Hack Wi-Fi in 10 mins. Crack Wi-Fi routers password ... https://medium.com/@nimishjain511/hack-wi-fi-in-10-mi...

Hack Wi-Fi in 10 mins

Nimish Jain
8 min read · Mar 21, 2020


Photo by Kelly Sikkema on Unsplash

Crack Wi-Fi routers with Airodump-ng and Aircrack-ng/Hashcat: cracking WPA/WPA2.

This is a simple walk-through guide that shows how to hack Wi-Fi networks that use
weak passwords. It is not exhaustive, but it should give you enough detail to check
the protection of your own network or hack into one nearby. The attack described
below is completely passive (only listening; nothing is transmitted from your
computer) and cannot be detected as long as you do not actually use the password you
recover. An optional active deauthentication attack, described at the end of this
document, can be used to speed up the reconnaissance process.

If you are new to hacking, do not skip the description and jump straight to the list
of commands at the bottom.

DISCLAIMER: This tutorial/software is intended for educational purposes only. It
should not be used for illegal activity. The author will not be responsible for the use
thereof. Don’t be a jerk about it.

Getting Started
This guide assumes that you:

• have a basic knowledge of Linux;

• are running a Debian-based system (Ubuntu, Kali Linux);

• have Aircrack-ng installed ( sudo apt-get install aircrack-ng ) and Hashcat
installed ( sudo apt-get install hashcat );

• have a wireless card that supports monitor mode.

Hacking a Wi-Fi Network

• Monitor mode

The first step is to identify your wireless adapter by typing the following command
in your terminal.


$ iwconfig

If no wireless interface is listed, your wireless card has not been recognised by the
operating system.

I am using Linux Mint. In the output you can see that wlxc83a35c26727 (on your
system it may be wlan0) is the wireless interface; it supports 802.11, ESSID is off
and the mode is Managed.

Now type the next command to enable monitor mode, which will turn wlan0 into
wlan0mon. In my case the command is “airmon-ng start wlxc83a35c26727”.

$ airmon-ng start wlan0


• Find the Target

The next tool is airodump-ng, which enables us to capture packets matching our
specifications. Start listening to the 802.11 Beacon frames broadcast by nearby
wireless routers using your monitor interface:

airodump-ng wlan0mon


You should see output similar to the screenshot above.

For the purposes of this demo, we will crack the password of my own network,
“waitt”. Note the BSSID (MAC address) and channel ( CH ) number displayed by
airodump-ng, as we will need both in the next step.


So our BSSID is 80:AD:16:A7:A9:3E and the channel number is 1.

As the screenshot above shows, airodump-ng lists all the APs (access points) within
range with their BSSID (MAC address), signal power, the number of beacon frames,
the number of data packets, the frequency, the size, the encryption, the type of
cipher used, the authentication method used and finally the ESSID.

Capture Handshake

The next phase is to capture a 4-way handshake, since WPA/WPA2 uses a 4-way
handshake to authenticate devices to the network. We will not go into the details
of what it contains, but to break the network encryption you must capture one of
these handshakes.

These handshakes occur whenever a device connects to the network, for instance
when your neighbour returns home from work.

To capture the 4-way handshake, type the following command in your terminal.

$ airodump-ng -c 1 --bssid 80:AD:16:A7:A9:3E -w waitt wlan0mon

Command explanation: -c is the channel, --bssid is the MAC address of the access
point and -w is the prefix of the file the captured packets are written to.

Now we wait… Once you’ve captured a handshake, you should see something like
[ WPA handshake: 80:AD:16:A7:A9:3E ] at the top right of the screen, just right of
the current time.

If you are feeling impatient and are comfortable using an active attack, you can
force devices connected to the target network to reconnect by sending
deauthentication packets at them. In other words, if no handshake has been captured,
the deauthentication method forces the target to reconnect, which produces the
handshake immediately.

Another important tool in the aircrack-ng suite is aireplay-ng, which can be used
to generate or boost traffic on the AP. It is especially useful for attacks such as a
deauth attack that knocks clients off the access point, attacks on WEP and WPA2
passwords, and ARP injection and replay attacks.

To deauthenticate the target, type the following command in another terminal.

$ aireplay-ng -0 2 -a 80:AD:16:A7:A9:3E -c 7C:67:A2:E7:EE:BF wlan0mon

Here -a is the BSSID of the target AP and -c is the station (client) address.

Upon receipt of such packets, most clients disconnect from the network and
immediately reconnect, providing you with a 4-way handshake as shown below.


Captured Handshake

Here our captured handshake is for “80:AD:16:A7:A9:3E”.
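From the defender’s side, the deauthentication burst used above is noisy: it is a run of unprotected 802.11 management frames carrying a spoofed source address, and a wireless IDS can flag it. The following is an added example, not code from the article or from the aircrack-ng project. It parses raw 802.11 management frames, keeps a sliding window of deauthentication and disassociation frames per BSSID and raises one alert when the rate crosses a threshold. The frames are constructed inline (reusing the BSSID and station address from the article); the 1-second window and the 10-frame threshold are assumed tuning values.

```python
import struct
from collections import defaultdict, deque

# Added example (not from the article or from aircrack-ng): a minimal wireless-IDS
# check that parses raw 802.11 management frames and flags a burst of
# deauthentication / disassociation frames aimed at one BSSID. All frames below
# are constructed inline; the MAC addresses are the ones used in the article.

TYPE_MGMT = 0
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
REASON_STA_LEAVING = 3        # 802.11 reason code: station is leaving the BSS
REASON_CLASS3_NONASSOC = 7    # 802.11 reason code commonly seen in spoofed floods

AP_BSSID = "80:AD:16:A7:A9:3E"
STATION = "7C:67:A2:E7:EE:BF"


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_mgmt_frame(subtype, dst, src, bssid, reason=0):
    """802.11 management frame: frame control, duration, addr1-3, seq ctl, 2-byte body."""
    frame_control = (subtype << 4) | (TYPE_MGMT << 2)        # protocol version 0
    header = struct.pack("<HH", frame_control, 0)
    header += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    header += struct.pack("<H", 0)                            # sequence control
    return header + struct.pack("<H", reason)                 # reason code body


def parse_frame(raw):
    """Decode type/subtype and addresses; the reason code only for deauth/disassoc."""
    if len(raw) < 24:
        return None
    frame_control = struct.unpack_from("<H", raw, 0)[0]
    info = {
        "type": (frame_control >> 2) & 0x3,
        "subtype": (frame_control >> 4) & 0xF,
        "dst": mac_str(raw[4:10]),
        "src": mac_str(raw[10:16]),
        "bssid": mac_str(raw[16:22]),
        "reason": None,
    }
    is_kick = info["type"] == TYPE_MGMT and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)
    if is_kick and len(raw) >= 26:
        info["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return info


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame).
    Emits one alert per BSSID the first time `threshold` deauth/disassoc frames
    fall inside a `window_s` sliding window."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        info = parse_frame(raw)
        if info is None or info["type"] != TYPE_MGMT:
            continue
        if info["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        window = recent[info["bssid"]]
        window.append(ts)
        while ts - window[0] > window_s:        # drop timestamps older than the window
            window.popleft()
        if len(window) >= threshold and info["bssid"] not in alerted:
            alerted.add(info["bssid"])
            alerts.append({"bssid": info["bssid"], "count": len(window),
                           "first_ts": window[0], "last_ts": ts, "reason": info["reason"]})
    return alerts


def sample_capture():
    """Constructed traffic: two genuine deauths an hour apart, then a 20-frame burst
    that claims to come from the AP (the pattern a deauth tool produces)."""
    frames = [
        (0.0, build_mgmt_frame(SUBTYPE_DEAUTH, AP_BSSID, STATION, AP_BSSID, REASON_STA_LEAVING)),
        (3600.0, build_mgmt_frame(SUBTYPE_DEAUTH, AP_BSSID, STATION, AP_BSSID, REASON_STA_LEAVING)),
    ]
    for i in range(20):
        frames.append((7200.0 + i * 0.02,
                       build_mgmt_frame(SUBTYPE_DEAUTH, STATION, AP_BSSID, AP_BSSID, REASON_CLASS3_NONASSOC)))
    return frames


if __name__ == "__main__":
    for a in detect_deauth_flood(sample_capture()):
        span = a["last_ts"] - a["first_ts"]
        print(f"deauth flood against {a['bssid']}: {a['count']} frames in {span:.2f}s, reason code {a['reason']}")
```

The durable mitigation is 802.11w Protected Management Frames (PMF), which WPA3 requires: with PMF enabled the station discards deauthentication frames that are not integrity-protected, so a spoofed burst no longer forces a reconnect and no fresh handshake is produced. A real sensor would read frames from a monitor-mode interface, where each frame is preceded by a radiotap header that has to be stripped before parsing; that step is left out here.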

Once you’ve captured a handshake, press ctrl-c to quit airodump-ng. You should see
a .cap file wherever you told airodump-ng to save the capture (likely called
waitt-01.cap, from the -w prefix given above).

We will use this capture file to crack the network password. I like to rename this file
to reflect the network name we are trying to crack.

Now the final step is to crack the password using the captured handshake. If you
have access to a GPU, I highly recommend using hashcat for password cracking.

Crack the Network Password with Aircrack-ng (CPU)

Aircrack-ng can be used for very basic dictionary attacks running on your CPU.
Before you run the attack you need a wordlist. I recommend using the infamous
rockyou dictionary file:

# download the 134MB rockyou dictionary file
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Note that if the network password is not in the wordlist, you will not crack the
password.

In the aircrack-ng command, -a2 specifies WPA2, -b is the BSSID and -w is the
wordlist.


Found!

If the password is cracked, you will see a KEY FOUND! message in the terminal
followed by the plain-text network password.

Crack the Network Password with Hashcat (GPU)

Hashcat is built to work on Windows, Linux and Mac. You can go to hashcat.net,
download the binaries and follow the instructions for your operating system. What we
are going to do here is clone a fresh copy of hashcat from GitHub and install it
manually on a Debian-based Linux.

Preferably, you should use Kali Or Parrot but a similar distro like Ubuntu will work
as well.

Update your repositories and install the following dependencies:

$ apt update
$ apt install git build-essential ocl-icd-libopencl1 libcurl4-openssl-dev libssl-dev zlib1g-dev libpcap-dev -y

Either install hashcat with sudo apt-get install hashcat or by cloning its repo from
GitHub.

Clone hashcat from GitHub and move into the directory:

$ git clone https://github.com/hashcat/hashcat.git
$ cd hashcat/

Finally, compile the binaries and we are all set with hashcat.

$ git submodule update --init
$ sudo make && sudo make install

Done installing

Earlier we captured the 4-way handshake using airodump-ng; now we need to supply it
to hashcat in the proper format. To convert it to that format (hccapx), we need
another tool.

There are online services you may use for this: https://hashcat.net/cap2hccapx/

In this case I am doing it locally, so clone the hashcat-utils repo from GitHub:

$ git clone https://github.com/hashcat/hashcat-utils.git
$ cd hashcat-utils/src

Next, compile the binaries.

$ sudo make

After compiling you will have the binaries in the same directory. The one we need is
cap2hccapx.bin. To make sure it compiled correctly, execute the file with no
arguments; it will print its usage syntax.

Bingo!! You have installed it correctly.

Use the following command to convert the .cap file to the .hccapx hashcat capture
format.

$ ./cap2hccapx.bin /path/to/capfile.cap hashfile.hccapx


Cracking WPA/WPA2 (Handshake) with hashcat

Hashcat offers several attack modes. We might do a simple dictionary attack, a
brute-force attack, a combinator attack or even a mask attack, i.e. create rules that
consider various possibilities and try different characters at different positions.

• Dictionary Attack

For this to work you need a wordlist, as mentioned. Provided that you have a decent
list of potential Wi-Fi passphrases, use that; otherwise you can grab popular ones
from https://www.wirelesshack.org/wpa-wpa2-word-list-dictionaries.html

I will be using rockyou.txt. You can also download it from here:
https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Launch the following command for dictionary attack:

$ hashcat -a 0 -m 2500 hashfile.hccapx /path/to/dict.txt

• -a: specifies the cracking mode. In our case it’s dictionary mode (0), and
“/path/to/dict.txt” is the full path to the wordlist.

• -m: hash mode. Specifies what type of hash we are dealing with (2500 is WPA/WPA2).


crack! baby! crack!

The cracked password will be saved to waitt.pot, so check this file periodically.
Once you’ve cracked the password, you should see something like this as the
contents of your POT_FILE:

31ff89ae5dbb24c68a6cf3194b144054:80ad16a7a93e:9078b2c1cec3:waittt:patanahi

where the last two fields, separated by “:”, are the network name and password
respectively.
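As an added example (not from the article or from hashcat), here is a small parser for this potfile line format that turns each cracked entry into an audit record: it normalises the bare-hex MAC fields, checks each cracked network against the BSSIDs that were in scope for the assessment, and flags weak passphrases. The first sample line is the one shown above; the second line, the scope list, the 12-character minimum and the character-class rule are constructed assumptions for the report.

```python
import re

# Added example (not from the article or from hashcat): parse hashcat -m 2500
# potfile lines, <hash>:<ap_mac>:<sta_mac>:<essid>:<password>, into audit records.
# The first SAMPLE line is the one printed in the article; everything else
# (second line, scope list, policy thresholds) is constructed for this example.

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
MIN_LENGTH = 12          # assumed policy minimum for a WPA2-Personal passphrase
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def fmt_mac(hexmac):
    """'80ad16a7a93e' -> '80:AD:16:A7:A9:3E' (potfiles store MACs as bare hex)."""
    if len(hexmac) != 12 or not HEX_RE.match(hexmac):
        raise ValueError(f"bad MAC field: {hexmac!r}")
    return ":".join(hexmac[i:i + 2].upper() for i in range(0, 12, 2))


def parse_potfile_line(line):
    """Return a record dict, or None for blank and comment lines.

    Split from the left with a limit of 4 so a password containing ':' survives
    intact; an ESSID containing ':' is not handled (assumption of this example)."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    parts = line.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
    digest, ap_mac, sta_mac, essid, password = parts
    if not HEX_RE.match(digest):
        raise ValueError(f"hash field is not hex: {digest!r}")
    return {
        "hash": digest.lower(),
        "bssid": fmt_mac(ap_mac),
        "station": fmt_mac(sta_mac),
        "essid": essid,
        "password": password,
    }


def passphrase_findings(password):
    """Weaknesses worth reporting; an empty list means no finding."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if sum(bool(re.search(p, password)) for p in CHAR_CLASSES) < 2:
        findings.append("single character class")
    if password.isdigit():
        findings.append("all digits (fully enumerable by a short ?d mask)")
    return findings


def audit_potfile(lines, in_scope_bssids):
    """One record per cracked network, tagged with scope and findings.

    Out-of-scope BSSIDs are flagged so the report can exclude networks the
    assessment was not authorised to test."""
    rows = []
    for line in lines:
        rec = parse_potfile_line(line)
        if rec is None:
            continue
        rec["in_scope"] = rec["bssid"] in in_scope_bssids
        rec["findings"] = passphrase_findings(rec["password"])
        rows.append(rec)
    return rows


# Constructed sample potfile: line 1 is from the article, line 2 is made up and
# shows a passphrase that itself contains colons.
SAMPLE_POTFILE = """\
# constructed sample potfile
31ff89ae5dbb24c68a6cf3194b144054:80ad16a7a93e:9078b2c1cec3:waittt:patanahi
00112233445566778899aabbccddeeff:001122334455:66778899aabb:Lab-Guest:correct:horse:battery
"""
IN_SCOPE = {"80:AD:16:A7:A9:3E"}  # constructed scope list for the sample

if __name__ == "__main__":
    for row in audit_potfile(SAMPLE_POTFILE.splitlines(), IN_SCOPE):
        scope = "in scope" if row["in_scope"] else "OUT OF SCOPE"
        # the plaintext passphrase itself is deliberately not printed in the report
        print(f"{row['essid']:12} {row['bssid']}  {scope:12} length={len(row['password'])}  "
              f"findings={row['findings'] or 'none'}")
```

The report prints the passphrase length and findings but not the passphrase itself; a cracked PSK belongs in the evidence store with restricted access, not in a document that gets circulated.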

• Brute-Force Attack

The brute-force attack is distinct from the dictionary attack. Here, we are attempting
to substitute any character in a specified length from a given charset at any possible
location. For example, we can try every character from A-Z on every position in a
string of length 8. This is how brute force operates, and it is very time-consuming.

To start your first brute-forcing attempt, launch the following command:

$ hashcat -m 2500 -a 3 hashfile.hccapx ?d?d?d?d?d?d?d?d

• -a: specifies the cracking mode, and here the value 3 indicates we are running a
brute-force attack.

• ?d?d?d?d?d?d?d?d: is the brute-forcing rule (mask) here. It specifies what kind of
values to check and where to place them, and it also determines how much time it
could take to crack the key.

The above mask, i.e. “?d?d?d?d?d?d?d?d”, says to check a string of length 8 with a
digit at every position. You can study mask attacks here: Hashcat Mask Attack.
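The time a mask attack needs follows directly from the keyspace the mask describes, so here is an added example (not from the article or from hashcat) that computes that keyspace for hashcat’s built-in charsets and converts it into a worst-case runtime at a given guessing rate. Read from the defender’s side, it is the arithmetic behind a passphrase policy: it sets the 8-digit mask above against longer, mixed-charset passphrases. The candidate rate in the demo is an assumed placeholder, not a measured GPU figure.

```python
# Added example (not from the article or from hashcat): keyspace of a hashcat
# mask and the resulting worst-case brute-force time, used to reason about
# passphrase policy (e.g. why an 8-digit WPA2 passphrase is not enough).

BUILTIN_CHARSETS = {
    "l": 26,   # ?l  abcdefghijklmnopqrstuvwxyz
    "u": 26,   # ?u  ABCDEFGHIJKLMNOPQRSTUVWXYZ
    "d": 10,   # ?d  0123456789
    "h": 16,   # ?h  0123456789abcdef
    "H": 16,   # ?H  0123456789ABCDEF
    "s": 33,   # ?s  space plus the 32 printable ASCII punctuation characters
    "a": 95,   # ?a  ?l?u?d?s
    "b": 256,  # ?b  all byte values 0x00-0xff
}


def mask_keyspace(mask, custom=None):
    """Number of candidates described by a hashcat mask.

    ?1..?4 refer to custom charsets; pass their sizes in `custom`, e.g. {"1": 36}.
    A literal question mark is written '??'. Any other character is a literal."""
    custom = custom or {}
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1                       # literal character: exactly one possibility
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        spec = mask[i + 1]
        if spec == "?":
            size = 1                     # escaped literal '?'
        elif spec in BUILTIN_CHARSETS:
            size = BUILTIN_CHARSETS[spec]
        elif spec in custom:
            size = custom[spec]
        else:
            raise ValueError(f"unknown or undefined charset ?{spec}")
        total *= size
        i += 2
    return total


def worst_case_seconds(mask, candidates_per_second, custom=None):
    """Time to exhaust the whole mask at a given guessing rate."""
    return mask_keyspace(mask, custom) / candidates_per_second


def human_duration(seconds):
    """Render seconds in the largest sensible unit for a policy discussion."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    ASSUMED_RATE = 100_000   # candidates/s: placeholder value, not a measured GPU figure
    for mask in ("?d?d?d?d?d?d?d?d", "?l?l?l?l?l?l?l?l", "?a" * 12):
        space = mask_keyspace(mask)
        print(f"{mask:26} keyspace {space:.3e}  worst case "
              f"{human_duration(worst_case_seconds(mask, ASSUMED_RATE))}")
```

The 8-digit mask covers only 10^8 candidates, which is why all-numeric default PSKs fall quickly, whereas twelve characters drawn from all 95 printable ASCII symbols give about 5.4 × 10^23. A long random passphrase, or WPA3-SAE where the hardware supports it, is the policy answer to the attack this section describes.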

Contribution

Much of the information presented here was gleaned from Lewis Encarnacion’s awesome
tutorial, https://www.yeahhub.com/crack-wpawpa2-psk-using-aircrack-ng-and-hashcat-2017/,
and https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2. Thanks also to the awesome
authors and maintainers who work on Aircrack-ng and Hashcat.
