Cracking Open WiFi Networks | Networks With No Encryption & Security

by hash3liZer . 04 June 2018

Cracking Open WiFi Networks | Networks With No Encryption & Security

In this tutorial, we will see how a wireless network with no Encryption protocols at all protect itself by using an authorized list of users and how we can break through this. Basically, what we are talking about is MAC filtering. It's a feature that makes use of the provided list to permit a client, connecting to network.

Sometimes, when you go to a public place, a library or an educational institute, It's common for you to see encryptionless WiFi networks available to use for everyone. But it's not always true as you may have encountered this when you try to connect which just never happens. It's takes either too long for it to respond or either it just gets saved in your connected networks list.

Mac Filter

So, this actually works after enabling MAC filter in the router preferences. The router is instructed to handle the nodes based on a MAC list, either it uses the list to dissociate clients or either to permit those clients. When a new connection is encountered, router firmware make decision for the client based on this list, if enabled.

So, basically what's protecting the network here is one's MAC address and which is always broadcasted either through the data frames and probe frames after a specific interval of time. Hence, available for us to see, copy and use.

Attack Logic

The idea here is to first get the MAC addresses of all the connected clients. Occupy one of the client's MAC address. Dissociate her from the Access Point and connect to the WiFi.


Get the List

Get the MAC addresses of all the connected devices with airodump-ng.

airmon-ng start wlan0
airodump-ng --bssid [ AP BSSID ] -c [ AP CHANNEL ] wlan0mon

Now, change your interface MAC address:

ifconfig wlan1 down
macchanger -m [ new mac ] wlan1
ifconfig wlan1 up


Now, we have to disconnect the target client from the access point. Remember, a network cannot have two clients of same MAC addresses. The last layer of the network model is responsible for transferring data on the wire from one node to another which makes heavy use of MAC, uniquely assigned to a network adapter. This would create traffic problems when two users of same MAC try to communicate with other resources.

Hence, it is always suggested to kick off the target client before you connect to it.

aireplay-ng -00 -a [ AP MAC ] -c [ CLIENT MAC ] wlan0mon

Note the parameters:

  • -00: this will perform a DoS attack on the client
  • -a: BSSID of target Access Point
  • -c: BSSID of client connect to Access Point

Now, you can connect....



We've learnt how open wireless networks lead on people by using a filtered list of authorized users and how to keep others from connecting to it. Then we learnt that these devices broadcast their MAC addresses after specific intervals in the form of packets which we capture through the famous airodump-ng utility. Then we engaged in with a client by occupying her MAC address, kicked her out and connected to network.