Learn Ethical Hacking Episode #31: Aircrack-ng and Crunch Usage Example (Part 2)


If you find yourself needing assistance at any point throughout the tutorial series, feel free to enroll in The Complete Ethical Hacking Course Bundle for 1 on 1 help!


Below is a list of the courses included in the bundle:

The Complete Ethical Hacking Course for 2018!
Certified Ethical Hacker Boot Camp for 2018!
The Complete Ethical Hacker Course: Beginner to Advanced!
Build an Advanced Keylogger for Ethical Hacking!

Hello everybody and welcome to this tutorial. Let’s continue from where we left off in the previous video.

I have a live capture here in progress, I’m going to go ahead and cancel it, and now I will take the information that I need. So, the next command that we’re going to use, again, is airodump-ng. We will use it in combination with a few aditional arguments in order to conduct a more precise scan, so that we can capture the four-way handshake which we need in order to continue with the exercise. Go ahead and type in airodump, and you don’t need to memorize the full command. You can type in air, and then press Tab twice. If it doesn’t work after Tabbing twice, press it how ever many times until you find the command you need. The terminal will tell you what your possibilities are. What we need is airodump, and this is the command that we need. Go ahead and type in O, Tab it again, it will give you fewer options, dump-ng, and that’s it. One of the first things that we’re going to need to do is specify the channel on which my wireless is functioning. For this particular exercise I will be using channel 6. So, channel 6, and what is the BSSID? This is the BSSID. Don’t attempt to retype it, copy/paste it just to be sure it is entered in correctly. If you miss a single a single character here, nothing will be achieved. Now we need a file to write to. I will name mine SCAN_test. The final thing that I’m going to need is this BSSID. Go ahead and copy it, and we’ll just reformat this a bit. I’m fairly certain it would work like this as well, but we always want to make our code nice and clean so that it can be read and understood for troubleshooting purposes. When you have commands, text, and code spread around, it can be difficult to figure out what is where. Maybe you can in that moment, but try doing it the next day and it can be difficult to pick up where you left off. Go ahead and press Enter.

Okay, so what does it say? No interface specified. Every time you do this you actually do need to specify an interface. Mine is wlp2s0, that is my wireless interface that is currently in monitor mode, so press ENTER, and there we go. Our scan is now in progress. I have another device that is connected to the network, that’s this device, it’s BSSID, and station. A station is a device that is connected to this access point. You will not be able to perform this exercise if you do not have any stations that are connected to your access point. This is because you have nothing to deauthenticate, there is nothing conducting the authentication process which you can capture. We will be deauthenticating this device, and this is also a method that you can use in order to perform a DoS attack on a wireless network. It is nearly guaranteed to work. Pretty much any public wireless network will be vulnerable to this, and you will be able to deauthenticate every device on the network. This, of course, is susceptible to misuse. I would like to ask you, since I am doing this for educational purposes, not to do that.

Anyway, that being said, we need to use aireplay-ng, and this is used for deauthentication purposes. We’ll just go ahead and type it in, air, and once again I will use Tab to complete the command, replay-ng. What I want to do is pass an argument of -0, and then I’m going to give it the 0 again. I will explain in a moment what these are, – a, and the MAC address of the access point. We don’t need the BSSID flag there. These two arguments state the number of deauthentication transmissions that you wish to send. If you put a 0 in it sends it into an infinite loop. You will permanently be deauthenticating pretty much every device on this particular MAC address. For example, if you wish to temporarily disrupt connections you can type in 10, or 9, or something like that. There are even options to deauthenticate particular clients. But, for the time being, I’m going to send a general deauthentication request transmission. This will deauthenticate everybody on this particular wireless access point. Since it is my wireless access point, I don’t really care. I only one device associated with it, and that device will be disconnected shortly. If you wish to verify this, you can connect your cell phone, and you can connect them to your Wi-Fi access points, and then you can try performing a DoS attack on yourself to see how it works. If you have any troubles, feel free to ask me in the question section. The procedure is exactly the same as what I’m doing now. You will then notice that the Wi-Fi connection on your phone is breaking. When that starts happening, when the deauthentication request start being sent, try accessing a website through your cell phone. You will see that you can’t because there is something obstructing your connection, and you are no longer associated with that access point. I would recommend trying this as it’s a fantastic exercise. You cannot cause any damage to your network or devices. As soon as the deauthentication requests stop your connection will be restored.

Let’s go ahead and execute our command. One of the downsides of aircrack is that you need to type in the interface every single time. Excellent! I am now broadcasting the deauthentication signal. Sure enough, I have lost connection to the network on all of my devices. Leave it running for a while just to make sure that you have deauthenticated the device, because you cannot see the device that you are deauthenticating. At a certain point of time, after a couple of minutes, maybe less, you can cancel it. Due to the proximity I can go ahead and cancel it now, and my device will automatically try to reconnect. Once it does, I will capture that authentication, and it should work just fine. In a moment, we should get a four-way handshake in the upper right corner, and there we go. It says WPA handshake for this MAC address. At this point of time, you can go ahead and stop the capture process as there is really no longer a point to do it. We have captured the information that we needed. It’s all here.

In the next tutorial we will take apart the file which we have captured, and see what we can do with it, and how we can actually crack it. That is the difficult part of this process. Capturing traffic is not a problem, finding the
wireless access point is not a problem, the problem is cracking the encryption itself. Now, keep in mind you must absolutely have at least one device that is associated with this access point, and the BSSID. If there are several devices you may want to consider a different denial of service attack. You shouldn’t deauthenticate them all. Select a few and leave them running. So, if you have 10 or 20 devices, you can select 5 of them. If just 5 of them don’t work they’ll usually look to the person next to them, or something like that, and they’ll see that it’s working for them. So, the general conclusion that pretty much everybody draws from that is, oh, it has to have something to do with my device. Let me just attempt to reconnect to the network. We will go over this in great detail when we cover denial of service attacks, but for the time being just know that it is an option. In any case, I bid you farewell, and I sincerely hope to see you in the follow-up tutorial where we will actually crack the code.

The remainder of the tutorial videos can be found in this YouTube playlist:


You can also enroll in the course and download the videos for offline viewing:


Subscribe on YouTube – https://www.youtube.com/c/JosephDelgadillo?sub_confirmation=1

Follow on Steemit – https://steemit.com/@jo3potato

Leave a Reply

Your email address will not be published. Required fields are marked *