Illuminate Your World

I’m a wireless junkie. I don’t know why, but there’s just something about uncovering the hidden world of data that’s all around us that excites me. I could sit there all day just watching connections.

One tool that can help illuminate this exciting world is Aircrack. Actually, Aircrack is a suite of tools: airmon-ng, aircrack-ng, aireplay-ng, etc.

Let’s jump right into the action … well, almost.

Aircrack Prep

Who is this tutorial for?

I’m going to assume you’re brand-spanking-new to Aircrack and possibly wireless security in general. If you’ve been using Aircrack at all, this tutorial will probably be of little use to you.

In short, what you’ll need:

  1. Aircrack
  2. Compatible wireless card
  3. Testing network

Site Location & Installing

Here’s the official site for Aircrack.

If you have an offensive Linux distro, there’s a chance that Aircrack is installed and ready to go (type aircrack-ng on the command line and see what happens).

And if not, you’ll need to go to their site, grab the source and build it out.

If you’re a Windows user, I’d recommend grabbing an offensive Linux distro like Kali or Pentoo and getting familiar with it. I’m a Linux guy first and use Linux for all my development/security, so this tutorial may or may not work too well for Windows people.

WiFi Adapter

You’ll need a WiFi adapter that’s compatible with Aircrack. Your adapter of choice needs to have monitor mode capability.

Check out your card here: Wireless Card Compatibility

For this tutorial, I’ll be using an Alfa AWUS051NH V2 external wireless adapter. I use it a lot and I like it.

Once you have Aircrack installed and a compatible wireless adapter, you’re ready to get rocking.

Pre-Launch Setup

Let’s see what the interface is for our wireless adapter.

$ iwconfig

You might see something like this:

wlan0 IEEE 802.11abgn ESSID:off/any

In this case, wlan0 is the interface I want to use.

$ airmon-ng check kill

I always do a “check kill” to make sure there’s nothing that will cause issues. Next, I’ll get my wireless adapter set up in monitor mode.

$ airmon-ng start wlan0

In the above command I’m telling airmon-ng to start up my adapter in monitor mode. After it finishes, I’ll end up with a response that ends with something like this:

(monitor mode enabled on mon0)

So from here out, we’ll be using mon0 as the interface. Keep in mind that if your output was something like wlan0mon, then wlan0mon is the interface you should be using.

Additionally, you can do another iwconfig command to see your interfaces. The one you should use will say: Mode:Monitor.

Blanket Scanning

Let’s get started by illuminating the whole world. Ok, just a little piece. We’ll let our adapter passively listen for any activity in range.

$ airodump-ng mon0

When you do this, your card is basically going to cycle through channels picking up data. As such, it won’t capture everything, but it will give you a quick feel for the area.

In your terminal, you’ll now see something like this:

CH  1 ][ Elapsed: 1 min ][ 2015-07-21 05:37

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

1X:1X:1X:1X:1X:1X -39 39 1 0 1 54e WPA2 CCMP PSK <length: 14>

3D:3D:3D:3D:3D:3D -61 15 0 0 11 54e. OPN WTFParadisimo
XX:XX:XX:XX:XX:XX -78 2 0 0 5 54e. WPA CCMP PSK Starcorn


BSSID STATION PWR Rate Lost Frames Probe

1X:1X:1X:1X:1X:1X E6:E6:E6:E6:E6:E6 -41 5e- 0 0 3 MommaSaidKnockYouOut

3D:3D:3D:3D:3D:3D A4:A4:A4:A4:A4:A4 -72 0 - 0e 0 5 DinnerRolls

I’ve changed the data some, but you’ll get the idea.

The three listings on top are access points (APs). You have their BSSID, which you’ll use for targeting, their signal power, beacons received, channel they are operating on, encryption type (OPN = open network), ESSID, etc.

On the bottom are two listings that are clients who are connected (or connecting) to APs.

BTW, the first AP listed is hiding its SSID. It’s safer, right? No. As I’ll show in a bit, it’s trivial to grab the real SSID.

Channel Scanning

Ok, so now you know how to fire up some passive listening. Let’s drill down a little bit and just listen to channel 1. The advantage here is we will just be focused on a single channel, so we won’t miss as many packets as we did when we scanned all channels.

Run this command (again, if your interface isn’t mon0, change the command):

$ airodump-ng -c 1 mon0

And now we’re getting all of channel 1’s goodness.

Once you have an access point’s information, you can focus in further. Let’s do that.

I’ll be focusing on the hidden AP from earlier in this example, as it’s my test router.

Focused Scanning

This command will be slightly different in that I’ll be writing all the capture data to files and specifying a bssid to target. Note that you can write (-w filename) whenever you want, such as when we did the broad scan.

Note: When you pass -w to airodump-ng, it will start writing all its data to multiple files. You get a .cap, .csv, .kismet.csv and .kismet.netxml. These files can be used in other programs and/or for other uses. For example, you can open the .cap file in Wireshark and see all the packets it captured.

$ airodump-ng -c 1 -w hiddenguy --bssid 1X:1X:1X:1X:1X:1X mon0

After running that command, I got this:

CH  1 ][ Elapsed: 8 s ][ 2015-07-21 06:12

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

1X:1X:1X:1X:1X:1X -16 0 88 1221 26 1 54e WPA2 CCMP PSK <length: 14>

BSSID STATION PWR Rate Lost Frames Probe

1X:1X:1X:1X:1X:1X 67:67:67:67:67:67 -38 0e-24 0 1160
1X:1X:1X:1X:1X:1X 53:53:53:53:53:53 -48 0e-24 1 112

In the above example, you’ll notice the hidden AP and all of its data along with two clients who are connected to the AP.

Before we get any deeper, let’s talk about hidden SSIDs.

Hidden Access Points

Ok, so hiding your SSID doesn’t make you safe. Let’s just get that out there in the open right now.

Having said that, IMHO, you want to do it on your router(s) anyway. It’s kind of like disabling the right click on a picture on a website. It doesn’t stop tech-minded people from grabbing the picture, but it does stop most “normals.”

Here’s why hidden SSID fails.

Your client device (let’s say your phone) looks for a trusted network when the WiFi is on and it’s not connected. It does this by sending out probes for the network(s) it’s looking for. If one of the APs (like your home router) sees the probe for it, the AP will respond back with its information, which is out in the open for all to see. Once this happens, you know the SSID of the “hidden” router.

I also like how the hidden AP is letting you know how many characters are in its SSID (14 in our example). It’s a fun guessing game if you want!

Two ways to find the SSID of a hidden router

  1. Passive: Just focus in on the router and listen and wait. Once a client device goes to look for the AP, you’ll have a shot at picking up the information you seek. You don’t need to do anything when using Aircrack. If you’re actively monitoring the AP and this happens, Aircrack will update the ESSID with the appropriate name. Done.
  2. Active: Who has time to wait? I want that SSID and I see a client or two connected right now. What to do? Simple. De-auth the client and wait for the re-connect to happen. In a section below, I’ll go into de-authing.
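Why the hidden SSID leaks, shown at the frame level. This is an added example, not code from the original tutorial: it parses constructed 802.11 management frames (the BSSID, the 14-character SSID and the build() helper are made up for the demo) and shows that a beacon can null out the SSID while a probe response from the same BSSID carries it in cleartext.

```python
import struct

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_ssid(frame):
    """Return (bssid, ssid_bytes) from a beacon or probe response, else None."""
    if len(frame) < 36 or ((frame[0] >> 2) & 0x3) != 0:
        return None                      # too short, or not a management frame
    if (frame[0] >> 4) not in (5, 8):    # 5 = probe response, 8 = beacon
        return None
    pos = 24 + 12    # MAC header, then timestamp(8) + interval(2) + capabilities(2)
    while pos + 2 <= len(frame):         # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            return None                  # truncated element
        if tag == 0:                     # element ID 0 = SSID
            return mac(frame[16:22]), body
        pos += 2 + length
    return None

def track_ssids(frames):
    """Map each BSSID to the hidden-SSID length and any cleartext SSID seen."""
    seen = {}
    for frame in frames:
        parsed = parse_ssid(frame)
        if parsed is None:
            continue
        bssid, ssid = parsed
        entry = seen.setdefault(bssid, {"hidden_len": None, "ssid": None})
        if not any(ssid):                # empty or all-NUL: the AP is hiding it
            entry["hidden_len"] = len(ssid)
        else:
            entry["ssid"] = ssid.decode("utf-8", "replace")
    return seen

def build(subtype, bssid, ssid):
    """Constructed test frame: 24-byte header, 12 fixed bytes, SSID element."""
    header = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + bssid * 2 + b"\x00\x00"
    return header + b"\x00" * 8 + struct.pack("<HH", 100, 0x0011) + bytes([0, len(ssid)]) + ssid

AP = bytes.fromhex("020000000001")       # constructed lab BSSID
SAMPLE = [
    build(8, AP, b"\x00" * 14),          # beacon: SSID nulled, length still 14
    build(5, AP, b"TestLabNet-14c"),     # probe response to a client: real SSID
]

if __name__ == "__main__":
    print(track_ssids(SAMPLE))
```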

Handshaking For Access

Alright, we’re almost home free (well kind of). The whole reason we’re “attacking” this test router is to crack that WPA2 key and gain sweet access to its goodness. To do this, we need to capture the 4-way handshake (EAPoL 1-4).

The passive way this can be accomplished is to simply listen and record a single AP and its activity (so “focused scanning”). If you were to open up the CAP file in Wireshark, you’ll probably see 1-2 of the 4 EAPoL packets all day long. Just keep waiting. You need a client to authenticate and you need to get all four packets.

And for those who are impatient, you can go active and de-auth clients to capture the handshake (probably) quickly. Again, see de-authing below.

De-Authing A Client

Ok, so you’ve decided to go active attack mode. Here’s the command to run:

$ aireplay-ng -0 1 -a 1X:1X:1X:1X:1X:1X -c 54:54:54:54:54:54 mon0

In the above command, you’re going to send 1 deauth (-0 1) to the client (-c) of an AP (-a) on interface mon0.

You may need to perform this attack multiple times and/or on multiple clients. Also, you can increase the number of deauths sent by doing -0 2 or -0 10 or whatever. Try to go with the minimum needed, which is why starting with 1 is a good first move.
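From the defender’s side, these deauth frames are visible to any monitor-mode sensor on the channel. The following is an added example, not part of the original tutorial: it picks deauthentication frames out of timestamped raw 802.11 frames and reports AP/client pairs that receive a burst. The MAC addresses, frames, window and threshold are constructed or assumed values.

```python
from collections import defaultdict, deque

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return (bssid, client, reason) for a deauthentication frame, else None."""
    if len(frame) < 26 or frame[0] != 0xC0:   # 0xC0 = management, subtype 12
        return None
    dst, src, bssid = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    client = dst if src == bssid else src     # the non-AP end of the pair
    return bssid, client, int.from_bytes(frame[24:26], "little")

def deauth_bursts(timed_frames, window=5.0, threshold=10):
    """Return {(bssid, client): peak count} for pairs that reach `threshold`
    deauth frames inside any `window`-second span. Input is sorted by time."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, frame in timed_frames:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        key = parsed[:2]
        stamps = recent[key]
        stamps.append(ts)
        while ts - stamps[0] > window:        # drop frames older than the window
            stamps.popleft()
        if len(stamps) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(stamps))
    return alerts

def build_deauth(dst, src, bssid, reason):
    """Constructed test frame: 24-byte management header plus reason code."""
    return b"\xc0\x00\x00\x00" + dst + src + bssid + b"\x00\x00" + reason.to_bytes(2, "little")

AP = bytes.fromhex("020000000001")            # constructed lab addresses
CLIENT_A = bytes.fromhex("020000000054")
CLIENT_B = bytes.fromhex("020000000067")
SAMPLE = (
    [(0.0, build_deauth(AP, CLIENT_B, AP, 3))]          # one client leaving
    + [(10.0 + i * 0.1, build_deauth(CLIENT_A, AP, AP, 7)) for i in range(16)]
    + [(30.0, b"\x80\x00" + b"\x00" * 34)]              # a beacon, ignored
)

if __name__ == "__main__":
    for (bssid, client), count in deauth_bursts(SAMPLE).items():
        print(f"deauth burst: AP {bssid} client {client} x{count}")
```

The window and threshold need tuning per site. The underlying fix is 802.11w protected management frames, which lets clients reject unauthenticated deauths.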

Handshake Captured

How do you know when you have the handshake? Simple: Look for something like this:

CH  1 ][ Elapsed: 1 mins ][ 2015-07-21 06:29 ][ WPA handshake: 1X:1X:1X:1X:1X:1X

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

And there it is. See “WPA handshake” up in the upper right? That’s letting you know that you have all that’s needed to continue forward. Once you have this, you can exit out of scanning.

Sweet! What now?

WPA/WPA2 Cracking

I’m not going to go into what to do with the cap file much here, but for simplicity’s sake, you can do a dictionary attack on it like this:

$ aircrack-ng demo.cap -w words.txt

In the above command, demo.cap is the .cap file you created when you used -w while scanning. Replace words.txt with your dictionary file name.

If your attack succeeds, Aircrack will present you with a screen saying something like:

KEY FOUND! [ ThisIsMyPasswordSighPwnedAgain7 ]

Leveling Up

This tutorial was fairly simple, but don’t be fooled. There’s a lot more out there for you to do. From here, I’d start reading the Aircrack tools’ manual pages (or --help) to get a feel for all the options you have.

$ airodump-ng --help

Next, look into HashCat. Using aircrack-ng is fine for simple tests, but if you were to do more advanced cracking, using HashCat is a good idea. GPU cracking is much better than CPU cracking.

Finally, start looking into Kismet and Wireshark if you haven’t done so already. I’ll be writing up some tutorials on both of these in the future.