OWN YOUR NEIGHBOR'S WIFI WITH AIRCRACK-NG

This is a walkthrough of how I cracked my WPA/WPA2 WiFi router password in a few minutes. Note this is only for educational purposes, so do not attack a network that isn’t yours or one you don’t have permission to test.

Peter Wambua
Oct 6, 2022

Being just a campus student, I really don’t have an external wireless adapter, but it is crucial as it gives you a faster, more reliable connection to your available network signals through the USB port. Either way, your machine’s internal adapter is enough. Whether you have an external adapter (plugged in) or not, type the following command:

iwconfig

It is similar to ifconfig in Linux or ipconfig in Windows, except that it is dedicated to wireless interfaces. Note the name of your network card (for example, mine is wlan0).

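The aircrack-ng suite comes with multiple tools that let us test our own network. First, we will use airmon-ng. To make sure no other processes interfere with the network card, we kill any that might be running. Note that this stops services such as NetworkManager and wpa_supplicant, so the machine loses its normal WiFi connection until they are restarted. The command is: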

airmon-ng check kill

Now we need to put our network card into monitor mode with airmon-ng, using the command:

airmon-ng start networkCard

Replace networkCard with your network card’s name (wlan0 in my case). Note that the interface name changes, ending with mon. Mine becomes wlan0mon. Boom! Monitor mode is up and running.

Now we use a tool called airodump-ng to list all the available networks. Your network should definitely appear. Use the following command:

airodump-ng networkCardmon

Replace networkCardmon with the name of your network card in monitor mode. Now we have our target up. The most important fields in the output are the BSSID (the MAC address of the access point) and CH (the channel number).

We need to capture a 4-way handshake on our network. This is the exchange of 4 messages between an access point and a client device that generates the encryption keys used to encrypt the actual data sent over the wireless medium. We can capture it with the command:

airodump-ng -c CHnumber --bssid macAddress -w filename wlan0mon

CHnumber is the channel number of the network we are attacking and macAddress is the BSSID. Replace them with your respective values.

As you can see, there are multiple devices I have connected to my network, and each one of these has a MAC address (the STATION column) to uniquely identify it.

We can speed this process up (I don’t wanna be here for ages. Maybe you got time :| ) by performing a deauthentication attack. This means we will interfere with the communication between the router and a device. The device will then reconnect to the network, and this gives us the perfect chance to capture the handshake. Note that when doing penetration testing, you might need to perform the deauth attack on different devices, since you don’t want to completely disrupt service for any one machine.

The following command performs the deauthentication attack:

aireplay-ng -0 1 -a macAddress -c clientAddress wlan0mon

“-0” selects the deauth attack, and 1 is the number of times we will perform it. macAddress is the BSSID of the network, while clientAddress is the STATION of the target device. Replace these with your respective values.

Once you have the handshake captured, you will see a message that your capture has been stored in a file.

Check the files in your current directory. Depending on how many devices you deauthenticated and whether the attack succeeded, you may have multiple .cap files. These contain the captured data.

Finally, we will need to crack the capture. This is the most challenging part, and you will need good wordlists to aid in the cracking process. Linux (especially Kali) has built-in wordlists which are large and powerful (e.g. /usr/share/wordlists/rockyou.txt). You can use the built-in ones or get one from the internet (e.g. from GitHub). I created my wordlist in a file, wordlist.txt. We use aircrack-ng to crack our capture:

aircrack-ng -w wordlist -b macAddress filename

Replace wordlist with your wordlist, macAddress with your network’s BSSID, and filename with the file the capture has been stored in.

BOOM!!! Key found. Got it. Seems I had used a bad password for my network and it didn’t even take time for the hacker (thecyberlearner) to be in my network. This is so risky, since a hacker can do all sorts of things from your network. Normalize a strong password policy. Even if eventually they are gonna get in, give them a hard time to do so.
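To act on that advice, you can check your own router passphrase against a wordlist before anyone else does. The script below is an added example, not code from the original post: it flags a passphrase that is in the list, or only a case change or trailing digits away from a listed word. The function names, the 16-character policy floor and the sample wordlist are assumptions made for this example.

```python
import io
import re

# WPA/WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63
POLICY_MIN_LEN = 16  # assumption: this example's own policy floor, not from the post

# Constructed sample wordlist; point the audit at your real list in practice.
SAMPLE_WORDLIST = "password\n123456789\nsunshine\niloveyou\nqwertyuiop\n"


def variants(passphrase):
    """Lower-cased forms, with and without trailing digits/symbols."""
    base = passphrase.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)
    return {base, stripped} - {""}


def audit_passphrase(passphrase, wordlist_lines):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        findings.append("invalid-length")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        findings.append("non-printable-ascii")
    near = variants(passphrase)
    exact = near_miss = False
    for line in wordlist_lines:  # streamed line by line, so large lists are fine
        word = line.rstrip("\r\n")
        if word == passphrase:
            exact = True
            break
        if word.lower() in near:
            near_miss = True
    if exact:
        findings.append("in-wordlist")
    elif near_miss:
        findings.append("near-wordlist-entry")
    if len(passphrase) < POLICY_MIN_LEN:
        findings.append("shorter-than-policy")
    return findings


if __name__ == "__main__":
    for candidate in ("sunshine", "Sunshine2022!", "correct horse battery staple"):
        print(candidate, audit_passphrase(candidate, io.StringIO(SAMPLE_WORDLIST)))
```

For a real list such as rockyou.txt, pass `open(path, encoding="latin-1")` as the second argument, since that file contains bytes that are not valid UTF-8.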


Written by Peter Wambua

Network and web penetration tester. An enthusiastic cyber security researcher. CTF-ing and rooting machines during my introverted time.
