Wireless Penetration Testing: Aircrack-ng
In our series of Wireless Penetration Testing, this time we are focusing on a tool that has been around for ages. This is the tool that has given birth to many of the Wireless Attacks and tools. Aircrack-ng is not a tool but it is a suite of tools that all perform different types of attacks or activities related to Wireless Access Points. In this demonstration, we will be focusing on a few of the tools from the Aircrack-ng arsenal.
Table of Content
- Enabling Monitor Mode
- Sniffing Wireless Packets
- Deauthencating Users
- Capturing Handshake
- Cracking Password
Aircrack-ng is a package of Wi-Fi network security assessment tools. It has a detector, a packet sniffer, WPA/WPA2-PSK, and a WEP cracker and analyzer for 802.11 Wireless LANs. With the help of Aircrack-ng, a penetration tester can focus on Monitoring, Attacking, Testing, and Cracking aspects of the Wi-Fi Security. Monitoring includes Packer Capturing and exporting the data to text files for processing by any third-party tool. Attacking includes replay attacks, deauthentication, evil-twin attacks, and packet injection attacks. Testing includes the testing of the Wi-Fi cards and driver capabilities based on the capture and injections. Finally Cracking includes the ability to crack the WEP and WPA PSK keys.
Aircrack-ng is supported on Linux, FreeBSD, macOS, OpenBSD, Android, and Windows.
There are a bunch of tools inside the Aircrack-ng Suite. In this demonstration, we will be focusing on the following:
airmon-ng: It is used to enabling Monitor Mode on Wi-Fi Card
airodump-ng: It is used for sniffing packets. It places the air traffic into a pcap file and shows information about the network
aireplay-ng: It is used for Packet Injection Attacks
aircrack-ng: It is used for cracking the WEP keys using the Fluhrer, Mantin, and Shamir attack (FMS) attack, PTW attack, and dictionary attacks, and WPA/WPA2-PSK using dictionary attacks.
Note: To perform attacks using Aircrack-ng, you need an external Wi-Fi card with monitoring mode.
Enabling Monitor Mode
In general words, Monitor Mode is a mode that is supported by certain Wi-Fi devices. When enabled, the Wi-Fi card will stop sending any data and will be completely dedicated to monitoring the wireless traffic. It is not the only mode that is supported on Wi-Fi devices, there are a total of 6 modes. However, in this demonstration, we will be focusing on Monitor mode only.
As discussed in the Introduction, airmon-ng is used for enabling the Monitor mode on Wi-Fi cards. After connecting the external card with our machine, we will use airmon-ng to start monitor mode by providing the interface. In our case the interface in question is wlan0. If you seem to have issues with enabling the monitor mode, kill the processes that are mentioned with their respective PIDs to ensure that no processes conflict. If not, this will put our Wi-Fi card in Monitor mode.
airmon-ng start wlan0
After using the airmon-ng, we can check the enabling of monitor mode by using the iwconfig command. It is a Linux command that can be used to configure a wireless network interface. It is similar to ifconfig which is used for general interface configurations. After running iwconfig we can see that the interface that we used with airmon-ng has now changed from wlan0 to wlan0mon. Here mon indicates the monitor mode.
Sniffing Wireless Packets
After placing the Wi-Fi card in the Monitor mode, we can then move to sniff network packets. As discussed in the Introduction, airodump-ng can be used for this activity. To start sniffing, we need to provide the airodump-ng with the ESSID of the access point with other details. To get the information required run airodump-ng with the interface only as demonstrated below.
As soon as we start the airodump-ng, we will see the list of Access Points with details such as their BSSID (MAC Address), Strength (PWR), Encryption (WPA/WPA2), Authentication Method, and ESSID (Name of Wireless Access Point) as demonstrated below. We will be targeting the wireless Access Point by the name of “raaj”. We can see that the access point is broadcasting on channel 3 and has WPA2-PSK.
Now that we have the ESSID of the access point that we want to target, we can initiate the sniffing on that particular device. We will need to provide the interface that we have monitor mode on and the details such as the channel of the device, BSSID as demonstrated below. This will begin the network capture.
airodump-ng wlan0mon -c 3 --bssid 18:X:X:X:X:X -w pwd
Since we want to crack the password for the targeted access point, we need the handshake that can be attacked. We will be using the airodump-ng for capturing that handshake. But since all the devices are already connected to the access point hence, there won’t be any authentication performed or we can say that we won’t be able to capture the handshake. So, we will be sending a deauthentication signal to all the devices so that they will be disconnected from the access point. Then they will try to reconnect and at that moment we will capture the handshake. We will be using the aireplay-ng for sending the deauthentication signal. We need to provide the BSSID of the access point to deauthenticate all devices as demonstrated below. Make sure to use a new terminal while running the aireplay and let the airodump-ng running. So that it can capture the handshake.
aireplay-ng --deauth 0 -a 18:X:X:X:X:X wlan0mon
We go back to the terminal where we started the airodump-ng and we can see all the devices that attempted to reconnect to our targeted access point and on the top right-hand side, we can see that airodump-ng was able to capture the WPA handshake between the access point and one of its users.
While running the airodump-ng we mentioned the pwd as the file in which the handshake should be saved. While checking we see that it has been captured into the file named pwd-01.cap. We can now perform a Bruteforce to crack the password using the aircrack-ng. We need to provide a dictionary for the attack that contains the probable passwords.
aircrack-ng pwd-01.cap -w dict.txt
The time that aircrack-ng takes depends on your system configurations and the number of entries in the dictionary file that you provided. The dictionary that we provided had 7 keys. Hence, we were able to crack it in a matter of seconds. We can see the Master and Transient Key that would be used while forming the PSK-PTK combination. The password for the access point was cracked to be raj12345.
The collection of tools in the Aircrack-ng suite is useful in testing the Wireless Access Point Security. With the help of just 4 tools, we were able to crack the password required to connect the targeted Access Point. Aircrack-ng is one of the oldest tools that is used in the domain but we were still able to crack the authentication of a device today.