Aircrack-ng is a multi-purpose suite of tools for monitoring wireless networks, capturing wireless traffic, managing network interfaces, executing attacks (infrastructure and client), cracking wireless passphrases, and decrypting captured wireless traffic. Excellent documentation for this tool suite and the many operations that can be executed with it can be found at https://www.aircrack-ng.org/documentation.html. Common operations used during wireless testing are listed below for convenience.

Common Operations

Recording or monitoring wireless network traffic (airodump-ng):

Airodump-ng writes the frames captured on the listening interface to a file for further analysis when the -w option is used. Otherwise, the command only displays network and client information on screen. The monitoring channel and SSID filtering can be specified in the command for greater control.

airodump-ng --ignore-negative-one [Interface name] -w [Capture file prefix]

Deauthenticating wireless clients (aireplay-ng):

Aireplay-ng sends forged deauthentication frames to clients, forcing them to switch access points or reauthenticate to the same access point. This attack can be used to uncloak hidden SSIDs or to expedite attacks such as Pre-Shared Key (PSK) attacks and enterprise network attacks. The deauthentication frames appear to come from the MAC address of the access point to which the client is associated. The frames can target a single client MAC (-c switch) or all stations associated with the access point (-c switch omitted). The count indicates the number of deauthentication attacks to send. ACKs in the output generally mean that the deauthentication frames were received.

aireplay-ng --ignore-negative-one -0 [Count] -a [Access point MAC] -c [Client MAC]
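The detection side of the attack described above, as an added example that is not part of the original page or of the Aircrack-ng suite: a small Python detector that flags a burst of deauthentication frames attributed to one BSSID. The frame records, timestamps and MAC addresses are constructed sample data, not a real capture.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample records (not real capture data): each entry is
# (timestamp in seconds, frame subtype, transmitter MAC, receiver MAC),
# the fields a monitor-mode capture exposes for management frames.
SAMPLE_FRAMES = [
    (0.00, "beacon",   "02:11:22:33:44:55", BROADCAST),
    (0.10, "deauth",   "02:11:22:33:44:55", BROADCAST),
    (0.20, "deauth",   "02:11:22:33:44:55", BROADCAST),
    (0.30, "deauth",   "02:11:22:33:44:55", BROADCAST),
    (0.40, "deauth",   "02:11:22:33:44:55", BROADCAST),
    (0.50, "deauth",   "02:11:22:33:44:55", BROADCAST),
    (0.60, "deauth",   "02:11:22:33:44:55", BROADCAST),
    (3.00, "deauth",   "02:aa:bb:cc:dd:ee", "02:de:ad:be:ef:01"),  # single client leaving: benign
    (3.05, "beacon",   "02:aa:bb:cc:dd:ee", BROADCAST),
]

def detect_deauth_floods(frames, window=1.0, threshold=5):
    """Flag a BSSID the first time it transmits more than `threshold`
    deauthentication/disassociation frames inside any `window`-second
    span. Frames are attributed to the transmitter MAC, which the attack
    spoofs to match the AP, so the alert names the impersonated BSSID."""
    recent = defaultdict(deque)   # bssid -> deque of (ts, dst) inside the window
    alerts, alerted = [], set()
    for ts, subtype, src, dst in sorted(frames):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) > threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "bssid": src,
                "at": ts,
                "count": len(q),
                # a burst aimed at ff:ff:ff:ff:ff:ff kicks every station,
                # which corresponds to the "-c switch omitted" form above
                "broadcast": any(d == BROADCAST for _, d in q),
            })
    return alerts
```

A legitimate access point rarely sends more than a frame or two per second of this kind, let alone to the broadcast address, so a low threshold is reasonable. The mitigation is 802.11w Protected Management Frames, under which clients discard unprotected deauthentication frames.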

Enabling/disabling monitor mode (airmon-ng):

Airmon-ng is used to control services on the test system and to enable or disable monitor mode. Monitor mode support is important because without it, a network interface will only show traffic destined to or originating from the test system, whereas during testing the tester usually wants to see all traffic within range of the adapter. The first command listed below checks whether common services that interfere with monitor mode are running, and then kills those services. The second command

airmon-ng check kill
airmon-ng [start|stop] [Interface name] [Channel]

Passphrase Recovery (aircrack-ng):

Aircrack-ng is used to recover WEP keys or PSK passphrases used for authentication and encryption on a given wireless network. For PSK recovery, simply pass the tool a dictionary and the packet capture containing the handshake for the target network. The tool will present a list of networks to choose from. Select the ordinal value associated with the target network and cracking will begin. To reduce the amount of noise in the tool interface, use the "eapol" filter in Wireshark and extract the displayed packets for your target network.

aircrack-ng -w [Dictionary] [Packet capture file]

The SSID of the target network is used as a salt in deriving the pairwise master key that the four-way handshake authenticates, so a precomputed dictionary is only valid for one SSID. PSK cracking can be expedited by pre-computing such a dictionary from the known SSID in advance.

Captured Traffic Decryption (airdecap-ng):

Airdecap-ng will decrypt the contents of encrypted 802.11 frames found in a pcap file. The output of the command will indicate the number of encrypted frames found in the capture and the number that were decrypted as a result of the operation.

airdecap-ng -e [SSID] -p [Recovered PSK] [Packet capture file]