
Aircrack-ng: Securing Wireless Networks

By Shubhra Rana - April 2, 2015

Aircrack-ng is not a single tool, but rather a suite of tools that can be used to hack a wireless network. In this article,
though, it is used to secure a wireless network by discovering its vulnerabilities. Read on to see how this can be
done.

Network security is vital for small as well as large organisations. Not only does it help in maintaining the
confidentiality of a client's and employer's data, but it is also important for retaining trade secrets and staying
ahead of the competition. Wireless networks form an important mode of communication, as wired networks tend to incur
more infrastructure costs. But are wireless networks sufficiently secure? Let's have a look at a common
scenario.

Bob's start-up company, XYZ Pvt Ltd, has a few wireless access points. He has his network configured over the
WEP protocol with simple dictionary-based passwords like 'YOUCANTGUESS'. He is really annoyed by the
repeated deauthentication of legitimate users from the Wi-Fi network. After a few such compromises, he
changes his Wi-Fi passwords, but the attacks continue. This continuous mischief irritates him and he has no idea
why it is happening.

He contacts Eve, a security analyst, for help. Eve investigates the situation and explains how wireless protocols
function. She provides him with the basic details of the two algorithms used in the majority of wireless networks:
WEP (Wired Equivalent Privacy) and WPA/WPA2 (Wi-Fi Protected Access).

Figure 1: Shared key authentication mechanism

Wired Equivalent Privacy (WEP)

WEP is based on the RC4 stream cipher for confidentiality and a CRC checksum for integrity.
Open System authentication and Shared Key authentication are the two methods of authentication used
in WEP.
1. Open System authentication: In this case, the WLAN client need not provide any credentials to the access point
during authentication. Any client can authenticate with the access point.

2. Shared Key authentication: In this mechanism, shown in Figure 1, the WEP key is used for
authentication in a four-step handshake:
a. The client sends an authentication request to the access point.
b. The access point responds to the request with a clear-text challenge.
c. The client encrypts the challenge text using the configured WEP key and sends the encrypted message to the
access point.
d. The access point decrypts the response and verifies that the decrypted text matches the challenge text. It
authenticates the client if they match.

In spite of these mechanisms, WEP has a number of vulnerabilities and can be cracked easily.
Various techniques, based on brute force attacks and analysis of the IVs (initialisation vectors), were discovered,
which led to the deprecation of this algorithm.

Figure 2: WPA technique

Wi-Fi Protected Access (WPA)

WPA is a more secure algorithm that was developed in 2003 to address a few of the vulnerabilities that existed in
WEP. WPA is mainly based on TKIP (temporal key integrity protocol), which uses a unique encryption key for each
data packet sent over the network. The pre-shared key (PSK) used in TKIP is a 256-bit value used for
authentication. Figure 2 gives a diagrammatic representation of the WPA algorithm.

WPA is much more secure than WEP. In WEP, every data packet is encrypted under the same
key, which can be recovered by capturing a sufficient number of packets. In WPA, it's difficult to get the key
because every data packet has a unique key. But there are still a few loopholes that can be exploited: WPA can
be compromised using Denial of Service attacks.

Wi-Fi Protected Access II (WPA2)

WPA2, also known as RSN (robust security network), is the most recent and highly secure algorithm, which
enforces mandatory usage of AES (advanced encryption standard). Another significant security
enhancement is the introduction of CCMP [counter mode with CBC (cipher block chaining) MAC
(message authentication code) protocol]. CCMP uses AES instead of TKIP as the underlying encryption
mechanism and, hence, prevents the various attacks that were designed around the RC4 cipher used in TKIP.

After some research, Eve concludes that WPA2 is secure enough to get rid of the kind of attacks Bob's office
suffers from and, hence, configures the entire network over WPA2. Yet, even after such heightened
countermeasures, Bob's network is compromised again by some mischievous attackers. Alarmed at the
situation, he contacts Eve for help once more. During her research, she comes across a tool that suits her
needs. She advises Bob to use Aircrack-ng to internally spot the weak access points and enhance his network's
security to avoid future attacks. Since Bob is unaware of the functionality of Aircrack-ng, Eve provides a brief
overview.

Aircrack-ng stands for Aircrack new generation and is an advanced network auditing software used for sniffing
and cracking wireless networks. It is mainly used for testing the weaknesses of wireless networks by breaking
into the network using the WEP and WPA-PSK keys recovered by decrypting the gathered encrypted packets. This
tool can be used across Linux as well as Windows platforms, but has limited support in Windows.

The block diagram given in Figure 3 gives a brief description of the tool.
Bob is determined to patch up the weak links in his network; so he asks Eve to demonstrate how the tool is used
to prevent various attacks. Eve tells him how to install the tool on the Ubuntu 14.04 platform and then gives the
procedure to detect the vulnerable access points.

Figure 3: Block diagram of aircrack-ng

Installation

The package manager can be used to install the tool by running the following commands at the terminal:

$ sudo apt-get install build-essential
$ sudo apt-get install aircrack-ng

Usage

Capturing packets: The first step involves turning on monitor mode on the interface in order to capture the
required packets, i.e., to carry out sniffing. Airmon-ng is used for this task.
On the command line, type the following commands in this sequence:

$ iwconfig

This lists all the active Wi-Fi interfaces.

$ airmon-ng stop ath0 (assuming ath0 is an active wireless interface)
$ airmon-ng start wifi0

Airodump scans for the active networks and captures the packets for further analysis. It also shows the MAC
addresses of the access points and those of the systems/clients connected to each of them. This helps Bob to
figure out and filter the unwanted systems and/or access points.

$ airodump-ng -c X -w mycapture ath0

Here, X is the channel number of the access point.


The command above captures the various handshake packets that can be used for analysing the security
of the network.
Aireplay-ng is used to administer some traffic into the network as passive sniffing involves a lot of time. This tool
will inject fake authentication packets into the network to collect IVs in a short time span.
The command used is provided below:

$aireplay-ng -3 b ‘base station MAC address’ h ‘client Mac address’ ath0

Airodump-ng is used here to record the packets in a file called ACapture.cap. Now, to crack the key,
Aircrack-ng is run on the .cap file and the key is retrieved, as follows:

$ aircrack-ng -z capture.cap

Airodump-ng is again used on the packets that are captured. Deauth packets are then injected using Aireplay-ng:

$ aireplay-ng -0 8 -a [base station MAC] -c [client device MAC] ath0

When the client reconnects, Airodump-ng captures the handshake.


Again, Aircrack-ng is used to carry out a brute force attack, as follows:

$ aircrack-ng -w passwordlist.txt -b [base station MAC] capture.cap

where passwordlist.txt is a dictionary of passphrases.
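Eve's actual goal in the procedure above is to spot the weak access points, and airodump-ng, when run with -w, writes the list of access points it sees to a mycapture-01.csv file. The following script, an added example and not code from the article or the aircrack-ng project, parses that CSV layout and flags every access point still running open, WEP or TKIP encryption; the sample rows are constructed for this example.

```python
"""Audit the access-point table written by airodump-ng -w <prefix>
(the <prefix>-01.csv file) and flag open, WEP and TKIP networks.
Added example; the column layout is airodump-ng's, the rows are constructed."""
import csv
import io

AP_HEADER = ("BSSID, First time seen, Last time seen, channel, Speed, Privacy, "
             "Cipher, Authentication, Power, # beacons, # IV, LAN IP, "
             "ID-length, ESSID, Key")

# Constructed sample: one line per access point, then the client block header.
SAMPLE_CSV = "\n" + AP_HEADER + "\n" + """\
00:11:22:33:44:01, 2015-04-02 10:00:00, 2015-04-02 10:05:00,  6,  54, WEP , WEP, SKA, -40, 120, 4831, 0.0.0.0, 7, XYZ-old,
00:11:22:33:44:02, 2015-04-02 10:00:00, 2015-04-02 10:05:00, 11,  54, WPA , TKIP, PSK, -52, 98, 0, 0.0.0.0, 7, XYZ-lab,
00:11:22:33:44:03, 2015-04-02 10:00:00, 2015-04-02 10:05:00,  1,  54, WPA2, CCMP, PSK, -45, 131, 0, 0.0.0.0, 8, XYZ-main,
00:11:22:33:44:04, 2015-04-02 10:00:00, 2015-04-02 10:05:00,  3,  54, OPN , , , -70, 40, 0, 0.0.0.0, 5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def weakness(privacy, cipher):
    """Return why an AP is weak, or None if it runs WPA2 with CCMP only."""
    privacy, cipher = privacy.strip().upper(), cipher.strip().upper()
    if privacy in ("", "OPN"):
        return "open network: traffic is not encrypted at all"
    if "WEP" in privacy:
        return "WEP: RC4 with CRC, key recoverable from captured IVs"
    if "TKIP" in cipher:                 # also catches WPA2/WPA mixed mode
        return "TKIP: RC4-based cipher still enabled, move to WPA2/CCMP"
    if "WPA2" in privacy and "CCMP" in cipher:
        return None
    return "unrecognised configuration, review manually"


def audit_ap_table(text):
    """Map BSSID -> (ESSID, finding) for every weak access point."""
    findings = {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].strip() == "BSSID":
            continue
        if row[0].strip() == "Station MAC":
            break                        # client block follows; not needed here
        f = [x.strip() for x in row]
        if len(f) < 14:
            continue
        finding = weakness(f[5], f[6])   # Privacy and Cipher columns
        if finding:
            findings[f[0]] = (f[13], finding)
    return findings


if __name__ == "__main__":
    for bssid, (essid, why) in audit_ap_table(SAMPLE_CSV).items():
        print(f"{bssid}  {essid:10}  {why}")
```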


So, this is what Eve did to save Bob's network from mischief-makers:

She updated Bob's password, which now comprises letters, numbers and special characters, while his
network continued working over WPA2.
She installed a firewall on the Wi-Fi router and turned on MAC address filtering.
She assigned IP addresses to all the systems that were connected to the Wi-Fi, thus preventing
non-employees from getting into the network because they would never get an IP address assigned to them.

Bob was never troubled again.

Shubhra Rana
The author is a software development engineer at Dell R&D, Bengaluru, and is
interested in network security and cryptography.

