0. What is Aircrack-ng?

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured.
It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the all-new PTW attack, thus making the attack much faster compared to other WEP cracking tools. In fact, Aircrack-ng is a set of tools for auditing wireless networks.

You can download the debian package of aircrack-ng from this link.

1. Check Access Points and Ad-Hoc cells  in  range

The command iwlist is used to display important information from wireless network interfaces.
We will use this command to obtain a list of Access Points and Ad-Hoc cells in range, and a whole bunch of information about them (ESSID, Quality, Frequency, Mode...).

iwlist wlan0 scan

From the output we can identify the type of encryption of each network, so this is definitely the first step of our way.

2. Prepare the wireless LAN interfaces

You should always start by confirming that your wireless card can inject packets.

If you have a ralink chipset, and you need the RT63usb driver, download  this driver  (do not use the one in Debian because you will not be able to inject packets!).
Compile it and install it following the simple instructions in the Readme file. Load the driver with:

modprobe rt73

It is good to have two wireless LAN interfaces up and running.

Now we are ready for the first test: the injection test. We must set our cards to monitor mode and to the desired channel with airmon-ng prior to running any of the tests. 

3. Monitor Mode

First step: to put the interface into monitor mode, first right-click on the network icon in Gnome and de-select "Enable Networking" (i.e. so networking is disabled).

It is very important to stop all connection managers prior to using the aircrack-ng suite. In general, disabling “Wireless” in your network manager should be enough but sometimes you have to stop them completely. It can be done with:

airmon-ng check kill

We make sure all cards are off by

sudo iwconfig

If some device (i.e, mon3 ) is working we stop it with

airmon-ng stop mon1

We start now both cards in a certain channel (i.e., channel 11) (in my case, for misterious reasons, I have to start wlan1 prior to wlan0 to avoid problems in the injection tests):

sudo airmon-ng start wlan0 11
sudo airmon-ng start wlan1 11

As we can see from the messages on the screen, wlan0 becomes mon0 and wlan1 becomes mon1.
mon0 and mon1 are the names to be used fron now on.

4. Injection test

This is a basic test to determine if a card successfully supports injection:

aireplay-ng -9 mon0

You can check a hidden SSID or check a specific SSID with the following command:

aireplay-ng --test -e teddy

If Airodump-ng shows APs but they don't respond: The injection test uses broadcast probe requests. Not all APs respond to broadcast probe requests.
So the injection test may fail because the APs are ignoring the broadcast packets.
As well, you quite often can receive packets from APs further away then your card can transmit to.
So the injection test may fail because your card cannot transmit far enough for the AP to receive them.
In both cases, try another channel with multiple APs. Or try the specific SSID test described above.

5. Airodump-ng

Airodump-ng is used for packet capturing of raw 802.11 frames and is particularly suitable for collecting WEP IVs for the intent of using them with aircrack-ng.
Additionally, airodump-ng writes out several files containing the details of all access points and clients seen. For instance we can try:

sudo airodump-ng --output-format csv --write csv mon0

to get such kind of information.

6. Using aireplay-ng to deauthenticate the wireless client

It is as simple as this:

aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0

where -a indicates the MAC address of the AP and -c the MAC address of the client or station "under attack".

7. Changing the MAC address

It is useful to know how to change the MAC address of our card. In order to see all interfaces detected by your systemas well as their MAC addresses and hardware names type the following command:

sudo ip addr

Here is sample output:

1: lo:  mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 4c:22:d0:b8:78:ae brd ff:ff:ff:ff:ff:ff
3: wlan0:  mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:19:7e:53:8c:a3 brd ff:ff:ff:ff:ff:ff
    inet brd scope global wlan0
    inet6 fe80::219:7eff:fe53:8ca3/64 scope link
       valid_lft forever preferred_lft forever

It shows three interfaces: lo, eth0 and wlan0 (these are hardware names of them). MAC or hardware address is shown in link/ether line, e.g. current MAC address of eth0 is 4c:22:d0:b8:78:ae.

7.1 Using ifconfig

To Change MAC address using ifconfig, type the following commands:

ifconfig [interface name] down
ifconfig [interface name] hw ether [new MAC address]
ifconfig [interface name] up


ifconfig eth0 down
ifconfig eth0 hw ether 1A:2B:3C:4D:5E:6F
ifconfig eth0 up

and verify the changes.

7.2 Macchanger console utility

Install macchanger using command:

sudo aptitude install macchanger

Installed application makes it possible not only to change MAC address to defined one but also makes it possible:

    * Change MAC to random value
    * Apply MAC from list of vendors

For example to change MAC address of the interface to hardware address belonging to Linksys you can do the following:

macchanger --list=linksys

It will show that Linksys MAC addresses start with 00:0f:66. Now change MAC address of the interface:

sudo ifconfig eth0 down
sudo macchanger -m 00:0f:66:4e:16:88 eth0
sudo ifconfig eth0 up

You will see the following output in case of successful change of MAC address:

Current MAC: 4c:22:d0:b8:78:ae (unknown)
Faked MAC:   00:0f:66:4e:16:88 (Cisco-linksys)

Please notice that above mentioned ways to change MAC address in Debian implies that normal hardware address will be restored once you rebooted.

Raconet Linux