
However, when you are trying to hack WiFi, you don’t necessarily want this.
Think about it.
You have not gained access to the wireless network, right?
So, none of the packets will be addressed to your device.
The solution is to place the wireless NIC in monitor mode.
In monitor mode, the NIC listens to and captures every packet that it encounters.
Even if the wireless traffic is encrypted, the frame header is still readable, namely the sender and recipient addresses.
On the data link layer, these are the MAC addresses.
Packet Injection for WiFi Hacking
When you are working on attacking WiFi, there are a few approaches.
You can set up a rogue WiFi network to lure unsuspecting victims into connecting to your network, or you can be more proactive.
Typically, you’ll want to save time and be proactive.
That means that you’ll basically need to be able to knock someone off of the WiFi network so that they are forced to reconnect.
When they do, you are ready and waiting to capture the password hash so that you can try to crack it.
The problem with this:
Most NICs don’t support the packet injection capabilities needed to do this.
Like with monitor mode, special wireless NICs are needed.
No worries. I’ll show you exactly which ones work well.
NICs that support monitor mode & packet injection
You usually have to get special wireless NICs to be able to perform monitor mode sniffing while attempting to hack WiFi.
Unfortunately, not every device supports it.
Device manufacturers are definitely not looking to make hackers’ jobs easier by supporting it either.
There are only a few adapters that work well for hacking WiFi.
Here are 9 USB WiFi adapters that work with Kali Linux and support monitor mode and packet injection:
I like this adapter because it’s relatively compact and plugs in via USB. It supports the regular 802.11 protocols and is presently the adapter I use for pen tests.
What makes this adapter by Panda so nice is that it’s super small and still pretty powerful. Most people would probably take it for a mouse dongle and not think twice about it.
It doesn’t do packet injection, but would still work just for sniffing.
This adapter is relatively cheap and great for just getting started with learning how to hack WiFi. However, you have to watch out. Only version 1 will work right with Kali.
This adapter can work on both 2.4 GHz and 5 GHz WiFi networks. Consequently, it is a little more expensive than the single band adapters.
One of the nice features that this particular adapter offers is the detachable antenna. This makes it easier to swap with your own preferred kind.
This adapter is fairly new. That being said, it’s still a super powerful adapter. Dual antennas, speeds up to 300 Mbps on 2.4 GHz and 867 Mbps on 5 GHz make this an incredible tool.
This is one of those adapters that has been around a while and still works great.
Bonus Book Suggestion:
If you want to really learn how to hack WiFi, then you should check out the Kali Linux Wireless Penetration Tester’s Book.
This is a great resource to help you go from zero to experienced in hacking WiFi. And it’s even been recently updated to show you how to hack WiFi with the new KRACK attack.
Check it out!
The Tools To PWN WiFi
Just like a wrench won’t help you address a screw, neither will just any hacking tool help you attack WiFi.
Every tool has a specific job or focused set of jobs.
This is really true when it comes to hacking.
There are so many tools.
You need to know which ones can do what jobs.
That’s exactly what we are going to discuss in this chapter.
What hacking tools work best for hacking WiFi.
Like almost everything when it comes to tech and cybersecurity, there are a ton of tools that you can use to hack WiFi.
We won’t have room to discuss them all, but I will mention several and potential benefits and differences between the tools.
You really need to learn how to use Wireshark if you plan on doing wireless hacking.
And there is absolutely no way we can discuss all of the intricacies of Wireshark for WiFi hacking in this article.
So, I’ll go ahead and explain the basics for you here, but I highly recommend that you go and do some research of your own on everything Wireshark can do.
I’m going to assume that you already have Wireshark installed and we’ll skip that.
If you don’t have Wireshark installed, use this tutorial to walk you through the steps.
Before you can scan a WiFi network for reconnaissance, you need to put your WiFi NIC in monitor mode (often loosely called promiscuous mode) so that it can listen to all of the traffic on the SSID.
Otherwise, you’ll only be capturing the traffic between your device and the access point (AP).
And to be able to put the NIC in monitor mode, you have to have one that supports it. (Discussed in Chapter 2)
As you can imagine, not every NIC manufacturer is that willing to add that capability.
So, assuming you have gotten a USB to WiFi adapter with the necessary capability and you have it setup with the necessary drivers, your next step is to choose the interface that you want Wireshark to capture traffic on.
Now, simply press start to initiate the capture.
Once you have captured enough traffic, it’s time to begin the analysis process.
This is where the real value is:
What can you deduce from the information.
Use Wireshark to trace the communications of specific IP addresses
One of the really nice features of Wireshark is its filter and follow capabilities.
Here’s what I mean:
When you captured all of that traffic during the initial scan, there were a ton of packets, right?
Well, Wireshark does a beautiful job of allowing you to filter down.
In the bar that says “Apply a display filter”
Type in the following, substituting with an IP that you want to review:
ip.addr == 192.168.1.5
And now you can see all the traffic from that specific device.
Excellent if you’re looking for an attack that you can mount.
Using the Wireshark follow stream option
Another really nice thing that you can do in Wireshark when you’re trying to hack WiFi is the follow stream.
First, a little background.
When two devices are communicating over a network of any kind, they need a way to keep track of the order of the packets, because packets don’t always arrive in the correct order.
TCP does this with sequence numbers: when the receiving device finally gets a missing packet, it knows exactly where in the sequence it goes.
Wireshark uses this numbering to reassemble conversations when you follow a stream.
When you have a packet that appears to be part of a sequence that may be of interest – HTTP, SMTP, etc – right click on the packet and select follow then TCP stream (Or the appropriate kind).
There you have it.
Check out this example.
Using the follow, the entire unencrypted contents of an email were easily retrieved.
See the potential?
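What Follow TCP Stream does under the hood is sequence-number reassembly. The following is an added example (not code from the article or from Wireshark) that rebuilds one direction of a TCP conversation from segments delivered out of order, with a duplicate and an overlap, and stops at a hole. The SMTP lines and the initial sequence number are constructed; 32-bit sequence wraparound is ignored for brevity.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


def make_sample_segments(isn, chunks):
    """Number consecutive chunks the way a sender does: the first payload
    byte follows the SYN, so it carries isn + 1."""
    segments, seq = [], isn + 1
    for chunk in chunks:
        segments.append(Segment(seq, chunk))
        seq += len(chunk)
    return segments


def reassemble_stream(segments, isn):
    """Rebuild one direction of a TCP stream from segments that arrived in
    any order, tolerating retransmissions and overlaps. Reassembly stops at
    the first hole, exactly where a sniffer would be stuck waiting too."""
    out, expected = bytearray(), isn + 1
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                  # pure retransmission, data already placed
        if seg.seq > expected:
            break                     # missing segment: cannot continue
        out += seg.payload[expected - seg.seq:]   # drop any overlapping prefix
        expected = end
    return bytes(out)


# Constructed sample: the client side of an SMTP session, delivered with
# the segments scrambled and one of them duplicated.
SAMPLE_CHUNKS = [b"EHLO mail.example\r\n",
                 b"MAIL FROM:<alice@example>\r\n",
                 b"RCPT TO:<bob@example>\r\n"]
SAMPLE_ISN = 1000


def demo() -> bytes:
    segs = make_sample_segments(SAMPLE_ISN, SAMPLE_CHUNKS)
    arrived = [segs[2], segs[0], segs[1], segs[1]]
    return reassemble_stream(arrived, SAMPLE_ISN)


if __name__ == "__main__":
    print(demo().decode())
```

This is also why unencrypted protocols such as plain SMTP, HTTP or POP3 give up their full contents to anyone in monitor mode: the reassembly needs nothing but the headers.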
AirCrack-NG hacking tool suite
AirCrack is one of the most well-known tools for hacking WiFi available in Kali Linux.
But it’s actually not just one tool.
It’s a complete suite of tools.
Let’s talk about each and show how you may use them.
As we discussed earlier in the article, an important component in being able to hack WiFi is the ability to put the WLAN NIC in promiscuous (monitor) mode to capture traffic.
Again, as we talked about, in promiscuous or monitor mode, the NIC doesn’t ignore packets that are not addressed to its own MAC.
It listens to, or spies on, everything.
To use the tool, simply type:
airmon-ng start wlan0
Substitute wlan0 with the name of your NIC. (Find your NIC’s name by using iwconfig)
The tool is pretty simple.
Start, Stop, and on which interface is really all you need to worry about.
Note: When your WLAN NIC is in promiscuous mode, its name changes. It usually gets mon tacked on the end because it is in monitor mode.
The next tool in the Aircrack suite is Airodump-ng.
Airodump is used for capturing the WPA handshake when a device connects to the WLAN.
Once that handshake is captured, we can work on cracking it so that we can gain access ourselves.
The command looks like this:
The tool monitors each channel and each SSID, waiting for a handshake.
That could be quite a while though.
That’s where Aireplay-NG comes in.
Sometimes, you may not want to just sit and wait for a handshake.
You might want to speed the process up.
Aireplay makes this very simple.
It allows you to send a deauth attack to the WIFI AP and knock everyone off and force them to reconnect so you can capture the handshake.
The other really nice thing Aireplay can do is look through Wireshark captures and locate handshakes.
The final tool in the AirCrack-NG suite that you will likely use a lot is aircrack.
If you are attacking WEP, aircrack will use statistical techniques and observations of repetitions to crack the password.
When cracking WPA and WPA2, it lets you specify dictionaries for dictionary attacks.
There are a few other tools in the suite that have specific use cases.
But since we are kind of short on room, we won’t get into them.
Feel free to check out all of the tools at the aircrack site.
The WiFi Pumpkin tool works great for setting up fake captive portals that you can use to get credentials for WiFi networks.
The tool is very robust and has a ton of features.
You can set up rogue access points, perform deauth attacks to get someone to connect to your AP.
Or you can run phishing campaigns, ARP poisoning, DNS spoofing and several other attack types.
The tool is super simple to use and has great documentation.
The GUI is pretty self explanatory.
Check it out here: WiFi Pumpkin Link
Other tools for learning how to hack WiFi
There are a bunch of tools for hacking WiFi.
We don’t have the room to discuss them all here.
But if you want to learn more about them, come back soon.
I’m putting together an article on 35 WiFi hacking tools right now!
It should be done very soon.
Reconnaissance To Learn The Target’s Secrets
Are you struggling with your wireless pen tests?
Or feel like you are not able to figure out exactly how to hack WiFi?
The chances are that you need to perform more thorough reconnaissance before actually launching the attack.
The good news:
I’m going to show you how to perform thorough reconnaissance so that your attack feels like a breeze.
Reconnaissance, hands down, is the most important phase of penetration testing.
And WiFi hacking is no different.
You can literally make or break your pen test during reconnaissance.
Here’s what I mean:
Be too noisy during reconnaissance and your target will likely spot you and depending on your agreement, your test may be over.
Don’t do enough investigation and looking around and you very well may struggle during the attack phase.
And if you do thorough recon before ever trying to attack, you will have a head start.
As Sun Tzu said, If you know thy enemy…
Let’s talk about some wireless reconnaissance tactics that you can use.
Finding SSIDs in the area
One of the first and easiest recon strategies is to look for the wireless SSIDs that are available.
Take your computer, tablet, phone, or whatever device you are using and walk around looking for available networks.
Either make a note of them, or add them to your documentation.
You may find printers or other devices with wireless networks as well.
These may be super valuable and easy targets.
Find hidden SSIDs with Wireshark
WiFi networks are not always obvious during a regular scan.
That is because many organizations still believe that using a hidden SSID is more secure.
The fact is:
It’s not hard at all to find the SSID of a hidden network.
So there isn’t much benefit.
To find hidden wifi networks with Wireshark, you first have to put your wireless adapter in monitor mode.
Now, start a wireless traffic capture.
Once you feel like you’ve captured enough traffic, or while the scan is still going, you can start filtering the results to look for SSID probe requests and beacon frames.
Tip: I typically just leave the scan going while I start filtering.
Just so I don’t potentially miss anything.
You may be asking:
What are beacon frames?
WiFi APs periodically announce their SSID in beacon frames.
When the SSID is hidden, the beacon just carries Broadcast (an empty name) in place of the SSID.
But sometimes, devices that have previously connected to those hidden networks will send out a probe request that carries the network name.
If you see one, you’ve got the hidden SSID.
If not, I’ll show you in chapter 6 how you can force a device to resend that probe request.
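The following added example (not code from the article) shows the mechanism in working form: a minimal 802.11 management-frame parser that reads the unencrypted header addresses and the SSID information element, then correlates hidden beacons with the names that leak in clients' probe requests and in the AP's own probe responses. The probe-response leg goes slightly beyond the text, but it is the same standard exchange. All frames below are constructed for the demo; nothing is captured from a real network.

```python
# Management frame subtypes this demo cares about (frame control subtype field).
SUBTYPE_NAMES = {4: "probe-req", 5: "probe-resp", 8: "beacon", 12: "deauth"}
# Beacons and probe responses carry 12 bytes of fixed fields (timestamp,
# beacon interval, capability info) before the tagged information elements.
FIXED_FIELD_LEN = {5: 12, 8: 12}
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, addr1, addr2, addr3, ssid=None):
    """Build a minimal 802.11 management frame: 24-byte header, the fixed
    fields where the subtype has them, and an SSID information element."""
    frame_control = bytes([(subtype << 4) | 0x00, 0x00])   # type 0 = management
    header = frame_control + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    body = (b"\x00" * 8 + b"\x64\x00" + b"\x11\x00") if subtype in FIXED_FIELD_LEN else b""
    if ssid is not None:
        body += bytes([0, len(ssid)]) + ssid       # IE tag 0 = SSID
    return header + body


def parse_mgmt(frame: bytes):
    """Return addresses and SSID of a management frame, or None for other
    frame types. The header is never encrypted, which is why monitor mode
    can see who talks to whom even on a WPA2 network."""
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:                    # type field: 0 = management
        return None
    subtype = fc0 >> 4
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    body = frame[24 + FIXED_FIELD_LEN.get(subtype, 0):]
    ssid, i = None, 0
    while i + 2 <= len(body):                    # walk the tag/length/value IEs
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if tag == 0:
            # A hidden network sends a zero-length (or all-NUL) SSID element.
            ssid = "" if length == 0 or not any(value) else value.decode("utf-8", "replace")
        i += 2 + length
    return {"subtype": SUBTYPE_NAMES.get(subtype, subtype), "da": mac_str(addr1),
            "sa": mac_str(addr2), "bssid": mac_str(addr3), "ssid": ssid}


def resolve_hidden_ssids(frames):
    """Correlate hidden beacons with names leaked by probe requests (clients
    asking for a network they remember) and probe responses (the AP answering
    with its real name)."""
    hidden, probed, resolved = set(), set(), {}
    for info in map(parse_mgmt, frames):
        if info is None:
            continue
        if info["subtype"] == "beacon" and info["ssid"] == "":
            hidden.add(info["bssid"])
        elif info["subtype"] == "probe-req" and info["ssid"]:
            probed.add(info["ssid"])
        elif info["subtype"] == "probe-resp" and info["ssid"]:
            resolved[info["bssid"]] = info["ssid"]
    return {"hidden_bssids": hidden, "probed_names": probed,
            "resolved": {b: s for b, s in resolved.items() if b in hidden}}


# Constructed sample: a hidden AP, a client that remembers the network, and
# the AP's reply to that client. Addresses are locally administered dummies.
AP = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("0200000000aa")
SAMPLE_FRAMES = [
    build_mgmt_frame(8, BROADCAST, AP, AP, ssid=b""),                    # hidden beacon
    build_mgmt_frame(4, BROADCAST, CLIENT, BROADCAST, ssid=b"CorpNet"),  # probe request
    build_mgmt_frame(5, CLIENT, AP, AP, ssid=b"CorpNet"),                # probe response
]

if __name__ == "__main__":
    print(resolve_hidden_ssids(SAMPLE_FRAMES))
```

In Wireshark the equivalent display filters are `wlan.fc.type_subtype == 0x08` for beacons, `0x04` for probe requests and `0x05` for probe responses. The defensive takeaway is the one the text states: a hidden SSID is not a secret, so it should never be relied on as an access control.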
Find devices you can spoof
You’re probably familiar with MAC filtering on networks – especially if you’ve done any networking.
If not, here’s a quick explanation.
As a security measure, some network switches only allow approved devices to communicate on the LAN.
They do this by whitelisting MAC addresses of specific devices.
Here’s a super thorough explanation of how that works.
The reason that’s important for us is, we may have to get over the hurdle before we can access the WLAN.
So, while you’re scanning for other items in Wireshark, keep an eye out for the MAC addresses of devices that are connected.
Here’s how you can filter to find MAC addresses in Wireshark.
In the filter tab add (for a monitor-mode wireless capture the 802.11 address field is wlan.addr; eth.addr only matches Ethernet frames):
wlan.addr == [MAC address]
Now, go through the filter contents and look for any interesting mac addresses that you may be able to use.
Be sure not to try to spoof the MAC of the AP or any other system if you are trying to remain stealthy.
That could set off alarms.
Arul’s Utilities is a great tool to help you determine what kind of device a specific MAC may be.
Spoof your MAC address with macchanger
When you need to gain access to a system that uses MAC filtering for security, there is a super easy way to get access.
Simply spoof your MAC address to impersonate a device that is whitelisted on the network.
How do you spoof your MAC?
Let’s take a look.
Once you know the MAC of a device that is allowed on the WLAN from your scanning, you can choose the device that you want to spoof.
The tool for spoofing this address is macchanger.
It comes with Kali linux by default and should be ready to go.
First, turn off the wireless interface with the command
ifconfig wlan0mon down
Substituting the name of your wireless NIC.
Then set the new address with:
macchanger -m 54:8C:A0:54:56:65 wlan0mon
Of course, substituting the MAC that you found to be whitelisted.
Then, bring the interface back up with:
ifconfig wlan0mon up
Non-Disruptive Attacks To Fly Under The Radar
Using Fake Captive Portal
When you are attempting to hack WiFi, you may not want to be noisy and draw a lot of attention.
When this is the case, you’ll want to choose very stealthy attacks.
One common method of doing this is using captive portals and rogue WiFi to gain the credentials.
Here’s what I mean:
Have you ever gone to a hotel or an enterprise environment where they show you a splash page that you have to log in to before using the WiFi?
As an attacker, you can exploit this.
Let’s use a hypothetical airport wifi scenario.
There are usually quite a few wifi networks available.
Say one of them is DeltaFree.
Using the right tools, you could set one up called DeltaHighSpeedFree. (Don’t do this unless authorized to during a penetration test).
I can almost guarantee that people would try to connect to that network.
You may be thinking
But that doesn’t help me get the password.
And you’re exactly right.
There’s one more step that you need in your rogue wifi scenario.
So, for the sake of our example, let’s imagine that all Delta passengers receive the WiFi passcode in an email 24 hours before the flight.
When someone connects to your rogue WiFi network, you would need to redirect them to a captive portal that requires the password.
The first person that falls for the ruse and you’ve got the password.
Tools for setting up rogue WiFi captive portals
There are several ways that you can set up a fake captive portal on your rogue network.
Let’s briefly look at a few of them.
WiFiPhisher is a WiFi social engineering tool that you can use to gain credentials to various accounts.
The tool monitors all those probes that devices send out requesting the WiFi networks they have previously joined.
WiFiPhisher serves up rogue versions of those networks and redirects the user to a captive portal of the attacker’s choice.
Usually, these are things like:
McDonalds Free WiFi
Or something of that nature.
However, if the attacker is clever, he/she can come up with some unique captive portal scenarios like this:
Even the pop-up for the network authentication looks real.
WifiPhisher can perform each of these attack methods:
- Evil twin by creating a fake wireless network that looks like a legitimate one
- KARMA attack in which wifiPhisher fakes as a public network for nearby persons to use
- Known Beacon Attack in which it broadcasts common SSIDs that devices in its vicinity may have connected to in the past.
It’s a really nice tool, and I’ve used it on commercial pen tests before.
If you want to learn more about how to use it, HackerRoyale has a great tutorial and explanation.
Disruptive WiFi Hacking Methods
When you are trying to figure out how to hack WiFi and stealth or utter secrecy is not necessary, there are several methods that may work well.
I have used these very methods on pen tests in large enterprises with some of the best security teams and still went unnoticed.
Let’s look at a few.
So, when you want to get the WiFi credentials, and you don’t want to wait for someone to find and attempt to connect to your rogue network, you have another quicker option.
Basically, instead of just waiting, you kick a device off of the WiFi so that it has to reconnect.
While the reconnection occurs, you are able to grab the credentials.
Let’s look at an example.
You’re going to need the Aircrack suite installed.
If you don’t have it, run:
sudo apt install aircrack-ng
Use the iwconfig command to figure out what your wireless NIC is called:
iwconfig
At this point, you want to put your NIC in monitor mode so that it can listen to all traffic.
The command for that is:
airmon-ng start wlan0
(wlan0 is the name of my NIC. Yours may differ)
If you run the iwconfig command again, you should see that your NIC has a new name.
Something like wlan0mon.
Now, we are almost ready to start.
You should now see output similar to this.
This is showing each access point in range and the connected devices.
When you see a station that is connected to an AP (BSSID is the MAC of the AP), you can send a fake deauth to the AP as if the client device is doing it.
To do that, run this command:
aireplay-ng --deauth 100 -c [client MAC] -a [AP MAC] wlan0mon
Run this until the airodump-ng capture that is writing your output file shows that a WPA handshake was captured. (aireplay-ng itself has no --write option; the capture file comes from airodump-ng.)
Now you are ready to crack the password.
You can use the output file and whatever cracker you choose.
We’ll explain that part in the next chapter.
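From the defender's side, a deauth attack is loud: a burst of deauthentication frames from (apparently) the AP's own address in a couple of seconds is nothing like normal roaming. The following is an added example (not code from the article or from any WIDS product) of the sliding-window rule a wireless sensor would apply to monitor-mode frame metadata. The event tuples are constructed and use dummy addresses.

```python
from collections import defaultdict, deque

AP = "02:00:00:00:00:01"        # constructed dummy addresses
CLIENT = "02:00:00:00:00:aa"


def detect_deauth_floods(events, threshold=10, window_ms=5000):
    """events: (timestamp_ms, subtype, transmitter_mac, bssid) tuples taken
    from 802.11 headers. Alert once per BSSID the first time `threshold`
    deauth/disassoc frames fall inside a trailing `window_ms`.
    Returns a list of (timestamp_ms, bssid, count_in_window)."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ts, subtype, transmitter, bssid in sorted(events, key=lambda e: e[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        window = recent[bssid]
        window.append(ts)
        while window and ts - window[0] > window_ms:   # expire old frames
            window.popleft()
        if len(window) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((ts, bssid, len(window)))
    return alerts


def sample_events():
    """Normal traffic, one legitimate deauth, then 100 deauth frames in two
    seconds whose transmitter address claims to be the AP."""
    events = [(0, "beacon", AP, AP),
              (1000, "deauth", AP, AP),      # a single deauth is ordinary
              (1500, "data", CLIENT, AP)]
    events += [(10000 + i * 20, "deauth", AP, AP) for i in range(100)]
    return events


SAMPLE_EVENTS = sample_events()

if __name__ == "__main__":
    for ts, bssid, count in detect_deauth_floods(SAMPLE_EVENTS):
        print(f"t={ts}ms deauth flood against {bssid}: {count} frames in window")
```

The Wireshark filter for the same frames is `wlan.fc.type_subtype == 0x0c`. The mitigation is 802.11w (Protected Management Frames): once clients and AP negotiate it, a deauth frame that is not authenticated by the AP's keys is discarded, so this whole handshake-forcing step stops working.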
Arp Spoof – Understanding ARP
Before we get into how to conduct an ARP spoofing attack, I want to make sure that you understand what we are doing.
After all, we want to be skilled hackers who understand the concepts right?
So, all the devices on the same network segment talk to each other using MAC addresses, right?
Here’s what I mean:
We’re going to be using this example for the explanation.
Computer A needs to send a message to Computer B.
The first thing that computer A does is to check its own ARP cache to see if it has the MAC of computer B.
Unfortunately, it doesn’t.
Computer A sends out an ARP request broadcast to the network announcing its own layer 2 and layer 3 address as the sender.
It adds the layer 3 or IP address of the device that it needs the MAC of.
The message gets broadcast, computer B sees that the message is intended for it and sends a reply back.
Computer B uses the info about computer A in the broadcast and addresses a reply telling computer A its own MAC address.
Then, computer A updates its ARP table so that it knows where to send messages for computer B.
Super simplified explanation, but hopefully you were able to follow along.
ARP spoof with Ettercap
Ettercap is a tool that will allow you to perform ARP spoof attacks.
Basically, what it allows you to do is scan the entire network to find hosts.
Then, you can select the hosts whose ARP cache you want to poison.
You select the targets and launch the attack.
What Ettercap does is sniff out all of the traffic from those hosts.
You can then pick which destinations you want to spoof.
If you see that several devices keep sending requests to Google.com, you can target them and make them think your machine is google.com.
The one drawback:
You have to be on the same network as your target for it to work.
If you want to get a step-by-step tutorial how to perform this attack, check out this article:
Like everything in security, and especially when learning how to hack WiFi, there are many approaches you can take to performing a Man in the Middle (MITM) attack.
The basic concept though is this:
You want to position your device so that all traffic of the device that you are attacking flows through your own device on its way wherever it needs to go.
In this way, you’ll be able to spy on everything they do and perhaps harvest valuable data.
MITM is a disruptive attack because it actually is disrupting the victim’s usual traffic flow.
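The ARP walkthrough above and the poisoning it enables both come down to one fact: a host believes whatever reply it hears, with no authentication. This added example (not from the article, Ettercap or Bettercap) models the request/reply exchange between computer A and computer B with a toy ARP cache, and then runs the arpwatch-style check a defender would use, which flags an IP whose claimed MAC changes. The hosts, addresses and sample traffic are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str    # all zeros in a request: that is the unknown being asked for
    target_ip: str


ZERO_MAC = "00:00:00:00:00:00"


class Host:
    """Toy host with an ARP cache, following the A-asks-B exchange above."""

    def __init__(self, mac, ip):
        self.mac, self.ip, self.cache = mac, ip, {}

    def resolve(self, ip, network):
        """Return (mac, packets that went on the wire)."""
        if ip in self.cache:
            return self.cache[ip], []                  # cache hit: no traffic
        request = ArpPacket("request", self.mac, self.ip, ZERO_MAC, ip)
        for host in network:                           # broadcast to everyone
            if host is self:
                continue
            reply = host.handle(request)
            if reply is not None:
                self.cache[reply.sender_ip] = reply.sender_mac   # update ARP table
                return reply.sender_mac, [request, reply]
        return None, [request]

    def handle(self, pkt):
        """Only the owner of target_ip answers, and it learns the asker too."""
        if pkt.op == "request" and pkt.target_ip == self.ip:
            self.cache[pkt.sender_ip] = pkt.sender_mac
            return ArpPacket("reply", self.mac, self.ip, pkt.sender_mac, pkt.sender_ip)
        return None


def detect_arp_anomalies(packets):
    """Passive check: flag any IP whose advertised MAC changes between replies.
    That flip is what ARP poisoning of the gateway looks like on the wire."""
    seen, alerts = {}, []
    for p in packets:
        if p.op != "reply":
            continue
        previous = seen.get(p.sender_ip)
        if previous is not None and previous != p.sender_mac:
            alerts.append(f"{p.sender_ip} moved from {previous} to {p.sender_mac}")
        seen[p.sender_ip] = p.sender_mac
    return alerts


# Constructed sample traffic: the gateway answers normally, then a second
# reply claims the gateway's IP from a different MAC.
GATEWAY_MAC, ROGUE_MAC = "02:00:00:00:00:01", "02:00:00:00:00:66"
SAMPLE_ARP_TRAFFIC = [
    ArpPacket("request", "02:00:00:00:00:0a", "192.168.1.10", ZERO_MAC, "192.168.1.1"),
    ArpPacket("reply", GATEWAY_MAC, "192.168.1.1", "02:00:00:00:00:0a", "192.168.1.10"),
    ArpPacket("reply", ROGUE_MAC, "192.168.1.1", "02:00:00:00:00:0a", "192.168.1.10"),
]

if __name__ == "__main__":
    a, b = Host("02:00:00:00:00:0a", "192.168.1.10"), Host("02:00:00:00:00:0b", "192.168.1.20")
    print(a.resolve("192.168.1.20", [a, b]))
    print(detect_arp_anomalies(SAMPLE_ARP_TRAFFIC))
```

On switched networks the practical mitigations are Dynamic ARP Inspection tied to DHCP snooping, static entries for the gateway on critical hosts, and client isolation on the WLAN so stations cannot talk to each other at layer 2 at all.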
WiFi Man-in-The-Middle tutorial using Bettercap
For this tutorial, I’m going to assume that you have already done recon and figured out which device you want to target and that you have already set up your NIC that supports packet injection.
If you haven’t done that, go ahead and do so.
To make your attack as stealthy as possible, go ahead and change your MAC to match the manufacturer of the WAPs on the victim’s network.
macchanger -m 00:00:00:00:00:00 wlan0
Of course substituting 00:00:00:00:00:00 with the MAC that you want.
Now you are ready to begin an ARP poison.
You’re doing this so that the victim thinks that your device is the gateway and starts sending traffic to you.
The command is:
bettercap -I wlan0 -O bettercap.log -S ARP --gateway [gateway IP] --target [victim IP]
You should now start to see output from the victim’s activity.
And that’s the basics of a Man in the Middle attack.
Of course, it can get much more complex if you are dealing with TLS/SSL or want to inject certificates.
We don’t have time to cover that all here, but for further reading, check out this article by Dr. Charles Reid.
Methods For Cracking The Passwords
There are two basic methods for cracking WiFi passwords: dictionary (wordlist) attacks or brute force.
You’ll find that there are times that you need to use each.
One isn’t necessarily what you should always use.
It depends on the situation.
However, using dictionaries and word lists can be quicker.
Let’s look at each of these methods.
Dictionaries and Wordlists
Unfortunately, people just have terrible password habits.
They tend to re-use the same passwords multiple times for multiple sites.
And if you have noticed lately, there are tons of site breaches.
Every time you turn around, another site or company has been breached.
For cyber criminals, this means that they can use those stolen credentials and likely get into an account somewhere else.
There’s no lack of them either.
Word lists you can download
There are many places online that you can get wordlists for use in WiFi password cracking.
Just be careful.
Here are a few:
Like I keep saying, there’s no one way or correct way to do things when it comes to hacking.
I’m going to show you how you can brute force a WPA2 password hash collected with Aircrack using Hashcat.
But know that there are other methods.
Aircrack with Hashcat
If you used Aircrack to capture a WPA handshake, the file will be saved as a .cap.
Get the file in a format that Hashcat can work with by converting it to .hccap by running:
aircrack-ng CaptureFileName.cap -J output
Hashcat can actually be used with or without a word list.
But since this tutorial is about brute force attacks, I’ll show you how to use Hashcat without a word list.
The command looks like this:
hashcat.exe -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d
This specific command tells Hashcat to try every digit-only value of length 8 (each ?d in the mask is one digit).
You can customize the mask using the built-in charsets for upper case letters, lowercase letters, special characters, etc.
The character sets are described in the Hashcat documentation.
Generally, you’ll find that creating a wordlist based on password requirements (if you can find them) will give faster results.
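How long a mask attack takes is simple arithmetic on the mask, and the reason WPA2 cracking is slow is the PBKDF2 step every candidate has to go through. This added example (not from the article or from Hashcat) expands a hashcat mask into its keyspace using Hashcat's documented built-in charset sizes, turns that into a time at an assumed hash rate, and computes the WPA2 pairwise master key the way IEEE 802.11i defines it. The hash rate used below is an assumption for illustration, not a measurement.

```python
import hashlib

# Built-in hashcat charsets and their sizes (from the hashcat mask docs).
HASHCAT_CHARSETS = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16,
                    "s": 33, "a": 95, "b": 256}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask such as ?d?d?d?d?d?d?d?d expands to.
    Literal characters contribute exactly one choice; "??" is a literal '?'."""
    n, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            c = mask[i + 1]
            n *= 1 if c == "?" else HASHCAT_CHARSETS[c]
            i += 2
        else:
            i += 1
    return n


def seconds_to_exhaust(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given rate."""
    return mask_keyspace(mask) / hashes_per_second


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    Every guess must pay for these 4096 iterations before the captured
    handshake can be checked, which is why WPA2 rates are so low."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    assumed_rate = 400_000          # assumption: hashes/second for one GPU-class cracker
    for mask in ("?d?d?d?d?d?d?d?d", "?u?l?l?l?l?d?d?d", "?a?a?a?a?a?a?a?a?a?a"):
        print(f"{mask:24} {mask_keyspace(mask):>24,} candidates "
              f"{seconds_to_exhaust(mask, assumed_rate) / 86400:>12,.1f} days")
    print(wpa2_pmk("password", "IEEE").hex())
```

The numbers make the point for both sides: an 8-digit passphrase is ten to the eighth candidates and falls in minutes, while a 10-character passphrase drawn from the full printable set is 95 to the tenth, which at the same rate is millennia. Note also that current Hashcat versions have replaced `-m 2500` and `.hccap` with `-m 22000` and the hc22000 format; check the version you have installed.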
Now It’s Your Turn
So that’s a detailed beginner’s guide to help you learn how to hack WiFI.
Now I want to turn it over to you: Which of the steps from today’s guide are you going to practice first?
Or did I leave out something important?
Let me know by leaving a quick comment below right now.