Aircrack-ng is a set of tools in Kali Linux that can be used to assess Wi-Fi network security. It is capable of monitoring (capturing packets), attacking, and cracking Wi-Fi networks. In this post, Aircrack-ng will be used to crack a password-protected WPA/WPA2 Wi-Fi network.
- Kali Linux can be A) installed or B) used in the Live version through a Bootable version or C) installed on a VM using VMWare or Virtual Box.
- To crack the Wi-Fi network password, the PC/computer should have an external wireless card capable of running a monitor or injection mode.
- A wordlist to crack the Wi-Fi password
How does Wi-Fi work?
To understand how to crack Wi-Fi, one needs to know how Wi-Fi works. Wi-Fi works by transmitting network packets, which can be captured and dumped using airodump-ng, part of aircrack-ng. Then it needs to be determined whether the victim is connected to the target Wi-Fi network. It is worthwhile to mention that if no one is connected to the target Wi-Fi network, it won't be possible to crack it, as it won't be possible to perform a WPA/WPA2 handshake without a client being connected to the network. The goal here is to capture the WPA/WPA2 authentication handshake by sending de-authentication packets to crack the pre-shared key using the aircrack-ng tool.
Steps to crack Wi-Fi WPA/WPA2 passwords using Aircrack-ng
- Launch the terminal in Kali Linux.
- In the terminal, use the iwconfig to determine the name of the wireless adapter, as there may be multiple wireless network interfaces on the system.
In this case, *wlan0* is the name of the wireless adapter, which may vary depending on the system configuration. If connected to an external wireless card, it may be wlan1 or even wlan2.
- For certain wireless cards, some error messages may be shown (for example, enable monitor mode error). If there are any such errors, the command airmon-ng check kill should be used to kill the process as shown below.
- Enable the monitor mode in the Wi-Fi card (wlan0) by using the command airmon-ng start wlan0 (interface of wireless card). Using the interface in the terminal, use wlan0mon.
Note: Use the wireless interface, which is indicated by the red mark in the above screenshot.
- Use the command airodump-ng wlan0mon, as shown below, to display all the access points in the computer's proximity, including the clients connected to that access point. This command captures the network packets. It will also gather data from the wireless packets.
Note: Do not close this terminal because it will be used to know whether the WPA handshake has been captured or not.
- Add some more parameters to the airodump-ng command. The final command in this step will be airodump-ng -c channel --bssid [bssid of Wi-Fi] -w [path to writing the data of packets] wlan0mon [interface].
Explanation of the flags (or options) used in the command:
-bssid: it has been indicated with a red mark in the screenshot.
-c: is the channel of the target Wi-Fi which in this case is 10 (see in the previous screenshot for channel number)
-w is the directory where the captured data is written to, which, in this case, is '/root/Desktop/hack' but can be changed to an arbitrary location.
The network interface, in the example shown, is wlan0mon.
The file path chosen is /root/Desktop/hack in the above command, so the packets captured by airdump-ng will be written to the file named hack in the Desktop or the /root/Desktop directory.
The following would be displayed in the terminal if the command ran successfully:
- Next, deauthenticate the clients connected to the Wi-Fi network. The command for that would be aireplay-ng --deauth 10 -a [router bssid] interface
Optionally, add the client MAC address by adding the -c command line flag, where the part is to be replaced by the MAC address unique to the client. This will disconnect the client from the access point. Below is a screen screenshot of a client connected to an access point.
After this, the client will try to connect to the Wi-Fi network again. This is when the packets sent by the client will be captured by the tool. The WPA handshake would be captured from this and displayed, as shown below.
- To crack the Wi-Fi with these captured packets, use the command: aircrack-ng -b [bssid of router] -w [path to word list] [path to capture packets]
-w is the path to the wordlist, which in this case is '/root/Desktop/wordlist.txt'.
A wordlist is needed to perform the brute-force attack. Custom word lists can also be generated by using crunch, as shown below:
Using the command shown above in the screenshot, aircrack-ng will crack the Wi-Fi network password.
For the attack to succeed, aircrack-ng needs a good wordlist, which can be custom generated or downloaded from the internet, as said earlier. As shown above, the key was found by aircrack-ng and displayed in the terminal.
This WPA/WPA2 Wi-Fi password cracking method using aircrack-ng can be especially useful for infrastructure security testing, red teaming assessments, and attack simulation that encompasses physical network security testing. Reference: https://www.aircrack-ng.org/