Top 4 ways to hack a Wi-Fi network
Learning about ways to pen-test Wi-Fi
There is no one tool to rule them all when it comes to cracking a Wi-Fi network. It all depends on the circumstances at the time, so choosing the right strategy for the situation is what makes success likely. These are some of the most effective strategies when it comes to attacking a Wi-Fi network.
Before You Begin Wi-Fi Password Cracking
Become familiar with the terminology and basic technology of wireless hacking. You will also need to get your hands on a compatible wireless adapter: the Alfa AWUS036H is inexpensive, effective, and works well on Kali Linux. You can also swap out the antenna if you need greater signal strength over distance.
The reason you need the right wireless adapter is that you need to be able to simultaneously inject packets into the access point (AP) and capture packets from the AP. Most wireless cards that come built into laptops are not capable of this.
WEP
Wired Equivalent Privacy (WEP) was the first wireless encryption technology developed. It was quickly found to be flawed and easily cracked. Although you will not find new WEP access points being sold, many legacy WEP APs are still around. WEP can be cracked reliably with the right tool; all you need is the time to collect enough packets. You must be able to inject packets while simultaneously capturing packets, and most off-the-shelf wireless cards are incapable of this.
When we get to scanning for APs, you will be able to identify a WEP-encrypted network.
WPS
Wi-Fi Protected Setup (WPS) makes it simple for the end user to connect to their AP. Most home routers now come with a WPS button on the device. We can crack that WPS PIN without physically touching the router, and with the PIN we can then access the control panel (the router GUI).
This PIN is just eight digits with one being a checksum, leaving seven digits, or 10,000,000 possibilities. A single CPU can usually exhaust those possibilities in a few days. Although this might seem slow, brute-forcing a PSK, which has many times as many possibilities, can take much longer.
If the AP has WPS enabled, this is the preferred method of cracking modern wireless APs over a network using WPA2. You can use either Reaver or Bully in conjunction with Aircrack-ng to break WPS PINs.
WPA2-PSK
After the serious security failures of WEP, the industry developed a new wireless security standard known as Wi-Fi Protected Access 2 (WPA2). This standard is now built into nearly every new wireless AP. Although it is more difficult to hack, it is not impossible.
When a client connects to the AP there is a four-way handshake in which the pre-shared key (PSK) is transferred from the client machine to the AP. We capture the hash of that PSK and then run a dictionary or brute-force attack against it. This can be time-consuming and is not always successful: success depends on the wordlist you use and the time you have to crack it.
Once you have captured the hash of the PSK, you no longer need to be near or connected to the AP. With enough resources, you can brute-force any PSK.
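Why the wordlist and the time budget decide the outcome is easier to see from the key derivation the client and AP both perform. The script below is an added example written for this page, not code from the original post or from Aircrack-ng. It derives the WPA2-Personal Pairwise Master Key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, the SSID as salt, 4096 iterations, 256-bit output), which is the per-guess cost any dictionary attack has to pay, and it shows why the same passphrase yields a different key on every SSID. The policy thresholds and the common-passphrase list are this example's own assumptions, constructed to illustrate the check a defender would run when choosing a PSK.

```python
import hashlib

# PBKDF2 parameters fixed by IEEE 802.11i for WPA/WPA2-Personal.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH_BYTES = 32

# Constructed stand-in for the top of a public wordlist (assumption: a real
# policy check would load a far larger list).
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop", "letmein123"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key both sides compute from the pre-shared
    passphrase and the network name. The PMK never travels over the air; an
    attacker holding a captured handshake must recompute this for every guess."""
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LENGTH_BYTES,
    )


def check_passphrase_policy(passphrase: str, min_length: int = 20) -> list:
    """Return the list of policy violations for a proposed WPA2-PSK passphrase.
    An empty list means it passes. The 20-character minimum is this example's
    assumption; the 8-63 range is the standard's limit for ASCII passphrases."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA2-PSK passphrases must be 8 to 63 ASCII characters")
    elif len(passphrase) < min_length:
        problems.append("shorter than the %d-character minimum" % min_length)
    if passphrase.lower() in COMMON_PASSPHRASES:
        problems.append("appears in the common-passphrase list")
    if passphrase.isdigit():
        problems.append("digits only: at most 10 ** %d candidates" % len(passphrase))
    return problems


def salted_by_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase gives different PMKs on two SSIDs, which
    is why precomputed tables only help against the exact SSID they were built for."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    print(check_passphrase_policy("password"))
    print(check_passphrase_policy("correct horse battery staple 2024"))
    print(salted_by_ssid("password", "IEEE", "ieee"))
```

The 4096 PBKDF2 iterations are what make each guess expensive, so the attacker's throughput is bounded by hardware and the defender's safety margin is bounded by how far the passphrase sits from anything a wordlist contains; length and unpredictability, not special characters, are what move that margin.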
Evil Twin
If we can’t crack the password on the AP, another strategy that can be successful is creating an Evil Twin—an AP with exactly the same SSID as the known AP, but controlled by us. The key is for the target to connect to our AP, rather than the authentic AP.
Generally, computers will automatically connect to the AP with the strongest signal, so turning up the power on your AP can be a critical element of this hack. When the user connects to our AP, we can then capture all their traffic and view it, as well as capture any other credentials they present to other systems.
An effective variation on the Evil Twin is to set up a system with the same SSID and then present the user with a logon portal. Many corporate offices, hotels, coffee shops, etc. employ this type of captive portal. When the user enters their credentials in our fake logon screen, we capture and store them. We can then use those credentials on the authentic AP to gain access.
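The three conditions this page describes (a WEP network visible in a scan, an AP with WPS enabled, and an unknown AP advertising an SSID that the organisation already operates) are all things a defender can pick out of the same scan output. The script below is an added example for this page, not code from the original post or from any scanning tool; it parses a constructed, whitespace-separated scan listing (not real captured data, and not the output format of airodump-ng or any other tool) against an assumed allowlist of the BSSIDs the organisation owns, and reports legacy WEP, enabled WPS, and Evil Twin candidates together with whether the unknown AP is louder than the legitimate one.

```python
from dataclasses import dataclass

# Constructed scan listing (assumption: one AP per line with BSSID, channel,
# signal in dBm, security type, WPS flag and SSID). Not captured from a real network.
SCAN_LINES = """\
00:11:22:33:44:01  6   -41  WPA2  wps=no   CorpNet
00:11:22:33:44:02  11  -55  WPA2  wps=no   CorpNet
aa:bb:cc:dd:ee:ff  6   -30  WPA2  wps=no   CorpNet
00:11:22:33:44:03  1   -60  WEP   wps=no   Warehouse-Printer
00:11:22:33:44:04  6   -52  WPA2  wps=yes  Guest
"""

# Assumed allowlist of the BSSIDs the organisation actually operates.
KNOWN_BSSIDS = {
    "00:11:22:33:44:01",
    "00:11:22:33:44:02",
    "00:11:22:33:44:03",
    "00:11:22:33:44:04",
}


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    signal_dbm: int
    security: str
    wps: bool
    ssid: str


def parse_scan(text: str) -> list:
    """Turn the constructed scan listing into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, channel, signal, security, wps, ssid = line.split(maxsplit=5)
        aps.append(AccessPoint(bssid.lower(), int(channel), int(signal),
                               security, wps == "wps=yes", ssid))
    return aps


def audit(aps: list, known_bssids: set) -> list:
    """Return (bssid, category, detail) findings: WEP, WPS, or EVIL_TWIN.
    An EVIL_TWIN finding is an AP outside the allowlist that advertises an SSID
    also served by an allowlisted AP; the detail records whether it is louder
    than the strongest legitimate AP for that SSID, since clients tend to pick
    the strongest signal."""
    known = {b.lower() for b in known_bssids}
    best_known_signal = {}
    for ap in aps:
        if ap.bssid in known:
            prev = best_known_signal.get(ap.ssid)
            if prev is None or ap.signal_dbm > prev:
                best_known_signal[ap.ssid] = ap.signal_dbm

    findings = []
    for ap in aps:
        if ap.security == "WEP":
            findings.append((ap.bssid, "WEP", "legacy WEP encryption on '%s'" % ap.ssid))
        if ap.wps:
            findings.append((ap.bssid, "WPS", "WPS enabled on '%s'" % ap.ssid))
        if ap.bssid not in known and ap.ssid in best_known_signal:
            louder = ap.signal_dbm > best_known_signal[ap.ssid]
            findings.append((ap.bssid, "EVIL_TWIN",
                             "unknown AP advertising '%s' on channel %d, %s than the legitimate AP"
                             % (ap.ssid, ap.channel, "louder" if louder else "weaker")))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_scan(SCAN_LINES), KNOWN_BSSIDS):
        print(finding)
```

Run periodically from a sensor with a wireless card in monitor mode, the EVIL_TWIN check is the same signal-strength logic the attack relies on, turned around: a second BSSID for your own SSID that is louder than your own AP is exactly the case clients will auto-join, so it deserves the fastest response.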
There are a number of strategies when it comes to owning a target system, including social engineering and Metasploit exploits. Once you have access to a Windows system, you can simply extract the wireless password from it by going to C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{Interface GUID}
There you will find a hex-encoded XML document containing the wireless password.