Breaking Unsecure WiFi Passwords

Many out-of-the-box Optimum routers (and other providers) come with basic, pre-configured passwords that are easy for users to enter and share with others on their home network. These passwords typically consist of 8 characters, including a mix of capital letters and numbers, making them easily identifiable and vulnerable to brute-force attacks. This weakness makes these routers a prime target for war driving, a technique used to locate and exploit Wi-Fi networks.

To effectively brute-force these networks, attackers can utilize a dedicated GPU with HashCat and various tools from Backtrack/Kali Linux, such as airmon and aireplay. With a powerful GPU like the GTX 980, cracking these passwords can take up to 30 minutes.

To gather the necessary handshake for the attack, using ALFA network cards is recommended due to their excellent Linux compatibility. The AWUS036NHA, in particular, comes with a high-gain antenna that enhances the reliability of initiating the attack.

The attack process is relatively straightforward and relies on the fact that a device already connected to the network will automatically attempt to rejoin when disconnected. The attacker spoofs themselves as the router and intercepts the handshake containing the encrypted password. Once the handshake is captured, tools like John the Ripper (for CPUs) or Hashcat (with a dedicated GPU) can be used to crack the password.

It is crucial for users to be aware of these vulnerabilities and take appropriate measures to secure their home networks. Changing the default password to a strong, complex one and regularly updating the router's firmware are essential steps in mitigating the risk of brute-force attacks.

Using airmon-ng

Using airmon-ng is straightforward. First, identify the interface name of your wireless adapter (e.g., wlan0) using the ifconfig and iwconfig commands. Once you have the interface name, you can enable monitor mode with the airmon-ng start command followed by the interface name. Typically, the process follows these steps:

1. Run ifconfigto check for the interface name.
2. Run iwconfig to check the mode. If it’s in managed mode, proceed to the next steps. If it’s already in monitor mode, you can skip the rest of this process.
3. Run airmon-ng check to look for any conflicting processes that might interfere with setting up monitor mode.
4. Run airmon-ng check kill to stop any conflicting processes.
5. Run airmon-ng start <interface_name> (wlan0). This command will bring your adapter up in monitor mode, appending 'mon' to the end of the interface name, such as wlan0mon.

Airodump-ng

Airodump-ng is a crucial tool in the Aircrack-ng suite, primarily used for capturing packets from wireless networks. By capturing packets, you can analyze network traffic, identify connected devices, and obtain essential information like encryption keys and handshakes needed for cracking the network's security.

To use airodump-ng effectively:

1. Enable monitor mode with airmon-ng.
2. Run airodump-ngwith the monitoring interface (e.g., wlan0mon) and specify various parameters like the channel to monitor, the BSSID to filter, and the output file prefix for the captured data.

Commands:

To capture packets:

sudo airodump-ng wlan0mon --channel 6 --bssid AA:BB:CC:DD:EE:FF -w output

To see all networks in range:

sudo airodump-ng wlan0mon

Aireplay-ng

Aireplay-ng, another tool in the Aircrack-ng suite, is designed to generate, inject, and manipulate wireless network traffic. It supports various attack types, including deauthentication, fake authentication, and ARP request injection, aiding different stages of wireless security assessments or ethical hacking operations.

After capturing packets with airodump-ng and analyzing the network traffic, you can use aireplay-ng to:

1. Force client disconnections.
2. Test network security by injecting custom packets.

Example of a deauthentication attack:

sudo aireplay-ng --deauth 100 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

Transitioning the .cap File to .hccapx Format

Before attempting to crack a password, convert the .cap file (e.g., wpa-01.cap) to the .hccapx format, used by Hashcat. This can be done using Hashcat’s online converter.

Brute-Force Attack Strategy

Brute-force attacks test every possible combination, leading to a significant increase in potential combinations as the password length increases. To commence a brute-force attack, use a custom mask. For example, for a password like 87654321, use the mask ?d?d?d?d?d?d?d?d.