The two prime factors fuelling the rapid growth of Wi-Fi are the constant advancements in Wi-Fi technology, and the Wi-Fi capability in almost all consumer electronic (CE) devices that are being manufactured today — laptops, smartphones, cameras, printers/scanners, televisions, music players, etc.
As mentioned earlier, attackers are using the security weaknesses/vulnerabilities in Wi-Fi networks or Wi-Fi capable devices to intrude into them. After such an intrusion, attackers can maliciously exploit the network/device for their personal gains. Assisting these attackers in their mission is the availability of a variety of tools to detect and exploit various Wi-Fi vulnerabilities.
Among these tools, one that stands out is Aircrack-ng. It is an open source utility, freely available, and equally popular among crackers and Wi-Fi penetration testers/auditors. It is the most comprehensive toolkit for troubleshooting and auditing Wi-Fi networks, and covers both the long-known and the latest-known Wi-Fi exploits and vulnerabilities.
Aircrack-ng is basically a suite of tools that has been crafted to achieve the following objectives:
- Capture raw Wi-Fi packets in an intended airspace, on various channels of interest, and then analyse them to show the various Wi-Fi networks and Wi-Fi clients that were operating during the collection period.
- Break WEP and WPA PSK (pre-shared key)-type Wi-Fi networks by exploiting the known vulnerabilities of such networks.
- Inject/replay Wi-Fi packets into the airspace.
- Exploit the weaknesses present in various Wi-Fi clients, to establish fake connections with such clients, in order to launch man-in-the-middle type of attacks.
Aircrack-ng can be installed on a Linux operating system (Fedora, Red Hat, Ubuntu, etc.) by compiling the source code on the host machine. As of this writing, the latest version of Aircrack-ng is 1.1, and you can obtain its source code here.
For Aircrack-ng tools to work, you need a compatible wireless card, and an appropriately patched driver. You can learn more about compatible cards on the project homepage. However, since installing patched drivers for Aircrack-ng can be tedious and complicated for many users, you can instead use the BackTrack Live Linux distribution, in the form of a Live CD/DVD/USB, to run Aircrack-ng flawlessly. Aircrack-ng and many patched wireless drivers (as required by Aircrack-ng) are already included in the BackTrack distribution.
Aircrack-ng, being a suite of tools, consists of a number of independent tools, each one accomplishing a certain task. To achieve certain objectives related to Wi-Fi auditing/cracking/troubleshooting, one or more tools of the suite are used in combination. Here are some of the important tools included in the suite.
Airmon-ng is very basic, and is used primarily to enable or disable monitor mode on a wireless interface. It is frequently used in combination with the other tools. Monitor mode puts the wireless interface into a promiscuous state so that it can sniff all the Wi-Fi frames within range, rather than only those addressed to it. You can also specify the channel for monitor mode via this tool.
The basic usage is airmon-ng <start|stop> <interface> [channel], where
<start|stop> indicates if you wish to start or stop the interface;
<interface> specifies the interface name;
[channel] optionally sets the card to a specific channel.
Airodump-ng captures raw Wi-Fi packets through a wireless interface that is in monitor mode, and dumps them into one or more file formats. The dumped file can then be used by other tools for specific analysis. Along with capturing the raw traffic, Airodump-ng also displays on the output screen a list of detected Access Points (APs) and wireless clients.
The list contains details for APs such as the SSID, channel, encryption mechanism, authentication method, power level, etc. For wireless clients, the list shows the connected AP, power level, data rate, etc. Airodump-ng provides a variety of options, such as capturing on a single channel or on multiple channels, and filtering the output screen results by AP BSSID. These options give great flexibility in various scenarios. If a GPS receiver is connected, Airodump-ng can also log the coordinates of the APs it finds.
The basic usage is airodump-ng <options> <interface>, where
<options> indicates one or more options to be used while running the tool; and
<interface> indicates the monitor mode interface to be used for capturing the Wi-Fi traffic.
Some commonly used options are:
-f <msecs>— time in milliseconds between hopping channels, if multiple channels are used.
--output-format <formats>— possible output formats are pcap, ivs, csv, gps, kismet, netxml. The option can be specified multiple times if more than one output format is required.
--bssid <BSSID>— filter APs by BSSID value.
--channel <channels>— comma-separated list of channels for capture.
--write <prefix>— dump file prefix.
Example 1: If you wish to limit the Wi-Fi data capture to a single AP with BSSID 00:11:22:33:44:55 operating on channel 8, using the interface ath0, and write the captured data into a file with prefix capture and output format pcap, then issue the following command:
airodump-ng -c 8 --bssid 00:11:22:33:44:55 -w capture --output-format pcap ath0
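As an added, defender-side example that is not part of the original article: a POSIX shell script that reads the CSV file Airodump-ng writes with --output-format csv and flags access points that are either absent from an allow-list of authorised BSSIDs or advertise open (OPN) or WEP encryption, which is the "locate unwanted APs" and "check that authorised networks are appropriately encrypted" use of the tool. The column layout assumed is Airodump-ng's CSV layout (BSSID, first/last seen, channel, speed, privacy, cipher, authentication, power, beacons, IVs, LAN IP, ID-length, ESSID, key); the allow-list, the file name and every sample row are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): audit an airodump-ng CSV dump for
# access points that are unauthorised or use weak encryption.
# Assumed column layout (airodump-ng --output-format csv, AP section):
#   BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher,
#   Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
# The allow-list and all sample rows below are constructed for this example.

AUTHORISED_BSSIDS="00:11:22:33:44:55 00:11:22:33:44:66"   # constructed allow-list

# Write a constructed capture-01.csv so the example runs without a real capture.
make_sample_csv() {
    cat > "$1" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2011-06-01 10:00:00, 2011-06-01 10:05:00,  8, 54, WPA2, CCMP, PSK, -40,  120,   0,   0.  0.  0.  0,   9, office-ap, 
00:11:22:33:44:66, 2011-06-01 10:00:00, 2011-06-01 10:05:00,  6, 54, WEP , WEP , OPN, -55,   80, 300,   0.  0.  0.  0,  10, legacy-lab, 
DE:AD:BE:EF:00:01, 2011-06-01 10:01:00, 2011-06-01 10:05:00, 11, 54, OPN ,     ,    , -70,   30,   0,   0.  0.  0.  0,   7, freewifi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0F:22:33:44:55, 2011-06-01 10:00:10, 2011-06-01 10:04:00, -50,   500, 00:11:22:33:44:55, office-ap
EOF
}

# audit_aps <csv>: print one finding per line, "<bssid> <essid> <privacy> <reason>".
# Reasons: unauthorised (BSSID not in the allow-list), weak-crypto (OPN or WEP).
audit_aps() {
    awk -F', *' -v allow="$AUTHORISED_BSSIDS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Station MAC/ { exit }          # client section begins: AP section is done
        /^BSSID/ || NF < 14 { next }     # skip the header line and blank lines
        {
            bssid = $1; priv = $6; essid = $14
            sub(/ +$/, "", priv)         # airodump-ng pads short values ("WEP ", "OPN ")
            reason = ""
            if (!(bssid in ok)) reason = "unauthorised"
            if (priv == "OPN" || priv == "WEP") {
                sep = (reason == "") ? "" : ","
                reason = reason sep "weak-crypto"
            }
            if (reason != "") print bssid, essid, priv, reason
        }' "$1"
}

# Demonstration on the constructed sample; against a real dump: audit_aps capture-01.csv
sample=$(mktemp)
make_sample_csv "$sample"
audit_aps "$sample"
rm -f "$sample"
```

On the constructed sample the script reports the WEP-only lab AP and the open, unlisted "freewifi" AP, and stays silent about the authorised WPA2 office AP. Run against a real dump written by the Example 1 command (with csv added to --output-format), the same function gives a quick rogue-AP and weak-encryption sweep of the airspace.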
Aircrack-ng is the main tool, used for recovering the keys of WEP- and WPA PSK-based Wi-Fi networks. Aircrack-ng is able to break a WEP key once enough encrypted packets have been captured with Airodump-ng. The two methods used for breaking the WEP key are PTW and FMS/Korek.
PTW is the default, and requires relatively few data packets, particularly ARP request/reply packets, to crack the WEP key. However, PTW is limited to breaking 40- and 104-bit WEP keys. The FMS/Korek method combines brute-force cracking with other statistical mechanisms to discover the WEP key. It requires a relatively large number of captured data packets, and is often used when the PTW method fails. To crack a WPA/WPA2 PSK, only the dictionary method is supported, for which a capture of the four WPA handshake packets is required.
The basic usage is aircrack-ng <options> <capture file(s)>, where
<capture file(s)> is a comma-separated list of captured-data files, either in
Some of the commonly used options are:
-a <amode>— forces either WEP (by specifying the value 1) or WPA/WPA2-PSK (specify 2) cracking.
-b <bssid>— BSSID value (AP MAC address) is used to select the target network for key cracking. All data packets in the capture files that contain the same BSSID value are used for cracking.
-e <essid>— The ESSID value is used to select the target network for key cracking, and thus use only corresponding data packets in the capture files.
-K— Invokes the Korek WEP cracking method.
-z— Invokes the PTW WEP cracking method (the default in the latest version).
-w <word-list path>— Used to specify the path of a word-list file for the WPA dictionary attack.
Example 2: If you wish to recover the WEP key for an AP with the MAC address 00:11:22:33:44:55, and the corresponding capture file is output.cap, then you need to invoke Aircrack-ng as follows:
aircrack-ng -b 00:11:22:33:44:55 output.cap
If the command is successful, the WEP key for the target network will be displayed on the screen.
Example 3: If you wish to recover the WPA PSK for an AP with the MAC address 00:11:22:33:44:55, using the word-list file password.lst (required for a dictionary attack), and the corresponding capture file is output.cap, then run the following command:
aircrack-ng -b 00:11:22:33:44:55 -w password.lst output.cap
If the command is successful, and the WPA PSK is contained in the word-list/dictionary file, then this key will be displayed on the screen.
Aircrack-ng includes many optimisations to the standard key-cracking algorithms, and hence is much faster than other available Wi-Fi key-cracking programs. One can run Aircrack-ng and Airodump-ng simultaneously, as Aircrack-ng auto-updates when new packets are captured by Airodump-ng. Aircrack-ng is widely used by crackers to recover WEP and WPA/WPA2 PSK keys in order to intrude into a network, while Wi-Fi penetration testers use the same tool to test the strength of a WEP or WPA/WPA2-PSK key.
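An added example, not from the article: the dictionary method described in Examples 3 above and in this paragraph can only recover a WPA/WPA2 PSK that is present in the word-list (or, once attackers apply simple mangling rules, a trivial variant of an entry), so the cheapest defence is to check a candidate passphrase against the same lists an auditor would use before deploying it. The check_passphrase function, its messages and the three-entry word-list below are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): pre-deployment check of a WPA/WPA2
# passphrase against the kind of word-list an auditor would feed to
# "aircrack-ng -w". check_passphrase and the sample word-list are constructed.

# check_passphrase <passphrase> <word-list>: exit status 0 if acceptable, 1 if not.
check_passphrase() {
    pass=$1
    list=$2
    len=${#pass}
    # 802.11 passphrases are 8 to 63 printable ASCII characters; anything else
    # is rejected by the AP anyway, so fail early.
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "reject: passphrase must be 8..63 characters (got $len)"
        return 1
    fi
    # Exact (case-insensitive) match: this is precisely what a dictionary run recovers.
    if grep -Fxiq -- "$pass" "$list"; then
        echo "reject: passphrase appears in $list"
        return 1
    fi
    # One common mangling rule: a word-list entry, case changed, with digits appended.
    base=$(printf '%s' "$pass" | tr 'A-Z' 'a-z' | sed 's/[0-9]*$//')
    if [ -n "$base" ] && grep -Fxq -- "$base" "$list"; then
        echo "reject: '$base' plus digits is a trivial variant of a $list entry"
        return 1
    fi
    echo "ok: not in $list and not a trivial variant of an entry"
    return 0
}

# Demonstration with a constructed three-entry word-list; in practice point the
# function at the same list the audit would use (for example password.lst).
wl=$(mktemp)
printf 'password\nletmein\nsummer2011\n' > "$wl"
check_passphrase 'Password2011' "$wl" || true
check_passphrase 'correct horse battery staple' "$wl" || true
rm -f "$wl"
```

The function returns a shell exit status, so it drops straight into a provisioning script: a passphrase that would fall to the Example 3 command, or to a simple case-plus-digits variant of it, never reaches the AP configuration.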
The primary goal of Aireplay-ng is to generate Wi-Fi traffic to be used later by Aircrack-ng to crack WEP and WPA PSK keys. To achieve this goal, Aireplay-ng implements the following attacks, each of which injects one or more Wi-Fi packets into the network:
- De-authentication attacks: Aireplay-ng can send de-authentication packets to one or more clients that are associated with an AP, in order to capture the WPA handshake, discover hidden SSIDs, or generate ARP requests (to be used in WEP cracking).
- Fake authentication attacks: In these attacks, Aireplay-ng sends authentication and association packets to a WEP AP to associate with it. This may be needed when no clients are connected to the AP, and you need to generate Wi-Fi traffic to break the WEP key of the AP.
- Interactive packet replay attacks: In such cases, one can choose a specific packet to replay (inject) from the live flow of packets in the wireless card, or from a pcap format file. Replaying particular packets in a WEP Wi-Fi network can generate more traffic, which can be used by Aircrack-ng to recover the WEP key.
- ARP request replay attacks: These attacks are very useful to generate enough ARP traffic that can be used by Aircrack-ng to break the WEP key using the PTW method. Here, Aireplay-ng listens for an ARP packet, and then retransmits it to the AP, which in turn generates an ARP packet again that is then replayed once more by Aireplay-ng. This process is repeated until enough ARP packets (for WEP cracking) are generated by the AP.
- Café Latte attacks: This is useful to obtain the WEP key from an unassociated client. In this, Aireplay-ng listens for an ARP packet from the client, then modifies it and sends it back to the client, so that the client generates a new ARP packet. When enough ARP packets are generated by the client, encrypted correctly with the client WEP key, Aircrack-ng can be used to recover the WEP key from those packets.
The basic usage is aireplay-ng <options> <replay interface>, where
<options> indicates the attack type and associated options and
<replay interface> indicates the wireless interface to be used for replay (injection).
Some of the common options are:
- Attack options (select the attack type)
-0 <count>— De-authentication attack; <count> is the number of de-authentication rounds to send.
-1— Fake authentication attack.
-2— Interactive packet replay attack.
-3— ARP request replay attack.
-6— Café Latte attack.
- Filter options (for filtering a packet from a source)
-b <bssid>— MAC address of the AP
-d <mac>— Destination MAC address
-s <mac>— Source MAC address
-m <len>— Minimum length of the packet
-n <len>— Maximum length of the packet
-u <type>— Type of packet
-v <subt>— Subtype of packet
- Replay options (to be used while replaying for a particular attack)
-x <nbpps>— Number of packets per second
-a <bssid>— Set AP MAC address
-c <dmac>— Set destination MAC address
-h <smac>— Set source MAC address
- Source options (to select a source of packets for an interactive packet replay attack)
-r <file>— pcap file to be used for source of selection/filtering packets.
Example 4: If you wish to de-authenticate (disconnect) a client 00:0F:22:33:44:55 associated to an AP with the MAC address 00:11:22:33:44:55, sending a single de-authentication round and using ath0 as the replay interface, then you invoke Aireplay-ng as follows:
aireplay-ng -0 1 -a 00:11:22:33:44:55 -c 00:0F:22:33:44:55 ath0
Airdecap-ng is used to decrypt WEP/WPA/WPA2 capture files. It can also be used to strip the wireless headers from an unencrypted wireless capture file. The output is a new file with the suffix -dec.cap, which is the decrypted/stripped version of the input file.
The basic usage is airdecap-ng <options> <pcap file>, where
<pcap file> indicates the input pcap file. Some of the common options are:
-l— Do not remove MAC header
-b <bssid>— MAC address of the AP, used to select the packets in the input file for decryption
-k <pmk>— WPA/WPA2 Pairwise Master Key in hex
-w <key>— WEP key in Hex
-p <pass>— WPA/WPA2 passphrase
-e <essid>— SSID of the network to select the packets in the input file for decryption
Example 5: If you wish to decrypt the packets from a WPA network with the ESSID decrypt-test and the passphrase password, from the input file wpa.cap, then you need to invoke Airdecap-ng as shown below:
airdecap-ng -e 'decrypt-test' -p password wpa.cap
Having looked over some of the most important tools in the Aircrack-ng suite, you should now have a clearer picture of how comprehensive the suite is. Apart from the tools described, Aircrack-ng contains many more for various other purposes. The Aircrack-ng website is very well maintained in terms of usage documentation for the various tools.
People who are still unaware of the Wi-Fi security weaknesses and loopholes that can lead to intrusion and malicious attacks from outsiders should know that Aircrack-ng is a great suite for testing your own Wi-Fi setup. With it, you can locate unwanted APs in an office, check that authorised Wi-Fi networks are appropriately encrypted, and test the strength of the encryption pass-phrases and keys.
In recent times, Aircrack-ng has been fully ported to the Nokia N900, making it far more convenient for users, who can now carry the most popular Wi-Fi auditing tool in their pockets.