Table of Contents
If you aspire to become an ethical hacker or a penetration tester, one of the areas you will cover is Network Hacking. That involves spoofing MAC addresses, Deauthentication attacks, Bypassing MAC filtered networks, Hacking WEP/WPA/WPA2 wifi passwords, WPS exploitation, and much more.
This post will give a step-by-step guide on How to hack WiFi passwords (WPA / WPA2) using Kali Linux.
You must have an installed setup of Kali Linux. You can easily install Kali Linux (if you don't have one) in a couple of minutes using Oracle VirtualBox or any other similar software. All the tools we will use are open-source and already pre-installed on Kali Linux.
Step-1: Understanding 2.4 GHz and 5 GHz WIFI Networks
The 802.11 standard provides several distinct radio frequency ranges (WIFI bands) for use in Wi-Fi communications. Some of the most common bands are 2.4 GHz and 5 GHz. These WIFI bands:
- Determine the frequency range that is used to support communication
- Determine the channels that are used to support communication
- Client devices need to support the band used by the router to communicate with it. Therefore, if the router uses the 5 GHz frequency, your device needs to support this band to connect to the router.
- Data could be sniffed from a certain band if the wireless adapter used supports the band.
Currently, most routers support both bands, and you can enable any of them or both at once.
From the router image above, the WIFI band 2.4 GHz is referred to as Wireless while the 5 GHz band is referred to as Wireless 5G. When cracking WIFI passwords, your network card needs to support the frequency band used by the WIFI network you want to crack. Therefore, if you want to crack a 5 GHz network, and your network card only supports 2.4 GHz, this WIFI network will not even be visible to your PC.
Step-2: Understanding Managed Mode and Monitor Mode
Since we will be capturing data packets sent by the router, we need to understand the difference between Managed mode and Monitor mode. Any device that supports a wireless connection uses a Network Interface Card (NIC). Most of them are inbuilt, but nowadays, you can purchase a USB network card and connect to a WIFI network much easier. A Network Interface Card, by default, is set to Managed mode. That means it can only capture packets sent directly to it by the router. Packets that contain our MAC address as the destination address.
To capture as many packets as possible that will aid us in the WIFI password cracking process, we need to put our card in Monitor mode. That way, we can capture packets sent to us and any other device around us.
Enable Monitor Mode
Execute any of the commands below to see the name of the wireless card n your device.
# ifconfig # ip link
By default, wireless cards on Kali start with the name
wlan. My device supports two wireless cards. From the image below, you can see I have wlan0 and wlan1.
To enable mode on our device, we will use a tool called
airmon-ng. Execute the command below and replace the name
wlan1 with the name of your card.
# airmon-ng start wlan1
To confirm whether your card was successfully put in monitor mode, execute the command below:
At times, you might need to stop troublesome processes before putting your card in monitor mode. They will interfere by changing channels and sometimes putting the interface back in managed mode. Execute the command below:
# airmon-ng check kill
Step-3: Packet Sniffing with Airodump-ng
With our card successfully put on monitor mode, we can start the packet sniffing process. Execute the command below, replacing
wlan1 with the name of your card.
# airodump-ng wlan1
A window similar to the one below will open.
The top section shows information about the routers/access points within the proximity of our wireless card in monitor mode. The bottom section shows us the client devices and which networks they are connected to. To hack WIFI passwords, much of the information we need is in the top section. Let's look understand what the different columns represent in detail.
- BSSID: This represents the MAC address of our router or Access point.
- PWR: This column shows how close or far the router is to our device. From the image above, the one with -1 is very close, while -81 shows it's very far.
- Beacons: These are the packets sent by the Access Point to announce its presence.
- # Data: This column represents the captured data packets
- #/s: The number of packets captured in the last 10 seconds
- CH: The channel which the Access Point is communicating on
- MB: The maximum speed supported by the Access Point
- ENC: The Encryption algorithm used by the Access Point
- CIPHER: The Cipher detected on the network
- AUTH: The mode of authentication supported by the Access Point
- ESSID; The name of the WIFI network
In this step, we sniffed packets, but we did not store them. It was just a random sniffing attack. Now, let's do a targeted packet sniffing and use the captured packets to hack WIFI password.
Step-4: Targeted Packet Sniffing
In this tutorial, we will hack the password of the Safaricom Home-2 WIFI network. However, there is a catch! The image above shows that the network uses the WPA2 encryption algorithm—one of the most secure algorithms used in WIFI security.
To crack this type of encryption, we will need to capture as many Handshake packets as possible. These are the packets transmitted between the Access Point (Router) and the Client device when establishing a connection. We will use the syntax below.
airodump-ng --bssid <AP_MAC_Address> --channel <AP_Channel> --write <File_Name> <Wireless_Card> E.g # airodump-ng --bssid E4:AB:89:AA:74:1B --channel 12 --write SafaricomCapture wlan1
SafaricomCapture is the name of the file where we will store the captured packets.
Now, we have one problem. Handshake packets are only transmitted only when a client connects to a router. Once the connection is established, we cannot capture any more handshake packets. However, what if there was a way we could disconnect clients from our network, and when they reconnect, we capture as many handshake packets as possible. Luckily there is.
Step-5: Deauthentication Attack
While the Targeted Packet Sniffing is still running, we can open a new Terminal window and perform a deauthentication attack. This kind of attack removes users from the WIFI network, and when they reconnect, you can capture as many handshake packets as possible.
We will use the syntax below using a tool called.
aireplay-ng --deauth <no_of_deauth_packets> -a <AccessPoint_MAC> <WirlessCard> E.g #aireplay-ng --deauth 50 -a E4:AB:89:AA:74:1B wlan1
If you wanted to disconnect a particular device, you would use the syntax below:
aireplay-ng --deauth <no_of_deauth_packets> -a <AccessPoint_MAC> -c <client_MAC> <WirlessCard>
Step-6: How to hack WiFi - Using a Wordlist Attack
Once we have captured enough packets, we can start the password cracking process. Execute the
ls command on your working directory. You will see several files with the name of the file containing the captured packets. We will use the file with the
.cap extension. The tool we will use for cracking is
We can actually start cracking the WIFI password as the packet sniffing is going on - we rack packets as we continue collecting more. We will use the syntax below:
aircrack-ng <packets_file_name> -w <wordlist_path> E.g # aircrack-ng SafaricomCapture-01.cap -w /usr/share/wordlists/mywordlist.txt
From the image above, you can see we successfully cracked the password of the WPA2 WIFI network.
With a wordlist large enough, you can hack WIFi passwords easily. However, if the password is very complex, it will take some time - from 10 minutes, 2 hours to more than a day. You can speed up the cracking process by using a powerful GPU instead of a CPU or use Rainbow tables. If all that fails, you will need to use social engineering and dupe a user into revealing the WIFI password.