Can you hear things’ talk? — Hacking a WiFi router

K. Suksomboon
5 min read · May 4, 2020
Wireless USB adapter, Alfa Network model AWUS036NH | Photo by me!

Can you hear things talk?!!

What is a simple way to hear your things talk to your home’s WiFi router? The question popped into my head once I had an Alexa Echo Spot with me and let her connect to my home’s WiFi router. I also introduced my other Internet of Things (IoT) devices to Alexa and let her be the boss of everything. This was quite simple to do, since I shared my home WiFi with Alexa and the IoT devices. However, I was wondering what Alexa and the IoT devices said to my WiFi router, and of course what they said to each other.

Well, the tools for listening to what Alexa and my IoT devices say to my WiFi router are:

  1. WiFi Router (D-Link LTE)
  2. Wireless USB adapter (Alfa network, model AWUS036NH)
  3. Computer with Kali Linux installed (version 2020.1, codename: kali-rolling)
  4. Wireshark
  5. Aircrack-ng

I set up a small network with those tools by plugging the wireless USB adapter into my Kali Linux computer and connecting the computer to the Internet via an Ethernet interface. That simple setup allows me to sniff packets travelling over the air with Aircrack-ng and Wireshark.

Alexa echo spot | Photo by me!

Turn a wireless USB adapter into monitor mode

My magic tool for sniffing what things say to my WiFi router is a wireless USB adapter. Let’s start setting it up in a terminal. I open a terminal and type a command to check the network interfaces.

ifconfig
“ifconfig” for checking your network interfaces

The result on the terminal shows that this computer has a wlan0 interface, which has already received a local IP address. Then I check the wireless connection with the “iwconfig” command. Of course, it is in managed mode.

iwconfig
wlan0 is in “Managed mode”.

Besides, I can check whether my WiFi USB adapter’s chipset is compatible with airmon-ng or not. The compatible chipsets are listed on this website. The most popular ones are:

Atheros AR9271
Ralink RT3070
Ralink RT3572
Ralink RT5572
Realtek RTL8812AU
Ralink RT5370N

To make sure that my wireless USB adapter is in the list, I can check its chipset by typing the command “lsusb” or “airmon-ng”. The result shows that my wireless adapter’s chipset is “Ralink RT3070”, which is compatible.

lsusb
Check the chipset of the wireless adapter: RT2870/RT3070.
airmon-ng  ## check the WiFi adapter chipset
Check chipset with “airmon-ng”.

Before switching the wireless adapter to “monitor mode”, I check it first by typing the command “airmon-ng check”.

airmon-ng check
airmon-ng check | Check running processes

There may be more than one process running. The guidance printed after the command tells you to kill them.

airmon-ng check kill

Then I switch the wireless adapter from “managed mode” to “monitor mode” with the command “airmon-ng start [wlanX]”, where [wlanX] is the wireless interface that I want to put into monitor mode. In my case, I use “wlan0”.

airmon-ng start wlan0

The WiFi interface name “wlan0” was changed to “wlan0mon” and it is ready for monitoring. Now I can observe which WiFi router I want to sniff by typing the command “airodump-ng wlan0mon”.

airodump-ng wlan0mon

From the result, I see a lot of WiFi routers broadcasting around me. Then I select my WiFi router, whose ESSID is “CPS”, as the target. The information we will use next is the “bssid” and the “channel”. The result shows that the ESSID “CPS” has BSSID “00:AD:24:BA:1A:1C”, is on channel 10 (CH: “10”) and is encrypted with WPA2. To capture the 4-way handshake (EAPOL packets) from the CPS WiFi, we have to specify its channel with “-c 10” and its BSSID with “--bssid 00:AD:24:BA:1A:1C”, and write to the file name “wpa_cps”.

airodump-ng -c 10 --bssid 00:AD:24:BA:1A:1C -w wpa_cps wlan0mon

What I need now is “waiting and waiting…”. How long should I wait? Well, I wait until a thing connects to this WiFi. To be able to crack the encrypted messages, I have to wait for EAPOL messages.

Three things connected to the CPS WiFi, and their EAPOL messages were captured. Wireshark also shows the “EAPOL” messages it captured. (To make EAPOL messages pop up quickly, you may need to de-authenticate the connected things.) To crack the WiFi password, I create a “password.lst” file which contains a list of passwords. In this case, I put the correct password, “1q2w3e4r”, in the list. In practice, however, you can choose common passwords from the Internet. I use the command “aircrack-ng -a2 wpa_cps-01.cap -w password.lst”. The “-a2” option is used for the EAPOL-message cap file and the “-w” option specifies the password list file. I also use Wireshark to capture the packets. The result shows that the matching password is “1q2w3e4r”.

aircrack-ng -a2 wpa_cps-01.cap -w password.lst

So, what happens in Wireshark?

I wondered how to decrypt the captured packets in Wireshark. Wireshark shows only the 802.11 protocol. So I enter “Decryption keys” in the IEEE 802.11 preferences and add a “wpa-psk” entry with the key. The key in plaintext is actually “1q2w3e4r”, which may not work for WPA2 decryption. To solve this problem, I calculate the WPA key as a hexadecimal key from this website.
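The hexadecimal key that the website computes is the WPA-Personal pairwise master key (PMK): PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes. The following is an added example (not the author’s code or the website’s) that derives it locally and formats both key entries Wireshark’s 802.11 preferences accept; the passphrase “1q2w3e4r” and ESSID “CPS” are the article’s values, and the rest is standard Python.

```python
"""Derive the WPA/WPA2-Personal PMK from a passphrase and SSID, and format it
as a Wireshark 802.11 decryption-key entry.

Added example, not the article's own code.  The derivation is the one defined
by IEEE 802.11i for WPA-PSK:
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
"""
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by the standard
PMK_LEN = 32               # 256-bit key, shown as 64 hex digits


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a WPA-Personal network.

    The standard restricts the passphrase to 8..63 printable ASCII characters
    and the SSID to 1..32 bytes, so those limits are checked before deriving.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if not (passphrase.isascii() and passphrase.isprintable()):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes,
                               PBKDF2_ITERATIONS, PMK_LEN)


def wireshark_wpa_psk_entry(passphrase: str, ssid: str) -> str:
    """Hex form for Wireshark's 802.11 decryption keys: 'wpa-psk:<64 hex>'."""
    return "wpa-psk:" + wpa_psk(passphrase, ssid).hex()


def wireshark_wpa_pwd_entry(passphrase: str, ssid: str) -> str:
    """Plaintext form Wireshark also accepts: 'wpa-pwd:<passphrase>:<SSID>'.
    Wireshark then runs the same PBKDF2 derivation itself."""
    wpa_psk(passphrase, ssid)   # reuse the validation; result not needed
    return f"wpa-pwd:{passphrase}:{ssid}"


if __name__ == "__main__":
    # The article's network: passphrase "1q2w3e4r", ESSID "CPS".
    print(wireshark_wpa_psk_entry("1q2w3e4r", "CPS"))
    print(wireshark_wpa_pwd_entry("1q2w3e4r", "CPS"))
```

Because the PMK depends only on the passphrase and SSID, every device on the network shares it, which is why one recovered passphrase decrypts all clients’ traffic in Wireshark; a long, random passphrase is what makes the per-candidate PBKDF2 work in a dictionary attack impractical.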

Finally, I can see the TCP and HTTP messages of the things talking.

Wrap up

Hacking a WiFi router is possible with a WiFi USB adapter in monitor mode, which can sniff the messages things send to the WiFi router. Even though the messages are encrypted with WPA or WPA2, if your WiFi router has a weak password they can be decrypted easily. So, please make sure your WiFi password is not too easy to guess.
