The Art of Wi-Fi Hacking: An Ethical Guide for Education and Research
Disclaimer
We want to be absolutely clear on this point. As much fun as it might seem to hack into your neighbor’s wireless network or a secured network at a friend’s house, hotel, or other location, don’t do it. You need to have permission from the network owner if you are to do any kind of hacking or penetration testing on their systems.
It might not seem like a big deal, but hacking a system without permission can hold extremely steep legal penalties, including jail time, depending on your location.
To hack a wireless network, you need a wireless card with two features:
- Make sure your card supports monitor mode/promiscuous mode
- Make sure your card is capable of performing packet injection
We have bad news for you. It is almost certain that your onboard network card is incapable of this. You will need to purchase an external network adapter — and it has to have these specific (and uncommon) abilities.
You can buy the network adapter from here.
Set Up Kali
If you don’t have Kali Linux installed, see our article How To Install Kali Linux on VirtualBox.
Let’s Start Hacking
We’re now going to go through the step-by-step process of hacking a WPA2-Personal WiFi network.
There are several programs we can use, but this article will only focus on using the Aircrack-NG suite of tools. We encourage you to try some of the other tools mentioned in the Frequently Asked Questions.
Promiscuous Mode
In most cases, a network card only passes up traffic sent to its own MAC address. Monitor mode (often loosely called promiscuous mode) tells the card to capture all 802.11 traffic it can hear, not just traffic directed to it.
Let’s switch to root using the command sudo su. You will be prompted for your Kali password.
Use ifconfig to see what our network card is called. In our case it is wlan0.
Using iwconfig we see the adapter is currently in managed mode (not monitor).
We will use Airmon-NG to put the adapter into monitor mode.
First, we end any processes that might interfere using the command
airmon-ng check kill
Then change the adapter’s mode using
airmon-ng start wlan0
Use whatever your adapter name is, if different. Your adapter name will change, adding the letters “mon” to the end (for monitor). In our case, it became wlan0mon.
Scanning For Networks
Now that we are in monitor mode, we can begin scanning. We will use the program Airodump-NG, giving it the name of the interface to listen on (which in our case is wlan0mon) as its argument. Note that airodump-ng has no -i interface flag; -i is short for --ivs, which saves only captured IVs.
airodump-ng wlan0mon
We are picking up all kinds of traffic. Let’s examine what we see.
- BSSID is the MAC address of the access points we can see.
- CH is the channel they are running on (on 2.4 GHz, access points usually sit on the non-overlapping channels 1, 6, or 11, whatever encryption they use).
- ENC is the encryption method. In this picture we see two open networks, and many WPA2.
- AUTH is the authentication method used to connect to the network. PSK stands for pre-shared key.
- ESSID is the common name of the wireless network. We can see our target network, as well as the MAC address and the channel it is running on.
- STATION lists the MAC address of devices connected to the different networks.
Capturing Traffic
Now that we know our target’s BSSID, let’s capture only packets going to our target and save them as a capture file. We will use Airodump-NG again, with the --channel flag to indicate the channel to listen on, the --bssid flag to tell it which access point to listen to, and the --write flag to name the capture.
airodump-ng --channel 1 --bssid EC:AD:E0:AB:93:34 --write HackDump wlan0mon
All the data is now being saved to a capture file. We can see one device connected to this network (the phone we connected to this access point — connect a device if you haven’t already).
What we want to capture is a device successfully connecting to the network. We call this the handshake (the WPA2 four-way handshake). The best way for us to accomplish this is to run an attack against the connected device and kick it from the network. It will attempt to reconnect, allowing us to capture the handshake.
In a new terminal, we will run Aireplay-NG using the following flags:
- --deauth <num> (we will use the number zero, which means keep attacking until we say stop)
- -a <BSSID>
- -c <STATION>
And then list the interface:
aireplay-ng --deauth 0 -a EC:AD:E0:AB:93:34 -c F2:98:XX:XX:XX:XX wlan0mon
After letting this run for a while, hit ctrl+c to stop the attack. In roughly 10 seconds, we had enough information in the capture to start cracking. You can also stop the packet capture in the other terminal window now.
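From the defender's side, the deauthentication burst just described is easy to spot on the air: a wireless IDS counts deauthentication frames per BSSID inside a short sliding window and alerts when a normal rate is exceeded. The following detector is an added example and not part of the original article or of the Aircrack-ng suite; it parses raw 802.11 management headers and runs over a constructed sample in which only EC:AD:E0:AB:93:34 comes from the walkthrough, while the client MAC, the second BSSID and the reason codes are made up.

```python
import struct
from collections import defaultdict, deque

TYPE_MGMT, SUBTYPE_DEAUTH = 0, 12  # 802.11 management frame, subtype 12 = deauthentication
def _mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))
def _mac_str(b):
    return ":".join(f"{x:02X}" for x in b)

def parse_deauth(raw):
    """Return dst/src/bssid/reason for an 802.11 deauth frame, else None.
    Header: FC(2) Duration(2) addr1(6) addr2(6) addr3(6) SeqCtl(2); body starts at byte 24."""
    if len(raw) < 26:
        return None
    fc0 = raw[0]
    if (fc0 >> 2) & 0x3 != TYPE_MGMT or (fc0 >> 4) & 0xF != SUBTYPE_DEAUTH:
        return None
    return {"dst": _mac_str(raw[4:10]), "src": _mac_str(raw[10:16]),
            "bssid": _mac_str(raw[16:22]), "reason": struct.unpack_from("<H", raw, 24)[0]}

def detect_deauth_flood(frames, window=2.0, threshold=5):
    """frames: time-ordered (timestamp_seconds, raw_frame_bytes). Alerts once per BSSID when
    >= threshold deauths land within `window` seconds; one normal deauth (client leaving) never trips it."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for ts, raw in frames:
        f = parse_deauth(raw)
        if f is None:
            continue
        q = recent[f["bssid"]]
        q.append(ts)
        while ts - q[0] > window:  # drop deauths that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            alerts.append({"bssid": f["bssid"], "start": q[0], "count": len(q), "reason": f["reason"]})
    return alerts

def build_frame(fc0, dst, src, bssid, body=b""):
    """Constructed 802.11 frame for this demo, not bytes from a real capture."""
    return bytes([fc0, 0x00, 0x3A, 0x01]) + _mac_bytes(dst) + _mac_bytes(src) + _mac_bytes(bssid) + b"\x00\x00" + body

AP = "EC:AD:E0:AB:93:34"        # target BSSID from the walkthrough
CLIENT = "02:00:00:00:00:01"    # constructed client MAC (the article masks the real one)
OTHER_AP = "02:00:00:00:00:AA"  # constructed unrelated BSSID
DEAUTH, BEACON = 0xC0, 0x80     # FC byte 0 for a deauth (subtype 12) and a beacon (subtype 8)
# Constructed sample: a beacon, a burst of spoofed deauths in both directions, then one normal deauth elsewhere.
SAMPLE_FRAMES = [(0.00, build_frame(BEACON, "FF:FF:FF:FF:FF:FF", AP, AP))]
for i in range(4):
    SAMPLE_FRAMES.append((0.10 + i * 0.05, build_frame(DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7))))
    SAMPLE_FRAMES.append((0.12 + i * 0.05, build_frame(DEAUTH, AP, CLIENT, AP, struct.pack("<H", 7))))
SAMPLE_FRAMES.append((9.00, build_frame(DEAUTH, OTHER_AP, "02:00:00:00:00:02", OTHER_AP, struct.pack("<H", 3))))
```

Running detect_deauth_flood(SAMPLE_FRAMES) reports one flood against EC:AD:E0:AB:93:34 starting at t=0.10 s; the lone deauth on the other BSSID is left alone.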
You can see all the files that were saved. The *.cap file (in our case HackDump-01.cap) is the one we need.
Cracking the Password
We will use the program aircrack-ng to run a dictionary attack against the captured handshake and try to break the password. We are using the fern-wifi common password file, as mentioned earlier.
The command is:
aircrack-ng HackDump-01.cap -w /usr/share/wordlists/fern-wifi/common.txt
The cracking attempts begin. We already know the password was in this list. In under one second, Aircrack-NG tried 400 passwords and found the correct one. We now have access to this network.