Cracking Wi-FI passwords is one of the most common and fascinating things that hackers do in sci-fi movies or tv series. Despite hackers are not that
guys committed to do malicious things with their knowledge (have a look at the preface of The Art of Exploitation
for a discussion about the birth of the term hacker), let me use this term for simplicity. If you think to TV series like Mr Robot, or Person of Interest, or videogames like Watch Dogs (all descendants of Orwell's 1984 in some way), there is always a moment in which the main character breaches into the target network, probably to get some very confidential information used to save the world from the plans of a very bad corporation. In this tutorial, I will show you how to use the built-in tools of Linux to write a script that may perform dictionary or
brute-force attacks against wireless access points to guess the right passphrase. Although more advanced methods exist,
this approach has the advantages of being simple and to be able to discover weak and default passwords.
The Linux utility that we are going to use to perform our wireless attacks is wpa_supplicant. wpa_supplicant is a cross-platform supplicant with support for WEP, WPA and WPA2 (IEEE 802.11i). It is suitable for desktops, laptops and embedded systems. It is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wireless driver.
wpa_supplicant supports a lot of authentication protocols but we'll try to abuse it in order to crack WPA/WPA2 wireless access points using
PSK(Pre Shared Key) mode. These are the kind of Wi-Fi networks that you find in home environments and also in those enterprise environments
which do not use the more secure WPA-Enterprise mode. In WPA-PSK wireless network there is no Identification of users, since
credentials are not required. Instead, everyone who has the right password is welcome, and this architectural weakness is the one that we will try to
exploit in order to get access to the network.
So, let's start guessing the password!
1. Create a wpa_supplicant configuration file
The first step is to become familiar with wpa_supplicant: we cannot expect to use it to hack a Wi-Fi network if we are not able to
connect to our own network! So let's power on our raspberry Pi, and create a configuration file with the SSID and the password of our own
wireless network. Assuming that our network is called Home-Network and that our password is h0m3P@ssw0rd, we will need to create
a file named wpa_supplicant.conf (actually you could choose any name you want for the file) with the following content:
2. Connect to the Wi-Fi with wpa_supplicant
Now that you have created your configuration file, it is time to connect to the Wi-Fi from the terminal using the wpa_supplicant utility.
Assuming that you are in the same folder of the wpa_supplicant file and that the wireless interface is names wlan0,
run in your terminal
wpa_supplicant -B -i wlan0 -c wpa_supplicant.conf
Perfect! If everything went as expected, after a few seconds you should be attached to the desired wireless interface.
To check whether you have been successfully connected to the access point, you could for instance run ifconfig
or
ip address
, and look whether you have been assigned an ip address. Since we are assuming that the wireless access point
supports DHCP (the default in home environments and guest enterprise networks), any IP address that we see different from
169.254.X.Y will be probably fine. As an example, this is how the output of the ifconfig command looks like after I
successfully connect to the wireless interface:
3. Automatize the process with wpa_passphrase
So, at this point you should have managed to connect to the desired wireless access point using the wpa_supplicant utility.
This required you to manually create a configuration file that wpa_supplicant could read in order to do the proper setup and connect
to the wi-fi. The cool point is that it exists another utility inside the wpa_supplicant suite, which is called wpa_passphrase,
which allows you to generate the configuration file programmatically. This is a great deal, because it means that I can take the wpa_passphrase utility
and embed it into a script that is able to automatically generate passwords by some means (for instance employing a brute force / dictionary /
hybrid technique), then feed the password to wpa_passphrase to generate the configuration file and finally feed the file to wpa_supplicant to try to connect
to the wi-fi. If we guessed the right password, then ifconfig will show us a valid address and we will understand that we have successfully connected
to the access point, otherwise we will generate another password and try again. This algorithm allows to develop a tool that can automatically audit
the strength of wireless passwords and is the core of WC (Wi-Fi Cracker), a security audit tool used to check the strength of Wi-Fi passwords using a
Raspbrry Pi. The following figure schematically recaps the steps involved in assessing the strength of a WPA/WPA2 wireless access points using PSK mode:
4. Run WC (Wi-Fi Cracker) to audit the crack the Wi-Fi password
All the discussion that we made so far uncovers the main idea behind WC, a simple tool that implements the schema shown in step 3 to crack
wi-fi passwords using dictionary-based attacks. The steps involved in using WC are listed below. You will need to have python3 installed.
1.Download WC: git clone https://github.com/Balzu/WC.git
2.Install python3 if you don't have it: Python3 download link
3.Install inquirer for python3:pip install inquirer
4.Run WC: inside the src folder run python3 cracker.py
5.Inside WC, select a wireless interface among the ones available
6.Inside WC, choose the SSID that you want to crack (the Service Set Identifier is basically the name of the wireless
access point)
7.Inside WC, choose one or more dictionaries that you want to use to to guess the password. You can also add more dictionaries or
create your own, by adding or editing files inside the dictionaries folder
8.Cross your fingers and wait!
A demo of the tool is available below: