Nicholas Dechert Programming, Web Development, and Information Security

Capturing Packets with Aircrack-ng

Setup

Before you can start using Aircrack, you need to set it up, and for that you need to choose which OS will be best for you. In the case of Windows, you’ll need to assemble your own DLLs, which I wouldn’t recommend if you don’t know what you’re doing. For Linux you need to learn how to use the OS, but Aircrack will most likely work out of the box. I recommend downloading VirtualBox for your current OS and picking a Linux distro to install as the virtual machine. This way, you run a computer within a computer: your current OS is your main one, and your Linux machine is just a program.

For this tutorial, I will be using Linux Mint without the VM.

You will also need a wifi card, integrated or external, and it needs to be compatible with Aircrack. Compatibility is determined by chipset, not manufacturer. The Aircrack website has a page dedicated to helping you with this and you should check it out.

I will be using a Panda Wireless PAU05 USB wifi dongle.

Updates

First off, you should make sure your packages and distro are up to date. Ideally you should do this every time you’re going to install something if some time has passed since you last updated. It’s simple and only takes a minute. Refresh the package index by running sudo apt-get update

(Forgive the mouse in the pictures, didn’t realize Mint keeps it)

[Screenshot: apt-get update]

Then, run sudo apt-get upgrade

[Screenshot: apt-get upgrade]

Finally, run sudo apt-get dist-upgrade

[Screenshot: apt-get dist-upgrade]

Now, your system should be up to date. These steps are necessary to make sure you have all necessary headers and files in case you need to compile from source code.

NOTE: If you are on a completely fresh system, you may need to install compilers with sudo apt-get install build-essential

With that done, we can install the Aircrack suite and start capturing packets.

Installation

Depending on your repositories, you may already have Aircrack available for download. You can check by running apt search aircrack

[Screenshot: apt search aircrack]

Aha! We do have it. Let’s check what version it is with apt show aircrack

[Screenshot: apt show aircrack]

Now, here you may have a choice. This version is 1.1-6, and as of writing the newest version is 1.2-RC3. I like to keep things up to date, so I’m going to use the newest version. It is available for download on www.aircrack-ng.org. If you want to install the older version, run sudo apt-get install aircrack-ng. If you take the newer version, you will need to compile the source code. Good thing we updated in the beginning!

Download and extract the source code to a directory. Then, navigate there and run sudo make

[Screenshot: sudo make]

Well, our headers are up to date, but we have unmet dependencies. To compile Aircrack we will need to install the development version of OpenSSL (the development version includes the headers; in this case, hmac.h). Depending on your distro, it may be under a different name. Use apt search ssl to list a ton of packages, and look for one similar to ‘libssl-dev’.

[Screenshot: libssl-dev]

Install it with sudo apt-get install libssl-dev, then run sudo make again. Hopefully this time you have all the dependencies met. If you still have errors check Installing Aircrack-ng From Source.

Note: After compiling or installing, you may get a ‘command not found’ error from your terminal when running aircrack. Closing the current terminal and opening a new one solved this for me.

BE WARNED

From here on out it is up to you to be responsible. Only attack networks you have authorization to mess with. Unauthorized access to a computer network is a felony in the US, and illegal in most countries.

Capturing Packets

Now for the meat of the tutorial. With your wireless device attached, run sudo airmon-ng to list your wireless devices.

[Screenshot: sudo airmon-ng]

My card is interface ‘wlan0’. Take note of yours if you have multiple. Now we need to set the card into monitor mode. Do this with sudo airmon-ng start wlan0.

Your card should now be in monitor mode. You can check by running sudo airmon-ng again. Take note of the card name now, as it will have changed. If you’re using the older version of aircrack, it may be ‘mon0’. With the newer versions this changed, and now lists as ‘wlan0mon’.

With your card in monitor mode, you can now scan for networks with airodump-ng. Run sudo airodump-ng wlan0mon

[Screenshot: airodump-ng]

In the top left, you see the current channel, time elapsed, and date/time. Below that are all the access points in range and their information. The last block lists the clients connected to those access points. In this case, we see two MAC addresses connected to Hacklab. Hacklab has the BSSID 40:16:7E:BF:6C:A8, and my laptop is 00:21:6A:43:CA:A6. We can also see in the ‘CH’ column that Hacklab is running on channel 11. Issue a stop command (ctrl-z) to stop the process, then run airodump-ng again, this time on channel 11 only and writing to files named ‘test’:

sudo airodump-ng -c 11 -w test wlan0mon

‘-c’ sets the channel, and ‘-w’ gives the prefix for the capture files. We fix the channel so that airodump-ng doesn’t hop channels and possibly miss the handshake, as it can only monitor one channel at a time. It may be worthwhile for you to create a ‘pcaps’ directory to store your files, as they can add up very quickly.

With that terminal open and writing to a file, open a new terminal. In this one we will run aireplay-ng, which will enable us to force a capture. The handshake only happens when a device connects to the network, not while it is connected. We could wait for my laptop to shut down, start back up, and connect to the network; but that could be a very long wait. We want the handshake now, and aireplay-ng will do that for us by forcing my laptop to reconnect.

In your fresh terminal, type sudo aireplay-ng -0 10 -a <ROUTER MAC> -c <CLIENT MAC> wlan0mon

‘-0’ stands for ‘deauth’, 10 is the number of times to send it, ‘-a’ gives the MAC address of the access point, and ‘-c’ gives the MAC address of a connected client. Aireplay forges frames that appear to come from the access point and are addressed to the client. These frames carry a deauthentication message, which disconnects the client from the AP. If the client has the ‘connect automatically’ option enabled, it scans for networks again, finds one it knows, and reconnects entirely on its own. Airodump in the other terminal sees the reconnection and saves the handshake. No waiting involved!

[Screenshot: aireplay-ng]

Airodump confirms this capture at the top ‘status bar’, as we see ‘WPA handshake: 40:16:7E:BF:6C:A8’. Stop airodump and close the terminal. We have successfully captured our handshake, and can now crack the password.
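What the aireplay-ng step above puts on the air is a burst of forged deauthentication frames, and that burst is also the thing a wireless IDS or a monitor-mode capture can pick out. The following is an added example, not code from the post or from the Aircrack-ng project: it parses raw 802.11 management frames (with the minimal radiotap header that airodump-ng captures carry), counts deauth/disassoc frames per AP-and-target pair inside a sliding time window, and raises an alert when a burst exceeds a threshold, while a single genuine "station is leaving" deauth does not. The frames are constructed inline; the BSSID and client MAC are the two shown in the post's screenshots, and all function names, the window, the threshold and the timestamps are assumptions made for the illustration.

```python
# Added example (not code from the post or from Aircrack-ng): flag
# deauthentication bursts in a monitor-mode capture. Frames are constructed
# inline with a minimal 8-byte radiotap header, the framing airodump-ng
# writes to its .cap files. AP and CLIENT are the MACs from the post's
# screenshots; function names, window and threshold are assumptions.
import struct
from collections import defaultdict

AP = "40:16:7e:bf:6c:a8"       # 'Hacklab' BSSID from the post
CLIENT = "00:21:6a:43:ca:a6"   # the author's laptop from the post
BROADCAST = "ff:ff:ff:ff:ff:ff"

MGMT = 0            # 802.11 frame type 0 = management
BEACON = 8          # management subtypes
DISASSOC = 10
DEAUTH = 12


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt(subtype, addr1, addr2, addr3, body=b""):
    """Constructed frame: 8-byte radiotap header + 24-byte 802.11 MAC header + body."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)            # version, pad, length, present
    frame_control = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    return (radiotap + frame_control + duration + mac_bytes(addr1)
            + mac_bytes(addr2) + mac_bytes(addr3) + seq_ctrl + body)


def parse_frame(buf):
    """Skip radiotap (its length sits in bytes 2-3, little-endian) and split the MAC header."""
    rt_len = struct.unpack_from("<H", buf, 2)[0]
    f = buf[rt_len:]
    return {
        "type": (f[0] >> 2) & 0x3,
        "subtype": (f[0] >> 4) & 0xF,
        "addr1": mac_str(f[4:10]),    # receiver
        "addr2": mac_str(f[10:16]),   # transmitter
        "addr3": mac_str(f[16:22]),   # BSSID for management frames
        "body": f[24:],
    }


def deauth_bursts(capture, window=1.0, threshold=5):
    """capture: list of (timestamp_seconds, raw_frame). Returns one alert per
    (bssid, target) pair whose deauth/disassoc count inside any `window`
    seconds reaches `threshold`."""
    events = defaultdict(list)
    for ts, buf in capture:
        fr = parse_frame(buf)
        if fr["type"] == MGMT and fr["subtype"] in (DEAUTH, DISASSOC):
            body = fr["body"]
            reason = struct.unpack_from("<H", body)[0] if len(body) >= 2 else None
            events[(fr["addr3"], fr["addr1"])].append((ts, reason))
    alerts = []
    for (bssid, target), evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):            # sliding window over sorted timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"bssid": bssid, "target": target, "count": best,
                           "reasons": sorted({r for _, r in evs if r is not None})})
    return alerts


def sample_capture():
    """Constructed capture: a beacon, a 10-frame deauth burst from the AP to the
    client (reason code 7, 'class 3 frame from non-associated STA'), then one
    ordinary deauth from the client 30 s later (reason code 3, 'STA is leaving')."""
    cap = [(0.0, build_mgmt(BEACON, BROADCAST, AP, AP))]
    for i in range(10):
        cap.append((0.1 + i / 10, build_mgmt(DEAUTH, CLIENT, AP, AP, struct.pack("<H", 7))))
    cap.append((30.0, build_mgmt(DEAUTH, AP, CLIENT, AP, struct.pack("<H", 3))))
    return cap


if __name__ == "__main__":
    for alert in deauth_bursts(sample_capture()):
        print(f"deauth burst: bssid={alert['bssid']} target={alert['target']} "
              f"count={alert['count']} reasons={alert['reasons']}")
```

To run this over a real airodump-ng file you would feed it (timestamp, frame) pairs read with a pcap library of your choice (assumed, not shown). On the mitigation side, if both the access point and the client support 802.11w Protected Management Frames, forged deauthentication frames like the ones in the burst are rejected and the forced reconnection the post relies on no longer happens.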

Cracking

To crack with aircrack and with most other programs, you need either a dictionary or output from another program (such as Crunch). A dictionary (or wordlist) is simply a file containing potential passwords. You can create your own by making a .txt file, writing your password in it and saving it. You can download dictionaries on the web at many places. I will use the RockYou.txt dictionary to crack my password.

In the terminal, type sudo aircrack-ng -w wordlists/Rock* pcaps/test*.cap

‘-w’ gives the location of the dictionary, and the last argument is always the location of the .cap file. In the Linux shell, the * character is a wildcard: it matches any file name that begins with whatever comes before the * and ends with whatever comes after.

[Screenshot: aircrack]

Now, you simply wait for aircrack to test all passwords in the file provided, and to hopefully find a key.

[Screenshot: key found]

My password, which happened to be my name in this instance, was found in the RockYou.txt dictionary, freely downloadable by anyone. Looks like I’ll have to make a stronger password.
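The lesson of the last paragraph is that a passphrase only has to appear in a public wordlist, possibly with a trivial suffix or capitalisation change, for a dictionary run like the one above to find it. The following is an added example, not code from the post: a check that tries a few cheap variants of a candidate passphrase (case-folded, leading and trailing digits or symbols stripped) against a wordlist, enforces a minimum length, and generates a random word-based passphrase with its entropy in bits. LEAKED_WORDS is a constructed stand-in for a file such as rockyou.txt and DICEWARE_WORDS for a large word list; the function names and the 12-character minimum are assumptions, not anything from the post.

```python
# Added example (not code from the post): check a candidate Wi-Fi passphrase
# against a leaked-password wordlist the way a dictionary run would, and
# generate a random word-based passphrase instead. Both word lists below are
# constructed stand-ins; names and thresholds are assumptions.
import math
import re
import secrets

LEAKED_WORDS = ["password", "nicholas", "letmein", "sunshine", "iloveyou", "123456"]
DICEWARE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "velvet", "cactus", "harbor"]

# Leading or trailing run of digits/symbols, e.g. the '1!' in 'Nicholas1!'
AFFIX = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def variants(pw):
    """Cheap forms a rule-based dictionary run tries: case-folded, and with
    leading/trailing digits or symbols removed ('Nicholas1!' -> 'nicholas')."""
    forms = {pw, pw.lower()}
    for form in list(forms):
        forms.add(AFFIX.sub("", form))
    forms.discard("")
    return forms


def wordlist_hits(pw, words):
    """Wordlist entries that any variant of pw equals, compared case-insensitively."""
    known = {w.strip().lower() for w in words}
    return sorted({v.lower() for v in variants(pw) if v.lower() in known})


def passphrase_problems(pw, words, min_len=12):
    """Return a list of findings; an empty list means the passphrase passed."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    hits = wordlist_hits(pw, words)
    if hits:
        problems.append("wordlist match: " + ", ".join(hits))
    return problems


def generate_passphrase(words, n_words=5, sep="-"):
    """Diceware-style passphrase: n words drawn uniformly with the secrets module.
    Returns (passphrase, entropy_bits) with entropy = n * log2(len(words))."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    return sep.join(chosen), n_words * math.log2(len(words))


if __name__ == "__main__":
    for candidate in ("Nicholas1!", "sunshine2014", "correct-horse-battery"):
        print(candidate, "->", passphrase_problems(candidate, LEAKED_WORDS) or "ok")
    phrase, bits = generate_passphrase(DICEWARE_WORDS)
    print(f"suggested: {phrase} ({bits:.1f} bits from a {len(DICEWARE_WORDS)}-word list)")
```

The variant set is deliberately small; real rule sets are far larger, so a passphrase that passes this check is not proven strong, only not trivially weak. The entropy figure makes the trade-off explicit: eight words give only 3 bits per word, so a realistic list of several thousand words is what makes a five-word phrase worthwhile.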

And that’s it. I hope this tutorial helps you out.

In the future, I will replace this bit of text with links to the other, faster ways passwords can be cracked. Check again soon!

The Long Awaited Update

So, it’s been a while. Far too long in fact. But, I needed to get a job, get a car, and move to a better, cheaper place. All that took a good while and made it hard to continue learning about infosec and programming, and to give an update to this blog, mainly because there wasn’t a lot to say. Now that life is mostly stable though, I can continue.

While staying active with this stuff was difficult, it wasn’t impossible. I ended up looking for a podcast to listen to in the bits of time that I had at home, and for when I was at work, since we could use earbuds. I found a great one called ‘Security Now’ over at Gibson Research Corporation that talks a lot about how the Internet works, how encryption works, how the two work together, and how certain exploits work. I started from the very beginning (very bottom, 2005) and it’s very much worth it. Every episode builds on the previous ones, so you could start anywhere but you may miss some stuff. Either way it’s great, and you should definitely give it a try (don’t mind the first episode, quality is a bit low but they fix that right quick).

Aside from listening to podcasts, I’ve been learning Python. I tried Java and C++, but settled on Python because, well, I found I just kept coming back to learn it. C++ was incredibly boring, at least in the way it was presented to me. However I see that there is a hell of a lot of potential with it, which is probably why a lot of great programmers use it. I’ll probably try and learn C++ after SQL, after Python, as I want to get a good grip on one language and then see what I can do with it. With SQL, I can start SQL injection and actually understand what I’m doing (hopefully). I feel like learning a skill and then applying it to pen testing is a good system, since I’ll only be using knowledge I feel confident with. I don’t want to give myself too much to chew on by just throwing everything that exists onto my plate; I’ve tried stuff like that before and it doesn’t end well. Anyway, if you wanna learn Python, I’ve been learning over at Code Academy. It has a nice layout and presents things in an easy-to-understand manner. I love it, and hope they add more languages in the future.

There are a few more things I’ve been doing, namely cracking my own wifi, but that’s a post of its own and I think I’ll cover that in my next update, coming sometime this year. I’ll show you how I installed Kali Linux, captured my packets, and set up my GPUs to crack my password. I’ll also hopefully have a method to show you how to crack passwords with a crappy laptop that has no Internet connection, but I still have to get that working myself. Once I’ve got it, I’ll write the post for you. But until then, I’m off!

The Beginning of Everything

And so, after some setup, a lot of learning and a bit of testing, a blog is now live and hosted on GitHub. For me, this is a very exciting day. The idea of a blog has always interested me, and I’ve set up a few in the past on various free hosting sites, but I always ran into a problem with them: I had nothing to blog about. Sure, I could write about my boring day-to-day adventures, but boring day-to-day adventures are boring. I needed something to write about. I needed a purpose.

Three days ago, I finally found that purpose. While browsing r/netsecstudents I came across this post on rawhex, which explained how someone can get infosec experience when that person isn’t in an infosec job. There’s a lot of great information in that post, but the thing that stood out to me the most was the fact he mentioned writing a paper about something, even lightly, infosec related and putting that onto a GitHub blog. I didn’t know a GitHub blog was a thing, and since I had always been interested in a blog and had just started using GitHub, I felt I had found a really neat combo. Not only that, I had found a purpose for my blog: to detail my adventures in the world of infosec and pen testing. Hurray!

I spent the rest of the night thinking about how I would set up my blog the next day, and everything that would entail. I saw so many good things coming out of it, but I also found something I felt was morally wrong: I was setting up a blog about my adventures purely as a display of my knowledge to help convince future employers to hire me. Now to me, that seemed incredibly selfish and a horrendous waste of time, energy and potential. I was preparing to publish something on the Internet purely for my own gain, aimed at only a few people, hopefully employers, without knowing if it would even help me get a job. Immediately, that old problem resurfaced.

That’s boring.

A blog is supposed to be read by people interested in what the blogger is blogging about, not by a few potential employers who may very well never even read this. My blog would still lack a true purpose and be run purely under the façade of something helpful to put on my resume or CV. I don’t want to be a liar, even to myself, so I needed another purpose. I thought for a while, and tried to create my ideal image of what this blog should be, and what I could make it into. Pretty quickly, I was able to remember two things that would serve as a new purpose:

  • I love, and am good at, helping people, and
  • I want a single, centralized place to learn everything about pen testing. From the command line to real world job situations.

And thus, I had a selfless purpose for a blog that other people may actually be inclined to read and maybe even learn from. A lot of pen-testing-for-newbies sites are written by people who are no longer newbies. They’ve had real world experience and know everything a pen tester needs to know. But what they don’t fully know is to what extent we actual newbies don’t know. Many assume that the reader has experience with the command line, or knows their way around the Unix file system, or other such skills. This never helped me, because I don’t know the command line. I don’t know my way around Unix. I’m the family tech guy who is pretty ok with computers, has built a few, and can solve a lot of everyday customer-help-style problems. But venturing deeper into the OS isn’t something I’ve often done, and I don’t know all that awaits in the darkness down there. It’s all complex, confusing and… interesting.

I want to know more, but finding easy-to-read guides is hard, and I’m sure I’m not the only one thinking that. So I decided that I would brave all the confusion and craziness and write a blog detailing my adventures. I’d write about what I learned, give some examples of how it works, and link to the site I learned it from. Eventually I’d have written a slightly unorganized guide on how to go from Computer Scrub Lord to Hacking Genius. Then, I could write an organized, easy-to-read, step-by-step guide about everything a pen tester could ever want to know. Something that could really help people like me who are adequate (through a professional’s eyes) with a computer and understand technology pretty well, but don’t quite have the knowledge base to jump right into CTFs and wargames. I could do something great.

So join me on my adventures through the crazy darkness. Compare and share what you know and what you’ve learned. Follow along and learn with me and we might just become the pen testers we’ve dreamed of, and additionally but undoubtedly,

really cool.