To attack multiple WEP, WPA, and WPS encrypted networks in a row. This tool is customizable to be automated with only a few arguments.
So you’re interested in Hacking and Cracking? Or just want some free WiFi! Either way you have found the right place to begin.
Kali Wifite
Today we are going to walk through the steps needed to crack WiFi access points using a combination of wifite and Aircrack-ng. In this guide we will go through how to capture and crack the handshakes to reveal the WiFi Password.
Firstly, you will need a Kali machine! For the purpose of this guide I am using a vanilla install of Kali and am running all of my sessions and commands as a Root user, if you are using a standard account then ‘Sudo’ will be required before most, if not all commands being executed.
- CudaHashcat or oclHashcat or Hashcat on Kali Linux got built-in capabilities to attack and decrypt or crack WPA WPA2 handshake.cap files. Only constraint is, you need to convert a.cap file to a.hccap file format. This is rather easy. Important Note: Many users try to capture with network cards that are not supported.
- (^C) WPA handshake capture interrupted + 2 attacks completed: + 0/2 WPA attacks succeeded + quitting Now the deauth attacks weren't working. This time I increased the deauth frequency. Root@kali:# wifite -wpadt 1. Soon, however, I realized, that the problem was that I was using my internal card (Kali Live USB).
- I'm using the latest builds of Kali Linux and I use the following command: wifite -pyrit -dict./rockyou.txt But after capturing a WPA Handshake, it says that no dictionary was found 00.
The installation of Kali is on a Laptop with a compatible WiFi adapter which allows for monitor mode, this is necessary to capture packets ‘in the air’.
Boot up Kali and either navigate to ‘wifte‘ in the applications tab or open up a terminal and type in ‘wifite‘.
Immediately you will see a list of WiFi SSID’s begin to populate in the terminal window. The key thing to look out for is the amount of connected clients (as we are trying to capture a handshake between the client and the AP).
After choosing the Access Point in wifite in this case ‘EternalWIFI’, it will attempt to deauth the clients connected (disconnect the Clients). Those clients will then try to re-establish a connection and in doing so, wifite will capture the initial handshake packets which contain the password hashes. The more clients that are connected to the AP the better the chance and more quicker wifite will capture the handshake packets.
When a Handshake packet is captured, Wifite will try a default/simple password list. Its not bad and has worked for me a few times on individuals that tether there phones and change their passwords to something very simple, you can of course edit this list to include more passwords.
As you can see from the above, wifite has managed to crack the simple password which is ‘password’.
This however, will not always work and so we will need to crack the hash against a password list. We are going to do this by using aircrack-ng and feeding a password list against the capture handshake hash.
So, we are going to need passwords, a list of passwords to run against the hash.
If you need some password files I have zipped a few up HERE, I have found these on the Internet and take no credit for them!
However, the best way to get wordlists is by creating them yourself on Crunch. If you suspect that someone has changed their password to something ‘personal’ then it might be worth running CUPP (Common User Password Profiler) for a list.
Kali also comes with a default list (rockyou.txt) located in: /usr/share/wordlists
Kali Wifite Handshake Locations
When hashing against a list, the more you know about the network, router and users can help a lot. First things first would be to look at the SSID (most SSID’s have the brand of router included within the name) and this allows you to understand how many characters the default WiFi code is and the combination of letters, numbers, caps. An example of this is:
Default Iphone Hotspots/Tether will use 13 Lowercase only with Numbers (No Symbols or Caps). This information will allow us to filter our wordlists and create new wordlist around this.
Once you have downloaded or created a password list, it’s time to run this against the captured hash using aircrack-ng. The Syntax for aircrack-ng is:
aircrack-ng capturedpackets.cap -w wordlist.txt
When we execute this, aircrack-ng will begin hashing the passwords from the list against the handshake password hash.
If the password is in the list then it will eventually strike a match.
As you can see, the WiFi password is ‘pleaseletmein’. While a simple password, this one wasn’t in the common password file in wifite and required the use of our own wordlist in order to crack.
Make sure you exit monitor mode on your WiFi adapter so you can test if the passphrase works.
So there we have it, the WiFi password. Please note that the cracking speed will be based upon your machines performance and it goes without saying that if the passphrase isn’t in your wordlist then you wont find the password. So make sure you build out specific wordlists dependent on the WiFi AP you want to crack. There are many other tools that you can use for the capture of the handshake and the cracking of the handshake. I prefer wifite as its easy to use and great for beginners and aircrack-ng has easy to remember syntax for piping a handshake to a wordlist.
Please use this knowledge responsibly and make sure you have consent to execute attacks such as this against someones Access Point. I take no responsibility for misuse of this information.
Please feel free to put any questions or comments in the section below.
Written and Executed by Gennaro Migliaccio
Proofed, Edited and otherwise scrutinized by Summer-Jade Greenaway