Wi-Fi is becoming nearly ubiquitous technology for wireless local area networks in today’s world, at places such as offices, restaurants, homes, airports, hotels, etc. However, with increased Wi-Fi usage and awareness, hackers (rather, crackers, but using the more commonly used term) are using the security weaknesses/vulnerabilities in Wi-Fi networks or Wi-Fi capable devices to intrude into them. This article discusses Aircrack-ng, a security tool that can be used by attackers—and also the “white hats”, who seek to secure a network by trying to break into it and fixing the flaws that are found.
The two prime factors fuelling the rapid growth of Wi-Fi are: constant advancements in Wi-Fi technology, and the now by-default Wi-Fi capability in almost all consumer electronic (CE) devices being manufactured today—laptops, smart-phones, cameras, printers/scanners, televisions, music players, etc.
As mentioned earlier, attackers are using the security weaknesses/vulnerabilities in Wi-Fi networks or Wi-Fi capable devices to intrude into them. After such an intrusion, the hacker can maliciously exploit the network/device for his personal gains. Assisting these Wi-Fi hackers in their mission is the availability of a variety of tools to detect and exploit various Wi-Fi vulnerabilities.
Among these tools, one which stands out is Aircrack-ng. Aircrack-ng is an open-source utility, freely available for use, and is very popular equally among hackers and Wi-Fi penetration testers/auditors. It is the most comprehensive toolkit for troubleshooting and auditing Wi-Fi networks, and covers the previous and the latest-known Wi-Fi exploits and vulnerabilities.
Aircrack-ng is basically a suite of tools that are crafted to achieve the following major objectives:
Capturing raw Wi-Fi packets in an intended airspace, on various channels of interest, and then analysing the captured packets to show various Wi-Fi networks and Wi-Fi clients that were operating during the collection time period.
Breaking WEP and WPA PSK (pre-shared key)-type Wi-Fi networks by exploiting the known vulnerabilities of such networks.
Injection/replay of Wi-Fi packets into the airspace.
Exploitation of weaknesses present in various Wi-Fi clients, to establish fake connections with such clients, in order to launch man-in-the-middle type of attacks.
Installation
Aircrack-ng can be installed on a Linux operating system (Fedora, Red Hat, Ubuntu, etc.) by compiling the source code on the host machine. The latest version of Aircrack-ng is 1.1; the corresponding source package can be had from
http://download.aircrack-ng.org/.
For Aircrack-ng tools to work, you need a compatible wireless card, and appropriately patched driver. You can learn more about compatible cards at
http://www.aircrack-ng.org. However, since installing patched drivers for Aircrack-ng can be tedious and complicated for many users, you can instead use the BackTrack Live Linux distribution, in the form of a Live CD/DVD/USB, to run Aircrack-ng flawlessly. Aircrack-ng and many patched wireless drivers (as required by Aircrack-ng) are already included in the BackTrack distribution. Refer to
http://backtrack.offensive-security.com/index.php?title=HCL:Wireless for a comprehensive list of supported cards, and drivers, included in the Backtrack distribution. Also, an introductory article on BackTrack was published in the October issue of LFY; you may want to read that too.
Aircrack-ng utilities
Aircrack-ng, being a suite of tools, consists of number of independent tools, each one accomplishing a certain task. To achieve certain objectives related to Wi-Fi auditing/cracking/troubleshooting, one or more tools of the suite are used in combination. Here are some of the important tools included in the suite.
Airmon-ng
This tool is very basic, and is used primarily for enabling or disabling the monitor mode on a wireless interface. It is frequently used in combination with other tools. Monitor mode puts the wireless interface into promiscuous state, to enable it to sniff all the Wi-Fi data within range. You can also specify the channel for the monitor mode via this tool.
The basic usage is airmon-ng [channel], where indicates if you wish to start or stop the interface; specifies the interface name; [channel] optionally sets the card to a specific channel.
Airodump-ng
This tool captures raw Wi-Fi packets through the wireless interface that’s in monitor mode, and dumps them into one or more file formats. The dumped file can be used by other tools for specific analysis. Along with capturing the raw traffic, Airodump-ng also displays in the output screen, a list of detected Access Points (APs) and wireless clients. The list contains details; for APs, SSID, channel, encryption mechanism, authentication method, power level, etc. For wireless clients, the list shows the connected AP, power level, data rate, etc. Airodump-ng provides a variety of options, such as the use of a single channel or multiple channels for capturing, filtering output screen results on the basis of AP BSSID, etc. These option provide great flexibility in various scenarios. If one has a connected GPS receiver, then Airodump-ng can also log the coordinates of the found APs.
The basic usage is airodump-ng , where indicates one or more options to be used while running the tool; indicates the monitor mode interface to be used for capturing the Wi-Fi traffic. Some commonly used options are:
-f | Time in milliseconds between hopping channels, if multiple channels are used. |
–output-format | possible output formats are pcap, ivs, cvs, gps, kismet, netxml. The option can be specified multiple times if more than one output format is required. |
–bssid | filter APs by BSSID value. |
–channel | comma-separated list of channels for capture. |
| dump file prefix. |
Example: If you wish to limit Wi-Fi data capture to a single AP with BSSID ‘00:11:22:33:44:55’ operating on channel ‘8’ using the interface ‘ath0’, and write the captured data into a file with prefix ‘capture’ and output format ‘pcap’, then your command will be:
airodump-ng -c 8 –bssid 00:11:22:33:44:55 -w capture –output-format pcap ath0
This is the main tool, used for recovering keys of WEP- and WPA PSK-based Wi-Fi networks. Aircrack-ng is able to break the WEP key once enough encrypted packets have been captured with Airodump-ng. The two methods used for breaking the WEP key are PTW and FMS/Korek method. PTW is the default, and requires few data packets, particularly ARP request/reply packets, to crack the WEP key. However, PTW is limited to breaking of 40- and 104-bit WEP keys. The FMS/Korek method incorporates brute-force cracking and other statistical mechanisms to discover the WEP key. It requires a relatively large number of captured data packets, and is often used when the PTW method fails.
For cracking WPA/WPA2 PSK, only the dictionary method is supported, for which a capture of four WPA handshake packets is required.
The basic usage is aircrack-ng , where is a comma-separated list of captured-data files, either in .pcap or .ivs format. Some of the commonly used options are:
| -a | Forces either WEP (by specifying the value 1) or WPA/WPA2-PSK (specify 2) cracking. |
| -b | BSSID value (AP MAC address) is used to select the target network for key cracking. All data packets in the capture files that contain the same BSSID value are used for cracking. |
| -e | The ESSID value is used to select the target network for key cracking, and thus use only corresponding data packets in the capture files. |
| -K | Invokes the Korek WEP cracking method. |
| -z | Invokes the PTW WEP cracking method (the default in the latest version). |
| -w | Used to specify the path of a word-list file for the WPA dictionary attack. |
Example: If you wish to recover the WEP key for an AP with the MAC address ‘00:11:22:33:44:55′, and the corresponding capture file is ‘output.cap’, then one needs to invoke Aircrack-ng as:
aircrack-ng -b 00:11:22:33:44:55 output.cap
If the command is successful, the WEP key for the target network will be displayed on the screen.
Example: If you wish to recover the WPA PSK for an AP with the MAC address ‘00:11:22:33:44:55′, using the word-list file ‘password.lst’ (required for a dictionary attack), and the corresponding capture file is ‘output.cap’, then one needs to run the command:
aircrack-ng -b 00:11:22:33:44:55 –w password.lst output.cap
If the command is successful, and the WPA PSK is contained in the word-list/dictionary file, then this key will be displayed on the screen.
Aircrack-ng includes many optimisations to standard key-cracking algorithms, and hence is much faster than other available Wi-Fi key cracking programs. One can run Aircrack-ng and Airodump-ng simultaneously, as Aircrack-ng will auto-update when new packets are captured by Airodump-ng. Aircrack-ng is widely used by hackers to recover keys of WEP and WPA/WPA2 PSK, to intrude into the network, while Wi-Fi penetration testers use the same tool to test the effectiveness of a WEP or WPA/WPA2-PSK key.
Aireplay-ng
The primary goal of this tool is to generate Wi-Fi traffic to be used later by Aircrack-ng for cracking the WEP and WPA PSK keys. To achieve this goal, Aireplay is designed to implement the following attacks, which inject one or more Wi-Fi packets into the network:
De-authentication attack: Aireplay-ng can send de-authentication packets to one or more clients that are associated with an AP, in order to capture the WPA handshake, discover hidden SSIDs, or generate ARP requests (to be used in WEP cracking).
Fake authentication attack: In this attack, Aireplay-ng sends authentication and association packets to a WEP AP to associate with it. This may be needed when no clients are connected to the AP, and you need to generate Wi-Fi traffic to break the WEP key of the AP.
Interactive packet replay attack: In this attack, one can choose a specific packet to replay (inject), from the live flow of packets from the wireless card, or from a pcap format file. Replaying particular packets in a WEP Wi-Fi network can generate more traffic, which can be used by Aircrack-ng to recover the WEP key.
ARP request replay attack: This attack is very useful to generate enough ARP traffic that can be used by Aircrack-ng to break the WEP key using the PTW method. Here, Aireplay-ng listens for an ARP packet, and then retransmits it to the AP, which in turn generate an ARP packet again, which is then replayed once more by Aireplay-ng. This process is repeated until enough ARP packets (for WEP cracking) are generated by the AP.
Café Latte attack: This attack is useful to obtain the WEP key from an un-associated client. In this, Aireplay-ng listens for an ARP packet from the client, then modifies it and sends it back to the client, so that the client generates a new ARP packet. When enough ARP packets are generated by the client, encrypted correctly with the client WEP key, Aircrack-ng can be used to recover the WEP key from those packets.
The basic usage is aireplay-ng , where indicates the attack type and associated options and indicates the wireless interface to be used for replay (injection). Some of the common options are:
Attack options (select the attack type)
| -0 | De-authentication attack. |
-1 | Fake authentication attack. |
-2 | Interactive packet replay attack. |
-3 | ARP request replay attack. |
-6 | Café Latte attack. |
Filter options (for filtering a packet from a source)
-b | Mac address of the AP |
-d | Destination MAC address |
-s | Source Mac address |
-m | Minimum length of the packet |
-n | Maximum length of the packet |
-u | Type of packet |
-v | Sub-type of packet |
Replay options (To be used while replaying for a particular attack)
-x | Number of packets per second |
-a | Set AP MAC address |
-c | Set destination MAC address |
-h | Set source MAC address |
Source options (to select a source of packets for an interactive packet replay attack)
-r : pcap file to be used for source of selection/filtering packets.
Example: If you wish to de-authenticate (disconnect) a client ‘00:0F:22:33:44:55′ associated to an AP with the MAC address ‘00:11:22:33:44:55′, using ‘ath0’ as the replay interface, then you invoke Aireplay-ng as:
aireplay-ng -0 -a 00:11:22:33:44:55 -c 00:0F:22:33:44:55 ath0
Airdecap-ng
This tool is used to decrypt the WEP/WPA/WPA2 capture files. Also, it can be used to strip the wireless headers from an unencrypted wireless capture file. The output is a new file with the suffix as ‘
-dec.cap’, which is basically the decrypted/stripped version of the input file. The basic usage is
airdecap-ng , where
indicates the input
pcap file. Some of the common options are:
-l | Do not remove MAC header |
-b | Mac Address of the AP to select the packets in the input file for decryption |
| WPA/WPA2 Pairwise Master key in Hex |
-w | WEP key in Hex |
| WPA/WPA2 passphrase |
-e | SSID of the network to select the packets in the input file for decryption |
Example: If you wish to decrypt the packets from a WPA network with the ESSID ‘decrypt-test’ and the pass-phrase ‘password’, from the input file ‘wpa.cap’ , then you need to invoke Airdecap-ng as:
airdecap-ng -e ‘decrypt-test’ -p password wpa.cap
Other documentation
Looking over some of the most important tools in the Aircrack-ng suite, you might have gotten a hint of the comprehensiveness of Aircrack-ng. Apart from the tools described, Aircrack-ng contains many other tools for various other purposes. The Aircrack-ng website
http://www.aircrack-ng.org/ is very well maintained in terms of documentation of various tools, from their usage perspective.
People who are still unaware of Wi-Fi security weaknesses and loopholes, which can lead to intrusion and malicious attacks from outsiders, should learn that Aircrack-ng is really a great suite for testing your Wi-Fi set-up. With it, one can locate unwanted APs at an office place; check that authorised Wi-Fi networks are appropriately encrypted; and test the strength of the encryption pass-phrase and keys. In recent times, Aircrack-ng has been fully ported to the Nokia N900, making it far more convenient for users, who can now carry the most popular Wi-Fi auditing tool in their pockets.
