Wifi Hacking with Aircrack-ng

Aircrack-ng is a suite of tools specifically designed to test WIFI network security. In my experience, although there are many other WIFI network tools in use, the Aircrack-ng suite has provided the most long-term stability and the best out-of-the-box functionality. Other tools include Wifite2 and the WiFi Exploitation Framework, which I link below along with the official Aircrack-ng documentation.

Aircrack-ng: https://www.aircrack-ng.org

Wifite2: https://github.com/derv82/wifite2

WiFi Exploitation Framework: https://github.com/ewanmoak/Wifi-Exploit


For the purpose of this demonstration I will be using the Panda Wireless PAU09 wireless adaptor. However, as long as your wireless adaptor supports monitor mode, the process should be roughly the same.

There are a multitude of WIFI attack methodologies, but I break down WIFI hacking into 4 phases.

  • Tools Setup and Configuration

  • Network Discovery and Target Selection

  • Attack and Capture

  • Password Cracking

Tool Setup and Configuration

Step 1:

  • Check to make sure your wireless adaptor is showing up as a network interface.

  • Enter “iwconfig” and verify that “wlan0” is listed.

Step 2:

  • Next, put the wireless adaptor into monitor mode.

  • Enter “airmon-ng check kill”. This command checks for processes that might interfere with airmon-ng and kills those processes.

  • Enter “airmon-ng start wlan0”. This command puts the wireless adaptor into monitor mode.

  • Check that the adaptor is in monitor mode with “iwconfig”; your “wlan0” should now be listed as “wlan0mon”.

Network Discovery and Target Selection

Step 1:

  • Enter “airodump-ng wlan0mon --band a” to start searching for wireless networks around you. “--band a” searches the 5GHz band; “b” and “g” are the 2.4GHz bands.

  • Once you find the wireless network you would like to attack, stop airodump-ng with “Ctrl+C” and make a note of the following:

    • BSSID

    • Channel (CH)

Attack and Capture

Step 1:

  • Enter “airodump-ng -c <channel> --bssid <bssid> -w <capture file name> wlan0mon”

  • This starts the capture for that network; the WPA handshake is what you are waiting for, and you should see the beacon count increase. This process can take quite a long time. To speed it up, it's helpful to deauth a client on the network.

Step 2:

  • Deauthing a client on the network will cause the client to reconnect, which speeds up the rate of packet capture.

  • Open another terminal and enter the following command:

    • aireplay-ng -0 10 -a <MAC address of access point> -c <MAC address of client to deauth> wlan0mon

    • -0: deauth attack

    • 10: number of deauths (0 sends deauths continuously, i.e. a denial of service)

    • -a: MAC address (BSSID) of the access point

    • -c: MAC address of the client to deauth

  • Once the WPA handshake is captured you will get an alert at the top of the screen.

  • At this point you have the capture file and no longer need to be in range of the network. You can do the next step at your leisure.
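The deauthentication frames injected in Step 2 are unprotected 802.11 management frames, so a monitor-mode sensor on the defender's side can spot a burst of them. As an added example, not from the original post or from the Aircrack-ng project, the Python below decodes the frame control field and addresses of raw 802.11 frames and flags any transmitter that sends more than a threshold of deauth/disassociation frames within a time window; the MAC addresses, timestamps and threshold are constructed sample values.

```python
import struct
from collections import defaultdict, deque

# 802.11 management-frame subtypes that tear down a client's association
DISASSOC, DEAUTH = 0x0A, 0x0C

def parse_frame(frame: bytes):
    """Decode the 802.11 MAC header into (type, subtype, addr1, addr2, reason)."""
    if len(frame) < 24:                      # shorter than a full management header
        return None
    fc = frame[0]                            # first byte of the frame control field
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    addr1, addr2 = frame[4:10].hex(":"), frame[10:16].hex(":")
    reason = None
    if ftype == 0 and subtype in (DISASSOC, DEAUTH) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]   # little-endian reason code
    return ftype, subtype, addr1, addr2, reason

def flood_sources(frames, window_s=1.0, threshold=5):
    """Flag transmitters sending more than `threshold` deauth/disassoc frames
    within any `window_s` seconds. frames: (timestamp, raw_bytes) in time order."""
    recent, flagged = defaultdict(deque), {}
    for ts, raw in frames:
        parsed = parse_frame(raw)
        if parsed is None or parsed[0] != 0 or parsed[1] not in (DISASSOC, DEAUTH):
            continue                         # runts and non-teardown frames are ignored
        src = parsed[3]                      # addr2 = transmitter (spoofable, so just a label)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:    # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

def build_frame(ftype, subtype, dst, src, bssid, body=b""):
    """Constructed sample frame: frame control, duration, addr1-3, sequence control, body."""
    fc = (ftype << 2) | (subtype << 4)
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("<BBH", fc, 0, 0) + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00" + body

# Constructed traffic (not a real capture): one beacon, then ten deauths spoofing the AP.
AP, CLIENT = "02:00:00:00:aa:01", "02:00:00:00:cc:02"
SAMPLE = [(0.0, build_frame(0, 0x08, "ff:ff:ff:ff:ff:ff", AP, AP))]
SAMPLE += [(0.1 * i, build_frame(0, DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7)))
           for i in range(1, 11)]

if __name__ == "__main__":
    print(flood_sources(SAMPLE))             # {'02:00:00:00:aa:01': 10}
```

Because the transmitter address is spoofed in this attack, the flagged address identifies the victim AP rather than the attacker; it tells you the network is under a deauth flood, not who is sending it.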

Password Cracking

Step 1:

  • You should now have a .cap file containing the captured WPA handshake (not the password itself; that still has to be cracked from the handshake).

Step 2:

  • We are going to use a dictionary attack to attempt a password crack. Keep in mind you might have to create a custom wordlist tailored to WIFI passwords if traditional lists do not produce results.

  • For cracking the password enter the following command:

    • aircrack-ng -w <path to wordlist> -b <MAC address of access point> <name of .cap file>

  • If the password crack is successful you will receive a “KEY FOUND!” message with the network password in clear text. If the key is not found, try a different dictionary.

Final Notes

Please keep in mind that the Aircrack-ng suite is far more complex and offers many more options than what has been shown here. Refer to the official Aircrack-ng documentation for more options and command troubleshooting.