Hack WiFi
Using The Aircrack-ng Suite
Aircrack-ng Suite
The Aircrack-ng suite is a collection of wireless network security tools designed for auditing and testing the security of Wi-Fi networks.
It is widely used by security professionals and network administrators to assess the vulnerability of wireless networks and to perform penetration testing.
The suite includes several individual tools that serve different purposes:
- Airodump-ng: Airodump-ng is a packet capture tool used for capturing and analyzing wireless network packets. It allows you to monitor nearby Wi-Fi networks, capture packets, and obtain important information such as MAC addresses, signal strength, channel, and encryption type.
- Aireplay-ng: Aireplay-ng is a tool used for injecting and replaying network packets. It supports various types of attacks, such as deauthentication attacks, ARP request replay attacks, and fragmentation attacks. These attacks can be used to test the security of wireless networks and to perform various exploits.
- Airmon-ng: Airmon-ng is a script used for managing wireless network interfaces. It allows you to enable and disable monitor mode on wireless interfaces, which is essential for capturing and analyzing network packets.
- Aircrack-ng: Aircrack-ng is the primary tool in the suite used for cracking WEP and WPA/WPA2 encryption keys. It uses captured packets and various techniques to recover the encryption keys, allowing authorized access to a Wi-Fi network.
Aircrack-ng Commands
airodump-ng
| Option | Description |
|---|---|
--channel, -c |
Specify the channel to capture packets from. |
--bssid, -b |
Filter results based on the BSSID (MAC address) of the target network. |
--output-format, -o |
Specify the output file format for captured data (e.g., pcap, csv). |
--write, -w |
Write captured packets to a file. |
--encrypt, -e |
Filter results based on the encryption type of the target network. |
--manufacturer, -M |
Display manufacturer information of connected clients. |
aireplay-ng
| Option | Description |
|---|---|
--deauth, -0 |
Send deauthentication packets to a client or access point. |
--fakeauth, -1 |
Perform fake authentication with an access point. |
--arpreplay, -3 |
Perform an ARP request replay attack. |
--fragment, -5 |
Perform a fragmentation attack on WEP encryption. |
--interactive, -I |
Run in interactive mode, allowing manual selection of attacks. |
--ignore-negative-one, -O |
Ignore the use of negative one (-1) as a special value. |
aircrack-ng
| Option | Description |
|---|---|
--b, -b |
Specify the BSSID (MAC address) of the target network. |
--w, -w |
Specify the wordlist file for password cracking. |
--e, -e |
Specify the ESSID (name) of the target network. |
--k, -k |
Specify the key index for WEP cracking. |
--split, -s |
Split output files based on ESSID for WPA cracking. |
--ignore-negative-one, -O |
Ignore the use of negative one (-1) as a special value. |
This tutorial covers wifi hacking by obtaining a WPA handshake.
The 4-way WPA handshake is a crucial step in establishing a secure connection between a client device and a wireless access point (AP).
It is used in WPA and WPA2 (Wi-Fi Protected Access) security protocols to authenticate and encrypt communication between the client and the AP.
The handshake involves four messages exchanged between the client and the AP:
- Message 1: The AP sends a nonce (random number) to the client.
- Message 2: The client combines the AP's nonce with its own nonce, generates an encryption key, and sends it back to the AP in an encrypted form.
- Message 3: The AP confirms the encryption key and sends its own nonce to the client to verify the connection.
- Message 4: The client acknowledges the AP's nonce, establishing a secure connection with the AP.
Starting The Attack
Aircrack-ng is a security auditing tool for Wifi. Aircrack-ng comes pre-installed on Kali Linux. On linux systems you can install it by using this command:
$sudo apt-get install aircrack-ng
To begin the attack you have to check if there are any processes that may interfere with the process.
$sudo airmon-ng checkThen type:
$sudo airmon-ng check kill
This command is done to check for any running processes that may interfere and shuts them down
Now you must put your wifi adapter into monitor mode
This can be done in two ways, here we will just cover the Aircrack-ng suite method
To put you adapter into monitor mode:
$sudo airmon-ng start wlan0
You wireless interface may be called something else like wlan1
Now that you are in monitor mode you are ready to scan the airwaves and find the wifi network that you want to hack!
To scan the air type this command:
$sudo airodump-ng wlan0
There are other options that you can use with airodump-ng. You can get manufacturer information, WPS details, target a specific network, even GPS location. The most important option is the '-w' option. This option is to write details to a file such as the WPA handshake that we will use to crack the password later. Other options include
- -w (write to file)
- --bssid (use this option to target a specific network)
- --manufacturer (get manufacturer details
- --wps (wps details)
- --showack (show acknowledgement packets)
- --channel (set channel)
Now you should be looking at a list of wifi networks available. It is possible to capture a WPA handshake by monitoring all the networks but that will take a lot of time. Targeting a specific network is the best way, to do this:
$sudo airodump-ng --bssid [TARGET MAC ADDRESS] -w [FILE] wlan0
You are now monitoring one network. You can wait until somebody authenticates themselves into the network, but that could take a while. De-authenticating a device is the most efficient way to do this. When a device authenticates into the network is when the WPA handshake can be obtained. Devices on the network will be shown under the 'stations' column, if none show you can do a fake authentication into the network to be able to get more data, do that by doing this:
$sudo aireplay-ng --fakeauth 10 -a [access point] -h [your adapter MAC] wlan0
Now pick a device and de-authenticate them:
$sudo aireplay-ng --deauth 30 -a [access point] -c [device MAC]
Now when the device re-authenticates into the network we should have the WPA handshake
We can now use aircrack-ng to crack the password by comparing a list of passwords against the handshake to find the correct password
$sudo aircrack-ng -w rockyou.txt -b 84:D8:1B:06:EF:06 scan.cap
Wait and watch for results. The password has to be in your wordlist for this to work. results depend on the password complexity