Module 7: Aircrack-ng Essentials
Airmon-ng
Running airmon-ng without any parameters displays the status and information about the wireless interfaces on the system:
kali@kali:~$ sudo airmon-ng
PHY Interface Driver Chipset
phy0 wlan0 ath9k_htc Atheros Communications, Inc. AR9271 802.11n
Airmon-ng check
It's important to identify and terminate processes like Newtork Manager which can interfere with the tools in the Aircrack-ng suite. The check parameters checks for and lists these processes:
kali@kali:~$ sudo airmon-ng check
Found 3 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode
PID Name
1885 NetworkManager
1955 wpa_supplicant
2015 dhclientUsing airmon-ng with the check kill paremeters will try to gracefully stop known services and kill the rest of the processes:
Airmon-ng start
Placing our wlan0 interface in monitor mode:
Starting monitor mode on a specific channel:
Running iw to show our monitor mode interface's information:
We can also use iwconfig however it is deprecated:
The --verbose option outputs release information from lsb_release -a, kernel information from uname -a, virtual machine detection, and details about connected interfaces.
In comparison, the output with --debug provides slightly more details derived from system commands:
Airmon-ng stop
Disabling monitor mode with the stop parameter:
Airodump-ng
Airodump-ng Usage
Run airodump-ng without parameters to display the options. The options most often used are for saving to a file, filtering by BSSID, and capturing only on a specific channel:
-w prefix
Saves the capture dump to the specified filename
--bssid BSSID
Filters Airodump-ng to only capture the specified BSSID
-c channel(s)
Forces Airodump-ng to only capture the specified channel(s)
Sniffing with Airodump-ng
Initiating our first sniffing session, only capturing on channel 2:
Airodump-ng Fields in the top section
BSSID
The MAC address of the AP
PWR
The signal level reported by the card, which will get higher as we get closer to the AP or station
RXQ
Receive Quality as measured by the percentage of frames successfully received over the last 10 seconds
Beacons
Number of announcement frames sent by the AP
# Data
Number of captured data packets (if WEP, this is the unique IV count), including data broadcast packets
#/s
Number of data packets per second measured over the last 10 seconds
CH
Channel number taken from beacon frames. Note that sometimes frames from other channels are captured due to overlapping channels
MB
Maximum speed supported by the AP. 11=802.11b, 22=802.11b+, up to 54 is 802.11g and anything higher is 802.11n or 802.11ac
ENC
Encryption algorithm in use. OPN=no encryption, "WEP?"=WEP or higher (not enough data to choose between WEP and WPA/WPA2), WEP=static or dynamic WEP, and WPA or WPA2 if TKIP or CCMP is present. WPA3 and OWE both require CCMP
CIPHER
The cipher detected: CCMP, WRAP, TKIP, WEP, WEP40, or WEP104
AUTH
The authentication protocol used. One of MGT (WPA/WPA2/WPA3 Enterprise), SKA (WEP shared key), PSK (WPA/WPA2/WPA3 pre shared key), or OPN (WEP open authentication)
ESSID
The so-called SSID, which can be empty if the SSID is hidden
Airodump-ng Fields in the bottom section
BSSID
The MAC address of the AP
STATION
The MAC address of each associated station
Rate
Station's receive rate, followed by transmit rate
Lost
Number of data frames lost over the last 10 seconds based on the sequence number
Packets
Number of data packets sent by the client
Probes
The ESSIDs probed by the client
Precision Sniffing
Specifying the channel, bssid, and the output file we'd like when performing a dump:
Airodump-ng Output Files
By default, using the -w option will output to PCAP, CSV, Kismet legacy CSV, Kismet legacy NetXML, and Log CSV. GPS coordinates can be included with the -g option and the Initialization Vectors with the --ivs option (only useful for WEP cracking).
We can limit file formats generated by using the --output-format option followed by a comma separated list of file formats.
Airodump-ng Interactive Mode
Space
Pause/Resume output
Tab
Enables/Disables scrolling through the AP list
Up/Down Arrows
When scrolling through the AP list is enabled, provides scrolling
M
Cycles through color options for a selected AP
A
Cycles through display options:
APs and stations (default)
APs and stations plus ACK statistics
APs only
Stations only
S
Cycles through sorting options:
Amount of beacons
Amount of data packets
Packet rate
Channel
Max data rate
Encryption
Cipher
Authentication
ESSID
First seen
BSSID
Power level
I
Inverts the sorting
D
Resets to the default sorting (by power level)
Airodump-ng Troubleshooting
No APs or Clients are Shown
Verify there are APs on current channel.
Make sure card works in managed mode.
Unload the driver (rmmod) and reload it with modprobe.
Check dmesg for errors.
Little or No Data Being Captured
Specify a channel.
Get closer to the AP.
Confirm in monitor mode.
Confirm no network processes/services causing interference.
Airodump-ng Stops Capturing After a Short Period of Time
Confirm no network processes/services causing interference.
Check dmesg for firmware issues.
SSIDs Displayed as "<length: ?>"
Get closer to the AP.
"Fixed channel" Error Message
Confirm no network processes/services causing interference.
Confirm your card can use the specified channel.
No Output Files
Confirm the -w or --write parameters were used with a filename prefix.
Confirm you're looking in the directory included in the path for output files (default is directory airodump-ng was run from).
Aireplay-ng
Aireplay-ng supports the following attacks:
0
Deauthentication
1
Fake Authentication
2
Interactive Packet Replay
3
ARP Request Replay Attack
4
KoreK ChopChop Attack
5
Fragmentation Attack
6
Café-Latte Attack
7
Client-Oriented Fragmentation Attack
8
WPA Migration Mode Attack
9
Injection Test
Aireplay-ng Replay Options
All available options for aireplay-ng attacks:
-x nbpps
Number of packets per second
-p fctrl
Set frame control word (hex)
-a bssid
Access point MAC address
-c dmac
Destination MAC address
-h smac
Source MAC address
-e essid
Target AP SSID
-j
arpreplay attack: inject FromDS packets
-g value
Change ring buffer size (default: 8)
-k IP
Destination IP in fragments
-l IP
Source IP in fragments
-o npckts
Number of packets per burst (-1)
-q sec
Seconds between keep-alives (-1)
-y prga
Keystream for shared key authentication
-B
Bit rate test
-D
Disable AP detection
-F
Chooses first matching packet
-R
Disables /dev/rtc usage
Aireplay-ng Injection Test
Basic Injection Test:
Injection test for a specific SSID:
Card-to-Card (Attack) Injection Test:
Aireplay-ng Troubleshooting
Aireplay-ng does not Inject Frames
Ensure you're using the correct monitor mode interface.
Aireplay-ng Hangs with No Output
Confirm wireless card is on the same channel as the AP.
interfacexmon is on channel Y, but the AP uses channel Z
Confirm monitor mode was started in the correct channel.
Check for network processes/services causing interference.
Aireplay-ng General Troubleshooting Tips
Look for deauthentication or disassociation messages during injection.
Ensure wireless card driver is properly patched and installed.
Be physically close enough to the AP.
Verify monitor mode.
Verify channel matches the AP.
Aircrack-ng
Aircrack-ng is CPU intensive and will fully use all the CPUs. Laptops typically aren't built for constant CPU load for long periods of time. This can raise the temperature of the CPU significantly. If the laptop's cooling system is inadequate, the CPU will be throttled, which will reduce performance. Sometimes, the cooling system can't even handle throttled CPUs, and the CPU may end up suddenly turning off to protect itself and other components from damage. Adding an active cooling pad might help. We can also monitor the temperatures. In Linux we'll do this with the lm-sensors command.
Aircrack-ng Benchmark
Running benchmark mode:
Airdecap-ng
Removing Wireless Headers
Removing wireless headers from an unencrypted capture file. Using -b to specify the BSSID and setting the AP MAC to keep:
Airdecap-ng saved the data packets linked to 34:08:04:09:3D:38 into a new capture file, with -dec (decrypted) appended to the original filename: opennet-01-dec.cap.
Airgraph-ng
Clients to AP Relationship Graph
The Clients to AP Relationship (CAPR) graph type displays the relationships between clients and APs. Running airgraph-ng with the -o option to output to a file name, the -i option to input an airodump-ng .csv file, and -g to define a CAPR graph:
Clients Probe Graph
The Client Probe Graph (CPG) displays relationships between wireless clients and probed networks. Creating this graph with a airodump-ng .csv file, and specifiying the graph type as CPG with -g CPG:
Last updated