Workshop | Wi-Fi Hacking Lab
Johnny Pan
2022-10-08
This lab was created for educational purposes, with the aim of improving and auditing the security of wireless networks.
Do it only in your own wireless network.
Option #1 - Using ifconfig
Option #2 - Using Airmon-ng
We press Ctrl+C and review the list of SSIDs. We look for the one we are interested in auditing. In this case we are going to work with OPENSOURCE.
A handshake occurs when a device connects to a network (e.g., when your computer connects to a router). You need to wait until a handshake occurs so that you capture the data necessary to crack the password. To start monitoring, run the following command:
airodump-ng --channel <CHANNEL> --bssid <MAC-AP> -w <CAPTURE-FILE> wlan0mon
In our case the values are the following:
CHANNEL = 6
MAC-AP = 00:18:39:E4:61:28
CAPTURE-FILE = wpa2
As long as this command stays running, you'll be monitoring for all connections and new handshakes.
A deauth attack sends deauthentication packets to the router you're trying to break into, causing users to disconnect and requiring them to log back in. When a user logs back in, you will be provided with a handshake. If you don't do a deauth attack, you might have to wait a long time for a handshake to complete, and you'll need that handshake to crack the password.
If you already see a line with the tag "WPA handshake:" followed by a MAC address in the output of the airodump-ng command, skip this step because you have what you need to crack the password and don't need to send deauth packets.
Wait for something to connect to the network. Once you see two addresses appear next to each other, one labeled BSSID (the Wi-Fi router) and the other labeled STATION (the computer or other device), a client is connected. To force them into a handshake, you'll now send them deauth packets that kill their connection.
Open a new terminal. Make sure airodump-ng is still running in original terminal window, and drag it to another place on your desktop so both terminals are visible.
Send the deauth packets. Run this command, replacing NETWORK BSSID with the router's BSSID (-a is the access point) and STATION MAC with the MAC address of the client that connected to the network (-c is the client), on the monitor interface (wlan0mon here): aireplay-ng -0 2 -a <NETWORK BSSID> -c <STATION MAC> wlan0mon
This command will send 2 deauth packets to disconnect the client from the network. Don't try to send more than this: sending too many packets could prevent the client from reconnecting and generating the handshake.
As long as you're close enough to the target client, they'll be disconnected from the router and forced to reconnect with a handshake. If this doesn't work, move closer to the client.
As soon as the client reconnects, all of the information you'll need to crack the password will be available.
When you see WPA handshake: <AP MAC ADDRESS>, you can start cracking the password.
In the original terminal window, press Control+C to quit airodump-ng. This stops the dump and saves a file ending with .cap to your desktop.
Decompress the rockyou.txt wordlist. To crack the password, you'll need a wordlist. Fortunately, since you're using Kali Linux, you have several already in /usr/share/wordlists. The one we'll want to use is called rockyou.txt, but it's zipped up by default. To unzip it, run gzip -d /usr/share/wordlists/rockyou.txt.gz.
You won't be able to crack the password if it's not in the wordlist. You can always try one of the other wordlists if rockyou.txt doesn't crack the password.
Run the command to crack the password. You'll use a tool called aircrack-ng, which comes with Kali Linux, to do so. The command is aircrack-ng -a2 -b <NETWORK BSSID> -w /usr/share/wordlists/rockyou.txt /root/Desktop/*.cap. Replace NETWORK BSSID with the BSSID of the router.
Depending on the strength of the password and the speed of your CPU, this process can take anywhere from a few hours to a few days.
If you're cracking a static-WEP-key network instead of a WPA/WPA2-PSK network, replace -a2 with -a1.
Capture packets
Open Wireshark
wlan.ta==00:18:39:E4:61:28
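The Wireshark filter above selects frames by transmitter address; the following Python, added here as a defender-side example that is not part of the original workshop, applies the same idea to flag the deauthentication bursts that the aireplay-ng step produces. The client MAC, the timestamps and the frames are constructed for the demo, and frames are assumed to start at the 802.11 MAC header with no radiotap prefix.

```python
import struct
from collections import defaultdict

MGMT, DEAUTH, DISASSOC = 0, 12, 10   # 802.11 management type and the two subtypes of interest
BSSID = "00:18:39:e4:61:28"          # the lab AP from the page; CLIENT is a constructed value
CLIENT = "02:11:22:33:44:55"

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame: bytes):
    """Return (type, subtype, ra, ta, bssid, reason) or None if the frame is too short."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    ra, ta, bssid = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    reason = None
    if ftype == MGMT and subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]  # reason code, little-endian
    return ftype, subtype, ra, ta, bssid, reason

def deauth_bursts(capture, window=1.0, threshold=3):
    """Count deauth/disassoc frames per (ta, ra, bssid) and return the keys that see
    >= threshold frames inside any window-second span, with the peak count."""
    times = defaultdict(list)
    for ts, frame in capture:
        p = parse_mgmt(frame)
        if p and p[0] == MGMT and p[1] in (DEAUTH, DISASSOC):
            times[(p[3], p[2], p[4])].append(ts)
    hits = {}
    for key, stamps in times.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:  # slide the window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), hi - lo + 1)
    return hits

def build_mgmt(subtype, ra, ta, bssid, reason=None) -> bytes:
    """Constructed sample frame: frame control, duration, addr1-3, sequence control, body."""
    hdr = bytes([(subtype << 4) | (MGMT << 2), 0]) + b"\x00\x00"
    hdr += b"".join(bytes.fromhex(m.replace(":", "")) for m in (ra, ta, bssid)) + b"\x00\x00"
    return hdr + (struct.pack("<H", reason) if reason is not None else b"")

# Constructed capture: a beacon, a burst of deauths carrying the AP's address with reason 7
# (class 3 frame from a non-associated station), and one isolated deauth from another AP.
SAMPLE = [(0.0, build_mgmt(8, "ff:ff:ff:ff:ff:ff", BSSID, BSSID))]
SAMPLE += [(0.1 + i * 0.02, build_mgmt(DEAUTH, CLIENT, BSSID, BSSID, 7)) for i in range(5)]
SAMPLE.append((9.0, build_mgmt(DEAUTH, CLIENT, "00:aa:bb:cc:dd:ee", "00:aa:bb:cc:dd:ee", 3)))
```

Enabling Protected Management Frames (802.11w) on the access point is the standard mitigation, since clients then discard deauthentication frames that are not integrity-protected.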
You can use the following link to identify the MAC address vendor:
Or use the following command on Kali: