Topic: Cracking my neighbors wifi

Avengers
Cracking my neighbors wifi
« on: August 12, 2015, 05:11:53 PM »
Alright, so I've been spending a lot of time reading and watching videos on hacking and I'm currently about 25% through a penetration testing course designed to work you towards a CEH (which I'd love to have someday, although I plan to be more gray hat) and I'm trying to gain access to my neighbors' network by cracking the WPA/WPA2 handshake. I've already captured it and run it through rockyou.txt as well as some hashcat brute-forcing using digits I thought might be in the passcode as they were in the default SSID our ISP gave our neighbors' router. My neighbors aren't tech savvy and it's pretty safe to say everything is still at default.

Going off of what the same ISP set MY router password as, it is most likely the last 5 sections of the router's internal MAC address. My router's MAC address is in the format of: 11:11:A1:11:11:A1 (where 1 is a number and A is a letter) and the default passcode is 11A11111A1. I have no choice but to hope this is the same format for my neighbor as a 10-digit passcode will be impossible to straight up brute force. I'm currently trying to brute force this format with oclHashcat, but it's supposed to take 6 days, and I'm not sure if this is the format Frontier (my ISP) would even use... I'd love to find out my ISP's password creation policy but I have a hunch it is the internal MAC of the router... internal being NOT the one you'd get from airodump-ng. Is there a way for me to get that internal MAC address without being on my neighbors' network?

th31nitiate
Re: Cracking my neighbors wifi
« Reply #1 on: August 12, 2015, 05:25:22 PM »
Can you explain a bit more about what you mean by internal MAC?

proxx
Re: Cracking my neighbors wifi
« Reply #2 on: August 12, 2015, 05:30:23 PM »
[quoting Avengers' opening post]

Basically no.
Entirely depends on which MAC addr; if it is the AP's MAC, well then yes.
In this case just run airodump and make note of the BSSID.
If it is the (or one of the) ethernet interface(s), which I think is what you mean, then no.
« Last Edit: August 12, 2015, 05:31:43 PM by proxx »

white-knight
Re: Cracking my neighbors wifi
« Reply #3 on: August 12, 2015, 05:44:09 PM »
You can look more into the routers you and your neighbors have. Maybe you can generate a custom wordlist off some MAC addresses you find.

Also, in case it was changed, most "non tech savvy" people will change it to something simple like a phone number, address and so on. So you could also generate a wordlist starting with the area code.

Avengers
Re: Cracking my neighbors wifi
« Reply #4 on: August 12, 2015, 06:05:13 PM »
[quoting white-knight, Reply #3]

I'm not sure what router they have, but I found a few on our ISP's website and being as they just moved in, it's safe to say they're probably using one of the ones on the website guides. How could I go about finding MAC addresses of these routers?

And yes, I'm not talking about the AP MAC, I'm talking about the other one.

0E 800
Re: Cracking my neighbors wifi
« Reply #5 on: August 12, 2015, 08:18:24 PM »
A lot of times the password is the home phone number.

Create a wordlist for your area code:

Code:
    seq 5101000000 5109999999 > phone.txt
Where 510 is your area code.

Try that list against your handshake.


iTpHo3NiX
Re: Cracking my neighbors wifi
« Reply #6 on: August 12, 2015, 09:23:22 PM »
Ok, APs have one MAC address, however all MAC addresses are 10 characters long and are 0-9 and A-F (capital only); also most ISPs use a 10 character to 15 character default password.

However these are pretty hefty wordlists and without a GPU's help will take forever. Phone numbers with directed area codes will be much better.

white-knight
Re: Cracking my neighbors wifi
« Reply #7 on: August 12, 2015, 09:41:34 PM »
The only way to find the MAC of the actual router is to either physically look at it or get connected to their network.

If you can't crack the handshake then try WPS and other methods.

If you can't do that then just ask to see their router, I'm sure they won't mind :o

proxx
Re: Cracking my neighbors wifi
« Reply #8 on: August 12, 2015, 11:00:22 PM »
Well, you can find the vendor based on the BSSID.
You can then check the vendor MAC space; shouldn't be that big.
Might cut a few zeros from that bruteforce time.
« Last Edit: August 12, 2015, 11:00:50 PM by proxx »
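A defender-side check for the default patterns discussed in 0E 800's and proxx's replies above (a passphrase copied from the router's MAC, a local phone number, and why a 10-hex-character default falls in days while an area-code list falls in seconds). This is an added example, not code from the thread or from any vendor; the BSSID, area code and guess rate are constructed values, and it assumes only the AP's own MAC is known, not the LAN-side one the opening post asks about.

```python
import re
import string

HEX = set(string.hexdigits.upper())

# Constructed example values; not a real network.
EXAMPLE_BSSID = "00:1F:90:AB:CD:EF"  # hypothetical AP MAC


def mac_derived_candidates(mac):
    """Strings an ISP-style default may be copied from: the whole MAC with
    separators stripped, its last five octets (the shape in the opening
    post: 11:11:A1:11:11:A1 -> 11A11111A1) and its last four octets."""
    octets = mac.upper().replace("-", ":").split(":")
    return {"".join(octets), "".join(octets[1:]), "".join(octets[2:])}


def audit_passphrase(passphrase, bssid, area_code):
    """Return the reasons a WPA2 passphrase looks like a guessable default,
    using only the patterns this thread discusses. Assumption: the router's
    LAN MAC is unknown, so the passphrase is compared to the BSSID only."""
    p = passphrase.strip()
    reasons = []
    if len(p) < 12:
        reasons.append("shorter than 12 characters")
    if p.upper() in mac_derived_candidates(bssid):
        reasons.append("copied from the AP's own MAC address")
    elif re.fullmatch(r"\d{10}", p) and p.startswith(area_code):
        reasons.append("10-digit number in the local area code: a phone number")
    elif len(p) in (8, 10, 12) and set(p.upper()) <= HEX:
        reasons.append("hex-only string of MAC length: fits a MAC-derived mask")
    return reasons


def brute_force_seconds(keyspace, guesses_per_second):
    """Seconds needed to try every candidate at a given WPA2 guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    for pw in ("1F90ABCDEF", "5105551234", "11A11111A1", "correct-horse-7Xq"):
        print(pw, audit_passphrase(pw, EXAMPLE_BSSID, "510") or ["no default pattern found"])
    # 16**10 candidates at a constructed rate of 2 million guesses/s is about
    # 6.4 days, the order of magnitude the opening post reports for its mask.
    print(round(brute_force_seconds(16 ** 10, 2_000_000) / 86400, 1), "days for a 10-hex-char mask")
    # Every 10-digit number in one area code (10**7 candidates) at the same rate.
    print(brute_force_seconds(10 ** 7, 2_000_000), "seconds for one area code")
```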

kenjoe41
Re: Cracking my neighbors wifi
« Reply #9 on: August 13, 2015, 02:04:27 AM »
[quoting white-knight, Reply #7]
I was also going to say that when all fails, befriend the neighbours and SE them into showing you that nice cool router they have since you also want to buy one or something.

iTpHo3NiX
Re: Cracking my neighbors wifi
« Reply #10 on: August 13, 2015, 04:44:13 AM »
[quoting kenjoe41, Reply #9]

Doesn't work when the neighbors like "what's a router" idk I have the one from <insert isp name here>

aes256 (Guest)
Re: Cracking my neighbors wifi
« Reply #11 on: August 13, 2015, 11:17:20 AM »
Try an evil twin attack and social engineer them into giving you it. Or you can check if WPS is enabled or not to crack the 8-digit PIN of the router, which will usually take you 8 hours or so since it's only 8 digits you are cracking. Cracking with a dictionary almost always fails.

And, exactly why are you fucking with your neighbors? After you're in, you are going to run Armitage and exploit their computers? I don't see the point. I guess you are just testing what you are learning on someone you don't have permission to do it on, and for the "lulz" of course.
« Last Edit: August 13, 2015, 11:19:47 AM by aes256 »

Avengers
Re: Cracking my neighbors wifi
« Reply #12 on: August 13, 2015, 06:30:26 PM »
[quoting aes256, Reply #11]

I've never tried an evil twin before, so I'll do some research and whatnot, but would I have to go any further than replicating their AP and one way or another bumping them off theirs, making them jump to mine and in doing so forcing them to re-enter the password that I'd then have?
And to answer your question: I really am doing it to see if I can gain access to their network. I don't plan on stealing anything or spying; my goal is to just get into the network, and then try to use hydra to hop on the router if I can. Nothing malicious in mind.


Also thanks to everyone with the brute-force suggestions, I'm new here and I appreciate the time taken to respond a TON!  ;D
I'll probably try some different brute-force ideas before I go evil twin, the less invasive I can be, the better while I do this.


PS the router is NOT WPS enabled so I can't use any of those suggestions :/
« Last Edit: August 13, 2015, 06:39:21 PM by Avengers »

iTpHo3NiX
Re: Cracking my neighbors wifi
« Reply #13 on: August 13, 2015, 08:10:39 PM »
Evil Twin will only work if you have some strong antennas. Look into the YAGI

Avengers
Re: Cracking my neighbors wifi
« Reply #14 on: August 13, 2015, 08:23:28 PM »
[quoting iTpHo3NiX, Reply #13]
I'm using a TP-LINK WN722N as my wifi card, and my neighbors are literally next door. I have no clue where their router is, but if I turn the power all the way up on the card do you think I'd have a chance?

EDIT: Also I looked into the MAC vendor and it's Actiontec, just in case anyone has any experience related to Actiontec routers.

EDIT 2: (Sorry, last edit I swear) So I've been looking at the example 10-character passwords in router manuals from Actiontec and ones listed on my ISP's site, and I've noticed each 10-character passcode uses an 8-character character set... Now I'm thinking about trying to find some more passwords online, looking at the character sets and using the most common characters for an oclHashcat mask...

EDIT 3: (I lied) So I discovered that the only Actiontec router my ISP talks about is the Actiontec MI424WR Rev. I, which by default has a 16-digit passphrase, but it also has WPS, but I know it's not WPS enabled.
« Last Edit: August 13, 2015, 09:21:12 PM by Avengers »
