How to Hack Wifi Password Easily 2020

Welcome to WebTechTricks. This chapter gives a quick introduction to 802.11 before moving on to how Wi-Fi passwords are attacked, which will also help you choose the right 802.11 gear for the job. You need a basic understanding of how 802.11 networks operate, as well as answers to common questions such as what type of card, GPS, and antenna to buy.


The 802.11 standard defines a link-layer wireless protocol and is maintained by the Institute of Electrical and Electronics Engineers (IEEE). Many people think of Wi-Fi whenever they see 802.11, but the two are nearly, not exactly, the same thing.

Most people know that 802.11 provides wireless access to wired networks through an access point (AP). The 802.11 standard divides all packets into three categories: data, management, and control.

  • Data packets are used to carry higher-level data (such as IP packets).
  • Management packets are by far the most interesting to attackers; they control the management of the network (who is associated, who is authenticated, and so on).
  • Control packets get their name from the term “media access control.” They are used for mediating access to the shared medium. Each packet type has many different subtypes.

802.11 packets have three addresses: a source address, a destination address, and a Basic Service Set ID (BSSID).

The BSSID field uniquely identifies the AP and its collection of associated stations and is usually the same MAC address as the wireless interface on the AP. The three addresses tell the packet where it is going, who sent it, and which AP it passes through.

802.11 Security Primer

There are two different encryption techniques used to safeguard 802.11 networks: Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is the older, extremely vulnerable standard; WPA is more modern and resilient.

  • WEP networks (usually) rely on a static 40- or 104-bit key that is known to every client.
  • WPA can be configured in two very different modes: pre-shared key (or passphrase) mode and enterprise mode.

The 4-way handshake in the WPA/WPA2 encryption protocol

WPA-PSK authentication process

The pre-shared key (passphrase) can be anywhere between 8 and 63 printable ASCII characters long.

The handshake is the term for the first four messages of the encryption-setup process between the client that wants the Wi-Fi and the AP that offers it. To understand the four stages, we first need to go over a few keys that are essential:

PMK (Pairwise Master Key)

PSK (Pre-Shared Key) and passphrase: they are the same thing, yet different. The passphrase is the password that people give to the network, that is, to the AP. The PSK is that passphrase after it has been transformed into a 256-bit string. In pre-shared key mode, this PSK is the PMK. Both the client and the AP hold the PMK, assuming the client knows the password for the Wi-Fi.

PTK (Pairwise Transient Key)

The PTK is the encryption key for unicast traffic. To derive it, the client and the AP need several parameters:

  • ANONCE: a random number generated by the AP.
  • SNONCE: a random number generated by the client.
  • MAC(AA): the MAC address of the AP (the authenticator).
  • MAC(SA): the MAC address of the client (the supplicant).
  • MIC: Message Integrity Code; it works like a stamp from the sender, proving who sent the message.

GTK (Group Temporal Key)

The GTK is the encryption key for broadcast and multicast traffic between an AP and its clients. Each AP has its own GTK to secure the traffic in the “air” that belongs to the same network, and all clients connected to the same AP share the same GTK.

GMK (Group Master Key)

The GMK is used in this process to create the GTK; the GTK is generated on every AP and shared with the devices connected to it.

A successful four-way handshake
Message 1:

The AP sends the client its ANONCE. The client now has everything it needs to create the PTK, because the ANONCE was the only thing it was missing.

Message 2:

The client sends the AP its SNONCE together with a MIC. The MIC is mainly there so the AP can verify that this message really came from this client; it acts like a signature. Once the AP has received this message, it has everything it needs to create the PTK, and that is what it does.

Message 3:

The AP sends the client the GTK, because the client is about to become one of its stations.
The client receives the GTK and installs it.

Message 4:

The client tells the AP that everything is OK and the keys are installed.

The encryption used with WPA relies on a pairwise master key (PMK), which is computed from the pre-shared key and the SSID. Once the client has the PMK, it and the AP negotiate a fresh, temporary key called the pairwise transient key (PTK). The PTK is a function of the PMK, a random number supplied by the AP (the A-nonce), another random number supplied by the client (the S-nonce), and the MAC addresses of the client and the AP.
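As an added illustration (not code from this page or from Hacking Exposed Wireless), the key hierarchy above worked through in Python with constructed passphrase, SSID, MAC addresses and nonces: the PMK comes from PBKDF2 over passphrase and SSID, and the PTK from the 802.11 PRF over the PMK, both MACs and both nonces, with the min/max ordering that lets client and AP compute the same key. It also carves the PTK into the KCK, KEK and temporal key, which the text above does not break out.

```python
import hashlib
import hmac

# Constructed sample inputs (not from any real capture). Only the PMK is secret;
# the MAC addresses and nonces all travel in the clear during the handshake.
SSID = b"ExampleNet"
PASSPHRASE = b"correct horse battery"
AP_MAC = bytes.fromhex("001122334455")      # authenticator address (AA)
CLIENT_MAC = bytes.fromhex("66778899aabb")  # supplicant address (SA)
ANONCE = bytes(range(32))                   # random nonce from the AP (message 1)
SNONCE = bytes(range(32, 64))               # random nonce from the client (message 2)

def derive_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 256 bits).
    It depends only on passphrase and SSID, so a common SSID lets an attacker
    precompute PMKs once and reuse them against every network with that name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3.
    CCMP needs only the first 384 bits; PRF-384 is the same prefix."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]

def derive_ptk(pmk: bytes, aa: bytes, sa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SA) || max(AA,SA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The min/max ordering means both sides derive the same PTK from the same inputs."""
    data = min(aa, sa) + max(aa, sa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def split_ptk(ptk: bytes) -> dict:
    """KCK (128 bits) keys the MIC on messages 2-4, KEK (128 bits) wraps the GTK
    in message 3, TK (128 bits) is the temporal key that encrypts unicast data."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}

def handshake_keys(passphrase=PASSPHRASE, ssid=SSID, aa=AP_MAC, sa=CLIENT_MAC,
                   anonce=ANONCE, snonce=SNONCE) -> dict:
    """Run the full PSK key hierarchy for one handshake and return every key."""
    pmk = derive_pmk(passphrase, ssid)
    ptk = derive_ptk(pmk, aa, sa, anonce, snonce)
    return {"PMK": pmk, "PTK": ptk, **split_ptk(ptk)}

if __name__ == "__main__":
    for name, value in handshake_keys().items():
        print(f"{name:4s} {value.hex()}")
```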

Hardware and Drivers

This section introduces you to the currently available drivers, the chipsets that they control, and the cards that have the chipsets in them. We’ve placed a strong emphasis on Linux drivers because this is where most of the development is currently happening.

Chipsets and Drivers

Suitable chipsets and drivers are easy to find on the market today. This list of working wireless chipsets/drivers is by no means exhaustive; rather, it is a list of the most commonly found chipsets with stable Linux support.

Ralink (RT2X00)

Ralink is one of the smaller 802.11 chipset manufacturers. It has excellent open-source support, and all of the cards we have used have been very stable. Ralink is one of the few chipset vendors with solid USB support on Linux.

Realtek (RTL8187)

The Alfa is a USB card with a Realtek RTL8187 chipset in it. The driver has exactly the same name.

Atheros (AR5XXX, AR9XXX)

Atheros chipsets have been heavily popular with the hacking community for years because of their extensibility and quality open source drivers.

Intel Pro Wireless (iwlwifi)

Intel 802.11 chipsets are commonly found built into laptops and are attached to the PCIe bus. Newer Intel chipsets are supported by the iwlwifi or the iwlagn driver. All of these drivers are merged into recent kernels.


Bear in mind that the odds are very good that your built-in wireless card already offers basic monitor mode and injection support; you may not need to buy anything more. The goal of this section is to catalog the important attributes of any card. At the end, you will find a list of recommended cards for readers interested in buying one.

Transmit Power

Transmit (TX) power, of course, refers to how far your card can transmit, and it is usually expressed in milliwatts (mW). Most consumer-level cards come in at 30 mW (+14.8 dBm). The Alfa AWUS036H currently holds the raw TX power medal, allegedly providing 1000 mW (30 dBm) of power.


Sensitivity is normally measured in dBm (decibels relative to 1 mW). The more negative the number, the better (–90 is better than –86). Typical sensitivity values for average consumer-grade cards are –80 dBm to –90 dBm. Power in dBm is simply ten times the base-10 logarithm of the power in milliwatts. Here’s the formula: dBm = 10 × log10(mW), or mW = 10^(dBm/10).

Antenna Support

Currently, cards come with zero, one, or two antenna jacks. 802.11n cards need at least two antennas to support MIMO (although one is often built in). Cards are connected to antennas via cables called pigtails. Fortunately, most antennas come with one particular connector, the N-type; specifically, antennas usually have a female N-type connector.

Recommended Cards

The following three cards are highly recommended. They have above-average sensitivity and transmit power, solid support under Linux, and antenna connectors.

The Alfa AWUS036H

  • IEEE 802.11b, 802.11g compliant
  • Realtek RTL8187L chipset
  • Connects at a full 54 Mbps via USB 2.0, up to 8 times faster than a USB 1.1 adapter
  • USB adapter drivers are available for the following platforms: Windows XP, Vista, 7; Debian Linux 3.1 (kernel 2.6.13); Mac OS 10.3, 10.4, 10.5, 10.6
  • Monitor mode: Linux (Rt2xx00), Windows (NetMon, CommView), OS X (KisMac)
  • Antenna interface: 1 × SMC
  • Price: $40

The Alfa AWUS036NEH

  • ALFA Networks / AWUS036NEH
  • Chipset: Ralink RT3070
  • Supported OS: Windows XP / Vista / 7 / 8 / 10, Linux (2.6.37), Mac OS (10.9 – 10.14)
  • 802.11g/n
  • Antenna interface: 1 × SMC
  • Monitor mode: Linux (Rt2xx00), Windows (NetMon, CommView)
  • Price: $40

The AWUS051NH (Gold Alfa) adds support for 5 GHz. Sadly, it isn’t supported on OS X.

Ubiquiti SR71-USB

  • Antenna ports: (2) MMCX for 2×2 MIMO operation
  • Chipset: Atheros AR9280
  • IEEE 802.11a/b/g/n
  • RoHS compliance: yes
  • USB 2.0
  • Monitor mode: Linux (CARL9170), Windows (NetMon, CommView)
  • 300 Mbps
  • Price: $100

Hacking WPA-Protected 802.11 Networks

WPA attacks can be broken down into two categories: attacks against authentication and attacks against encryption.

  • Authentication attacks are the most common and yield direct access to the wireless network. When attacking WPA-PSK authentication, the attacker also has the ability to decrypt/encrypt traffic because the master key is recovered.
  • Encryption attacks are just emerging against WPA networks. These attacks provide the ability to decrypt/encrypt traffic but do not allow the attacker to fully join the network as a legitimate user.

Authentication attacks

Obtaining the Four-Way Handshake

The four-way handshake allows the client and the access point to negotiate the keys used to encrypt the traffic sent over the air. To crack the key, we need the network SSID, the authenticator nonce (A-nonce) sent by the AP, the supplicant nonce (S-nonce) sent by the client, the client’s MAC address, the AP’s MAC address, and a Message Integrity Check (MIC) to verify candidate keys against.

Passive Sniffing

Getting the handshake through passive sniffing requires no interaction with the target network and is by far the stealthiest method. Because a client joining the network is a fairly common occurrence, all we need to do is wait patiently; if we are on the right channel at the right time, we will capture the handshake. This simple process can be performed with any Wi-Fi capture tool. Airodump-ng from the Aircrack-ng suite is a straightforward, lightweight sniffer that is particularly useful in this scenario because it tells us when we have captured a handshake.

Active Attacks

The most popular active attack is the de-authentication attack. The first step is to start the passive sniffer just described. Then, in a new window on the same system, we launch the de-authentication attack so that the sniffer captures both the attack and the client reconnecting. Although numerous tools can launch a de-authentication attack, using aireplay-ng is straightforward.
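An added example (not from this page or the book) that ties the frame categories and three-address layout from the introduction to the de-authentication attack just described, seen from the defender’s side: it parses the 802.11 header of raw management frames and flags a burst of deauthentication frames per BSSID and destination, which is what a forced reconnect looks like in a monitor-mode capture. The frames and MAC addresses below are constructed for the example.

```python
import struct
from collections import Counter

# Frame Control byte 0: protocol version (bits 0-1), type (bits 2-3), subtype (bits 4-7).
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {8: "beacon", 10: "disassociation", 11: "authentication",
                 12: "deauthentication"}

def parse_header(frame: bytes) -> dict:
    """Parse the common 24-byte 802.11 MAC header. For management frames the
    three addresses are addr1=DA, addr2=SA, addr3=BSSID (the AP's MAC)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    info = {
        "type": TYPE_NAMES.get(ftype, "reserved"),
        "subtype": subtype,
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "addr1": frame[4:10].hex(":"),
        "addr2": frame[10:16].hex(":"),
        "addr3": frame[16:22].hex(":"),
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,  # low 4 bits = fragment number
    }
    if ftype == 0:
        info["name"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
        if subtype in (10, 12) and len(frame) >= 26:  # body begins with a reason code
            info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info

def deauth_flood_report(frames, threshold=10) -> dict:
    """Count deauthentication frames per (BSSID, destination). Legitimate deauths
    are rare; a burst to the broadcast address or to one station is the
    fingerprint of someone forcing clients off the network so they re-handshake."""
    counts = Counter()
    for frame in frames:
        hdr = parse_header(frame)
        if hdr["type"] == "management" and hdr["subtype"] == 12:
            counts[(hdr["addr3"], hdr["addr1"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def build_mgmt(subtype, da, sa, bssid, seq, body=b""):
    """Assemble a management frame as raw bytes; used here only to build test input."""
    fc0 = (0 << 2) | (subtype << 4)  # type 0 = management
    return (bytes([fc0, 0]) + b"\x00\x00" + da + sa + bssid
            + struct.pack("<H", seq << 4) + body)

AP, STA, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
# Constructed capture: one beacon, twelve broadcast deauths (reason 7), one client auth.
SAMPLE_FRAMES = ([build_mgmt(8, BCAST, AP, AP, 1)]
                 + [build_mgmt(12, BCAST, AP, AP, 100 + i, struct.pack("<H", 7)) for i in range(12)]
                 + [build_mgmt(11, AP, STA, AP, 5)])
```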

Cracking the Pre-shared Key

Like many authentication attacks, hacking WPA-PSK boils down to an offline brute-force attack. The PMK is derived from the passphrase and SSID with 4,096 iterations of PBKDF2 (HMAC-SHA1), which greatly increases the computational cost of each guess, making it difficult to crack long and complex passphrases.

Using aircrack-ng

Since we have been using the Aircrack-ng suite, it is only natural to continue with the tool the suite is named after, aircrack-ng, to crack our key. Like most WPA-PSK cracking tools, aircrack-ng requires a capture file containing, at a minimum, two of the four frames of the four-way handshake.

Cracking with Cryptographic Acceleration

Realistically speaking, unless the network you are attacking uses fairly common dictionary words, you are unlikely to recover the passphrase using only the CPU resources of a typical laptop or desktop system (which will get you a couple of thousand attempts per second, depending on your hardware). You can improve the throughput of this attack in two ways: offload the computation to a more specialized piece of hardware (such as a video card GPU), or upload your job to the cloud.

Graphical Processing Units

Graphical processing units (GPUs) are the processors in video cards that handle graphics rendering. They operate very efficiently and, in modern video cards, are often extremely powerful at general computational tasks. Pyrit is an open-source WPA-PSK brute-forcing tool that supports both GPU and general-purpose processing architectures.

Cracking WPA-PSK on the “Cloud”

Amazon Web Services (AWS) supports GPU-enabled Elastic Compute Cloud (EC2) instances. This means you can spin up a WPA-cracking machine, upload your capture, hash for as long as required, and shut the whole thing down once you are finished.

Spinning Up an Amazon EC2 Instance

The following section assumes the reader is already somewhat familiar with Amazon’s EC2 service. Readers who have not used Amazon’s cloud service are encouraged to sign up and play with some of the free-tier services before creating instances that could cost them a significant amount of money if left unattended. Always make sure to terminate your EC2 instances when you are finished with them.

Reaver and WPS

Wi-Fi Protected Setup (WPS) was meant to simplify the configuration of home networks. The general goal was that nontechnical end users would no longer be responsible for choosing a secure WPA passphrase. Devices that authenticate themselves with a PIN are sent the credentials needed to join the network. The general concept is that home users type in a fairly simple eight-digit number, and the router then provisions them with a difficult-to-remember, and therefore dictionary-attack-resistant, PSK. Clients then store the PSK and use it to connect like any other client from that point forward.

Passphrases with Reaver and WPS

Assume it takes one second to go through the authentication process with one PIN, and that the AP does not care if you enter 100 million incorrect PIN values in a row. At that rate, it would take approximately 578 days to try half of all the possible PINs.

Unfortunately, although the PIN appears to be a random eight-digit number, the last digit is a checksum, which means that rather than the 578 days needed to brute-force the PIN, it now takes 57.8 days. Not ideal, but still probably unfeasible. A secondary deficiency that makes it practical to brute-force the WPS PIN is that the protocol treats it as two separate numbers, as shown here.

(Figure: WPS PIN layout)

When authenticating with WPS, the first half of the PIN is transmitted in one packet. If it does not match, the AP sends a negative acknowledgment to the client.

Consequently, rather than trying to brute-force 10^7 possible PINs, the attacker is essentially trying to brute-force two independent PINs: one with 10^4 possibilities and the other with 10^3. The attacker only has to make 11,000 unique authentication attempts before exhausting the PIN keyspace.
Although we started with the assumption that each PIN guess takes only one second, in practice it takes several seconds because of the overhead of the rest of the protocol exchange.
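An added example (not the page’s or Reaver’s code) that makes the arithmetic above concrete: the WPS PIN checksum rule (weights 3 and 1 over the first seven digits, as defined in the WPS specification), a validity check, the two-half split, and the worst-case guess counts with and without split verification and the known checksum. PIN values are constructed; the timing rates are the ones assumed in the text.

```python
def wps_checksum(first_seven: int) -> int:
    """Checksum digit of a WPS PIN: the seven leading digits are weighted
    3,1,3,1,3,1,3 (starting from the least significant digit), summed, and the
    digit that brings the total to a multiple of 10 becomes digit 8."""
    total, n = 0, first_seven
    while n:
        total += 3 * (n % 10)
        n //= 10
        total += n % 10
        n //= 10
    return (10 - total % 10) % 10

def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit PIN string carries the correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(int(pin[:7])) == int(pin[7])

def split_pin(pin: str) -> tuple:
    """The registrar protocol proves the PIN in two halves, digits 1-4 and
    digits 5-8, so each half is confirmed or rejected on its own."""
    return pin[:4], pin[4:8]

def guesses_to_exhaust(split_verification: bool, checksum_known: bool) -> int:
    """Worst-case number of authentication attempts to cover every PIN."""
    if not split_verification:
        return 10 ** 7 if checksum_known else 10 ** 8
    second_half = 10 ** 3 if checksum_known else 10 ** 4  # last digit is the checksum
    return 10 ** 4 + second_half

def days_to_try_half(guesses: int, seconds_per_guess: float = 1.0) -> float:
    """The text's rate model: one guess per second, half the keyspace on average."""
    return guesses * seconds_per_guess / 2 / 86400

def hours_to_exhaust(guesses: int, seconds_per_guess: float) -> float:
    """Wall-clock time to cover the whole keyspace at a given per-guess cost."""
    return guesses * seconds_per_guess / 3600

if __name__ == "__main__":
    print("12345670 valid:", is_valid_pin("12345670"), "halves:", split_pin("12345670"))
    print("monolithic, no checksum:", days_to_try_half(guesses_to_exhaust(False, False)), "days")
    print("monolithic, checksum:   ", days_to_try_half(guesses_to_exhaust(False, True)), "days")
    print("split + checksum, 3 s/guess:", hours_to_exhaust(guesses_to_exhaust(True, True), 3.0), "hours")
```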

Finding APs Vulnerable to Reaver

If a router is susceptible to a WPS PIN-guessing attack, it can take anywhere between 2 and 14 hours to complete the attack. The patch that vendors have pushed out to address this issue simply adds a significant amount of throttling between failed PIN guesses, to increase the time needed to complete the attack. Both Craig Heffner (of Tactical Network Solutions, TNS) and Stefan Viehböck discovered the vulnerability independently. Once Viehböck released his whitepaper, Heffner and TNS responded by open-sourcing their tool Reaver, which implements the attack.

The easiest way to determine which APs in the area are (potentially) vulnerable to this type of attack is to use a tool bundled with Reaver, called Wash. Wash performs a passive survey of APs in the area and displays the current state of WPS. For a network to be vulnerable, WPS must be enabled and not locked.

Source book: Hacking Exposed Wireless, Third Edition: Wireless Security Secrets & Solutions

Written by admin

