Wifi Hacking with Aircrack-ng
Aircrack-ng is a suite of tools designed specifically for testing Wi-Fi network security. In my experience, although many other Wi-Fi tools are in use, the Aircrack-ng suite has provided the best long-term stability and the best out-of-the-box functionality. Other tools include Wifite2 and the WiFi Exploitation Framework, which I link below along with the official Aircrack-ng documentation.
Aircrack-ng: https://www.aircrack-ng.org
Wifite2: https://github.com/derv82/wifite2
WiFi Exploitation Framework: https://github.com/ewanmoak/Wifi-Exploit
For the purpose of this demonstration I will be using the Panda Wireless PAU09 wireless adapter. However, as long as your wireless adapter and its driver support monitor mode, the process should be roughly the same.
There are a multitude of Wi-Fi attack methodologies, but I break Wi-Fi hacking down into 4 phases:
Tool Setup and Configuration
Network Discovery and Target Selection
Attack and Capture
Password Cracking
Tool Setup and Configuration
Step 1:
Check to make sure your wireless adapter is showing up as a network interface.
Enter “iwconfig” and verify that the adapter is listed (in this walkthrough it appears as “wlan0”; the name may differ on your system, so substitute yours in the commands that follow).
Step 2:
Next, put the wireless adapter into monitor mode.
Enter “airmon-ng check kill”. This command checks for processes that might interfere with airmon-ng (such as network managers) and kills them.
Enter “airmon-ng start wlan0”. This command puts the wireless adapter into monitor mode.
Check that the adapter is in monitor mode with “iwconfig”: your “wlan0” should now be listed as “wlan0mon” with Mode:Monitor. If airmon-ng reports a different interface name, use that name in the remaining commands.
Network Discovery and Target Selection
Step 1:
Enter “airodump-ng wlan0mon --band a” to start searching for wireless networks around you. “--band a” restricts the scan to 5 GHz networks; “b” and “g” select 2.4 GHz, and the letters can be combined (for example “--band abg”) to scan both bands.
Once you find the wireless network you would like to attack stop airodump-ng with “Ctrl+C” and make note of the following:
BSSID
Channel (CH)
Attack and Capture
Step 1:
Enter “airodump-ng -c <channel> --bssid <bssid> -w <name capture file> wlan0mon”
This will start the capture process, and you should see the number of beacons increase. What you are waiting for is a client to authenticate to the network, because only the WPA handshake exchanged at that moment is useful for cracking. This can take quite a long time, so it is helpful to deauth a client on the network.
Step 2:
Deauthing a client on the network forces it to disconnect and reconnect, and the reconnection produces the handshake you are waiting for, which speeds up the capture.
Open another terminal and enter the following command:
aireplay-ng -0 10 -a <MAC address of access point> -c <MAC address of client to deauth> wlan0mon
-0: deauthentication attack
10: number of deauth bursts to send (0 sends deauths continuously, which is effectively a denial of service against that client)
Once the WPA handshake is captured you will get an alert at the top of the screen.
At this point, you have the capture file and no longer need to be in range of the network. You can do the next step at your leisure.
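The deauth burst used in Step 2 is also exactly the pattern a wireless IDS watches for. As an added example that is not part of the original post and not an Aircrack-ng tool, this Python detector flags a source address that emits many deauthentication frames within a short window; the frame-record format, MAC addresses and sample frames are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data (hypothetical MAC addresses, not from the post).
# Each record mimics what a monitor-mode sniffer logs for a management frame:
# (timestamp in seconds, frame subtype, source MAC, destination MAC).
AP = "aa:bb:cc:00:00:01"        # hypothetical access point BSSID
CLIENT = "de:ad:be:ef:00:01"    # hypothetical associated client
BROADCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = [
    (100.00, "beacon", AP, BROADCAST),
    (100.10, "beacon", AP, BROADCAST),
    (100.50, "deauth", AP, CLIENT),   # a lone deauth (e.g. idle timeout) is normal
    (110.00, "beacon", AP, BROADCAST),
] + [
    # a burst of 8 deauths within 0.35 s, the shape an aireplay-ng -0 run produces
    (120.00 + i * 0.05, "deauth", AP, CLIENT) for i in range(8)
]

DEAUTH_THRESHOLD = 5   # this many deauth frames from one source address ...
WINDOW_SECONDS = 2.0   # ... inside this many seconds raises an alert


def detect_deauth_bursts(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of deauthentication frames per source address.

    Returns one (source, first_ts, last_ts, count) per source whose count
    reaches `threshold` inside any `window`-second span. A forged deauth
    carries the AP's BSSID as its source, so the alert names the address
    being impersonated, not the real sender; attributing the sender needs
    signal-strength or sequence-number analysis, which is out of scope here.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, subtype, src, _dst in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue
        window_q = recent[src]
        window_q.append(ts)
        while ts - window_q[0] > window:   # evict timestamps older than the window
            window_q.popleft()
        if len(window_q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, window_q[0], ts, len(window_q)))
    return alerts


def run_sample():
    return detect_deauth_bursts(SAMPLE_FRAMES)


if __name__ == "__main__":
    for src, first, last, n in run_sample():
        print(f"deauth burst: {n} frames claiming source {src} between t={first:.2f}s and t={last:.2f}s")
```

The threshold and window are tuning knobs: a single deauth per client every few minutes is ordinary AP housekeeping, while dozens in under a second are not.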
Password Cracking
Step 1:
You should now have a .cap file containing the captured WPA handshake. The password itself is never sent over the air; the handshake lets a cracker test guesses against it offline, which is what the next step does.
Step 2:
We are going to use a dictionary attack to attempt to crack the password. Keep in mind that you might have to create a custom wordlist tailored to Wi-Fi passwords if traditional lists do not produce results.
For cracking the password enter the following command:
aircrack-ng -w <path to wordlist> -b <MAC address (BSSID) of access point> <name of .cap file>
If the crack is successful you will receive a “KEY FOUND!” message with the network password in clear text. If the key is not found, the password is simply not in that wordlist; try a different dictionary.
Final Notes
Please keep in mind that the Aircrack-ng suite is far more complex and offers many more options than what has been shown here. Refer to the official Aircrack-ng documentation for more options and command troubleshooting.