Objective
Test the security of your WiFi password by attacking it
Distributions
This will work with any Linux distribution, but it’s recommended that you use Kali.
Requirements
A working Linux distribution with a WiFi adapter and root privileges.
Difficulty
Easy
Conventions
- # – requires given linux commands to be executed with root privileges either directly as a root user or by use of
sudocommand - $ – requires given linux commands to be executed as a regular non-privileged user
Introduction
Most people have terrible passwords, and WiFi is no exception. Your WiFi password is your primary line of defense against unwanted access to your network. That access can result in a whole host of other nasty things because an attacker can monitor the traffic on your network and even gain direct access to your computers.
The best way to prevent such an intrusion is to use the same tools an attacker would to test the security of your WiFi password.
Install Aircrack-ng
This guide is going to use the Aircrack suite of tools. They’re already installed on Kali, so you won’t have to do anything. If you’re on another distro, they’re in your repositories.
$ sudo apt install aircrack-ng
Scan For Your Network
First, find out what the name of your wireless interface is with ip a. Once you have it, you can use airmon-ng to create a virtual monitoring interface on it.
$ sudo airmon-ng start wlan0
The result of the command will give you the name of the new virtual interface. It tends to be mon0.
Dump the results of the monitor into a terminal, so you can see them.
$ sudo airodump-ng mon0
You can see a table of data pertaining to wireless networks in your area. You only need information about your own network. Look for it, and note the BSSID and the channel that it’s on.
Dump The Results To A File
Next, you’re going to log the results of a scan to a file. That capture log will be needed by Aircrack to run a brute force attack on the network later. To get your capture, you’re going to run the same command as before, but you’ll specify your BSSID, channel, and the log location.
$ sudo airodump-ng -c 1 --bssid XX:XX:XX:XX:XX:XX -w Documents/logs/wpa-crack mon0
Fill in your actual information before running the command, and leave it running.
Disconnect A Client
Open a new terminal. You’re going to use this one to disconnect one of the clients on your network. Take a look at the lower table in your other window running airodump-ng. It contains the BSSID of your network along with the BSSIDs of the clients. Pick one, and use the following linux command with that information.
$ sudo aireplay-ng -0 0 -c CLIENT BSSID -a NETWORK BSSID mon0
You may need to add the --ignore-negative-one flag to the command.
That command will run indefinitely, continuously disconnecting that client. In the first line of the airodump-ng window, look for a message concerning a handshake to appear at the end of the line. It’ll be harder to see if you had to run --ignore-negative-one because a message about that will occupy the same space, causing the handshake message to flash for a second before being overwritten.
After only a couple of minutes, you can safely stop the disconnect requests and the dump. You can stop sooner if you see a handshake message.
Get A Wordlist
Brute force attacks run down a wordlist, testing each possibility. So, in order to carry one out, you’ll need a wordlist to test with. Kali Linux comes with a few already. If you’re on a different distro, you can find some online, but the best way to get them is from Kali. It’s worth loading a live CD or a VM just to pull them off.
On Kali, they’re located in /usr/share/wordlists. The one this guide will cover is rockyou.txt, but you can use any of the ones there.
If you really want to be obsessively thorough, you can use Crunch to create your own wordlists. Beware, they can be absolutely massive.
Attack!
Now that you have your wordlist and your capture, you’re ready to carry out the attack. For this one, you’ll be using the actual aircrack-ng command and passing it the wordlist and the capture.
$ sudo aircrack-ng -w rockyou.txt Documents/logs/wpa-crack-01.cap
It can take a seriously long time to go through this list, so be patient. If you have a more powerful desktop, there’s nothing wrong with installing Aircrack on it, and transferring both files there.
When Aircrack finished, it’ll let you know if it found the password or not. If it did, it’s time to change your password.
Closing Thoughts
Remember this process should only ever be used to test your own security. Using it on someone else’s network is illegal.
Always use strong passphrases with as many characters as possible and include special characters and numbers. Avoid common dictionary words if possible.