In order to run the tools necessary for this attack, there are several programs that must be installed on your Mac. All of these programs will be installed from the terminal.
Terminal is a Command Line System that allows you to tell your operating system to execute certain commands. Basically, it is a way for you to talk to your Mac. We are going to use Terminal during this entire attack. If that scares you, don’t be worried. We will walk you through every step! Your grandmother would be able to follow this guide, so stick with us! To open up Terminal:
Open the "Finder" application in the bottom left-hand corner of your Mac’s home screen.
Open the "Applications" folder.
Open the "Utilities" folder by clicking on the dropdown arrow.
Double click on the "Terminal" application.
There are four tools we need to install that will be used in our WiFi attack. The first tool, Xcode, will be installed through the App Store, but the rest of the tools will be installed using Terminal.
IMPORTANT: Any time one of these steps prompts for a password, enter the password used to unlock your computer, and then hit enter. (Your password will not appear in text as you type so do not worry about that.)
The first tool we need to install is Xcode. Xcode has software development tools that we will need to install our next tool.
If you already have Xcode installed, skip below to the HomeBrew Install section.
To install Xcode:
Navigate to the “Applications” folder as described in the Opening up Terminal section.
Double click on the “App Store” icon to open the Apple App Store.
If you have not already installed Xcode, there will be a “Get” button next to the app icon. Click on this button and follow the prompts to install.
Installation Time: Depending on previous installations, Xcode could take over an hour to install. Thankfully, many people will already have Xcode installed on their Mac.
The second tool we need to install is HomeBrew. HomeBrew is a package manager (basically a tool to install other tools) for Mac that will allow you to install the last tool that we need.
If you already have HomeBrew installed, skip below to the HashCat Install section.
To install HomeBrew:
Open Terminal as described in the Opening up Terminal section.
Copy and paste this command into Terminal: ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Press enter to execute the command.
Installation Time: Five to twenty minutes.
The last tool we need to install is HashCat. HashCat is a password cracking tool that we will use to crack the “password hash” that we will recover (more on that later).
If you already have HashCat installed, you can click on the next page to begin Executing the Attack!
We will install HashCat using HomeBrew from Terminal.
Open Terminal as described in the “Opening up Terminal” section.
Copy and paste this command into Terminal: brew install hashcat
Press enter to execute the command.
Installation Time: Two to ten minutes.
In the search bar, search for “Xcode”.
This is where we will teach you how to hack your WiFi. We will walk you through the necessary installations and then show you how to execute the attack.
Let's actually hack some WiFi! The next two sections run through the directions for executing the attack. The first section goes through all the installations you'll need before successfully carrying out the attack. (All the installations we step you through are entirely free. No need to worry about purchasing anything!) The second section guides you through the attack itself.
Additionally, there is a complete video walkthrough of the "Executing the Attack" section. This video walks through every step of a successful attack (other than installing the tools), so feel free to use it for reference! Again, make sure you perform all of the necessary installations before running the commands in the guide and in the video.
Here we will walk you through every step of the attack, explaining some of the technologies as we go. Make sure you have completed the necessary installations page before you do this!
IMPORTANT: Any time one of the steps on this page prompts you to enter a password, enter the password used to unlock your computer, and then hit enter (your password will not appear in the terminal as you type so do not worry about that).
All steps should execute instantly unless noted otherwise.
Additionally, make sure that you go through these instructions in order, as commands usually depend on the output of previous commands.
Open Terminal.
First, we are going to download a wordlist that we will use later on. The wordlist, called RockYou.txt, is a list of 1.4 million common passwords. We will use this list to try and crack the password hash later in the attack. To download and unzip the file, copy and paste this command into Terminal (note: after every command that you copy and paste, be sure to hit enter so that it runs):
wget https://github.com/praetorian-inc/Hob0Rules/blob/master/wordlists/rockyou.txt.gz?raw=true -O rockyou.txt.gz && gunzip rockyou.txt.gz
The output should look similar to this, but not necessarily identical as your environment may look different than ours. It is important to look for a "100%" somewhere in the terminal.
Execution Time: Less than one minute
Our goal is now to learn the name of the network router. We will do this by using a library called airport. airport will allow us to both determine the network name and mac address.
MAC address: (Media Access Control address), is a unique identifier used to identify devices on a network
In Terminal, copy and paste this command to allow the airport binary to be recognized:
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport
If prompted, enter your password and hit enter.
Determine the name of the WiFi network that you are trying to attack. A list of WiFi names can be found by clicking on the WiFi button in the upper right-hand corner of your home screen. For our example, we will be attacking the “MySpectrumWifi4B-5G” network.
Now we will use Mac’s network listening abilities to get some more information about our target network. In Terminal, copy and paste this command:
sudo airport -s
The output should look something like the figure above. If no networks were found, repeat the previous step.
Execution Time: Instant
We now need to find the actual name of the network router. The name of the network router is what we need to impersonate the router. All login attempts need to be handled by the router, so when a new person logs into the WiFi their request will be sent to that name. We then want to intercept that encrypted login request that the user sends; this will likely be a encrypted password.
From the output of the previous step, find the BSSID of the target network. It should look like the BSSID outlined in red in the screenshot below:
This BSSID is the Mac Address (the unique identifier) of the WiFi router. We are going to save the BSSID in an environment variable that we will use later. To do this, copy and paste this command:
export BSSID=<TARGET_MAC_ADDRESS>
In our example, we would run:
export BSSID=78:29:ed:27:07:4a
Verification
If the above command worked, you should be able to now run:
echo $BSSID
And see something like the below:
Execution Time: Instant
This step will only work if someone is trying to connect to the network. Either one needs to wait for someone else to make a login attempt on the network, or one could simulate a login attempt by disconnecting and reconnecting their phone to the network.
Now we are going to use airport to disassociate from all networks. This will disconnect you from WiFi, so make sure not to close out of this guide before you are done or you will not be able to access it. To dissociate, run:
sudo airport -z
Next, we will use airport to tell our machine to listen on the channel that our target network is using. First identify the channel from the output of the first step of the previous section Set Environment Variables:
Execution Time: Instant
Now that we have identified our target network, we will use airport to start eavesdropping on that network. To do this, run:
sudo airport -c<target_channel>
In our example, we would run:
sudo airport -c36
Now we will begin collecting packets. To do this we are going to use tcpdump, a network packet analyzer. We are going to listen for a packet, and then save that packet to a file called beacon.cap. Run:
sudo tcpdump "type mgt subtype beacon and ether src $BSSID" -I -c 1 -i en0 -w beacon.cap
This command should complete fairly quickly, as long as there are people using the target network [4]. Look for the packet captured line:
Execution Time: Less than one minute if people are actively using the network.
Once the last command is complete, we are going to start listening for any authentication packets. These packets get sent whenever someone re-authenticates to a network. (This happens any time someone goes from being not connected to the WiFi to being connected.) To listen for these packets, run:
sudo tcpdump "ether proto 0x888e and ether host $BSSID" -I -U -vvv -i en0 -w handshake.cap
This will not complete immediately, so wait and move on to the next step. When the above command does terminate, it will save the authentication packet in a file called handshake.cap. Within this file will be the hash of the WiFi password that we will try to crack [7].
Execution Time: See Step 7
In order to make the last command terminate, we need to figure out a way to get someone to connect to the network. This is where it gets fun. In a real attack scenario, the attacker would just wait until someone entered the house. When doing this on your own home, you can think of creative scenarios to convince your friends to disconnect and then reconnect to the WiFi. Or, if you want to be boring and you have a device that is connected to the target network, you can just turn the WiFi off on the device, then turn it back on, and wait for the device to reconnect to the target network. When the terminal output changes from Got 0 to another number greater than zero, such as Got 4 in the screenshot below, there have been sufficient packets captured.
Once the terminal says that packets have been captured, you can kill the process by going to your terminal and pressing the control key, often abbreviated to "Ctrl", and the "C" key at the same time.
Note: At this point you are free to reconnect to WiFi.
Execution Time: This command will not terminate until someone successfully authenticates to the target network.
Now we have to merge the two capture files into one file called capture.cap. To do that run:
mergecap -a -F pcap -w capture.cap beacon.cap handshake.cap
We must transfer capture.cap into a format that our cracking tool hashcat can use to crack the password hash. To do this, we have to install one last tool. We will install, compile, and run the tool using this command:
git clone https://github.com/hashcat/hashcat-utils.git && cd hashcat-utils/src && make && cd ../../ && hashcat-utils/src/cap2hccapx.bin capture.cap capture.hccapx
There will be a lot of text printed to the terminal, but the last few lines should look like this:
Note that if you already had a hashcat-utils folder in the working directory, this step may not work. in that case, run the previous command starting from the "cd hashcat-utils..." section.
Execution Time: Less than two minutes.
Make sure that there was at least one WPA Handshake written to capture.hccapx as is shown in the screenshot above. If there was not, then go back to the sudo tcpdump step of Start Listening and try again. If this still does not work, cascade up the tutorial and confirm your ability to successfully complete and confirm the outputs of Wait for Reconnection and Collect Packets. If the problem persists, it may be that your WiFi authentication scheme is not vulnerable to this attack.
Once we have the hash file, we are going to try and crack it using hashcat. A hash is just an encrypted password. We are going to go through the entire list of 1.4 million passwords that we downloaded earlier, encrypt them, and then see if they match the hash that we captured. If they match, then we have cracked the WiFi password [8]! To begin this process, run:
hashcat -m 2500 capture.hccapx rockyou.txt
This process could take up to five minutes (remember, it is trying 1.4 Million passwords). If successful, the result will look like this:
Now all that is left to do is to retrieve the password! Finally, run:
hashcat -m 2500 capture.hccapx rockyou.txt --show
You should now have the decrypted password, as shown in the screenshot above.
Execution Time: Five to ten minutes.
On my network, the password was rewardbarrel058 (don’t worry, I changed it immediately after this example).
If the password attack was not successful, congratulations! You at least have a decently secure password. Keep in mind, however,mthat we only used 1.4 Million passwords. A dedicated cracking rig could run through over a billion attempts in a very short amount of time.
You can also add your password to the wordlist and re-run the last few steps to see what it would be like if the steps did work. To do that, run echo <your_password> >> rockyou.txt where <your_password> is the password of your target network. This command adds your password to the end of the rockyou.txt file, thus adding the password to the wordlist. For example, if rewardbarrel058 was not on rockyou.txt, we would add it by running:
echo rewardbarrel058 >> rockyou.txt
Now go back and follow the tutorial from Cracking The Hash, and the password hash should get cracked!
