If you’re the admin of a home or business wireless network then it’s important that you know about wireless security - and one of the best ways to learn is to experiment. This guide shows you some simple attacks that any hacker can attempt on your network.
There are three common levels of wireless encryption. A network can be open - meaning it requires no key or password to connect - or it can use WEP encryption, or it can use WPA/WPA2 encryption. Throughout this tutorial, you’ll see how easy it is to monitor everything that happens on an open network, then how to break in and do the same on a WEP network, and then how to crack WPA. You’ll see that WPA is much harder to crack - and therefore much more secure.
Obviously attempting to gain access to another person’s network is illegal in most countries, so please just try this on your own network, or with the network owner’s permission if that’s not you.
What you need
A computer running some form of Unix-based operating system is essential. The best choice is a PC running Linux or BSD.
If you’re a Mac owner then you do have a Unix-based OS, but some of the commands won’t work. It’s still possible to do quite a lot with a Mac though - see the note on Macs near the bottom of the tutorial. If you’re a Windows user then Cygwin or a virtual machine won’t cut it - install a proper Unix-based OS or run one from a Live CD.
Everything we’re going to do in this tutorial is in the terminal, so some familiarity with that would be ideal. Most of the commands will have sudo in front of them - which means you’ll be running them with administrator privileges - so occasionally you’ll be asked to enter your admin password.
If you’re a Linux or BSD user then you need to make sure that you have the correct drivers installed and a compatible network card. The aircrack site has a guide, but if that looks confusing then just try out the stuff below - you can probably do most, if not all, of it without worrying about drivers too much.
aircrack-ng is a suite of tools that help you work with wireless networks. You’ll need the aircrack-ng suite installed for most of the attacks below. To get this on a Debian-based Linux installation (such as Ubuntu or Mint) go to the terminal and type:
sudo apt-get install aircrack-ng
On other flavours of Linux there will be a similar command instead of apt-get - such as yum. Just look it up in your Linux flavour’s documentation.
If at any point you come across a command that can’t be found on your system then try the above command, but replace aircrack-ng with the command that’s missing. Chances are apt-get (or its equivalent) will be able to install it for you.
Gathering information
The most important stage in any cracking task is gathering information. For wi-fi cracking, you need to know as much information about your computer and the networks around you as you can.
First - let’s find out about your computer’s networking features. Start with the iwconfig command, which gives you information about the network adapters on your computer:
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Frequency:2.412 GHz  Access Point: Not-Associated
          Tx-Power=20 dBm
          Retry long limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
This shows that you have three network adapters - lo, eth0 and wlan0 - but that only one of them (wlan0) is a wireless device. wlan0 will be the wireless adapter we use for the rest of the tutorial.
Next, run ifconfig wlan0, where wlan0 is the wireless network adapter we found:
wlan0     Link encap:UNSPEC  HWaddr AA-BB-CC-DD-EE-FF-00-00-00
          UP BROADCAST NOTRAILERS PROMISC ALLMULTI  MTU:1500  Metric:1
          RX packets:1177841 errors:0 dropped:0 overruns:0 frame:0
          TX packets:389365 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:408049502 (408.0 MB)  TX bytes:61662376 (61.6 MB)
This shows some different information about your wireless card. Make a note of your HWaddr, which is your card’s MAC address - you’ll need it later. You just need the first six entries, in the form AA:BB:CC:DD:EE:FF - you don’t need to worry about the trailing 00-00-00 bits.
Now let’s look at iwlist, which can give you lots of information about what’s around you. The command sudo iwlist wlan0 scan will tell your computer to carry out a scan for access points around you, and returns lots of interesting information about each access point:
Cell 01 - Address: XX:YY:ZZ:XX:YY:ZZ
          Channel:1
          Frequency:2.412 GHz (Channel 1)
          Quality=30/70  Signal level=-80 dBm
          Encryption key:on
          ESSID:"SomeNetworkName"
          Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 9 Mb/s
                    18 Mb/s; 36 Mb/s; 54 Mb/s
          Bit Rates:6 Mb/s; 12 Mb/s; 24 Mb/s; 48 Mb/s
          Mode:Master
Cell 02 - Address: AA:BB:CC:DD:EE:FF
          Channel:1
          Frequency:2.412 GHz (Channel 1)
          Quality=19/70  Signal level=-91 dBm
          Encryption key:off
          ESSID:"SomeOtherNetwork"
          Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                    9 Mb/s; 12 Mb/s; 18 Mb/s
          Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
          Mode:Master
          Extra: Last beacon: 712ms ago
In the example above, there are two wifi networks in range, and iwlist has told you what they’re called (their ESSID), their unique BSSID address (Address), what frequency they operate on, which channel they use, what bit-rates they support, whether they’re encrypted or not, and more.
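As an added example (not from the original tutorial), here is a small parser for the iwlist scan output shown above, written as an audit tool for the network admin: it lists every access point in range with its BSSID, channel, signal and which of the three security levels it uses, and flags the open and WEP ones. The scan text and the BSSIDs inside it are constructed; the IE: line on the third cell is what newer iwlist versions print for WPA/WPA2 networks.

```python
import re

# Constructed sample of `sudo iwlist wlan0 scan` output, modelled on the cells
# shown on this page. BSSIDs are locally administered placeholders.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 02:00:00:00:00:01
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    Quality=30/70  Signal level=-80 dBm
                    Encryption key:on
                    ESSID:"SomeNetworkName"
                    Mode:Master
          Cell 02 - Address: 02:00:00:00:00:02
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    Quality=19/70  Signal level=-91 dBm
                    Encryption key:off
                    ESSID:"SomeOtherNetwork"
                    Mode:Master
          Cell 03 - Address: 02:00:00:00:00:03
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=55/70  Signal level=-55 dBm
                    Encryption key:on
                    ESSID:"HomeNet"
                    IE: IEEE 802.11i/WPA2 Version 1
                    Mode:Master
"""

FIELD_PATTERNS = {
    "bssid": re.compile(r"Address:\s*([0-9A-Fa-f:]{17})"),
    "essid": re.compile(r'ESSID:"([^"]*)"'),
    "channel": re.compile(r"Channel:(\d+)"),
    "signal": re.compile(r"Signal level=(-?\d+)\s*dBm"),
    "key": re.compile(r"Encryption key:(on|off)"),
}


def classify(cell_text, key_on):
    """Map iwlist's fields onto the three levels this page discusses.
    'Encryption key:on' with no WPA/RSN information element means WEP."""
    if not key_on:
        return "open"
    if "WPA" in cell_text:  # covers "IE: WPA Version 1" and "IEEE 802.11i/WPA2"
        return "WPA/WPA2"
    return "WEP"


def parse_iwlist(text):
    """Split scan output into cells and pull out the fields an admin cares about."""
    networks = []
    # Every cell begins "Cell NN - Address: ..."; the text before the first one is dropped.
    for block in re.split(r"\n\s*Cell \d+ - ", "\n" + text)[1:]:
        found = {name: pat.search(block) for name, pat in FIELD_PATTERNS.items()}
        if not (found["bssid"] and found["essid"]):
            continue  # malformed cell: skip rather than guess
        key_on = found["key"] is not None and found["key"].group(1) == "on"
        networks.append({
            "bssid": found["bssid"].group(1).lower(),
            "essid": found["essid"].group(1),
            "channel": int(found["channel"].group(1)) if found["channel"] else None,
            "signal_dbm": int(found["signal"].group(1)) if found["signal"] else None,
            "security": classify(block, key_on),
        })
    return networks


def weak_networks(networks):
    """The access points that need attention: anything open or still on WEP."""
    return [n for n in networks if n["security"] in ("open", "WEP")]


if __name__ == "__main__":
    nets = parse_iwlist(SAMPLE_SCAN)
    for n in nets:
        print(f'{n["bssid"]}  ch{n["channel"]:>2}  {n["signal_dbm"]:>4} dBm  '
              f'{n["security"]:<8}  {n["essid"]}')
    print("needs attention:", [n["essid"] for n in weak_networks(nets)])
```

To audit a live scan, pipe the real output in: sudo iwlist wlan0 scan | python3 audit.py with sys.stdin.read() in place of SAMPLE_SCAN.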
Getting started with aircrack
Now that you know what’s on your PC and know what’s around you, it’s time to start exploring using the aircrack suite. There are two vital tools in the aircrack suite that you will use most commonly:
airmon-ng - puts your wireless network adapter into monitor mode. This means that it’s just watching, and not actively trying to connect to any network. When your wireless card is in monitor mode, you won’t be able to carry out other wireless tasks, such as connecting to the internet.
airodump-ng - captures information from your wireless card, shows you information on the screen about what it’s seeing, and saves everything to a capture file. It’s the information from the airodump-ng capture file that you will use for key cracking or for monitoring activity on your network.
You can carry out a good number of attacks with just these two commands.
Let’s start with airmon-ng. First type:
sudo airmon-ng check
If the command has no output, then all is well. But probably the command will show you something like this:
Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
4696    NetworkManager
4699    wpa_supplicant
4853    avahi-daemon
4854    avahi-daemon
The list above shows you running processes that are known to use your wireless card, and that could get in the way of all of the other stuff we’re going to do. It’s often not necessary, but to avoid problems later on you might like to kill them. Unfortunately some are easier to kill than others.
First try running sudo airmon-ng check kill, which will attempt to kill them all politely. It will probably get rid of one or more of them. The rest are a bit more fussy, and like to be closed down using commands such as:
sudo stop network-manager
sudo stop avahi-daemon
sudo killall wpa_supplicant
For safety, keep persisting until you’ve killed all of the rogue processes and sudo airmon-ng check returns a blank result.
Now let’s put our wireless network adapter into monitor mode. Type sudo airmon-ng start wlan0 - where wlan0 is the name of the wireless adapter we chose at the start of the tutorial. It will show something like the following:
Interface       Chipset         Driver

wlan0           Atheros         ath9k - [phy0]
                                (monitor mode enabled on mon0)
What this tells us is that airmon-ng has put wlan0 into monitor mode, using a new adapter called mon0. In fact, if you type iwconfig now, you should find that you’ve got a new wireless adapter called mon0 which is in Mode:Monitor. The new mon0 adapter is going to be important to us, because we’re going to use it for the rest of our aircrack commands.
Now let’s use airodump-ng to start monitoring wireless activity around us, and dumping it into a file. Type the command:
sudo airodump-ng -w randomstuff mon0
You’ll end up with a screen that’s constantly updated and contains two sets of information. The top half of the output tells you what access points are around you, their address (BSSID), their name (ESSID), their encryption type, their channel and their bitrate. The bottom half tells you about other PCs or devices that are around you, the hardware address of the access point they’re connected to (BSSID), and the hardware address of the device itself.
As you watch airodump-ng run, you can learn more and more about the activity that’s around you, who’s connected to what and how active each network is. This information will be really important later on.
Press Ctrl+C to stop airodump-ng, and then type sudo airmon-ng stop mon0 to take your wireless card back out of monitor mode. mon0 will disappear from your iwconfig output.
If you have a look in your current directory, you’ll find a whole load of new files there starting “randomstuff” - which is the value we gave to the airodump-ng command. These files contain raw output from your wireless card while it was monitoring your surroundings. They’re fairly useless at this stage so you can delete them - but later these captures will become really important.
Capturing data on an open network
The first hacking attack we’ll do is to monitor the traffic on an open network, and dump it all to your hard drive. This shows just how amazingly insecure any open network is. If anyone actually cared about security then open networks would be banned, and instead places with public wi-fi would simply show their WPA key on a notice on the wall.
In this case let’s imagine we’re targeting an open network called MYOPENNETWORK which is on channel 6 and has the BSSID XX:ZZ:YY:XX:ZZ:YY. We got this information from looking at the output from airodump-ng in the steps above - hence the reason information gathering is so important.
Let’s put our wireless card back into monitor mode, but this time tell it to stick on channel 6, rather than scanning around like it normally would:
sudo airmon-ng start wlan0 6
And now let’s start airodump-ng but tell it to save to a file called opennetdump and just monitor traffic from XX:ZZ:YY:XX:ZZ:YY with the command:
sudo airodump-ng --channel 6 -w opennetdump --bssid XX:ZZ:YY:XX:ZZ:YY mon0
You’ll see as airodump-ng runs that it’s now a lot more focused - it will only show one access point, and it will show a smaller number of connected clients. Leave it running for about 5 to 10 minutes, and then press Ctrl+C to stop it. Then type sudo airmon-ng stop mon0 to take your card out of monitor mode.
Now let’s look at what you’ve caught. airodump-ng will have saved its output to a number of files beginning opennetdump - including one that contains all of the packets it’s captured, called opennetdump-01.cap. This file is in binary format, so not easy for us to read - but thankfully a command called tcpdump will help you make sense of it. Type:
sudo tcpdump -r opennetdump-01.cap
All of the activity that you’ve captured on the network will be listed on your screen. You can add -vvv to the command to get more detail and contents from every request that’s listed - including web page content. Simply add > myoutputfile.txt to put it all into a text file for your perusal. So, for ultimate detail:
sudo tcpdump -r opennetdump-01.cap -vvv > myoutputfile.txt
Bear in mind that whenever you’re on an open network, anyone can be doing this to you. Unless you’re browsing sites using HTTPS, everything you transmit - usernames, passwords, emails, bank details - can be captured and seen by everyone around you.
Capturing data on a WEP-encrypted network
WEP was one of the first attempts to encrypt wi-fi data. Unfortunately it was very flawed, and very easy to crack. Even more unfortunately, it’s still in heavy use today. But before we get onto cracking a WEP password, what if you already know the password and want to just monitor the network’s traffic? If you tried the exercise above you’d find that all of the steps worked, but that the data that came back from tcpdump was encrypted and couldn’t be viewed.
That’s where the command airdecap-ng comes in handy. It takes the output from airodump-ng and decrypts any encrypted data. If the WEP network you’re monitoring is called MYWEPNETWORK, it has a WEP key of mywepkey, and you used airodump-ng to save to a file called capturefile, then simply use the command:
sudo airdecap-ng -e MYWEPNETWORK -w mywepkey capturefile-01.cap
airdecap-ng will create a new file called capturefile-01-dec.cap with the decrypted information, and you can use tcpdump as before to convert it into plain text:
sudo tcpdump -r capturefile-01-dec.cap -vvv > myoutputfile.txt
As you can see - if you know the WEP key for any network then it’s very easy to capture everything, decrypt it using the key and then analyse every little bit of information that’s flowing over it. So if you’re jumping on someone else’s WEP network then treat it like an open network, since the network administrator or any other user can potentially see everything you’re doing.
Collecting data to crack a WEP key
So far we’ve done lots of data analysis, but very little actual cracking. So let’s see how easy it is to crack a WEP network. As before - you need a target, and as much information about it as possible, especially the channel, BSSID and ESSID. Let’s pretend we’re targeting a network called WEPHACKME with a BSSID of XX:YY:ZZ:XX:YY:XX on channel 1.
We’ll put our wi-fi card into monitor mode again - and as before specify the channel you wish to target:
sudo airmon-ng start wlan0 1
We’ll then start airodump-ng, telling it to save to wephack and target the BSSID XX:YY:ZZ:XX:YY:XX on channel 1, and also adding the option --ivs, which tells it to capture just the IVs - the packets we need to crack the WEP key:
sudo airodump-ng -w wephack --bssid XX:YY:ZZ:XX:YY:XX --channel 1 --ivs mon0
And now we wait. Or at least we could do. The longer you wait, the more data you collect and the more likely it is that your crack will be successful. Depending on the amount of traffic that’s flying over the network, it could be that you just have to sit there capturing packets for 5 minutes and you’ll have enough data to break the WEP key.
However some of you more impatient souls - and the ones who have absolutely the right drivers and wi-fi cards for aircrack - might like to speed things up a bit. You can do that through packet injection. If you don’t care about that, skip the next section.
Injecting WEP packets to speed up a WEP crack
To try to inject packets, open a new terminal window - leaving airodump-ng running. You then want to try to trick your target access point into believing that you have authenticated with it. Try this command:
sudo aireplay-ng -1 0 -e WEPHACKME -a XX:YY:ZZ:XX:YY:XX -h AA:BB:CC:DD:EE:FF mon0
AA:BB:CC:DD:EE:FF is the hardware address of your network card, which you found in the Gathering Information section of this tutorial using ifconfig.
All going well, you should see output like the following. If you get an error message or something different to the below, then you can try some alternate commands from the aircrack Simple WEP Crack tutorial.
18:53:27  Sending Authentication Request (Open System) [ACK]
18:53:27  Authentication successful
18:53:27  Sending Association Request [ACK]
18:53:27  Association successful :-) (AID: 1)
Now that you’ve faked your authentication you need to inject some packets by listening for things called ARP requests and then replaying them to the access point. Make sure you do this quite soon after sending your fake authentication request. Use the command:
sudo aireplay-ng -3 -b XX:YY:ZZ:XX:YY:XX -h AA:BB:CC:DD:EE:FF mon0
aireplay-ng will tell you that it’s injecting ARP packets. Leave it for a while to allow it to collect a good amount of data, and then when you’ve run out of patience, press Ctrl+C to stop it. Close down that terminal and go back to the one running airodump-ng.
Cracking the WEP key
Whether you’ve run the injection attack in the section above, or just left airodump-ng for ages to collect lots of IVs, at some point you’ll be ready to try cracking the WEP key. You can do this with airodump-ng running - which means that if you actually haven’t collected enough IVs yet it doesn’t matter.
Open a new terminal window and type:
sudo aircrack-ng wephack-01.ivs
aircrack-ng will start crunching all of the numbers from the data that you’ve gathered, and will either tell you that it hasn’t got enough information, or will tell you that it’s found the WEP key. If it needs more information then leave airodump-ng running, or try the injection attack again.
                                Aircrack-ng 1.0

                 [00:00:27] Tested 270610 keys (got 21952 IVs)

   KB    depth   byte(vote)
    0    0/ 11   0A(30464) 6D(28672) 9F(27904) 49(27136) 63(26880)
    1    0/  5   57(32000) 18(30464) 6A(28416) B1(27904) 09(27648)
    2   26/ 63   F2(25088) E5(25088) F7(25088) 81(24832) A5(24832)
    3    0/ 13   B9(30976) 97(29440) C4(28928) DE(28416) C0(28160)
    4    4/  7   77(26624) 14(26368) 90(26368) 05(25856) 13(25856)

                       KEY FOUND! [ 0A:57:F2:B9:84 ]
        Decrypted correctly: 100%
Once you’ve got your key, stop airodump-ng by pressing Ctrl+C and use sudo airmon-ng stop mon0 to take your wireless card out of monitor mode.
Once you get good at this, you’ll be able to crack any WEP key in a good 5 to 10 minutes and then start monitoring the traffic that’s travelling through the network. That’s why WEP is not a good solution for a secure network.
Looking at cracking WPA and WPA2
WPA was introduced to fix all of the flaws in WEP and present a more secure solution for wi-fi encryption. WPA2 is the second generation, but doesn’t add much in the way of security, so the two can be considered synonymous. WPA comes in many different forms. The most common form - and the only one you can crack with aircrack - is WPA PSK, or WPA Pre-Shared Key. Like WEP, this has a key that each client machine needs to know before it can connect.
WPA PSK is pretty good - it is much harder to crack, and even if you know the PSK key it’s nowhere near as easy to monitor traffic from other clients. However, as every security expert knows, nothing is uncrackable, so let’s go over the theory for cracking WPA PSK and discover why a good password is vital.
Unlike WEP, WPA connections are encrypted not just with the WPA key, but with an extra value called a salt. The salt is agreed at the point at which the client connects - so if you don’t know the key and the salt then you can’t monitor connections. This key+salt combination also stops you from working out the key from packets that you’re monitoring on the network.
However there is one flaw - and that’s when a client first connects to the access point. During that process the WPA key is exchanged between the client and the access point and validated. This is called a ‘four-way handshake’, and if you can capture that then you can start working on cracking the key.
Capturing the four-way handshake is very similar to capturing data for WEP - with just a few extra caveats - so let’s go through the various steps…
Capturing the data we need to crack a WPA key
Let’s say we’re wanting to crack a network called MYWPANETWORK with a BSSID of QQ:WW:EE:RR:TT:YY, that operates on channel 1. Hopefully you know that this network has clients attached because you saw them when you ran airodump-ng at the start - and you’ll need these clients to capture their handshake. One of the clients has the address AA:BB:CC:DD:EE:FF.
We would firstly start airmon-ng as usual:
sudo airmon-ng start wlan0 1
We then want to start airodump-ng. You could just start it as normal with the command:
sudo airodump-ng --bssid QQ:WW:EE:RR:TT:YY --channel 1 -w wpahack mon0
That may work. You may find that if you wait long enough then you’ll capture a four way handshake. But unfortunately this is where a bit of experimentation is required - and the information you gathered about the networks at the beginning of the tutorial is extra useful.
You will not capture the four-way handshake if your wireless card is not operating on the same channel, at the same frequency and in the same band as the client(s) that you’re targeting. So you may have to try adding options like --band [a, b or g] to your airodump-ng command, and also using iwconfig to set your wireless card to a certain frequency before you start.
For example - remember the output you gathered from iwlist at the beginning of the exercise. That may tell you that the network you’re targeting works at a frequency of 2.437 GHz. Before you start airodump-ng, use iwconfig to set your network card’s frequency to match:
sudo iwconfig mon0 freq 2.437G
airodump-ng told us that this network was operating at a bit-rate of 54 Mbit/s - which is wireless g. So we would use the --band g option:
sudo airodump-ng --bssid QQ:WW:EE:RR:TT:YY --channel 1 --band g -w wpahack mon0
Of course that doesn’t guarantee that the client which you are targeting is connecting using wireless-g, so you could still miss the handshake and have to try something else.
You’ve also got the problem that the clients only send the handshake when they first connect - so if they connect at 9am and send the handshake then, they may not send another handshake until 9am the next morning. Thankfully - similar to the WEP hacking packet injection - you do have the ability to encourage a handshake when you need one, and therefore speed up the process.
Generating a four-way handshake
To generate a four-way handshake you need to persuade a client that is connected to the access point to disconnect. To do this, you can send some ‘deauthenticate’ messages to the client in the hope that it will think it has been disconnected and will attempt to reconnect, carrying out a four-way handshake.
Open a new terminal window and enter the command:
sudo aireplay-ng -0 10 -a QQ:WW:EE:RR:TT:YY -c AA:BB:CC:DD:EE:FF mon0
This will send 10 deauthenticate messages to the client AA:BB:CC:DD:EE:FF, pretending to be from the access point QQ:WW:EE:RR:TT:YY. You can play with the number 10 to send more or fewer deauth requests.
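The defender’s side of this, as an added example that is not part of the original tutorial: a minimal detector that decodes bare 802.11 management frames (radiotap header already stripped) and alerts on the burst of deauthentication frames the technique above produces, while letting the occasional legitimate deauth through. The frames it runs over are constructed inside the script and the addresses are placeholders; the spoofed source address looks identical to the real one, so rate is the signal, and 802.11w (protected management frames) is the fix that stops forged deauths being honoured at all.

```python
import struct
from collections import defaultdict, deque

# Frame-control byte 0 of an 802.11 header: version (bits 0-1), type (bits 2-3),
# subtype (bits 4-7). Deauthentication and disassociation are management frames.
TYPE_MGMT = 0
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
MGMT_HEADER_LEN = 24  # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame):
    """Decode a deauth/disassoc frame into its addresses and reason code.
    Returns None for any other frame or for anything too short to be one."""
    if len(frame) < MGMT_HEADER_LEN + 2:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != TYPE_MGMT or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", frame, MGMT_HEADER_LEN)
    return {"subtype": "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc",
            "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "reason": reason}


def detect_deauth_flood(records, threshold=5, window_s=1.0):
    """records: (timestamp_seconds, raw_frame) pairs in time order.
    Alert once per (bssid, client) pair that sees more than `threshold`
    deauth/disassoc frames inside any `window_s` span. A single deauth is
    normal (roaming, AP restart); a burst aimed at one client is not."""
    recent = defaultdict(deque)   # (bssid, client) -> timestamps in the window
    alerted, alerts = set(), []
    for ts, frame in records:
        info = parse_mgmt_frame(frame)
        if info is None:
            continue
        # The client is whichever end of the exchange is not the AP itself.
        client = info["dst"] if info["src"] == info["bssid"] else info["src"]
        key = (info["bssid"], client)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"bssid": info["bssid"], "client": client, "count": len(q),
                           "first_ts": q[0], "last_ts": ts, "reason": info["reason"]})
    return alerts


def sample_mgmt_frame(subtype, dst, src, bssid, reason):
    """Assemble a bare management frame in memory (constructed test data)."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    return (fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))


AP, VICTIM, OTHER = "02:00:00:00:00:aa", "02:00:00:00:00:c1", "02:00:00:00:00:c2"


def sample_capture():
    """Constructed timeline: 12 deauths at VICTIM inside 0.6 s (reason 7,
    'class 3 frame received from a non-associated station'), one ordinary
    deauth to another client half a minute later, and a data frame to ignore."""
    recs = [(0.05 * i, sample_mgmt_frame(SUBTYPE_DEAUTH, VICTIM, AP, AP, 7))
            for i in range(12)]
    recs.append((30.0, sample_mgmt_frame(SUBTYPE_DEAUTH, OTHER, AP, AP, 3)))
    recs.append((31.0, bytes([0x08, 0x00]) + b"\x00" * 30))
    return recs


if __name__ == "__main__":
    for a in detect_deauth_flood(sample_capture()):
        span = a["last_ts"] - a["first_ts"]
        print(f"ALERT {a['client']} on {a['bssid']}: {a['count']} deauths in {span:.2f}s")
```

To run it against a real airodump-ng .cap file, read the packets with any pcap library, strip the radiotap header, and feed (timestamp, frame) pairs to detect_deauth_flood.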
Capturing the four-way handshake
Once you’ve captured the four-way handshake, airodump-ng will suddenly show an additional WPA Handshake notice at the top of the screen, followed by the client’s MAC address. There’s no point trying to continue with anything further until you’ve caught that handshake.
If it doesn’t arrive and you’ve tried sending deauthenticate messages, you should try playing with your airodump-ng settings to try alternate bands or frequencies. You can also try targeting a different client with your deauth messages.
Decrypting the WPA key
Once you’ve caught the handshake you can start using aircrack-ng to attack the key. The only way to attack this key is through brute force using a dictionary file - a big list of possible passwords.
Password dictionary files are available all around the web - and there are some great lists at Skull Security. Choose one or more to download, and save it somewhere on your hard drive.
sudo aircrack-ng -w dictionary.txt wpahack-01.cap
… where dictionary.txt is the dictionary file that you are using.
aircrack-ng will then attempt every entry in the dictionary file until it’s tried them all, or until it’s discovered the correct value.
Capturing data on a WPA network
Because a client uses a salt to communicate with the access point on a WPA network, you can’t decrypt the data it sends to and from your access point without the salt value - and you can only capture the salt value remotely during the four-way handshake. This makes it much harder to monitor network traffic than on an open or WEP network.
But if you have successfully captured the four-way handshake for a particular client - maybe by sending it deauth messages - then you can decrypt its messages using airdecap-ng like so:
sudo airdecap-ng -p WPAKEY -e NETWORKNAME output-01.cap
As with the open network demonstration it will save the file output-01-dec.cap, which you can convert to plain text using tcpdump.
A note about wireless cracking from a Mac
If you’re a Mac user then you can install the aircrack-ng suite from a project like Fink or MacPorts. These provide a wide range of open source software that’s been ported over to the Mac. Both projects are very similar, both are free and either is fine for use in this tutorial. They’re both very straightforward to install.
With Fink you can install the aircrack suite by typing:
sudo fink install aircrack-ng
And with MacPorts you can use:
sudo port install aircrack-ng
Even though most of the aircrack commands will work on your Mac, airodump-ng won’t work. Instead you have a built-in command called airport, which is nicely hidden away somewhere on your hard drive. airport puts your wireless card into monitor mode and captures packets.
To find where airport is on your Mac, type sudo find / -name airport. Mine came back with /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport.
You can then type the following to capture everything around you from your Mac:
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport sniff
You can also tell the airport command to sniff on a particular channel. To sniff on channel 1 for example, use airport sniff 1.
Press Ctrl+C to stop the sniffer, and it will save all of your capture information into your /tmp/ folder - telling you the file name it’s saved it to. The capture format is exactly the same as airodump-ng’s, so you can feed it into aircrack-ng.
However beyond that you won’t get the flexibility you get with Linux. You can’t use airport to inject packets or narrow down the sniffing to a particular access point, for example - so it’s really only useful for breaking into WEP-secured access points or monitoring open and WEP networks.
Final thoughts: Securing your network
As you have seen, breaking into a WEP or open network and gaining real insight into what people are doing is very easy. And we haven’t touched on what else an attacker could do once on your network - such as attacking Samba shares or accessing other services on your intranet. WPA and WPA2 are much more secure and much more difficult to hack - but are still open to dictionary attacks.
To keep your network secure, make sure that you are using WPA to protect it, and make sure that your password is something that is not vulnerable to a dictionary attack. An auto-generated password comprising upper and lower case characters, numbers and special symbols is the ideal - and the longer the better.
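To put numbers on that advice, here is an added example (not from the original tutorial) that derives the WPA/WPA2 PSK the way the standard does - PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds - which is the work a dictionary attack has to repeat per candidate, and then compares a wordlist run against a uniformly random passphrase of the kind recommended above. The attacker guess rate and the 14-million-entry wordlist size are assumptions to adjust for your own threat model; the generator uses the OS CSPRNG.

```python
import hashlib
import math
import secrets
import string

# WPA/WPA2-PSK derives the 256-bit pairwise master key from the passphrase with
# PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID. aircrack-ng -w has to
# do exactly this for every word in the dictionary.
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32

# 94 printable ASCII characters (no space): the upper/lower case letters,
# digits and special symbols the page recommends mixing.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def wpa2_psk(passphrase, ssid):
    """Passphrase -> PSK as 64 hex chars. WPA passphrases are 8-63 ASCII chars."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PSK_LEN).hex()


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random passphrase of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit a uniformly random secret: half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def dictionary_crack_seconds(dictionary_size, guesses_per_second):
    """Worst case when the passphrase IS in the wordlist: every entry tried once."""
    return dictionary_size / guesses_per_second


def generate_passphrase(length=20):
    """Uniform random passphrase from ALPHABET using the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8-63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Assumed attacker throughput: 100,000 PBKDF2 guesses per second (GPU-class
    # hardware; a single CPU core manages a few thousand). Adjust as needed.
    RATE = 100_000
    WORDLIST = 14_000_000  # assumed size of a large public wordlist
    print(f"passphrase taken from a {WORDLIST:,}-word list: "
          f"cracked within {dictionary_crack_seconds(WORDLIST, RATE):.0f} s")
    for length in (8, 12, 20):
        bits = entropy_bits(length, len(ALPHABET))
        years = expected_crack_seconds(bits, RATE) / (365 * 24 * 3600)
        print(f"random {length}-char passphrase: {bits:.0f} bits, ~{years:.3g} years")
    pw = generate_passphrase(20)
    print("example passphrase:", pw)
    print("its PSK for SSID MYWPANETWORK:", wpa2_psk(pw, "MYWPANETWORK"))
```

The PSK function is checked against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), so you can also use it to confirm a router is deriving keys correctly.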