In this post, I will talk a bit about auditing wireless networks using Wifite.
Wifite (and its many forks) is a particularly useful tool for conducting site security surveys.
My auditing techniques try to make as little noise as possible, unless we have to; in that case, we spoof the MAC 🙂
What I have installed
- Wifite (and its dependencies)
- A good set of password lists – I recommend probable-v2-wpa-top4800.txt, 2020-200_most_used_passwords.txt, and probable-v2-top12000.txt
- A shamelessly cute regex password list generator!
- $CARD_DEV – Your wireless adapter's interface name; get it from iwconfig, then export it as an environment variable.
- $WORD_LIST – The custom wordlist file you'd like to use. You'll need to give Wifite the absolute path, and sadly it can only handle one dictionary file at a time.
You can combine multiple wordlist files with a little bash magic to make things easier, for example:
cat probable-v2-wpa-top4800.txt 2020-200_most_used_passwords.txt probable-v2-top12000.txt | sort | uniq > /home/kali/wifite_dict.txt
Unblocking monitor mode
In order to get started, we'll need to unblock the device with rfkill unblock #, where # is the numeric ID of the card as listed by rfkill, i.e. the wireless device that will be put in monitor mode. You'll need to be root to do this, so run sudo -s to become root beforehand.
Wifite PMKID Attacks (sniff only)
sudo python Wifite.py --kill -v -i $CARD_DEV --random-mac -p 300 --new-hs --dict $WORD_LIST --bully --pmkid --pmkid-timeout 30
--kill – This will kill anything managing the wireless card, including NetworkManager.
--random-mac – This will randomize the MAC address (just in case).
--new-hs – This will force Wifite to capture new handshake files rather than reuse ones it already has on disk.
--pmkid – This will force Wifite to only perform PMKID capture.
--pmkid-timeout 30 – Wifite will wait up to 30 seconds to receive a PMKID from the AP.
-p 300 – Pillage mode. This will scan for target APs for 5 minutes (300 seconds), then begin attacking the APs it discovered.
See the Feature List for more information on the attack flags.
This attack is extremely stealthy. A little-known fact is that many WPA access points give away a PMKID, a hash derived from the passphrase, in the first message of the handshake; all you have to do is listen, then crack it offline with hashcat and a huge wordlist. Wifite will automatically detect support for hcxpcaptool and start a dictionary attack.
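Two things from this post fit one small script: the wordlist merge from the "What I have installed" section, and a self-check for the PMKID/dictionary attack just described, i.e. whether the passphrase on your own AP is sitting in the lists an auditor would throw at it. This is an added example, not code from the original post or from Wifite; the three wordlists and their entries are constructed inline, and the function names (merge_wordlists, passphrase_in_wordlist, demo) are mine. Unlike the `sort | uniq` one-liner, it keeps first-seen order so the most probable candidates stay at the top of the merged file, and it tolerates CRLF lists and blank lines.

```python
"""Merge several wordlists into one deduplicated file and check whether a
passphrase of your own appears in the result.

Added example (not from the post or from Wifite). The sample wordlists below
are constructed; in practice you would pass the real files named in the post.
"""
import os
import tempfile
from typing import Dict, Iterable, List


def merge_wordlists(paths: Iterable[str], out_path: str) -> int:
    """Concatenate the given files, drop duplicates and blank lines, and write
    the result to out_path. Returns the number of unique entries written.
    First-seen order is preserved (sort|uniq would lose it)."""
    seen = set()
    unique: List[str] = []
    for path in paths:
        # errors="replace" keeps a stray non-UTF-8 byte from aborting the merge
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                word = line.rstrip("\r\n")  # tolerate CRLF lists
                if word and word not in seen:
                    seen.add(word)
                    unique.append(word)
    with open(out_path, "w", encoding="utf-8") as out:
        out.write("\n".join(unique) + "\n")
    return len(unique)


def passphrase_in_wordlist(passphrase: str, wordlist_path: str) -> bool:
    """Self-audit: True if the passphrase is in the merged list, i.e. it would
    fall to exactly the dictionary attack the post describes."""
    with open(wordlist_path, encoding="utf-8") as fh:
        return any(line.rstrip("\r\n") == passphrase for line in fh)


def demo() -> Dict[str, object]:
    """Write constructed sample lists to a temp dir and run both functions."""
    samples = {
        "list_a.txt": "password\n12345678\nletmein1\n",
        # CRLF line endings and a blank line, as real downloaded lists often have
        "list_b.txt": "12345678\r\nqwertyuiop\r\n\r\npassword\r\n",
        "list_c.txt": "letmein1\nsunshine1\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, body in samples.items():
            p = os.path.join(tmp, name)
            with open(p, "w", newline="") as fh:  # newline="" keeps the CRLFs as written
                fh.write(body)
            paths.append(p)
        merged = os.path.join(tmp, "wifite_dict.txt")
        count = merge_wordlists(paths, merged)
        with open(merged, encoding="utf-8") as fh:
            words = fh.read().split("\n")[:-1]
        return {
            "count": count,
            "words": words,
            # a constructed weak passphrase that is in the lists
            "weak_hit": passphrase_in_wordlist("12345678", merged),
            # a constructed passphrase that is not
            "strong_miss": passphrase_in_wordlist("correct-horse-battery", merged),
        }


if __name__ == "__main__":
    print(demo())
```

The merged file goes wherever you point out_path, so you can hand it to Wifite's --dict exactly as the post does with /home/kali/wifite_dict.txt; if passphrase_in_wordlist comes back True for your own network, the PMKID capture above is all an attacker needs.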
Wifite WPS Attacks
sudo python Wifite.py --kill -v -i $CARD_DEV --random-mac -p 300 --new-hs --dict $WORD_LIST --bully --wps --nodeauths
This attack focuses on WPS (Wi-Fi Protected Setup), also known as the "push button" method.
--bully is provided here to switch from the default reaver, as bully is a good bit more effective. I've not seen this particular type of attack logged anywhere that it's evident in a router's web GUI. Sometimes the attacks can take a while, as the WPS feature will periodically become locked. You can add --ignore-locks to skip the default behaviour of waiting for the AP's WPS mechanism to unlock before resuming WPS attacks.
Wifite WPA Attacks (Full deauth)
sudo python Wifite.py --kill -v -i $CARD_DEV --random-mac -p 300 --new-hs --dict $WORD_LIST --bully --wpa --clients-only
This attack focuses on capturing WPA/WPA2 4-way handshakes. Wifite first builds a list of access points that use WPA and have active clients. It deauthenticates the AP itself, and when existing clients reconnect to the AP, it adds them to a list of associated MACs. On the next deauth it hits broadcast, then deauths each MAC on that AP's associated list, repeating until a handshake has been captured. This causes repeated disconnects of the AP and its clients, so it's definitely going to be noticed, but it is the most direct method of capturing handshakes.
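Since the post says this one will be noticed, here is what noticing it looks like from the other side: a detector that runs over parsed 802.11 management-frame records and flags the broadcast-then-per-client deauth sequence just described. This is an added example, not code from the original post or from Wifite. The frame records are constructed inline (the shape a monitor-mode capture would give you after parsing), and the 10-second window and threshold of 8 frames are assumptions of mine, not values from the post; a benign AP sends the odd deauth too, so a single frame must not trip it.

```python
"""Flag deauthentication floods against an AP from 802.11 management-frame
records.

Added example (not from the post or from Wifite). Frame records, window and
threshold are constructed/assumed values.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Frame(NamedTuple):
    ts: float      # capture time in seconds
    subtype: str   # "deauth", "disassoc", "beacon", ...
    bssid: str     # the AP the frame claims to come from
    dst: str       # destination station, or broadcast


def detect_deauth_floods(frames: List[Frame], window: float = 10.0,
                         threshold: int = 8) -> Dict[str, dict]:
    """Return, per BSSID, a summary for any AP whose deauth/disassoc frames
    within a sliding window of `window` seconds reach `threshold`. The summary
    also records whether a broadcast deauth was seen and which client
    addresses were individually targeted, which is the pattern the post
    describes (broadcast first, then each associated MAC)."""
    by_bssid: Dict[str, List[Frame]] = defaultdict(list)
    for f in frames:
        if f.subtype in ("deauth", "disassoc"):
            by_bssid[f.bssid].append(f)
    alerts: Dict[str, dict] = {}
    for bssid, evts in by_bssid.items():
        evts.sort(key=lambda f: f.ts)
        start = 0
        peak = 0
        for end in range(len(evts)):
            # shrink the window from the left until it spans <= `window` seconds
            while evts[end].ts - evts[start].ts > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = {
                "peak_in_window": peak,
                "broadcast_seen": any(f.dst == BROADCAST for f in evts),
                "targeted_clients": sorted({f.dst for f in evts if f.dst != BROADCAST}),
            }
    return alerts


def sample_frames() -> List[Frame]:
    """Constructed capture: one AP sending a single benign deauth, and a second
    AP hit by a broadcast deauth followed by per-client deauths, three times."""
    quiet_ap = "aa:bb:cc:00:00:01"
    hit_ap = "aa:bb:cc:00:00:02"
    clients = ["11:22:33:44:55:01", "11:22:33:44:55:02", "11:22:33:44:55:03"]
    frames = [
        Frame(0.0, "beacon", quiet_ap, BROADCAST),
        Frame(1.0, "deauth", quiet_ap, "11:22:33:44:55:09"),  # single, benign
        Frame(2.0, "beacon", hit_ap, BROADCAST),
    ]
    t = 3.0
    for _round in range(3):
        frames.append(Frame(t, "deauth", hit_ap, BROADCAST))
        t += 0.1
        for c in clients:
            frames.append(Frame(t, "deauth", hit_ap, c))
            t += 0.1
        t += 1.0
    return frames


if __name__ == "__main__":
    for bssid, info in detect_deauth_floods(sample_frames()).items():
        print(bssid, info)
```

On the constructed capture only the second AP is reported, with 12 deauths in the window, a broadcast frame and three targeted clients; the quiet AP's lone deauth stays below threshold. On the mitigation side, APs and clients that enable Protected Management Frames (802.11w) drop forged deauth and disassociation frames, so this capture technique stops working against them and the detector has nothing to flag.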