Wi-fi Pentesting with Aircrack-ng
In this post we will use tools from a popular wireless networking penetration testing suite, Aircrack-ng, to demonstrate attacks on two common Wi-Fi security protocols: WEP and WPA2.
Aircrack-ng lists the following focus areas of their product:
Monitoring: Packet capture and export of data to text files for further processing by third party tools.
Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
Testing: Checking WiFi cards and driver capabilities (capture and injection).
Cracking: WEP and WPA PSK (WPA 1 and 2).
We will focus on the last aspect: Cracking with Aircrack-ng.
We’ve done some prep work already, using some of the Aircrack-ng tools (airmon-ng, airodump-ng, and aireplay-ng) to discover wireless networks and capture the authentication packets containing the key. All we have to do now is extract the key from the captured traffic.
So follow the following steps for Wi-fi pentesting with Aircrack-ng:
Step 1: Capture Packets
Let's look at the captured files. Do a listing of the wifihacking directory:
Step 2: Reading Capture Files
If you are curious what the contents of those files might be, let's open one with TShark. Issue the following command. Don't forget to pipe into more, otherwise the terminal will be flooded with output.
tshark -r wifihacking/wepcapture.cap | more
It may take a few seconds before packet data shows up in the terminal.
Hit Enter or Space a few times to scroll through the file. This is a lot of data to comb through looking for the key. Luckily, Aircrack-ng comes to the rescue.
Step 3: Cracking WEP
For the WEP capture, all we need to do now is run the following command:
Let the command run for some time. Here aircrack-ng is trying to calculate the key using the provided .cap file. After some time it provides us with the password of the access point. Easy. As a security best practice, don't use WEP encryption!
Step 4: Cracking WPA2
As with the previous step, airmon-ng, airodump-ng, and aireplay-ng were used to capture the 4-way handshake packets containing the WPA2 PSK. The file with captured traffic is called wpa2capture.cap.
We will use aircrack-ng again to crack the key, but this time we will have to use a wordlist. We will use the popular rockyou.txt wordlist, which comes with the standard install of Kali Linux. Run the command below to crack the password (-w specifies the path to our dictionary file). If the access point password is present in the dictionary file then aircrack-ng will extract and display the key.
aircrack-ng -w /usr/share/wordlists/rockyou.txt wifihacking/wpa2capture.cap
Please note that for WPA2, if the password is not present in the dictionary file, aircrack-ng will not be able to crack the password and may display "pass-phrase is not present in the dictionary" or some similar message. Therefore, a good countermeasure against such attacks is to use WPA2 encryption with strong passwords. Additional countermeasures include hiding the name of the wireless network and enabling MAC address filtering.
Also Read: Service Identification | Banner Grabbing