If you want to check the security of your Wi-Fi wireless network, one of the most important programs you should use is the Aircrack-ng suite. This security suite is specifically geared towards auditing wireless networks with WEP, WPA and also WPA2 encryption. Within this suite there are different tools for different tasks, such as capturing packets, actively attacking targets, checking the compatibility of WiFi cards and, finally, cracking the key of the wireless network. Today at RedesZone we are going to explain all the tools of the Aircrack-ng suite and how each of them is used.
What is the Aircrack-ng suite and what is it for?
Aircrack-ng is a suite of programs that allows us to perform wireless WiFi audits of routers and WiFi access points. This suite is one of the most used to try to hack or crack WiFi networks with WEP, WPA and also WPA2 encryption on different computers. This software is a complete audit suite divided into different programs, each designed for a specific task; there is no single « large » program that performs different actions depending on its arguments. To make the tools easier to use, depending on what we want to do with the wireless network we will have to use one program or another.
This security suite focuses specifically on four well-differentiated areas of cybersecurity on wireless networks:
Monitoring: This software allows you to capture all packets from a wireless network and export the data to text files and other formats to be analyzed by other programs. For example, we can capture all packets from the WiFi network and analyze them with Wireshark.
Attacks: We can do replay attacks and deauthentication attacks, mount a fake access point for victims to connect to, and even inject packets into the wireless network.
Testing: We will be able to check whether the WiFi card is compatible with the different attacks, whether we can configure it in monitor mode, and whether it is capable of injecting packets into the network.
Cracking: Allows you to directly crack WEP, WPA and WPA2 encryption using a dictionary or brute force.
This software is compatible with Windows, Linux, Unix and macOS operating systems; in fact, the source code is available so that we can compile it ourselves on our operating system. In the vast majority of cases, if you want to perform wireless audits you are going to use a Linux-based operating system, since it offers the best compatibility, especially regarding the drivers of the different WiFi network cards, which usually support monitor mode and packet injection.
A very important aspect is that this suite of programs is available by default in the popular Kali Linux distribution and also in Wifislax; the latter distribution is specifically designed for Wi-Fi wireless audits.
Another very important feature is that all the tools are executed through the command line, which allows you to automate different attacks with scripts. It is also true that we can take advantage of this to build graphical user interfaces, but there comes a time when using the command line is much faster. The Aircrack-ng project is more alive than ever: they have recently released version 1.7 with a huge number of improvements in operation, optimization of commands and new options, two years after the previous version.
Now that you know what the Aircrack-ng suite is, we are going to briefly explain all the tools it includes and how each one is used.
Aircrack-ng installation
The Aircrack-ng software is available on the website of the utility itself. First, you must go to the Aircrack-ng download page to get the installer.
We have two versions of Aircrack-ng available for Windows on this page. One of them requires the user to create a DLL to connect the Aircrack-ng software to the wireless NIC of the computer. The expectation that potential users are prepared to take this step, or even know how to do it, demonstrates the exclusivity of the Aircrack-ng community. Unfortunately, the creator of this tool does not make the utility easy to use.
Fortunately, the second version of Aircrack-ng for Windows does not require the user to be a Computer Science graduate. This version is linked to the wireless NIC through the Riverbed AirPcap driver, which is available on the Riverbed AirPcap download page if you don't have it on your Windows device.
Linux, Unix and macOS users can download the source code and compile it. If you have Kali Linux, Aircrack-ng is already installed on your computer.
Tool operation
The Aircrack-ng suite is made up of a large number of tools, each of which is designed for a specific purpose, so all of them are important depending on the attacks you are going to perform. Next, we explain what each of them is for, and we will show some of the most common commands.
airmon-ng
This program allows us to enable monitor mode on the WiFi network card. It is also used to kill the processes of network managers that may be using the card, in order to put it in monitor mode. In a WiFi audit, putting the card in monitor mode is the first step before performing the rest of the usual attacks.
The use of airmon-ng is very simple; the syntax is as follows:
If you want to list the WiFi cards: airmon-ng
airmon-ng <start|stop> <interface> [channel]
airmon-ng <check|check kill>
The first command allows us to see a list of all the WiFi cards connected to our computer.
The second command is the one we must use to start the interface in monitor mode with the « start » argument, or stop it with the « stop » argument. We must also choose the physical interface to use, and we can even make the card listen on a certain channel or on all of them.
The third command allows us to check which other processes are interfering with the Aircrack-ng suite, in order to kill all of them ( kill ) so that we have no problems. To kill all the interfering processes, we can execute the command « airmon-ng check kill » and it will do it automatically.
This program has other arguments, such as « --verbose », to see at a low level everything that is happening and whether there is any kind of problem.
airbase-ng
This tool allows us to attack wireless clients instead of the access points themselves. This tool is really versatile and very flexible, so it allows us to perform a lot of attacks:
- Lets you capture the handshake of the WPA and WPA2 protocols.
- Acts as an ad-hoc access point for clients to connect to.
- Allows you to act as a full access point.
- Filters by SSID or client MAC address.
- Possibility of manipulating and forwarding packets.
- Ability to encrypt sent packets and decrypt received packets.
The goal of this program is for clients to associate with the fake AP instead of the real access point. Real clients send probe requests for the networks they have configured, and these frames allow us to bind clients to the fake AP that we configure. The AP responds to any probe request with an appropriate probe response, so clients are steered to connect to the airbase-ng BSSID. Because of this, running this attack may disrupt the real APs around us, so it is advisable to use filters to minimize this « damage » to other APs. The options available in airbase-ng are very wide, so we are going to indicate the main commands that we can use to perform certain specific actions.
If we want to create a fake access point called « RedesZone » to capture the WPA handshake, we have to enter the following command:
airbase-ng -c 9 -e RedesZone -z 2 wlan0
-c: specifies the channel used.
-e: specifies the SSID of the AP.
-z 2: specifies the encryption mode (2 = TKIP, i.e. WPA). We could also use 4 to use CCMP ( WPA2 with AES ).
wlan0: is the physical interface of the WiFi card.
If the network is WPA2 AES, we have to change the -z value to 4, like this:
airbase-ng -c 9 -e RedesZone -z 4 wlan0
The rest of the parameters remain exactly the same.
This program supports many other attacks, including some for older WEP networks.
airodump-ng
airodump-ng is the software responsible for capturing packets on the wireless network. It is capable of capturing the raw frames of the 802.11 standard, and monitor mode is essential for it to work properly. This program is essential for cracking WEP and WPA networks: in the first case it captures initialization vectors, and in the second case it captures the handshake of wireless clients, so that aircrack-ng, the program in charge of cracking, can later try to crack them.
Another very important feature of this software is that it works through the command line, so we can easily and quickly write our own scripts to get a lot of information about all the WiFi networks around us. Before running airodump-ng, it is essential that you use airmon-ng to put your wireless card in monitor mode, otherwise it will not work.
This program has many options and filters to capture only certain information; below we give some examples. The syntax of this program is as follows:
airodump-ng <options> <interface>
If you want to capture all the packets from all WiFi channels and view all the data, you must run the following command:
airodump-ng wlan0
If you want to monitor only certain WiFi channels or a specific channel, you can run:
airodump-ng -c 6 wlan0
airodump-ng -c 1,6,11 wlan0
If you want to filter for WiFi networks with WPA, then you must run the following command:
airodump-ng --encrypt wpa wlan0
If you want to filter by BSSID, then you must run:
airodump-ng --bssid 00:01:02:03:04:05 wlan0
If you want to write all the data to a file, you will have to use additional arguments:
airodump-ng -w file --output-format pcap wlan0
As you can see, this program is really complete.
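The fake access point described in the airbase-ng section shows up in airodump-ng's scan as a second BSSID advertising the same ESSID, usually with weaker security. As an added example that is not part of the Aircrack-ng suite, the following script parses the `.csv` that `airodump-ng -w file --output-format csv` writes and flags such impostors against a hypothetical AP inventory; the column layout and the sample scan are assumed and constructed here.

```python
"""Spot fake access points (the airbase-ng pattern) in airodump-ng CSV output.

Added example, not part of the Aircrack-ng suite. The airodump-ng column
layout below is assumed, and the sample scan is constructed for the demo.
"""
import csv
import io

# Constructed scan: the real "RedesZone" AP (WPA2/CCMP, channel 6), a fake one
# as "airbase-ng -c 9 -e RedesZone -z 2" would advertise (WPA/TKIP, channel 9),
# and an unrelated open network. airodump-ng starts its CSV with a blank line.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2022-06-01 10:00:00, 2022-06-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0.  0.  0.  0, 9, RedesZone,
02:00:00:00:00:02, 2022-06-01 10:03:00, 2022-06-01 10:05:00, 9, 54, WPA, TKIP, PSK, -30, 60, 0, 0.  0.  0.  0, 9, RedesZone,
AA:BB:CC:00:00:07, 2022-06-01 10:00:00, 2022-06-01 10:05:00, 1, 54, OPN, , , -70, 80, 0, 0.  0.  0.  0, 8, Neighbor,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2022-06-01 10:04:00, 2022-06-01 10:05:00, -50, 12, 02:00:00:00:00:02, RedesZone
"""

# Hypothetical AP inventory: managed ESSID -> {bssid: (Privacy, Cipher)}.
KNOWN_APS = {"RedesZone": {"aa:bb:cc:00:00:01": ("WPA2", "CCMP")}}


def parse_access_points(text):
    """Return the AP table of an airodump-ng CSV as a list of dicts."""
    section = text.split("\nStation MAC,")[0]          # drop the client table
    header, aps = None, []
    for row in csv.reader(io.StringIO(section), skipinitialspace=True):
        if not row:
            continue                                   # blank separator line
        if row[0] == "BSSID":
            header = [h.strip() for h in row]
        elif header and len(row) >= len(header):
            aps.append(dict(zip(header, (c.strip() for c in row))))
    return aps


def find_rogue_aps(text, known=KNOWN_APS):
    """Return (bssid, essid, reason) findings for APs impersonating a managed ESSID."""
    findings = []
    for ap in parse_access_points(text):
        essid, bssid = ap["ESSID"], ap["BSSID"].lower()
        if essid not in known:
            continue                                   # not one of our networks
        if bssid not in known[essid]:
            findings.append((bssid, essid, "BSSID not in the AP inventory"))
        if (ap["Privacy"], ap["Cipher"]) not in set(known[essid].values()):
            findings.append((bssid, essid, f"advertises {ap['Privacy']}/{ap['Cipher']} "
                                           "instead of the inventoried security"))
    return findings
```

Running `find_rogue_aps(SAMPLE_CSV)` reports the channel-9 BSSID twice: once as unknown and once for offering WPA/TKIP where the inventory expects WPA2/CCMP.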
aireplay-ng
The objective of this program is to generate traffic on wireless networks with WEP and WPA, with the aim of subsequently cracking them with aircrack-ng. There are different attacks that we can carry out, among them the deauthentication attack used to capture the WPA handshake; it also allows fake authentications, packet replay to speed up the cracking of WEP networks, and even packet injection. This program is closely related to packetforge-ng, since with it we can create specifically crafted frames as we want.
Next, you have a complete list of all the attacks it is capable of carrying out. The number of the attack is very important, because it is the one we will have to specify in the command.
0: Deauthentication
1: Fake authentication
2: Interactive packet replay
3: ARP request replay attack
4: KoreK chopchop attack
5: Fragmentation attack
6: Cafe-latte attack
7: Client-oriented fragmentation attack
8: WPA Migration Mode
9: Injection test
The syntax for using aireplay-ng is as follows:
aireplay-ng <options> <replay interface>
If we want to carry out a deauthentication attack, we have to execute the following:
aireplay-ng -0 1 -a MAC_AP -c MAC_CLIENTE_WIFI wlan0
This is one of the most widely used attacks if you want to crack a WPA or WPA2 network, since we can force the client to deauthenticate and later capture the handshake with airodump-ng.
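The deauthentication attack above leaves a very recognisable trace: a burst of deauth frames carrying the AP's address as transmitter. As an added example that is not part of the Aircrack-ng suite, the following script reads a pcap such as the one airodump-ng writes and flags transmitters that exceed a deauth/disassoc rate within a short window; the capture it inspects is constructed inline and the threshold and window are assumed values.

```python
"""Flag deauthentication floods (the aireplay-ng -0 pattern) in an 802.11 pcap.

Added example, not part of the Aircrack-ng suite. Reads a classic pcap (link
type 105 = raw 802.11, or 127 = radiotap + 802.11) with the standard library
only. The sample capture is constructed; threshold and window are assumptions.
"""
import struct
from collections import defaultdict

DLT_IEEE802_11, DLT_IEEE802_11_RADIO = 105, 127
DEAUTH, DISASSOC = 0xC0, 0xA0    # frame-control byte 0: type 0 (mgmt), subtype 12 / 10


def iter_pcap(data):
    """Yield (timestamp, 802.11 frame) records with any radiotap header removed."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype not in (DLT_IEEE802_11, DLT_IEEE802_11_RADIO):
        raise ValueError("expected a little-endian pcap containing 802.11 frames")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if linktype == DLT_IEEE802_11_RADIO:
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]   # radiotap length field
        yield sec + usec / 1e6, frame


def find_deauth_floods(pcap, threshold=10, window=2.0):
    """Return {transmitter_mac: burst_size} for transmitters (usually the spoofed AP
    address) sending more than `threshold` deauth/disassoc frames in `window` seconds."""
    stamps = defaultdict(list)
    for ts, frame in iter_pcap(pcap):
        if len(frame) >= 26 and frame[0] in (DEAUTH, DISASSOC):
            stamps[frame[10:16].hex(":")].append(ts)     # addr2 = transmitter
    floods = {}
    for sender, times in stamps.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):                   # sliding-window count
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best > threshold:
            floods[sender] = best
    return floods


def build_sample_pcap():
    """Constructed capture: one routine deauth from the AP at t=1s, then a burst of
    64 frames in 1.3s that carry the AP address and target a single client."""
    ap, client = b"\xaa\xbb\xcc\x00\x00\x01", b"\xde\xad\xbe\xef\x00\x01"
    def record(ts):   # FC, duration, addr1=DA, addr2=SA, addr3=BSSID, seq, reason code 7
        frame = bytes([DEAUTH, 0]) + b"\0\0" + client + ap + ap + b"\0\0" + struct.pack("<H", 7)
        us = round(ts * 1e6)
        return struct.pack("<IIII", us // 1000000, us % 1000000, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    return header + record(1.0) + b"".join(record(10.0 + i * 0.02) for i in range(64))
```

A single deauth from an AP is normal housekeeping; only the burst trips the detector, which is why the rate, not the frame type alone, is the signal.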
aircrack-ng
This program is the core of the suite and gives it its name. Its objective is to recover WEP, WPA and also WPA2 passwords. There are different cracking modes, usually brute force, dictionary, or a combination of both. Depending on the wireless network we want to crack we will have to use some commands or others; here we are going to show you how to crack WPA and WPA2 once we have captured the handshake with airodump-ng.
The syntax for using this program is as follows:
aircrack-ng [options] <capture file(s)>
This program allows multiple input files, although the usual thing is to use only one capture containing the handshake of the wireless network.
Let's imagine that we want to crack a WPA or WPA2 password using a password dictionary. The command you need to execute is as follows:
aircrack-ng -w password_dictionary.lst *.cap
This command takes all the files with the .cap extension in the directory and tests, one by one, all the passwords contained in the dictionary. Once it starts, it will prompt us, like a configuration wizard, to choose which of the WiFi networks whose handshake we have captured we want to crack.
It is also possible to use several dictionaries as input to crack a specific handshake; the syntax is as follows:
aircrack-ng -w password_dictionary1.lst,password_dictionary2.lst,password_dictionary3.lst,password_dictionary4.lst *.cap
If you want to automate this, you can use the « -e ESSID » argument to select the SSID of the WiFi access point to crack, so it does not prompt us and does everything automatically.
airdecap-ng
This program is quite simple: its objective is to decrypt WEP, WPA and WPA2 captures. It can also be used to remove all the wireless headers from an unencrypted capture ( a wireless capture taken when the access point uses no encryption of any kind ). This program generates a new file ending in « -dec.cap », which is the decrypted version of the input file.
The syntax of this program is as follows:
airdecap-ng [options] <pcap file>
Let's imagine that we want to remove all the headers from a capture of an open WiFi network; we can execute the following command:
airdecap-ng -b MAC_AP open-network.cap
Let's imagine that we want to decrypt an entire capture where WPA or WPA2 is being used; we have to execute the following command:
airdecap-ng -e 'wifi network name' -p password_WPA capture.cap
As you can see, it is an easy way to obtain a decrypted capture, although we could also do the same with Wireshark through its graphical user interface.
Other tools
Within the Aircrack-ng suite there are other very specific tools that extend the functionality we have seen, for example airdecloak-ng, airdrop-ng, airgraph-ng, airolib-ng, airserv-ng, airtun-ng, besside-ng, dcrack, easside-ng, packetforge-ng, tkiptun-ng and wesside-ng. Depending on our needs and what we want to do, we can use some of them to greatly facilitate the task of wireless audits.
For example, one of the most notable is dcrack. This tool allows us to crack WPA and WPA2 keys in a distributed way across several computers, with the aim of increasing CPU power and reducing the time it takes to crack a password. This program uses a client-server model: a server coordinates the different clients that connect to it; the user sends commands to the server, which then sends the necessary data to the clients.
As you have seen, this suite is really complete because we have a lot of tools; in addition, it is modular, so we can run each tool separately to have even more options.
Advantages and disadvantages of Aircrack-ng
Aircrack-ng is a classic hacker tool. But, like most classics, it is old, and much of the excitement of getting this famous free hacking system dissipates when you discover that WiFi designers know all about it and have taken steps to block it.
It is a tool that can be used completely free of charge and has versions for Windows as well as Unix, Linux and macOS; in fact, it is installed by default in Kali Linux, and with it you can also decrypt wireless traffic.
On the other hand, the application is a little difficult to install and is not very intuitive, since the user interface is practically non-existent; its greatest strength lies in breaking WEP encryption, which in most cases is no longer used, and in addition to this there are utilities such as WPA-TKIP that do not work very well.
Is it legal to use Aircrack?
In this regard, it is normal for questions to arise about whether using this type of tool is illegal. And the truth is that no, it is not illegal. But here we must mention that although the application itself is not outside the law, the uses it can be put to may well be. Therefore, all responsibility falls on the user who uses Aircrack, how he uses it and the purpose for which it is used.
This is something that is specified in the Penal Code. To understand it, we must treat a password as a security measure. Therefore, a crime is committed when you access something by bypassing this measure, and in general any of the available security levels. This means that if someone accesses our email, our computer or any social network, it would be a crime. Even here a further distinction can be drawn, since accessing a service is different from remaining inside that service.
This may carry penalties. According to the Penal Code, prison terms of between 6 months and 2 years can be imposed, and these can be increased if other conditions are met, such as acting on behalf of a criminal group.
Here everything hinges on two factors: on the one hand the privacy of people, and on the other the security of computer systems. Therefore everything can vary depending on the medium that is attacked. If we focus on some services such as Facebook, prison terms of around 5 years are known. This shows how the penalties vary according to the situation being judged and all its factors.
Conclusions
We have seen that the Aircrack-ng suite is truly complete software for performing WiFi wireless audits of any router or access point. This software allows you to crack networks with WEP in a really short time; however, this type of encryption has been deprecated by the Wi-Fi Alliance, so it is really rare to come across these kinds of networks nowadays. The same is true for WPA encryption, which is hardly used today because it is considered « deprecated » in favor of WPA2, currently the most widely used.
Although many of these tools are oriented to WEP networks that are no longer used, the truth is that there are still different attacks we can perform on networks with WPA2. If you want to test the security of any WPA2 network, this audit suite is what you are looking for, and it is simply the best one. Also, keep in mind that distributions specifically geared towards wireless audits include it by default, and also bundle different scripts and other programs based on this suite to make it easier for users to use all the tools.