New Job-Role Training Path: Active Directory Penetration Tester! Learn More

Wi-Fi Password Cracking Techniques

This module explores the range of techniques used to crack Wi-Fi passwords, from common dictionary attacks to lesser known methods like hybrid attacks and precomputed hash tables. Alongside these approaches, we’ll also dive into performance-focused topics like GPU acceleration and optimization strategies. Whether you're a penetration tester, cybersecurity enthusiast, or IT professional, you'll gain practical insights into the tools, tactics, and workflows behind effective password cracking.

Created by Sentinal
Co-Authors: N1tr0x

Medium Offensive

Summary

This module explores a variety of Wi-Fi password cracking techniques using tools like Hashcat, Cowpatty, and John. It covers brute-force, rule-based, mask, and hybrid attacks, along with precomputed hash (rainbow table) methods, WPA2-Enterprise credential brute-forcing, and Cisco password cracking using configuration files.

In this module, we will cover:

  • Overview
    • Introduction
    • Traditional WPA Password Attack
    • Anatomy of a Password
  • Using Hashcat
    • CPU vs GPU Based Cracking
    • Hashcat Rules
    • Mask Attacks
    • Combinator Attacks
    • Hybrid Mode
  • Generating Credentials
    • Generating Default Credentials
    • Generating Wordlists
    • Generating Usernames
  • Miscellaneous Attacks
    • Precomputation (Rainbow Table) Attacks
    • Using Cloud for Cracking
    • Cisco Password Cracking
  • Skills Assessment

This module is broken down into sections with accompanying hands-on exercises to practice each of the tools, tactics, and techniques we cover. There are no specific WiFi hardware requirements for this module, as Hack The Box manages all necessary resources. You will need to RDP into the provided attacker VM to perform the exercises.

As you work through the module, you will see example commands and command outputs for the various tools and topics introduced. Reproducing as many examples as possible is recommended to reinforce the concepts presented in each section.

You can start and stop the module at any time and pick up where you left off. There is no time limit or grading, but you must complete all of the exercises and the skills assessments to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

This module is classified as "Medium" and assumes a working knowledge of Linux systems and network fundamentals. Prior familiarity with the following topics is recommended for successful completion of this module:

Introduction

Wi-Fi is an essential part of modern life, connecting our devices to the internet at home, at work, and in public spaces. While it's designed with security in mind, weak passwords and misconfigurations often leave networks open to attack. Wi-Fi password cracking involves testing these weaknesses to recover the passphrase or encryption key protecting the network.

When assessing the security of a wireless network, one of the first things we look at is the strength of the password or pre-shared key (PSK). The reason for this straightforward: strong passwords can dramatically increase the time and effort required for an attacker to break in. Whether we're working with a captured handshake or a hashed key, the success of our cracking attempts largely depends on the quality of our wordlist and the techniques we apply.

There are countless ways to build wordlists and approach password cracking, each with its own strengths depending on the context. Since most passwords are chosen by people, they often follow familiar patterns, reflect personal habits, or stick to factory defaults. Being able to stop these tendencies and shape a strategy around them can make all the difference for us as pentesters.

Wi-Fi Encryption Standards

Wireless networks typically use one of these security protocols:

Protocol Status Security Level
802.11 (Legacy) Deprecated Very Weak
802.11b (WEP) Deprecated Very Weak
802.11g/n (WPA) Deprecated Weak
802.11n/ac (WPA2) Widely used Strong (if passphrase is strong)
802.11ac/ax (WPA3) Current Strongest (so far)
Open Networks Active No Security
OWE (Opportunistic Wireless Encryption) Emerging Better than open, but lacks authentication
WPA2-Enterprise Active High (with certificate validation)
WPA3-Enterprise Active Very High

In this module, we'll dive into both traditional and advanced techniques for cracking WPA2 networks, many of which also apply to other wireless security protocols covered in separate Wi-Fi modules. We'll explore methods like generating wordlists from default credentials or user-specific patterns, using mask-based and rule-based cracking, as well as combination and hybrid attacks. We'll also break down the differences between CPU and GPU-based cracking, highlighting the strengths and trade-offs of each.

The Traditional WPA Password Attack

A traditional WPA password attack involves four key steps: Reconnaissance, Handshake Capture, Password Cracking, and Access Verification.

  1. Reconnaissance: Identify nearby Wi-Fi networks (airodump-ng).
  2. Handshake Capture: Listen for or trigger a handshake by disconnecting a connected client (aireplay-ng).
  3. Password Cracking: Use a wordlist or brute-force to attempt to crack the handshake (aircrack-ng, hashcat, cowpatty, john).
  4. Access Verification: If cracked successfully, test the key by connecting to the network.

In the next section, we'll take a hands-on approach and explore a variety of tools commonly used to crack WPA/WPA2 passwords.

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.

Sections