TryHackMe: Wifi Hacking 101 — Detailed step-by-step walk-through

Cindy (Shunxian) Ou
6 min read · Sep 18, 2023

Link to the THM room: https://tryhackme.com/room/wifihacking101

Task 1: The basics — An Intro to WPA

Answer the questions below

Remember, when in doubt, Google and ChatGPT are your best friends.

What type of attack on the encryption can you perform on WPA(2) personal?

brute force

Hints: Most home WiFi networks use WPA(2) personal. WPA2-EAP uses RADIUS servers to authenticate, so if you have to enter a username and password in order to connect then it’s probably that. Attackers can use various password cracking tools to brute force their way in.

Can this method be used to attack WPA2-EAP handshakes? (Yea/Nay)

Nay

Hints: It is not feasible to attack WPA2-EAP handshakes using brute force in a practical manner. WPA2-EAP is a more secure authentication method compared to the standard WPA2-PSK (Pre-Shared Key) for securing Wi-Fi networks for various reasons:

  • It is designed to accept authentication methods other than username/password including digital certificates or token-based authentication.
  • It uses a more complex process for key derivation, which involves secure exchanges between the client and the authentication server.
  • It has built-in security mechanisms to protect against brute force attacks. After a certain number of failed authentication attempts, the authentication server may lock the account out or delay further attempts, making brute force even more impractical.
  • The space of possible authentication credentials in WPA2-EAP is typically much larger than a simple passphrase.

What three letter abbreviation is the technical term for the “wifi code/password/passphrase”?

PSK

Hints: “PSK” stands for “Pre-Shared Key.” The PSK is the secret key or passphrase used to authenticate and secure access to a Wi-Fi network in WPA/WPA2-PSK (Wi-Fi Protected Access — Pre-Shared Key) security modes.

What’s the minimum length of a WPA2 Personal password?

8

Hints: The minimum length of a WPA2 Personal (WPA2-PSK) password is typically 8 characters. However, it is generally recommended to use a longer and more complex passphrase for better security. Longer and more complex passphrases are more resistant to brute-force attacks and dictionary attacks. Many security experts recommend using passphrases that are at least 12–16 characters long and include a mix of uppercase letters, lowercase letters, numbers, and special characters for stronger security.

Task 2: You’re being watched — Capturing packets to attack

Answer the questions below

First things first, our protagonist in this room is Aircrack-ng. It is a popular suite of wireless network security tools used for assessing the security of Wi-Fi networks. It includes various tools for tasks such as capturing network traffic, analyzing captured data, and attempting to crack WEP and WPA/WPA2-PSK encryption keys. These tools are commonly used by security professionals and researchers to test the security of wireless networks and identify vulnerabilities.

This task is more of a theoretical exercise, as opposed to a practical lab. For the most part, you should be able to answer all of the questions by referring to aircrack-ng --help or https://www.aircrack-ng.org/doku.php?id=airmon-ng. Have fun stretching your brain a little bit :)

How do you put the interface “wlan0” into monitor mode with Aircrack tools? (Full command)

airmon-ng start wlan0

What is the new interface name likely to be after you enable monitor mode?

wlan0mon

What do you do if other processes are currently trying to use that network adapter?

airmon-ng check kill

What tool from the aircrack-ng suite is used to create a capture?

airodump-ng

In the Aircrack-ng suite, the tool used to capture wireless network traffic is called “airodump-ng.” Airodump-ng is a versatile command-line tool that allows you to monitor and capture Wi-Fi traffic from nearby networks. It provides information about available wireless networks, their BSSIDs (Basic Service Set Identifiers), signal strength, and more. You can use airodump-ng to capture data packets and save them to a file, which can later be used for various purposes, including cracking Wi-Fi passwords.

How would I know all these? I just asked ChatGPT… Hey no judgements, please. All roads lead to Rome anyways.

What flag do you use to set the BSSID to monitor?

--bssid

And to set the channel?

--channel

And how do you tell it to capture packets to a file?

-w

Task 3: Aircrack-ng — Let’s Get Cracking

Answer the questions below

I know you’re probably ready to roll up your sleeves and jump right in with some practices. You won’t be disappointed with this task. At least I enjoyed it.

What flag do we use to specify a BSSID to attack?

-b

What flag do we use to specify a wordlist?

-w

How do we create a HCCAPX in order to use hashcat to crack the password?

-j

Using the rockyou wordlist, crack the password in the attached capture. What’s the password?

greeneggsandham

This is going to take a few steps in order for you to get the password. Don’t worry. I am going to break it down for you.

Step 1: Download the project file.

Step 2: Decompress the project file, as it is a compressed archive. You can ask ChatGPT for the correct command to unzip the file.

Step 3: Create a .hccapx file so that we can crack the password using aircrack-ng or hashcat. If you look carefully at the output below, you can also find additional useful information such as the BSSID (02:1A:11:FF:D9:BD) or the ESSID (James Honor 8). Trust me, it is going to come in handy real soon.

Step 4: Use aircrack-ng to crack the password contained in the .hccapx file we just created (the filename is wifi.hccapx). Remember to also have the rockyou.txt wordlist as well as the BSSID or ESSID (either one is fine) handy.
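As an added example (my own code, not part of the room or this walkthrough), the Python below shows what aircrack-ng or hashcat has to compute for every rockyou.txt candidate, and why Step 4 wants the ESSID: WPA2-Personal derives the PMK with PBKDF2-HMAC-SHA1 using the SSID as the salt, 4096 rounds per guess. It also applies the 8-character minimum from Task 1 and a rough brute-force cost model; the CPU and GPU guess rates are assumptions for illustration, not benchmarks.

```python
import hashlib
import math
import string

# WPA2-Personal (802.11i) passphrase rules: 8 to 63 printable ASCII characters.
PSK_MIN_LEN, PSK_MAX_LEN = 8, 63
PBKDF2_ITERATIONS = 4096          # fixed by the standard, paid once per candidate guess
# Assumed guess rates (PMK derivations per second), for illustration only, not benchmarks.
ASSUMED_CPU_RATE = 2_000.0        # a few CPU cores
ASSUMED_GPU_RATE = 1_000_000.0    # a single high-end GPU


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, which is why the ESSID (or the BSSID that identifies
    it) must accompany the capture, and why a table precomputed for one
    network name is useless against another."""
    if not PSK_MIN_LEN <= len(passphrase) <= PSK_MAX_LEN:
        raise ValueError("WPA2-Personal passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, 32)


def passphrase_cost(passphrase: str) -> dict:
    """Brute-force cost model for a passphrase drawn *randomly* from the character
    classes it uses. A dictionary word is far weaker than this says: a wordlist
    hit costs only as many guesses as the word's position in the list."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
               string.punctuation, " ")           # together: all 95 printable ASCII
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in passphrase))
    if alphabet == 0:
        raise ValueError("passphrase has no printable ASCII characters")
    expected_guesses = alphabet ** len(passphrase) / 2   # half the space on average
    year = 365 * 24 * 3600
    return {
        "length": len(passphrase),
        "alphabet": alphabet,
        "entropy_bits": len(passphrase) * math.log2(alphabet),
        "cpu_years": expected_guesses / ASSUMED_CPU_RATE / year,
        "gpu_years": expected_guesses / ASSUMED_GPU_RATE / year,
    }


if __name__ == "__main__":
    # Inputs taken from this room's Task 3: ESSID "James Honor 8", PSK "greeneggsandham".
    print("PMK:", derive_pmk("greeneggsandham", "James Honor 8").hex())
    print(passphrase_cost("greeneggsandham"))   # 15 lowercase letters, ~70.5 bits if random
```

The cost model flatters the room's password: 70 bits looks strong, yet "greeneggsandham" falls to rockyou.txt in seconds because it is a phrase, which is the real reason length alone is not a defense.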

When you are confused about a command, it’s always a good idea to look things up in ChatGPT. It’s going to break it down for you flag by flag.

Where is password cracking likely to be fastest, CPU or GPU?

GPU

Ha, I know. ChatGPT has definitely elevated to be my best friend who I literally talk to on a daily basis, sometimes for hours.

Hey, you made it to the end of the room! Hope you had as much fun as I did. See you soon in another THM room. XOXO ~

Cindy (Shunxian) Ou

Passionate about breaking into the field of cybersecurity to proactively defend our vital IT infrastructure