How to use Aircrack-ng to hack WEP, WPA and WPA2 Wi-Fi networks

If you want to check the security of your Wi-Fi wireless network, one of the most important programs to use is the Aircrack-ng suite. This security suite is specifically geared towards auditing wireless networks with WEP, WPA and also WPA2 encryption. Within this suite there are different tools that take care of different aspects, such as monitoring packets, actively attacking targets, checking the compatibility of WiFi cards and, finally, cracking the wireless network. In this article we explain all the tools of the Aircrack-ng suite and how to use each of them.

What is the Aircrack-ng suite and what is it for


Aircrack-ng is a suite of programs that lets us perform wireless audits on WiFi routers and access points. It is one of the most widely used suites for trying to hack or crack WiFi networks with WEP, WPA and also WPA2 encryption. The software is a complete audit suite divided into separate programs, each designed for a specific task; there is no single “big” program that performs different actions depending on its arguments. This makes the tools easier to use: depending on what we want to do with the wireless network, we use one program or another.

This security suite focuses specifically on four distinct areas of cybersecurity in wireless networks:

  • Monitoring: this software allows you to capture all the packets of a wireless network and export the data to text files and other formats that can be analyzed by other programs. For example, we can capture all the WiFi network packets and analyze them with Wireshark.
  • Attacks: we can perform replay attacks and deauthentication attacks, set up a fake access point for victims to connect to, and even inject packets into the wireless network.
  • Testing: we can check whether the WiFi card is compatible with the different attacks, whether it can be configured in monitor mode, and whether it is capable of injecting packets into the network.
  • Cracking: allows you to directly crack WEP, WPA and WPA2 encryption, using dictionary-based or brute-force attacks.

This software is compatible with Windows, Linux, Unix and macOS, and the source code is available so that we can compile it ourselves on our operating system. In the vast majority of cases, if you want to perform wireless audits you will use a Linux-based operating system, since it offers the best compatibility, especially because the drivers for the different WiFi network cards usually support monitor mode and packet injection.

A very important aspect is that this suite of programs is installed by default in the popular Kali Linux distribution and also in WifiSlax; the latter distribution is specifically designed for Wi-Fi wireless audits.

Another very important feature is that all the tools are executed from the command line, which makes it possible to automate different attacks with scripts. Graphical user interfaces have been built on top of them, but there comes a time when using the command line is much faster. The Aircrack-ng project is more alive than ever: version 1.7 was recently released with a large number of improvements in operation, optimization of commands and new options, two years after the previous version.

Now that you know what the aircrack-ng suite is, we are going to briefly explain all the tools it incorporates and how each of them is used.

Tool operation

The aircrack-ng suite is made up of a large number of tools, each designed for a specific objective, so all of them are important depending on the attacks you are going to carry out. Next, we explain what each of them is for and show some of the most common commands.

airmon-ng

This program allows us to enable monitor mode on the WiFi network card; it is also used to kill the network-manager processes that may be using the card so that it can be put into monitor mode. In a WiFi audit, putting the card in monitor mode is the first step before carrying out the rest of the usual attacks.

The use of airmon-ng is very simple, the syntax is as follows:

  • If you want to show WiFi cards: airmon-ng
  • airmon-ng <start|stop> <interface> [channel]
  • airmon-ng <check|check kill>

The first command allows us to see a list of all the WiFi cards that we have connected to our computer.

The second command is the one we must use to start the interface in monitor mode with the «start» command, or stop it with the «stop» command; we must also choose the physical interface to use, and we can even make the card listen on a specific channel or on all of them.

The third command allows us to check what other processes are interfering with the aircrack-ng suite, in order to kill all the processes so that we don’t have any problems. In the case of killing all the processes that are interfering, we can execute the command “airmon-ng check kill” and it will do it automatically.

This program has other arguments, such as --verbose, to see at a low level everything that is happening and whether there is any kind of problem.

airbase-ng

This tool allows us to attack wireless clients instead of the access points themselves. This tool is really versatile and very flexible, so it will allow us to carry out a large number of attacks:

  • It allows capturing the handshake of the WPA and WPA2 protocol.
  • It acts as an ad-hoc access point for clients to connect.
  • It can act as a complete access point.
  • Filter by SSID or client MAC address.
  • Ability to manipulate and forward packets.
  • Ability to encrypt sent packets and decrypt received packets.

The goal of this program is for clients to associate with the fake AP instead of the real access point. Real clients send probe requests for the networks they have configured, and these frames allow us to bind those clients to the fake AP we configured: the AP responds to any probe request with an appropriate probe response, thus telling clients to connect to the BSSID of airbase-ng. Because of this, real APs around us may be disrupted by this attack, so it is advisable to use filters to minimize this “damage” to other APs. The options available in airbase-ng are very broad, so we are going to indicate the main commands that we can use to carry out certain specific actions.

If we want to create a fake access point called “this article” to capture the WPA handshake, we have to enter the following command:

airbase-ng -c 9 -e "this article" -z 2 wlan0

  • -c: specifies the channel used.
  • -e: specifies the SSID of the AP.
  • -z 2: specifies the encryption mode; we could also use 4 to use CCMP (WPA2 with AES).
  • wlan0: the physical interface of the WiFi card.

In the case of WPA2 AES, we have to change the -z value to 4, in this way:

airbase-ng -c 9 -e "this article" -z 4 wlan0

The rest of the parameters would be exactly the same.

This program supports many other attacks, including ones aimed at the older WEP networks.

airodump-ng

airodump-ng is the software responsible for capturing the packets on the wireless network; it captures the raw frames of the 802.11 standard, and monitor mode is essential for it to work properly. This program is essential for cracking WEP and WPA networks: in the first case it captures the initialization vectors, and in the second case it captures the handshake of wireless clients, so that we can later try to crack them with aircrack-ng, which is the program in charge of that.

Another very important feature of this software is that it works from the command line, so we can easily and quickly write our own scripts to obtain a large amount of information about all the WiFi networks around us. Before running airodump-ng, it is essential that you use airmon-ng to put your wireless card into monitor mode, otherwise it will not work.

This program has many options and filters to capture only certain information; below we give some examples. The syntax of this program is as follows:

  • airodump-ng <options> <interface>

If you want to capture all the packets of all the WiFi channels and view all the data, you must put the following order:

  • airodump-ng wlan0

In the case of wanting to monitor only certain WiFi channels or a specific channel, you can put:

  • airodump-ng -c 6 wlan0
  • airodump-ng -c 1,6,11 wlan0

If you want to filter by WiFi networks with WPA, then you must put the following command:

  • airodump-ng --encrypt wpa wlan0

If you want to filter by BSSID, then you should put:

  • airodump-ng --bssid 00:01:02:03:04:05 wlan0

In case you want to write all the data to a file, you will have to use additional arguments:

  • airodump-ng -w file --output-format pcap wlan0

As you can see, this program is really complete.
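As an added example (not part of the original article or the suite), the following Python script parses the CSV file that the airodump-ng -w command above produces and flags every access point that still advertises open, WEP or TKIP-only security, which is the inventory a defender wants from a scan of their own site. The CSV content is a constructed sample with made-up BSSIDs and ESSIDs.

```python
import csv
import io

# Constructed sample of the "<prefix>-01.csv" file that "airodump-ng -w <prefix>" writes
# (made-up BSSIDs and ESSIDs); the "Station MAC" section listing clients is skipped.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2023-05-01 10:00:00, 2023-05-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -41,  120,   0,   0.  0.  0.  0,   6, Office, 
00:11:22:33:44:02, 2023-05-01 10:00:00, 2023-05-01 10:05:00,  6,  54, WEP, WEP, , -63,   80,  12,   0.  0.  0.  0,   7, Printer, 
00:11:22:33:44:03, 2023-05-01 10:00:00, 2023-05-01 10:05:00, 11,  54, WPA2 WPA, TKIP, PSK, -70,   40,   0,   0.  0.  0.  0,   5, Guest, 
00:11:22:33:44:04, 2023-05-01 10:00:00, 2023-05-01 10:05:00, 11,  54, OPN, , , -75,   30,   0,   0.  0.  0.  0,   4, Cafe, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2023-05-01 10:01:00, 2023-05-01 10:04:00, -50,   25, 00:11:22:33:44:02, Printer
"""

def parse_access_points(text):
    """Return the access-point rows (first CSV section) as dicts with stripped fields."""
    ap_section = text.split("\nStation MAC")[0].strip()
    reader = csv.DictReader(io.StringIO(ap_section), skipinitialspace=True)
    return [{k.strip(): (v or "").strip() for k, v in row.items() if k} for row in reader]

def classify(ap):
    """Rate an AP by its advertised Privacy/Cipher fields: returns (severity, reason)."""
    privacy = ap["Privacy"].split()  # airodump-ng lists several, e.g. "WPA2 WPA"
    if not privacy or "OPN" in privacy:
        return "high", "open network, traffic is unencrypted"
    if "WEP" in privacy:
        return "high", "WEP, key recoverable from captured IVs"
    if "WPA" in privacy and not any(p in privacy for p in ("WPA2", "WPA3")):
        return "medium", "WPA (TKIP) only, deprecated"
    if "TKIP" in ap["Cipher"]:
        return "medium", "TKIP still allowed alongside CCMP"
    return "info", "WPA2/WPA3 with CCMP"

def audit(text):
    """List (ESSID, BSSID, severity, reason) for every AP that is not WPA2/WPA3 with CCMP."""
    findings = []
    for ap in parse_access_points(text):
        severity, reason = classify(ap)
        if severity != "info":
            findings.append((ap["ESSID"], ap["BSSID"], severity, reason))
    return findings

if __name__ == "__main__":
    for essid, bssid, severity, reason in audit(SAMPLE_CSV):
        print(f"[{severity}] {essid} ({bssid}): {reason}")
```

To run it on a real scan, read the "-01.csv" file written next to the pcap and pass its contents to audit().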

aireplay-ng

The objective of this program is to generate traffic on wireless networks with WEP and WPA, with the aim of cracking them later with aircrack-ng. There are different attacks we can carry out, among them deauthentication attacks to capture the WPA handshake, fake authentication, packet replay to speed up the cracking of WEP networks, and even packet injection. This program is closely related to packetforge-ng, because with it we can create frames designed exactly as we want.

Next, you have a complete list of all the attacks it is capable of performing; the attack number is important because it is what we pass on the command line.

  • 0: Deauthentication
  • 1: Fake authentication
  • 2: Interactive packet replay
  • 3: ARP request replay attack
  • 4: KoreK chopchop attack
  • 5: Fragmentation attack
  • 6: Cafe latte attack
  • 7: Client-oriented fragmentation attack
  • 8: WPA Migration Mode
  • 9: Injection test

The syntax for using aireplay-ng is as follows:

  • aireplay-ng <options> <replay interface>

In the event that we want to carry out a deauthentication attack, we have to execute the following:

  • aireplay-ng -0 1 -a MAC_AP -c MAC_CLIENTE_WIFI wlan0

This is one of the most used attacks if you want to crack a WPA or WPA2 network, since we can force the client to deauthenticate to later capture the handshake with airodump-ng.
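From the defender's side, the deauthentication frames this attack sends are visible to any monitor-mode capture. The following Python script, an added example and not code from the article or the suite, parses raw 802.11 management frames and flags a sender that emits a burst of deauthentication frames; the frames are a constructed sample with made-up MAC addresses.

```python
import struct
from collections import Counter

DEAUTH_SUBTYPE = 12  # management frame (type 0) with subtype 12 = deauthentication
BROADCAST = b"\xff" * 6

def parse_deauth(frame):
    """Return (src, bssid, reason) for a raw 802.11 deauthentication frame, or None
    for any other frame. Layout: FC(2) dur(2) addr1(6) addr2(6) addr3(6) seq(2) reason(2)."""
    if len(frame) < 26:
        return None
    fc = frame[0]  # bits 0-1 version, bits 2-3 type, bits 4-7 subtype
    if ((fc >> 2) & 0x3) != 0 or (fc >> 4) != DEAUTH_SUBTYPE:
        return None
    src = frame[10:16].hex(":")
    bssid = frame[16:22].hex(":")
    reason = struct.unpack_from("<H", frame, 24)[0]
    return src, bssid, reason

def detect_deauth_flood(frames, threshold=10):
    """Count deauth frames per (src, bssid, reason) and return the tuples seen at least
    `threshold` times; a client leaving sends one frame, a tool sends bursts."""
    counts = Counter()
    for frame in frames:
        parsed = parse_deauth(frame)
        if parsed is not None:
            counts[parsed] += 1
    return [(key, n) for key, n in counts.items() if n >= threshold]

def build_deauth(dst, src, bssid, reason):
    """Constructed test fixture (no FCS) used only to build the sample input below."""
    return (bytes([0xC0, 0x00]) + b"\x3a\x01" + dst + src + bssid
            + b"\x00\x00" + struct.pack("<H", reason))

# Constructed sample capture with made-up addresses: 64 broadcast deauths spoofed
# from the AP with reason 7 (the code carried by aireplay-ng's deauth frames), one
# genuine deauth from a client that is leaving (reason 3), and one data frame.
AP = bytes.fromhex("001122334401")
CLIENT = bytes.fromhex("aabbccddee01")
SAMPLE_FRAMES = (
    [build_deauth(BROADCAST, AP, AP, 7) for _ in range(64)]
    + [build_deauth(AP, CLIENT, AP, 3)]
    + [bytes([0x08, 0x00]) + bytes(30)]
)

if __name__ == "__main__":
    for (src, bssid, reason), n in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"deauth burst: {n} frames from {src} (BSSID {bssid}, reason {reason})")
```

The same check can be run over frames read from the pcap that airodump-ng writes. The mitigation is 802.11w Protected Management Frames on the access point: with PMF enabled, deauthentication frames are integrity-protected and a spoofed one is discarded by the client.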

aircrack-ng

This program is the core of the suite and gives it its name; its objective is to recover WEP, WPA and also WPA2 passwords. There are different ways of cracking: generally it is done by brute force, by dictionary, or a combination of both methods. Depending on the wireless network we want to crack, we will have to use some commands or others; here we show how to crack WPA and WPA2 once we have captured the handshake with airodump-ng.

The syntax for using this program is as follows:

  • aircrack-ng [options] <capture file(s)>

This program allows us to add multiple input files, although it is normal to use only one capture where we have the handshake of the wireless network.

Let’s imagine that we want to crack the WPA or WPA2 password based on a password dictionary, the command you need to execute is the following:

  • aircrack-ng -w password_dictionary.lst *.cap

This command will take the files with the .cap extension from the directory and try all the passwords contained in the dictionary one by one. Once it starts, it will ask us to choose which of the WiFi networks whose handshake we captured we want to crack, in the style of a configuration wizard.

It is also possible to use different dictionaries as input to crack a specific handshake, the syntax would be as follows:

  • aircrack-ng -w password_dictionary1.lst,password_dictionary2.lst,password_dictionary3.lst,password_dictionary4.lst *.cap

In case you want to automate this, you can use the “-e ESSID” argument to select the SSID of the WiFi access point to crack, so it doesn’t ask us and does everything automatically.
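To see why each dictionary entry costs what it does, the following Python snippet, added here and not part of the article or of aircrack-ng, implements the PMK derivation that must be repeated for every candidate (PBKDF2-HMAC-SHA1 with the SSID as salt), checks it against the known-answer vector from IEEE 802.11i, shows that the result is bound to the SSID (which is why precomputed tables such as those of airolib-ng only help against one ESSID), and measures the derivation rate of the machine it runs on.

```python
import hashlib
import time

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK of a WPA/WPA2-Personal network: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256-bit output (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

def precomputation_reusable(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if one PMK table would serve both networks, i.e. the SSIDs are equal;
    a non-default SSID therefore forces an attacker to redo the PBKDF2 work."""
    return wpa_pmk(passphrase, ssid_a) == wpa_pmk(passphrase, ssid_b)

def derivations_per_second(ssid: str = "IEEE", samples: int = 50) -> float:
    """Measure how many candidate passphrases this CPU turns into PMKs per second;
    a dictionary run against one handshake is bounded by this rate times the list size."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"candidate-{i}", ssid)  # constructed candidates, not a real wordlist
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    # Known-answer vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
    print("same PMK on 'IEEE' and 'ieee'?", precomputation_reusable("password", "IEEE", "ieee"))
    rate = derivations_per_second()
    print(f"{rate:.0f} PMK derivations/s -> 10 million candidates take {1e7 / rate / 3600:.1f} h")
```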


airdecap-ng

This program is quite simple; its goal is to decrypt WEP, WPA and WPA2 captures. It can also be used to remove all the headers from an unencrypted wireless capture (when the access point uses no encryption of any kind). This program generates a new file ending in “-dec.cap”, which is the decrypted version of the input file.

The syntax of this program is as follows:

  • airdecap-ng [options] <pcap file>

Let’s imagine that we want to remove all the headers from a capture of an open WiFi network, we can execute the following command:

  • airdecap-ng -b MAC_AP open-network.cap

Let’s imagine that we want to decrypt all the capture where WPA or WPA2 is being used, we have to execute the following command:

  • airdecap-ng -e 'wifi network name' -p WPA_password capture.cap

As you can see, it is a simple way to have a decrypted capture, although we could also do the same thing with Wireshark through the graphical user interface.

Other tools

Within the aircrack-ng suite there are other very specific tools that will allow us to increase the functionalities that we have seen, for example, we have very interesting tools such as airdecloak-ng, airdrop-ng, airgraph-ng, airolib-ng, airserv-ng, airtun-ng, besside-ng, dcrack, easside-ng, packetforge-ng, tkiptun-ng, wesside-ng. Depending on our needs and what we want to do, we can use some of them to greatly facilitate the task of wireless audits.

For example, one of the most notable is dcrack, a tool that lets us crack WPA and WPA2 keys in a distributed way across several computers, with the aim of pooling CPU power and reducing the time it takes to crack a password. This program uses a client-server model: a server coordinates the different clients that connect to it; the user sends commands to the server, which then sends the necessary data to the clients.

As you have seen, this suite is really complete because we have a large number of tools, in addition, it is modular so we can run each tool separately to have even more options.

Conclusions

We have seen that the Aircrack-ng suite is a really complete piece of software for carrying out WiFi wireless audits of any router or access point. It can crack networks with WEP in very little time; however, today this type of encryption has been deprecated by the WiFi Alliance, so it is really rare to find this type of network now. The same happens with WPA encryption: it is hardly used today because it is considered “deprecated” in favor of WPA2, which is currently used by the majority.

Although many of these tools are aimed at WEP networks that are no longer used, the truth is that we still have different attacks that we can carry out on networks with WPA2. If you want to test the security of any WPA2 network, this auditing suite is what you are looking for, and it is simply the best. Also, you should keep in mind that distributions specifically oriented to wireless auditing bring it by default, but also include different scripts and other programs based on this suite, to make it easier for users to use all the tools.