0. What is Aircrack-ng?
Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that
can recover keys once enough data packets have been captured. It
implements the standard FMS attack along with some optimizations like
the KoreK attacks, as well as the newer PTW attack, which makes WEP
key recovery much faster than with other WEP cracking tools. (WPA-PSK
keys are not recovered from captured IVs: for WPA aircrack-ng can only
run a dictionary attack against a captured four-way handshake.)
Strictly speaking, Aircrack-ng is a whole suite of tools for auditing
wireless networks, of which the aircrack-ng program is only the
cracking component.
A Debian package of aircrack-ng is available for download.
1. Check Access Points and Ad-Hoc cells in range
The command iwlist displays detailed information from wireless
network interfaces. We will use it to obtain a list of Access Points
and Ad-Hoc cells in range, together with a whole bunch of information
about them (ESSID, Quality, Frequency, Mode, ...).
From the output we can identify the type of encryption used by each
network (a cell with "Encryption key:on" but no WPA/WPA2 information
element is WEP), so this is definitely the first step on our way.
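To make that classification repeatable, here is an added example (not from the original page or the aircrack-ng project) that reads the text of an iwlist scan and prints one line per cell with the BSSID, channel, encryption type and ESSID. The scan text embedded below is constructed for the example; the function names classify_scan, classify_sample and weak_cells are my own. The decision rule is the one stated above: "Encryption key:on" without a WPA or WPA2 IE means WEP, "Encryption key:off" means an open network.

```sh
#!/bin/sh
# Added example: classify the cells of `iwlist <iface> scan` output.
# Live use (root needed for a full scan):  iwlist wlan0 scan | classify_scan
# Not part of the original page or of the aircrack-ng suite.

# Constructed sample of iwlist scan output: a WPA2 cell, a WEP cell, an open cell.
SAMPLE_SCAN='wlan0     Scan completed :
          Cell 01 - Address: 00:14:6C:7E:40:80
                    Channel:11
                    Frequency:2.462 GHz (Channel 11)
                    Quality=70/70  Signal level=-40 dBm
                    Encryption key:on
                    ESSID:"teddy"
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
          Cell 02 - Address: 00:0F:66:4E:16:88
                    Channel:6
                    Quality=40/70  Signal level=-70 dBm
                    Encryption key:on
                    ESSID:"oldwep"
          Cell 03 - Address: 00:19:7E:53:8C:A3
                    Channel:1
                    Quality=20/70  Signal level=-85 dBm
                    Encryption key:off
                    ESSID:"cafe"'

# Read iwlist scan output on stdin and print, per cell:
#   BSSID CHANNEL ENC ESSID
# ENC is OPEN, WEP, WPA or WPA2 (a cell advertising both WPA and WPA2 is
# reported as WPA2). A cell with "Encryption key:on" and no WPA/WPA2 IE can
# only be WEP. A hidden network (empty ESSID) is reported as <hidden>.
classify_scan() {
    awk '
    function flush() {
        if (bssid != "") {
            enc = "OPEN"
            if (keyon) enc = "WEP"
            if (wpa)   enc = "WPA"
            if (wpa2)  enc = "WPA2"
            if (essid == "") essid = "<hidden>"
            printf "%s %s %s %s\n", bssid, chan, enc, essid
        }
        bssid = ""; chan = "?"; essid = ""; keyon = 0; wpa = 0; wpa2 = 0
    }
    /Cell [0-9]+ - Address:/ { flush(); bssid = $NF }
    /^ *Channel:/            { sub(/.*Channel:/, ""); chan = $0 }
    /Encryption key:on/      { keyon = 1 }
    /IE: WPA Version/        { wpa = 1 }
    /IE: IEEE 802.11i\/WPA2/ { wpa2 = 1 }
    /ESSID:/                 { sub(/.*ESSID:"/, ""); sub(/"$/, ""); essid = $0 }
    END { flush() }'
}

# Run the classifier over the constructed sample.
classify_sample() {
    printf '%s\n' "$SAMPLE_SCAN" | classify_scan
}

# Keep only the cells with no protection worth the name (open or WEP):
# these are the ones the rest of this guide is about.
weak_cells() {
    classify_scan | awk '$3 == "OPEN" || $3 == "WEP"'
}

# Stand-alone run: show the classified sample, then only the weak cells.
classify_sample
printf '%s\n' "$SAMPLE_SCAN" | weak_cells
```

The WEP/open filter is what you want before going any further: a WPA2 network with a strong passphrase is not going to fall to IV collection, so there is no point putting a card into monitor mode on its channel for that purpose.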
2. Prepare the wireless LAN
You should always start by confirming that your wireless card can be
put into monitor mode and can inject packets. If you have a Ralink
chipset and need the RT63usb driver, use a driver build that supports
injection (do not use the one in Debian because you will not be able
to inject packets!). Compile it and install it following the simple
instructions in the Readme file, then load the driver with modprobe.
It is good to have two wireless LAN interfaces up and running.
Now we are ready for the first test: the injection test. We must set
our cards to monitor mode and to the desired channel with airmon-ng
prior to running any of the other aircrack-ng tools.
3. Monitor Mode
First step: to put the interface into monitor mode, first right-click
on the network icon in Gnome and de-select "Enable Networking" (i.e.
so networking is disabled).
It is very important to stop all connection managers prior to using the
suite, otherwise they may change the channel or reset the interface
behind your back. In general, disabling "Wireless" in your network
manager should be enough, but sometimes you have to stop them completely.
We make sure no monitor interface is still running by listing the
wireless interfaces with airmon-ng (run without arguments it prints the
interfaces it knows about). If some device (e.g. mon3) is still running
we stop it with:
sudo airmon-ng stop mon3
We now start both cards on a given channel (e.g. channel 11) (in my
case, for mysterious reasons, I have to start wlan1 prior to wlan0 to
avoid problems in the injection tests):
sudo airmon-ng start wlan0 11
sudo airmon-ng start wlan1 11
As we can see from the messages on the screen, wlan0 becomes mon0 and
wlan1 becomes mon1. mon0 and mon1 are the interface names to be used
from now on.
4. Injection test
This is a basic test to determine if a card successfully supports
packet injection. You can check a hidden SSID or check a specific SSID
with the following (-e names the SSID to probe, mon0 is the monitor
interface created above):
sudo aireplay-ng --test -e teddy mon0
If Airodump-ng shows APs but they don't respond: the injection test
uses broadcast probe requests, and not all APs respond to broadcast
probe requests, so the injection test may fail because the APs are
ignoring them.
As well, you can quite often receive packets from APs further away
than your card can transmit to, so the injection test may also fail
because your card cannot transmit far enough for the AP to receive
its frames.
In both cases, try another channel with multiple APs, or try the
specific SSID test described above.
5. Airodump-ng
Airodump-ng is used for packet capturing of raw 802.11 frames and is
particularly suitable for collecting WEP IVs for the intent of using
them with aircrack-ng.
Additionally, airodump-ng writes out several files containing the
details of all access points and clients seen. For instance we can try:
sudo airodump-ng --output-format csv --write csv mon0
to get this kind of information (with that prefix the summary of access
points and stations lands in csv-01.csv).
6. Using aireplay-ng to deauthenticate the wireless client
It is as simple as this:
sudo aireplay-ng -0 [count] -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0
where -0 selects the deauthentication attack ([count] is the number of
deauthentication rounds to send, 0 meaning "keep going until stopped"),
-a is the MAC address of the AP and -c the MAC address of the client or
station "under attack"; ath0 is the monitor-mode interface (mon0 in the
setup above). The client is forced to reconnect, which is how you
provoke a WPA handshake or fresh traffic for WEP IV collection. Without
-c the deauthentication frames are broadcast to every client of the AP,
so always give the client address when you only mean to hit one station.
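The AP and station MACs that the deauthentication command needs are exactly what the CSV written by airodump-ng in section 5 contains, so here is an added example (not from the original page or the aircrack-ng suite) that pulls them out: one function lists the access points that are open or WEP together with their channel and IV count, another lists the stations associated with a given BSSID, ready to be pasted into -a and -c. The CSV text embedded below is constructed for the example in the column layout airodump-ng 1.x uses; the function names weak_aps and clients_of are my own.

```sh
#!/bin/sh
# Added example: read an airodump-ng CSV (csv-01.csv in the setup above) and
# extract the targets for the next steps. Not part of the original page or of
# the aircrack-ng suite.
# Live use:  weak_aps < csv-01.csv ;  clients_of 00:14:6C:7E:40:80 < csv-01.csv

# Constructed sample in airodump-ng CSV layout: the AP table, a blank line,
# then the station table. Fields are separated by ", ".
SAMPLE_CSV='
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2012-05-01 10:00:00, 2012-05-01 10:05:00, 11, 54, WEP, WEP, , -40, 120, 3500, 0. 0. 0. 0, 5, teddy,
00:0F:66:4E:16:88, 2012-05-01 10:00:00, 2012-05-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -70, 90, 0, 0. 0. 0. 0, 4, home,
00:19:7E:53:8C:A3, 2012-05-01 10:00:00, 2012-05-01 10:05:00, 1, 54, OPN, , , -85, 30, 0, 0. 0. 0. 0, 4, cafe,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0F:B5:FD:FB:C2, 2012-05-01 10:00:10, 2012-05-01 10:04:59, -50, 200, 00:14:6C:7E:40:80, teddy
00:11:22:33:44:55, 2012-05-01 10:01:00, 2012-05-01 10:04:00, -60, 15, (not associated), home,cafe
'

# Access points whose Privacy column is WEP or OPN, printed as
#   BSSID CHANNEL PRIVACY IVS ESSID
# The IV count (# IV column) is what aircrack-ng needs to grow for WEP.
# Caveat: the split on ", " is naive; an ESSID containing a comma shifts
# the columns of its own row.
weak_aps() {
    awk -F', *' '
    /^BSSID,/       { sec = "ap"; next }
    /^Station MAC,/ { sec = "st"; next }
    NF < 2          { next }
    sec == "ap" && ($6 == "WEP" || $6 == "OPN") {
        printf "%s %s %s %s %s\n", $1, $4, $6, $11, $14
    }'
}

# Station MACs currently associated with the AP given as $1. These are the
# candidates for the -c argument of the deauthentication command; stations
# listed as "(not associated)" are never returned.
clients_of() {
    awk -F', *' -v ap="$1" '
    /^BSSID,/       { sec = "ap"; next }
    /^Station MAC,/ { sec = "st"; next }
    NF < 2          { next }
    sec == "st" && $6 == ap { print $1 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CSV" | weak_aps
printf '%s\n' "$SAMPLE_CSV" | clients_of 00:14:6C:7E:40:80
```

On the sample this reports the WEP network teddy on channel 11 with 3500 IVs and the open network cafe, and one client (00:0F:B5:FD:FB:C2) on teddy: the pair of addresses used in the deauthentication example above. An AP with zero associated clients is a poor deauthentication target; with nobody to kick off there is no reconnection to provoke.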
7. Changing the MAC address
It is useful to know how to change the MAC address of our card. In
order to see all interfaces detected by your system, as well as their
MAC addresses and interface names, type the following command:
sudo ip addr
Here is sample output:
1: lo: mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 4c:22:d0:b8:78:ae brd ff:ff:ff:ff:ff:ff
3: wlan0: mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:19:7e:53:8c:a3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.18/24 brd 192.168.1.255 scope global wlan0
    inet6 fe80::219:7eff:fe53:8ca3/64 scope link
       valid_lft forever preferred_lft forever
It shows three interfaces: lo, eth0 and wlan0 (these are the interface
names). The MAC or hardware address is shown on the link/ether line,
e.g. the current MAC address of eth0 is 4c:22:d0:b8:78:ae.
7.1 Using ifconfig
To change the MAC address using ifconfig, type the following commands
(the interface has to be down while the address is changed):
sudo ifconfig [interface name] down
sudo ifconfig [interface name] hw ether [new MAC address]
sudo ifconfig [interface name] up
For example, the middle command for eth0 would be:
sudo ifconfig eth0 hw ether 1A:2B:3C:4D:5E:6F
Then run sudo ip addr again and verify the change.
7.2 Macchanger console utility
Install macchanger with:
sudo apt-get install macchanger
Once installed it makes it possible not only to change the MAC address
to a given one but also to:
* change the MAC to a random value
* apply a MAC from the list of known vendors
For example, to change the MAC address of the interface to a hardware
address belonging to Linksys, look the vendor up in macchanger's list:
macchanger -l | grep -i linksys
It will show that Linksys MAC addresses start with 00:0f:66. Now change
the MAC address of the interface (with the interface down, as in 7.1):
sudo macchanger -m 00:0f:66:4e:16:88 eth0
You will see the following output in case of a successful change of MAC:
Current MAC: 4c:22:d0:b8:78:ae (unknown)
Faked MAC: 00:0f:66:4e:16:88 (Cisco-linksys)
Please notice that the above ways of changing the MAC address in Debian
are not persistent: the real hardware address will be back once you
reboot.
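Both 7.1 and 7.2 leave the choice of the new address to you, and a badly chosen one (a multicast bit set, or a prefix that collides with a real vendor's assignment) can cause odd behaviour on the LAN. The following added example (not from the original page, nor from macchanger or the aircrack-ng suite) generates a random locally-administered unicast MAC, or a random address under a given vendor prefix such as the 00:0f:66 used above, checks the format, and applies it with the iproute2 equivalent of the ifconfig sequence in 7.1. The function names valid_mac, random_local_mac, vendor_mac, is_local_mac and set_mac are my own; DRY_RUN=1 only prints the ip commands instead of running them, which is what the stand-alone run below does so it needs no root.

```sh
#!/bin/sh
# Added example: choose and apply a MAC address safely.
# Not part of the original page, macchanger or the aircrack-ng suite.

# True if $1 looks like a MAC address: six hex octets separated by colons.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Random MAC of the locally-administered, unicast kind. In the first octet
# bit 0 (I/G) is cleared so the address is unicast and bit 1 (U/L) is set so
# it is marked as locally administered and cannot collide with a
# vendor-assigned (OUI) address.
random_local_mac() {
    bytes=$(od -An -N6 -tu1 /dev/urandom)
    set -- $bytes
    first=$(( ($1 & 252) | 2 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Random MAC under a given three-octet vendor prefix (OUI), e.g. 00:0f:66
# for Cisco-Linksys as found with macchanger -l above.
vendor_mac() {
    oui=$1
    bytes=$(od -An -N3 -tu1 /dev/urandom)
    set -- $bytes
    printf '%s:%02x:%02x:%02x\n' "$oui" "$1" "$2" "$3"
}

# True if the U/L bit of the first octet of $1 is set (locally administered).
is_local_mac() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    [ $(( 0x$first & 2 )) -ne 0 ]
}

# Apply MAC $2 to interface $1 with ip(8): down, set address, up (the same
# sequence as the ifconfig commands in 7.1). With DRY_RUN=1 the commands are
# printed instead of executed; running them for real requires root.
set_mac() {
    iface=$1; mac=$2
    valid_mac "$mac" || { echo "set_mac: not a MAC address: $mac" >&2; return 1; }
    for cmd in "ip link set dev $iface down" \
               "ip link set dev $iface address $mac" \
               "ip link set dev $iface up"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
}

# Stand-alone run: show the two kinds of address and the commands that would
# apply one of them to eth0 (interface name taken from the ip addr output above).
DRY_RUN=1
echo "random local: $(random_local_mac)"
echo "linksys-like: $(vendor_mac 00:0f:66)"
set_mac eth0 "$(random_local_mac)"
```

Like the ifconfig and macchanger methods, a MAC set with ip link is gone after a reboot, and the interface must be down while the address is changed (ip refuses otherwise). Prefer random_local_mac unless you have a reason to look like a specific vendor: it never collides with an OUI-assigned address and it cannot accidentally be a multicast address.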