Wireless Pentesting with Aircrack
This will be a walkthrough used to obtain wireless handshakes and PMKID using Aircrack-ng and crack it using Hashcat
This is for educational purposes and only to be performed on networks you have permission to do so.
My notes on Wireless in general can be found here.
My notes on Hashcat can be found here.
This will require having a WiFi Adapter that supports monitor mode, also known as packet injection.
I myself have and recommend these adapters:
- Alfa AWUS036ACM <– Capable of 2.4GHz and 5GHz
- Alfa AWUS036ACHM <– Capable of 2.4GHz and 5GHz
- Alfa AWUS036ACH <– Capable of 2.4GHz and 5GHz (This more than likely *will* require driver installation)
- Panda Wireless PAU09 N600 <– Capable of 2.4GHz and 5GHz
- Alfa AWUS036NEH
- Alfa AWUS036NH
- Panda Wireless PAU05
- TP-Link TL-WN722N
- Ralink USB WiFi RT5370
Aircrack-ng
Handshake
First we must find our adapter interface name and enable monitor mode on it.
.png)
sudo airmon-ng start (interface name)
.png)
Now we start scanning for networks
sudo airodump-ng (interface name)
.png)
.png)
Once we have found our target, we press CTRL+C to stop the scan
Now we focus our scan onto our target
sudo airodump-ng -c (channel) -w (SSID.cap) --bssid (bssid) (interface)
.png)
We can name the .cap file whatever we want, I typically just name it the targets SSID
Now we can see here at the bottom, we see BSSID, STATION, PWR, Rate, Lost, etc. this indicates if a device is connected to that network. This may not always show devices but is helpful to keep an eye on.
At this point we can simply wait for a device to connect to the network to obtain the handshake, or we send deauth packets to the network to force a device to reconnect to the network to obtain the handshake. We can do this in various ways.
In a second terminal:
sudo aireplay-ng -0 10 -a (bssid) (interface) will send 10 deauthentication packets to the network and stop.
sudo aireplay-ng -0 0 -a (bssid) (interface) will continuously send deauthentication packets to the network until you tell it to stop using CTRL+C
We can also deauthenticate a specific device that is connected to the network with sudo aireplay-ng -0 1 -a (bssid) -c (client station MAC) (interface).
.png)
Once we have obtained the handshake, we will see our airodump terminal change, it will specify in the top right with WPA Handshake: BSSID.
.png)
Note: We can also obtain PMKID with this method as well:
This is handshake is saved into the .cap file we specified we when target our airodump-ng scan.
Hash Cracking
So we now have our handshake in .cap format, we can crack the hash and find out the password.
Aircrack
We’ll start with aircrack-ng as that is what we originally captured our handshake with. When we chose the -w output with the SSID name, or whatever name you chose, the files are saved in whatever directory you ran that airodump-ng command from. You may have multiple files in there with that SSID name. Eg. Pixel.cap-01.cap, Pixel.cap-02.cap, Pixel.cap-03.cap, etc. The handshake SHOULD be in the most recent one, the one with the highest number. So lets run aircrack against that .cap file.
sudo aircrack-ng -w (wordlist) (.cap file)
.png)
Now depending on the password and the dictionary you chose, this may take some time. I chose to attack my phones hotspot as I am allowed to attack my own devices and made the password simple enough that the basic rockyou.txt file could crack it with ease. Once it has found it the cracking will stop and will tell you the password.
.png)
Hashcat
We have our PMKID in the .pcapng format, we can use hashcat to crack it. First we must use the hcxpcapng tool from HCXtools.
hcxpcapng -o CrackMe (.pcapng file)
.png)
Dictionary
If we want to use a dictionary attack, like using rockyou.txt for example
hashcat -a 0 -w 3 -m 22000 (hash file) (wordlist)
.png)
.png)
Depending on your hardware, the dictionary you chose, and the password, this may take some time. You can press S for a status to see the time time estimated on finishing, as well as the updated “Recovered.Total” to see the recovered keys”
We can run the same command again with –show appended to the end to see our cracked passwords.
.png)
Brute Force
If we wanted to run a brute force attack rather than a dictionary attack, it’s a similar command
hashcat -a 3 -w 3 -m 22000 (hash file) '?l?l?l?l?l?l?l'
Replace the ?l with whatever we deem fit.
* ?l = a-z
* ?u = A-Z
* ?d = 0-9
* ?h = 0-9a-f
* ?H = 0-9A-F
* ?s = !"#$%&'()\*+,-./:;<=>?@\[]^\_\`{|}\~
* ?a = ?l?u?d?s
* ?b = 0x00 - 0xff
This will cover the basics of the hash cracking with hashcat but it can get SO much more advanced with hashcat. Especially when using rules like OneRuleToRuleThemAllStill and modern wordlists like rockyou2021.txt.