Hi there again, aspiring hackers (and veterans as well)! I’m going to explain how to perform a dictionary attack on a WPA/WPA2 protected network with Wifite. Please note that this doesn’t work with WPA Enterprise For that end, you’d have to use an Evil Twin to get the “Enterprise” auth attempt, and then crack it.
But don’t worry, Enterprise isn’t common in many corporations, and I still haven’t seen it on any home network. That being said, let’s get started.
Step 1: Get Your Dictionary File Ready
First, we’re gonna need a dictionary, to perform the dictionary attack. If the network you’re attacking has WPS enabled, you may attempt to get the password that way first.
- In Kali, you have a nice wordlist that comes bundled within your installation/live usb. It’s located in /usr/share/wordlists, but it comes compressed in .gz format (at least in the live version).
- You can also explore my post on WordLists!
To get it ready for the attack, we need to type:
gzip -d /usr/share/wordlists/rockyou.txt.gz
And within seconds it’ll be extracted and ready to use.
Backtrack has them located in /pentest/passwords/wordlists. It has one that’s called darkc0de.lst along with the rockyou.txt one.
You can use them simply copying one of this after the ‘-dict’ option.
For any other distros, search for “download wordlist rockyou” or “download wordlist darkc0de”, or just “download wordlist” in DuckDuckGo. It gives more precise results than Google for this kind of stuff.
For the rest of this, I’ll assume that you’re using Kali.
Step 2: Launch Wifite
To launch Wifite, you must be running with root permissions.
In a live Kali boot, you are logged on by default with the root user. If you let it running for a while (while cracking with the dictionary, pressumably) and it asks for a password to return to the session, it’s ‘toor’ (root backwards).
Same for BackTrack (confirmation needed), and for other distros you can gain root access by typing “su” or “sudo su” and entering the password. The first command requires you to know root’s password, and the second your current account’s and it must have root privileges.
TL;DR? Okay, you just want the command? Here it is!
wifite -mac -aircrack -dict /usr/share/wordlists/rockyou.txt
–mac | Anonymizes your MAC Address by randomizing it (it mustn’t be set to monitor mode, or this command won’t work).
–aircrack | Tells Wifite we’ll be doing an Aircrack only attack.
–dict | Select a dictionary to use for cracking the password after capturing the handshake, otherwise you’ll get the ‘.cap’ file and Wifite will terminate.
I have it located in a different folder because I’m not running Kali, but it’s pretty much the same.
Step 3: Select Your Wireless Adapter and Your Target
If you have a laptop, you’ll probably have to choose which adapter to use, if you have an external USB adapter. Please note that you’ll need a compatible adapter that’s able to inject packets and enter into promiscuous mode (monitor mode), or this won’t work.
If prompted, we select our adapter choosing the number Wifite has assigned it. In my case, I’ll type ‘1’, because that’s mine. One good indicator for knowing which one it is, is reading that name to the left of phy. For example, I have one that says ‘usb’ in it, and one that doesn’t. And yep, I have it plugged to USB, so that one’s it.
Now we’ll see a list of wireless networks, and if we let it run, it will eventually display ‘client’ or ‘clients’ at the top right of the network info, showing that it has a client (or more) connected to it.
To stop the scan, press Ctrl+C. I’ll choose “Casa” (spanish for House).
Step 4: Sit and Wait
If the network you’re attempting to crack has WPS enabled, it’ll start cracking it like that first. To stop it, just press Ctrl+C
Now it will attempt to capture the handshake for a few minutes.
If no clients are connected, it’ll send a general deauth to the wireless adapter, so that clients may show up.
If it detects a client connected to the network, it’ll tell you it’s MAC Address, and proceed to send targeted deauths to that client.
When it succeeds deauthenticating a client (who has re-connect enabled by default), or a new client connects to the network, hopefully it will capture the handshake, and it’ll start attempting to crack it with aircrack-ng and the dictionary file you gave it.
If the passphrase is any of the words contained in that dictionary, it’ll stop and show it on screen. Otherwise, it’ll run through the whole dictionary, and say it couldn’t find the key. But it has a nice success rate.
I used my country in lowercase letters as the passphrase (argentina), and as it’s along the first words in this dictionary, it took only one second to crack it. For you it may take over an hour or two, depending on your processing power and if the passphrase is near the beginning or the end of the list.
Wifite Succeded but Failed!
If it failed, you still get the ‘.cap‘ file (hopefully not empty).
You can use that file with the same dictionary (or others) with aircrack-ng, using this command:
In Kali live, ‘.cap’ files get saved into a folder named ‘hs’ of the folder you’re standing.
After Wifite has ended, type:
To see you ‘.cap‘ files and other files for cracking.