IMPORTANT NOTE: I am posting this to share what I know and how I did it. I did the following steps on a test environment that I created. Do not go around and try these steps against WiFi networks that you don't personally own. Even against your employer's network, you will need written permission from the network owner before you can perform these hacking steps against WiFi that you don't own. Please don't try this against your neighbor's WiFi or on public networks such as Starbucks or hotel networks.
One of the first things to consider before learning to use a tool is whether you have the hardware needed to perform its functions; for this tutorial, the tool is Aircrack-ng.
Below are the tools I used to complete this tutorial:
1. WiFi Network Adapter
A WiFi network adapter that can be switched into monitor mode is the main piece of hardware needed to use Aircrack-ng. Laptops come with a built-in wireless network card, but these cards do not offer the option to switch to monitor mode. There are many cheap WiFi network adapters for sale; I chose the Alfa AWUS036NH because it has been highly recommended by users who have done some sort of wireless sniffing and cracking.
(a)
2. Wireless Router
Our goal in this tutorial is to gain access to the network by cracking the password used to authenticate to the SSID broadcast by the wireless router. I used my four-year-old Netgear N750 Gigabit Router as the target router.
(b)
3. Laptops
A laptop that has Kali Linux installed to run Aircrack-ng and another that connects to the target wireless router.
Aircrack-ng
Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security:
· Monitoring: Packet capture and export of data to text files for further processing by third party tools.
· Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
· Testing: Checking WiFi cards and driver capabilities (capture and injection).
· Cracking: WEP and WPA PSK (WPA 1 and 2).
All tools are command line, which allows for heavy scripting; a lot of GUIs have taken advantage of this feature. It works primarily on Linux but also on Windows, OS X, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2. (Aircrack-ng)
Tutorial (Step-by-step)
This tutorial is divided into two parts: the first uses Aircrack-ng to crack the pre-shared key of a WEP-configured wireless network, and the second does the same for a WPA/WPA2-configured wireless network.
A. WEP-Enabled WiFi:
1. Connect the WiFi network adapter to the laptop that is running Kali Linux.
2. Once the WiFi network adapter is plugged in, open up a terminal on Kali and type “iwconfig” without the quotation marks to check if Kali recognizes the WiFi network adapter.
The image above shows us the wireless interface is wlan0.
3. Before we can start sniffing and cracking the wireless network’s password, the wireless network interface needs to be set in “monitor” mode. This can be done by executing the command “airmon-ng start wlan0” without the quotes.
(1) This is to declare what you want to do with the interface, in this instance we want it to start being in monitor mode.
(2) The wireless interface that we want to be in monitor mode
(3) Confirms that it is in monitor mode
(4) It tells us the new name of the interface now that it is in monitor mode, in this instance it is wlan0mon
4. If you need to turn off the wireless interface’s monitor state, enter the command “airmon-ng stop wlan0mon” without the quotes.
(1) What mode do you want the interface to be in
(2) The name of the interface that is currently in monitor mode
(3) Tells us the status of the interface after executing the command
5. Next, enter the command “airodump-ng wlan0mon” to start seeing all the wireless networks around us that are broadcasting.
6. Once the command on step 5 is executed, you will be presented with a list of available wireless networks broadcasting around you, like the image below:
(1) Current channel it is scanning
(2) The BSSID column is the MAC address of the broadcasting wireless router
(3) The channel of the respective broadcast
(4) Encryption used
(5) ESSID is the network name or commonly known as SSID
(6) This is the name of the network whose password we are trying to crack
7. Once we have identified the network that we want to attack, copy its BSSID and run the command “airodump-ng -c 9 --bssid (paste BSSID of the target network here) -w NETGEAR11 wlan0mon”. This command restricts monitoring to the specified network on its channel, so we are not flooded with activity from other networks, and the -w option writes the captured frames to a file with the given prefix.
(1) -c represents channel
(2) This is the channel of the target network
(3) The BSSID or MAC address of the target router
(4) The interface in monitor mode
8. You will see the screen below, showing only the target network being monitored. If you look at the “Frames” column, that number keeps rising as clients connect to the target router.
(1) The MAC address of the target router
(2) The MAC address of the client connected to the target router
(3) Data gathered from monitoring the interaction between the client and router
9. Now that we have collected data, or, to use the proper term, IVs: an Initialization Vector is a random number used in combination with a secret key as a means to encrypt data. This number is sometimes referred to as a nonce or “number occurring once,” as an encryption program uses it only once per session. (“What is an Initialization Vector? – Definition from Techopedia”)
We are now ready to use aireplay-ng, which injects frames or generates traffic for Aircrack-ng to use when cracking WEP and WPA/WPA2 keys. Enter the command “aireplay-ng -3 -b (paste the target router’s MAC address here) wlan0mon”.
(1) This number tells aireplay-ng which type of attack to perform; -3 is the ARP request replay attack.
(2) -b means BSSID
(3) The MAC address of the target router
(4) The interface that is currently in monitor mode
10. The last step is to run Aircrack-ng on the collected IVs to recover the password used to authenticate to the target network: run the command “aircrack-ng NETGEAR11.cap”, where NETGEAR11.cap is the capture file in which airodump-ng stored the IVs. Aircrack-ng goes through the collected IVs and presents the key when it is found, as shown below:
The image below shows the WEP key as found on the router’s administration page:
(1) Shows that WEP was used in this network
(2) Key that was set up to authenticate to the wireless network
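Why WEP falls to IV collection in the first place: the IV is only 24 bits long and is sent in the clear in every frame, so IVs are bound to repeat after a modest number of frames, and repeated IVs under the same key are what aircrack-ng works from. As an added illustration (my own example, not part of the original tutorial or of Aircrack-ng), the script below computes the birthday-bound probability of an IV repeat after n frames and checks it against a seeded simulation. The frame counts and the seed are constructed values, not measurements from any network.

```python
import random
from math import exp, pi, sqrt

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # WEP's IV is only 24 bits: 16,777,216 possible values


def iv_reuse_probability(frames: int, space: int = IV_SPACE) -> float:
    """Probability that at least one IV repeats after `frames` frames, assuming
    each frame picks its IV uniformly at random (the birthday bound).
    P(no repeat) ~ exp(-n(n-1) / 2N), which is tight while n is far below N."""
    if frames < 2:
        return 0.0
    return 1.0 - exp(-frames * (frames - 1) / (2.0 * space))


def expected_frames_until_reuse(space: int = IV_SPACE) -> float:
    """Expected number of frames before the first repeated IV, ~ sqrt(pi * N / 2)."""
    return sqrt(pi * space / 2.0)


def simulate_frames_until_reuse(rng: random.Random, space: int = IV_SPACE) -> int:
    """Draw random IVs until one repeats and return how many frames that took."""
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.randrange(space)
        if iv in seen:
            return count
        seen.add(iv)


def mean_simulated_frames(trials: int, seed: int = 0, space: int = IV_SPACE) -> float:
    """Average of several simulated runs; the seed (constructed) makes it reproducible."""
    rng = random.Random(seed)
    return sum(simulate_frames_until_reuse(rng, space) for _ in range(trials)) / trials


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,} values")
    for n in (1000, 5000, 10000, 50000):
        print(f"after {n:>6} frames: P(at least one reused IV) = {iv_reuse_probability(n):.3f}")
    print(f"expected frames before first reuse: {expected_frames_until_reuse():.0f}")
    print(f"simulated mean over 20 trials:      {mean_simulated_frames(20):.0f}")
```

The formula is the reason the “Frames” counter in step 8 matters: a busy network hands the attacker repeated IVs on its own, and the ARP replay in step 9 only speeds the count up. Real WEP cards that incremented the IV sequentially were no better, since the 24-bit counter wraps after the same 16.7 million frames. No key length fixes this; the mitigation is to retire WEP for WPA2 or WPA3.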
B. WPA/WPA2-Enabled WiFi
The steps to crack a WPA/WPA2 network are very similar to those for a WEP-enabled WiFi network. Follow steps 1 through 8 of the WEP-Enabled WiFi section, then replace the command in step 9 with “aireplay-ng -0 20 -a (paste the target router’s MAC address here) -c (paste the MAC address of the client connected to the router here) wlan0mon”. This command sends deauthentication requests so the client disconnects from the target router; when the client starts the authentication handshake with the router again, we can capture the handshake and crack the password from it.
(1) -0 means we want a deauthentication attack performed
(2) 20 is the number of deauthentication packets to transmit
(3) -a is the wireless router’s MAC address
(4) The client’s MAC address
(5) -c means we are referring to the client that is connected to the router
(6) The wireless interface in monitor mode
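From the defender's side, the deauthentication step above is also the noisiest part of the attack: a burst of deauth frames aimed at one client is easy to spot in a monitor-mode capture, and a wireless IDS does exactly this counting. The script below is an added example (my own code, not from the tutorial or from Aircrack-ng) that parses raw 802.11 management frames and flags any BSSID/client pair that receives a flood of deauthentication or disassociation frames inside a sliding window. The sample capture, its MAC addresses, timestamps and the threshold are constructed placeholders.

```python
import struct
from collections import defaultdict

# 802.11 frame control byte 0: bits 2-3 hold the frame type, bits 4-7 the subtype
TYPE_MGMT = 0
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame: bytes) -> dict:
    """Parse the 24-byte 802.11 MAC header, plus the reason code that follows it
    in a deauthentication or disassociation frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc = frame[0]
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "addr1": mac_str(frame[4:10]),   # receiver: the station being kicked off
        "addr2": mac_str(frame[10:16]),  # transmitter as claimed in the frame
        "addr3": mac_str(frame[16:22]),  # BSSID
    }
    if info["type"] == TYPE_MGMT and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        if len(frame) < 26:
            raise ValueError("deauth/disassoc frame without a reason code")
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_flood(capture, window: float = 5.0, threshold: int = 10):
    """capture: iterable of (timestamp_seconds, raw_frame). Returns a list of
    (bssid, target, peak_count) for each BSSID/target pair that saw at least
    `threshold` deauth/disassoc frames within any `window` seconds."""
    recent = defaultdict(list)
    peaks = {}
    for ts, raw in capture:
        info = parse_80211(raw)
        if info["type"] != TYPE_MGMT or info["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        key = (info["addr3"], info["addr1"])
        times = recent[key]
        times.append(ts)
        while times and ts - times[0] > window:  # slide the window forward
            times.pop(0)
        if len(times) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(times))
    return [(bssid, target, n) for (bssid, target), n in peaks.items()]


# --- constructed sample capture: placeholder MACs, not from any real network ---
def build_mgmt_frame(subtype: int, addr1: bytes, addr2: bytes, addr3: bytes, body: bytes = b"") -> bytes:
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    duration, seq_ctrl = b"\x00\x00", b"\x00\x00"
    return fc + duration + addr1 + addr2 + addr3 + seq_ctrl + body


AP = bytes.fromhex("02aabbccddee")       # locally administered placeholder BSSID
CLIENT = bytes.fromhex("021122334455")   # placeholder client address
REASON_CLASS3 = struct.pack("<H", 7)     # "class 3 frame received from nonassociated STA"

SAMPLE_CAPTURE = (
    # three ordinary beacons from the AP
    [(0.1 * i, build_mgmt_frame(SUBTYPE_BEACON, b"\xff" * 6, AP, AP)) for i in range(3)]
    # a burst of 20 deauths "from" the AP to the client, 50 ms apart
    + [(1.0 + 0.05 * i, build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, REASON_CLASS3)) for i in range(20)]
    # one isolated deauth much later, as a normal disconnect would look
    + [(30.0, build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 3)))]
)


def run_sample():
    return detect_deauth_flood(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for bssid, target, n in run_sample():
        print(f"ALERT: {n} deauth/disassoc frames to {target} on BSSID {bssid} within 5 s")
```

The single deauth at 30 s is why the trigger is a count over a window rather than any one frame. Note that the injected frames carry the access point's own address as transmitter, so addr2 cannot distinguish a spoofed deauth from a genuine one; the fix on the protocol side is 802.11w Protected Management Frames (mandatory in WPA3), which lets a client reject deauth frames it cannot authenticate.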
Then we run the command “aircrack-ng -a2 -b (paste the target router’s MAC address here) -w (wordlist file here) (location of the .cap file containing the captured handshake here)”, where -a2 selects WPA-PSK cracking and -b gives the target BSSID. This command tries every passphrase stored in the wordlist file against the WPA/WPA2 handshake captured when the deauthenticated client re-authenticated to the router:
Below is the key to authenticate to the network as found on the router’s administration page:
(1) The name of the wireless network or ESSID
(2) The security used to authenticate to the network
(3) Key setup to authenticate
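What the wordlist step really exercises is the passphrase-to-key derivation that WPA/WPA2-PSK standardises: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes). Every candidate costs the same fixed amount of work, so the only thing between a captured handshake and the key is how many guesses the passphrase forces. As an added example (my own code, not from the tutorial or from Aircrack-ng), the script below derives a PMK the standard way, checks it against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), times the derivation on the machine it runs on, and turns that rate into how long a wordlist of a given size, or a random passphrase of a given length, would take to exhaust. The SSID "testnet" and the candidate strings are constructed.

```python
import hashlib
import math
import time

PBKDF2_ITERATIONS = 4096   # fixed by the WPA/WPA2-PSK standard
PMK_LEN = 32               # 256-bit Pairwise Master Key


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK exactly as a WPA/WPA2-PSK station does:
    PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes out."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def measure_pmk_rate(ssid: str = "testnet", samples: int = 20) -> float:
    """Candidates per second this CPU can derive on one core (constructed inputs)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate-{i}", ssid)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(candidates: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` derivations per second."""
    return candidates / rate


def passphrase_keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct random passphrases of `length` symbols from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    rate = measure_pmk_rate()
    print(f"this CPU derives about {rate:,.0f} PMKs per second on one core")
    for name, count in (("10,000-word list", 10_000), ("14-million-word list", 14_000_000)):
        print(f"  {name}: {seconds_to_exhaust(count, rate):,.0f} s to exhaust")
    for alpha, length in ((10, 8), (26, 8), (62, 12), (62, 20)):
        n = passphrase_keyspace(alpha, length)
        years = seconds_to_exhaust(n, rate) / 3.15e7
        print(f"  random {length} chars from {alpha} symbols: {entropy_bits(alpha, length):.0f} bits, "
              f"{years:,.0f} years at this rate")
```

The script deliberately stops at the PMK; turning a candidate into a pass/fail check against a handshake additionally needs the PTK derivation and MIC comparison that aircrack-ng performs. The numbers are the point: a list of a few million words is hours of single-core work (and far less on a GPU), while a random passphrase of a dozen or more characters is out of reach at any realistic rate. Passphrase entropy, or moving to WPA3's SAE handshake which does not expose an offline-guessable value, is the mitigation this section of the tutorial points at.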