How to crack wifi password using aircrack
Assignment given by The HackerU for the students in Batch 3 of Master in Cyber Security (Red Team) to write a blog on wifi password cracking using aircrack.
Accessing a wireless network
What is a Wi-Fi network? A Wi-Fi (wireless) network connects devices without cables: it uses radio waves to link computers and other devices together.
What you need to access a Wi-Fi network:
- A device that has wireless-network enabled (laptop, smartphone, etc.)
- You will need to be within the transmission radius of a wireless network access point (a WiFi router)
- If the network is password protected, then you’ll need its password to gain access.
Types of Wireless Network Authentication
WEP and WPA are two of the most commonly used authentication techniques in a wireless network. WEP and WPA (along with WPA2) are names for different encryption schemes used to secure your wireless connection. Encryption scrambles the network traffic so that no one can “listen in” to it and see, for example, which web pages you are viewing. WEP stands for Wired Equivalent Privacy, and WPA stands for Wi-Fi Protected Access. WPA2 is the second version of the WPA standard.
Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP, recognizable by its key of 10 or 26 hexadecimal digits (40 or 104 bits), was at one time widely in use and was often the first security choice presented to users by router configuration tools.
WEP authentication works using two methods:
- Open System Authentication (OSA) — OSA helps you gain access to any WEP network as well as receive files that aren’t encrypted
- Shared Key Authentication (SKA) — SKA allows a computer equipped with a wireless modem to gain full access to any WEP network and exchange both encrypted and unencrypted data.
In Open System authentication, the WLAN client does not provide its credentials to the Access Point during authentication. Any client can authenticate with the Access Point and then attempt to associate. In effect, no authentication occurs. Subsequently, WEP keys can be used for encrypting data frames. At this point, the client must have the correct keys.
In Shared Key authentication, the WEP key is used for authentication in a four-step challenge-response handshake:
- The client sends an authentication request to the Access Point.
- The Access Point replies with a clear-text challenge.
- The client encrypts the challenge-text using the configured WEP key and sends it back in another authentication request.
- The Access Point decrypts the response. If this matches the challenge text, the Access Point sends back a positive reply.
After the authentication and association, the pre-shared WEP key is also used for encrypting the data frames using RC4.
At first glance, it might seem as though Shared Key authentication is more secure than Open System authentication since the latter offers no real authentication. However, it is quite the reverse. It is possible to derive the keystream used for the handshake by capturing the challenge frames in Shared Key authentication. Therefore, data can be more easily intercepted and decrypted with Shared Key authentication than with Open System authentication. If privacy is a primary concern, it is more advisable to use Open System authentication for WEP authentication, rather than Shared Key authentication; however, this also means that any WLAN client can connect to the AP. (Both authentication mechanisms are weak; Shared Key WEP is deprecated in favor of WPA/WPA2.)
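The following toy model shows concretely why Shared Key authentication leaks more than Open System authentication: a passive listener who captures the clear-text challenge and the encrypted reply obtains the RC4 keystream for that IV without ever learning the WEP key, and any later frame sent under the same IV decrypts with it. This is an added illustration, not code from the original post or from the aircrack-ng project; the RC4 routine, the key, the IV and the payload are all constructed here, and the frame's CRC-32 ICV is left out because it does not change the point.

```python
import os

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA), the cipher WEP uses. Returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP's per-packet RC4 key is IV || shared key, and the IV travels in clear in the frame.
    (The real frame also appends a CRC-32 ICV; omitted here because it does not change the point.)"""
    return xor(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


def ska_handshake(wep_key: bytes, iv: bytes, challenge: bytes):
    """Steps 2 and 3 of the handshake: the AP sends the clear-text challenge, the client
    returns it encrypted. Returns exactly what a passive listener sees: challenge, IV, response."""
    return challenge, iv, wep_encrypt(wep_key, iv, challenge)


def recover_keystream(challenge: bytes, response: bytes) -> bytes:
    """Listener's step: keystream = plaintext XOR ciphertext, no key required."""
    return xor(challenge, response)


def demo():
    wep_key = bytes.fromhex("0123456789abcdef0123456789")  # constructed 104-bit key; the listener never uses it
    iv = b"\x01\x02\x03"
    challenge = os.urandom(128)  # the 802.11 SKA challenge text is 128 bytes
    seen_challenge, seen_iv, seen_response = ska_handshake(wep_key, iv, challenge)
    ks = recover_keystream(seen_challenge, seen_response)
    # A later data frame sent under the same IV decrypts outright with the leaked keystream.
    data_frame = wep_encrypt(wep_key, seen_iv, b"confidential payload")
    recovered = xor(data_frame, ks)
    return ks == rc4_keystream(iv + wep_key, 128), recovered


if __name__ == "__main__":
    ok, text = demo()
    print("keystream recovered without the key:", ok, "| decrypted frame:", text)
```

The same XOR works for the handshake itself: once the keystream for an IV is known, the 128-byte challenge/response can be matched without the key, which is why the text above says Shared Key WEP is weaker than Open System, not stronger.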
WPA and WPA2
The recommended solution to WEP security problems is to switch to WPA2. WPA was an intermediate solution for hardware that could not support WPA2. Both WPA and WPA2 are much more secure than WEP. WPA was designed as an interim software-implementable solution for WEP that could forestall immediate deployment of new hardware.
Using some encryption is always better than using none, but WEP is the least secure of these standards, and you should not use it if you can avoid it. WPA2 is the most secure of the three. If your wireless card and router support WPA2, that is what you should use when setting up your wireless network.
How to crack wifi password
The objective is to capture the WPA/WPA2 authentication handshake and then use aircrack-ng to crack the pre-shared key.
This can be done either actively or passively. “Actively” means you will accelerate the process by deauthenticating an existing wireless client. “Passively” means you simply wait for a wireless client to authenticate to the WPA/WPA2 network. The advantage of passive is that you don’t actually need injection capability and thus the Windows version of aircrack-ng can be used.
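The “active” variant described above is visible on the air as a burst of deauthentication (or disassociation) management frames, which is the signal a wireless IDS looks for. The detector below parses the 802.11 frame-control field and raises one alert per BSSID when more than a threshold of such frames arrive within a short window. This is an added example, not code from the original post or from the aircrack-ng project; the frame bytes are hand-built below (the client address is constructed, the BSSID is the one used later in the post), and the window and threshold are assumptions to be tuned per environment.

```python
import struct
from collections import defaultdict, deque

MGMT = 0                              # 802.11 frame type 0 = management
DEAUTH, DISASSOC, BEACON = 12, 10, 8  # management subtypes


def parse_80211_header(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3) from a frame's 24-byte MAC header."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0 = frame[0]                    # frame control, first octet: version | type | subtype
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    return ftype, subtype, frame[4:10], frame[10:16], frame[16:22]


def is_deauth_or_disassoc(frame: bytes) -> bool:
    ftype, subtype, *_ = parse_80211_header(frame)
    return ftype == MGMT and subtype in (DEAUTH, DISASSOC)


def deauth_reason(frame: bytes) -> int:
    """Reason code is the 2-byte little-endian body that follows the MAC header."""
    return struct.unpack_from("<H", frame, 24)[0]


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def detect_deauth_flood(frames, window_s=2.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame). Returns a list of alerts,
    one per BSSID, raised the first time more than `threshold` deauth/disassoc frames
    for that BSSID fall inside any `window_s` sliding window."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ts, frame in frames:
        if not is_deauth_or_disassoc(frame):
            continue
        _, _, _, _sa, bssid = parse_80211_header(frame)
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": mac(bssid), "count": len(q), "at": ts,
                           "reason": deauth_reason(frame)})
    return alerts


def build_mgmt(subtype, addr1, addr2, addr3, body=b"", seq=0) -> bytes:
    """Assemble a minimal management frame (no FCS) for the constructed sample capture."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    duration = b"\x00\x00"
    seqctl = struct.pack("<H", seq << 4)
    return fc + duration + addr1 + addr2 + addr3 + seqctl + body


AP = bytes.fromhex("a42b8c0101f7")     # BSSID from the post
BCAST = b"\xff" * 6
STA = bytes.fromhex("020000000001")    # constructed client address


def sample_capture():
    """Constructed capture: five normal beacons, then 30 broadcast deauths within 1.5 s."""
    frames = [(t * 0.1, build_mgmt(BEACON, BCAST, AP, AP, b"\x00" * 12, seq=t)) for t in range(5)]
    frames += [(1.0 + i * 0.05, build_mgmt(DEAUTH, BCAST, AP, AP, struct.pack("<H", 7), seq=100 + i))
               for i in range(30)]
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_capture()):
        print(alert)
```

A single deauth is normal (clients roam, APs reboot); the rate, the broadcast destination and the repetition of one reason code are what distinguish a flood, so the threshold should be set from a baseline of the environment rather than from this sample.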
Here are the basic steps we will go through. We will use passive mode and wait for a wireless client to authenticate to the WPA/WPA2 network:
1. Start the wireless interface in monitor mode on the specific AP channel
2. Start airodump-ng on AP channel with filter for bssid to collect authentication handshake
3. Run aircrack-ng to crack the pre-shared key using the authentication handshake
Connect the Wi-Fi adapter to Kali and check the connection
Check the connection using the command below. Here we can see that one Wi-Fi adapter is attached as wlan0.
Step 1 — Start the wireless interface in monitor mode. Enable monitor mode on the Wi-Fi interface using the command below:
airmon-ng start wlan0
You can use the command airmon-ng stop wlan0mon to stop monitor mode.
We can see from the above that monitor mode is enabled on “wlan0”. You can also check the mode of the interface with the command below.
We can see that the interface is in monitor mode (“wlan0mon”: the mon suffix indicates monitor mode).
The Interface has changed from “wlan0” to “wlan0mon”.
We can also use the command iwconfig to check the wifi mode.
Step 2 — Start airodump-ng on the AP channel with a BSSID filter to collect the authentication handshake. Now we are ready to scan for the other Wi-Fi networks in range. We can use the command below to list them.
We can see from the above the number of Wi-Fi networks in range. We will try attacking the network Amin_2.4_Ext. We note down its BSSID and channel, which will be required for the next steps.
Start airodump-ng to collect authentication handshake
The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.
airodump-ng wlan0mon --bssid A4:2B:8C:01:01:F7 -c 8 --write wpa_crack
· --bssid A4:2B:8C:01:01:F7 is the access point MAC address.
· -c 8 is the channel of the wireless network.
· --write wpa_crack is the prefix of the capture file that will contain the captured frames.
· wlan0mon is the monitor-mode interface name.
From the above we can see that no client is connected to the Wi-Fi. As soon as a device connects, the EAPOL frames will be captured in the wpa_crack capture file.
In the screen above, notice the “WPA handshake: A4:2B:8C:01:01:F7” in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake and the packets are captured in “wpa_crack-12.cap” file.
We can now open Wireshark, load the capture and filter on eapol to check the handshake traffic that was captured.
Step 3 — Run aircrack-ng to crack the pre-shared key using the authentication handshake
We will run a dictionary attack against the captured handshake using the rockyou.txt wordlist, with the command below.
aircrack-ng wpa_crack-12.cap -w /usr/share/wordlists/rockyou.txt
Note: the password will be found only if the passphrase is present in the dictionary. You can use a rainbow-table wordlist or other wordlists available on the net to match the password. You can also create your own wordlist using Crunch, CeWL, etc.
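The reason the note above holds is the key derivation: WPA/WPA2-Personal turns the passphrase into the PMK with PBKDF2-HMAC-SHA1, salted with the SSID and iterated 4096 times, so every candidate costs a full PBKDF2 and the only passphrases reached are the ones in the list. The code below derives the PMK and checks, from the network owner's side, whether a chosen passphrase falls within a wordlist's reach. This is an added example, not code from the original post or from the aircrack-ng project; the six-entry wordlist is a constructed stand-in for rockyou.txt, the SSID is the one named in the post, and the first assertion in the usage uses the IEEE 802.11i Annex test vector (SSID “IEEE”, passphrase “password”).

```python
import hashlib


def wpa_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA/WPA2-Personal PSK (= PMK) per IEEE 802.11i: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


# Constructed stand-in for a few rockyou.txt-style entries (not the real file).
SAMPLE_WORDLIST = ["123456", "password", "iloveyou", "princess", "password123", "qwertyuiop"]


def wordlist_pmks(ssid: str, wordlist) -> dict:
    """One PBKDF2 per candidate, bound to this SSID: a list precomputed for another SSID is
    useless here, which is why a non-default, unusual SSID adds real cost to a dictionary run.
    Entries outside the 8..63 character range can never be WPA passphrases and are skipped."""
    return {w: wpa_pmk(ssid, w) for w in wordlist if 8 <= len(w) <= 63}


def assess_passphrase(ssid: str, passphrase: str, wordlist) -> dict:
    """Owner-side check: would a dictionary run over `wordlist` reach this passphrase?"""
    candidates = wordlist_pmks(ssid, wordlist)
    target = wpa_pmk(ssid, passphrase)
    hit = next((w for w, pmk in candidates.items() if pmk == target), None)
    return {"in_wordlist": hit is not None, "matched": hit,
            "length": len(passphrase), "candidates_tested": len(candidates)}


if __name__ == "__main__":
    print(wpa_pmk("IEEE", "password").hex())
    print(assess_passphrase("Amin_2.4_Ext", "password", SAMPLE_WORDLIST))
    print(assess_passphrase("Amin_2.4_Ext", "correct-horse-battery-staple", SAMPLE_WORDLIST))
```

A long passphrase that is not a dictionary phrase, together with WPA2 (or WPA3) and an SSID that is not a vendor default, is what keeps the capture from the previous step from turning into a recovered key.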