Kali Linux has various options for auditing WiFi (WEP / WPA / WPA2) networks and cracking their passwords, mainly with the Aircrack-NG suite. The WPS (WiFi Protected Setup) function on many older routers (pre-2013) is even easier to crack: the PIN consists of only 8 numeric characters, and the router reveals whether the first 4 digits are correct before the rest is checked. Since the eighth digit is a checksum, that leaves at most 10^4 + 10^3 = 11,000 attempts before the cracker is in possession of your PIN code and WiFi password. A well-known tool that exploits the WPS weaknesses is Reaver. I would like to explain how these tools work in another post. But now there is a rather new guy in town … he is called “WiFite”!

DISCLAIMER: This post has been published for educational purposes. I am not responsible for potential damage or fraudulent practices applied with this knowledge. If you continue reading, you agree to use this information only for ethical matters. If not, stop reading now!
WIFITE (WE FIGHT?)
WiFite is a Python script that makes auditing WPS / WEP / WPA / WPA2 secured networks very easy. WiFite is fully automated: it spoofs your MAC address, de-authenticates connected clients, captures the WiFi handshakes and cracks the found passwords. WiFite is a command line based “set-it-and-forget-it” audit tool that only needs to be set up properly once. Another advantage is that WiFite not only attacks protected wireless networks automatically, but also does so in the best possible way. For example, for WEP cracking WiFite will use “fakeauth” and the ARP replay method to speed up the flow of data packets.
WHAT DO YOU NEED TO RUN WIFITE
- Kali Linux
- Wireless network adapter that supports “packet injection” and “monitor mode”
- Aircrack-NG suite (default in Kali Linux)
- Reaver suite (for WPS auditing, also default in Kali Linux)
- Python 2.4.5 or 2.5.2 (default in Kali Linux)
START WIFITE AND WIFITE COMMANDS
The current version of WiFite is V2 and can be found in Kali under “Applications” – “Wireless Attacks” – “wifite”.
If you do not yet have the latest WiFite script, you can download it here.
Because WiFite is a command line based script, we need to know its options before we can use it. On start-up, or when running “wifite -help”, all possible options are listed. The most important WiFite options are:
- Show all wireless networks that can be found
- Target and crack only WEP secured networks
- Target and crack only WPA secured networks
- Target and crack all available wireless networks
- Specify a dictionary for the WPA dictionary attack
- Specify a CAP file with previously captured handshakes
- Generate a list of previously cracked networks
- Specify the wireless network interface to be used
- Spoof the MAC address
- Specify a WiFi channel to scan
- Do not de-authenticate clients during scanning (silent scan)
- With the -wpadt flag you set the time between sending de-authentication packets
- Use “pyrit” to verify the handshake (with WPA)
- Specify the number of packets to be injected per second (with WEP)
- Use the “arpreplay” attack (with WEP)
- Use the “chopchop” attack (with WEP)
To run WiFite you must be “root” within the Linux shell. You can do this by logging in as root or by using the “su” command.
It is very tempting to run the “-all” attack, where WiFite simply tries to crack every wireless network it sees. This is of course possible, but in practice it takes so long that network B may be gone before WiFite has finished with network A. It is a better scenario to focus WiFite on a specific network. All available networks can be listed with the command “wifite -showb”.
The “-showb” scan automatically puts the network card in monitor mode (via aircrack-ng) and starts scanning for wireless networks. WiFite also scans for hidden wireless networks (by watching for client associations). The list is refreshed every 5 seconds. To stop the scan, use the key combination “CTRL + C”.
The list in our demo environment looks like this:
The access point in my demo environment has WPA security. Because WiFite will also try a dictionary attack after a WPA handshake capture, we must specify that we target a WPA-protected network and where the dictionary file is located. You do this with the options “-wpa” and “-dict”. The full command then looks like this:
wifite -wpa -dict /usr/share/wordlists/fern-wifi/rockyou.txt
The default WiFi wordlist location in Kali Linux is “/usr/share/wordlists/fern-wifi/”. Kali comes standard with the common.txt wordlist, but personally I prefer to use a custom list or the rockyou.txt wordlist. The rockyou.txt wordlist is larger and can be downloaded at various locations.
After executing this command you get (just like with the “wifite -showb” command) a list of all WPA / WPA2 networks. Press CTRL + C, choose your target number (in my case 1) and press enter.
WiFite then does the rest. It de-authenticates a connected client so that the client reconnects, and captures the 4-way handshake during that reconnection. The captured handshake is then cracked with the specified dictionary file and the specified techniques.
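The de-authentication step just described is visible on the air, which is what a defender can watch for. As an added example (not part of the original post or of WiFite), the Python below parses raw 802.11 de-authentication frames and flags a BSSID that sends a burst of them; the frames, MAC addresses, reason code, threshold and time window are all constructed assumptions.

```python
# Added example, not from the original post or WiFite: flag bursts of
# 802.11 deauthentication frames such as those sent to force a client to
# reconnect. All frames, addresses and thresholds below are constructed.
from collections import defaultdict, deque

DEAUTH_FC0 = 0xC0      # frame control byte 0: type 0 (management), subtype 12 (deauth)
MGMT_HDR_LEN = 24      # FC(2) + duration(2) + addr1/addr2/addr3(18) + seq ctrl(2)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_deauth(frame: bytes):
    """Return (dst, src, bssid, reason_code) for a deauth frame, else None."""
    if len(frame) < MGMT_HDR_LEN + 2 or frame[0] != DEAUTH_FC0:
        return None
    reason = int.from_bytes(frame[24:26], "little")   # 2-byte body: reason code
    return mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]), reason


def detect_deauth_flood(frames, threshold=5, window_s=2.0):
    """frames: iterable of (timestamp_s, raw_frame). Returns {bssid: first alert ts}
    for every BSSID that sent more than `threshold` deauths within `window_s`."""
    recent = defaultdict(deque)          # bssid -> deauth timestamps inside the window
    alerts = {}
    for ts, raw in frames:
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        bssid = parsed[2]
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window_s:      # slide the window forward
            q.popleft()
        if len(q) > threshold and bssid not in alerts:
            alerts[bssid] = ts
    return alerts


def build_frame(fc0, dst, src, bssid, body=b""):
    """Construct a raw 802.11 management frame (sample data only)."""
    return bytes([fc0, 0x00]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


AP = bytes.fromhex("02aabbccdd01")       # constructed access point BSSID
STA = bytes.fromhex("02aabbccdd99")      # constructed client
REASON_7 = (7).to_bytes(2, "little")     # sample reason code carried in the frame body

# Constructed capture: one beacon, then eight deauths 0.1 s apart (a burst).
SAMPLE = [(0.0, build_frame(0x80, b"\xff" * 6, AP, AP))]
SAMPLE += [(1.0 + 0.1 * i, build_frame(DEAUTH_FC0, STA, AP, AP, REASON_7)) for i in range(8)]

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE))   # {'02:aa:bb:cc:dd:01': 1.5}
```

Feed it frames from a monitor-mode capture (for example via a pcap reader) and a single slow trickle of de-authentications stays below the threshold while a burst is reported on the sixth frame.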
After some tweaking I finally used the following command:
wifite -wpa -mac -pyrit -wpadt 10 -dict /usr/share/wordlists/fern-wifi/rockyou.txt
Regardless of whether you like this script or hate it … the fact is that it is child’s play to crack a weakly protected WiFi network. These kinds of tools are used by script kiddies because real knowledge is no longer needed. How do wireless networks work? What is the difference between WEP and WPA? What are the weaknesses in these protocols and how can they be exploited? How does Aircrack-NG work? None of these questions need to be answered when using the WiFite script. One button press and off it goes; the computer does the rest. The only real security is a strong password, WPA2 encryption and disabling WPS.