A small article on hcxdumptool wifi hacking. But first read these: Basic WEP cracking, Half-Handshake WIFI cracking, Basic WPA cracking, Wifi security.

If you're done reading, let's try something else. There's another way to look for vulnerable routers, and that's using a tool called hcxdumptool. Normally we need a client on the network, we need to deauth it, and then capture the handshake, which we then try to crack using brute-force or dictionary based attacks. But if the router is vulnerable to this attack, we simply have to walk past the building, capture the key material from the access point itself, clean it, and then try to crack it. It only works on WPA-PSK and WPA2-PSK networks, not on RADIUS based ones.


Now, before you get too worked up, a standard disclaimer. Don't hack other people's wifi! As with everything else on this site, it's for educational purposes only, to help you look at your own stuff, and maybe learn something along the way.
The only way to secure against this is a good password policy, so check those passwords and read the article on wifi security!

Now on with the show :)
This test requires a Kali / Linux machine and a wifi card that works with the software. So, how do we install it?

# In kali - open a terminal as root

apt update

apt install hcxdumptool

If you're on a different system (Debian or the like), try this:

git clone https://github.com/ZerBea/hcxdumptool.git

apt-get install libcurl4-openssl-dev libssl-dev pkg-config

cd hcxdumptool

make

make install

Now, you need packet injection to work on the wifi card, but how to do that varies between models. You'll also need the aircrack-ng suite of tools and Hashcat for later, so install those, and make sure injection is working.

Before we start, we have to disable NetworkManager and wpa_supplicant, or else we could get errors, because they interfere with hcxdumptool and stop the capture.

systemctl stop wpa_supplicant
systemctl stop NetworkManager

Time to fire up the tool.

hcxdumptool -i <YOUR-WIFI_CARD> -o <CAPTURE_FILE.pcapng> --disable_deauthentication --disable_client_attacks --enable_status=3

-i is your wifi card, -o is the output file in pcapng format. --disable_deauthentication and --disable_client_attacks keep the tool from attacking clients, so it only collects what the access points send on their own, and --enable_status=3 prints status output about the frames it sees.

Now, turn off power management so the software keeps running on your laptop when the lid is closed, and test that it works. Then you're ready for a walk around town to start looking for networks.
You should start to see networks coming in, so let the tool run for a while, and then press CONTROL-C to stop it.

Now, we need to clean the dump file, and we do this with hcxpcapngtool (it comes with the hcxtools package, so install that too):

hcxpcapngtool -o CLEANED_DUMP_FILE.txt CAPTURE_FILE.pcapng

The last thing is simply to get cracking.

hashcat -a 3 -w4 -m 22000 /home/USER/CLEANED_DUMP_FILE.txt 05?d?d?d?d?d?d?d?d -o /home/USER/pmkid_cracked.txt

So, what's up with the ?d?d? It's a Hashcat mask that tells hashcat to try passwords starting with 05, followed by eight digits. What you want might be different, so here's a bit about masks.

    ?d – digits
    ?l – lower case characters
    ?u – Upper case characters
    ?s – special symbols such as ? ! $ ...

The mask for the password: 202!$ummeR would become ?d?d?d?s?s?l?l?l?l?u
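To check your own password policy against the mask attack above, here is an added example (not from the original article) that turns a password into its hashcat mask, the way the 202!$ummeR example is done by hand, and works out how many candidates a mask expands to. The charset sizes are hashcat's built-in ones; the cracking rate is a made-up number you should replace with what your own hardware benchmarks at.

```python
# Hashcat's built-in charsets (?a is the 95 printable ASCII characters).
CHARSETS = {
    "d": "0123456789",
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def password_to_mask(password: str) -> str:
    """Map each character to the narrowest built-in charset it belongs to."""
    out = []
    for ch in password:
        for name in ("d", "l", "u", "s"):
            if ch in CHARSETS[name]:
                out.append("?" + name)
                break
        else:
            # Non-ASCII or control characters need a custom charset (-1 ...)
            raise ValueError(f"{ch!r} is outside hashcat's built-in charsets")
    return "".join(out)


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask expands to. Literal characters (like the
    '05' prefix in the article) count 1, '??' is a literal question mark."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        code = mask[i + 1]
        if code in CHARSETS:
            total *= len(CHARSETS[code])
        elif code != "?":
            raise ValueError(f"unknown charset ?{code}")
        i += 2
    return total


def days_to_exhaust(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to run the whole mask at a given cracking rate."""
    return mask_keyspace(mask) / hashes_per_second / 86400


if __name__ == "__main__":
    rate = 500_000.0  # assumed WPA2 rate for one mid-range GPU, not measured
    for pw in ("05123456789"[:10], "202!$ummeR"):
        m = password_to_mask(pw)
        print(f"{pw!r:14} {m:24} {days_to_exhaust(m, rate):12.1f} days")
```

A password whose mask exhausts in hours is no better than a short one, whatever characters it mixes in; length is what pushes the keyspace out of reach.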

I would point out that not all networks are vulnerable to this, but a lot are, and that's the scary part. Check your own network, and see if it works :)

Now, how could we use this on a larger scale? One thing comes to mind here. We could make a backpack with a laptop, an Alfa card and a battery pack, then plan some routes in the nearest city, dump networks on a larger scale, and then feed the dump file to a GPU intensive Linode instance for some effective cracking, but that's not very discreet, is it?
Why not go for a custom suitcase with a Raspberry, a large battery pack and custom built antennas, made to look like they are part of the case? Or what about a drone / an RC car?

I leave the creative part up to you dear reader :)

Much Happy Hacking :)
