Wifi Hacking
So, I was basically reading the introduction to networking on Hack The Box and I found this line about MAC spoofing. It said you could change your MAC address to get unauthorized access to a network.
That made me wonder, is that really how you get into a network?
I searched it up and found out that yeah, some Wi-Fi networks use the MAC address to check who can connect, but that's like, a really old and weak security method. It's not the main one. So, how do you actually get into a modern Wi-Fi?
The Real Vulnerability: The WPA2 Handshake
Turns out, the main way to do it is by exploiting a vulnerability in the WPA2 protocol, which is what most Wi-Fi networks run on. For this, you need two things: a Wi-Fi card that can go into "monitor mode" and a software suite called aircrack-ng.
Monitor mode is the key. It lets your Wi-Fi card sniff ALL the data flying through the air around you, not just the stuff meant for your computer.
The Game Plan: How it Works
The whole attack is about capturing something called the "4-way handshake." When a device connects to Wi-Fi, it does this handshake with the router to prove it knows the password. The handshake contains a piece of data that is cryptographically tied to the password. If you can capture it, you can try to crack the password later, offline.
Forcing The Handshake (The Fun Part)
But nobody wants to wait around for someone to connect to the Wi-Fi. This is where it gets crazy. You can actually force a device to disconnect!
There's another vulnerability in the Wi-Fi standard where you can send fake "deauthentication" messages to someone's phone or laptop, pretending you're the router. The client device has no way to verify whether the message is legitimate, so it just disconnects.
And what happens when your phone disconnects from Wi-Fi? It automatically tries to connect again. When it does that, it performs the 4-way handshake, and that's when you, listening in monitor mode, can grab that dammnn handshake!
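The flip side of the forced disconnect above is that it is loud and easy to spot, so here is a small rate-based detector of the kind a wireless IDS runs, added as an example and not part of the original post: it flags any BSSID whose deauthentication or disassociation frames pile up within a short window. The frame records and MAC addresses are constructed sample data, and the window and threshold are assumed tuning values.

```python
from collections import deque

# Constructed sample of 802.11 management frames, summarised the way a
# monitor-mode sniffer would log them: (seconds, subtype, source MAC, destination MAC).
# The MAC addresses below are made up for the example.
AP_BSSID = "aa:bb:cc:dd:ee:01"     # the access point whose identity is being spoofed
OTHER_AP = "aa:bb:cc:dd:ee:02"     # an unrelated AP that sends one ordinary disassociation
CLIENT = "11:22:33:44:55:66"
BROADCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = (
    [(0.00, "beacon", AP_BSSID, BROADCAST)]
    # a burst of 8 deauths to the client, 20 ms apart: the forced-disconnect pattern
    + [(0.10 + 0.02 * i, "deauth", AP_BSSID, CLIENT) for i in range(8)]
    + [(0.40, "data", CLIENT, AP_BSSID),
       # a single disassociation from another AP is normal housekeeping, not a flood
       (5.00, "disassoc", OTHER_AP, CLIENT)]
)

DISCONNECT_SUBTYPES = {"deauth", "disassoc"}

def detect_deauth_flood(frames, window=1.0, threshold=5):
    """Return alerts as (time, bssid, count): one per BSSID whose deauth/disassoc
    frames reach `threshold` within a `window`-second span (assumed tuning values)."""
    recent = {}       # bssid -> deque of recent disconnect-frame timestamps
    last_alert = {}   # bssid -> time of last alert, so a flood does not alert per frame
    alerts = []
    for ts, subtype, src, _dst in sorted(frames):
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        q = recent.setdefault(src, deque())
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and ts - last_alert.get(src, -window) >= window:
            alerts.append((ts, src, len(q)))
            last_alert[src] = ts
    return alerts

if __name__ == "__main__":
    for ts, bssid, n in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"t={ts:.2f}s possible deauth flood: {n} disconnect frames from {bssid}")
```

A real deployment would feed the detector frames from a monitor-mode capture instead of the constructed list. Enabling 802.11w (Protected Management Frames) on the access point lets clients reject unauthenticated deauthentication frames, which removes the forced-reconnect trick altogether.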
The Final Step: Cracking the Password
After you've captured the handshake and saved it to a file, the hard part is over. Now it's just about being patient and lucky. You use aircrack-ng to run a dictionary attack on that file. You just have to hope the network has a password that isn't too strong, so you can eventually crack it.