Security check
Security check

Security Scanning with Aircrack-Ng


A security department of a wireless solutions vendor.


To check WiFi access points for vulnerabilities and password-cracking possibilities.


The client gave us a device for testing: an access point with the OpenWrt Chaos Calmer V1.0.0 operating system and LuCI Master web interface.

To scan the device for security, our engineers used Aircrack-ng, a set of programs to work with wireless networks: intercept traffic, check encryption keys, and perform pen tests.

The PC on which we captured and analysed the data had the following tech specs:

  • Kali Linux distribution: a system that integrates all Wi-Fi diagnostic tools.
  • A processor with SSE, AVX, and AVX2 instructions support, accelerating the analysis of collected data, including WPA/WPA2 key hashes.

We also used a network adapter that supports monitoring mode (promiscuous mode). With its help, we can track all the traffic received via a wireless channel.

Testing access point

We tested the device for vulnerability to password cracking in a few steps:

  • We created a WiFi access point with WPA2 encryption on the device, set the name "QAopenwrt2g" and the password "adminadmin".
  • Also, we configured the Aircrack-ng system on the PC. To do this, we disabled the internal network configuration programmes "wpa_supplicant" and "NetworkManager":

$ sudo pkill wpa_supplicant
$ sudo pkill NetworkManager

The network adapter operation was switched to the monitoring mode (promiscuous mode):

$ sudo airmon-ng start wlan0
  • We launched the "airodump-ng" utility and collected information about WiFi hotspots. Airodump-ng found our access point "QAopenwrt2g":
$ sudo airodump-ng wlan0
Airodump ng termina
  • We collected detailed information on WiFi clients of the "QAopenwrt2g" access point using the airodump-ng utility.
    We intercepted the data of a WiFi connection with a WiFi client. To do this, we provided the Aircrack-ng utility with the data of the connected WiFi client: the access point's WiFi channel and MAC address.
$ sudo airodump-ng -c 6 -w dump --bssid B8:6A:97:35:C2:35 wlan0

As a result, we saw with whom the WiFi point exchanges data. We also got file with data packets of WiFi AP and WiFi client communication:

WiFi AP and WiFi client communication
  • To speed up the handshake packet capture, we force the client to disconnect from the network using the aireplay-ng utility:
$ sudo aireplay-ng -0 0 -a B8:6A:97:35:C2:35 -c 64:DD:E9:DA:71:86 wlan0
As a result, a "handshake" message was intercepted (see the screenshot below):
Handshake message
  • Then, we decoded the message using a pre-prepared wordlist "wordlist.txt".

With the help of the crunch utility, we prepared a list of words to crack the hash key which was used in the handshake data packet:

crunch <min> <max> <charset> -t <pattern> – o <filename.lst>
crunch 10 10 admin -t admin – o wordlist.txt
We found the hash key password using the list of words from "worldlist.txt" and used the command:

$ aircrack-ng -w wordlist.txt dump-01.cap

Wordlist and command
  • In the list of 78125 lines, we found a matching password on line number 59570 in 8 minutes and 57 seconds. Time to pass through 1 element of the list by a single-core PC with processor frequency 2 GHz (Celeron 550) = 0.009 seconds.

Business Value

We found several vulnerabilities in the access point that could cause hacking. As a result, our client has modified the devices, ensured additional security, and signed a contract to supply these WiFi access points to an enterprise-segment company.

Other cases

Tell us about your project

All submitted information will be kept confidential.