Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
Passwords that are long, random and unique are the most difficult to crack. But humans tend to use weak passwords made up of familiar phrases and numbers. Mike Meyers demonstrates just how easy it is to hack a weak Wi-Fi password in this episode of Cyber Work Applied.
How to hack WPA and WPA 2 Wi-Fi
Infosec Skills author Mike Meyers demonstrates a Wi-Fi WPA key hack in the video below. He uses Aircrack-ng and Airodump-ng to access 802.11 WPA and WPA2 connections.
Cyber Work listeners get free cybersecurity training resources. Click below to see free courses and other free materials.
Wi-Fi hacking examples and walkthrough
The edited transcript of the Wi-Fi password hack walkthrough video is provided below, separated into each step Mike covers in the video.
WPA and WPA2 security
(0:00- 0:24) WPA and WPA2 are very good encryptions. If you're using WPA, you're using RC4, but you're using TKIP with that. If you're using WPA2 while you're using AES with CCMP, then you are not going to be able to crack these passwords, except for one little problem.
Problem with WPA and WPA2
(0:25- 1:35) The problem is that the initial connection between a wireless WPA or WPA2 client to an access point has what we call a four-way handshake. Not that many years ago, there was a small weakness discovered in this four-way handshake that allows us to do something very interesting.
Now, I need to be careful here. When you're cracking WEP, you can mathematically derive the password just by looking at packets. You can't do that with WPA and WPA2.
FREE role-guided training plans
With WPA and WPA2, think more instead that you've got this guy who's really good at turning the numbers on a bicycle lock and then pulling on it. So you can go up to this guy and say, "Hey, try 0000," and he could do that real quick and pull on it.
If you wanted to, you could tell this guy, start with all zeros and then just keep going and go to 9999. Now, if there were only 10,000 different permutations that would work great. But with WPA or WPA2, take that same bike lock analogy and turn it from four digits to like 128 digits. So it would take that guy, even if he was fast, a very, very long time to go through all these.
Humans use weak passwords
(1:36- 2:15) Luckily for us, we know that human beings don't use good, randomized, long passwords. We know that most human beings are going to use a phrase and then a number. Or their pet's name and then the date they were born, or the number of kids they have and their wife's name and the date that they got married. Little, simple, things like that.
And if we know that, we can tell the guy who's spinning on that bicycle lock, "No, no, no. Don't start at the zeros, just try all of these first." So we've got to give this WPA, WPA2 cracker what we call a dictionary file.
What is a dictionary file?
(2:16- 3:07) Now, a dictionary file is nothing more than a big text file full of tens of millions of different types of permutations of well-known words, numbers and all kinds of different things. Now you think, "Whoa, tens of millions." Well, compared to 128th power stuff, at 10 million even my laptop, give it a day, could knock all that stuff out. So it makes a big difference.
Here’s what we're going to be doing with WPA and WPA2. We’ve got a whole bunch of packets. What we're going to grab is those four-way handshakes when people start to connect. Using that, we can derive the passwords by using a dictionary file. Basically saying, "Try all these, and if people use it, then we're going to have them." So let's go ahead and let me show you how the setup works this time.
Setting up the Wi-Fi hacking demo
(3:08- 4:26) So I've got my same wireless access point. Now, he's still set to WEP at this moment. So we're going to change him to a regular, old WPA-PSK, and get him up and running.
We'll put a really weak password on here, then we're going to go back over to the Kali box and in this case, what we're going to do is we're still going to monitor the traffic, but we're just going to wait for somebody to authenticate, and we got them. We'll run the cracker, and with luck, since it's a weak password, we're going to be able to get it pretty easily.
So let's take a look at the setup. All right, so let's go over here, and first of all, instead of calling it a NOTSECUREWEP, let's call it NOTSECUREWPA.
The next thing I'm going to do is go over to Wireless Security, and we're going to take off WEP, and let's go to WPA Personal. This type of attack will work with a WPA or WPA2 personal shared key. So I've already got a password here, and I want to keep it.
The password is “timmytimmy,” so it's a pretty simple password. It's just a very common word, used twice. So let me go ahead and apply all this, we'll save it, and we're pretty much ready to go.
Take your hacking to the next level
Learn how to pentest and be an ethical hacker with expert-guided training, or learn more about the world of ethical hacking.
Using airodump to grab WPA connection data
(4:27- 6:29) So this guy is now WPA personal, he has a very simple password of “timmytimmy,” and now what we're going to do is go over here, we're going to grab a bunch of data. But in particular, we're not just grabbing data, we're looking for handshakes, and that's where airodump does a great job. Let me show you.
Now, what I've got here is I've got airodump still running on my screen. If you take a look right here at the top, you're going to see there's NOTSECUREWPA. You can even see that it's WPA and it's running TKIP. No great surprise there, and there's the MAC address for it.
So what we're going to do now is let's start airodump, and we're going to watch for handshakes.
I'm going to put all the stuff that it finds into a file called wpafile, and this guy's on channel 6, and the bssid is 20:AA:4B:42:43:E8 and we're going to tell them to listen on wlan0mon.
root@kali:~# airodump-ng -w wpafile -c 6 --bssid 20:AA:4B:42 :43:E8 wlan0mon
So what we're going to do now is keep watching this and see if somebody comes in.
There it is. Wow! That was really quick. Let's go ahead and take a look at that file and go ahead and see if we can pull the password out. We can go ahead and turn this off.
Cracking passwords with aircrack
(6:30- 7:31) Let me make sure I've got a dictionary file in there.
root@kali:~# ls
There it is. Way up at the top, you see the word dictionary? That's a dictionary file that I've created. So to actually go about the cracking, we go ahead and run Aircrack. “a2” means I'm doing a WPA attack on this guy.
root@kali:~# airodump-ng -a2
I got to tell it where my dictionary file is. It's right here in the same folder, so I type in “dictionary.” Then I tell it which file I want to crack. In this case, it's going to be wpafile-01.cap.
root@kali:~# airodump-ng -a2 -w dictionary wpafile-01.cap
Ta-da! There it is, right there.
Weak keys are vulnerable to attack
(7:32-8:17) Pretty easy stuff. Now, you're looking at this probably saying, "Wait a minute, Mike. You put the right password into your dictionary file." Yeah, I did. But I did that just to speed up this demonstration. Trust me, there are huge dictionary files, and they got “timmytimmy” in there just as easily.
If you have a weak WPA or WPA2-PSK, odds are good that people will be able to crack it almost as quickly as I've done right here.
The right answer is simple. Use long, complex private shared keys when you're dealing with WPA and WPA2. A lot of people recommend that you don't use any human words and make sure you use at least 20 characters, which can sometimes be long to remember, but boy, does it make it secure.
Become a Certified Ethical Hacker, guaranteed!
Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.
More cybersecurity training resources
Check out Infosec's weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders — plus other free cybersecurity training videos.
Cyber Work listeners also get free cybersecurity resources. Check out the latest free training courses and resources and keep learning!
In this Series
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- How to hack mobile communications via Unisoc baseband vulnerability
- How to build a hook syscall detector
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough [Updated 2021]
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- What is a side-channel attack?
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- Top 7 cybersecurity books for ethical hackers in 2020
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Podcast/webinar recap: What's new in ethical hacking?
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Getting started in Red Teaming
- Ethical hacking: IoT hacking tools
- Ethical hacking: BYOD vulnerabilities
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: How to hack a web server
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Port interrogation tools and techniques
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Social engineering basics
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Basic malware analysis tools
- Ethical hacking: How to crack long passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: Log tampering 101
- Ethical hacking: What is vulnerability identification?
- Ethical hacking: Breaking cryptography (for hackers)
- Ethical hacking: Attacking routers
