The aircrack-ng Suite
Introduction
Disclaimer: I carried out this attack on my own network, all MAC Addresses and names have been faked. This tutorial is for learning purposes only and should not be used for any illegal activities.
Source LINK
Aircrack-ng is a suite of tools that allows you to monitor, gather packets, inject them and finally crack a networks key in order to gain access. Nearly all wireless networks now use WPA2 for security as you will see WEP security just wont meet the requirements any more.
Most wireless networks will use either WEP or WPA, to be able to crack either of these you will need to have a wireless card that can both monitor and inject packets. I've aimed this tutorial as a step by step for beginners, so if you already know how to setup your wireless card ready for an attack crack on
Step 1 - Setting up your wireless card.
In order to capture network traffic without associating with the target access point we need to set our wireless network card in monitor mode. To do this open a terminal window and type:
Code:
This will find all wireless network interfaces and their current status. In my case its called wlan0. Next you will want to run the command:
Code:
This will set that wireless interface (wlan0) into monitor mode. If you run iwconfig again you will see what looks like another device has appeared, in my case mon0. This is just the monitoring side of your wireless card that we will use for the next step.
Step 2 - Monitoring available access points
Now that you have your wireless card in monitor mode lets check out what AP's are available in our area by running the command:
Code:
As mentioned in step 1 you will now use mon0 instead of wlan0 to monitor the networks. By running airodump-ng this activates a passive listening mode were we can see all AP's available to you and some details about them. All you need to do now is select a target of your choice, once you have done this note down its Channel and BSSID (MAC address). It is also handy to note down any STATION that is associated with the same BSSID.
Step 3 - Capturing Data
WEP is easy to crack compared to WPA-PSK. This is due to the fact that we only need to capture between 20k and 40k of interesting packets. Cracking WPA-PSK is a little harder as we need to carry out a dictionary attack on a captured handshake between the access point and an associated client.
To capture data from a single access point we run the command:
Code:
This is a breakdown of the command we just used
This will capture data on channel 6 only: -c 6
This is the MAC address of our targets access point: bssid 00:0F:CC:7D:5A:74
This saves captured packets into a file called "HackThis" in the current directory: -w HackThis
This just states the wireless adaptor that we have used to carry out the data capture: mon0
Step 4 - How to Increase Traffic
The time taken to capture the data from a target network can vary depending on how many uses are connected and if they are actively using it. Sometimes you may need to speed up this process as the users are inactive and it would take hours to gather the number of packets required to crack the key.
This is were injecting packets comes into play. By injecting packets you will increase the traffic on the wireless network which in turn will reduce the time required to capture the quantity of data we need.
To carry out the next step you will have to open another terminal window and type the command:
Code:
-3 Type of attack, in our case ARP-request replay
-b MAC address of access point
-h MAC address of associated client from airodump-ng
-x 50 Limited to sending 50 packets per second
wlan0 Again our wireless network interface
Step 5 - Cracking the WEP Key
As mentioned earlier WEP cracking is the easiest to do as you only need to collect a certain amount of data. To crack the WEP Key we will run the command:
Code:
Remember that you require around 20k and 40k worth of packets, you can sometimes do it with around 10k packets if the target only had a short key/password.
Step 6 - Cracking WPA or WPA2 PSK
Cracking WPA is similar to WEP up to the point were you are gathering packets. This time you have to wait for is a successful capture of the four-way-handshake association between the access point and a client machine. To do this you set the capture going as in step 3 then either wait for a device to authorise with the AP or my favourite is to de-authenticate a client so that they have to reconnect, essentially booting them off their own network for a fraction of time then capturing the handshake when they reconnect.
To de-authenticate an client you carry out the following command in a separate terminal:
Code:
APMAC is the MAC address of the access point
ClientMAC is the MAC address of an associated client
Step 7 - Cracking the WPA Key
Once you have captured a four-way handshake, you will need a large dictionary file, i'll leave that up to you to find.
You then run the command:
Code:
Wordlist is your dictionary file and capture_HackThis is a .cap file with a valid WPA handshake.
The length of time it will take you to crack a WPA key is based on the length of the targets password and the quality of your wordlist/dictionary file.
Points to remember:
[*] Cracking WPA-PSK and WPA2-PSK only needs a handshake
[*] Cracking WPA is CPU intensive so a powerful machine is recommended.
[*] Aquire a good size wordlist (google is your friend here).
[*] WEP requires 20k+ IV packets for a decent shot at decrypting the key.
[*] If your like me you dont fancy using your mac address on an attack you can always spoof it with the macchanger command
Summary of commands used:
airmon-ng - Used to switch the wireless network card to monitor mode.
airodump-ng - Used for monitoring and capturing network packets.
aireplay-ng - Used to generate extra traffic on the wireless network.
aircrack-ng - Used to crack the WEP key, or launch a dictionary attack on WPA-PSK.
And thats it thanks for reading please comment if you like
Happy Hacking