RWSPS: Automated WiFi Cracking [ch4]

Hello and welcome to Chapter 4 of RWSPS. In this chapter we will learn to automate the WiFi hacking using Wifite.
We will cover:

• How to Hack WEP  using Wifite
• How to Hack WPA/2 using Wifite

Wifite: Automated Wireless Hacking/Auditing Tool

Wifite is a Linux platform tool(comes pre-installed on Kali, Backtrack, Pentoo, BackBox, BlackBuntu and other pentesting distributions ) coded in Python. It is used to automate the hacking process and aims at minimizing the user inputs by scanning and using Python for automation techniques. Wifite is capable of Hacking WEP, WPA/2 and WPS, but not alone. It actually uses tools like aircrack-ng, reaver, Tshark, Cowpatty for various purposes like

• Enabling monitor mode
• Scanning air
• Capturing handshake
• Validating handshake
• Cracking key
• analyzing output and captured packets etc.

Before we start the tool, we do need to learn how to install the tool and make it working like a command as it comes in all the pentesting distros. Here are the steps we will be covering in this tutorial.

• Downloading Wifite
• Installing Wifite as a system command
• Cracking WEP using Wifite
• Cracking WPA/2 using Wifite
• How to fix WPA/2 handshake capture error in Wifite
• Focusing Wifite

Let’s begin.

Downloading Wifite

Wifite was previously hosted on code.google.com, but it is now a full-fledged project and hosted on GitHub. For all the latest updates you should go for the GitHub link, that you may find on Search engine’s results.
You may directly download it here https://github.com/derv82/wifite
Latest version (October, 2015) is r87. Kali Sana includes r87 version by default, but that version has an error that we will see to fix in this tutorial.

Installing a tool ( Wifite ) as a command in Linux

This is not only limited for this script i.e Wifite, but you can apply this to any working tool/script/program on your Linux platform to make and run it as-a-command. We will use Wifite as an example to do so.
We have already downloaded the latest Wifite script and assume that it is stored on our Desktop.
Now open terminal and type:

• cd ~/Desktop

“~” reflects the HOME Directory to the shell. Check your home directory by “echo $HOME“. Here $HOME is an environment variable. /Desktop is the directory stored in the HOME directory.

• unzip wifite*.zip

unzip is the tool to extract files from a .zip file. wifite*.zip means any file with starting name wifite and ending with .zip, here “*” means anything (including blank).

• cd wifite*/

Changes the pointer to first directory starting with name “wifite”. ‘/‘ symbolizes directory.
Now you can check that if the script works or not just by typing python wifite.py, as wifite is a python script. If it (or any script) is working fine you might like to make it a system command so that you don’t have to traverse the directory every time. It is pretty better to just open the terminal and type command.
For that we should know where the actual executable commands are stored in Linux, so that we can also copy our script in the same directory. Just like in Windows systems, all the CMD commands are stored in \WINDOWS\System32\.
type “which“ followed by a simple “linux command“

• which ls

“which” command tells us the location of the command passed as an argument to it. which is “ls” in this case. It will reflect “/usr/bin/ls” as output. From here we know that ls, executable file is stored in /usr/bin directory.
Now, what we have to do is move our wifite script to “/usr/bin/” and make it executable, if not already.
Moving wifite.py to /usr/bin/ (we are in ~/Desktop/wifite/)

• sudo cp wifite.py /usr/bin/wifite

sudo stands for SUperuser DO. Used to take root(SuperUser) permission to perform certain tasks.
cp is used to copy files, Syntax: cp “Source” “Destination”, where Source is wifite.py and destination is /usr/bin/wifite. Also wifite is the output filename that we would like to use as command.

Here rwx stands for Read, Write, Executable. All of them are file attributes.
Making wifite Executable(if not already), so that no need to write python before the file name.

• sudo chmod +x /usr/bin/wifite

chmod, changes the file(/usr/bin/wifite) mod to +x, i.e executable.
Now wifite is a system command you can open a new terminal and type sudo wifite to run the command with root privilege.
Let’s now move on to Cracking.

Cracking WEP using Wifite

Cracking WEP using any automated tool is hell lot of easy task as you don’t have to analyze anything, just see target, select option and hit [ENTER]. I don’t recommend using any automated tool until you have learned the actual working of the script or the process that runs behind the script. Scripts are only to reduce time and effort. Please don’t rely upon scripts and go ahead and Learn the real process by yourself and use automated tools to save your time.

I will show the tutorial on Kali Linux v1 and v2, which comes with pre-installed Wifite. I am running root account by default. If you are running standard account, use sudo before Wifite eg: sudo wifite

Open Terminal and type wifite and wait for it to show you the AP List.
Press CTRL-C and select desired AP with enc type WEP and type its NUM. like show in the image below.
Just wait for Wifite to capture the IVs(Initialization Vector) and crack the key for you.

WEP cracking is the easiest of all. that is the one of the reasons that WEP is now depreciated, but still you may find it in many places where people haven’t changed their router from a while.

Things to note:

1. Wifite start the cracking after 10K IVs.
2. Around 60K IVs might be required to crack key.
3. Success rate is 99.9%.
4. Make sure capture speed is 100+ IVs/second.

After Wifite captures enough IVs to crack the WEP key, it will show you an output similar to this:

Note in the image above, total IVs captured are 52,846 with a speed of 857 iv/sec and the Key is cracked.

If you have enough IV, your WEP key is going to be broken, regardless of the length, complexity of the key.

How to fix it ? use WPA/2.
Let’s move on to WPA/2 cracking.

Cracking WPA/2 using Wifite

Unlike WEP, WPA/2 encryption algorithm is way much stronger and perhaps considered the strongest encryption at this moment. WPA2 encryption algorithm is not really broken but we manipulate the Key authentication mechanism used by WPA2 to discover the key.You can see the detailed working here.
Similar to above example. Open terminal and type wifite and select the desired AP(WPA/2 enabled).
first few steps may go somewhat like this:
We are targeting rootsh3ll, which is WPA2 type.
You can also select multiple APs, just by putting commas.
example: 4,1,3,2
Here order will follow according to the input, means Wifite will try AP #4 at first place, AP #1 at second place  and so on as input is provided.
After capturing the handshake Wifite may behave in 2 ways depending on versions (r87 or earlier)
version r87: Selects a default dictionary already stored in Kali Linux, Backtrack, eg: r0cky0u.txt, darkc0de.lst etc. In new version default dictionary used is located here: /usr/share/fuzzdb/wordlists-user-passwd/passwds/phpbb.txt
version r85 or earlier: Does not use any wordlist until -dict option is provided along with a dictionary file. Example:

• $ sudo wifite -dict /path/to/dictionary.txt

Soon after Wifite(r87) captures handshake you will see a similar option:

Here Wifite used a stored dictionary on Kali Linux by itself, No option provided and password was not in the dictionary so Crack attempt failed.
That is what usually happens in WPA2 cracking, cracking don’t succeed as there are enormous no. of possibilities for a WPA2 type passwords that lies from 8-63 characters, also which can include Alphabets(a-z, A-z), Number(0-9) and Special characters(!, @, #, $,… etc)
But no need to feel low. There are numerous methods also to retrieve WPA2 Passphrase, some of which we will learn in this series.
In the above image you can see the path in which Wifite has stored the .cap file i.e /hs/ . You can copy the file and use it for manual brute-forcing.

How to fix WPA/2 handshake capture error in Wifite ?

If you are a frequent user of Wifite script, you may have encountered an issue related to the handshake capturing part of Wifite. If you are not familiar, then here is the error:
Wifite keep on listening the handshake and deauth-ing the connected clients in a loop and not capturing any handshake. Where at the same time if you start airodump-ng in another terminal it will capture the handshakes Wifite is deauth-ing the clients again and again airodump-ng will keep on capturing handshake again and again.
So what is the issue ? is it with the script ?
Yes, there was an issue in the Wifite script ( r85, 587[old] in which auto-deauth during handshake capture was not guaranteed to deauth as expected intervals resulting in the handshake capture failure.
This issue can be fixed in 3 ways:

1. Use airodump-ng to capture files.
2. Use latest version of Wifite

Using airodump-ng to fix Wifite Handshake issue

This one is very simple. While Wifite is running in background and failing to capture handshake. just open a new Terminal and run airodump-ng followed by the output_filename and Interface BSSID and channel_no.

• $ sudo airodump-ng wlan1mon -c 11 -w cap_file -b BSSID

If there are connected clients, wifite will deauth them and the handshake will be captured by airodump-ng.
Then press CTRL-C and have fun with your captured file.

BSSID, Channel are very important, as our wireless card can operate at 1 frequency at a moment. Wifite fixes the wireless card on the Channel no.(frequency) similar to the AP’s we are trying to capture handshake of and by default airodump-ng hops between the channels so to avoid the errors we need to tell airodump-ng to fix itself on our desired channel i.e Channel 11 in this case. and also to avoid other AP’s handshake that might be operating on similar channel we use BSSID as a filter.

Use latest version of Wifite to fix Handshake capture issue

If you are using Kali Linux 1.1.0, BackBox, Ubuntu, Mint etc and facing the issue, you should try updating your Wifite version. You can do it in 2 ways.

• Use wifite  –update command. Didn’t work ?
• Try downloading manually and running the script.

Here is a thing to note while you might be updating using wifite –update command. You might see this output

What usually happens is Wifite check for the latest version on GitHub, not by the filesize but by the version i.e r87 which is pre-installed on Kali Linux 2.0. But here’s a catch, if you look at the last update of wifite on GitHub page it was 5 months ago and the version installed in Kali Sana are both same i.e r87 but filesize differs as Kali Sana version of wifite isn’t Fixed but 5 months earlier version is r87 but fixed one.
We will check it by downloading the latest wifite script from GitHub and comparing the file size of both scripts.
Here is what I got when checking file size of both wifite scripts i.e one downloaded and other pre-installed.  both are r87

lets understand the above image in 2 parts
Above Yellow Line:

• ls -lh $(which wifite)

ls command is used to list files in a certain directory, -lh are the command line arguments where “l” stands for listing the file details and “h” stands for human readable format for file-size followed by the file-path reflected by which command.
$(), this is the bash function used to execute another command within a command, which we used to get the path to installed wifite script.

• ls -lh ./wifite.py

again ls -lh for same purpose but the file is now wifite.py which is stored in current directory i.e ~/Desktop .

In Linux world a dot (.) stands for current location, followed by “/” i.e directory. So “./” stands for current directory and ./wifite.py is the file-name(wifite.py) in the current directory(./)

Now notice the file-size for both, its 158 kiloBytes as Human readable format option is passed to ls command.
But if we look it more clearly, means see size in Bytes we will see a change in the size of both files which you can see below the yellow line
Below the yellow Line:
You are now familiar to the commands used. Let’s jump onto the file-size
Latest r87 version: 160949 Bytes
Old r87 version: 161323 Bytes
This change in the size is due to the edited code. From the older version many lines are edited to fix the Handshake error.
According to tests I conducted on Kali Sana, Wifite still didn’t work even after updating it to latest version. Digging deeper I came to know that as Kali Sana was released in August and Wifite was last updated in June. So at that time Wifite was updated for Kali Linux version 1.1.0. and so not working in Kali Sana for now. Soon after finishing this series I will look at the code to fix it to work in Kali Sana. Till then you can use two of the either options to get the work done.

Focusing Wifite

Focusing Wifite means using wifite’s options to filter the output or the cracking process to save screen clutter, memory, wireless card life and a sometimes headache.
For example if we are interested in cracking only WEP type Access points we will use

• sudo wifite -wep -p0841

-p0841 is the type of attack which I have found most useful and working in most of the cases, so it might be better for you too for using -p0841 when cracking WEP, it will save you a lot of time while capturing IVs.
and similarly for WPA/2, lets also tell wifite to use our desired dictionary

• sudo wifite -wpa -w /media/drive/wordlists/MY_DICT.txt

Wifite will now use MY_DICT.txt located in /media/drive/wordlists/ as a wordlist to crack WPA/2 passphrase after capturing handshake.
there are many options that you can use

1. Using specific channel
2. Specific BSSID/ESSID
3. Certain attack type for WEP/WPA/2
4. Setting time limit for WEP/WPA/2 using -wept and -wpat options
5. and many more.

Just type:

• sudo wifite –help

For looking up all the options available. Explore the tool and keep learning.

Fuente: http://www.rootsh3ll.com/2015/10/rwsps-automated-wifi-wep-wpa2-wps-cracking-ch4/