WiFi Hacking with the Aircrack-ng Suite


Before we start WiFi hacking (WPA/WPA2) with Aircrack-ng, it’s important to understand a few points first.

In recent years, the password complexity of modems / routers provided by ISPs (Internet Service Providers) has improved dramatically. Fresh out of the box, these default passwords provide a reasonable amount of security for the regular domestic user. For example, the default WPA2 password of a Sky Wi-Fi router consists of eight random upper case characters (A-Z). A list of the password structures used by other ISPs can be found here.

Password Complexity

Although Sky’s default password is made up of only upper case characters, it still produces over a billion combinations. I actually generated a wordlist based on the 8 upper case character rule and it was over 1.75TB in size. Cracking a password this complex would take a considerable amount of hardware and time! A problem only arises when a user either uses an older modem/router with a weak default password, or when the user changes the password in order to make it easier to remember.

A default Sky password of ‘AFWECPJF’ is much more complex than ‘M4nUn1ted!’. Cracking the first password could take hours or days, whereas cracking the latter would take only a matter of minutes. When monitoring Wi-Fi traffic, a user’s SSID (Wi-Fi broadcast name) can reveal some useful information:

  1. SKY20DF11 – Tells me that the person is using a Sky router and I know by default their password is 8 uppercase characters.
  2. If a user’s SSID is unique (e.g. DannysWiFi) – I can presume they’ve also changed their password, which they’ve likely made weaker too!
  3. Using the example from above (2). If my target’s name was Danny and I found Danny’s Facebook account, I would attempt to view his account to gather information (Pet names, partner/children’s names, hobbies/interests) to help generate a targeted wordlist. Such wordlists are simple to create and very effective.
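As an added illustration (not part of the original post), here are the numbers behind the claims above: the keyspace and wordlist size for the Sky eight-upper-case pattern, and why every WPA2 guess is expensive, since the pre-shared key is derived with PBKDF2-HMAC-SHA1 over 4096 iterations with the SSID as salt. The SSID ‘SKY20DF11’ from the post is used only as a benchmark salt; the policy names and the guess-rate benchmark are my own assumptions.

```python
import hashlib
import time

# Character-class sizes for the password policies discussed in the post.
UPPER = 26          # A-Z: the Sky default pattern
MIXED_ALNUM = 62    # a-z, A-Z, 0-9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def wordlist_bytes(alphabet_size: int, length: int) -> int:
    """Size on disk of a complete wordlist: one password plus '\\n' per line."""
    return keyspace(alphabet_size, length) * (length + 1)


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key (IEEE 802.11): PBKDF2-HMAC-SHA1 with the
    SSID as salt, 4096 iterations, 256-bit output. A cracker must repeat this
    whole derivation for every single guess, which is what makes it slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def benchmark_guesses_per_sec(ssid: str, samples: int = 200) -> float:
    """Rough single-core guess rate on this machine (CPU only, no GPU)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"GUESS{i:06d}", ssid)   # constructed throwaway guesses
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(space: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every password in `space` at the given rate."""
    return space / guesses_per_sec


def policy_report(alphabet_size: int, length: int, guesses_per_sec: float) -> dict:
    space = keyspace(alphabet_size, length)
    return {
        "keyspace": space,
        "wordlist_tb": wordlist_bytes(alphabet_size, length) / 1e12,
        "years_to_exhaust": seconds_to_exhaust(space, guesses_per_sec) / (365 * 86400),
    }


if __name__ == "__main__":
    rate = benchmark_guesses_per_sec("SKY20DF11")
    print(f"this CPU: ~{rate:,.0f} PMK derivations/s")
    for name, n, length in [("Sky default, 8 upper", UPPER, 8), ("10 mixed alnum", MIXED_ALNUM, 10)]:
        print(name, policy_report(n, length, rate))
```

The 8-upper-case keyspace is about 2.1 × 10^11 and the full wordlist about 1.9 TB on disk, in line with the sizes quoted above; compare that with a few million dictionary words for a human-chosen password.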

So with the above in mind, I’m about to show you how to crack WEAK WPA/WPA2 passwords using the aircrack-ng suite.

WiFi Hacking (WPA/WPA2) with Aircrack-ng

It’s been a while since I last played with the aircrack-ng suite. For this demonstration, I’ve used a Kali Linux Virtual Machine (VM) and an Alpha Wi-Fi Dongle. There are a lot of videos in circulation that show how to perform this attack, but there are also a lot that don’t really explain the stages. In order to perform this attack, I have split it down into the following stages:

  1. Airmon-ng
  2. Airodump-ng
  3. Aireplay-ng
  4. Aircrack-ng

1. Airmon-ng

Firstly, you need to connect the dongle to your VM and then place it into ‘monitor mode’. If like me you are using Kali Linux inside a VM, you will first need to mount the Wi-Fi dongle onto the VM by disconnecting it from the host. In VMware, the icon is in the bottom right hand corner. Right click and select ‘Disconnect (Disconnect from host)’.

Mount dongle

Type the command ‘ifconfig’. This will reveal the name of your Wi-Fi dongle. In this example, mine is ‘wlan0’. We can now put the Wi-Fi dongle into monitor mode by typing:

'airmon-ng start wlan0'

A quick check of ifconfig should now show the dongle in ‘monitor mode’. As you can see in the screenshot below ‘wlan0’ has now been renamed to ‘wlan0mon’.

If all of this has been done successfully, you are now ready to move onto the next stage.

2. Airodump-ng

You can now passively monitor the wireless networks around you by using the following command:

'airodump-ng wlan0mon'

This command will scan the range of Wi-Fi channels, and produce a lot of information you need to know in order to further concentrate your attack.

The target I have chosen (my own router!) is on channel 1, so I narrowed the capture down to channel 1 only. This is achieved by:

'airodump-ng wlan0mon -c1'

The information gained can be used to further leverage the attack. Building on my previous command, I’m now going to specify the BSSID of the target router I’m trying to attack and write the captured data to a file. This is used later on for cracking the Wi-Fi password.

'airodump-ng wlan0mon -c1 --bssid AB:CD:EF:00:01:AB -w ~/Desktop/WPA'

3. Aireplay-ng

The above command will write all the data to the desktop in several formats. Leave this to run in the background. We now need to attempt to capture the Wi-Fi handshake. To do this, I’m going to open another terminal window and send ‘deauth’ frames for the router. This forces all connected devices off the router. Once I stop the deauth command, the disconnected devices will re-attempt to connect to the router and perform their handshake again. This is how we capture the handshake material that the Wi-Fi password is later attacked from. To deauth, use the following command:

'aireplay-ng --deauth 0 -a AB:CD:EF:00:01:AB wlan0mon'

As soon as you cancel the deauth request, you should capture the WPA handshake. This is shown in the top line of the airodump-ng output (highlighted in red in the screenshot).
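From the defender’s side, the deauth burst described above is very noisy and easy to spot in a monitor-mode capture. The following detector is an added example, not code from the post or from the aircrack-ng project: it runs over a constructed frame log (the BSSID is the post’s placeholder address; the client address, subtype names and timings are made up) and raises an alert when one source emits a burst of deauthentication frames, then lists the clients that re-authenticate straight afterwards.

```python
from collections import defaultdict, deque

BROADCAST = "FF:FF:FF:FF:FF:FF"
AP = "AB:CD:EF:00:01:AB"          # the BSSID used in the post's commands
STA = "11:22:33:44:55:66"         # a constructed client address

# Constructed monitor-mode frame log: (seconds, subtype, source, destination).
# One ordinary deauth, then a continuous broadcast deauth burst like the one
# aireplay-ng --deauth 0 produces, then the client re-authenticating.
FRAMES = (
    [(0.0, "beacon", AP, BROADCAST), (0.2, "deauth", AP, STA), (0.4, "beacon", AP, BROADCAST)]
    + [(1.5 + i * 0.01, "deauth", AP, BROADCAST) for i in range(30)]
    + [(2.5, "auth", STA, AP), (2.52, "assoc_req", STA, AP)]
)


def detect_deauth_floods(frames, window=1.0, threshold=10):
    """Alert once per source that emits >= `threshold` deauth/disassoc frames
    inside a sliding `window` of seconds. `frames` must be sorted by timestamp.
    The source address is trivially spoofed (the attacker sends the frames as
    the AP), so the alert names the victim BSSID, not the attacker's radio."""
    recent = defaultdict(deque)   # src -> timestamps of its recent deauths
    alerts, alerted = [], set()
    for ts, subtype, src, dst in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:     # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "first": q[0], "last": ts,
                           "count": len(q), "broadcast": dst == BROADCAST})
    return alerts


def reconnects_after(frames, alert, horizon=5.0):
    """Stations that authenticate to the alerted BSSID shortly after the burst:
    this reconnect storm is exactly what hands over the handshake."""
    return sorted({src for ts, sub, src, dst in frames
                   if sub == "auth" and dst == alert["src"]
                   and alert["last"] < ts <= alert["last"] + horizon})


if __name__ == "__main__":
    for a in detect_deauth_floods(FRAMES):
        print(f"deauth flood against {a['src']}: {a['count']} frames in "
              f"{a['last'] - a['first']:.2f}s, broadcast={a['broadcast']}")
        print("clients reconnecting afterwards:", reconnects_after(FRAMES, a))
    # Mitigation: enable 802.11w (Protected Management Frames) so that capable
    # clients discard unauthenticated deauth frames instead of disconnecting.
```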

Now that you have captured the handshake, you can move on to offline cracking.

4. Aircrack-ng

It’s now time to take a look into the data that was saved to disk. I saved mine on my desktop. We are interested in the file ending ‘.cap’.

I’m going to use a wordlist. A wordlist attack only succeeds if the password is actually in the wordlist. This further drives home the need to have strong passwords. For simplicity, I’ve used the wordlist ‘rockyou.txt’ that comes by default with Kali (rockyou.txt is located in /usr/share/seclists/Passwords). You can find SecLists on GitHub here. Alternatively, if you’re using Kali, you can install it by typing:

'sudo apt install seclists'

@myexploit2600 has created a wordlist on steroids called ‘Rocktastic’ available here.

With the handshake capture and the wordlist in place, run aircrack-ng against the ‘.cap’ file written earlier to the desktop:

'aircrack-ng -w ~/Desktop/rockyou.txt ~/Desktop/WPA-01.cap'

Using my laptop, it took 1hr 20mins to crack the password.