How to use aircrack-ng for Wi-Fi Recon and Hacking

One of the most popular exploits for new hackers to try is cracking Wi-Fi access points. Before someone can even consider attacking a Wi-Fi AP, they need the MAC address of the target AP (also known as the BSSID), the MAC address of the client, and the channel the AP is operating on. All this information and more can be found using the tools in the aircrack-ng suite. This suite of tools is included by default in every version of Kali, so if you’ve got your real hacker hat on you don’t need to apt-get anything.

The first step to get started is to put your wireless network card into monitor mode. This mode allows your card to see all the traffic around it similarly to promiscuous mode for wired network cards. The aircrack way of doing this is as follows:

root@kali: ~# airmon-ng start wlan0

wlan0 in this case is the default wireless network interface; if the command runs into trouble, make sure that wlan0 is in fact there using the ifconfig command. Once your wireless card is in monitor mode, airmon-ng will rename the interface to something like “wlan0mon”. Take note of this rename; it will be important later.

Now that we are listening to all the packets flying by our heads, it’s time to start doing something with them, and that is where the airodump-ng command comes into play. Airodump-ng captures and displays the key data from all the broadcasting APs as well as the clients connected to those APs. The command to do this is as follows:

root@kali: ~# airodump-ng wlan0mon

Airodump-ng will split the output screen into an upper and lower portion. The upper portion has information on the broadcasting APs including:

  1. BSSID: MAC address of the AP or client
  2. PWR: power of the AP (the strength of the signal)
  3. Beacons: how many beacon frames have been detected
  4. #Data: data throughput rate
  5. #/s: how many packets have traversed the wireless card
  6. CH: channel (1-14)
  7. MB: theoretical throughput limit
  8. ENC: encryption protocol
  9. CIPHER: cipher used for encryption
  10. AUTH: authentication type
  11. ESSID: the network name (also known as the SSID)

Now that we have all the information needed to crack the AP, let’s get to the crack itself. To crack the Wi-Fi password, open three terminals or three tabs in the same terminal. In the first, enter commands similar to the following:

root@kali: ~# airodump-ng -c 10 --bssid 01:02:AA:BB:CC:22 -w <capture_output> wlan0mon

That command captures all the packets traversing the AP on channel 10 (-c 10) and writes them to your output file (-w <capture_output>). In the second terminal we use aireplay-ng to deauthenticate anyone connected to the AP, which forces them to reauthenticate with the AP. The reason for this is that we want to capture the authentication hash that gets passed in the four-way handshake. This speeds up the cracking process, as otherwise you would need to capture a large number of random packets. The command to do this is as follows:

root@kali: ~# aireplay-ng --deauth 100 -a 01:02:AA:BB:CC:22 -c AO:A2:E1:33:7C:E5 wlan0mon
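The deauthentication burst described above is also one of the easiest Wi-Fi attacks to spot from the defender's side, because a legitimate network never sends dozens of deauth frames per second. The following is an added example, not code from the original post or from the aircrack-ng project: a small Python parser for monitor-mode frames (radiotap header plus 802.11 management header) and a sliding-window counter that raises an alert when a BSSID emits ten or more deauthentication frames within five seconds. The threshold, window, MAC addresses, reason codes and the frames built by sample_capture() are all constructed for the demonstration; in practice you would feed detect_deauth_floods() frames read from an airodump-ng .cap file with a pcap library.

```python
"""Detect 802.11 deauthentication floods in raw monitor-mode frames.

Added example, not part of the original post. Input is a sequence of
(timestamp_seconds, raw_frame_bytes) as a pcap reader would yield; the
frames in sample_capture() are constructed in memory for the demonstration.
"""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0          # 802.11 frame type: management
SUBTYPE_BEACON = 8
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Strip the radiotap header and decode the 802.11 MAC header."""
    if len(frame) < 4:
        raise ValueError("frame shorter than radiotap header")
    rt_version, _pad, rt_len = struct.unpack_from("<BBH", frame, 0)
    if rt_version != 0 or rt_len > len(frame):
        raise ValueError("bad radiotap header")
    dot11 = frame[rt_len:]
    if len(dot11) < 24:
        raise ValueError("truncated 802.11 header")
    fc0 = dot11[0]                      # frame control, first byte
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    info = {
        "type": ftype,
        "subtype": subtype,
        "addr1": _mac(dot11[4:10]),     # receiver / destination
        "addr2": _mac(dot11[10:16]),    # transmitter / source
        "addr3": _mac(dot11[16:22]),    # BSSID for management frames
        "reason": None,
    }
    if ftype == MGMT_TYPE and subtype == SUBTYPE_DEAUTH and len(dot11) >= 26:
        info["reason"] = struct.unpack_from("<H", dot11, 24)[0]  # reason code
    return info


def detect_deauth_floods(frames, threshold=10, window=5.0):
    """Alert once per BSSID when >= threshold deauths fall inside `window` seconds.

    Frames that fail to parse are skipped: a live capture contains plenty of
    malformed or truncated traffic and must not crash the detector.
    """
    recent = defaultdict(deque)         # bssid -> timestamps of recent deauths
    alerted, alerts = set(), []
    for ts, raw in frames:
        try:
            f = parse_frame(raw)
        except ValueError:
            continue
        if f["type"] != MGMT_TYPE or f["subtype"] != SUBTYPE_DEAUTH:
            continue
        q = recent[f["addr3"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and f["addr3"] not in alerted:
            alerted.add(f["addr3"])
            alerts.append({
                "bssid": f["addr3"],
                "count": len(q),
                "window_start": q[0],
                "window_end": ts,
                "broadcast": f["addr1"] == BROADCAST,  # deauth aimed at everyone
                "reason": f["reason"],
            })
    return alerts


def _mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Build radiotap + 802.11 management header (constructed test data only)."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)          # version 0, 8 bytes, no fields
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0])
    hdr = fc + b"\x00\x00"                               # duration
    for addr in (dst, src, bssid):
        hdr += bytes.fromhex(addr.replace(":", ""))
    return radiotap + hdr + b"\x00\x00" + body           # sequence control + body


def sample_capture():
    """Constructed capture: beacons, a 12-frame deauth burst from AP A, two widely
    spaced deauths from AP B (normal client churn), and one truncated frame."""
    ap_a, ap_b, sta = "02:00:00:00:aa:01", "02:00:00:00:bb:02", "02:00:00:00:c1:01"
    frames = [(100.0 + i, _mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap_a, ap_a)) for i in range(5)]
    for ts in (50.0, 90.0):
        frames.append((ts, _mgmt_frame(SUBTYPE_DEAUTH, sta, ap_b, ap_b, struct.pack("<H", 3))))
    for i in range(12):
        frames.append((100.0 + i * 0.1, _mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap_a, ap_a, struct.pack("<H", 7))))
    frames.append((101.5, b"\x00\x00\x08\x00"))           # truncated frame, must be skipped
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_floods(sample_capture()):
        print(f"deauth flood from {alert['bssid']}: {alert['count']} frames in "
              f"{alert['window_end'] - alert['window_start']:.1f}s, broadcast={alert['broadcast']}")
```

The detector alerts on the tenth frame of the burst from AP A and ignores AP B, whose two deauths are forty seconds apart. A broadcast destination combined with a steady stream of the same reason code is the typical signature of a tool-driven flood rather than an AP dropping one misbehaving client; on a production WIDS you would also record addr2 so a spoofed transmitter can be compared against the known AP's radio.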

And in the last terminal, we can run a password list against the captured hash file (the airodump-ng output in .cap format) to find the password. This command does just that:

root@kali: ~# aircrack-ng -w wordlist.dic -b 01:02:AA:BB:CC:22 capture_output.cap