Kali Wireless Attacks with Aircrack-ng


Introduction

In this lab, you will learn the basics of wireless penetration testing using Kali Linux and the Aircrack-ng toolset within the LabEx VM environment. The focus is on understanding key techniques for assessing wireless network security. You will practice enabling monitor mode on a wireless interface, capturing WPA handshakes, cracking WPA keys, and saving the results for documentation. Designed for beginners, this lab provides step-by-step guidance in a controlled setting to build foundational skills in wireless security testing. When you open the terminal, you will be automatically connected to the Kali Linux container's shell, ready to start practicing.



Installing Essential Tools for Wireless Testing

In this first step, you will set up the necessary tools for wireless penetration testing inside the Kali Linux container in the LabEx VM environment. Since you are automatically connected to the Kali Linux container's shell when opening the terminal, there is no need to manually start the container or enter the shell. Let's begin by installing the essential tools required for the upcoming steps.

As a beginner, it's important to understand that Kali Linux is a powerful distribution for security testing, but not all tools are preinstalled in a minimal container setup. We will install aircrack-ng, a suite of tools for wireless network auditing, which includes utilities like airmon-ng for enabling monitor mode, airodump-ng for capturing packets, and aircrack-ng for cracking keys.

Run the following commands in the terminal to update the package list and install aircrack-ng. Press Enter after each command to execute it:

apt update
apt install -y aircrack-ng

These commands will refresh the package repository and install the aircrack-ng suite. The installation might take a few moments, so please wait until it completes.

After installation, verify that aircrack-ng is installed by checking its version. Type the following command and press Enter:

aircrack-ng --version

The expected output will show the version of aircrack-ng, confirming that the tool is ready for use. It might look like this:

Aircrack-ng 1.7

This step ensures that all necessary tools are available in the Kali Linux container for wireless testing. By installing aircrack-ng, you have prepared the environment for enabling monitor mode and capturing wireless traffic in the next steps. Make sure the installation completes successfully before moving forward.

Enabling Monitor Mode on Wireless Interface

Now that you have installed the necessary tools, let's move to enabling monitor mode on a wireless network interface inside the Kali Linux container. Monitor mode is essential for wireless penetration testing as it allows your wireless card to capture network traffic without connecting to any network.

For beginners, think of monitor mode as turning your wireless card into a passive listener. Normally, in "managed mode," the card associates with one access point and only passes up frames addressed to it. In monitor mode, it hands every 802.11 frame it hears on the current channel to the capturing tool without associating to any network, which is what airodump-ng needs in order to observe beacons, clients, and handshakes.

Since you are already in the Kali Linux container's shell (automatically connected when opening the terminal), let's start by identifying the wireless interface. Type the following command and press Enter to list all network interfaces:

iwconfig

The expected output will display a list of network interfaces. Look for a wireless interface, typically named wlan0 or similar. In this lab environment, assume the interface is wlan0. The output might look like this:

wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

Next, enable monitor mode on the wlan0 interface using the airmon-ng tool, which is part of the aircrack-ng suite you installed earlier. Run the following command and press Enter:

airmon-ng start wlan0

The expected output will indicate that monitor mode is enabled, and the interface name might change to wlan0mon. It could look like this:

Interface wlan0 is now in monitor mode as wlan0mon.

If there are any warnings about interfering processes, the tool might suggest killing them. In this lab environment, assume no such conflicts exist for simplicity.

Finally, verify that monitor mode is active by running the following command and pressing Enter:

iwconfig

The expected output should show the interface (e.g., wlan0mon) in monitor mode, like this:

wlan0mon  IEEE 802.11  Mode:Monitor  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

This confirms that monitor mode is successfully enabled. You have now prepared the wireless interface to capture traffic, which is a critical step before moving on to capturing WPA handshakes in the next step. Ensure the mode is set to Monitor before proceeding.

Capturing WPA Handshakes with Airodump-ng

With monitor mode enabled on your wireless interface, the next step is to capture a WPA handshake using the airodump-ng tool within the Kali Linux container. A WPA handshake is the four-way exchange of EAPOL frames between a client and an access point when the client joins a WPA/WPA2 network, and capturing it allows us to attempt cracking the password in later steps.

For beginners, understand that a WPA handshake doesn't contain the password directly: it carries the nonces and a message integrity code derived from the key, which is enough to test password guesses offline without touching the network again. This process is ethical only in a controlled lab environment or with explicit permission on real networks. In this lab, we will simulate capturing a handshake in a safe setting.

Since you are already in the Kali Linux container's shell (automatically connected upon opening the terminal), let's start capturing wireless traffic. Run the following command and press Enter to begin monitoring all nearby networks on the wlan0mon interface:

airodump-ng wlan0mon

The expected output will display a live table of nearby Wi-Fi networks, showing details like BSSID (access point MAC address), ESSID (network name), CH (channel), and encryption type. It might look like this:

CH  6 ][ Elapsed: 1 min ][ 2023-10-01 12:00

BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC  CIPHER  AUTH  ESSID
00:14:22:AB:CD:EF  -30       10        5    0   6   54   WPA2 CCMP   PSK   TestNetwork

Let this run for a few seconds to observe the networks, then stop it by pressing Ctrl+C. For this lab, assume you have identified a target network with the ESSID TestNetwork, BSSID 00:14:22:AB:CD:EF, and operating on channel 6.

Now, focus on capturing traffic for this specific network to obtain the WPA handshake. Run the following command and press Enter to target the network and save the captured data to a file named handshake in the /root directory:

airodump-ng --bssid 00:14:22:AB:CD:EF --channel 6 -w /root/handshake wlan0mon

In this command, --bssid specifies the target network's MAC address, --channel sets the channel to listen on, and -w /root/handshake sets the output file prefix (airodump-ng appends a sequence number and extension, giving /root/handshake-01.cap). The expected output will show traffic specific to the target network. If a handshake is captured, you will see [ WPA handshake: 00:14:22:AB:CD:EF ] at the top right of the output. For this lab, assume a handshake is captured after a few seconds. Stop the capture by pressing Ctrl+C.

Verify that the capture file was saved by listing the contents of the /root directory. Run the following command and press Enter:

ls -l /root

The expected output should include a file named handshake-01.cap (or similar), like this:

-rw-r--r-- 1 root root 12345 Oct  1 12:05 handshake-01.cap

This confirms the captured data is saved. You have now successfully captured a WPA handshake, which will be used in the next step to attempt cracking the WPA key. Ensure the file exists before proceeding.
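By default airodump-ng also writes a CSV summary of the survey (here /root/handshake-01.csv) next to the .cap file. The following Python script is an added example, not part of the lab or the aircrack-ng project: it parses that two-section CSV layout on a constructed sample and flags access points whose configuration a defender should fix; the column names are assumed to match airodump-ng's CSV header.

```python
import csv
import io
from collections import Counter

# Constructed sample in the airodump-ng CSV layout (not a real capture): AP table, blank line, station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:22:AB:CD:EF, 2023-10-01 12:00:00, 2023-10-01 12:01:00,  6,  54, WPA2, CCMP, PSK, -30,       10,        5,   0.  0.  0.  0,  11, TestNetwork, 
00:14:22:AB:CD:F0, 2023-10-01 12:00:00, 2023-10-01 12:01:00, 11,  54, WPA, TKIP, PSK, -62,        7,        0,   0.  0.  0.  0,   9, OldRouter, 
00:14:22:AB:CD:F1, 2023-10-01 12:00:00, 2023-10-01 12:01:00,  1,  54, OPN, , , -70,        3,        0,   0.  0.  0.  0,   9, GuestOpen, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:11:22:33, 2023-10-01 12:00:30, 2023-10-01 12:01:00, -45,        8, 00:14:22:AB:CD:EF, TestNetwork
AA:BB:CC:11:22:34, 2023-10-01 12:00:40, 2023-10-01 12:01:00, -50,        2, 00:14:22:AB:CD:EF, 
"""

def parse_airodump_csv(text):
    """Return (access_points, stations): lists of dicts keyed by the stripped header names."""
    sections = [s for s in text.replace("\r\n", "\n").split("\n\n") if s.strip()]
    tables = []
    for section in sections:
        rows = list(csv.reader(io.StringIO(section), skipinitialspace=True))
        header = [h.strip() for h in rows[0]]
        tables.append([{k: v.strip() for k, v in zip(header, row)} for row in rows[1:] if row])
    return tables[0], (tables[1] if len(tables) > 1 else [])

def audit_access_points(aps, stations):
    """Classify each AP; returns (bssid, essid, severity, finding) tuples, worst configurations first in severity."""
    clients = Counter(s["BSSID"] for s in stations)  # clients seen talking to each AP
    findings = []
    for ap in aps:
        priv, cipher, auth = ap["Privacy"], ap["Cipher"], ap["Authentication"]
        if "OPN" in priv:
            sev, why = "high", "open network, traffic is unencrypted"
        elif "WEP" in priv:
            sev, why = "high", "WEP, broken cipher"
        elif "WPA3" not in priv and ("WPA2" not in priv or "TKIP" in cipher):
            sev, why = "medium", "WPA/TKIP legacy mode, move to WPA2-CCMP or WPA3"
        elif auth == "PSK":
            sev, why = "low", "WPA2-PSK, handshake is capturable and the passphrase guessable offline, so it must be long and random (or use WPA3-SAE)"
        else:
            sev, why = "info", "no weak configuration detected"
        findings.append((ap["BSSID"], ap["ESSID"], sev, f"{why}; {clients[ap['BSSID']]} client(s) seen"))
    return findings

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)  # for a real survey: open("/root/handshake-01.csv").read()
    for bssid, essid, sev, why in audit_access_points(aps, stations):
        print(f"[{sev:>6}] {bssid} {essid!r}: {why}")
```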

Cracking WPA Keys Using Aircrack-ng

Having captured a WPA handshake in the previous step, you are now ready to attempt cracking the WPA key using the aircrack-ng tool inside the Kali Linux container. This process involves testing potential passwords from a wordlist against the captured handshake data to find the correct key.

For beginners, cracking a WPA key means taking each candidate password from a list (called a wordlist), deriving the key it would produce for this network name, and checking whether that key reproduces the integrity code in the captured handshake. This is an offline process, meaning it doesn't interact with the target network during the attempt. In this lab, we will use a small sample wordlist for demonstration purposes.

Since you are already in the Kali Linux container's shell (automatically connected when opening the terminal), let's create a simple wordlist file in the /root directory. Run the following command and press Enter to open the nano editor and create a file named wordlist.txt:

nano /root/wordlist.txt

In the nano editor, type the following sample passwords, one per line:

password123
testwifi
admin123

Save the file by pressing Ctrl+O, then Enter to write the file, and finally Ctrl+X to exit nano. There will be no output for this action, but the file is now created.

Verify that the wordlist file exists by listing the contents of the /root directory. Run the following command and press Enter:

ls -l /root

The expected output should include wordlist.txt, like this:

-rw-r--r-- 1 root root  30 Oct  1 12:10 wordlist.txt

Now, use aircrack-ng to attempt cracking the WPA key with the captured handshake and the wordlist. Run the following command and press Enter, using the BSSID from the previous step and the paths to the files:

aircrack-ng -w /root/wordlist.txt -b 00:14:22:AB:CD:EF /root/handshake-01.cap

In this command, -w specifies the wordlist file, -b specifies the target network's BSSID, and the last argument is the path to the handshake file. The expected output will show the tool testing passwords from the wordlist. If successful, it will display the found key, like this:

KEY FOUND! [ testwifi ]

If no key is found, it will indicate that all passwords were tested without success. For this lab, assume the password testwifi is found. The process may take a few seconds to complete.

You have now attempted to crack a WPA key using aircrack-ng. In the next step, you will save this result for documentation. Ensure you see the key in the output before moving forward.
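The defender's counterpart to this step, as an added example that is not from the lab or from aircrack-ng: a Python check that reports whether a candidate passphrase would fall to exactly the wordlist run above. The wordlist is embedded as a constructed copy of /root/wordlist.txt, and the 60-bit minimum is an assumed policy value.

```python
import math
import string

# Constructed copy of the lab's /root/wordlist.txt, so the check runs offline.
LAB_WORDLIST = ["password123", "testwifi", "admin123"]
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def keyspace_bits(passphrase):
    """Rough brute-force cost: log2(alphabet ** length), alphabet = size of the character classes used."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0

def check_psk(passphrase, essid, wordlist, min_bits=60):
    """Return the policy violations for a WPA/WPA2 passphrase (an empty list means acceptable)."""
    issues = []
    if not (8 <= len(passphrase) <= 63) or not all(32 <= ord(c) <= 126 for c in passphrase):
        issues.append("must be 8 to 63 printable ASCII characters (802.11 PSK passphrase rule)")
    if passphrase.lower() in {w.strip().lower() for w in wordlist}:
        issues.append("present in the wordlist: aircrack-ng recovers it on the first pass")
    if essid and (essid.lower() in passphrase.lower() or passphrase.lower() in essid.lower()):
        issues.append("derived from the ESSID, which every beacon broadcasts in the clear")
    if keyspace_bits(passphrase) < min_bits:
        issues.append(f"estimated keyspace {keyspace_bits(passphrase):.0f} bits, below {min_bits}: feasible to guess offline")
    return issues

if __name__ == "__main__":
    for candidate in ("testwifi", "Zq7!mRv2#kLp9wXe"):
        print(candidate, "->", check_psk(candidate, "TestNetwork", LAB_WORDLIST) or ["ok"])
```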

Saving the Cracked WPA Key

In this final step, you will save the cracked WPA key from the previous step into a text file for documentation purposes within the Kali Linux container. Saving the key ensures you have a record of your findings, which is a good practice in penetration testing for future reference or reporting.

For beginners, documenting results like a cracked key is important to keep track of your work. This step involves creating a simple text file to store the key and related network information. It's a straightforward process using basic file operations in the terminal.

Since you are already in the Kali Linux container's shell (automatically connected when opening the terminal), let's create a file named cracked_keys.txt in the /root directory to store the key. Run the following command and press Enter to open the nano editor:

nano /root/cracked_keys.txt

In the nano editor, type the following details about the cracked key, replacing testwifi with the actual password found in the previous step if different:

Network: TestNetwork
BSSID: 00:14:22:AB:CD:EF
Password: testwifi
Date: 2023-10-01

Save the file by pressing Ctrl+O, then Enter to write the file, and finally Ctrl+X to exit nano. There will be no output for this action, but the file is now created.

Verify that the file was saved by listing the contents of the /root directory. Run the following command and press Enter:

ls -l /root

The expected output should include cracked_keys.txt, like this:

-rw-r--r-- 1 root root  85 Oct  1 12:15 cracked_keys.txt

To ensure the contents are correct, display the file's contents by running the following command and pressing Enter:

cat /root/cracked_keys.txt

The expected output will show the text you entered, like this:

Network: TestNetwork
BSSID: 00:14:22:AB:CD:EF
Password: testwifi
Date: 2023-10-01

This confirms that the cracked key is saved successfully. You have now completed the process of documenting your findings, which wraps up the wireless penetration testing workflow in this lab. Ensure the file contents are correct before finishing.

Summary

In this lab, you have learned the fundamental steps of wireless penetration testing using Kali Linux and the Aircrack-ng toolset in the LabEx VM environment. You started by installing essential tools like aircrack-ng, then enabled monitor mode on a wireless interface to capture network traffic. Following that, you captured a WPA handshake, attempted to crack the WPA key using a wordlist, and finally saved the cracked key for documentation. These steps provide a solid foundation for understanding wireless security testing and the importance of securing networks against such vulnerabilities in a controlled setting.