How to Hack Wi-Fi: Selecting a Good Wi-Fi Hacking Strategy

Welcome back, my rookie hackers!

So many readers come to Null Byte to learn how to hack Wi-Fi networks (this is the most popular hacking area on Null Byte) that I thought I should write a "how-to" on selecting a good Wi-Fi hacking strategy.

Many beginners come here looking to hack Wi-Fi, but have no idea where or how to start. Not every hack will work under every circumstance, so choosing the right strategy is more likely to lead to success and less wasted hours and frustration.

Here, I will lay out the strategies based upon the simplest and most effective first, through the most complex and difficult last. In general, this same continuum will apply to the probability of success.

Before You Begin Wi-Fi Password Cracking

I strongly suggest that you read this article to become familiar with the terminology and basic technology of wireless hacking. In addition, to really be effective at Wi-Fi password cracking while using Aircrack-ng, the premier Wi-Fi cracking tool, you will need to have an Aircrack-ng compatible wireless adapter.

Check out our 2017 list of Kali Linux and Backtrack compatible wireless network adapters in the link above, or you can grab our most popular adapter for beginners here.

A range of Kali Linux compatible wireless network adapters. Image by SADMIN/Null Byte

If you're looking for a cheap, handy platform to get started working with aircrack, check out our Kali Linux Raspberry Pi build using the $35 Raspberry Pi.

1. Crack WEP

WEP, or Wired Equivalent Privacy, was the first wireless encryption technology developed. It was quickly found to be flawed and easily cracked. Although you will not find any new WEP-encrypted wireless access points being sold, there are still many legacy WEP APs around. (On a recent consulting gig with a major U.S. Department of Defense contractor, I found nearly 25% of their APs were using WEP, so it's still out there.)

WEP can easily be cracked with Aircrack-ng using a statistical cracking method. It is nearly foolproof (don't prove me wrong on this). If you can collect enough packets (this is key), it's a simple process. This is one of the reasons you need an Aircrack-ng compatible wireless adapter: you must be able to inject packets while simultaneously capturing them, and most off-the-shelf wireless cards are incapable of this.

To know whether an AP is using WEP, you can simply hover your mouse over the AP in your wireless network list and it will display its encryption algorithm. Note that this statistical cracking approach only works if the AP is using WEP; it does not work on any of the other wireless encryption schemes. If you are lucky enough to find a wireless AP with WEP, you can expect to crack its password within 10 minutes, although some claim to have done this task in less than 3 minutes.

2. Crack WPS

Many Wi-Fi APs were equipped with Wi-Fi Protected Setup, or WPS, to make it simpler for the average home user without knowledge of Wi-Fi security measures to set up their wireless AP. Fortunately for us, if we can crack that WPS PIN, we can then access the control panel of the AP.

This PIN is relatively simple: just eight digits, one of which is a checksum, leaving seven (7) digits, or 10,000,000 possibilities. A single CPU can usually exhaust those possibilities in a few days. Although this might seem slow, brute-forcing a WPA2 PSK, which has many times more possibilities, can take far longer.

If the wireless AP has WPS enabled, this is the preferred method of cracking modern wireless APs with WPA2. You can use either Reaver or Bully in conjunction with Aircrack-ng to break these WPS PINs.
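The two conditions the last two sections hinge on, an AP still running WEP and an AP with WPS enabled, are both visible in an ordinary scan, and a network owner can inventory them without any cracking tool. The Python script below is an added example written for this page; it is not code from the article or from the Aircrack-ng, Reaver or Bully projects. It parses a Linux `iw dev wlan0 scan` dump: an AP whose capability field carries the Privacy bit but advertises no WPA/RSN element is legacy WEP, and an AP with a WPS element whose "AP setup locked" flag is not set still accepts PIN attempts. The scan text embedded in the script is constructed to mimic iw's output layout (the BSSIDs and SSIDs are made up), and the parser assumes iw's `capability:`, `RSN:`, `WPA:`, `WPS:` and `* AP setup locked:` line formats.

```python
"""Inventory an `iw dev <iface> scan` dump for legacy WEP and WPS-enabled APs.

Added example (not from the article or from Aircrack-ng). SAMPLE_SCAN is
constructed text that mimics iw's output layout; BSSIDs and SSIDs are made
up. The parser assumes iw's "capability:", "RSN:", "WPA:", "WPS:" and
"* AP setup locked:" lines.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -41.00 dBm
\tSSID: LegacyWarehouse
\tDS Parameter set: channel 1
BSS 66:77:88:99:aa:bb(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -55.00 dBm
\tSSID: HomeRouter-7f2c
\tDS Parameter set: channel 6
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
\t\t * AP setup locked: 0x01
BSS cc:dd:ee:ff:00:11(on wlan0)
\tcapability: ESS Privacy ShortSlotTime (0x0411)
\tsignal: -60.00 dBm
\tSSID: CoffeeShop-Guest
\tDS Parameter set: channel 11
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
BSS 22:33:44:55:66:77(on wlan0)
\tcapability: ESS ShortSlotTime (0x0401)
\tsignal: -70.00 dBm
\tSSID: OpenCafe
"""


@dataclass
class AccessPoint:
    bssid: str
    ssid: str = ""
    channel: int = 0
    signal_dbm: float = 0.0
    privacy: bool = False      # "Privacy" bit in the capability field
    has_wpa: bool = False      # vendor WPA (v1) information element
    has_rsn: bool = False      # RSN element, i.e. WPA2
    has_wps: bool = False      # WPS information element present
    wps_locked: bool = False   # "AP setup locked" is set after repeated PIN failures

    @property
    def security(self) -> str:
        if not self.privacy:
            return "OPEN"
        if self.has_rsn:
            return "WPA2"
        if self.has_wpa:
            return "WPA"
        return "WEP"           # Privacy bit but no WPA/RSN element: legacy WEP


def parse_iw_scan(text: str) -> List[AccessPoint]:
    """Split the dump at each 'BSS <mac>' header and collect per-AP fields."""
    aps: List[AccessPoint] = []
    ap = None
    for raw in text.splitlines():
        m = re.match(r"^BSS ([0-9a-f:]{17})", raw)
        if m:
            ap = AccessPoint(bssid=m.group(1))
            aps.append(ap)
            continue
        if ap is None:
            continue
        line = raw.strip()
        if line.startswith("SSID: "):
            ap.ssid = line[len("SSID: "):]
        elif line.startswith("capability: "):
            ap.privacy = " Privacy" in line
        elif line.startswith("signal: "):
            ap.signal_dbm = float(line.split()[1])
        elif line.startswith("DS Parameter set: channel "):
            ap.channel = int(line.rsplit(" ", 1)[1])
        elif line.startswith("RSN:"):
            ap.has_rsn = True
        elif line.startswith("WPA:"):
            ap.has_wpa = True
        elif line.startswith("WPS:"):
            ap.has_wps = True
        elif line.startswith("* AP setup locked:"):
            ap.wps_locked = line.endswith("0x01")
    return aps


def audit(aps: List[AccessPoint]) -> List[str]:
    """One finding per risky condition, worded for the network owner."""
    findings = []
    for ap in aps:
        label = f"{ap.bssid} '{ap.ssid}' ch{ap.channel} {ap.signal_dbm:.0f} dBm"
        if ap.security == "WEP":
            findings.append(f"{label}: WEP - crackable in minutes, migrate to WPA2")
        elif ap.security == "OPEN":
            findings.append(f"{label}: open network, no encryption")
        if ap.has_wps and not ap.wps_locked:
            findings.append(f"{label}: WPS enabled and unlocked - disable WPS on the AP")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_iw_scan(SAMPLE_SCAN)):
        print(finding)
```

Feed it real output with `iw dev wlan0 scan > scan.txt` and `parse_iw_scan(open("scan.txt").read())`; a locked WPS state (the `HomeRouter-7f2c` entry) is deliberately reported as no finding, since the AP has already stopped accepting PINs, which is the lockout the article's WPS section relies on being absent.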

3. Crack WPA2

After the disaster that was WEP, the wireless industry developed a new wireless security standard known as WPA2, or Wi-Fi Protected Access II. This standard is now built into nearly every new wireless AP. Although more difficult to hack, it is not impossible.

When a client connects to the AP, there is a 4-way handshake in which the client proves to the AP that it holds the pre-shared key (PSK). We can capture that handshake (the PSK hash) and then run a dictionary or brute-force attack against it. This can be time-consuming and is not always successful. Success depends upon the wordlist you use and the time you have to crack it.

Once you have the hash of the PSK captured, you don't need to be connected to the AP. With enough resources, you can brute-force any PSK.
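What "enough resources" means can be put in numbers. The Python script below is an added example for this page, not code from the article or from Aircrack-ng: it computes the WPA2-Personal Pairwise Master Key exactly as IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes), measures how many such derivations one CPU core manages per second, and extrapolates how long each passphrase class survives a captured handshake. The search-space classes (including the 10-digit phone-number pattern raised in the comments), the SSID `CorpWireless`, and the 1000x GPU factor are constructed or assumed figures for illustration, not measurements of any tool.

```python
"""How long does a captured WPA2 handshake protect a given passphrase class?

Added example (not from the article). WPA2-Personal derives the PMK as
PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) per IEEE
802.11i; once a 4-way handshake is captured, candidates can be tested
offline, so the cost per guess is fixed and the defender's only lever is the
size of the search space. Passphrase classes, the SSID and the GPU scaling
factor below are assumed figures for illustration.
"""
import hashlib
import time
from typing import Dict


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA2-Personal (also called the PSK)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


# Candidate-space sizes for passphrase classes (assumed, for illustration).
PASSPHRASE_CLASSES: Dict[str, int] = {
    "7-digit PIN (WPS-style)": 10 ** 7,
    "10-digit phone number, leading digit known": 10 ** 9,
    "8 lowercase letters": 26 ** 8,
    "8 mixed-case letters and digits": 62 ** 8,
    "12 random printable ASCII characters": 95 ** 12,
}


def measure_guess_rate(ssid: str, samples: int = 100) -> float:
    """Guesses per second for one CPU core doing plain PBKDF2 (no GPU)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate-{i}", ssid)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return space / guesses_per_second


def survival_report(guesses_per_second: float) -> Dict[str, float]:
    """Days needed to exhaust each passphrase class at the given rate."""
    return {name: seconds_to_exhaust(n, guesses_per_second) / 86400
            for name, n in PASSPHRASE_CLASSES.items()}


if __name__ == "__main__":
    ssid = "CorpWireless"                    # constructed SSID
    cpu_rate = measure_guess_rate(ssid)
    # Assumed: a multi-GPU rig is roughly 1000x one core for PBKDF2-SHA1.
    for label, rate in (("one CPU core", cpu_rate),
                        ("assumed GPU rig", cpu_rate * 1000)):
        print(f"== {label}: {rate:,.0f} guesses/s ==")
        for name, days in survival_report(rate).items():
            print(f"  {name:45s} {days:>12.2e} days")
```

The `wpa2_pmk` function reproduces the standard's published test vector (passphrase `password`, SSID `IEEE`), so the timing it produces is for the real derivation; the takeaway for a network owner is that a long random passphrase pushes the exhaust time to centuries even at GPU rates, while a phone number or short word pattern does not.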

4. Evil Twin

If we can't crack the password on the AP, another strategy that can be successful is creating an Evil Twin—an AP with exactly the same SSID as the known AP, but controlled by us. The key is for the target to connect to our AP, rather than the authentic AP.

Generally, computers will automatically connect to the AP with the strongest signal, so turning up the power on your AP can be a critical element of this hack. When the user connects to our AP, we can then capture all their traffic and view it, as well as capture any other credentials they present to other systems.

An effective variation on the Evil Twin is to set up a system with the same SSID and then present the user with a logon screen. Many corporate offices, hotels, coffee shops, etc. employ this type of security. When the user presents their credentials in our fake logon screen, we capture the credentials and store them. We can then use those credentials on the authentic AP to gain access.

This process has been automated by a script called Airsnarf. Unfortunately, Airsnarf is out of date, but I have been working on updating it and will present the script and tutorial soon.
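From the network owner's side, an Evil Twin is a beacon for one of your SSIDs coming from a BSSID you do not operate, usually on a strong signal and often with weaker security than the real AP. The Python script below is an added example for this page, not code from the article, Airsnarf or Aircrack-ng: it reads the access-point section of an airodump-ng style CSV listing, compares each SSID against a baseline of authorised BSSIDs, and raises an alert for any unknown BSSID advertising a protected SSID, noting when it is louder than the legitimate AP or uses a different security setting. The CSV text and the `KNOWN_BSSIDS` baseline are constructed for the example (BSSIDs, SSIDs and times are made up); the column layout follows airodump-ng's CSV export.

```python
"""Flag Evil Twin candidates in an airodump-ng style AP listing.

Added example (not from the article or from Aircrack-ng). SAMPLE_CSV is a
constructed snippet laid out like the AP section of an airodump-ng CSV
export; BSSIDs, SSIDs and times are made up. KNOWN_BSSIDS is the defender's
baseline of which BSSIDs may advertise each SSID.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Set

KNOWN_BSSIDS: Dict[str, Set[str]] = {
    "CorpWireless": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
}

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2017-03-01 10:00:00, 2017-03-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -62,  120,  0,  0.  0.  0.  0,  12, CorpWireless,
00:11:22:33:44:56, 2017-03-01 10:00:00, 2017-03-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -70,   98,  0,  0.  0.  0.  0,  12, CorpWireless,
de:ad:be:ef:00:01, 2017-03-01 10:03:00, 2017-03-01 10:05:00,  6,  54, OPN ,     ,    , -35,   40,  0,  0.  0.  0.  0,  12, CorpWireless,
aa:bb:cc:dd:ee:ff, 2017-03-01 10:00:00, 2017-03-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -80,   50,  0,  0.  0.  0.  0,   9, Neighbour,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


@dataclass
class ApRow:
    bssid: str
    channel: int
    privacy: str      # OPN / WEP / WPA / WPA2 as airodump-ng labels it
    power: int        # dBm; closer to zero is stronger
    essid: str


@dataclass
class Alert:
    essid: str
    bssid: str
    channel: int
    reasons: List[str]


def parse_airodump_aps(text: str) -> List[ApRow]:
    """Read only the AP section; it ends where the 'Station MAC' table starts."""
    rows: List[ApRow] = []
    for fields in csv.reader(io.StringIO(text), skipinitialspace=True):
        fields = [f.strip() for f in fields]
        if not fields or fields[0] == "BSSID":
            continue
        if fields[0] == "Station MAC":
            break
        rows.append(ApRow(bssid=fields[0], channel=int(fields[3]),
                          privacy=fields[5], power=int(fields[8]),
                          essid=fields[13]))
    return rows


def find_evil_twins(rows: List[ApRow], baseline: Dict[str, Set[str]]) -> List[Alert]:
    """Unknown BSSID on a protected SSID is always an alert; add context reasons."""
    by_ssid: Dict[str, List[ApRow]] = {}
    for ap in rows:
        by_ssid.setdefault(ap.essid, []).append(ap)
    alerts: List[Alert] = []
    for ssid, known in baseline.items():
        seen = by_ssid.get(ssid, [])
        legit = [ap for ap in seen if ap.bssid in known]
        strongest_legit = max((ap.power for ap in legit), default=None)
        legit_privacy = {ap.privacy for ap in legit}
        for ap in seen:
            if ap.bssid in known:
                continue
            reasons = ["BSSID not in baseline"]
            if strongest_legit is not None and ap.power > strongest_legit:
                reasons.append(f"stronger signal ({ap.power} dBm vs {strongest_legit} dBm)")
            if legit_privacy and ap.privacy not in legit_privacy:
                reasons.append(f"security differs ({ap.privacy} vs {'/'.join(sorted(legit_privacy))})")
            alerts.append(Alert(ssid, ap.bssid, ap.channel, reasons))
    return alerts


if __name__ == "__main__":
    for a in find_evil_twins(parse_airodump_aps(SAMPLE_CSV), KNOWN_BSSIDS):
        print(f"ALERT {a.essid} from {a.bssid} on ch{a.channel}: " + "; ".join(a.reasons))
```

Two design choices matter in practice: the baseline is keyed by SSID rather than by BSSID alone, so a rogue that copies the name but not the hardware address is caught, and the signal comparison is against the strongest legitimate AP, which is exactly the metric a client uses when it auto-joins the louder twin.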

5. ICMPTX

If all else fails and you absolutely MUST have Internet access, ICMPTX often works on wireless networks that require authentication via proxy. These include some schools and universities, hotels, coffee shops, libraries, restaurants, and other public Wi-Fi spots. It relies upon the fact that ICMP (the ping protocol) is usually enabled on the AP and passes through to the intended IP address or domain. Since it is not TCP, it does not engage the proxy; it simply passes through.

This hack is complex and time-consuming and is not for the beginner. It is slow, as ICMP can only carry a small amount of data in each packet, but in the circumstance where you actually MUST have Internet access and the amount of data is small, such as email, it works great.
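The same properties that make ICMPTX work (many echo requests per second, each stuffed with as much payload as the MTU allows, with sizes that change from packet to packet) are what make it stand out next to a normal ping, which sends one constant-size packet per second. The Python script below is an added example for this page, not code from the article or from ICMPTX: it aggregates ICMP echo records per source/destination pair and alerts when at least two of three indicators trip (mean payload, packet rate, number of distinct payload sizes). The record format (`ts src dst icmp_type payload_bytes`) and the thresholds are constructed starting points for the example, not measured baselines; the sample data mixes five routine pings with a constructed tunnel-shaped burst.

```python
"""Spot ICMP tunnelling (ICMPTX-style) in per-packet ICMP echo records.

Added example (not from the article). The record format is constructed for
this example ('ts src dst icmp_type payload_bytes'); map your sensor's ICMP
logs onto it. Thresholds are assumed starting points, not measured baselines.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

# Assumed baselines: a normal ping carries 32 (Windows) or 56 (Linux) payload
# bytes, about one packet per second, always the same size.
MAX_NORMAL_PAYLOAD = 128          # mean payload bytes
MAX_NORMAL_RATE = 5.0             # echo requests per second per (src, dst)
MAX_NORMAL_DISTINCT_SIZES = 3


def build_sample_log() -> List[str]:
    """Constructed records: a routine ping plus a tunnel-shaped burst."""
    lines = [f"{1489000000 + i}.000 10.0.0.5 8.8.8.8 8 56" for i in range(5)]
    burst_sizes = [1400, 1380, 1412, 900, 1400, 64, 1200, 1400, 1390, 1400]
    for i in range(60):
        ts = 1489000000 + i * 0.05        # 20 packets/s for about 3 s
        lines.append(f"{ts:.3f} 10.0.0.9 203.0.113.7 8 {burst_sizes[i % len(burst_sizes)]}")
    return lines


@dataclass
class FlowStats:
    packets: int
    first_ts: float
    last_ts: float
    sizes: List[int]

    @property
    def rate(self) -> float:
        span = self.last_ts - self.first_ts
        return self.packets / span if span > 0 else float(self.packets)


def aggregate(lines: List[str]) -> Dict[Tuple[str, str], FlowStats]:
    """Group echo requests (type 8) by (src, dst) and keep timing and sizes."""
    flows: Dict[Tuple[str, str], FlowStats] = {}
    for line in lines:
        ts, src, dst, icmp_type, size = line.split()
        if icmp_type != "8":              # client -> tunnel endpoint direction only
            continue
        t, n = float(ts), int(size)
        st = flows.setdefault((src, dst), FlowStats(0, t, t, []))
        st.packets += 1
        st.first_ts = min(st.first_ts, t)
        st.last_ts = max(st.last_ts, t)
        st.sizes.append(n)
    return flows


def detect_tunnels(lines: List[str]) -> List[Tuple[Tuple[str, str], List[str]]]:
    """Alert on a flow when at least two of the three indicators fire."""
    alerts = []
    for key, st in aggregate(lines).items():
        reasons = []
        avg = mean(st.sizes)
        if avg > MAX_NORMAL_PAYLOAD:
            reasons.append(f"mean payload {avg:.0f} B")
        if st.rate > MAX_NORMAL_RATE:
            reasons.append(f"{st.rate:.1f} echo requests/s")
        if len(set(st.sizes)) > MAX_NORMAL_DISTINCT_SIZES:
            reasons.append(f"{len(set(st.sizes))} distinct payload sizes")
        if len(reasons) >= 2:             # two indicators needed to limit false positives
            alerts.append((key, reasons))
    return alerts


if __name__ == "__main__":
    for (src, dst), reasons in detect_tunnels(build_sample_log()):
        print(f"possible ICMP tunnel {src} -> {dst}: " + "; ".join(reasons))
```

Requiring two indicators keeps a single large `ping -s` from alerting on its own; on a captive-portal network the cheaper mitigation is simply to rate-limit or drop ICMP echo towards the Internet until the client has authenticated.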

Other Strategies

There are numerous strategies for owning a target system, including social engineering and the many Metasploit exploits. Once you gain access to the target system, you can simply extract the wireless password from it by going to:

C:\ProgramData\Microsoft\Wlansvc\Profiles\Interface\{Interface GUID}

There, you will find a hex-encoded XML document with the wireless password.
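Those profile files are worth auditing on your own fleet, because they record both how each saved network is secured and how its key is stored: in a profile Windows wrote itself the `keyMaterial` element is hex text, but the bytes it encodes are a DPAPI blob (the value starts with the DPAPI version and provider GUID), which is why a plain hex-to-text decoder does not yield the passphrase; in a profile exported with the key in clear, `protected` is `false` and `keyMaterial` is the passphrase itself. The Python script below is an added example for this page, not code from the article or from Microsoft: it parses two profiles in the Wlansvc XML schema (namespace `http://www.microsoft.com/networking/WLAN/profile/v1`), flags WEP and open networks and clear-text keys, and checks whether a protected key really carries the DPAPI header. Both profiles are constructed; the hex key in the first is a shortened, made-up blob that only reproduces the 20-byte header.

```python
"""Audit Windows WLAN profile XML files for weak security and clear-text keys.

Added example (not from the article). Both profiles are constructed in the
Wlansvc profile schema; the first keyMaterial is a shortened, made-up hex
string that carries only the DPAPI blob header, the second imitates a
profile exported with the key in clear.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
# A DPAPI blob starts with version 1 followed by the DPAPI provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian byte order.
DPAPI_BLOB_PREFIX = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

PROFILE_WEP = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>LegacyWarehouse</name>
  <SSIDConfig><SSID><name>LegacyWarehouse</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>open</authentication>
      <encryption>WEP</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>networkKey</keyType>
      <protected>true</protected>
      <keyMaterial>01000000D08C9DDF0115D1118C7A00C04FC297EB0000000000000000</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""

PROFILE_CLEAR = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>HomeRouter-7f2c</name>
  <SSIDConfig><SSID><name>HomeRouter-7f2c</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>false</protected>
      <keyMaterial>correct horse battery staple</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""


@dataclass
class ProfileAudit:
    ssid: str
    authentication: str
    encryption: str
    key_protected: bool
    key_is_dpapi_blob: bool
    findings: List[str] = field(default_factory=list)


def audit_profile(xml_text: str) -> ProfileAudit:
    """Extract the security settings and classify how the key is stored."""
    root = ET.fromstring(xml_text)
    sec = "w:MSM/w:security/"
    ssid = root.findtext("w:SSIDConfig/w:SSID/w:name", default="", namespaces=NS)
    auth = root.findtext(sec + "w:authEncryption/w:authentication", default="", namespaces=NS)
    enc = root.findtext(sec + "w:authEncryption/w:encryption", default="", namespaces=NS)
    protected = root.findtext(sec + "w:sharedKey/w:protected", default="false", namespaces=NS) == "true"
    key = root.findtext(sec + "w:sharedKey/w:keyMaterial", default="", namespaces=NS)
    try:
        is_blob = bytes.fromhex(key).startswith(DPAPI_BLOB_PREFIX)
    except ValueError:                 # not hex at all, e.g. a clear-text passphrase
        is_blob = False
    result = ProfileAudit(ssid, auth, enc, protected, is_blob)
    if enc.upper() == "WEP":
        result.findings.append("WEP: trivially crackable, migrate this network to WPA2")
    if auth.lower() == "open" and enc.lower() == "none":
        result.findings.append("open network: no encryption")
    if key and not protected:
        result.findings.append("key stored in clear text in the profile XML")
    elif key and protected and not is_blob:
        result.findings.append("protected=true but keyMaterial is not a DPAPI blob")
    return result


if __name__ == "__main__":
    for xml_text in (PROFILE_WEP, PROFILE_CLEAR):
        a = audit_profile(xml_text)
        print(f"{a.ssid}: {a.authentication}/{a.encryption}, protected={a.key_protected}, "
              f"dpapi={a.key_is_dpapi_blob}, findings={a.findings}")
```

Point it at the per-interface profile directory named above (one XML file per saved network) to get an inventory of legacy WEP profiles and any clear-text exports left lying around; because a DPAPI blob can only be unwrapped in the context of the user or machine that created it, a protected `keyMaterial` is not recoverable by decoding alone, which is the reason the raw hex looks like garbage.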

Gaining access to the wireless AP can be as simple as cracking the WEP key or as complex as using ICMPTX, but wireless access can be broken. If all else fails, target one machine on the network, own it, and then recover the password as described above.

Cover image via Shutterstock (1, 2)

39 Comments

If I'm correct,
once we know the WPS,
we can log into the admin panel of the router, then access the WPA2 encryption code and possibly change it?
But how do we access the control panel?
For my one, we need to type the router name and it connects us to the webserver.

For most, type 192.168.1.1 or 192.168.0.1 in your web browser, and then it'll prompt for user & password. If it tells you the router model in the question, look up defaults on google.

It's usually a combination of these:
1234
admin
password

Sometimes, just leave the user blank and enter the password. admin@admin and admin@1234 are my first guesses

Also a fairly common password for routers is "public"

That's true, these are the most popular articles in Null Byte, but don't miss DB hacking. I follow you because of it, master.

Master, once I cracked WPS and WEP, but WPA2-PSK I hardly tried; all of them were dictionary attacks. Do you know any other attack except dictionary for WPA2-PSK?

Folder C:\ProgramData\Microsoft\Wlansvc\Profiles\Interface\ doesn't exist on my Windows 8.1 machine, anywhere else it could be found?

ProgramData is a hidden directory.

Got it, I thought if I ran from Win+R it would find it even if it were hidden

Do you plan on making a How To for WPA Enterprise?

Before trying to brute force WPS, I've been using a Pixie Dust attack with pretty decent success. Ralink and RealTek chipsets have been the most successful while I've had very limited success with Broadcom chips. It's definitely worth a mention since this attack takes only a few minutes (30 minutes max) while WPS brute forcing can take hours and days (depending on AP lockout time limits).

Indeed when you try to crack through the WPS it can be really annoying, cause most ISP routers nowadays provide lockout time limits.

what is a Pixie Dust attack?

It's a fork off of Reaver that recovers the WPS pin by exploiting the low or non-existing entropy of some APs. Once you have the WPS pin, you can use Reaver again to get the password by supplying the decoded PIN.

Maybe make a How-to on how to use that attack, BURNCT. I'm sure many people would be interested in reading it.

Great way to unify the posts on Wi-Fi here in Null Byte and, at the same time, give a good methodology on how to hack most APs.

As always, great post OTW. Looking forward to more.

If I were to do something illegal or hack some big guy who I know will do everything in his power to find me, and went wardriving and found a strong Wi-Fi signal that I could crack the password of from my car, and used a Wi-Fi adapter and spoofed the MAC address, and maybe used Tor or default Firefox, to do a search or two, uh, let's say log into the victim's email and send an email pretending to be him, could I be traced? If so, how to prevent that?

Oh, and I would really appreciate it if you could do a post about deleting your traces when you have physical access to the victim's PC. Let's say I have my keylogger on a USB and want to connect it to the victim's computer; based on what I know, they could look at the time the USB was connected and realize they were having a meeting with me at that time, so they come after me.

Why am I getting negative points for having questions?

Probably because of the extremely unreal situation you are painting. You would probably get traced if you don't use protection in every step. Everything from finding the target's ip address to hacking his email would have to be from a spoofed location or other ip address.

You have the answer to most of those questions lying around in articles on this site. You seem to be concerned too much about forensics, and you seem to be planning to do something illegal, and as far as the sub-title says, this is a White Hat playground. There are plenty of pages where you could learn Black Hat stuff on Tor, but learn those at your own risk (of getting caught and/or hacked).

not doing anything illegal, just learning. there was an article on how to hack your creepy neighbour, so it got me curious if that creepy neighbour could come kidnap me after finding out it was me who called the cops. thanks anyway

He couldn't get you if you called the cops, because the police would have got him/her by that point...

true, he might have a contact in jail lol

References! Yes! Gold to my eyes! Names of tools and stuff!

Love this kind of post! Shocked about the XML hex-encoded passwords thing.

Another Password cracking strategy,
I created a custom word list using crunch for mobile numbers.

I am from India, so I created a word list like this:

9@@@@@@@@@
8@@@@@@@@@
7@@@@@@@@@

I got success in cracking passwords for more than 3 APs.

Yeah, crunch is great for making dictionaries; in my city many APs have the phone number of their home owners preceded by 11.

I piped Aircrack-ng with Crunch... it ran for weeks with no success. I guess that is what happens with 8 ^ 40 combinations or something like that.

So it was Upper or Lower chars +0-9 + 4 special chars?

Might be better off with a mask but not much.

I think you need to use a botnet for that kind of brute-forcing.

Well, sure, I guess. Split up the sections of passwords to try.

I found the .xml files with the hex-encoded passwords named 'keyMaterial'. How do I convert this string to normal text? A simple hex-to-text decoder doesn't seem to do the job.

Try Cain&Abel

Great tutorial, looking forward to that airsnarf script of yours ;)

Thanks for this useful job!
I've an app on my smartphone called "WPSPIN" which can show the WPS PINs!!
How should I connect to a network using this PIN just by my Android phone???!!

Pretty sure it shows the PINs of wifis you have already been connected to.

Did you ever find an answer to your question about connecting using your Android only?

Just want to let you guys know - there is another method to bypass 'Captive Portals' A.K.A the login screens which you mentioned with ICMPTX.

If you spoof your MAC Address before connecting. ~ To either of these:
0a:00:00:00:00:00
0b:00:00:00:00:00
0c:00:00:00:00:00

Keep incrementing until you find a MAC that works! :)

The technique depends on your recognition. Let's say we find a Fritz!Box with an SSID FritzBox<something>; from the SSID we know the owner uses the default PSK, which consists of only alphanumerical letters. The rest is up to you to think about for a few seconds.

No. 2: Vodafone names each box with SSID easy<Something alphanumerical>. You see a box like that, you already know how many characters are used by default...

It's not only a matter of technical knowledge. It's combining YOUR knowledge and experience to find the best way...

Please replace "alphanumerical" with "Digit" in my previous post, and you will know what I mean. Sorry, I'm not a native speaker....

Also check fixed length....
