RWSPS: Automated WiFi Cracking [ch4]

rwsps-rootsh3llwifi-hack-automate-wep-wpa2-wps-logo

Hello and welcome to Chapter 4 of RWSPS. In this chapter we will learn to automate the WiFi hacking using Wifite.

We will cover:

  • How to Hack WEP  using Wifite
  • How to Hack WPA/2 using Wifite
  • How to fix WPA/2 handshake capture error in Wifite ?

Wifite: Automated Wireless Hacking/Auditing Tool

Wifite is a Linux platform tool(comes pre-installed on Kali, Backtrack, Pentoo, BackBox, BlackBuntu and other pentesting distributions ) coded in Python. It is used to automate the hacking process and aims at minimizing the user inputs by scanning and using Python for automation techniques. Wifite is capable of Hacking WEP, WPA/2 and WPS, but not alone. It actually uses tools like aircrack-ng, reaver, Tshark, Cowpatty for various purposes like

  • Enabling monitor mode
  • Scanning air
  • Capturing handshake
  • Validating handshake
  • Cracking key
  • analyzing output and captured packets etc.

Before we start the tool, we do need to learn how to install the tool and make it working like a command as it comes in all the pentesting distros. Here are the steps we will be covering in this tutorial.

  • Downloading Wifite
  • Installing Wifite as a system command
  • Cracking WEP using Wifite
  • Cracking WPA/2 using Wifite
  • How to fix WPA/2 handshake capture error in Wifite
  • Focusing Wifite

Let’s begin.

Downloading Wifite

Wifite was previously hosted on code.google.com, but it is now a full-fledged project and hosted on GitHub. For all the latest updates you should go for the GitHub link, that you may find on Search engine’s results.

You may directly download it here https://github.com/derv82/wifite

Latest version (October, 2015) is r87. Kali Sana includes r87 version by default, but that version has an error that we will see to fix in this tutorial.

Checkout my new store for Best WiFi adapters for Hacking, Best-selling Pentesting Books and Best WiFi Boosters: Rootsh3ll rStore

Installing a tool ( Wifite ) as a command in Linux

This is not only limited for this script i.e Wifite, but you can apply this to any working tool/script/program on your Linux platform to make and run it as-a-command. We will use Wifite as an example to do so.

We have already downloaded the latest Wifite script and assume that it is stored on our Desktop.

Now open terminal and type:

  • cd ~/Desktop

“~” reflects the HOME Directory to the shell. Check your home directory by “echo $HOME“. Here $HOME is an environment variable. /Desktop is the directory stored in the HOME directory.

  • unzip wifite*.zip

unzip is the tool to extract files from a .zip file. wifite*.zip means any file with starting name wifite and ending with .zip, here “*” means anything (including blank).

  • cd wifite*/

Changes the pointer to first directory starting with name “wifite”. ‘/‘ symbolizes directory.

Now you can check that if the script works or not just by typing python wifite.py, as wifite is a python script. If it (or any script) is working fine you might like to make it a system command so that you don’t have to traverse the directory every time. It is pretty better to just open the terminal and type command.

For that we should know where the actual executable commands are stored in Linux, so that we can also copy our script in the same directory. Just like in Windows systems, all the CMD commands are stored in \WINDOWS\System32\.

type “which followed by a simple “linux command

  • which ls

which” command tells us the location of the command passed as an argument to it. which is “lsin this case. It will reflect “/usr/bin/ls” as output. From here we know that ls, executable file is stored in /usr/bin directory.

Now, what we have to do is move our wifite script to “/usr/bin/” and make it executable, if not already.

Moving wifite.py to /usr/bin/ (we are in ~/Desktop/wifite/)

  • sudo cp wifite.py /usr/bin/wifite

sudo stands for SUperuser DO. Used to take root(SuperUser) permission to perform certain tasks.

cp is used to copy files, Syntax: cp “Source” “Destination”, where Source is wifite.py and destination is /usr/bin/wifite. Also wifite is the output filename that we would like to use as command.

wifite-copy-usr-bin

Here rwx stands for Read, Write, Executable. All of them are file attributes.

Making wifite Executable(if not already), so that no need to write python before the file name.

  • sudo chmod +x /usr/bin/wifite

chmod, changes the file(/usr/bin/wifite) mod to +x, i.e executable.

Now wifite is a system command you can open a new terminal and type sudo wifite to run the command with root privilege.

Let’s now move on to Cracking.

Cracking WEP using Wifite

Cracking WEP using any automated tool is hell lot of easy task as you don’t have to analyze anything, just see target, select option and hit [ENTER]. I don’t recommend using any automated tool until you have learned the actual working of the script or the process that runs behind the script. Scripts are only to reduce time and effort. Please don’t rely upon scripts and go ahead and Learn the real process by yourself and use automated tools to save your time.

I will show the tutorial on Kali Linux v1 and v2, which comes with pre-installed Wifite. I am running root account by default. If you are running standard account, use sudo before Wifite eg: sudo wifite

Open Terminal and type wifite and wait for it to show you the AP List.

Press CTRL-C and select desired AP with enc type WEP and type its NUM. like show in the image below.

wifite-scan-selectJust wait for Wifite to capture the IVs(Initialization Vector) and crack the key for you.

WEP cracking is the easiest of all. that is the one of the reasons that WEP is now depreciated, but still you may find it in many places where people haven’t changed their router from a while.

Things to note:

  1. Wifite start the cracking after 10K IVs.
  2. Around 60K IVs might be required to crack key.
  3. Success rate is 99.9%.
  4. Make sure capture speed is 100+ IVs/second.

After Wifite captures enough IVs to crack the WEP key, it will show you an output similar to this:

wifite-wep-key-cracked

Note in the image above, total IVs captured are 52,846 with a speed of 857 iv/sec and the Key is cracked.

If you have enough IV, your WEP key is going to be broken, regardless of the length, complexity of the key.

How to fix it ? use WPA/2.

Let’s move on to WPA/2 cracking.

Cracking WPA/2 using Wifite

Unlike WEP, WPA/2 encryption algorithm is way much stronger and perhaps considered the strongest encryption at this moment. WPA2 encryption algorithm is not really broken but we manipulate the Key authentication mechanism used by WPA2 to discover the key.You can see the detailed working here.

Similar to above example. Open terminal and type wifite and select the desired AP(WPA/2 enabled).

first few steps may go somewhat like this:

wifite-wpa-selectWe are targeting rootsh3ll, which is WPA2 type.

You can also select multiple APs, just by putting commas.

example: 4,1,3,2

Here order will follow according to the input, means Wifite will try AP #4 at first place, AP #1 at second place  and so on as input is provided.

After capturing the handshake Wifite may behave in 2 ways depending on versions (r87 or earlier)

version r87: Selects a default dictionary already stored in Kali Linux, Backtrack, eg: r0cky0u.txt, darkc0de.lst etc. In new version default dictionary used is located here: /usr/share/fuzzdb/wordlists-user-passwd/passwds/phpbb.txt

version r85 or earlier: Does not use any wordlist until -dict option is provided along with a dictionary file. Example:

  • $ sudo wifite -dict /path/to/dictionary.txt

Soon after Wifite(r87) captures handshake you will see a similar option:

wifite-wpa-crack

Here Wifite used a stored dictionary on Kali Linux by itself, No option provided and password was not in the dictionary so Crack attempt failed.

That is what usually happens in WPA2 cracking, cracking don’t succeed as there are enormous no. of possibilities for a WPA2 type passwords that lies from 8-63 characters, also which can include Alphabets(a-z, A-z), Number(0-9) and Special characters(!, @, #, $,… etc)

But no need to feel low. There are numerous methods also to retrieve WPA2 Passphrase, some of which we will learn in this series.

In the above image you can see the path in which Wifite has stored the .cap file i.e /hs/ . You can copy the file and use it for manual brute-forcing.

How to fix WPA/2 handshake capture error in Wifite ?

If you are a frequent user of Wifite script, you may have encountered an issue related to the handshake capturing part of Wifite. If you are not familiar, then here is the error:

Wifite keep on listening the handshake and deauth-ing the connected clients in a loop and not capturing any handshake. Where at the same time if you start airodump-ng in another terminal it will capture the handshakes Wifite is deauth-ing the clients again and again airodump-ng will keep on capturing handshake again and again.

So what is the issue ? is it with the script ?

Yes, there was an issue in the Wifite script ( r85, 587[old] in which auto-deauth during handshake capture was not guaranteed to deauth as expected intervals resulting in the handshake capture failure.

This issue can be fixed in 3 ways:

  1. Use airodump-ng to capture files.
  2. Use latest version of Wifite

Using airodump-ng to fix Wifite Handshake issue

This one is very simple. While Wifite is running in background and failing to capture handshake. just open a new Terminal and run airodump-ng followed by the output_filename and Interface BSSID and channel_no.

  • $ sudo airodump-ng wlan1mon -c 11 -w cap_file -b BSSID

If there are connected clients, wifite will deauth them and the handshake will be captured by airodump-ng.

Then press CTRL-C and have fun with your captured file.

BSSID, Channel are very important, as our wireless card can operate at 1 frequency at a moment. Wifite fixes the wireless card on the Channel no.(frequency) similar to the AP’s we are trying to capture handshake of and by default airodump-ng hops between the channels so to avoid the errors we need to tell airodump-ng to fix itself on our desired channel i.e Channel 11 in this case. and also to avoid other AP’s handshake that might be operating on similar channel we use BSSID as a filter.

Use latest version of Wifite to fix Handshake capture issue

If you are using Kali Linux 1.1.0, BackBox, Ubuntu, Mint etc and facing the issue, you should try updating your Wifite version. You can do it in 2 ways.

  • Use wifite  –update command. Didn’t work ?
  • Try downloading manually and running the script.

Here is a thing to note while you might be updating using wifite –update command. You might see this output

wifite-up-to-date

What usually happens is Wifite check for the latest version on GitHub, not by the filesize but by the version i.e r87 which is pre-installed on Kali Linux 2.0. But here’s a catch, if you look at the last update of wifite on GitHub page it was 5 months ago and the version installed in Kali Sana are both same i.e r87 but filesize differs as Kali Sana version of wifite isn’t Fixed but 5 months earlier version is r87 but fixed one.

We will check it by downloading the latest wifite script from GitHub and comparing the file size of both scripts.

Here is what I got when checking file size of both wifite scripts i.e one downloaded and other pre-installed.  both are r87

wifite-latest

lets understand the above image in 2 parts

Above Yellow Line:

  • ls -lh $(which wifite)

ls command is used to list files in a certain directory, -lh are the command line arguments where “l” stands for listing the file details and “h” stands for human readable format for file-size followed by the file-path reflected by which command.

$(), this is the bash function used to execute another command within a command, which we used to get the path to installed wifite script.

  • ls -lh ./wifite.py

again ls -lh for same purpose but the file is now wifite.py which is stored in current directory i.e ~/Desktop .

In Linux world a dot (.) stands for current location, followed by “/” i.e directory. So “./” stands for current directory and ./wifite.py is the file-name(wifite.py) in the current directory(./)

Now notice the file-size for both, its 158 kiloBytes as Human readable format option is passed to ls command.

But if we look it more clearly, means see size in Bytes we will see a change in the size of both files which you can see below the yellow line

Below the yellow Line:

You are now familiar to the commands used. Let’s jump onto the file-size

Latest r87 version: 160949 Bytes

Old r87 version: 161323 Bytes

This change in the size is due to the edited code. From the older version many lines are edited to fix the Handshake error.

According to tests I conducted on Kali Sana, Wifite still didn’t work even after updating it to latest version. Digging deeper I came to know that as Kali Sana was released in August and Wifite was last updated in June. So at that time Wifite was updated for Kali Linux version 1.1.0. and so not working in Kali Sana for now. Soon after finishing this series I will look at the code to fix it to work in Kali Sana. Till then you can use two of the either options to get the work done.

Focusing Wifite

Focusing Wifite means using wifite’s options to filter the output or the cracking process to save screen clutter, memory, wireless card life and a sometimes headache.

For example if we are interested in cracking only WEP type Access points we will use

  • sudo wifite -wep -p0841

-p0841 is the type of attack which I have found most useful and working in most of the cases, so it might be better for you too for using -p0841 when cracking WEP, it will save you a lot of time while capturing IVs.

and similarly for WPA/2, lets also tell wifite to use our desired dictionary

  • sudo wifite -wpa -w /media/drive/wordlists/MY_DICT.txt

Wifite will now use MY_DICT.txt located in /media/drive/wordlists/ as a wordlist to crack WPA/2 passphrase after capturing handshake.

there are many options that you can use

  1. Using specific channel
  2. Specific BSSID/ESSID
  3. Certain attack type for WEP/WPA/2
  4. Setting time limit for WEP/WPA/2 using -wept and -wpat options
  5. and many more.

Just type:

  • sudo wifite –help

For looking up all the options available.

Explore the tool and Keep learning.

 

Useful Links:

Router:

TP-LINK TL-MR3420 300 MB/s Wireless Router 2x 5dBi antennas

Network Adapters:

Alfa AWUSO36NH High Gain B/G/N USB / Alfa AWUS036NHA B/G/N USB

High Gain Antenna:

Alfa 9dBi WiFi Omni-Directional High-Gain Antenna

USB Drive (32 GB):

SanDisk Ultra Fit  USB 3.0  32GB Pen Drive

 

468
  • Hi – can you describe the set up that you have in the photo? What brand cell phone is that? Do you have some version of Linux installed? Can the phone really power the Alfa wireless card? Thanks!

    • Hi Jack,
      This is a Google Nexus 5 used in the Title image connected via a Micro-USB 2.0 OTG cable with an Alfa AWUS036NH WiFi Adapter.
      Also the mobile is rooted and have Kali Linux NetHunter installed on it and tool shown running is WiFite.
      Which at the same time shows that yes Phone can power this WiFi adapter.
      You might like to check out this Kali Linux NetHunter Installation on Nexus 5 Video
      Hope it helps! 🙂

      • Ed Mac

        Can I install it on a Galaxy Note 2?

        • Sorry to say Ed, but unfortunately NetHunter is supported only on Nexus and OnePlus devices. See here

          Although you can install Kali direct on your rooted Galaxy Note 2 or simply install apps like zANTI(pentesting app). It owuld convert you mobile into a WiFi network pentesting app to some extent.

          • Ed Mac

            Hablas español? estuve leyendo que se puede instalar un kernel para que soporte los drivers de una tarjeta rtl8187, tu sabrás como se hace ? así ya funcionaria aircrack

          • Hey Ed,
            usted debe utilizar controladores backports parchear conductores rtl8187 . Aquí están los comandos que necesita para escribir en su terminal para instalar controladores más recientes backport :

            wget http://www.kernel.org/pub/linux/kernel/projects/backports/stable/v4.2.6/backports-4.2.6-1.tar.xz
            tar xvfJ backports-4.2.6-1.tar.xz
            cd backports-4.2.6-1
            make defconfig-wifi
            make
            sudo make install
            sudo update-initramfs -u

            y entonces,

            sudo reboot

            puedo escribir español 🙂

  • brayo sparkx

    really helpful. thanks

  • Cristhian

    Sera q podrias hacer un video ! Please

  • s3v3n

    Can you show us how to automate the process of having crunch pipe its output into wifite to crack the handshake instead of using a dictionary file.

    Will wifite need to be modified to make this work in an automated fashion?

    • Hello s3v3n,

      Using crunch along WiFIte isn’t a good idea and it won’t work either as Crunch will start creating wordlist as soon command is invoked also it will pass each word to Wifite at the same time which will not allow you to chose any of the option Wifite will ask you for.

      You can try it by entering below command for testing:
      crunch 4 4 | sudo wifite -dict –

      Using min and max 4 just for testing as it will create a 2MB dictionary, which is good for testing purpose.

      Also Wifite uses aircrack for cracking passphrases, you should directly use aircrack-ng along with Crunch if handshake is already captured.

      A sample command would go like:
      crunch 8 8 | aircrack-ng test.cap -w – -e “ESSID”

  • Here are the WPA/WPA2 wordlists dictionaries for cracking wireless passwords using Aircrack-ng – Free Download http://hackzzon.blogspot.in/2016/04/wpawpa2-wordlist-dictionaries-for.html

  • HelenHH

    This article mentions “newest” and “newer” and “older” versions. Or says “the one from June instead of Aug”.
    Ugh. What year????

    Does anyone know what the latest wifite version is as of Dec 2016?
    I’m using v87…. the “newest” version on github is v82 from several years ago.
    And there are apparently several versions with the same version number.
    Ugh. Is it really THAT hard to get the version numbering correct? Or immediately release a new version with
    the numbering corrected.

    What is the exact cmd I’d type into Kali’s terminal to update wifite to v88 or newer?

    • The article talks about the Wifite version from year 2015.
      Here is the official GitHub page for Wifite: https://github.com/derv82/wifite
      It hasn’t been updated since then(2015), most recent version is still r87 though.

      To update this is the exact command you need to execute:
      sudo ./wifite.py --update

Shares
Share This
%d bloggers like this: