Snafu Code Logo
HOME LEARN PROJECTS ABOUT

Getting Started with Aircrack-ng

In this guide we are going to go over the basics of the Aircrack-ng suite of tools. Aircrack is a powerful tool kit designed to assess WiFi network security. It can be used for monitoring, recording data, attacking devices and cracking passwords. Aircrack is also well suited for scripting, and can easily be used in your own custom bash scripts. Although Aircrack is primarily used on Linux, it also avilable for Winodws(limited functions) and MacOS. For this guide I am running Kali Linux on a Raspberry Pi, but you shouldn't have a problem following along if you are using VMware, VirtualBox or something similar.

If you don't like reading, you can watch the video of this tutorial.

(Note: Change video to 1080p for best viewing quality)


Prerequisites

I'm going to make the foolish assumption that you have some basic knowledge of Linux, using the command line, and that you already have a WiFi adapter that supports monitor mode. For more information about WiFi adapters see the Aircracks help guide here. Of course you will also need to have Aircrack installed on you your system. If you are running Kali no need to worry, it comes as one of the pre-installed tools. If you are running one of the other flavors of Linux, you may have to install it yourself. To check if you already have it, open a terminal and type in aircrack-ng --help.

(user@kali)-$ aircrack-ng --help

Aircrack-ng
If you have it installed, you will something similar to this output. If it says "Command not found", you will need to install it yourself. See the Aircrack download page for links and instructions.

Getting Started

Getting started with Aircrack is actually quite easy, and a little bit of knowledge will get you a long way. Aircrack contains many tools all for different purposes. A good place to start is finding and monitoring network traffic. Once we identify the network we are interested in, we can zero in and do some interesting things. With your wifi adapter connected to your computer, open up a terminal. The first thing we are going to do is check the network devices we have avilable on our computer.

(user@kali)-$ ip a

ip a
Runnig the ip a command will bring up a list of your network devices and some details about them. The main things we are looking for here is a wlan interface. Keep in mind that your screen will look a little different depending your setup and what kind of devices you are using. Looking at the output in Figure 2, we see a few things.
  1. lo: - Which stands for loopback. This is a virtual network interface that is typically used for diagnostics and allows your computer to act as a local server.
  2. eth0: - This is the wired ethernet interface. If you are using a virtual machine such as VMWare Player, eth0 is actually going to be the the wireless interface of your main OS.
  3. wlan0: - This is the first wireless interface. If you are using a virtual machine wlan0 will typically be your USB wifi adapter. If you are runnig a Raspberry Pi wlan0 will be the onboard wireless card, and wlan1 will be your USB wifi adapter.


Fig3 ip a
Note all the details of your network interfaces such as ipv4/6 and MAC address. This is a quick way to find some of your network details, it is similar to running ipconfig /all on windows. Now that we have identified the wireless interface we are going to use, we need to put it into monitor mode. First run airmon-ng to kill any process that may interfare with the interface we are going to be using.
(user@kali)-$ sudo airmon-ng check kill

Fig4 check kill
Running this command stops any services that could potentially cause problems with using your wifi adapter in monitor mode. This is important, if you skip this step you will probably run into problems later on. Next we need to actually put our wifi adapter into monitor mode.
(user@kali)-$ sudo airmon-ng start wlan1
Note: When you put your wifi adapter into monitor mode it may change it's name to something like wlan1mon. Fig5 monitor mode
Where wlan will be the name of the interface you want to use. At the bottom it should say monitor mode enabled once we run this command. To double check this we can run iwconfig or iw dev.
(user@kali)-$ iwconfig
or
(user@kali)-$ iw dev

Check monitor mode
Now that we have our wifi adapter set up and in monitor mode, we are ready to explore the networks around us.

Finding Networks

With our wifi adapter now configured we can begin scanning for networks. Using airodump-ng we can find avilable wifi networks within range. An import feature of airodump is the details it gives you about devices it discovers. These details include ESSID, MAC Address, channel and encryption type. Airodump also captures raw 802.11 frames that we can later analyize in wireshark. This is a tool that you will constently use and it is worth taking some time to understand it's features and how to use them.

(user@kali)-$ sudo airodump-ng wlan1
wlan1 is the name of my wifi adapter, make sure to change it to the name of yours if it's different than wlan1.
As soon as your run this command you will see a lot of data output. Airodump searches for all access points withing range of you wifi adapter and displays their details. If you are in a crowded area such as an apartment you will see a ton of access points show up. To stop scanning you can either press Ctrl+C or press the Q key twice. You can also pause your scan by pressing your spacebar key.
Airodump scan
This might seem like a lot of information at first, once you learn what each part is it will make more sense. I'm going to give a brief overview of everything here, but I reccomend you check out the offical Aircrack-ng documentation for a more in-depth explanation of each part.
Here's a quick overview of the important things. Now that we have an idea of what some of this information means lets target a network and capture some data from it. I sugguest targeting your own network. I have a network named TEST_NETWORK that I am going to be targeting. While you are running airodump you can press the O to turn on colors, and if you press the Tab key you can highlight different networks of interested. Use the arrow keys to move the highlight up and down, and press M to mark. You don't have to do this, but it makes things easier when you are dealing with a lot of networks.
Now that I have my network identified, I am going to filter my scan using the --bssid and --channel option in the command line. The --bssid is going to be that MAC address of your target network, and --channel and the channel number of your target network.
(user@kali)-$ sudo airodump-ng --bssid ff:ff:ff:ff:ff:ff --channel 2 wlan1

Airodump-ng
Now that the scan is refined, we see BSSID and STATION at the bottom. BSSID is of course still the MAC of your target access point, but now we also see STATION, which is devices that are connected to that access point. This is important because it is often very usful to see what kind of devices we have access to and can potentially exploit. For example, in this case I have my phone connected to my TEST_NETWORK. I can now take advantage of this and conduct a man-in-the-middle attack if I wanted to. That is a little outside the scope of this tutorial, but I will show you have to deauth a device and capture the handshake. First, I'm going to add one more option to the command line, -w capfile.
(user@kali)-$ sudo airodump-ng --bssid ff:ff:ff:ff:ff:ff --channel 2 -w capfile wlan1
Take note here, the -w command will save the raw 802.11 frames into a .cap file for us. We can analyize this data later in Wireshark, or in this case, we will use it to break the password on this network. the text that comes after -w will be the name of the file, in this case I'm just calling it capfile. You can name your file whatever you want. Your file command should look like this.
Airodump-ng write to file
With this command running in your current terminal, open up another terminal. In this terminal we are going to use a new command, called aireplay to send deauth packets to help us capture the handshake.
(user@kali)-$ sudo aireplay-ng --deauth 10 -a ff:ff:ff:ff:ff:ff -c 00:00:00:00:00:00 wlan1
With airodump running in youe first terminal, run this aireplay command in your second terminal.

Aireplay-ng
Now check your first screen, the one running airodump. What we are looking for here is the handshake capture.
Airodump Handshake
You'll notice in the top right of therminal "WPA handshake: ff:ff:ff:ff:ff:ff", once we see this, we know that we have successfully captured the handshake. If you do not see this handshake message yet, try sending more deauth packets with aireplay. Remember that setting the deauth number to 0 will send packets indefinetly. Now we can stop both of our terminals. Hit Ctrl + C to stop airodump. If you are still sending deauth packets in your second terminal, go ahead and stop that as well. Now in you first terminal we are going to crack the password for our target network. For this we will use aircrack and a wordlist.
(user@kali)-$ sudo aircrack-ng -w /usr/share/wordlist/rockyou.txt -b 00:00:00:00:00:00 capfile*.cap

Aircrack-ng password
Once we run this command aircrack will start running the password list against the capture files, you can watch the progess as it goes through the password list until it finds a match.
Aircrack-ng
Once it does find a match, it will stop running and display the password for the network.

Aircrack-ng password cracked
And that's it! Depending on the length of your password list and the speed of you computer this can take quite awhile. If the password does not exsist in your password list aircrack will let you know that no password was found. Since you have the handshake data captured in a cap file you can run it against multiple password lists. Remember that this technique is brute force, which one of the most basic forms of cracking a password, but it's the easist to learn and is a great place to start.

Summary

In this guide we learned some of the basic feauters of Aircrack-ng. We set our wifi adapter to monitor mode, scanned for networks, found a target access point and than we started a deauth attack in order to capture a handshake and than cracked the networks password. This is just an introduction to Aircrack-ng and is only a small example of what we can do. I encourage you to read the documention on the offical Aircrack-ng page to become more familiar with it's many feauters and options.