Friday, November 25, 2016


How to do wifi password recovery | Wifi Hacking

Normally, a Wi-Fi device or router has a built-in way to recover or reset its password. Anyone with basic knowledge of gadgets can perform a simple password recovery or Wi-Fi password reset using the button on the device.
Here we are going to do a tutorial on Wi-Fi password recovery. We are going to cover four methods to recover a Wi-Fi password. The first method uses the default username and password.

1. Wifi password recovery using device local address

Here’s the good news: because you’ve locked down your wireless network and router configuration settings, you’re one step ahead of anyone trying to access your network and its devices.
The bad news? Depending on which password you’ve forgotten – the Wi-Fi password that lets you connect devices to your router, or the administrative password you use to log directly in to your router – you’re either in for a short visit to your router’s Web configuration screen or a total router reset.
The Forgotten Wi-Fi Password
I’ll start with the easy one: the forgotten Wi-Fi password. Once you’ve set and saved a Wi-Fi password on your laptop, after all, you won’t ever need to change it — though I do recommend you change all of your passwords a few times a year.
Resetting your D-Link® router’s Wi-Fi password is easy:
  • Type your router’s IP address —— into your Web browser.
  • At the login screen, select “Admin” from the drop down menu and enter your admin password.
  • Once you access the Web configuration screen, click “Setup” in the top menu.
  • Select the “Wireless Settings” link on the left-hand side.
  • From there, click on the “Manual Wireless Connection Setup” button.
  • Scroll down to the field representing the “Pre-Shared Key”. If you don’t see it, select a security mode from the dropdown menu at the bottom of the screen first.
  • Type in a new password. (I use a hybrid WPA/WPA2 security mode.)
That’s it! Now for the more challenging of the two: the forgotten admin password.
The Forgotten Admin Password
If you forget your Web configuration password, you’re stuck: you have no way to change any settings on your router. Your only recourse is to use a paperclip or other pointy object to reset your router to its factory settings. With the paperclip, hold down the tiny reset button on the back of your router for about five seconds. Your router lights will blink to confirm the factory reset. You can now use the router’s default password to log into its Web configuration screen (look in your router manual if you can’t remember what this is). Once you’re in, be sure to change this password to something unique.

2. Recover wifi password using device reset button

Factory Restore is the only option.
If everything fails you could always perform a factory restore. However, it comes with its own set of problems. For starters you lose all your PTCL settings that are essential for you to use your DSL. So bear in mind that if you factory reset the modem you will have to call the PTCL help line and get all the settings redone over the phone. So do this at your own risk!
What you need is a pin or a needle and your modem. If you look carefully at the back of the modem you will see a tiny reset hole. This is where you insert the pin/needle with the modem powered on, and hold it for a few seconds until the modem restarts. You now have your modem factory restored and wiped of all settings.
Note that your SSID (wireless network name) will change back to PTCL-BB, and the username and password for the router configuration page will both be reset to admin. You will then need to call PTCL and have them talk you through the configuration.


3. Find the Default Username and Password

Before resetting your router to its default settings, you should first try using the default username and password to log in. You’ll need these anyway if you plan on resetting the router to its factory default settings. There are several ways to find this information:
  • Read your router’s manual. Different models of routers – even ones from the same manufacturer – often have different username and password combinations. To locate the default username and password for the router, look in its manual. (If you’ve lost the manual, you can often find it by searching for your router’s model number and “manual” on Google. Or just search for your router’s model and “default password”.)
  • Look for a sticker on the router itself. Some routers – particularly ones that may have come from your Internet service provider – ship with unique passwords. These passwords may sometimes be printed on a sticker on the router itself.
  • Try a common username and password combination. Many routers use the password “admin” (don’t type the quotes) and a blank username, a blank password and “admin” as the username, or “admin” as both the password and username. You can find a fairly comprehensive list of default usernames and passwords for various routers on
Try to log in with the default credentials after finding them – it’s possible the router was already reset or someone never changed its password. If they don’t work, continue to the next section – you’ll need the default credentials after resetting the router.
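An added example, not part of the original post: a small Python check for the two passwords this section and section 1 deal with. It validates a new WPA/WPA2 pre-shared key before you type it into the “Pre-Shared Key” field (the 8–63 printable-ASCII or 64-hex-digit constraint, a rough entropy estimate, and a weak-value check), and it flags admin login pairs that match the factory defaults listed above. The default-credential and weak-passphrase sets are constructed for illustration and are not a complete list.

```python
import math
import string

# Constructed set of factory-default admin credentials, mirroring the
# combinations listed in the post (admin/blank, blank/admin, admin/admin).
# Extend it from your own router's manual; this is not a complete list.
DEFAULT_ADMIN_CREDENTIALS = {
    ("admin", ""),
    ("", "admin"),
    ("admin", "admin"),
    ("admin", "password"),
}

# Constructed set of weak Wi-Fi passphrases often left on home routers.
WEAK_PASSPHRASES = {"password", "12345678", "admin123", "qwertyui"}


def is_default_admin_credential(username: str, password: str) -> bool:
    """True if the admin login pair is one of the known factory defaults."""
    return (username.strip().lower(), password) in DEFAULT_ADMIN_CREDENTIALS


def estimate_entropy_bits(passphrase: str) -> float:
    """Rough entropy estimate: log2(pool) bits per character, where the pool
    is the union of the character classes actually used in the passphrase."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        pool += len(string.punctuation) + 1
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_wpa_passphrase(passphrase: str, min_bits: float = 60.0) -> list:
    """Return a list of problems with a WPA/WPA2-Personal pre-shared key.

    WPA2-Personal accepts either an ASCII passphrase of 8 to 63 printable
    characters (0x20-0x7E) or exactly 64 hexadecimal digits (the raw PSK).
    An empty list means the passphrase passes every check.
    """
    problems = []
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return problems  # a raw 256-bit PSK; nothing further to check
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters (or 64 hex digits)")
    if any(not (0x20 <= ord(c) <= 0x7E) for c in passphrase):
        problems.append("only printable ASCII (0x20-0x7E) is allowed")
    if passphrase.lower() in WEAK_PASSPHRASES:
        problems.append("passphrase is a well-known default or weak value")
    if passphrase.isdigit():
        problems.append("all-digit passphrases are trivially guessable")
    bits = estimate_entropy_bits(passphrase)
    if bits < min_bits:
        problems.append(f"estimated entropy {bits:.0f} bits is below {min_bits:.0f}")
    return problems


if __name__ == "__main__":
    for candidate in ["12345678", "correct horse battery staple!", "a" * 64]:
        print(repr(candidate), check_wpa_passphrase(candidate) or "OK")
    print("admin/admin is a factory default:", is_default_admin_credential("admin", "admin"))
```

Run it before you save a new key in the router’s Web configuration screen; an empty result means the passphrase clears the length, charset and entropy checks, and a True from the credential check means the admin login you are about to keep is one anyone with the manual can guess.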

4. You can always hack wifi password to recover it

You need to find out the following about your target network:
  • Does it have WPS enabled? If not, the attack will not work.
  • The BSSID of the network.
Now to check whether the network has WPS enabled or not, you can either use wash or just use the good old airodump-ng. Wash is specifically meant to check whether a network has WPS enabled or not, and is therefore much easier to use. Here are the steps:
  • Set your wireless interface in monitor mode:
airmon-ng start wlan0
  • Use wash (easy, but sometimes unable to detect networks even when they have WPS enabled). If any network shows up there, it has WPS enabled.
wash -i wlan0mon

  • This is an error which I haven't figured out yet. If you see it, then you'll have to do some homework, or move on to the airodump method. Update: wash -i wlan0mon --ignore-fcs might solve the issue.
  • Use airodump-ng. It will show all networks around you and tells you which of them use WPA. You'll have to assume they have WPS, and then move to the next steps.
airodump-ng wlan0mon
BSSID of the network - Now irrespective of what you used, you should have a BSSID column in the result that you get. Copy the BSSID of the network you want to hack. That's all the information you need.

So by now you must have something like XX:XX:XX:XX:XX:XX, which is the BSSID of your target network. Keep this copied, as you'll need it.


Now finally we are going to use Reaver to get the password of the WPA/WPA2 network. Reaver makes this very easy, and all you need to do is enter:
reaver -i wlan0mon -b XX:XX:XX:XX:XX:XX
Explanation: -i is the interface used. Remember creating a monitor interface wlan0mon using airmon-ng start wlan0; this is what we are using. -b specifies the BSSID of the network that we found out earlier.
This is all the information that Reaver needs to get started. However, Reaver comes with many advanced options, and some are recommended by me. Most importantly, you should use the -vv option, which increases the verbosity of the tool. Basically, it writes everything that's going on to the terminal. This helps you see what's happening, track the progress, and if needed, do some troubleshooting. So the final command should be:

reaver -i wlan0mon -b XX:XX:XX:XX:XX:XX -vv
After some hours, you will see something like this. The pin in this case was intentionally 12345670, so it was  hacked in 3 seconds.
The WPA PSK value in that output (shown as X here) is the password of the wireless network.
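The PIN 12345670 mentioned above is the canonical valid WPS PIN: its eighth digit is a checksum of the first seven. The Python example below is added here and is not from the original post or from Reaver; it implements that check digit and works out the resulting keyspace. The point for anyone running this against their own router is that the PIN method cannot be saved by choosing a better PIN: the registrar confirms the first four digits separately from the last four, so the fix is to disable WPS (or at least the external-registrar PIN method) in the router’s Web configuration screen.

```python
def wps_pin_checksum(first_seven: str) -> int:
    """Compute the WPS PIN check digit for a 7-digit prefix.

    The check digit d8 is chosen so that 3*(d1+d3+d5+d7) + (d2+d4+d6) + d8
    is a multiple of 10 (positions are 1-indexed). The algorithm is public
    and carries no secrecy; it only guards against typing errors.
    """
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 digits")
    digits = [int(c) for c in first_seven]
    accum = 3 * sum(digits[0::2]) + sum(digits[1::2])  # odd positions weigh 3
    return (10 - accum % 10) % 10


def wps_pin_is_valid(pin: str) -> bool:
    """True if an 8-digit PIN carries a correct check digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_pin_checksum(pin[:7]) == int(pin[7])


def wps_pin_keyspace() -> dict:
    """Why the PIN method is weak.

    Only 10**7 of the 10**8 eight-digit strings have a correct checksum, and
    because the registrar acknowledges the first half of the PIN before the
    second half is checked, the two halves can be confirmed independently:
    at most 10**4 attempts for the first four digits plus 10**3 for the
    three free digits of the second half.
    """
    return {
        "naive_8_digit": 10 ** 8,
        "valid_pins_with_checksum": 10 ** 7,
        "worst_case_split_verification": 10 ** 4 + 10 ** 3,
    }


if __name__ == "__main__":
    print("12345670 valid:", wps_pin_is_valid("12345670"))
    print("12345671 valid:", wps_pin_is_valid("12345671"))
    print(wps_pin_keyspace())
```

The worst-case figure of 11,000 attempts, against a router that answers roughly once a second, is the arithmetic behind the "after some hours" above; rate limiting on the router (see the troubleshooting section) only stretches that out, while turning WPS off removes the PIN exchange entirely.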

Here is an extra section, which might prove useful. 

Known problems that are faced - Troubleshooting

  1. As in the pic above, you saw the first line read "Switching wlan0 to channel 6". (Yours will be wlan0mon instead of wlan0). Sometimes, it keeps switching interfaces forever.
  2. Sometimes it never gets a beacon frame, and gets stuck in the waiting for beacon frame stage.
  3. Sometimes it never associates with the target AP.
  4. Sometimes the response is too slow, or never comes, and a (0x02) or something error is displayed.
In most cases, such errors suggest:
  1. Something wrong with the wireless card.
  2. The AP is very choosy and won't let you associate.
  3. The AP does not use WPS.
  4. You are very far from the AP.
  5. Rate limiting implemented in the router (most new routers have this).
Possible workarounds:
  1. Sometimes, killing naughty processes helps. (see pictures below)
  2. Move closer to target AP
  3. Do a fakeauth using aireplay-ng and tell Reaver not to bother as we are already associated using -A (just add -A at the end of your normal reaver code)
  4. If you are using Kali Linux in VMware, try booting into Kali using USB. I don't know why, but sometimes internal adapters work wonders, and can't be used from inside of a VM. In my case, booting up from USB and using the internal adapter increased the signal strength and sped up the bruteforce process. Update: It has nothing to do with the internal adapter. I have verified this with many others, and it is now a known problem with Reaver. It does not work well inside virtual machines. It is recommended that you do a live boot.
  5. As far as rate limiting is concerned, there are a few workarounds available in forums across the web, but nothing seems to work with 100% certainty. Here is a relevant discussion on GitLab, here is a solution on the Hak5 forums which has a script and uses the mdk3 tool (it doesn't work for me; it's supposed to DoS the router and reset the ban temporarily), and here is a thread on the Kali Forums on the same issue, which has various possible solutions listed (including a method which changes your MAC address regularly [sorry if the download link on the thread there doesn't work] and hence allows reaver to work against routers which lock the particular MAC address that is attacking them and don't lock down completely).
  6. Update: For some people the reason Reaver is not working is because the version of Libpcap you are using is not compatible with the version of Kali you are using.
A lot of people have shared their experiences in the comments section. Help out if you can, seek help if you need any. I can't always respond, but someone usually does.

Can't get it to work

Even after all your attempts, if you can't get it to work, then the AP just isn't vulnerable. You have the following alternatives:
  1. If you were following the tutorials one by one in the order shown in the top navigation bar (Hack With Kali -> Wireless Hacking), then you have learnt all you needed in this tutorial (even if you failed to get WPA-PSK), and can move to the next ones.
  2. If you just want to see if you can hack a WPA network, then there are three posts below which will help you with that without relying on WPS vulnerability.