Abhash Kumar Jha
WiFi Cracking
TABLE OF CONTENTS
01 Introduction & Basics
02 Deauth Attack and Fake AP
03 Gaining Access - WEP
04 Gaining Access - WPA (WPS)
05 Gaining Access - WPA2
01 Introduction and Basics
Network Basics
A network is nothing but a number of devices connected together, sharing data and resources!
• All devices (wired or wireless) achieve this using the same principle:
• One device acts as a server, and the server holds the data that is shared between the connected devices.
• In most Wi-Fi networks the server is a router and the shared data is the INTERNET!
• All devices have a MAC address.
• Each packet carries the source MAC address and the destination MAC address.
Changing MAC address
Wireless Modes
There are eight modes that 802.11 wireless cards can operate in: Master (acting as an
access point), Managed (client, also known as station), Ad hoc, Repeater, Mesh, Wi-Fi
Direct, TDLS and Monitor mode.
However, we are only going to talk about 2 modes:
• Managed Mode: here our Wi-Fi card acts like a client, i.e. only packets directed to our card are received.
• Monitor Mode: here our Wi-Fi card (NIC) sniffs all the packets near it, whether directed to it or not.
Sniffing using airodump-ng
• Airodump-ng is a program that is part of the aircrack-ng package. It is a packet sniffer that allows us to capture all the packets within our Wi-Fi card's range. We can also scan all Wi-Fi networks around us and gather info about them.
• Using airodump-ng:
> airmon-ng start [interface]
> airodump-ng [mon_interface]
Let's see how we can narrow the view to only our target. For instance, to view only BMSCE_Hostel:
> airodump-ng --channel [CH] --bssid [BSSID] --write [filename] [interface]
02 De-auth Attack and Fake AP creation
De-auth Attack
This attack is used to disconnect any device from any network within our range, even if the network is protected with a key.
• The hacker sends deauthentication packets to the router pretending to be the target machine (by spoofing its MAC address).
• At the same time, the hacker sends packets to the target machine (pretending to be the router) telling it that it needs to re-authenticate itself.
• We'll be using a tool called aireplay-ng.
> aireplay-ng --deauth [number of packets] -a [AP's BSSID] [INTERFACE]
-- To de-authenticate all clients in a specific network
> aireplay-ng --deauth [number of packets] -a [AP's BSSID] -c [target client's MAC] [INTERFACE]
-- To de-authenticate a specific client in a specific network
Creating a Fake AP (honeypot)
Fake access points are usually left open to attract more people, so that their packets can be sniffed in between.
To accomplish this, we will need two network cards:
1. NIC1 - one connected to the Internet (can be wired as well)
2. NIC2 - the other to broadcast the AP.
03 Gaining Access - WEP
• WEP is an old encryption standard, but it is still used in some networks.
• It uses an algorithm called RC4.
Each packet is encrypted at the AP and then decrypted at the client.
• WEP tries to ensure that each packet has a unique key stream by using a 24-bit random Initialization Vector (IV); this IV is included in the packet as plain text.
• Now, what do you think is the flaw in this encryption?
24 bits is a very short number, and in a busy network we can get 2 packets with the same IV.
Then we can use aircrack-ng to determine the key stream and the WEP key using statistical attacks.
Now, there are two cases which can occur:
• Basic Case: the network's traffic is high, i.e. a large number of packets are transferred between sender and receiver.
• Idle AP: the network is shallow, there is no exchange of packets whatsoever, or no clients are connected to it.
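Why a 24-bit IV is too short, as a worked calculation added here (this is not code from the original deck): the birthday problem over the 2^24 IV space gives the probability that a capture of n packets already contains a repeated IV, and the expected number of repeated pairs in a busy network. The packet counts used below are values I chose for illustration. The defender's takeaway is that the repeats arise from ordinary traffic, not from a misconfiguration, so nothing short of replacing WEP with WPA2/WPA3 removes the weakness.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible WEP IVs


def iv_collision_probability(packets, iv_space=IV_SPACE):
    """Exact probability that at least two of `packets` randomly chosen IVs
    are equal (the birthday problem over the IV space). Computed in log
    space so it stays accurate for large packet counts."""
    if packets > iv_space:
        return 1.0  # pigeonhole: more packets than IVs guarantees a repeat
    log_no_repeat = sum(math.log1p(-i / iv_space) for i in range(packets))
    return 1.0 - math.exp(log_no_repeat)


def packets_until_probability(target, iv_space=IV_SPACE):
    """Smallest packet count at which the repeat probability reaches `target`,
    found by extending the same product one packet at a time."""
    log_no_repeat = 0.0
    packets = 0
    while 1.0 - math.exp(log_no_repeat) < target:
        log_no_repeat += math.log1p(-packets / iv_space)
        packets += 1
    return packets


def expected_iv_repeats(packets, iv_space=IV_SPACE):
    """Expected number of colliding IV pairs among `packets` frames: each of
    the n(n-1)/2 pairs collides with probability 1/N."""
    return packets * (packets - 1) / (2 * iv_space)


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,} values")
    print(f"50% chance of a repeated IV after {packets_until_probability(0.5):,} packets")
    for n in (1_000, 5_000, 20_000, 100_000):  # illustrative capture sizes
        print(f"{n:>7,} packets: P(repeat) = {iv_collision_probability(n):.3f}, "
              f"expected repeated pairs = {expected_iv_repeats(n):.1f}")
```

A few thousand frames, which a busy AP sends in seconds, already give even odds of a repeated IV, and a capture of 100,000 frames contains hundreds of repeated pairs.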
Tackling the Basic Case:
This is an easy one to handle; we can just run airodump-ng to log all the traffic from the target network:
> airodump-ng --channel [CH] --bssid [BSSID] --write [filename] [interface]
Ex: airodump-ng --channel 6 --bssid 11:22:33:44:55:66 --write out wlan0mon
At the same time, we use aircrack-ng to try and crack the key using the capture file:
> aircrack-ng [filename]
Ex: aircrack-ng out01.cap
The Idle AP case
In this case, we have to inject packets into the traffic in order to force the router to create new packets with new IVs.
But before we can inject any packet into the traffic, we have to authenticate our Wi-Fi card with the AP, as APs ignore any request from a station that is not associated with them.
This can be done easily with aireplay-ng:
> aireplay-ng --fakeauth 0 -a [target MAC] -h [our MAC] [interface]
If the fakeauth is successful, the value under the AUTH column will change to "OPN".
Now that we have authenticated with the AP, we can use a method called
• ARP Request Replay
ARP Request Replay
• In this method, after authenticating with the target AP, we wait for an ARP packet.
• We capture this packet and inject it again into the traffic.
• This forces the AP to generate a new packet with a new IV.
• This process is repeated until the number of IVs captured is sufficient to crack the key.
> aireplay-ng --arpreplay -b [target MAC] -h [our MAC] [interface]
04 Gaining Access: WPA (WPS)
WPS (Wi-Fi Protected Setup)
• WPS is a feature that allows users to connect to WPS-enabled networks using a WPS push button or by clicking on the WPS functionality.
• Authentication is done using an 8-digit PIN.
• This is a relatively very small number and can be brute forced, i.e. guessed.
• A tool called reaver can then recover the WPA/WPA2 key from the PIN.
We are going to use a tool called wash to scan all the WPS-enabled networks nearby:
> wash -i [interface]
Steps:
As mentioned before, the reaver tool is used to get the WPS PIN and can also find the WPA PSK (explained in the coming slides):
> reaver -b [target BSSID] -c [channel] -i [interface]
05 Gaining Access - WPA/WPA2
• In WPA, each packet is encrypted with a unique temporary key; this means the amount of data we collect is irrelevant.
THIS IS A PROBLEM!
• Before trying to access a WPA/WPA2 network, we essentially need to know how they work.
• When a client (Supplicant) establishes a successful connection with an AP (Authenticator), a 4-way handshake takes place to derive and share the keys used for encryption!
Key Terminologies:
• MSK (Master Session Key): the master session key is the first key which is generated, e.g. from 802.1X/EAP.
• GTK (Group Temporal Key): the group temporal key is used to encrypt all broadcast and multicast traffic between an access point and its client devices. The GTK is shared between all client devices associated with one access point. Every access point has a different GTK, which it shares with its associated devices.
• GMK (Group Master Key): the group master key is used in the 4-way handshake to create the GTK discussed above. The GTK is generated on every access point and shared with the devices connected to that AP.
• PTK (Pairwise Transient Key): the pairwise transient key is used to encrypt all unicast traffic between a client station and the access point. The PTK is unique to each client station / access point pair. To generate the PTK, the client device and the access point need the following information:
PTK = PRF(PMK + ANonce + SNonce + MAC(AA) + MAC(SA))
• PMK (Pairwise Master Key): the pairwise master key is generated from the master session key (MSK). It is used to generate the PTK.
4-Way Handshake
[Figure slides: Message-1, Message-2, Message-3, Full Conversation]
WPA data packets are not useful, as they do not contain any information that can be used to crack the key.
The only packets that contain information that can help us crack the password are the handshake packets.
• Every time a client connects to the AP, a 4-way handshake occurs, as explained.
• By capturing the handshake, we can use aircrack-ng to launch a wordlist attack against the handshake.
Capturing a Handshake
Handshake packets are sent every time a client associates with the target AP.
1. Start airodump-ng on the target AP:
> airodump-ng --channel [CH] --bssid [BSSID] --write [filename] [interface]
2. Wait for a client to connect to the AP. But do we have that much time? Think of a network where no new client is likely to connect for days, or years in some cases.
Do we know something which can help??? De-auth attack!!
We can de-authenticate a connected client for a short amount of time, so that it will automatically reconnect to the AP:
> aireplay-ng --deauth [number of packets] -a [AP MAC] -c [target MAC] [interface]
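The de-auth attack from section 02 and its reuse here to provoke a fresh handshake both leave the same footprint on the air: a burst of deauthentication frames for one BSSID in a short window, far more than the occasional deauth a client sends when it leaves. The Python below is an added detection example (not code from the deck or from aircrack-ng) that runs the check over a constructed list of management-frame records of the shape a monitor-mode sensor might log; the addresses, timings and threshold are made up for the example. The protocol-level mitigation is 802.11w Protected Management Frames, which authenticates deauth/disassoc frames so forged ones are dropped; WPA3 makes it mandatory.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample of 802.11 management-frame metadata:
# (timestamp_s, subtype, bssid, destination). All values are made up.
AP = "aa:bb:cc:dd:ee:01"        # hypothetical access point
CLIENT = "11:22:33:44:55:66"    # hypothetical client
SAMPLE_FRAMES = (
    [(0.1 * i, "beacon", AP, BROADCAST) for i in range(120)]          # normal beacons, 12 s
    + [(3.2, "deauth", AP, CLIENT)]                                    # one client leaving: benign
    + [(10.0 + 0.02 * i, "deauth", AP, BROADCAST) for i in range(40)]  # 40 deauths in 0.8 s: flood
    + [(10.9, "assoc_req", CLIENT, AP)]                                # the knocked-off client returning
)


def detect_deauth_floods(frames, window_s=1.0, threshold=10):
    """Count deauth/disassoc frames per BSSID in fixed time windows and report
    every window whose count reaches `threshold`. Returns a sorted list of
    (bssid, window_start, total, broadcast_count). A high broadcast_count is
    the 'all clients' variant; a targeted flood shows up as unicast frames."""
    counts = defaultdict(lambda: [0, 0])
    for ts, subtype, bssid, dst in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        key = (bssid, int(ts // window_s) * window_s)
        counts[key][0] += 1
        if dst == BROADCAST:
            counts[key][1] += 1
    return sorted(
        (bssid, start, total, bcast)
        for (bssid, start), (total, bcast) in counts.items()
        if total >= threshold
    )


def reconnects_after(frames, alerts, window_s=1.0):
    """Corroborating signal: (re)association requests to a flagged BSSID within
    `window_s` after the flagged window, i.e. a client really was knocked off."""
    hits = []
    for bssid, start, _total, _bcast in alerts:
        for ts, subtype, _src, dst in frames:
            if subtype == "assoc_req" and dst == bssid and start <= ts < start + 2 * window_s:
                hits.append((bssid, ts))
    return hits


if __name__ == "__main__":
    alerts = detect_deauth_floods(SAMPLE_FRAMES)
    for bssid, start, total, bcast in alerts:
        print(f"ALERT {bssid}: {total} deauth frames ({bcast} broadcast) in window starting at {start:.0f}s")
    for bssid, ts in reconnects_after(SAMPLE_FRAMES, alerts):
        print(f"  client re-associated to {bssid} at {ts:.1f}s")
```

The single deauth at 3.2 s never trips the threshold, while the 40-frame burst at 10 s does; the association request that follows it is the reconnection the deck relies on to capture a handshake, and it is the second signal a sensor should correlate.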
Creating a wordlist
You can either download a wordlist from the internet (I'll be sharing links 🧐) OR you can create your own wordlist using a tool called crunch.
> ./crunch [min] [max] [characters = lower|upper|numbers|symbols] -t [pattern] -o [file]
Ex: ./crunch 6 8 123456!"$* -t a@@@@b -o wordlist
Now that we have created the wordlist, the only thing left is to use aircrack-ng to crack the key.
Aircrack-ng combines each password in the wordlist with the AP name (ESSID) to compute the Pairwise Master Key (PMK) and compares it against the handshake.
> aircrack-ng [Handshake file] -w [wordlist]
Ex: aircrack-ng handshake01.cap -w listpass
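To make the key hierarchy from the terminology slide and the PMK computation described just above concrete, here is an added Python implementation of the two standard derivations (this is not code from the deck or from aircrack-ng): PBKDF2 from passphrase and SSID to the PMK, and the 802.11 PRF from the PMK, the two nonces and the two MAC addresses to the PTK. The passphrase/SSID pair "password"/"IEEE" is the published IEEE 802.11 test vector; the MAC addresses and nonces are made up. Everything after the PMK (nonces, MACs, MICs) is visible in a captured handshake, so the passphrase is the only secret, and the 4096 PBKDF2 rounds per guess are all that stands between a wordlist and a weak passphrase; a long random passphrase, or WPA3-SAE, is the defence.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    The SSID is the salt, so a precomputed table only fits one network name,
    and the 4096 rounds are the fixed cost of every passphrase guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to out_len bytes."""
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)),
    split into KCK (handshake MIC key), KEK (key-wrap key) and TK (CCMP data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed handshake inputs for the demonstration (all made up).
AA = bytes.fromhex("aabbccddee01")       # authenticator (AP) MAC
SPA = bytes.fromhex("112233445566")      # supplicant (client) MAC
ANONCE = bytes(range(32))                # AP nonce
SNONCE = bytes(range(32, 64))            # client nonce

if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")  # IEEE 802.11 published test vector
    print("PMK:", pmk.hex())
    session1 = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)
    session2 = derive_ptk(pmk, AA, SPA, bytes(range(1, 33)), SNONCE)  # AP picks a fresh ANonce
    print("TK session 1:", session1["tk"].hex())
    print("TK session 2:", session2["tk"].hex())
    print("same PMK, different nonce -> different data key:", session1["tk"] != session2["tk"])
```

The second session shows why the deck says captured data frames are useless: every association draws fresh nonces, so the per-packet keys differ even though the passphrase and PMK never change, and only the handshake ties a passphrase guess to something observable.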
THANK YOU


Editor's Notes

  • #16 iptables is the firewall in Linux; it may prevent us from creating the Internet route or forwarding packets to our (the hacker's) system!
  • #19 wlan0mon - interface in monitor mode
  • #21 0 means only one fakeauth packet.
  • #23 ARP packets are the ones which translate IP addresses to MAC addresses.
  • #30 The password used here is weak, but with a strong combination the time taken for brute-forcing would be much longer.
  • #32 WPA and WPA2 work on the same handshake principle, except that WPA2 uses CBC-AES encryption while WPA uses the RC4 algorithm for encryption.
  • #35 EAPOL - Extensible Authentication Protocol over LAN