Hacking WiFi in Linux
How to hack WiFi in linux?
Step One:Start Kali Linux and login, preferably as root.
Step Two:Plugin your injection-capable wireless adapter, (Unless your native computer wireless card supports it). If you’re using Kali in VMware, then you might have to connect the card via theicon in the device menu.
Step Three:Disconnect from all wireless networks, open a Terminal, and typeairmon-ngThis will list all of the wireless cards that support monitor (not injection) mode. If nocards are listed, try disconnecting and reconnecting the adapter (if you’re using one) and check that it supports monitor mode. If you’re not using an external adapter, and you still don’t see anything listed, then your card doesn’t support monitor mode, and you’ll have to purchasean external one (see the link in therequirements). You can see here that my card supports monitor mode and that it’s listed aswlan0.
Step Four:Typeairmon-ng startfollowed by the interface name of your wireless card. mine iswlan0, so my command would be:airmon-ng start wlan0The “(monitor mode enabled)” message means that the card has successfully beenput into monitor mode. Note the name of the new monitor interface,mon0.EDIT:A bug recently discovered in Kali Linux makes airmon-ng set the channel as a fixed “-1” when you first enablemon0. If you receive this error, or simply do not want to take the chance, follow these steps after enablingmon0:Type:ifconfig [interface of wireless card] downand hit Enter.Replace[interface of wireless card]with the name of the interface that you enabled mon0 on; probably calledwlan0. This disables the wireless card from connecting to the internet, allowing it to focus on monitor mode instead.Afteryou have disabledmon0(completed the wireless section of the tutorial), you’ll need to enablewlan0(or name of wireless interface), by typing:ifconfig [interface of wireless card] upand pressing Enter.
Step Five:Typeairodump-ngfollowed by the name ofthe new monitor interface, which is probablymon0.If you receive a “fixed channel –1”error, see theEditabove.
Step Six:Airodump will now list all of the wireless networks in your area, and a lot of useful information about them. Locate your network or the network that you have permission to penetration test. Once you’ve spotted your network on the ever-populating list, hitCtrl + Con your keyboard to stop the process. Note the channel of your target network.
Step Seven:Copy the BSSID of the target networkNow type this command:airodump-ng -c [channel] --bssid [bssid] -w /root/Desktop/ [monitor interface]Replace [channel] with the channel of your target network. Paste the network BSSID where [bssid] is, and replace [monitor interface] with the name of your monitor-enabled interface, (mon0). The “–w” and file path command specifies a place whereairodump will save any intercepted 4-way handshakes (necessary to crack the password). Here we saved it to the Desktop, but you can save it anywhere.A complete command should look similar this:airodump-ng -c 10 --bssid 00:14:BF:E0:E8:D5 -w /root/Desktop/ mon0Now press enter.
Step Eight:Airodump with now monitoronlythe targetnetwork, allowing us to capture more specific information about it. What we’re really doing now is waiting for a device to connect or reconnect to the network, forcing the router to send out the four-wayhandshake that we need to capture in order to crack the password.Also, four files should show up on your desktop, this is where the handshake will be saved when captured, so don’t delete them!But we’re not really going to wait for a device to connect, no, that’s not what impatient hackers do. We’re actually going to use another cool-tool that belongs to the aircrack suite called aireplay-ng, to speed up the process. Instead of waiting for a device to connect, hackers can use this tool to force a device to reconnect by sending deauthentication (deauth) packets to one of the networks devices, making it think that it has to reconnect with the network.Of course, in order for this tool to work, there has to be someone else connected to the network first, so watch the airodump-ng and wait for a client to show up. It might take a long time, or it might only take a second before the first one shows. If none show up after a lengthy wait, then the network might be empty right now, or you’re to far away from the network.You can see in this picture, that a client has appeared on our network, allowing us to start the next step.
Step Nine:Leaveairodump-ngrunning and open a second terminal. In this terminal, type this command:aireplay-ng –0 2 –a [router bssid] –c [client bssid] mon0The–0is a short cut for the deauth mode and the2is the number of deauth packets to send.-aindicates the access point/router’s BSSID, replace [router bssid] with the BSSID of the target network, which in my case, is 00:14:BF:E0:E8:D5.-cindicates the client’s BSSID, the device we’re trying to deauth, noted in the previous picture. Replace the [client bssid] with the BSSID of the connected client, this will be listed under “STATION.”And of course,mon0merely means the monitor interface, change it if yours is different.My complete command looks like this:aireplay-ng –0 2 –a 00:14:BF:E0:E8:D5 –c 4C:EB:42:59:DE:31 mon0
Step Ten:Upon hitting Enter, you’ll see aireplay-ng send the packets. If you were close enough to the target client, and the deauthentication process works, this message will appear on the airodump screen (which you left open):This means that the handshake has been captured, the password is in the hacker’s hands, in some form or another. You can close the aireplay-ng terminal and hitCtrl +Con the airodump-ng terminal to stop monitoring the network,but don’t close it yetjust incase you need some of the information later.If you didn’t receivethe “handshake message,” then something went wrong in the process of sending the packets. Unfortunately, a variety of things can go wrong. You might just be too far away, andall you need to do is move closer. The device you’re attempting to deauth might not be set to automatically reconnect, in which case you’ll either have to try anotherdevice, or leave airodump on indefinitely until someone or something connects to the network. If you’reveryclose to the network, you could try a WiFi spoofing tool like wifi-honey, to try to fool the device intothinking that you’re the router. However, keep in mind that this requires that you be significantly closer to the device than the router itself. So unless you happen to be inyour victim’s house, this is not recommended.Do note that, despite your best efforts, there are many WPA networks that simply can’t be cracked by these tools. The network could be empty, or the password could be 64 characters long, etc.
Step 11:This concludes the external part of this tutorial. From now on, the process is entirely between your computer, and thosefour files on your Desktop. Actually, it’s the.cap one, that is important. Open a new Terminal, and type in this command:aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap-ais the method aircrack will use to crack the handshake, 2=WPA method.-bstands for bssid, replace [router bssid] with the BSSID of the target router, mine is 00:14:BF:E0:E8:D5.-wstands for wordlist, replace [path to wordlist] with the path to a wordlist that you have downloaded. I have a wordlist called “wpa.txt” in the root folder./root/Desktop/*.capis the path to the .cap file containing the password. The*means wild card in Linux, and since I’m assuming that there are no other .cap files on your Desktop, this should work fine the way it is.My complete command looks like this:aircrack-ng –a2 –b 00:14:BF:E0:E8:D5 –w /root/wpa.txt /root/Desktop/*.capNow press Enter.
Step 12:Aircrack-ng will now launch into the process of cracking the password. However, it will only crack it if the password happens to be in the wordlist that you’ve selected. Sometimes, it’s not. If this is the case, you can try other wordlists. If you simply cannot find the password no matter how many wordlists you try, then it appears your penetration test has failed, and the network is at least safe from basic brute-force attacks.
I am not responsible for any crime, do it on your own risk.....:)
Step One:Start Kali Linux and login, preferably as root.
Step Two:Plugin your injection-capable wireless adapter, (Unless your native computer wireless card supports it). If you’re using Kali in VMware, then you might have to connect the card via theicon in the device menu.
Step Three:Disconnect from all wireless networks, open a Terminal, and typeairmon-ngThis will list all of the wireless cards that support monitor (not injection) mode. If nocards are listed, try disconnecting and reconnecting the adapter (if you’re using one) and check that it supports monitor mode. If you’re not using an external adapter, and you still don’t see anything listed, then your card doesn’t support monitor mode, and you’ll have to purchasean external one (see the link in therequirements). You can see here that my card supports monitor mode and that it’s listed aswlan0.
Step Four:Typeairmon-ng startfollowed by the interface name of your wireless card. mine iswlan0, so my command would be:airmon-ng start wlan0The “(monitor mode enabled)” message means that the card has successfully beenput into monitor mode. Note the name of the new monitor interface,mon0.EDIT:A bug recently discovered in Kali Linux makes airmon-ng set the channel as a fixed “-1” when you first enablemon0. If you receive this error, or simply do not want to take the chance, follow these steps after enablingmon0:Type:ifconfig [interface of wireless card] downand hit Enter.Replace[interface of wireless card]with the name of the interface that you enabled mon0 on; probably calledwlan0. This disables the wireless card from connecting to the internet, allowing it to focus on monitor mode instead.Afteryou have disabledmon0(completed the wireless section of the tutorial), you’ll need to enablewlan0(or name of wireless interface), by typing:ifconfig [interface of wireless card] upand pressing Enter.
Step Five:Typeairodump-ngfollowed by the name ofthe new monitor interface, which is probablymon0.If you receive a “fixed channel –1”error, see theEditabove.
Step Six:Airodump will now list all of the wireless networks in your area, and a lot of useful information about them. Locate your network or the network that you have permission to penetration test. Once you’ve spotted your network on the ever-populating list, hitCtrl + Con your keyboard to stop the process. Note the channel of your target network.
Step Seven:Copy the BSSID of the target networkNow type this command:airodump-ng -c [channel] --bssid [bssid] -w /root/Desktop/ [monitor interface]Replace [channel] with the channel of your target network. Paste the network BSSID where [bssid] is, and replace [monitor interface] with the name of your monitor-enabled interface, (mon0). The “–w” and file path command specifies a place whereairodump will save any intercepted 4-way handshakes (necessary to crack the password). Here we saved it to the Desktop, but you can save it anywhere.A complete command should look similar this:airodump-ng -c 10 --bssid 00:14:BF:E0:E8:D5 -w /root/Desktop/ mon0Now press enter.
Step Eight:Airodump with now monitoronlythe targetnetwork, allowing us to capture more specific information about it. What we’re really doing now is waiting for a device to connect or reconnect to the network, forcing the router to send out the four-wayhandshake that we need to capture in order to crack the password.Also, four files should show up on your desktop, this is where the handshake will be saved when captured, so don’t delete them!But we’re not really going to wait for a device to connect, no, that’s not what impatient hackers do. We’re actually going to use another cool-tool that belongs to the aircrack suite called aireplay-ng, to speed up the process. Instead of waiting for a device to connect, hackers can use this tool to force a device to reconnect by sending deauthentication (deauth) packets to one of the networks devices, making it think that it has to reconnect with the network.Of course, in order for this tool to work, there has to be someone else connected to the network first, so watch the airodump-ng and wait for a client to show up. It might take a long time, or it might only take a second before the first one shows. If none show up after a lengthy wait, then the network might be empty right now, or you’re to far away from the network.You can see in this picture, that a client has appeared on our network, allowing us to start the next step.
Step Nine:Leaveairodump-ngrunning and open a second terminal. In this terminal, type this command:aireplay-ng –0 2 –a [router bssid] –c [client bssid] mon0The–0is a short cut for the deauth mode and the2is the number of deauth packets to send.-aindicates the access point/router’s BSSID, replace [router bssid] with the BSSID of the target network, which in my case, is 00:14:BF:E0:E8:D5.-cindicates the client’s BSSID, the device we’re trying to deauth, noted in the previous picture. Replace the [client bssid] with the BSSID of the connected client, this will be listed under “STATION.”And of course,mon0merely means the monitor interface, change it if yours is different.My complete command looks like this:aireplay-ng –0 2 –a 00:14:BF:E0:E8:D5 –c 4C:EB:42:59:DE:31 mon0
Step Ten:Upon hitting Enter, you’ll see aireplay-ng send the packets. If you were close enough to the target client, and the deauthentication process works, this message will appear on the airodump screen (which you left open):This means that the handshake has been captured, the password is in the hacker’s hands, in some form or another. You can close the aireplay-ng terminal and hitCtrl +Con the airodump-ng terminal to stop monitoring the network,but don’t close it yetjust incase you need some of the information later.If you didn’t receivethe “handshake message,” then something went wrong in the process of sending the packets. Unfortunately, a variety of things can go wrong. You might just be too far away, andall you need to do is move closer. The device you’re attempting to deauth might not be set to automatically reconnect, in which case you’ll either have to try anotherdevice, or leave airodump on indefinitely until someone or something connects to the network. If you’reveryclose to the network, you could try a WiFi spoofing tool like wifi-honey, to try to fool the device intothinking that you’re the router. However, keep in mind that this requires that you be significantly closer to the device than the router itself. So unless you happen to be inyour victim’s house, this is not recommended.Do note that, despite your best efforts, there are many WPA networks that simply can’t be cracked by these tools. The network could be empty, or the password could be 64 characters long, etc.
Step 11:This concludes the external part of this tutorial. From now on, the process is entirely between your computer, and thosefour files on your Desktop. Actually, it’s the.cap one, that is important. Open a new Terminal, and type in this command:aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap-ais the method aircrack will use to crack the handshake, 2=WPA method.-bstands for bssid, replace [router bssid] with the BSSID of the target router, mine is 00:14:BF:E0:E8:D5.-wstands for wordlist, replace [path to wordlist] with the path to a wordlist that you have downloaded. I have a wordlist called “wpa.txt” in the root folder./root/Desktop/*.capis the path to the .cap file containing the password. The*means wild card in Linux, and since I’m assuming that there are no other .cap files on your Desktop, this should work fine the way it is.My complete command looks like this:aircrack-ng –a2 –b 00:14:BF:E0:E8:D5 –w /root/wpa.txt /root/Desktop/*.capNow press Enter.
Step 12:Aircrack-ng will now launch into the process of cracking the password. However, it will only crack it if the password happens to be in the wordlist that you’ve selected. Sometimes, it’s not. If this is the case, you can try other wordlists. If you simply cannot find the password no matter how many wordlists you try, then it appears your penetration test has failed, and the network is at least safe from basic brute-force attacks.
I am not responsible for any crime, do it on your own risk.....:)
Comments
Post a Comment