Aircrack-ng is not a single tool, but rather a suite of tools that can be used to hack a wireless network. In this article, though, it is used to secure a wireless network by discovering its vulnerabilities. Read on to see how this can be done.
Security in networks is very vital for small as well as large organisations. Not only does it help in maintaining the confidentiality of a clients and employers data, but it is also important for retaining trade secrets to overcome competition. Wireless networks form an important mode of communication as wired networks tend to incur more infrastructure costs. But are wireless networks sufficiently secure? Lets have a look at a common scenario.
Bobs start-up company, XYZ Pvt Ltd, has a few wireless access points. He has his network configured over the WEP protocol with simple dictionary based passwords like YOUCANTGUESS. He is really annoyed with the repeated unauthentication of legitimate users from the Wi-Fi network. After a few such compromises, he changes his Wi-Fi passwords but the attacks continue. This continuous mischief irritates him and he has no idea why this is happening.
He contacts Eve, a security analyst, for help. Eve investigates the situation and explains how wireless protocols function. She provides him with the basic details of the two algorithms used in a majority of wireless networks: WEP (Wired Equivalent Privacy) and WPA/WPA2 (Wi-Fi Protected Access).
Wired Equivalent Privacy (WEP)
This algorithm is based on the RC4 stream cipher and CRC checksum mechanism to provide confidentiality and integrity. Open System authentication and Shared Key authentication are the two methods of authentication used in WEP.
1. Open System authentication: In this case, the WLAN client need not provide its credentials to the access point during authentication. Any client can authenticate with the access point.
2. Shared Key authentication: In this authentication mechanism as shown in figure 1, the WEP key is used for authentication in a four-step handshake process:
a. The client sends an authentication request to the access point.
b. The access point responds to the request with a clear-text challenge.
c. The client encrypts the challenge-text using the configured WEP key and sends the encrypted message to the access point.
d. The access point decrypts the response and verifies if the decrypted text matches the challenge-text. It authenticates the client if the match is found.
In spite of the mechanisms used, this algorithm has a number of vulnerabilities and can be easily cracked. Various techniques, based on brute force attacks and analysis of the IVs (initialisation vectors), were discovered that led to deprecation of this algorithm.
Wi-Fi Protected Access (WPA)
WPA is a more secure algorithm that was developed in 2003 to address a few of the vulnerabilities that existed in WEP. WPA is mainly based on TKIP (temporal key integrity protocol), which uses a unique encryption key for each data packet sent over the network. The pre-shared key (PSK) used in TKIP is a 256-bit entity used for authentication. Figure 2 gives diagrammatic representation of WPA algorithm.
WPA is much more secure than WEP. This is because in the case of the latter, every data packet has the same key, which can be easy to find by capturing a sufficient number of packets. In WPA, its difficult to get the key because every data packet has a unique key. But there are also a few loopholes that can be exploited. WPA can be compromised using Denial of Service attacks.
Wi-Fi Protected Access II (WPA2)
WPA2, also known as RSN (robust security network), is the most recent and highly secure algorithm, which enforces mandatory usage of the AES (advanced encryption standard). Another significant security enhancement has been the introduction of CCMP [counter mode with CBC (cipher block chaining) MAC (message authentication code) protocol]. CCMP uses AES instead of TKIP as the underlying encryption mechanism and, hence, prevents various attacks that were designed based on the RC4 cipher used in TKIP.
After some research, Eve concludes that WPA2 is secure enough to get rid of the kind of attacks Bobs office suffers from and, hence, configures the entire network over WPA2. Yet, even after such heightened countermeasures, Bobs network again gets compromised by some mischievous attackers. Alarmed at the situation, he again contacts Eve for help. During her research, she comes across one such tool that suits her needs. She advises Bob to use Aircrack-ng to internally spot the weak access points and enhance his networks security to avoid future attacks. Since Bob is unaware of the functionality of Aircrack-ng, Eve provides a brief overview.
Aircrack-ng stands for Aircrack new generation and is an advanced network auditing software used for sniffing and cracking wireless networks. It is mainly used for testing the weaknesses of wireless networks by breaking into the network using the WEP and WPA-PSK keys recovered by decrypting the gathered encrypted packets. This tool can be used across Linux as well as Windows platforms, but has limited support in Windows.
The block diagram given in Figure 3 gives a brief description of the tool.
Bob is determined to patch up the weak links in his network; so he asks Eve to demonstrate how the tool is used to prevent various attacks. Eve tells him how to install the tool on the Ubuntu 14.04 platform and then gives the procedure to detect the vulnerable access points.
The package manager can be used to install the tool by using the following commands at the terminal:
$sudo apt-get install build-essential $sudo apt-get install aircrack-ng
Capturing packets: The first step involves turning on the monitor mode of the interface in order to capture the packets required, i.e., to carry out sniffing. Airmon-ng is used for this task.
On the command line, type the following commands in the same sequence:
$Iwconfig: It lists all the active wifi interfaces. $Airmon-ng stop ath0 (considering ath0 is an active wireless interface) $Airmon-ng start wifi0
Airodump scans for the active networks and captures the packets for further analysis. It also shows the MAC addresses of the access points and those of the systems/clients connected to each of them. This helps Bob to figure out and filter the unwanted systems and/or access points.
$airodump-ng -c X -w mycapture ath0
Here, X is the channel number of the access point.
The command above captures the various handshake packets that can be used for analysing the security
of the network.
Aireplay-ng is used to administer some traffic into the network as passive sniffing involves a lot of time. This tool will inject fake authentication packets into the network to collect IVs in a short time span.
The command used is provided below:
$aireplay-ng -3 b base station MAC address h client Mac address ath0
Airodump-ng is used here to make a note of the packets in a file called ACapture.cap. Now, to crack the key, Aircrack-ng is used on the .cap file and the key is retrieved, as follows:
$aircrack-ng z capture.cap
Airodump-ng is again used on the packets that are captured. Deauth packets are then injected using Aireplay:
$aireplay -0 8 a [base station MAC] c [client device MAC] ath0
When the client reconnects, Airodump captures the handshake.
Again, Aircrack-ng is used to carry out a brute force attack, as follows:
$aircrack-ng -w passwordlist.txt -b [base station MAC] capture.cap
where passwordlist.txt is a dictionary of passphrases.
So, this is what Eve did to save Bobs network from mischief-makers:
- She updated Bobs password, which now comprises letters, numbers and special characters, while his network continued working over WPA2.
- She installed a firewall over the Wi-Fi router and turned on MAC address filtering.
- She assigned IP addresses to all the systems that were connected to the Wi-FI, thus preventing non-employees from getting into the network because they would never get an IP address assigned to them.
Bob was never troubled anymore.