Demonstrating password strength using Aircrack-ng

This demonstration of cracking WPA or WPA2 passwords using Aircrack-ng is based on the many YouTube tutorials and blogs on the subject.

Its purpose is to quickly demonstrate to users how poor passwords are vulnerable. One of the great benefits of using Aircrack-ng in a demonstration is that the user-interface looks just like a scene from a movie.

It is important to note that a number of the steps can be completed before the demonstration starts.

Initial requirements for the demonstration
The demonstration uses minimal equipment and is portable.

  • Laptop / PC – ideally with virtualization software
  • Kali Linux (free) and a suitable wifi adapter, such as Alfa AWUS036NEH
  • A safe Wi-Fi hotspot to attack, such as a smartphone hotspot you own
  • If you are not using a virtual machine to run Kali, another device to connect to the wifi hotspot

Step 1 – monitor mode
Start by putting the wireless adapter into monitor mode (monitor mode allows packets to be captured without having to associate with an access point or ad-hoc network first).

Command: airmon-ng start wlan0

The adapter will now be listed under a new name such as wlan0mon. To confirm it is in monitor mode, run iwconfig and check the Mode field.

Step 2 – display wifi access point in range
Initially set the password for the safe wifi access point to something like testtest or password, which can quickly be cracked.

Command: airodump-ng wlan0mon

Note – airodump-ng hops from channel to channel and shows all access points it can receive beacons from.

The upper data block shows the access points found and the lower block shows the clients. Key fields to note:

BSSID – The MAC address of the access point
PWR – Signal strength. Some drivers don’t report it
Beacons – Number of beacon frames received
Data – Number of data frames received
CH – Channel the AP is operating on
ENC – Encryption in use
ESSID – The network name. Sometimes hidden
STATION – The MAC address of the client itself
Probes – Network names (ESSIDs) this client has probed

Step 3 – capture the handshake and save it to a file called captfile
Consider changing directory to Documents so the captured handshake is saved there.

Command: airodump-ng --bssid [08:86…] -c 6 --write captfile wlan0mon

Note – -c is the channel (6 here, taken from the CH column in step 2).
Copy and paste the appropriate details (BSSID and channel) of the safe wifi access point. This is sometimes easier using a separate terminal window.

Initially, it will look like the following:

Use the host's wifi or another device to connect to the safe wifi access point. When airodump-ng captures a handshake, the top line changes to show "WPA handshake:" followed by the BSSID.

Step 4 – crack the password with aircrack-ng
If a single client handshake was captured, use

Command: aircrack-ng captfile-01.cap -w dictionary_file

If handshakes for more than one network were captured, select the access point with -b (its BSSID, not the client MAC):

Command: aircrack-ng -w dictionary_file -b [bssid of the access point] captfile-01.cap

Note – dictionary_file is the name of the dictionary file. Try rockyou.txt from John the Ripper or a custom dictionary.

You can repeat the process from step 2 with a more complex password to show how much longer a stronger password takes to crack.
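To choose that more complex password before the repeat run, the following added Python example (not part of the original page) checks a candidate passphrase against a wordlist and gives an order-of-magnitude estimate of the dictionary and brute-force search; the sample wordlist, the guess rate and the character-class entropy model are assumptions.

```python
import math
import string

# Constructed stand-in for a wordlist such as rockyou.txt: one candidate per line.
SAMPLE_WORDLIST = """password
testtest
12345678
letmein1
qwertyuiop
"""


def load_wordlist(text):
    """Keep only entries that are valid WPA/WPA2 passphrases (8 to 63 characters)."""
    return {w.strip() for w in text.splitlines() if 8 <= len(w.strip()) <= 63}


def is_valid_psk(passphrase):
    """WPA/WPA2 passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def charset_size(passphrase):
    """Assumed entropy model: union of the character classes the passphrase uses."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        size += len(string.punctuation) + 1
    return size


def assess_passphrase(passphrase, wordlist, guesses_per_second=1000.0):
    """Estimate how a dictionary run and a brute-force run would fare against the passphrase.

    guesses_per_second is an assumed WPA guess rate; the real figure depends on hardware."""
    if not is_valid_psk(passphrase):
        return {"valid": False}
    bits = len(passphrase) * math.log2(charset_size(passphrase))
    return {
        "valid": True,
        "in_wordlist": passphrase in wordlist,           # a dictionary run finds it
        "dictionary_seconds_max": len(wordlist) / guesses_per_second,
        "entropy_bits": bits,
        "brute_force_seconds_avg": 2 ** bits / 2 / guesses_per_second,
    }


if __name__ == "__main__":
    wl = load_wordlist(SAMPLE_WORDLIST)
    for candidate in ("testtest", "short", "Correct-Horse-7-Battery"):
        print(candidate, assess_passphrase(candidate, wl))
```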