WiFi Pentesting with Airodump-ng - Pentestmag

Feb 22, 2023

by Juan Morales

Free Internet!

Well, not really. The purpose of this article is to demonstrate different forms of Wi-Fi network attacks (with permission, of course!) using none other than the Aircrack suite. We will cover a range of the suite's attacks and capabilities. For the demonstration I will be using an Alfa AWUS036ACH USB Wi-Fi adaptor, though you can use any compatible wireless adaptor that supports monitor mode, AP mode and packet injection. Without further ado, let’s go ahead and demonstrate how we can test different Wi-Fi standards.

Pre-Connection

Before capturing WPA handshakes for the purpose of cracking the password, we are going to go over two techniques: packet sniffing and deauthentication. Within the Aircrack suite there is a tool named Airodump-ng. Airodump-ng serves as a packet sniffer; it also gathers information about the networks in our vicinity and can even tell us about the clients connected to those networks. In order to start using Airodump, we must first put our Wi-Fi adaptor into monitor mode. Monitor mode lets the adaptor receive every 802.11 frame it can hear, without being associated to any network, including beacon frames, which APs (access points) broadcast at regular intervals, deauthentication frames, which essentially reset a client’s connection, and much more. The ability to receive this whole range of frames is what allows Airodump not only to display the APs in the vicinity but also the clients connected to them. To enable monitor mode, we first disable the wireless interface, kill any processes that may interfere with monitor mode, set the interface to monitor mode, and then re-enable it, as can be seen in the following screenshot:

Packet Sniffing

Now that monitor mode has been enabled, we can go ahead and start sniffing Wi-Fi signals around us by running Airodump and specifying our interface:

Upon running the command, we are met with output similar to the following screenshot:

As can be seen, the list shows the APs in the surrounding area. Since we are white hats, we will be attacking our own Wi-Fi networks. In the above image, the “ESSID” column is the familiar name of the Wi-Fi network. The “BSSID” is the AP’s MAC address, while “PWR” indicates signal strength (the value is a negative dBm figure, so a number closer to zero means a stronger signal and thus that you are closer to the AP). Now that we have the detailed information about our AP, we can use Airodump to target it and begin packet sniffing as follows:

Attaching the “--write” option lets us write out the captured packets in multiple file formats. Of particular importance is the .cap file. “wlan0” is the network interface we have been using. Upon running this command, we are greeted with a screen similar to the one where we ran “airodump-ng wlan0”, the only difference being that this time we specified a single AP from which we want to sniff traffic, and so we are also shown the clients connected to it:

The stations listed are the MAC addresses of the clients connected to my home AP. From the screenshot, it can also be noted that we are only intercepting packets from the single BSSID/AP, as all the BSSID values are the same. As long as this screen has not been cancelled (Ctrl+C), it will continue to sniff packets and write them to the “apPacketSniff” files we specified in the last command. There is, however, an issue that most should be aware of. Since we are in the pre-connection portion of this tutorial, and I had to put my wireless NIC in monitor mode, I’m no longer connected to my network. Because the network, as can be seen in the screenshot above, is encrypted with WPA2 and we are not connected to it, when we open the “apPacketSniff.cap” file to inspect its contents, the payloads will all be encrypted:

Deauthentication

A deauthentication attack essentially enables us to kick any client off any network without needing to be authenticated to that network. This can almost be considered a type of spoofing attack: it involves taking the MAC address of the client and “requesting” to disconnect from the AP, and in turn assuming the MAC address of the AP and “granting” the request to disconnect. Luckily, we have a tool within the Aircrack suite that does all this for us without having to do it manually, called Aireplay-ng. Aireplay, like Airodump, has a host of different attacks it can conduct. In the following example, we are going to send a deauthentication request to all clients on the AP:

This terminal, as can be seen, is split vertically into two panes. On the right-hand side, we can see the command we issued highlighted in yellow: “aireplay-ng --deauth 1 -a {MAC Address}”. I chose to send just one deauth packet for the demonstration because, if we are attempting to capture the handshake, we don’t want to alert anyone to the fact we may be testing the AP; a single deauth packet disconnects hosts for an imperceptible period of time. If we look at the left-hand side of the screen, on the Airodump output highlighted in yellow, we can see a new field has appeared, aptly named “WPA handshake: {MAC Address}”, implying that we captured the WPA handshake in the process of disconnecting clients and having them reconnect. This WPA handshake is going to play a major role in our being able to test the security of the Wi-Fi connection. Also note the output of the aireplay command, particularly “this attack is more effective when targeting a connected wireless client”. If we choose to heed that advice, the full command will be as follows:

“# aireplay-ng --deauth 1 -a {AP MAC ADDRESS} -c {CLIENT/STATION MAC ADDRESS} wlan0”

Please also note that the above command is intended for target networks running on the 2.4 GHz band; if you are testing a network running on 5 GHz, append the “-D” option to the command.

Connection

Now that we have captured our handshake by specifying the “--write” parameter in the command, we can use that capture, which contains the WPA handshake, together with a wordlist we compile or download, to brute force the password of the AP. (The handshake does not contain the key itself, but rather a Message Integrity Code derived from it, which the AP uses to verify that the client holds the valid password. In this particular instance, I chose to download a simple list from Daniel Miessler’s SecLists.) To brute force the password, we use the actual “Aircrack” tool, as can be seen:

Running the command, we get the following output along with the cracked password:
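To make the parenthetical above concrete, here is an added example (not code from the article or from the Aircrack project) that derives the WPA2-PSK keys the way the 802.11i standard does and shows why the capture gives a verifier only a yes/no check on a candidate passphrase, never the key itself. The SSID, MAC addresses, nonces and EAPOL frame are constructed placeholders.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # 802.11i PRF-512: HMAC-SHA1 blocks over the label, the ordered MACs and the ordered nonces
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]    # KCK = bytes 0..15, KEK = 16..31, TK = 32..47

def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    # WPA2 with AKM 00-0F-AC:2 uses HMAC-SHA1 truncated to 128 bits over the EAPOL-Key frame
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]

# Constructed handshake material (hypothetical values, not from a real capture)
SSID = "HomeNet-Lab"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_M2 = bytes.fromhex("0103007502010a00") + b"\x00" * 113   # EAPOL-Key message 2, MIC field zeroed

def captured_mic(real_passphrase: str) -> bytes:
    # What the .cap file actually holds: this 16-byte MIC, never the passphrase or the PMK
    ptk = derive_ptk(derive_pmk(real_passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_M2)

def candidate_matches(candidate: str, mic: bytes) -> bool:
    # Every guess costs 4096 PBKDF2 rounds plus the PRF; nothing in the capture shortcuts that,
    # so passphrase entropy (or WPA3-SAE, which removes the offline check) is the defence
    ptk = derive_ptk(derive_pmk(candidate, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(eapol_mic(ptk[:16], EAPOL_M2), mic)

if __name__ == "__main__":
    mic = captured_mic("correct horse battery staple")
    print("right passphrase verifies:", candidate_matches("correct horse battery staple", mic))
    print("dictionary guess verifies:", candidate_matches("password123", mic))
```

The PMK derivation can be checked against the IEEE 802.11 test vector (passphrase "password", SSID "IEEE").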

Evil Twin Attack

If we happen to be targeting a particular client connected to an AP, we can mount an evil twin attack to get that client to connect to our network. An evil twin is a custom AP that resembles the target AP down to the same name (ESSID) and MAC address. We will use the “airbase-ng” tool to carry out this attack as follows:

We can then issue a deauthentication request, as demonstrated earlier, against the target AP and, so long as our signal is stronger than that of the real AP, the client will automatically connect to our evil twin AP! (Note: you can turn up the transmit power of your evil twin by setting it on the network interface being used, with the following command: “# iwconfig wlan0 txpower {#}” *)

* The number permitted in this parameter differs between countries; here in the US, in particular, the maximum that can legally be specified within this option is “27”.
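A defender watching the same airwaves can turn the two frame types this article relies on, deauthentication frames and beacons, into detection logic. The following added example (not from the article; MAC addresses and ESSIDs are constructed) parses raw 802.11 management frames and flags a burst of deauth frames naming one BSSID, as well as one ESSID being advertised by more than one BSSID.

```python
import struct
from collections import Counter, defaultdict

# 802.11 frame-control byte 0 = subtype<<4 | type<<2 | version; type 0 is management
FC_BEACON, FC_DEAUTH = 0x80, 0xC0   # management subtypes 8 (beacon) and 12 (deauth)
HDR_LEN = 24                        # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seqctrl(2)

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def build_deauth(dst: str, src: str, bssid: str, reason: int = 7) -> bytes:
    # Management header followed by a 2-byte reason code (constructed test frame)
    hdr = struct.pack("<BBH", FC_DEAUTH, 0, 0) + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00"
    return hdr + struct.pack("<H", reason)

def build_beacon(bssid: str, ssid: str) -> bytes:
    # Fixed fields (timestamp, interval, capability) then the SSID tagged parameter (tag 0)
    hdr = struct.pack("<BBH", FC_BEACON, 0, 0) + mac("ff:ff:ff:ff:ff:ff") + mac(bssid) + mac(bssid) + b"\x00\x00"
    return hdr + struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()

def ssid_from_beacon(body: bytes):
    pos = 12                        # skip the 12 fixed bytes, then walk the tagged parameters
    while pos + 2 <= len(body):
        tag, ln = body[pos], body[pos + 1]
        if tag == 0:
            return body[pos + 2:pos + 2 + ln].decode(errors="replace")
        pos += 2 + ln
    return None

def analyze(frames, deauth_threshold: int = 5) -> dict:
    # Indicators: a burst of deauth frames naming one BSSID, and one ESSID advertised by
    # more than one BSSID (evil-twin candidate; legitimate multi-AP sites need an allow-list)
    deauths, essid_bssids = Counter(), defaultdict(set)
    for f in frames:
        ftype, subtype, bssid = (f[0] >> 2) & 3, f[0] >> 4, f[16:22].hex(":")
        if ftype != 0:
            continue
        if subtype == 12:
            deauths[bssid] += 1
        elif subtype == 8:
            ssid = ssid_from_beacon(f[HDR_LEN:])
            if ssid:                # hidden SSIDs (empty) are skipped
                essid_bssids[ssid].add(bssid)
    return {"deauth_bursts": {b: n for b, n in deauths.items() if n >= deauth_threshold},
            "essid_collisions": {s: sorted(b) for s, b in essid_bssids.items() if len(b) > 1}}

# Constructed sample capture (hypothetical MACs): six spoofed broadcast deauths carrying the
# home AP's address, plus a second BSSID beaconing the same ESSID
AP, TWIN, OTHER = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "02:00:00:00:00:01"
SAMPLE = [build_deauth("ff:ff:ff:ff:ff:ff", AP, AP) for _ in range(6)] + [
    build_beacon(AP, "HomeNet"), build_beacon(TWIN, "HomeNet"), build_beacon(OTHER, "Guest")]
```

A twin that also clones the BSSID, as the article describes, will not trip the ESSID check; for that case compare channel, capability bits and sequence-number continuity of beacons claiming the same BSSID.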

Decrypting with Known Key

When we have successfully brute-forced a key, we can use that key to decrypt previous captures. As was demonstrated at the beginning of this article, when we used Wireshark to view apPacketSniff.cap, the data displayed was encrypted and could not be deciphered. Now that we have the key, we can use the “airdecap-ng” tool to process that packet capture together with the key and decipher the data, as can be seen in the following screenshot:

The above command targets the same BSSID (“-b”) and ESSID (“-e”) we’ve been using until now. The “-o” parameter writes the decrypted capture to the specified file name, “-p” takes the cracked key/password and, lastly, we specify the original encrypted file. We can now use Wireshark, as previously shown, to inspect the contents of the file:

Note that not all packets were decrypted (airdecap-ng can only decrypt traffic for client sessions whose 4-way handshake is present in the capture, since the per-session keys are derived from it); however, with enough packets sniffed, we may still be able to retrieve valuable and sensitive data.

Conclusion

This brings us to the end of this article, although not all features have been used or shown. The Aircrack suite is capable of many things; for example, we didn’t even cover WEP cracking (fairly outdated, and most routers don’t even allow it as an encryption method anymore), but the suite has features that can be used in its exploitation if it is ever found in the wild. If no one seems to be using such a network, one can turn to packet injection to generate enough traffic to crack the WEP key. However, I invite the reader, if interested, to go ahead and learn this on their own!

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023