How can we crack a wifi password without brute force

@gnothiseauton said:

If you mean by ‘crack WiFi password’ that you want to ‘end up with the password’, then:

  • DNS rebinding:
    I have it on my to-do list, but haven’t touched on it, so I’d rather not speak about stuff I know nothing about. Google is your friend…
    Apart from the angles other people already mentioned, this seems (or at least ‘seemed’ 5-6 years ago) one of the best technical approaches available. However, I’m unsure how current browsers and routers handle it.
    Plus: it takes a fair deal of preparation, the victim needs to (willingly or unknowingly) connect to you and you’ll need to have the password for the router login page. But since some people will click just about anything and don’t change router passwords, you have a fair chance.

  • If somebody allows remote access to a router, you should be able to find it on Shodan and, if the router runs vulnerable software, that might be an entry.
    Here it’s less likely that someone hasn’t changed the password, so you are pretty much down to vulnerabilities (or brute forcing or social engineering to get that).

  • Another way is WPS (reaver), but it’s becoming rare that it’s still activated on routers. At least here in Europe. But occasionally you’ll still see one. It’s often people who know enough IT to do their own Internet setup, but not enough to do it safely.
    Some WPS cracks take days to pull off: it’s basically brute forcing of a number, only one that’s a lot shorter than most WPA passwords and with a defined maximum number of possibilities… Just that most modern routers block brute forcing of the PIN and so you need to get the timing right between ‘not taking ages’ and ‘slow enough so you don’t get blocked’. But even then: it’s a way more plausible route to crack a WPS PIN than to crack a WPA password.
    That being said: it’s becoming rare that you see it activated.

  • If ‘wifi’ is WEP, then you’re either dealing with a complete dumbass or a shark waiting for bait… Cracking this is like turning on a TV: just sit and watch it happen without doing much. Around here I nearly never see it anymore. I have one around me, but it’s a kind of monitoring system for a local government. Just to say: if you see WEP, think twice before you jump on it.

  • Another angle is a vulnerable device on the network. Say an Internet-facing security cam that runs vulnerable software. Then pivot from there.

  • Credential reuse: lots of breached credentials on the Internet. If the victim is found in there, you may be lucky that he has the same or a similar password.
    With all the Internet companies delivering the modems, most people tend to leave the default password, so probably less likely, and also a great investment in time and disk space to get breached credentials into a workable form.

  • If you have physical access, you can use tools like physical keyloggers or USB devices like a Rubber Ducky or a Bash Bunny to either plant a backdoor or exfiltrate the information.
    The downside here is that you’ll need about 10 seconds where your target is distracted from the screen if you’re talking Rubber Ducky, probably about 30 seconds with a Bash Bunny. With a physical keylogger you’ll either need some alone time in the room of about a minute, or the authority to pretend you’re doing something on the back of the computer. You’ll also need to retrieve your device afterwards. You don’t want to leave them to be seen and, at about $10 to $20 apiece, that’ll quickly become a costly hobby.

That’s about all angles I know of.

If anybody knows more things that are technical and have something to do with flaws in the protocols, I’d be very much interested in that.

  • WPS will leave you with the WiFi password. It also allows you to instantly get the new password if the guy changes it.
  • DNS rebinding or remote router access: since you’re in the router, you should see the password.
  • vulnerable devices on the network: if you gain root on them, you should be able to find the password as well
  • With physical access, same: exfiltrating clear-text credentials for wireless is easy and, if you keep it low key, not noticeable by AVs as far as I know. The hard part is getting it planted and removing it afterwards.
  • Cracking WPA: either you have a lot of spare cash, a victim that doesn’t like to type long words, or a lot of time.

Either way: best of luck
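The two brute-force claims in the answer above (a WPS PIN has a small, defined search space, while every WPA passphrase guess is expensive) carried through as working arithmetic. This is an added example; it is not code from the original thread, from reaver, or from any other tool mentioned. The `SimulatedRegistrar` class, the target PINs and the candidate word list are constructed here for illustration; the PMK test vector (passphrase "password", SSID "IEEE") is the one published in IEEE 802.11.

```python
"""WPS PIN search space vs. WPA2 passphrase cost (illustrative example)."""
import hashlib
import time


def wps_checksum(pin7: int) -> int:
    """Checksum digit that WPS appends to the 7 significant PIN digits."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def wps_search_space() -> dict:
    """Why the PIN is weak: the protocol confirms each half separately."""
    return {
        "naive_8_digit": 10 ** 8,
        "checksum_known": 10 ** 7,
        "split_halves_worst_case": 10 ** 4 + 10 ** 3,  # 11,000 guesses
    }


class SimulatedRegistrar:
    """Hypothetical AP (constructed for this example) that, like the real
    WPS exchange, leaks whether the first 4 digits are right (message M4)
    before the last 4 are ever checked (message M6)."""

    def __init__(self, pin: str):
        if not is_valid_wps_pin(pin):
            raise ValueError("not a valid WPS PIN")
        self.first, self.second = pin[:4], pin[4:]
        self.attempts = 0  # no rate limiting here; real APs may lock out

    def check_first_half(self, guess: str) -> bool:
        self.attempts += 1
        return guess == self.first

    def check_second_half(self, first: str, guess: str) -> bool:
        self.attempts += 1
        return first == self.first and guess == self.second


def recover_wps_pin(ap: SimulatedRegistrar) -> str:
    """Reaver-style enumeration: at most 10^4 + 10^3 attempts in total."""
    for i in range(10_000):
        first = f"{i:04d}"
        if ap.check_first_half(first):
            break
    else:
        raise RuntimeError("no first half matched")
    for j in range(1_000):  # only 3 free digits; the checksum is derived
        second = f"{j:03d}{wps_checksum(int(first + f'{j:03d}'))}"
        if ap.check_second_half(first, second):
            return first + second
    raise RuntimeError("no second half matched")


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    """Offline guessing. A real cracker derives the PTK from the captured
    4-way handshake nonces and checks the MIC; comparing PMKs directly
    stands in for that here because PBKDF2 dominates the per-guess cost.
    Returns (passphrase or None, number of guesses made)."""
    for n, word in enumerate(wordlist, 1):
        if wpa2_pmk(word, ssid) == target_pmk:
            return word, n
    return None, len(wordlist)


def pmk_guesses_per_second(ssid: str = "IEEE", samples: int = 20) -> float:
    """Rough single-core rate of the expensive step, for scale."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"guess{i:08d}", ssid)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    ap = SimulatedRegistrar("99999995")  # constructed worst-case PIN
    print("WPS search space:", wps_search_space())
    print("recovered", recover_wps_pin(ap), "after", ap.attempts, "attempts")
    # Constructed word list; only one entry matches the published test vector.
    words = ["letmein", "password", "hunter2"]
    print("dictionary attack:", dictionary_attack(wpa2_pmk("password", "IEEE"), "IEEE", words))
    rate = pmk_guesses_per_second()
    print(f"~{rate:.0f} PMK guesses/s here; 8 lowercase letters = 26**8 candidates")
```

The contrast is the whole point of the post: even in the worst case the simulated registrar gives up the PIN after 11,000 guesses, while the WPA side is bounded only by the passphrase space, so a long, non-dictionary passphrase pushes the cost past any reasonable budget of GPUs or time.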

Thank you very much