January 20, 2016

Wifi Air Assault with the Aircrack-ng Suite

airodump-ng on big screen

Grant using airodump-ng on the big screen.

While conducting an Air Assault on a wireless network, my weapon of choice is the Aircrack-ng suite.  The suite contains around 18 tools depending on the version, but I will only mention a few here (Airmon-ng, Airodump-ng, Aireplay-ng, and most famously Aircrack-ng).  I used a separate application named Crunch to create a brute-force dictionary.

Airmon-ng (Enable Monitor Mode)

Before you can crack anything, you must listen to who is talking across the air, and before that your adapter must be switched into monitor mode.

  1. You will more than likely need to buy a USB wifi adapter capable of using monitor mode.  Only certain chipsets work.  I have a few with an Atheros chipsets, for this demo I used one by a company named ALFA with the model number of AWUS036NH.
  2. Type airmon-ng, to see which wifi interfaces are available to use.
  3. Type airmon-ng start wlan1.  Pending of course that wlan1 is the correct interface.  Yours might be wlan0, wlan2, etc.
  4. You may have to use airmon-ng check kill, to stop other things from using it.  Then try airmon-ng start wlan1 again.
  5. If this works then running airmon-ng again will show that wlan1 is now wlan1mon (because it’s monitoring).

Airodump-ng (Target Sniffing)

  1. Type airodump-ng wlan1mon, to monitor the air traffic.
  2. If everything is working correctly, you will see the screen split into two sections (look at the selfie above).  The TOP section will have these fields:
    • BSSID = MAC address of the access point. In the Client section, a BSSID of “(not associated)” means that the client is not associated with any AP. In this unassociated state, it is searching for an AP to connect with.
    • PWR = Signal level reported by the card. Its signification depends on the driver, but as the signal gets higher you get closer to the AP or the station. If the BSSID PWR is -1, then the driver doesn’t support signal level reporting. If the PWR is -1 for a limited number of stations then this is for a packet which came from the AP to the client but the client transmissions are out of range for your card. Meaning you are hearing only 1/2 of the communication. If all clients have PWR as -1 then the driver doesn’t support signal level reporting.
    • Beacons = Number of announcements packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far.
    • #Data = Number of captured data packets (if WEP, unique IV count), including data broadcast packets.
    • #/s = Number of data packets per second measure over the last 10 seconds.
    • CH = Channel number (taken from beacon packets).
      Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference.
    • MB = Maximum speed supported by the AP. If MB = 11, it’s 802.11b, if MB = 22 it’s 802.11b+ and higher rates are 802.11g. The dot (after 54 above) indicates short preamble is supported. Displays “e” following the MB speed value if the network has QoS enabled.
    • ENC = Encryption algorithm in use. OPN = no encryption,“WEP?” = WEP or higher (not enough data to choose between WEP and WPA/WPA2), WEP (without the question mark) indicates static or dynamic WEP, and WPA or WPA2 if TKIP or CCMP is present.
    • CIPHER = The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is typically used with WPA and CCMP is typically used with WPA2. WEP40 is displayed when the key index is greater then 0. The standard states that the index can be 0-3 for 40bit and should be 0 for 104 bit.
    • AUTH = The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).
    • ESSID = Shows the wireless network name. The so-called “SSID”, which can be empty if SSID hiding is activated. In this case, airodump-ng will try to recover the SSID from probe responses and association requests. See this section for more information concerning hidden ESSIDs.
  3. The BOTTOM section will have these fields:
    • BSSID (same as above).
    • STATION = MAC address of each associated station or stations searching for an AP to connect with. Clients not currently associated with an AP have a BSSID of “(not associated)”.
    • PWR (same as above).
    • Rate = This gets a little tricky  because there is two numbers here.  They are the transmit rate in Mbps.  Notice that it looks like 0e- 1e, 0 - 1, or 36 - 24, etc. with a left side dash right side.  Look at the first two column which are BSSID (on the left) and STATION (just to the right of it).  Those correspond to the rate of each, so BSSID is xmitting 36Mbps – STATION is xmitting 24Mbs.
    • Lost = The number of data packets lost over the last 10 seconds based on the sequence number. See note below for a more detailed explanation.
    • Frames =
    • Probe = The ESSIDs probed by the client. These are the networks the client is trying to connect to if it is not currently connected.
  4. Once you pick a target, note the Channel and the BSSID values.  You will need them to feed the next steps.
  5. Pay attention here because skipping this step will cost you time and effort.  Hit Ctrl-C to stop the airodump-ng wlan1mon command’s execution.  I know it looks cool, but the leaving this up causes the wifi channel to cycle through the available channels and make you miss many packets that you are listening for.  Imagine trying to watching game 7 of the Stanley Cup Final in overtime, only to have your 2 year old playing with the remote and flipping though the channels.   Sorry for the hockey reference, but I’m a hockey player.
  6. Leave the first terminal session intact and fire up a second terminal session.
  7. From the  second terminal session, type airodump-ng -w NETGEAR53 -c 6 --bssid 90:00:00:00:D3:26 wlan1mon
    • -w is the switch that gives a name to the capture file.  NETGEAR53 is the name of the file that I wanted to use which coincidently is also the ESSID.
    • -c is the switch that identifies the channel to listen on.  Channel 6 in this example.
    • --bssid tells airodump-ng which BSSID to capture traffic for.  We are targeting the router who is 90:00:00:00:D3:26.
    • wlan1mon is the interface in which to capture traffic on.
  8. Now leave this second terminal session running for a few minutes until you see one or many BSSID and STATIONS conversations happening.
  9. You will need to pick one.  For the example, I am going with a BSSID (e.g. 90:00:00:00:D3:26) to STATION (A4:00:00:00:F4:DE) conversations for the next step.  For best results take the one that has the highest Frames count.  Copy both addresses and move on to the aireplay-ng step.

Aireplay-ng (Make a WPA Handshake Happen)

If you’ve done everything correct up to this point then you are currently capturing some interesting traffic, but without a WPA Handshake, you are wasting your time. Let’s force one to happen by kicking a STATION off of the BSSID (Access Point) and making them do the handshake again while we are listening.

  1. Now for the sake of simplicity open up a third terminal session.
  2. I’ve had success with using the Deauthentication option of aireplay-ng.  Here you will need to recall the BSSID and STATION MAC addresses from the previous airodump-ng session.
  3. Type aireplay-ng -0 2 -a 90:00:00:00:D3:26 -c A4:00:00:00:F4:DE wlan1mon
    • -0 refers to the type of attack mode.  Deauthenticate is what I chose for the example but there are other options.
    • 2 refers to the count of deauth attempts to make.
    • -a 90:00:00:00:D3:26 is the MAC address of the Access Point (BSSID).
    • -c A4:00:00:00:F4:DE is the MAC address of the Client (STATION).
    • wlan1mon is the wifi adapter that is in monitor mode, to which I’m using to capture traffic with.
  4. Hit return and you should see something like:Aireplay-ng
  5. ACKs greater than 0 are good, such as the 60 and 63 above.
  6. Now flip back to the second terminal session and look the top line if you see the last part of that line say [ WPA handshake: followed by the MAC address of the BSSID, then you can move onto the next steps (Crunching and Cracking).

WpaHandshake

Crunch (Building a Brute Force Dictionary)

Before you can attempt to crack anything stronger than WEP, you will need a brute-force dictionary file.  That’s where crunch comes in.  Be prepared these files get massive because they contain every possible combination of the characters that you tell it to use.  Crunch is beyond the scope of this demo. But here is one example:

  • crunch 8 8 abcdefghijklmnopqrstuvwxyz0123456789 -o lowerAlphaNumbersSize8.dict

Aircrack-ng

  1. Type aircrack-ng NETGEAR53 -w lowerAlphaNumbersSize8.dict to get it going.
  2. Now this is the part where you wait for days (literally) while it brute forces the key.  The longer the key is, the exponentially longer it takes to crack.  If the length of the key is long enough it become infeasible to crack in a lifetime, hence it’s strength.
  3. With any luck the dictionary contains the key and will display KEY FOUND and display it for your enjoyment.

Disclaimer: For speed sake, I shortened the dictionary to only contain the lowercase letters needed for the key and the dictionary only contained 8 character combinations.  So aircrack-ng was only going to attempt aaaaaaaa through wwwwwwww.  This still took nearly 20 minutes and 342,392 attempts before it found a match.