Background
Recently I moved to a new apartment and my boyfriend ran into so many troubles with the local ISPs here. I got fed up and decided to hack a few of my neighbours' WiFis so we could have some Internet until we install ours.
WEP does not exist anymore 😦
A few years ago, hacking a WiFi access point was really easy. The passphrase did not matter, since most access points used WEP. The WEP mechanism is vulnerable by design, so it is very easy to crack. There are many articles about this issue that you can read.
Over the years, technicians became "more" security-aware and now set up WPA/WPA2 authentication, so it seems WEP hardly exists anymore. BUT – do you really think that people are really security aware?
Hacking neighbours' WiFi == "Can I have your phone number please?"
In most cases, ISP technicians ask clients for their phone number when they set up the WiFi access point, so I thought maybe I should go and knock on their doors, asking for milk/sugar and a phone number..
As you can imagine, I’m too lazy for chitchatting…
The other approach – REMOTELY
The general idea is to 'sniff' the WPA handshake, which contains the hashed password, and try to break it. Breaking is done by brute force. I describe the process at a very high level; for further technicalities I suggest reading this article.
Find relevant candidates (aka ‘victims’)
Using airmon-ng we find the WiFi networks around us and choose the ones with a usable signal quality.
Sniff WPA handshake
Using airodump-ng we sniff the WPA handshake that is needed for cracking the WiFi password. Note that airodump-ng is a passive tool which only sniffs data. To capture a WPA handshake, you can either passively wait until a device authenticates to the WiFi, or actively accelerate the process using packet-injection tools that de-authenticate devices from access points, for instance aireplay-ng.
Generate a ‘password dictionary file’ based on prior knowledge
The code below generates passwords based on the assumption that technicians use clients' phone numbers as passwords. Important facts about phone numbers in my area:
- Most phone numbers start with one of the four prefixes: ‘050’, ‘052’, ‘054’, ‘057’.
- Suffixes have 7 digits and cannot start with a zero digit.
def generate_passlist():
    # Local mobile-number prefixes observed in my area.
    prefixes = ["050", "052", "054", "057"]
    for prefix in prefixes:
        # 7-digit suffix that cannot start with 0: 1000000..9999999 inclusive
        for suffix in range(1000000, 10000000):
            print("%s%d" % (prefix, suffix))
Brute force
Once we have the WPA handshake and the password list, we can start cracking. Using an Intel i7 (4 cores) you can try about 6000 passwords per second. Doing some math shows that it takes only a few hours to break the password (assuming it is a phone number, indeed).
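To make the "doing some math" reusable, here is an added example (my own code, not the post's) that estimates keyspace, entropy and worst-case exhaustion time for a few passphrase shapes at the rate quoted above. The phone-number shape is the post's pattern (4 prefixes, 7-digit suffix not starting with 0); the other shapes and the RATE_I7_4CORE constant are assumptions added for comparison. It is the calculation a network owner can run to judge whether their own passphrase pattern survives a dictionary attack of this kind.

```python
import math

# Guess rate quoted in the post for a 4-core Intel i7 (WPA candidates per second).
# Assumption: this figure is taken from the post, not measured here.
RATE_I7_4CORE = 6000

# Constructed passphrase "shapes": a list of alternative counts per position
# (or per fixed group), so the keyspace is the product of the counts.
SHAPES = {
    # the post's pattern: one of 4 prefixes, then a 7-digit suffix, first digit 1-9
    "phone_number_4_prefixes": [4, 9, 10, 10, 10, 10, 10, 10],
    # assumed alternatives for comparison
    "8_digit_pin": [10] * 8,
    "8_lowercase_letters": [26] * 8,
    "12_random_alnum": [62] * 12,
}


def keyspace(shape):
    """Number of candidate passphrases for a shape (product of per-position counts)."""
    return math.prod(shape)


def entropy_bits(shape):
    """Equivalent entropy in bits, assuming every candidate is equally likely."""
    return math.log2(keyspace(shape))


def seconds_to_exhaust(shape, rate=RATE_I7_4CORE):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(shape) / rate


def human_duration(seconds):
    """Render a duration in the largest unit that fits (years, days, hours, minutes, seconds)."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return "%.1f %s" % (seconds / size, name)
    return "%.1f seconds" % seconds


def report(rate=RATE_I7_4CORE):
    """One row per shape: name, keyspace, entropy bits, worst-case time at `rate`."""
    rows = []
    for name, shape in SHAPES.items():
        rows.append((
            name,
            keyspace(shape),
            round(entropy_bits(shape), 1),
            human_duration(seconds_to_exhaust(shape, rate)),
        ))
    return rows


if __name__ == "__main__":
    for name, size, bits, worst in report():
        print("%-24s keyspace=%-24d %5.1f bits  worst case: %s" % (name, size, bits, worst))
```

The phone-number shape is only 36 million candidates (about 25 bits), which at 6000 guesses per second is exhausted in under two hours; a 12-character random alphanumeric passphrase at the same rate is out of reach by many orders of magnitude. The rate argument lets you redo the estimate for a faster cracker (GPU, cluster) before deciding a pattern is safe.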
Results
Apparently, 3 out of 5 access points had a phone number as their WiFi password, as expected 🙂