Aircrack-ng Suite Cheatsheet
A comprehensive cheatsheet for using the Aircrack-ng suite, a set of tools for assessing WiFi network security. Covers essential commands and options for capturing, analyzing, and cracking WEP/WPA/WPA2 keys.
Basic Capture and Monitoring
Interface Monitoring
- Checks for interfering processes (e.g., NetworkManager) that could disrupt packet capturing. It is often necessary to stop these services before proceeding.
- Puts the specified wireless interface into monitor mode. Example:
- Takes the specified wireless interface out of monitor mode. Example:
- Brings down an interface. Replace with your interface name, e.g. wlan0.
- Brings up an interface. Replace with your interface name, e.g. wlan0.
- Sets the interface to monitor mode. Replace with your interface name, e.g. wlan0.
Packet Capture with airodump-ng
- Starts capturing packets on the specified interface, displaying ESSIDs, BSSIDs, channels, and client information.
- Captures packets on a specific channel. Example:
- Writes captured packets to a file. Example:
- Targets a specific network by BSSID and channel. Example:
- Ignores the warning message about not being associated with an access point.
- Displays the manufacturer of the wireless network adapter.
Analyzing Captured Data
Captured
Important data to gather includes the BSSID of the target network, the number of data packets captured, and the presence of any handshakes (WPA/WPA2).
Use
WEP Cracking
WEP Cracking Fundamentals
WEP (Wired Equivalent Privacy) is an older, insecure encryption protocol. Cracking WEP typically involves capturing enough Initialization Vectors (IVs) and using
The key is derived from statistical analysis of the IVs. The more IVs, the higher the probability of cracking the WEP key.
- Passive capturing: Capturing IVs without actively injecting packets. Slower but less detectable.
- Active injection: Actively injecting packets to generate more IVs. Faster but more detectable.
Generating IVs
- Sends ARP packets to the access point and captures the replayed packets to generate IVs. Requires a connected client.
- Sends fragmented packets to generate IVs. Can work without a connected client in some cases.
- Another method for generating IVs. Requires a valid packet to start.
- An interactive method for replaying packets.
- Deauthenticates a client from the network, forcing it to reauthenticate so that a WPA handshake can be captured.
Cracking WEP with Aircrack-ng
- Attempts to crack the WEP key using the captured IVs in the
- Attempts to crack the WEP key using the PTW (P Fluhrer, I Mantin, A Shamir) attack, which is often faster.
WPA/WPA2 Cracking
WPA/WPA2 Handshake Capture
To crack WPA/WPA2, you need to capture the 4-way handshake, which occurs when a client connects to the network.
Use
- Sends a deauthentication packet to a specific client, forcing it to reconnect and perform the handshake. Targeting the client increases the chance of capturing the handshake quickly.
- Sends deauthentication packets to all clients associated with the AP, forcing them to reconnect and perform the handshake. Less targeted than specifying a client MAC.
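The deauthentication burst described above is exactly what a wireless IDS watches for. As an added example, not taken from the cheatsheet or from the Aircrack-ng project, the following detector parses raw 802.11 management frames (standard header layout: frame control, duration, three addresses, sequence control, then the 2-byte reason code for deauth) and flags any BSSID that emits more than a threshold of deauthentication frames inside a sliding time window. The frame bytes and timestamps are constructed inline; the window and threshold values are assumptions to tune per environment.

```python
import struct
from collections import defaultdict

# 802.11 frame control byte 0: protocol version (bits 0-1), type (bits 2-3),
# subtype (bits 4-7). Deauthentication = management (type 0), subtype 12 -> 0xC0.
DEAUTH_SUBTYPE = 12

def parse_mgmt_frame(frame: bytes):
    """Return (subtype, addr1, addr2, bssid, reason_code) for a management
    frame; None for data/control frames or truncated input."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None
    subtype = frame[0] >> 4
    addr1, addr2, bssid = (frame[i:i + 6].hex(':') for i in (4, 10, 16))
    reason = None
    if subtype == DEAUTH_SUBTYPE and len(frame) >= 26:
        reason = struct.unpack_from('<H', frame, 24)[0]   # little-endian reason code
    return subtype, addr1, addr2, bssid, reason

def find_deauth_floods(frames, window=2.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes) in time order.
    Flags each BSSID that emits more than `threshold` deauth frames within
    any `window`-second span (assumed defaults); one alert per BSSID."""
    recent, alerted, alerts = defaultdict(list), set(), []
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None or parsed[0] != DEAUTH_SUBTYPE:
            continue
        _, dst, _src, bssid, reason = parsed
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:          # drop frames that fell out of the window
            q.pop(0)
        if len(q) > threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((bssid, dst, reason, len(q)))
    return alerts

def build_deauth(dst, src, bssid, reason=7):
    """Constructed sample deauth frame: FC, duration, addr1..3, seq ctl, reason."""
    mac = lambda s: bytes.fromhex(s.replace(':', ''))
    return (bytes([DEAUTH_SUBTYPE << 4, 0]) + b'\x00\x00' + mac(dst) + mac(src)
            + mac(bssid) + b'\x00\x00' + struct.pack('<H', reason))

# Constructed capture: one ordinary deauth (reason 3, station leaving), then a
# burst of ten broadcast deauths (reason 7) from one BSSID at 100 ms spacing.
SAMPLE = [(0.0, build_deauth('aa:bb:cc:dd:ee:01', '00:11:22:33:44:66',
                             '00:11:22:33:44:66', reason=3))]
SAMPLE += [(0.1 * i, build_deauth('ff:ff:ff:ff:ff:ff', '00:11:22:33:44:55',
                                  '00:11:22:33:44:55')) for i in range(10)]
```

Running `find_deauth_floods(SAMPLE)` returns a single alert for the bursting BSSID once the sixth deauth lands inside the window; the lone reason-3 frame from the other BSSID stays below the threshold.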
Cracking WPA/WPA2 with Aircrack-ng
- Attempts to crack the WPA/WPA2 key using a dictionary attack. Requires a wordlist containing potential passwords.
- Specifies the BSSID of the target network. Can speed up the cracking process if multiple networks are in the capture file.
- Wordlists: Popular wordlists include rockyou.txt (often found in Kali Linux) and custom wordlists tailored to the target.
- Hashcat: For more advanced cracking, consider using Hashcat, which supports GPU acceleration and more sophisticated attack methods.
PMKID Cracking
- Captures the PMKID (Pairwise Master Key ID), which can be used to crack WPA/WPA2 without capturing a full handshake in some cases.
- Converts the captured pcapng file to hcxt format for cracking.
- Cracks the PMKID using Hashcat.
Advanced Techniques and Tools
airbase-ng
- Tool to create a rogue access point, useful for man-in-the-middle attacks and capturing credentials.
- Creates a rogue AP on a specific channel with a specified ESSID.
- Enables probing and waits for a client to connect.
packetforge-ng
- Forges packets to inject into the network.
Avoiding Detection
Change MAC address before starting: |
Use a low power setting for injection: |