Wireless networks are common in enterprise environments, making them a prime target for penetration testers. Additionally, misconfigured wireless networks can be easily cracked, providing penetration testers with a great deal of valuable information about the network and its users. This article explores some of the most widely-used tools for different aspects of wireless network hacking.
Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP’s plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. Load Reaver and click the Play button in the middle of the window. Click the Play button in the attack column next to the AP you want to crack. Let Reaver run and do its thing. It can take anywhere from a few minutes to a few hours, but if successful, Reaver will return the WPA pre-shared key.
Network discovery
Before attacking a wireless network, it is necessary to know that it exists. A few different tools provide network discovery functionality to help with identifying wireless networks and extracting useful traffic for use in an attack.
1. Kismet
Kismet is one of the most famous Wi-Fi hacking tools available. It is a network sniffer capable of monitoring 802.11 wireless traffic as well as other wireless protocols, such as Bluetooth and Zigbee.
Kismet is available on all operating systems and can run using any Wi-Fi card that supports radio frequency monitoring mode (RFMON). It passively collects packets to identify both broadcasting and hidden wireless networks.
Download Kismet: https://www.kismetwireless.net/downloads/#kismet-release
2. KisMac
KisMac, as its name suggests, is designed to be a Kismet clone available on macOS. Like Kismet, KisMac performs passive network monitoring and can attempt to crack WEP and WPA keys using brute force password guessing or exploiting known flaws in legacy protocols.
Download KisMac: http://kismac-ng.org/
3. inSSIDer
inSSIDer is a Wi-Fi scanner for Microsoft Windows and macOS platforms. The tool is available under a freemium model, where some functionality is available for free but the full tool requires a subscription. The primary use of this tool is by Wi-Fi administrators looking to detect and diagnose issues within Wi-Fi networks.
inSSIDer provides several different features, including locating open Wi-Fi access points, monitoring the signal strength of Wi-Fi networks and saving logs with location data pulled from GPS.
Download inSSIDer: https://www.metageek.com/products/inssider/
4. CommonView for Wi-Fi
CommonView for Wi-Fi is a wireless network sniffer for 802.11 a/b/g/n/ac/ax networks. It captures every packet being sent over the network and provides several different statistics. These statistics are valuable for both discovering wireless networks and identifying any potential issues within them. As a result, CommonView for Wi-Fi is often used by network administrators.
Download CommonView: http://www.tamos.com/products/commwifi/
Password cracking
Wireless networks use encryption to protect the data they carry against eavesdropping and malicious modifications. However, legacy encryption protocols (like WEP) are vulnerable to attack, and even secure protocols can be cracked using brute-force and dictionary-based attacks. Several different tools exist for cracking the passwords securing Wi-Fi networks.
5. Aircrack-ng
Aircrack-ng is a popular wireless password-cracking tool. It starts by capturing wireless network packets, then attempts to crack the network password by analyzing them. Aircrack-ng supports FMS, PTW, Korek and other attacks against WEP passwords. Aircrack-ng can also use dictionary attacks to guess passwords for WPA, WPA2 and WPA3 Wi-Fi networks.
Aircrack-ng is a terminal-based application. However, several tutorials are available to demonstrate how to use the tool.
Download: http://www.aircrack-ng.org/
6. CoWPAtty
CoWPAtty is a password-cracking tool that uses dictionary attacks to crack WPA pre-shared passwords. It supports Linux and operates using a command-line interface.
CoWPAtty has a wordlist containing thousands of passwords, but dictionary attacks with the tool can be slow. This is because the password hash for WPA is based on the wireless network’s SSID. CoWPAtty must calculate the hash for each password in its list before testing, which takes time.
For Wi-Fi networks with one of about 1,000 of the most common and default SSIDs, CoWPAtty offers a rainbow table of 172,000 password hashes. If a particular Wi-Fi network uses one of these SSIDs and has a password in the list, then CoWPAtty can crack it much more quickly.
Download CoWPAtty: http://sourceforge.net/projects/cowpatty/
7. Reaver
Reaver is an open-source password-cracking tool. It performs a brute-force attack against WPS to break the security of Wi-Fi networks.
Download Reaver: https://code.google.com/p/reaver-wps/downloads/list
8. Wifite
Wifite is a tool designed to simplify the Wi-Fi auditing process. It runs existing tools for you to eliminate the need to memorize command-line switches and how to configure various tools. To learn more about using wifite, read the wifite walkthrough.
Download Wifite: https://github.com/derv82/wifite2
9. WepDecrypt
WepDecrypt is a wireless LAN tool written in the C language. It uses dictionary attacks, distributed network attacks and other methods to guess WEP Keys.
Download Reaver Windows 10
WepDecrypt requires installing some libraries and making the binaries executable. For this reason, the tool may not be a good choice for novice users.
Download here: http://wepdecrypt.sourceforge.net/wepdecrypt-manual.html
10. CloudCracker
CloudCracker leverages cloud-based resources to crack WPA keys and other types of password hashes. It takes the handshake file and the network name as input and performs the password cracking.
CloudCracker has a massive password dictionary, giving it a high probability of cracking weak passwords. The price of cracking a hash depends on the desired priority.
See CloudCracker: https://crack.sh/
11. Pyrit
Pyrit is a tool for performing brute-force password guessing attacks against IEEE 802.11 WPA/WPA2-PSK authentication. It supports the creation of massive pre-computed rainbow tables of passwords stored in databases. Pyrit can be used on Linux, macOS and FreeBSD and is available for free.
Download Pyrit: https://code.google.com/p/pyrit/
Reaver Download Windows 10
12. Fern Wifi Wireless Cracker
Fern Wifi Wireless Cracker is designed to crack WEP/WPA/WPA/WPA2 keys on Wi-Fi networks. It accomplishes this through a variety of different attacks including exploitation of vulnerable protocols, phishing attacks, brute-force and dictionary-based password guessing attacks.
Fern is available for Windows, Linux and macOS platforms. It operated under a freemium model, where a license is necessary to gain access to the full suite of features.
Download Fern Wifii Wireless Cracker: http://www.fern-pro.com/downloads.php
13. Airgeddon
Airgeddon is a script designed to run other network monitoring and cracking scripts. For example, Airgeddon requires Aircrack-ng to run. By configuring and executing these scripts for the user, Airgeddon can make Wi-Fi cracking easier to perform.
Download Airgeddon: https://github.com/v1s1t0r1sh3r3/airgeddon
14. Wifiphisher
Many Wi-Fi networks use secure encryption protocols, making them more difficult to attack. Tools like Wifiphisher attempt to steal user credentials via phishing attacks. This tool is built into Kali Linux by default and is available for Windows, macOS and Linux.
Download and read more about WiFiphisher: https://github.com/sophron/wifiphisher
Network sniffing
After gaining access to a wireless network, a penetration tester needs to perform network sniffing and traffic analysis to take advantage of that visibility. A couple of different options exist for monitoring and dissecting the traffic flowing over wireless networks.
15. Wireshark
Wireshark is the most popular network traffic analysis tool in existence. Its wide array of built-in protocol decoders make it easy to dissect and examine packets from all types of network traffic. Wireshark can be run on packet capture files or perform live traffic capture, including wireless traffic.
Wireshark is designed to be an intuitive and easy-to-use tool, but it is designed for network traffic analysis. This means that, while the tool may be easy to use and invaluable for wireless hacking, an understanding of network fundamentals is necessary to use it effectively.
Download Wireshark: https://www.wireshark.org/
16. OmniPeek
Windows 10 Update
OmniPeek is a commercial network packet analyzer designed for the Windows platform. It offers a variety of visualizations and graphs to help in understanding the traffic present on the network. While it still requires an understanding of network protocols to use effectively, it provides an alternative to Wireshark for network analysis.
Download OmniPeek: https://www.liveaction.com/products/omnipeek-network-protocol-analyzer/
Packet injection
Packet injection enables a penetration tester to inject data into an established network connection. This helps perfrom denial of service (DoS) and man-in-the-middle (MitM) attacks against wireless network users.
17. Airjack
Airjack is a packet injection tool for Wi-Fi 802.11 networks. Its packet injection functionality can be used to perform DoS and MitM attacks against Wi-Fi users.
Download AirJack: http://sourceforge.net/projects/airjack/
Wi-Fi cracking for mobile
In some scenarios, performing wireless network hacking on a laptop would be conspicuous, while a mobile device would be essentially invisible. A few different platforms exist for performing penetration testing against wireless networks from a mobile device.
18. Kali Linux NetHunter
Kali Linux NetHunter is an open-source version of the Kali Linux operating system for Android devices. It provides several different tools for Wi-Fi hacking and mobile penetration testing, including Wireless 802.11 frame injection and one-click MANA Evil Access Point setup.
Download Kali NetHunter: https://www.kali.org/kali-linux-nethunter/
19. zANTI
zANTI is a full mobile penetration testing toolkit designed to provide “push button” testing of network security. Among its many features are Wi-Fi hacking scripts designed to perform MitM and other automated attacks against the network.
Download zANTI: https://www.zimperium.com/zanti-mobile-penetration-testing
20. RfA
Reaver for Android (RfA) is an Android port of the Reaver Wi-Fi cracking tool. It allows password cracking of WPS/WPA2 Wi-Fi networks on a rooted Android phone.
Download RfA: https://forum.xda-developers.com/t/app-2-2-root-wifi-reaver-gui-for-android.2456888/
Wireless hacking is essential for penetration testing
Wireless network hacking is an essential skill set for the modern penetration tester. While the tools described in this post are organized into categories, many have functionality that spans multiple different areas. Gaining familiarity with a few different wireless hacking tools can be a valuable investment in an ethical hacking career.