Complete Wi-Fi Hacking Handbook

nuclei_av
8 min read · Oct 1, 2023


Introduction

WLAN means wireless LAN, i.e. a Wi-Fi network.

Reference (WiFi Pentesting) — https://github.com/ricardojoserf/wifi-pentesting-guide

First convert wlan0 (managed mode) to wlan0mon (monitor mode) using the commands below.

In order to go back to managed mode:

Looking for Wi-Fi Networks

Look for networks and their packets using airodump-ng.

The command above lists the BSSID (the access point's MAC address) of each network. Press CTRL + C and note the BSSID of a private Wi-Fi network (such as the OnePlus hotspot). Copy it, as it will be needed when capturing the EAPOL (4-way) handshake.

Capturing 4 Way Handshake

Now open two terminals. In the first one, run the command while saving the capture to a ".cap" file (below, the file prefix is hack1). It uses the wireless interface to watch for connecting stations and shows their MAC addresses. Notice that no channel (i.e. -c) is specified: this is done so that the channel used by the AP (access point) can be learned from the second terminal.

Simultaneously, in the second terminal, run the aireplay command to deauthenticate clients. Its output also shows which channel the AP uses.

Add that channel to the command in the first terminal as shown. The first terminal then captures the WPA handshake (precisely, its four messages).

Now, in the current directory (here the root user's home directory), run 'ls' to find the hack1-01.cap file. Open it using the command below.
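The deauthentication step above works because, without 802.11w (Protected Management Frames), deauth and disassociation frames are not authenticated, so a client accepts one that merely claims to come from its AP. The detector below is an added example for the defender's side, not code from the original post: it parses raw 802.11 management frames from a monitor-mode capture (radiotap header included) and raises an alert when a burst of deauth/disassoc frames from one sender arrives within a short window. The capture, the MAC addresses and the radiotap header are constructed here for the example; the window and threshold values are assumptions to tune per environment.

```python
"""Detect deauthentication / disassociation floods in an 802.11 capture.

Added example (not the post's code). Frames are parsed by hand with struct
so the script runs offline; the sample capture below is constructed.
"""
import struct
from collections import defaultdict

MGMT_HDR = struct.Struct("<HH6s6s6sH")  # frame control, duration, addr1, addr2, addr3, sequence control
DEAUTH, DISASSOC = 12, 10              # management frame subtypes
BROADCAST = b"\xff" * 6


def strip_radiotap(frame):
    """Drop the radiotap header that monitor-mode captures prepend; its length sits at bytes 2-3 (little-endian)."""
    return frame[struct.unpack_from("<H", frame, 2)[0]:]


def parse_mgmt(frame):
    """Parse the 802.11 header of a management frame (radiotap already removed)."""
    fc, _dur, addr1, addr2, addr3, _seq = MGMT_HDR.unpack_from(frame, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    reason = None
    if ftype == 0 and subtype in (DEAUTH, DISASSOC) and len(frame) >= MGMT_HDR.size + 2:
        reason = struct.unpack_from("<H", frame, MGMT_HDR.size)[0]  # reason code follows the header
    return {"type": ftype, "subtype": subtype, "dst": addr1, "src": addr2, "bssid": addr3, "reason": reason}


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def fmt(raw):
    return ":".join(f"{b:02x}" for b in raw)


def detect_deauth_flood(capture, window=1.0, threshold=5):
    """capture: iterable of (timestamp_seconds, frame_with_radiotap).

    Alerts once per (sender, receiver) pair as soon as `threshold` deauth or
    disassoc frames from that pair fall inside `window` seconds.
    """
    recent = defaultdict(list)
    alerted = set()
    alerts = []
    for ts, raw in capture:
        p = parse_mgmt(strip_radiotap(raw))
        if p["type"] != 0 or p["subtype"] not in (DEAUTH, DISASSOC):
            continue
        key = (p["src"], p["dst"])
        times = [t for t in recent[key] if ts - t <= window] + [ts]  # sliding window
        recent[key] = times
        if len(times) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": fmt(p["src"]), "dst": fmt(p["dst"]),
                           "broadcast": p["dst"] == BROADCAST,
                           "count": len(times), "reason": p["reason"]})
    return alerts


# --- constructed sample capture -------------------------------------------
RADIOTAP = bytes.fromhex("0000080000000000")  # minimal 8-byte radiotap header (constructed)
AP = mac("02:00:00:00:00:01")                  # constructed lab AP address
STA = mac("02:00:00:00:00:aa")                 # constructed client address


def build_deauth(dst, src, bssid, seq, reason, subtype=DEAUTH):
    fc = subtype << 4  # type 0 (management) in bits 2-3, subtype in bits 4-7
    return RADIOTAP + MGMT_HDR.pack(fc, 0, dst, src, bssid, seq << 4) + struct.pack("<H", reason)


# one genuine deauth: the client leaves the network (reason 3) ...
SAMPLE_CAPTURE = [(0.0, build_deauth(AP, STA, AP, 1, 3))]
# ... then eight deauths "from the AP" to broadcast (reason 7) inside 0.4 s
SAMPLE_CAPTURE += [(10.0 + i * 0.05, build_deauth(BROADCAST, AP, AP, 100 + i, 7)) for i in range(8)]

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_CAPTURE):
        print("deauth flood:", alert)
```

The single legitimate deauth never trips the detector; the burst does, and the `broadcast` flag is the tell-tale sign of a spoofed flood, since a real AP rarely deauthenticates every client at once. The mitigation is 802.11w/PMF on both the AP and the clients, which makes these frames carry a MIC and forces a receiver to discard forged ones.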

In wireshark set filter to “eapol” (for getting handshakes).

As mentioned above, four messages are captured between the device joining the Wi-Fi network and the access point itself. Here the phone's MAC address was 66:9a: (and so on) and the Wi-Fi AP's MAC address was ea:75: (and so on).

Message 1 of 4 description -

Message 2 of 4 description -

Message 3 of 4 description -

Message 4 of 4 description -
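The four EAPOL-Key messages that the "eapol" filter shows can be told apart from their Key Information flags: message 1 (AP to station) carries the ANonce and has only the ACK bit set; message 2 (station to AP) carries the SNonce and the station's RSN element and has the MIC bit set; message 3 (AP to station) repeats the ANonce, delivers the encrypted GTK and sets ACK, MIC, Install and Secure; message 4 is the station's confirmation with MIC and Secure set and no key data. The script below is an added example and not part of the original post; it parses EAPOL-Key frames with the standard layout from IEEE 802.11, classifies each one, and checks that a captured handshake is complete and internally consistent (paired replay counters, ANonce repeated in message 3). The four sample frames are constructed for the example, with zeroed MICs and a dummy GTK payload.

```python
"""Classify and sanity-check the EAPOL-Key messages of a WPA2 4-way handshake.

Added example (not the post's code). Sample frames are constructed below.
"""
import struct

# Key Information flag bits (IEEE 802.11 EAPOL-Key frame)
KEY_TYPE_PAIRWISE = 1 << 3
KEY_INSTALL = 1 << 6
KEY_ACK = 1 << 7
KEY_MIC = 1 << 8
KEY_SECURE = 1 << 9
KEY_ENCRYPTED = 1 << 12

EAPOL_KEY = 3        # EAPOL packet type "EAPOL-Key"
RSN_DESCRIPTOR = 2   # descriptor type used by WPA2/RSN
VERSION_AES = 2      # descriptor version: HMAC-SHA1-128 MIC, AES key wrap
EAPOL_HDR = struct.Struct("!BBH")                 # version, type, body length
# descriptor type, key info, key length, replay counter, nonce, IV, RSC,
# reserved ID, MIC, key data length (95 bytes), then key data
KEY_FIXED = struct.Struct("!BHHQ32s16s8s8s16sH")


def parse_eapol_key(frame):
    """Return the fields of one EAPOL-Key frame as a dict."""
    _version, ptype, length = EAPOL_HDR.unpack_from(frame, 0)
    if ptype != EAPOL_KEY:
        raise ValueError("not an EAPOL-Key frame")
    body = frame[EAPOL_HDR.size:EAPOL_HDR.size + length]
    (desc, key_info, key_len, replay, nonce, _iv, _rsc, _id, mic, kd_len) = KEY_FIXED.unpack_from(body, 0)
    return {"descriptor": desc, "key_info": key_info, "key_len": key_len, "replay": replay,
            "nonce": nonce, "mic": mic, "key_data": body[KEY_FIXED.size:KEY_FIXED.size + kd_len]}


def classify(info):
    """Return 1..4 for the handshake message number, 0 for group-key or unknown frames."""
    ki = info["key_info"]
    if not ki & KEY_TYPE_PAIRWISE:
        return 0  # group key handshake, not part of the 4-way exchange
    ack, mic, secure = ki & KEY_ACK, ki & KEY_MIC, ki & KEY_SECURE
    if ack and not mic:
        return 1
    if ack and mic:
        return 3
    if mic and not ack:
        # message 2 carries the station's RSN element; message 4 carries no key data
        return 4 if secure or not info["key_data"] else 2
    return 0


def summarize(frames):
    """Which messages are present, and do their replay counters and nonces fit together?"""
    seen = {}
    for frame in frames:
        info = parse_eapol_key(frame)
        number = classify(info)
        if number:
            seen[number] = info
    complete = all(n in seen for n in (1, 2, 3, 4))
    consistent = complete and (
        seen[2]["replay"] == seen[1]["replay"]       # M2 answers M1
        and seen[4]["replay"] == seen[3]["replay"]   # M4 answers M3
        and seen[3]["replay"] > seen[1]["replay"]    # counter increments between the pairs
        and seen[3]["nonce"] == seen[1]["nonce"])    # M3 repeats the ANonce
    return {"messages": sorted(seen), "complete": complete, "consistent": consistent}


# --- constructed sample handshake -----------------------------------------
def build_frame(key_info, nonce, replay, key_data=b""):
    body = KEY_FIXED.pack(RSN_DESCRIPTOR, key_info, 16, replay, nonce,
                          b"\x00" * 16, b"\x00" * 8, b"\x00" * 8, b"\x00" * 16, len(key_data)) + key_data
    return EAPOL_HDR.pack(2, EAPOL_KEY, len(body)) + body


ANONCE = bytes(range(32))        # constructed nonces
SNONCE = bytes(range(32, 64))
# RSN element as a station would echo it in message 2: CCMP group/pairwise cipher, PSK AKM
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
SAMPLE_FRAMES = [
    build_frame(VERSION_AES | KEY_TYPE_PAIRWISE | KEY_ACK, ANONCE, 1),
    build_frame(VERSION_AES | KEY_TYPE_PAIRWISE | KEY_MIC, SNONCE, 1, RSN_IE),
    build_frame(VERSION_AES | KEY_TYPE_PAIRWISE | KEY_INSTALL | KEY_ACK | KEY_MIC | KEY_SECURE | KEY_ENCRYPTED,
                ANONCE, 2, b"\x11" * 24),  # dummy wrapped-GTK payload
    build_frame(VERSION_AES | KEY_TYPE_PAIRWISE | KEY_MIC | KEY_SECURE, SNONCE, 2),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print("message", classify(parse_eapol_key(frame)), "of 4")
    print(summarize(SAMPLE_FRAMES))
```

The consistency check matters when reviewing a capture: a client that reconnects several times while airodump is running produces interleaved handshakes, and only messages whose replay counters pair up belong to the same exchange.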

Cracking WiFi Password

(1) aircrack-ng

We need to crack the WPA key data captured in the handshake.

Since all the "hack1-01" files are owned by the "root" user, we need to move them to /home/kali.

We can find the Wi-Fi password with the command below. If the password is in the wordlist (rockyou.txt) it will be cracked; otherwise it will not.

(2) Fern WiFi cracker

We can also use a tool named Fern WiFi Cracker. Fern works for the LNMIIT Wi-Fi as well (it just needs a better wordlist to obtain the password via a brute-force/dictionary attack).

https://www.wireshark.org/tools/wpa-psk.html can be used to compute the PSK from a passphrase and SSID.

(3) Wifite and Hashcat

Use Wifite to crack the password with the command below. Then, when asked to select a target, choose one of the identified networks.

Now convert the '.cap' file to '.hccapx' with cap2hccapx from hashcat-utils.

Hashcat Wiki — https://hashcat.net/wiki/

Run hashcat on Windows with the command provided.

(4) Hashcat, hcxdumptool and hcxpcapngtool

Run the following commands in the terminal, in this sequence.

  1. sudo systemctl stop NetworkManager.service
  2. sudo systemctl stop wpa_supplicant.service
  3. sudo hcxdumptool -i wlan0 --nmea_pcapng dumpfile.pcapng
  4. sudo systemctl start wpa_supplicant.service
  5. sudo systemctl start NetworkManager.service
  6. hcxpcapngtool -o hash.hc22000 -E essidlist dumpfile.pcapng
  7. hashcat -m 22000 hash.hc22000 wordlist.txt

(Here wordlist.txt can be any wordlist.)

In practice this creates a file named '2023…(some digits)….-wlan0.pcapng' instead of dumpfile.pcapng, so we use the cat command shown below to copy it to that name.

After this, copy dumpfile.pcapng to Windows (drag and drop) and run the command below there instead of in Kali, since Kali in a VM doesn't have the processing power/memory to run it. Since Windows has access to the GPU, execute the following command in the Command Prompt.

Evil-Twin Attack using Airgeddon

This section explores Evil Twin attacks and how to defend against them, using the tool Airgeddon. Follow these step-by-step instructions to understand the attack and strengthen your defenses against it. To carry out the attack against a Wi-Fi network with a connected client, the attacker requires a Wi-Fi card with a VIA-supported chipset, because the attack requires injecting packets into the network.

To start, run the following command:

Now select an interface (usually wlan0). Change the mode to Monitor Mode. After that, select the attack you wish to perform; here we choose the Evil Twin attack.

Now select option 9.

It starts scanning for Wi-Fi networks.

Now configure the captive portal: set up a captive portal for the Evil Twin network, which is what captures login credentials from unsuspecting users.

Now choose a target.

Start the attack: Airgeddon will configure the Evil Twin attack and begin broadcasting the malicious network. Wait for unsuspecting users to connect.

The attack is now running; wait a few minutes for a client to enter credentials.

In our simulated attack scenario, we launched a deauthentication attack against the original Wi-Fi network, knocking its clients offline. As a result, the client devices lost their connection to the legitimate network and were unable to reconnect. Seizing this opportunity, we quickly set up a rogue access point with the same network name as the original, capitalizing on the client's trust in the familiar SSID. The client, assuming it was the legitimate network, attempted to connect and was prompted to enter the Wi-Fi password. Unaware of the ongoing attack and trusting the network's authenticity, the user entered the correct password, believing they were logging back into the genuine Wi-Fi network. Unbeknownst to them, the password was captured by our rogue access point, giving us their credentials and potentially compromising their security. This scenario underscores the importance of remaining vigilant and cautious when connecting to Wi-Fi networks, especially in public or unfamiliar environments.
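What the client in the scenario above could not see, a wireless IDS can: the rogue AP beacons the familiar SSID from a BSSID the organisation does not own, and a captive-portal twin usually beacons it as an open network while the real one advertises WPA2 (an RSN element). The script below is an added example, not Airgeddon's code or the post's: it parses beacon frames (SSID, DS-parameter channel, RSN/WPA elements, privacy bit) and compares every beacon against an inventory of known BSSIDs and the expected security type. The beacons and the inventory are constructed for the example; the MAC addresses are locally administered placeholders.

```python
"""Flag Evil-Twin access points from beacon frames.

Added example (not the post's code). Sample beacons are constructed below;
they omit the radiotap header so that parse_beacon() takes a bare 802.11 frame.
"""
import struct

MGMT_HDR = struct.Struct("<HH6s6s6sH")  # frame control, duration, addr1, addr2, addr3, sequence control
BEACON_FIXED = struct.Struct("<QHH")    # timestamp, beacon interval, capability
CAP_PRIVACY = 1 << 4                    # capability bit: encryption in use
IE_SSID, IE_DS_PARAM, IE_RSN, IE_VENDOR = 0, 3, 48, 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")  # vendor element marking legacy WPA


def fmt(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(data):
    """Split the tagged parameters of a beacon into (element id, body) pairs."""
    ies, i = [], 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        ies.append((eid, data[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def parse_beacon(frame):
    fc, _dur, _dst, _src, bssid, _seq = MGMT_HDR.unpack_from(frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    _ts, _interval, cap = BEACON_FIXED.unpack_from(frame, MGMT_HDR.size)
    ssid, channel = "", None
    security = "WEP" if cap & CAP_PRIVACY else "OPEN"  # refined below if RSN/WPA elements exist
    for eid, body in parse_ies(frame[MGMT_HDR.size + BEACON_FIXED.size:]):
        if eid == IE_SSID:
            ssid = body.decode("utf-8", "replace")
        elif eid == IE_DS_PARAM and body:
            channel = body[0]
        elif eid == IE_RSN:
            security = "WPA2"
        elif eid == IE_VENDOR and body[:4] == WPA_OUI_TYPE and security != "WPA2":
            security = "WPA"
    return {"ssid": ssid, "bssid": fmt(bssid), "channel": channel, "security": security}


def find_evil_twins(beacons, inventory):
    """inventory: {ssid: {"bssids": set of known BSSIDs, "security": expected type}}.

    Returns one finding per unknown BSSID that advertises a managed SSID.
    """
    findings = {}
    for raw in beacons:
        b = parse_beacon(raw)
        known = inventory.get(b["ssid"])
        if known is None or b["bssid"] in known["bssids"]:
            continue  # SSID not ours, or an AP we manage
        reasons = ["BSSID not in inventory"]
        if b["security"] != known["security"]:
            reasons.append(f"security {b['security']} differs from expected {known['security']}")
        findings[b["bssid"]] = {**b, "reasons": reasons}
    return list(findings.values())


# --- constructed sample beacons -------------------------------------------
def ie(eid, body):
    return bytes([eid, len(body)]) + body


RSN_IE = ie(IE_RSN, bytes.fromhex("0100000fac040100000fac040100000fac020000"))  # CCMP, PSK


def build_beacon(ssid, bssid, channel, rsn=True):
    cap = 0x0001 | (CAP_PRIVACY if rsn else 0)  # ESS bit, plus privacy when encrypted
    body = BEACON_FIXED.pack(0, 100, cap) + ie(IE_SSID, ssid.encode()) + ie(IE_DS_PARAM, bytes([channel]))
    if rsn:
        body += RSN_IE
    mac = bytes.fromhex(bssid.replace(":", ""))
    return MGMT_HDR.pack(8 << 4, 0, b"\xff" * 6, mac, mac, 0) + body


INVENTORY = {"LabWiFi": {"bssids": {"02:00:00:00:00:01", "02:00:00:00:00:02"}, "security": "WPA2"}}
SAMPLE_BEACONS = [
    build_beacon("LabWiFi", "02:00:00:00:00:01", 6),            # managed AP
    build_beacon("LabWiFi", "02:00:00:00:00:02", 11),           # second managed AP
    build_beacon("LabWiFi", "02:00:00:00:00:ff", 6, rsn=False),  # open twin on the same channel
    build_beacon("Neighbour", "02:00:00:00:00:77", 1),          # unrelated network, ignored
]

if __name__ == "__main__":
    for finding in find_evil_twins(SAMPLE_BEACONS, INVENTORY):
        print(finding)
```

An attacker can clone the BSSID as well as the SSID, so the allowlist is a first filter rather than proof of legitimacy; a fuller check also fingerprints the beacon interval, vendor elements and signal strength of each BSSID over time. On the client side the durable fix is that a WPA2 network never asks for its passphrase in a web page, and enterprise networks should pin the RADIUS server certificate so a twin cannot harvest credentials at all.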

Packet Injections

Packets can be injected through the Wi-Fi adapter with aireplay-ng commands. The basic commands are shown below.

NOTE: Though at times I have used wlan0mon, it's advisable to use wlan0 when using aireplay-ng.

To test injection against a specific Wi-Fi network, the command below is used. Here the MAC address is masked (*****) and the interface is wlan0mon, since it is in monitor mode.

Sometimes the error below appears because the adapter and the AP are on different channels.

In such cases, use the following command. Here wlan0 is used even if the interface is in monitor or any other mode.

Now the channel mismatch is resolved and injection testing works.

Hence the injection test is successful.

Reference 1 — https://www.aircrack-ng.org/doku.php?id=injection_test

Reference 2 — https://www.aircrack-ng.org/doku.php?id=Main

Bypassing WPA2 (Requires 5GHz)

Reference 1 — https://www.krackattacks.com/

Scripts — https://github.com/vanhoefm/krackattacks-scripts

Demo Video — KRACK Attacks: Bypassing WPA2 against Android and Linux


nuclei_av

I am a 21 year old Cybersecurity Enthusiast and Hacker. Love exploring technology and playing with it. GitHub : https://github.com/NucleiAv