Wireless Pentesting with WiFite
This is a walkthrough for obtaining wireless handshakes and PMKIDs using Wifite and cracking them with Hashcat. This is a more automated approach than using Aircrack-ng or Bettercap.
This is for educational purposes and only to be performed on networks you have permission to do so.
My notes on Wireless in general can be found here.
My notes on Hashcat can be found here.
This requires a WiFi adapter that supports monitor mode and packet injection.
I myself have and recommend these adapters:
- Alfa AWUS036ACM (2.4GHz and 5GHz)
- Alfa AWUS036ACHM (2.4GHz and 5GHz)
- Alfa AWUS036ACH (2.4GHz and 5GHz; this more than likely *will* require driver installation)
- Panda Wireless PAU09 N600 (2.4GHz and 5GHz)
- Alfa AWUS036NEH
- Alfa AWUS036NH
- Panda Wireless PAU05
- TP-Link TL-WN722N
- Ralink USB WiFi RT5370
Wifite
Specify a wireless interface with
sudo wifite -i wlan0
Or, if we only have one WiFi interface that is capable of monitor mode, we can just run it as is.
We can do a WPA attack on a target network with
sudo wifite --wpa
This will enable monitor mode on the wireless interface and begin scanning for networks.
I will target Pixel7, number 2
This starts with a PMKID attack, then moves on to a WPA handshake attack if a PMKID cannot be obtained.
Note: we can skip the PMKID attack by adding the argument --no-pmkid
When running the WPA handshake attack, Wifite will attempt to de-authenticate clients from the network until the handshake has been captured.
When the handshake is captured, we see where it was saved and its file name. Wifite will then attempt to crack it automatically with aircrack-ng using its default wordlist, wordlist-probably.txt
If you would like to use your own dictionary, such as rockyou.txt, we can use the --dict argument.
Hashcracking with Hashcat
With our PMKID captured in a .pcapng file, we can use hashcat to crack it. First we must convert the capture into hashcat's 22000 hash format with the hcxpcapngtool tool from hcxtools.
hcxpcapngtool -o CrackMe (.pcapng file)
Dictionary
If we want to use a dictionary attack, using rockyou.txt for example:
hashcat -a 0 -w 3 -m 22000 (hash file) (wordlist)
Depending on your hardware, the dictionary you chose, and the password, this may take some time. You can press S for a status update to see the estimated time to completion, as well as the updated Recovered.Total count to see how many keys have been recovered.
We can run the same command again with --show appended to the end to see our cracked passwords.
Brute Force
If we wanted to run a brute force attack rather than a dictionary attack, it’s a similar command
hashcat -a 3 -w 3 -m 22000 (hash file) '?l?l?l?l?l?l?l'
Replace the ?l with whatever mask characters we see fit.
* ?l = a-z
* ?u = A-Z
* ?d = 0-9
* ?h = 0-9a-f
* ?H = 0-9A-F
* ?s = (space)!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
* ?a = ?l?u?d?s
* ?b = 0x00 - 0xff
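To put the mask table above to use from the defender's side, here is an added example (not from the original post) that computes the keyspace of a hashcat mask from these built-in charsets and the worst-case run time at an assumed hash rate; the RATE constant is an assumption to replace with your own hashcat -b measurement. It also handles literal characters in a mask and the ?? escape for a literal question mark, which the table does not cover.

```python
# Added example (not part of the original post): estimate the keyspace of a
# hashcat mask built from the built-in charsets listed above, and how long an
# exhaustive run would take at an assumed hash rate. The rate is an assumption;
# measure your own with `hashcat -b -m 22000`.
import string
from datetime import timedelta

# Built-in hashcat charsets, sizes as in the table above.
CHARSETS = {
    "l": string.ascii_lowercase,        # ?l = a-z (26)
    "u": string.ascii_uppercase,        # ?u = A-Z (26)
    "d": string.digits,                 # ?d = 0-9 (10)
    "h": "0123456789abcdef",            # ?h = 0-9a-f (16)
    "H": "0123456789ABCDEF",            # ?H = 0-9A-F (16)
    "s": " " + string.punctuation,      # ?s = space + punctuation (33)
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]  # ?a (95)
CHARSETS["b"] = bytes(range(256)).decode("latin-1")                            # ?b 0x00-0xff (256)


def parse_mask(mask: str) -> list[int]:
    """Return the number of candidates per position of a hashcat mask.
    A literal character counts as one candidate; '??' is a literal '?'."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            sel = mask[i + 1]
            if sel == "?":
                sizes.append(1)
            elif sel in CHARSETS:
                sizes.append(len(CHARSETS[sel]))
            else:
                raise ValueError(f"unknown charset ?{sel}")
            i += 2
        else:
            sizes.append(1)
            i += 1
    return sizes


def keyspace(mask: str) -> int:
    """Total number of candidates the mask expands to."""
    total = 1
    for n in parse_mask(mask):
        total *= n
    return total


def worst_case_seconds(mask: str, hashes_per_second: float) -> float:
    """Seconds to exhaust the whole mask at the given rate (worst case)."""
    return keyspace(mask) / hashes_per_second


if __name__ == "__main__":
    RATE = 500_000.0  # assumed -m 22000 rate; replace with your hashcat -b result
    for m in ["?l?l?l?l?l?l?l", "?l?l?l?l?l?l?l?l", "?u?l?l?l?l?d?d?d?d", "Summer?d?d?d?d!"]:
        print(f"{m:22} keyspace={keyspace(m):>20,}  "
              f"worst case={timedelta(seconds=worst_case_seconds(m, RATE))}")
```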
This covers the basics of hash cracking with hashcat, but it can get SO much more advanced, especially when using rules like OneRuleToRuleThemAllStill and modern wordlists like rockyou2021.txt.