A comprehensive guide to cracking wi-fi using the aircrack suite

If you’re the admin of a home or business wireless network then it’s important that you know about wireless security - and one of the best ways to learn is to experiment. This guide shows you some simple attacks that any hacker can attempt on your network.

There are three common levels of wireless encryption. A network can be open - so require no key or password to connect - or it can use WEP encryption, or it can use WPA/WPA2 encryption. Throughout this tutorial, you’ll see how easy it is to monitor everything that happens on an open network, and then how to break in and do the same on a WEP network, and then how to crack WPA. You’ll see that WPA is so much harder to crack - and therefore so much more secure.

Obviously attempting to gain access to another person’s network is illegal in most countries, so please just try this on your own network, or with the network owner’s permission if that’s not you.

What you need

A computer running some form of Unix-based operating system is essential. The best choice is a PC running Linux or BSD.

If you’re a Mac owner then you do have a Unix-based OS, but some of the commands won’t work. It’s still possible to do quite a lot with a Mac though - see the note on Macs near the bottom of the tutorial. If you’re a Windows user then Cygwin or a virtual machine won’t cut it - install a proper Unix-based OS or run one from a Live CD.

Everything we’re going to do in this tutorial is in the terminal, so some familiarity with that would be ideal. Most of the commands will have sudo in front of them - which means you’ll be running them with administrator privileges - so occasionally you’ll be asked to enter your admin password.

If you’re a Linux or BSD user then you need to make sure that you have the correct drivers installed and a compatible network card. The aircrack site has a guide but if that looks confusing then just try out the stuff below - you can probably do most, if not all of it without worrying about drivers too much.

Installing aircrack-ng

aircrack-ng is a suite of tools that help you work with wireless networks. You’ll need the aircrack-ng suite installed for most of the attacks below. To get this on a Debian-based Linux installation (such as Ubuntu or Mint) go to the terminal and type:

sudo apt-get install aircrack-ng

On other flavours of Linux there will be a similar command instead of apt-get - such as yum. Just look it up in your Linux flavour’s documentation.

If at any point you come across a command that can’t be found on your system then try the above command, but replace aircrack-ng with the command that’s missing. Chances are apt-get (or its equivalent) will be able to install it for you.

Gathering information

The most important stage in any cracking task is gathering information. For wi-fi cracking, you need to know as much information about your computer and the networks around you as you can.

First - let’s find out about your computer’s networking features. Start with the iwconfig command, which gives you information about the network adapters on your computer:

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11bgn  ESSID:off/any  
          Mode:Managed  Frequency:2.412 GHz  Access Point: Not-Associated   
          Tx-Power=20 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

This shows that you have three network adapters - eth0, lo and wlan0, but that only one of them (wlan0) is a wireless device. wlan0 will be the wireless adapter we use for the rest of the tutorial.

Next try ifconfig wlan0, where wlan0 is the wireless network adapter we found:

wlan0     Link encap:UNSPEC  HWaddr AA-BB-CC-DD-EE-FF-00-00-00  
          UP BROADCAST NOTRAILERS PROMISC ALLMULTI  MTU:1500  Metric:1
          RX packets:1177841 errors:0 dropped:0 overruns:0 frame:0
          TX packets:389365 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:408049502 (408.0 MB)  TX bytes:61662376 (61.6 MB)

This will show some different information about your wireless card. Make a note of your HWaddr, which is your card’s MAC address - you’ll need it later. You just need the first six entries in the form of AA:BB:CC:DD:EE:FF - you don’t need to worry about the 00-00-00-00 bits afterwards.

Now let’s look at iwlist, which can give you lots of information about what’s around you. The command sudo iwlist wlan0 scan will tell your computer to carry out a scan for access points around you, and returns lots of interesting information about each access point:

Cell 01 - Address: XX:YY:ZZ:XX:YY:ZZ
          Channel:1
          Frequency:2.412 GHz (Channel 1)
          Quality=30/70  Signal level=-80 dBm  
          Encryption key:on
          ESSID:"SomeNetworkName"
          Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 9 Mb/s
                    18 Mb/s; 36 Mb/s; 54 Mb/s
          Bit Rates:6 Mb/s; 12 Mb/s; 24 Mb/s; 48 Mb/s
          Mode:Master
Cell 02 - Address: AA:BB:CC:DD:EE:FF
          Channel:1
          Frequency:2.412 GHz (Channel 1)
          Quality=19/70  Signal level=-91 dBm  
          Encryption key:off
          ESSID:"SomeOtherNetwork"
          Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                    9 Mb/s; 12 Mb/s; 18 Mb/s
          Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
          Mode:Master
          Extra: Last beacon: 712ms ago

In the example above, there are two wifi networks in range, and iwlist has told you what they’re called (their ESSID), their unique BSSID address (Address), what frequency they operate on, which channel they use, what bit-rates they support, whether they’re encrypted or not, and more.

Getting started with aircrack

Now that you know what’s on your PC and know what’s around you, it’s time to start exploring using the aircrack suite. There are two vital tools in the aircrack suite that you will use most commonly:

  • airmon-ng - puts your wireless network adapter into monitor mode. This means that it’s just watching, and not actively trying to connect to any network. When your wireless card is in monitor mode, you won’t be able to carry out other wireless tasks, such as connecting to the internet.
  • airodump-ng - captures information from your wireless card, shows you information on the screen about what it’s seeing, and saves everything to a capture file. It’s the information from the airodump capture file that you will use for key cracking or for monitoring activity on your network.

You can carry out a good number of attacks with just these two commands.

Let’s start with a airmon-ng. First type:

sudo airmon-ng check

If the command has no output, then all is well. But probably the command will show you something like this:

Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID	Name
4696	NetworkManager
4699	wpa_supplicant
4853	avahi-daemon
4854	avahi-daemon

The list above shows you running processes that are known to use your wireless card, and that could get in the way of all of the other stuff we’re going to do. It’s often not necessary, but to avoid problems later on then you might like to kill them. Unfortunately some are easier to kill than others.

First try running sudo airmon-ng check kill, which will attempt to kill them all politely. It will probably get rid of one or more of them. The rest are a bit more fussy, and liked to be closed down using commands such as:

sudo stop network-manager
sudo stop avahi-daemon
sudo killall wpa_supplicant

For safety, keep persisting until you’ve killed all of the rogue processes and sudo airmon-ng check returns a blank result.

Now let’s put our wireless network adapter into monitor mode. Type sudo airmon-ng start wlan0 - where wlan0 is the name of the wireless adapter we chose at the start of the tutorial. It will show something like the following:

Interface	Chipset		Driver

wlan0		Atheros 	ath9k - [phy0]
				(monitor mode enabled on mon0)

What this tells us is that airmon-ng has put wlan0 into monitor mode, using a new adapter called mon0. In fact, if you type iwconfig now, you should find that you’ve got a new wireless adapter called mon0 which is in Mode: Monitor. The new mon0 adapter is going to be important to us, because we’re going to use it for the rest of our aircrack commands.

Now let’s use airodump-ng to start monitoring wireless activity around us, and dumping it into a file. Type the command:

sudo airodump-ng -w randomstuff mon0

You’ll end up with a screen that’s constantly updated and contains two sets of information. The top half of the output tells you what access points are around you, their address (BSSID), their name (ESSID), their encryption type, their channel and their bitrate. The bottom half tells you about other PCs or devices that are around you, the hardware address of the access point their connected to (BSSID), and the hardware address of the device itself (Station).

As you watch airodump-ng run, you can learn more and more about the activity that’s around you, who’s connected to what and how active each network is. This information will be really important later on.

Press Ctl+C to stop airodump-ng, and then type sudo airmon-ng stop mon0 to take your wireless card back out of monitor mode. mon0 will disappear from your iwconfig output.

If you have a look in your current directory, you’ll find a whole load of new files there starting “randomstuff” - which is the value we gave to the airodump-ng command. These files contain raw output from your wireless card while it was monitoring your surroundings. They’re fairly useless at this stage so you can delete them - but later these captures will become really important.

Capturing data on an open network

The first hacking attack we’ll do is to monitor the traffic on an open network, and dump it all to your hard drive. This shows just how amazingly insecure any open network is. If anyone actually cared about security then open networks would be banned, and instead places with public wi-fi would simply show their WPA key on a notice on the wall.

In this case lets imagine we’re targeting an open network called MYOPENNETWORK which is on channel 6 and has the BSSID XX:ZZ:YY:XX:ZZ:YY . We got this information from looking at the output from iwlist and airodump-ng in the steps above - hence the reason information gathering is so important.

Let’s put our wireless card back into monitor mode, but this time tell it to stick on channel 6, rather than scanning around like it normally would:

sudo airmon-ng start wlan0 6

And now let’s start airodump-ng but tell it to save to a file called opennetdump and just monitor traffic from MYOPENNETWORK (BSSID XX:ZZ:YY:XX:ZZ:YY) with the command:

sudo airodump-ng --channel 6 -w opennetdump --bssid XX:ZZ:YY:XX:ZZ:YY mon0.

You’ll see as airodump-ng runs that it’s now a lot more focused - it will only show one access point, and it will show a smaller number of connected clients. Leave it running for about 5 to 10 minutes, and then press Ctrl+C to stop it. Then type sudo airmon-ng stop mon0 to take your card out of monitor mode.

Now let’s look at what you’ve caught. airodump-ng will have saved its output to a number of files beginning opennetdump - including one that contains all of the packets it’s captured called opennetdump-01.cap. This file is in binary format, so not easy for us to read - but thankfully a command called tcpdump will help you make sense of it. Type:

sudo tcpdump -r opennetdump-01.cap

All of the activity that you’ve captured on the network will be listed on your screen. You can add -vvv to the command to get more detail and contents from every request that’s listed - including web page content. Simply add > myoutputfile.txt to put it all into a text file for your perusal. So, for ultimate detail:

sudo tcpdump -r opennetdump-01.cap -vvv > myoutputfile.txt

Bear in mind that whenever you’re on an open network, anyone can be doing this to you. Unless you’re browsing sites using HTTPS, everything you transmit - usernames, passwords, emails, bank details - can be captured and seen by everyone around you.

Capturing data on a WEP-encrypted network

WEP was one of the first attempts to encrypt wi-fi data. Unfortunately it was very flawed, and very easy to crack. Even more unfortunately, it’s still in heavy use today. But before we get onto cracking a WEP password, what about if you already know the password and want to just monitor the network’s traffic? If you tried the exercise above you’d find that all of the steps worked, but that the data that came back from tcpdump was encrypted and couldn’t be viewed.

That’s where the command airdecap-ng comes in handy. It takes the output from airodump-ng and decrypts any encrypted data. If the WEP connection you’re monitoring is called MYWEBNETWORK, it has a WEP key of mywepkey, and you used airodump-ng to save to a file called capturefile then simply use the command:

sudo airdecap-ng -e MYWEPNETWORK -w mywepkey capturefile-01.cap

airdecap-ng will create a new file called capturefile-01-dec.cap with the decrypted information, and you can use tcpdump as before to convert it into plain text:

sudo tcpdump -r capturefile-01-dec.cap -vvv > myoutputfile.txt

As you can see - if you know the WEP key for any network then it’s very easy to then capture everything, decrypt it using the key and then analyse every little bit of information that’s flowing over it. So if you’re jumping on someone else’s WEP network then treat it like an open network, for the network administrator or any other user potentially knows everything you’re doing.

Collecting data to crack a WEP key

So far we’ve done lots of data analysis, but very little actual cracking. So let’s see how easy it is to crack a WEP network. As before - you need a target, and as much information about it as possible, especially the channel, BSSID and ESSID. Let’s pretend we’re targeting a network called WEPHACKME with a BSSID of XX:YY:ZZ:XX:YY:XX on channel 1.

We’ll put our wi-fi card into monitor mode again - and as before specify the channel you wish to target:

sudo airmon-ng start wlan0 1

We’ll then start airodump-ng, telling it to save to wephack and target the BSSID XX:YY:ZZ:XX:YY:XX on channel 1, and also adding the option --ivs which tells it to just capture packets called IVs, which are the packets we need to crack the WEP key:

sudo airodump-ng -w wephack --bssid XX:YY:ZZ:XX:YY:XX --channel 1 --ivs mon0

And now we wait. Or at least we could do. The longer you wait, the more data you collect and the more likely it is that your crack will be successful. Depending on the amount of traffic that’s flying over the network, it could be that you just have to sit there capturing packets for 5 minutes and you’ll have enough data to break the WEP key.

However some of you more impatient souls - and the ones who have absolutely the right drivers and wi-fi cards for aircrack - might like to speed things up a bit. You can do that through packet injection. If you don’t care about that, skip the next section.

Injecting WEP packets to speed up a WEP crack

To try to inject packets, open a new terminal window - leaving airodump running. You then want to try to trick your target access point into believing that you have authenticated with it. Try this command:

sudo aireplay-ng -1 0 -e WEPHACKME -a XX:YY:ZZ:XX:YY:XX -h AA:BB:CC:DD:EE:FF mon0

Note that AA:BB:CC:DD:EE:FF is the hardware address of your network card, which you found in the Gathering Information section of this tutorial using ifconfig.

All going well, you should see output like the following. If you get an error message or something different to the below, then you can try some alternate commands from the aircrack Simple WEP Crack tutorial.

18:53:27  Sending Authentication Request (Open System) [ACK]
18:53:27  Authentication successful
18:53:27  Sending Association Request [ACK]
18:53:27  Association successful :-) (AID: 1)

Now that you’ve faked your authentication you need to inject some packets by listening to things called ARP requests and then replaying them to the access point. Make sure you do this quite soon after sending your fake authentication request. Use the command:

sudo aireplay-ng -3 -b XX:YY:ZZ:XX:YY:XX -h AA:BB:CC:DD:EE:FF mon0

aireplay-ng will tell you that it’s injecting ARP packets. Leave it for a while to allow it to collect a good amount of data, and then when you’ve run out of patience, press Ctrl+C to stop it. Close down that terminal and go back to the one running airodump-ng.

Cracking the WEP key

Whether you’ve run the injection attack in the section above, or just left airodump-ng for ages to collect lots of IVs, at some point you’ll be ready to try cracking the WEP key. You can do this with airodump-ng running - which means that if you actually haven’t collected enough IVs yet it doesn’t matter.

Open a new terminal window and type:

sudo aircrack-ng wephack-01.ivs

aircrack-ng will start crunching all of the numbers from the data that you’ve gathered, and will either tell you that it hasn’t got enough information, or will tell you that it’s found the WEP key. If it needs more information then leave airodump-ng running, or try the injection attack again.

                                 Aircrack-ng 1.0


                 [00:00:27] Tested 270610 keys (got 21952 IVs)

   KB    depth   byte(vote)
    0    0/ 11   0A(30464) 6D(28672) 9F(27904) 49(27136) 63(26880) 
    1    0/  5   57(32000) 18(30464) 6A(28416) B1(27904) 09(27648) 
    2   26/ 63   F2(25088) E5(25088) F7(25088) 81(24832) A5(24832) 
    3    0/ 13   B9(30976) 97(29440) C4(28928) DE(28416) C0(28160) 
    4    4/  7   77(26624) 14(26368) 90(26368) 05(25856) 13(25856) 

                         KEY FOUND! [ 0A:57:F2:B9:84 ] 
	Decrypted correctly: 100%

Once you’ve got your key, stop airodump-ng by pressing Ctrl+C and use sudo airmon-ng stop mon0 to take your wireless card out of monitor mode.

Once you get good at this, you’ll be able to crack any WEP key in a good 5 to 10 minutes and then start monitoring the network for traffic that’s traveling through it. That’s why WEP is not a good solution a secure network.

Looking at cracking WPA and WPA2

WPA was introduced to fix all of the flaws in WEP and present a more secure solution for wi-fi encryption. WPA2 is a second generation, but doesn’t add much in the way of security, so can be considered synonymous. WPA comes in many different forms. The most common form - and the only one you can crack with aircrack - is WPA PSK, or WPA Publicly Shared Key. Like WEP, this has a key that each client machine needs to know before it can connect.

WPA PSK is pretty good - it is much harder to crack, and even if you know the PSK key it’s nowhere near as easy to monitor traffic from other clients. However, as every security expert knows, nothing is uncrackable, so let’s go over the theory for cracking WPA PSK and discover why a good password is vital.

Unlike WEP, WPA connections are encrypted not just with the WPA key, but with an extra value called a salt. The salt is agreed at the point at which the client connects - so if you don’t know the key and the salt then you can’t monitor connections. This key+salt combination also stops you from working out the key from packets that you’re monitoring on the network.

However there is one flaw - and that’s when a client first connects to the access point. During that process the WPA key is exchanged between the client and the access point and validated. This is called a ‘four-way handshake’, and if you can capture that then you can start working on decrypting the key.

Capturing the four-way handshake is very similar to capturing data for WEP - with just a few extra caveats - so let’s go through the various steps…

Capturing the data we need to crack a WPA key

Let’s say we’re wanting to crack a network called MYWPANETWORK with a BSSID of QQ:WW:EE:RR:TT:YY, that operates on channel 1. Hopefully you know that this network has clients attached because you saw them when you ran airodump-ng at the start - and you’ll need these clients to capture their handshake. One of the clients has the address AA:BB:CC:DD:EE:FF.

We would firstly start airmon-ng as usual:

sudo airmon-ng start wlan0 1

We then want to start airodump-ng. You could just start it as normal with the command:

sudo airodump-ng --bssid QQ:WW:EE:RR:TT:YY --channel 1 -w wpahack mon0

That may work. You may find that if you wait long enough then you’ll capture a four way handshake. But unfortunately this is where a bit of experimentation is required - and the information you gathered about the networks at the beginning of the tutorial is extra useful.

You will not capture the four way handshake if your wireless card is not operating on the same channel, at the same frequency and at the same band as the client(s) that you’re targeting. So you may have to try adding options like --band [a, b or g] to your airodump-ng command, and also using iwconfig to set your wireless card to a certain frequency before you start.

For example - remember the output you gathered from iwlist at the beginning of the exercise. That may tell you that the network you’re targeting works at a frequency of 2.437 GHz. Before you start airodump-ng use iwconfig to set your network card’s frequency to match:

sudo iwconfig mon0 freq 2.437G

Then airodump-ng told us that this network was operating at a bit-rate of 54 mbits - which is wireless g. So we would use the airodump command:

sudo airodump-ng --bssid QQ:WW:EE:RR:TT:YY --channel 1 --band g -w wpahack mon0

Of course that doesn’t guarantee that the client which you are targeting is connecting using wireless-g, so you could still miss the handshake and have to try something else.

You’ve also got the problem that the clients only send the handshake when they first connect - so if they connect at 9am and send the handshake then, they may not send another handshake until 9am the next morning. Thankfully - similar to the WEP hacking packet injection - you do have the ability to encourage a handshake when you need one, and therefore speed up the process.

Generating a four-way handshake

To generate a four-way handshake you need to persuade a client that is connected to the access point to disconnect. To do this, you can send some ‘deauthenticate’ messages to the client in the hope that it will think it has been disconnected and will attempt to reconnect, carrying out a four-way handshake.

Open a new terminal window and enter the command:

aireplay-ng -0 10 -a QQ:WW:EE:RR:TT:YY -c AA:BB:CC:DD:EE:FF mon0

This will send 10 deauthenticate messages to the client AA:BB:CC:DD:EE:FF, pretending to be from the access point QQ:WW:EE:RR:TT:YY. You can play with the number 10 to send more or fewer deauth requests.

Capturing the four-way handshake

Once you’ve captured the four-way handshake, airodump-ng will suddenly show an additional WPA Handshake notice at the top of the screen, followed by the client’s MAC address. There’s no point trying to continue with anything further until you’ve caught that handshake.

If it doesn’t arrive and you’ve tried sending deauthenticate messages, you should try playing with your iwconfig and airodump settings to try alternate bands or frequencies. You can also try targeting a different client with your deauth messages.

Decrypting the WPA key

Once you’ve caught the handshake you can start using aircrack-ng to start attacking the key. The only way to attack this key is through brute force using a dictionary file - or a big list of possible passwords.

Password dictionary files are available all around the web - and there are some great lists at Skull Security. Choose one or more to download, and save it to somewhere on your hard drive.

Then run:

sudo aircrack-ng -w dictionary.txt wpahack-01.cap

… where dictionary.txt is the dictionary file that you are using. aircrack-ng will then attempt every entry in the dictionary file until it’s tried them all, or until it’s discovered the correct value.

Capturing data on a WPA network

Because a client uses a salt to communicate with the access point on a WPA network, you can’t decrypt the data it sends to and from your access point without the salt value - and you can only capture the salt value remotely during the four way handshake. This makes it much harder to monitor network traffic than on an open or WEP network.

But if you have successfully captured the four way handshake for a particular client - maybe by sending it deauth messages - then you can decrypt it’s messages using airdecap-ng like so:

sudo airdecap-ng -p WPAKEY -e NETWORKNAME output-01.cap

As with the open network demonstration it will save the file output-01-dec.cap that you can convert to plain text using tcpdump.

A note about wireless cracking from a Mac

If you’re a Mac user then you can install the aircrack-ng suite from a project like Fink or MacPorts. These provide a wide range of open source software that’s been ported over to the Mac. Both projects are very similar, both are free and either is fine for use in this tutorial. They’re both very straightforward to install.

With Fink you can install the aircrack suite by typing:

sudo fink install aircrack-ng

And with MacPorts you can use:

sudo port install aircrack-ng

Even though most of the aircrack commands will work on your Mac, airmon-ng and airodump-ng won’t work. Instead you have a built-in command called airport, which is nicely hidden away somewhere on your hard drive. airport puts your wireless card into monitor mode and captures packets.

To find where airport is on your Mac, type sudo find / -name airport. Mine came back with:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport

You can then type the following to capture everything around you from your Mac:

sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport sniff

You can also tell the airport command to sniff on a particular channel. To sniff on channel 1 for example, use airport sniff 1.

Press Ctrl+C to stop the sniffer, and it will save all of your capture information into your /tmp/ folder - telling you the file name it’s saved it to. The capture format is exactly the same as airodump-ng, so you can feed it into airdecap-ng, aircrack-ng or tcpdump.

However beyond that you won’t get the flexibility you get with Linux. You can’t use airport to inject packets or narrow down the sniffing to a particular access point for example - so it’s really only useful for breaking into WEP-secured access points or monitoring open and WEP networks.

Final thoughts: Securing your network

As you have seen, breaking in to a WEP or open network and gaining real insight into what people are doing is very easy. And we haven’t touched on what else an attacker could do once on your network - such as attacking samba shares or accessing other services on your intranet. WPA and WPA2 are much more secure and much more difficult to hack - but are still open to dictionary attacks.

To keep your network secure, make sure that you are using WPA to protect it, and make sure that your password is something that is not vulnerable to a dictionary attack. An auto-generated password comprising of upper and lower case characters, numbers and special symbols is the ideal - and the longer the better.