Every problem brings a solution, every solution brings an invention, and every invention opens the way to new problems, a loop that goes on and on. When WiFi was first invented, we were not so concerned about the privacy risks it brings, at least not until WEP (Wired Equivalent Privacy) was created. Since WEP, privacy has remained a topic of discussion around the use of WiFi devices.
Not every use of WiFi is a risk, but here we will go through a quick demo of a WiFi router being hacked.
WARNING: Before proceeding I want this to be crystal clear that this is strictly for educational purposes. You are not supposed to perform this anywhere without prior permission. Your only motive while performing this should be to learn, understand and find ways to overcome this vulnerability.
A WIFI Router (Target)
Kali Linux Machine (Host) (You can follow tutorials to install or dual-boot Kali Linux. You can also live-boot Kali Linux from a USB drive without installing it locally. Kali Linux also supports persistent boot, i.e. it runs from the USB drive and stores your data there.)
Comment below if you want a detailed post on setting up the Kali Linux machine.
A wireless network adapter (Attacker), one that supports monitor mode and packet injection.
I prefer an AR9271 chipset network adapter. It is cheap and found almost anywhere. On Amazon you can find it for a dollar or three more than on AliExpress or Banggood.
Our target here is a WPA2-PSK router that uses the AES encryption algorithm, which is very difficult but not impossible to crack. WPA2-PSK uses a 4-way handshake to authenticate devices requesting a connection. We will take advantage of this authentication method.
Here I assume you have successfully booted into Kali Linux with the WiFi adapter connected to the host machine. So let's proceed -
To perform operations on the target router, we first need detailed information about it. Monitor mode lets us gather that information about the devices within our reach. We can get an overview of the traffic of our target router together with other information such as its BSSID, encryption and ESSID. Even hidden networks become visible in monitor mode.
So we open a terminal and type -
airmon-ng start wlan0
This switches your adapter from managed mode to monitor mode, i.e. from wlan0 to wlan0mon.
Now that we are capable of monitoring crucial information about the devices around us, it's time to capture that information so we can put it to use later.
In the terminal type -
Here BSSID is the MAC address of each visible router or AP (Access Point), ESSID is its name, and we can also see #Data (data frames), CH (channel) and ENC (encryption) for each visible router.
Press Ctrl+C to stop capturing.
Note: All the visible routers are listed in the upper part of the screen, while the connected devices or clients are listed in the lower part.
From the above screen we can get the required information about our target router. Find your target in the list; you can use the ESSID to find it by name. Once you have selected your target, note two pieces of information about it, its BSSID and CH (channel), which are clearly visible.
Now we will save the data flowing between the target and its connected devices to a specific file with the --write option.
So lets type -
airodump-ng --bssid 00:1F:9F:A2:E2:2A -c 1 --write [ File Name ] wlan0mon
Replace [ File Name ] with a name of your choice.
Leave the capture running, open a new terminal window and move swiftly on to the next step -
What we need to capture is the footprint of the 4-way handshake. For that we need to de-authenticate the clients from the target and let them reconnect; since they are already connected, we cannot capture that handshake footprint until they do. So, to de-authenticate, type -
aireplay-ng --deauth 100 -a 00:1F:9F:A2:E2:2A wlan0mon
Here we are sending 100 de-authentication frames to the target router. The devices connected to the router will remain disconnected until the 100 frames have been sent. Meanwhile, as the router re-authenticates the devices (clients), we capture the footprint of the handshake in the background.
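A burst of de-authentication frames like the one above is loud, so on the defending side it is one of the easiest things to detect. The following is an added example, not code from the original post: a small sliding-window detector that reads one line per management frame (a constructed log format, "<epoch_seconds> <subtype> <src_mac> <dst_mac>", as a monitor-mode sensor could emit) and flags any source address that sends many deauth/disassoc frames within a short window.

```python
"""Sliding-window detector for 802.11 deauthentication floods.
Added example, not code from the original post. Input lines are constructed
here as "<epoch_seconds> <subtype> <src_mac> <dst_mac>", one per management
frame, the way a monitor-mode sensor could log them."""
from collections import defaultdict, deque

# Constructed sample (not a real capture): the AP BSSID from the post is the
# spoofed source of a 12-frame broadcast deauth burst; a different AP sends
# two legitimate deauths 30 s apart, which must not alert.
def constructed_sample():
    lines = [
        "1700000000.00 beacon 00:1F:9F:A2:E2:2A ff:ff:ff:ff:ff:ff",
        "1700000000.50 deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:66",
    ]
    lines += ["%.2f deauth 00:1F:9F:A2:E2:2A ff:ff:ff:ff:ff:ff"
              % (1700000001.0 + 0.05 * i) for i in range(12)]
    lines.append("1700000030.00 deauth aa:bb:cc:dd:ee:01 11:22:33:44:55:66")
    return lines

def parse_frame(line):
    ts, subtype, src, dst = line.split()
    return float(ts), subtype, src.lower(), dst.lower()

def detect_deauth_floods(lines, threshold=10, window=1.0):
    """Return [(src_mac, burst_start_ts, count)] for every source that emits
    >= threshold deauth/disassoc frames inside any window-second span.
    Lines are assumed to be in time order; a source alerts only once."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    alerts, alerted = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, subtype, src, _dst = parse_frame(line)
        if subtype not in ("deauth", "disassoc"):
            continue  # beacons, probes, etc. are not part of this signal
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerts.append((src, q[0], len(q)))
            alerted.add(src)
    return alerts

if __name__ == "__main__":
    for src, start, count in detect_deauth_floods(constructed_sample()):
        print("deauth flood from %s: %d frames from %.2f" % (src, count, start))
```

Tune threshold and window to the environment; a few deauths per minute are normal churn, but dozens per second from one address are not.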
So let's see whether the handshake was captured -
You can clearly see above that the previous terminal, where the data was being captured, now says WPA handshake: [ BSSID ], which means the handshake was captured successfully.
Our captured handshake file is saved in the root directory with a .cap extension. This method of WiFi hacking involves cracking the password with aircrack-ng using a dictionary of passwords. The dictionary is a list of candidate passwords, and the matching one will be identified, so the better the dictionary, the higher the chance of the password being found. Here I am using the default dictionary that comes with aircrack-ng. So let's crack it -
aircrack-ng [ FileName.cap ] -w /path/to/wordlist.txt
You can find better wordlists or dictionaries on the internet; download one and give its path after -w just as above (note that the wordlist option of aircrack-ng is lowercase -w).
This method of WiFi hacking is pretty old but is best for beginners and for learning. If you want to know about other WiFi hacking methods, comment below.
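For the "find ways to overcome this vulnerability" part: the demo relies on two weaknesses, de-authentication frames that the access point accepts without any authentication, and a passphrase short enough to be found in a wordlist once the handshake is captured. The following hostapd configuration fragment is an added example, not part of the original post; interface, SSID and passphrase are placeholders.

```ini
# hostapd.conf fragment (added example; interface, ssid and passphrase are placeholders)
interface=wlan0
ssid=EXAMPLE_SSID
wpa=2
wpa_key_mgmt=WPA-PSK-SHA256
rsn_pairwise=CCMP
# Weak setting: ieee80211w=0 leaves deauth/disassoc frames unauthenticated, so a
# forged burst like the aireplay-ng one above disconnects every client.
# ieee80211w=2 requires 802.11w Protected Management Frames, so forged deauths are dropped.
ieee80211w=2
# A captured 4-way handshake only helps an attacker who can guess the passphrase
# offline; a long random passphrase (tens of characters) is not in any wordlist.
wpa_passphrase=REPLACE_WITH_LONG_RANDOM_PASSPHRASE
```

ieee80211w=2 rejects clients that do not support PMF; ieee80211w=1 makes it optional per client if older devices must still connect.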
Thanks for Reading ;)