top of page

Basic Dictionary Wifi Attack

Wifi hacking, grabbing the 4-way handshake after deauthing clients and sending the results through Aircrack is easy. Retrieving a usable cracked password can be problematic. Just as well users are one thing and that's reliable. They will tend to use and re-use easy passwords, there's a good chance the password will exist in a wordlist. 

The tool of choice for 'testing', somebody else's Wifi password, is the tried and tested Aircrack-ng utility installed with Kali. I'll be using an Asus Zenbook 301LA with the built-in wifi adapter.

From Terminal session as a user type 'ip address'

Now su root

airmon-ng check kill

IP address and make a note of the adapter, it would normally be 'wlan0', but it can change to 'wlan0mon' if 'airmon-ng start' had previously run. Running 'airmon-ng stop wlan0mon' will reset the wireless adapter back to wlan0 then execute the service network-manager start. If all else fails take the Microsoft approach and reboot.

To start monitor mode type 'airmon-ng start wlan0mon'

Then 'airodump-ng wlan0mon'

Listed will be the reachable SSID's and the 802.11 beacon frames 

Open a new terminal.

Select a victim's BSSID, their Channel (CH) and the name of your wifi adapter (wlan0mon)

In the example Nadir-VPN is the target 'airodump-ng --ch 3 --bssid 94:83:C4;03:41:2D wlan0mon'

In this example there is only 1 client or Station.

Hightlight and copy both the BSSID and Station, this will be the individual client that's going to be targeted, paste the clipboard after the  -a.

aireplay-ng -death 20 -a 94:83:c4:03:41:2D -c 48:E2:44:F6:3C:c5 wlan0mon

The client will be deauth'd and in the process of reconnecting to the Access Point will broadcast its 4 way authentication, this is captured and written out to a .cap file.

The final stage is trying to dictionary attack the captured handshake with a wordlist. Kali provides some wordlists at 'usr/share/wordlists'. 

'aircrack-ng -w usr/share/wordlist/rockyou.txt /home/user/Nadir-VPN-01.cap'

With any luck and after a few hours the victims wifi password is known.

Aircrack relies on the CPU to crack the handshake and is limited to dictionary attacks. With access to a GPU and Hashcat, more options to brute force the handshake are available. As I'm GPU poor, it's an option not available to me. Are there other options that do not include dictionary or brute force attacks, that's something for next time?

bottom of page