This demonstration of cracking WPA or WPA2 passwords using Aircrack-ng is based on the many YouTube tutorials and blogs.
Its purpose is to quickly demonstrate to users how poor passwords are vulnerable. One of they great benefits of using Aircrack-ng in a demonstration is that the user-interface looks just like scene from a movie.
It is important to note that a number of the steps can be completed before the demonstration starts.
Initial requirements for the demonstration
The demonstration uses minimum equipment and is portable.
- Laptop / PC – ideally with virtualization software
- Kali Linux (free) and a suitable wifi adapter, such as Alfa AWUS036NEH
- Safe Wifi hotspot, such as smartphone to attack
- If you are not using a virtual machine to run Kali, another device to connect to the wifi hotspot
Step 1 – monitor mode
Start by putting the wireless adapter into monitor mode ( monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first).
Command: airmon-ng start wlan0
The adapter might be referred to as something like wlan0mon. To confirm it is in monitor mode, use command iwconfig and check the mode.
Step 2 – display wifi access point in range
Initially set the password for the safe wifi access point to something like testtest or password, which can quickly cracked.
Command: airodump-ng wlan0mon
Note – airodump-ng hops from channel to channel and shows all access points it can receive beacons from.
The upper data block shows the access points found and the lower block shows the clients. Key fields to note
|BSSID||The MAC address|
|PWR||Signal strength. Some drivers don’t report it|
|Beacons||Number of beacon frames received.|
|Data||Number of data frames received|
|CH||Channel the AP is operating on|
|ESSID||The network name. Sometimes hidden|
|STATION||The MAC of the client itself|
|Probes||Network names (ESSIDs) this client has probed|
Step 3 – capture the handshake and save it to a file called captfile
Consider changing directory to Documents so the captured handshake is saved there.
Command: airodump-ng –bssid [08:86…] -c 6 –write captfile wlan0mon
Note -c is channel
Copy and paste the appropriate details of the safe wifi access point. This is sometimes easier using a separate terminal window.
Initially it will look like the following:
Use host wifi or another device to connect to the safe wifi access point. When airodump-ng captures a handshake the top line changes.
Step 4 – Aircrack-Ng the password
If a single client handshake is captured use
command: aircrack-ng captfile -01.cap -w dictionary_file
If multiple handshakes are captured use
command: aircrack-ng -w dictionary_file -b [mac of client] captfile-01.cap
Note – dictionary_file is the name of the dictionary file. Try rockYou.txt from John the Ripper or a customer dictionary.
You can repeat the process from step 2 with a more complex password to show how much longer a better password takes to crack.