Hacking Wi-Fi with Aircrack-ng

Aircrack-ng is a Wi-Fi security auditing suite for 802.11 networks, specifically those protected with WEP and WPA/WPA2-PSK. It is also used to crack WEP and WPA/WPA2-PSK keys in order to gain access to a network. Learners and security professionals use Aircrack-ng to test the security and reliability of wireless networks.

It can be installed by using the following command on the terminal:

sudo apt-get install aircrack-ng

The attacks range from disconnecting Wi-Fi clients to capturing handshakes to cracking passwords. They are to be performed only with the owner's consent, or on networks that you own yourself.

The first thing we need in order to attack or audit a network is a Wi-Fi adapter that supports monitor mode and packet injection. An external adapter is usually required because the adapter built into most PCs does not support monitor mode or packet injection. Monitor mode lets the adapter see all traffic on the wireless channel, so packets can be captured without connecting to an access point.


Cracking WEP

WEP (Wired Equivalent Privacy) is a Wi-Fi security protocol whose intention was to provide data confidentiality comparable to that of a traditional wired network. The flaw we target is the Initialisation Vector (IV), which is only 24 bits long. For encryption, WEP uses a 64-bit or 128-bit number made up of the 24-bit IV and a 40-bit or 104-bit default key. Such short keys reduce the encryption strength because they are easy to break, and WEP uses the RC4 algorithm, which is deprecated. WEP also creates a pattern that attackers can detect.

  • Each packet is encrypted using a unique key stream.
  • Random initialization vector (IV) is used to generate the keys streams.
  • The initialization vector is only 24 bits long.
  • IV + Key (password) = Key stream.

The catch is that IVs repeat on a busy network, and this is the weakness we use: repeated IVs can be used to recover the keystream and ultimately break the encryption.

We first need to capture a large number of packets so that we collect enough IVs, and store them in a file. If the network is not busy, capturing enough IVs will take some time. We then analyse the captured IVs to crack the key.
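The following added example (not from the original post; the frames and the toy keystream are constructed, not real WEP or RC4) puts numbers on the two claims above: how quickly a 24-bit IV space produces a repeat on a busy network, and why a repeated IV matters, since two frames encrypted under the same IV share a keystream that cancels out when the ciphertexts are XORed. The IV-repeat scan is the same check a defender can run over a WEP capture to see whether the network is already leaking.

```python
import hashlib
import math
from collections import defaultdict

IV_BITS = 24  # WEP prepends a 24-bit IV to the shared key for every frame


def iv_repeat_probability(frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday-bound probability that at least one IV repeats among `frames`
    frames whose IVs are chosen uniformly at random (exponential approximation)."""
    space = 1 << iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def expected_frames_until_repeat(iv_bits: int = IV_BITS) -> int:
    """Expected frames before the first IV collision, about sqrt(pi/2 * 2^bits)."""
    return round(math.sqrt(math.pi / 2 * (1 << iv_bits)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def find_repeated_ivs(frames):
    """Audit a capture: map every IV seen more than once to its ciphertexts.
    `frames` is an iterable of (iv, ciphertext) pairs."""
    by_iv = defaultdict(list)
    for iv, ciphertext in frames:
        by_iv[iv].append(ciphertext)
    return {iv: cts for iv, cts in by_iv.items() if len(cts) > 1}


def _toy_keystream(iv: int, length: int) -> bytes:
    # Stand-in for RC4(IV || key): deterministic per IV, NOT real WEP.
    return hashlib.sha256(iv.to_bytes(3, "big") + b"toy-shared-key").digest()[:length]


# Constructed capture (not real traffic): IV 0x0A0B0C is reused for two frames.
P1, P2 = b"GET /login ", b"user=admin;"
CAPTURE = [
    (0x0A0B0C, xor_bytes(P1, _toy_keystream(0x0A0B0C, len(P1)))),
    (0x112233, xor_bytes(b"unrelated ", _toy_keystream(0x112233, 10))),
    (0x0A0B0C, xor_bytes(P2, _toy_keystream(0x0A0B0C, len(P2)))),
]


def keystream_cancels(capture) -> bool:
    """Why a repeated IV matters: two frames under one keystream XOR to P1 ^ P2;
    the keystream drops out, so the pair leaks information about both plaintexts."""
    c1, c2 = find_repeated_ivs(capture)[0x0A0B0C]
    return xor_bytes(c1, c2) == xor_bytes(P1, P2)
```

With 2^24 possible IVs a repeat is expected after roughly 5,000 frames, and after 20,000 frames a collision is practically certain, which is why a busy network needs no patience at all.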

To have aircrack-ng conduct a WEP key attack on a capture file, pass it the filename, either in .ivs or .cap/.pcap format.

aircrack-ng filename.pcap

Cracking WPA/WPA2

WPA2-PSK (Wi-Fi Protected Access 2 with Pre-Shared Key) secures a network using pre-shared key authentication. This mechanism is generally designed for a home environment rather than an enterprise network. The network is protected by a plaintext passphrase of 8 to 63 characters. The passphrase, together with the network SSID, is used to generate unique encryption keys for each client. These keys change constantly, so it is nearly impossible for a key to repeat and be captured. Breaking into a network that uses WPA/WPA2 is difficult because of the complex algorithm it uses.
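As an added illustration of how the passphrase and SSID combine (example code, not part of the original post), the derivation below is the standard WPA/WPA2-PSK Pairwise Master Key computation from IEEE 802.11i: PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations. The per-client session keys are derived later from this PMK and the handshake nonces, which is why a candidate passphrase can only be tested against a captured handshake rather than looked up.

```python
import hashlib

WPA_PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i
PMK_LEN = 32                  # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK Pairwise Master Key.

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits).
    Each candidate costs 4096 HMAC rounds, which bounds how many guesses per
    second a dictionary run can test. The SSID is the salt, so one passphrase
    gives a different PMK on every differently named network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), WPA_PBKDF2_ITERATIONS, PMK_LEN)


def pmk_hex(passphrase: str, ssid: str) -> str:
    return derive_pmk(passphrase, ssid).hex()


def ssid_changes_pmk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the two SSIDs yield different PMKs for one passphrase, i.e. a
    PMK precomputed for one network name is useless against another."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(pmk_hex("password", "IEEE"))
```

The IEEE test vector (passphrase "password", SSID "IEEE") derives to f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e, which is a quick way to confirm an implementation before trusting it.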


There are two popular methods used to crack WPA/WPA2:

WPS method

WPS (Wi-Fi Protected Setup) is a feature that can be used with WPA and WPA2. It allows clients to join the network without entering the passphrase; authentication is done with an 8-digit PIN instead. The vulnerability exists in routers that ship with this feature enabled by default, and many routers have a dedicated WPS button. The feature can be neutralised by disabling WPS on the router's configuration page, but unfortunately most people never bother to do so.


Generally, WPS forces devices to use an 8-digit numerical PIN that bypasses the passphrase. Because an 8-digit PIN has comparatively few combinations, all of them can be tried in a short time. The PIN is checked as two 4-digit halves, and the connecting device is informed whether each four-digit half is correct on its own.

Wordlist method

Unlike WEP, WPA/WPA2 data packets contain nothing useful to us. The only packets of interest are the handshake packets: the four frames exchanged between the client and the access point when the client connects to the network. The handshake does not contain any data that directly yields the key; rather, it lets us verify whether a candidate key is valid.

We run the following command to intercept the handshake packets.

airodump-ng --bssid B6:14:6C:7E:40:9D --channel 1 --write wpa_handshake mon0

This command writes the captured traffic, including the handshake, to the wpa_handshake capture file.

To obtain a handshake we need to disconnect the client so that when the connection is re-established we can intercept it.

aireplay-ng -0 1 -a B6:14:6C:7E:40:9D -c 00:0F:B5:AE:CE:9D mon0
  • -0 selects the deauthentication attack, and 1 means we send 1 deauthentication packet
  • -a B6:14:6C:7E:40:9D is the MAC address of the access point
  • -c 00:0F:B5:AE:CE:9D is the MAC address of the client to deauthenticate
  • mon0 is the name of the monitor-mode interface
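Defenders see the other side of this step: a burst of deauthentication frames that appear to come from the access point, followed by a fresh handshake to the same client, is a classic wireless IDS signal. The added example below (not from the original post) runs that detection over a constructed monitor-mode log; the record format is invented for the example, and the MAC addresses are the AP and client used in the aireplay-ng command above.

```python
from collections import defaultdict, deque

# Constructed monitor-mode log (not a real capture). Columns: seconds,
# management frame subtype, source MAC, destination MAC.
SAMPLE_LOG = """\
0.00 beacon   b6:14:6c:7e:40:9d ff:ff:ff:ff:ff:ff
0.10 deauth   b6:14:6c:7e:40:9d 00:0f:b5:ae:ce:9d
0.12 deauth   b6:14:6c:7e:40:9d 00:0f:b5:ae:ce:9d
0.14 deauth   b6:14:6c:7e:40:9d 00:0f:b5:ae:ce:9d
0.16 deauth   b6:14:6c:7e:40:9d 00:0f:b5:ae:ce:9d
0.18 deauth   b6:14:6c:7e:40:9d 00:0f:b5:ae:ce:9d
0.20 deauth   b6:14:6c:7e:40:9d 00:0f:b5:ae:ce:9d
0.90 assocreq 00:0f:b5:ae:ce:9d b6:14:6c:7e:40:9d
0.95 eapol    b6:14:6c:7e:40:9d 00:0f:b5:ae:ce:9d
9.00 deauth   aa:bb:cc:dd:ee:ff 11:22:33:44:55:66
"""


def parse_log(text):
    """Parse the constructed log into (ts, subtype, src, dst) tuples."""
    frames = []
    for line in text.strip().splitlines():
        ts, subtype, src, dst = line.split()
        frames.append((float(ts), subtype, src.lower(), dst.lower()))
    return frames


def detect_deauth_bursts(frames, window=1.0, threshold=5):
    """Flag a source that emits `threshold` deauth/disassoc frames within
    `window` seconds. A real AP rarely does this; an injected deauth storm
    spoofing the AP's address does. Returns (burst_start, src, dst) per alert."""
    recent = defaultdict(deque)
    alerts = []
    for ts, subtype, src, dst in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # slide the window forward
            q.popleft()
        if len(q) == threshold:        # fire once, as the count crosses the threshold
            alerts.append((q[0], src, dst))
    return alerts


def handshake_follows_burst(frames, alerts, within=5.0):
    """Stronger indicator: a new 4-way handshake (EAPOL) between the spoofed AP
    and the deauthenticated client shortly after the burst, i.e. a forced reconnect."""
    return [a for a in alerts
            if any(sub == "eapol" and src == a[1] and dst == a[2]
                   and a[0] <= ts <= a[0] + within
                   for ts, sub, src, dst in frames)]
```

On the sample log the burst from the AP's address fires one alert at 0.10 s, and the EAPOL frame at 0.95 s confirms that the client was forced through a new handshake; the lone deauth at 9.00 s from another source stays below the threshold.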

Finally, we use the handshake to verify candidate keys. We create a wordlist, or download a popular one from the internet such as rockyou.txt. This method is known as a dictionary (brute-force) attack: if the wordlist contains the password, aircrack-ng outputs it.

aircrack-ng -w rockyou.txt wpa_handshake.cap
