# Aircrack-ng

### Aircrack-ng WEP Attack

* understand your pcap

```
capinfos wep.pcap
aircrack-ng wep.pcap
```

* it will prompt you to select the network, and then it will try to recover the key
* if your attack is successful the key will look something like this

```
E1:26:9E:0F:19:4A:A7:2A:9D:32:53:53:52
```

### WEP Key Decrypt Wireshark Capture

* with key in hand go to: **Edit | Preferences**
* **Expand Protocols tree**, and then scroll and select the **IEEE 802.11**

<figure><img src="https://2098276108-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwXbmWAdfb5sb4Veuw2rn%2Fuploads%2FoCXdrvbfDkoHNk0UBTIW%2Fimage.png?alt=media&#x26;token=e3a9b93f-fbcd-489d-aa29-49ee281ac5f3" alt=""><figcaption></figcaption></figure>

* Make sure the Wireshark **Ignore the Protection bit** option is set to No.
* Make sure **Enable decryption** is selected
* To specify a key to use in decryption, click the **Edit...** button to open the WEP and WPA Decryption Keys dialog

<figure><img src="https://2098276108-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FwXbmWAdfb5sb4Veuw2rn%2Fuploads%2FNfweOfqaJmmkkKFyOPkM%2Fimage.png?alt=media&#x26;token=d02a8339-6351-4a07-81a7-1305e1f85a99" alt=""><figcaption></figcaption></figure>

* add your key by pressing the `+` button
* Hit Ok twice and your packets will be decrypted

### Four way Handshake Cracking

* Easy to filter on handshake traffic with `eapol` Wireshark filter
* If you have the 4 way handshake it can be cracked with

```
aircrack-ng -w word-list capture_handshake.pcap
```

* if that is failing due to the password not being in the wordlist you can easily add permutation to it

```
john -wordlist:word-list -rules -stdout > morewords
```

### hcxpcapngtool for Hashcat

* before being utilizing hashcat to crack to crack a handshake we need to conver it with hcxpcapngtool

```
hcxpcapngtool -o wifi.crackme wifi.pcap
```

* examining the file

```
cat wifi.crackme
WPA*01*2f28a275f277d17904ec948e51012bef*586d8f074e8f*a088b4583fa0*4d6f62696c65576946692034453846***
WPA*02*4acfe35de7bc8c44b19ba7bfcf2ce152*586d8f074e8f*a088b4583fa0*4d6f62696c65576946692034453846*
6148801ead3ac326e653a8e5417998245ff5819acd16aee63f0621081325378b*0103007702010a0000000000000000000
288fe22a134055f845914ffa8573f82db7d34f1dd65a12cae4790738a72c3f8ca000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000001830160100000fac040100000fac04010
0000fac023c000000*02
```

* there was only one handshake captured, however we can see two hashes.
* the first one is the PMKID and the second is the the four way handshake hash
* Note: The PMKID hash is outputted to the file even if that AP DOES NOT support PMKID. That means hashcat will never crack the hash if the AP does not support PMKID.
* the PMKID hash can be filtered out

```
hcxhashtool -i wifi.crackme --type=2 -o eapolhashonly
```

### Hashcat Mask Attack

* Many AP companies will have passwords with only partial variations, save yourself the time with a mask attack

```
hashcat -m 22000 -a 3 mobilewifi.crackme Wifi3E9F-?d?d?d?d?d?d --force
```

* `-m 22000 is for WPA2-PSK`