
aircrack-ng

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.

aircrack-ng

Aircrack-ng can recover the WEP key once enough encrypted packets have been captured with airodump-ng. This part of the aircrack-ng suite determines the WEP key using two fundamental methods. The first is the PTW approach (Pyshkin, Tews, Weinmann), which is also the default cracking method. It runs in two phases: in the first, aircrack-ng uses only ARP packets; if the key is not found, it then uses all the packets in the capture. Remember that not all packets can be used for the PTW method; the "Tutorial: Packets Supported for the PTW Attack" page provides details. An important limitation is that the PTW attack currently can only crack 40- and 104-bit WEP keys. Its main advantage is that very few data packets are required to crack the WEP key.


Cracking

aircrack-ng -b 00:01:02:03:04:05 dump-01.cap

Crack WEP Key

This command cracks a WEP key using the captured packets. It applies statistical cryptographic attacks (PTW by default) to the captured encrypted traffic to recover the real key.

aircrack-ng -b <BSSID> <capture_file>

Crack WPA/WPA2-PSK Key

This command cracks a WPA/WPA2-PSK key using a wordlist and the captured handshake. It tests each candidate passphrase from the wordlist against the captured handshake until one matches.

aircrack-ng -w <wordlist> -b <BSSID> <capture_file>

airmon-ng

This script can be used to enable monitor mode on wireless interfaces. It may also be used to kill network managers, or to go back from monitor mode to managed mode. Entering the airmon-ng command without parameters shows the status of the interfaces.


Start wireless in monitor mode

airmon-ng start <interface>

Stop wireless in monitor mode

airmon-ng stop <interface>

Listening on monitor mode

airodump-ng <monitor_interface>

Kill disturbing processes that use wireless devices

airmon-ng check kill

Turn off monitor mode for a specific network interface

sudo airmon-ng stop wlan0mon
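airodump-ng and aireplay-ng only behave correctly when the interface really is in monitor mode, and airmon-ng does not always succeed silently. The following added shell snippet (not from this page or from the aircrack-ng project) checks an interface's mode by parsing the output of `iw dev <iface> info`, which prints a `type monitor` or `type managed` line. The interface names and the two sample outputs are constructed for illustration; `is_monitor_mode` assumes a Linux host with `iw` installed.

```shell
#!/bin/sh
# Added example: verify that an interface is in monitor mode before using it.
# Not part of the page or the aircrack-ng project.

iface_mode_from_iw() {
    # $1: text as printed by `iw dev <iface> info`.
    # Prints the interface type (monitor, managed, ...) or "unknown".
    printf '%s\n' "$1" | awk '
        $1 == "type" { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

is_monitor_mode() {
    # $1: interface name. Returns 0 if the interface is in monitor mode.
    # Assumption: `iw` is available; errors (no such interface) yield "unknown".
    [ "$(iface_mode_from_iw "$(iw dev "$1" info 2>/dev/null)")" = "monitor" ]
}

# Constructed sample outputs, modelled on what `iw dev <iface> info` prints.
SAMPLE_MONITOR='Interface wlan0mon
	ifindex 4
	wdev 0x1
	addr 00:11:22:33:44:55
	type monitor
	wiphy 0
	channel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
	txpower 20.00 dBm'

SAMPLE_MANAGED='Interface wlan0
	ifindex 3
	wdev 0x1
	addr 00:11:22:33:44:55
	type managed
	wiphy 0
	txpower 20.00 dBm'

# Stand-alone demonstration on the constructed samples.
printf 'wlan0mon sample: %s\n' "$(iface_mode_from_iw "$SAMPLE_MONITOR")"   # monitor
printf 'wlan0 sample:    %s\n' "$(iface_mode_from_iw "$SAMPLE_MANAGED")"   # managed
```

On a real host, `is_monitor_mode wlan0mon || echo "not in monitor mode"` is the check to run between `airmon-ng start` and `airodump-ng`.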

airodump-ng

Coming soon

aireplay-ng

The primary function is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys. There are different attacks: deauthentication (for the purpose of capturing WPA handshake data), fake authentication, interactive packet replay, hand-crafted ARP request injection and ARP request reinjection. With the packetforge-ng tool it is possible to create arbitrary frames.


First open a window with airodump-ng sniffing for traffic (see above); aireplay-ng and airodump-ng can run together. Wait for a client to show up on the target network, then start the attack.

aireplay-ng --arpreplay -b 00:01:02:03:04:05 -h 00:04:05:06:07:08 wlan0mon

Injection support

aireplay-ng --fakeauth 0 -e "your network ESSID" -a 00:01:02:03:04:05 wlan0mon

Most devices don't support injection, at least not without patched drivers, and some only support certain attacks. Take a look at the aireplay column of the compatibility page. Sometimes this table is not up to date, so if you see a "NO" for your driver there, don't give up yet: look at the driver homepage, the driver mailing list or our Forum. If you were able to successfully replay using a driver which is not listed as supported, don't hesitate to update the compatibility page table and add a link to a short howto. (To do this, request a wiki account on IRC.)

The first step is to make sure packet injection really works with your card and driver. The easiest way to test it is the injection test attack. Make sure to perform this test prior to proceeding. Your card must be able to successfully inject in order to perform the following steps.

Resource(s)

https://www.aircrack-ng.org/