Technology, Tutorials, Wireless Security

How To Crack WPA/WPA2 Wi-Fi Passwords Using Aircrack-Ng In Kali

September 14, 2017

Introduction (The Ultimate Guide To Cracking WPA/WPA2 Wireless Networks)

This article teaches you how to easily crack WPA/WPA2 Wi-Fi passwords using the Aircrack-Ng suite In Kali Linux.

Not only will you learn the basics, but I will also provide you the best tips and educational resources on increasing your chances of executing successful dictionary-based brute force attacks on captured WPA handshakes.

With practice, you’ll become a seasoned pro in less than a century!

Before we begin, you’ll require the following:

  • Kali Linux (could be live CD, installed OS, or virtual machine).
  • A WiFi adapter that is able of injecting packets and going into “monitor” mode. Unless you are lucky to have a computer with factory network cards that possess this capability, then you’ll probably need to purchase an external WiFi adapter.
  • Multiple diverse wordlists to attempt to crack the WPA handshake password once it has been captured by airdump-ng.
  • Having computing power, resources, and money isn’t enough. Time, dedication, consistency, and patience are required to succeed.

NOTE: This tutorial is for educational purposes only. You acknowledge that you are using your newly acquired knowledge to perform penetration testing on your own test network environment and router device.

This article is split into four sections in which I strive to explain most simply the following:

  • How to easily hack a Wi-Fi network’s WPA/WPA2 handshake password so you can learn quickly and retain this information for the future.
  • I will provide effective troubleshooting solutions for issues/bugs surrounding external WiFi adapters and the common problems that prevent you from cracking a WiFi’s password.
  • I will give you the best tips on obtaining the WiFi’s password using the Aircrack-ng suite which will lead to higher success. Along, I will provide an illustration of the differences between the pros and the amateurs which ultimately illuminate my former objective of this article.
  • Lastly, I will provide download links to many different wordlists that I recommend that you can use to crack WEP/WPA/WPA2.

Let’s start!

How to Easily Hack A Wi-Fi Network’s WPA/WPA2 Handshake Password

Penetration Of A Wireless Network Starts With Logging Into Kali

If you haven’t already login to Kali, the default login information is: root (Username) and toor (Password)

Plug In A Compatible Packet Injection WiFi Card Into Your Computer’s USB Port

Plug in the external WiFi adapter into your computer’s USB port. If your computer already has a factory WiFi card, then nevermind. If you are using virtualization software, there is going to be an icon that you need to click on and select the device. Make sure to add the USB device filter if you are using VirtualBox.

Recommended USB Wi-Fi Plug-And-Play Cards For Kali Linux

Here is my list of top three recommended USB plug-and-play cards Wi-Fi cards for Kali Linux:

TP-Link WN722 (2.4GHz, first version only)

 

 

 

 

 

 

 

 

 

Alfa AWUS036NHA (2.4GHz)

 

 

 

 

 

 

 

Alfa AWUS036H (2.4GHz)

 

 

 

 

 

 

 

 

Plug-and-play USB Wi-Fi adapters mean that no drivers are required to get the external Wi-Fi card working. Just plug in the external card into a USB port and enjoy.

Open A Terminal In Kali

Find Your Wireless Card’s Chipset and Driver Using Airmon-ng

In terminal, type in: airmon-ng

This will show all of the WiFi cards that can go into monitor mode. If you don’t see the external WiFi adapter, disconnect and reconnect it via the USB port.

Put Your Wireless Card’s Interface Into Monitor Mode Using Airmon-ng

Type in terminal: airmon-ng start interface0   

If your WiFi card’s interface is wlan0, you type: airmonng start wlan0.

A “monitor mode enabled” message indicates that the wireless card has been successfully entered into monitor mode.

Use ifconfig Command To Check That The Monitor Interface Has Been Established

Type in the terminal: ifconfig

You shall see the new monitor interface information (whether it shows mon0 or wlan1mon like our example) which indicates that your WiFi card’s interface has been successfully put into monitor mode using the preceding Airmon-ng start command.

Use Airodump To Display All Of The WiFi Networks At Your Location

In terminal, type: airodump-ng interface (Replace interface with the new monitor interface which may be mon0 or wlan1mon like the example above).

The next step is paying attention to is the vast amount of information that is presented to you in terminal.

Airodump displays all WiFi networks at your location along with other information about the networks.

Find your network that you are authorized to pentest.

After you found your network, hit Ctrl + C on your keyboard to stop Airodump. Remember the channel of the particular network.

Keep the terminal open.

Copy the BSSID of the WiFi network.

Use Airodump To Monitor Only The Target WiFi Network

Type in the following command into terminal:

airodump-ng -c (number of channel) -bssid (thetargetsbssid) -w /root/Desktop (name of monitor interface)

Replace (number of channel) with the channel of your target’s WiFI network.

Next step is to paste the network’s BSSID in (thetargetsbssid) without the brackets of course.

Replace (name of monitor interface) with the name of your own interface like mon0.

The “-w” parameter tells Airodump where to save the intercepted WPA handshake which is used to crack the WiFi password. Currently, we have it saved on our Desktop. You can choose where you want to save it.

Press enter in terminal.

An example of an Airodump command used to attempt for the interception of the WPA handshake looks like this:

airodump-ng -c 1-bssid 00:00:00:00:00:00 -w /root/Desktop mon0

The 00s are replaced with your target’s BSSID.

Airodump Will Now Attempt To Obtain More Information Of The WiFi Network

What we do is briefly wait for a device to either connect or reconnect to the wireless network. This compels the router to give the four-way WPA handshake which will be saved to our chosen location when captured. It’s important not to delete the files.

You will see four files saved to our chosen location (Desktop). The handshake is saved there if successfully captured.

We can wait for a little bit until one of the target’s device connects. We can also decide to use another tool in the Aircrack suite called aireplay-ng which will compel a device to reconnect via Aireplay sending out deauthentication packets to one of the wireless network devices. It’s basically a trick to make the device believe that it has to reconnect to the network.

Leave The Terminal Running Airodump Open

Open A New Terminal And Run Aireplay By Typing The Following Command In Terminal:

aireplay-ng -0 2 -a (router’s BSSID) -c (client’s BSSID) (monitor interface)

Obviously, someone on the network has to be connected first. Observe Airodump do its job. Wait a little for a client to make an appearance. You might have to wait a while. If you don’t see a client appear after a prolonged time, then it might be because the network has no client connected or you are too far from the router.

What the Aireplay parameters mean:

–0 refers to the deauthentication mode. 2 refers to the number of deauthentication packets to transmit.

-a = AP’s BSSID. Replace (router’s BSSID) with the target’s wireless network BSSID.

PRO TIP: If you see multiple devices connecting to the router, and you use aireplay to send the deauth packets to one station, and it fails to capture the WPA handshake after numerous attempts, try to send the deauth packets to another station that is currently connected to the target’s router as listed in Airodump (like the second connected station below).

Often times, sending the deauth packets to another device can and has successfully captured the WPA handshake which is needed to crack the WiFi’s password. Inexperienced pentesters typically think that the first station listed in Airodump has the greatest chance of successfully being deauthed. But this is not always the case, the second station, or the following stations listed in Airodump can have a higher chance of receiving the deauth packets. This is something to always keep in mind for ethical hackers when hacking WiFi networks using the Aircrack suite.

Once you see that the WPA handshake been successfully captured, you can press Ctrl + C on the Airodump terminal to stop monitoring. It’s best to keep the Airodump terminal window open since the information may be valuable for later usage. The password is essentially in the hacker’s possession, and all he has to do is crack it with brute force.

There is an easier and less confusing, automated way of capturing the WPA handshake using Wifite, but we’re only going to be focusing on Airodump-ng since this article emphasizes the Aircrack-ng suite. Capturing the WPA handshake is essential for brute forcing the password with a dictionary based attack. Without the WPA handshake captured, we can’t proceed with a traditional brute force.

Use Aircrack Along With A Dictionary Wordlist To Crack The Password.

It’s time to use your computer now and the cap file on your Desktop to crack the WiFi password.

This process is largely dependant on:

  • Your choice of wordlists.
  • Your machine’s computing resources and power.

Type in the following command into terminal:

aircrack-ng -a2 -b 00:00:00:00:00:00 -w /root/Desktop/rockyou.txt /root/Desktop/*.cap

The 00s are replaced with your target’s BSSID.

The “-a” parameter refers to the method aircrack will deploy to crack the WPA handshake with 2 indicating the WPA method.

The “-b” parameter refers to the target router’s BSSID. Replace the BSSID appropriately with the target.

The “-w” parameter refers to the dictionary wordlist which needs to be replaced with the path to a wordlist that you have downloaded and decided to use.

One of the finer dictionary wordlists included in Kali Linux is “rockyou.txt” located in “/usr/share/wordlists” Unzipping it is easy, just enter ‘gzip -d /usr/share/wordlists/rockyou.txt.gz‘ Make sure to add “established weak” passwords that are being used by the target you are pen-testing. Oh yeah, and add these passwords to the very top as to ensure they are used first.

NOTE: A list of wordlists to download is available at the end of this tutorial!

/root/Desktop/*.cap refers to the path in which the .cap file holds the passwords. If there aren’t any other .cap files located on the Desktop, the * wildcard should suffice. If not, just replace with the exact file name.

Press Enter in the terminal.

Wait For Aircrack To Crack The WPA Handshake

Aircrack will attempt to crack the WiFi password using the wordlist you have chosen. This process requires you to wait. If the password is not in the wordlist, then the password won’t be cracked until you have chosen a wordlist that contains the target’s password.

If the password has been located in the wordlist then Aircrack will indicate it in terminal like the following:

Simple Troubleshooting For Not Being Able To Get WPA Handshake After Sending Deauth Requests To Client

If you are not able to get the handshake after several deauth requests, it is mostly likely because your clients are too far from you. The same thing occurs with injection attacks like ARP. To fix this issue, simply re-position your equipment (computer, external WiFi adapter) to be as close to the client’s access point (router) and the clients.

Another reason may be because a hardware issue relating to your network device being obsolete and incompatible that is causing this issue. Hence, your network device is unable to capture packets from other protocols. For instance, if your device runs 802.11g and the WiFi network itself is 802.11n.

It’s important to remember that your wireless card has the ability to quickly obtain packets, but it’s not too good at establishing them. Therefore, strong positioning is crucial in your success of obtaining the WPA handshake. Sometimes you might find yourself in the situation where you cannot capture the WPA Handshake. However, on another day, you are able to easily.

Troubleshooting Steps

Fixed Channel, “AP is on another channel”

If you get a ‘fixed channel’ while using the aircrack-ng suite (while airmoning, airodumping, or aireplaying) and you keep switching to different channels automatically in action, you can fix this by entering the following commands into the terminal after you are finished (particularly using airmoning):

airmon-ng check kill

airmon-ng start wlan0

————————–

What’s nice about the above commands is that no patches are required, and you don’t need to use other drivers except for those in Kali. Not a lot of people know about this convenient, easy solution. Your wireless card will remain in a “fixed channel” mode which lets you accomplish your pentesting objectives without errors and interference. You might need to type in those above commands every time you start/reboot Kali Linux, especially if you’re using virtualization software like VMware or VirtualBox as these kinds of problems tend to show up more frequently on virtual machines.

If you get the fixed channel -1 error, you may prefer using other commands rather than the above. Instead, you could use the following commands when you are starting monitor mode:

airmon-ng start interface (if wlan0 is your interface)

ifconfig wlan0mon down

iwconfig wlan0mon mode monitor

ifconfig wlan0mon up

Problems After Using Airmon-ng

If you encounter problems after using airmon-ng, type in the following command into terminal:

airmon-ng stop mon0

————————–

The above command will remove your mon0 interface without actually taking down interfaces.

You’ll see something like this in terminal:

Interface                  Driver

mon0                       [phy0]  (removed)

To confirm that your mon0 interface has been removed successfully, use ‘ifconfig’ to check. You shouldn’t see mon0 listed among other interfaces like eth0, lo, and wlan0.

If your network isn’t working correctly after airmoning, type in the following commands into terminal:

service network-manager start

dhclient [interface]

NOTE: An example to put in would be wlan0.

Checking Current Services That May Affect Airmon-ng

You can check current running processes that may potentially affect airmon-ng, by typing in terminal:

airmon-ng check

Tips On How To Successfully Crack The WPA Handshake Password Easily

The reality is that you must have different wordlists ready.

As a pentester, you don’t know what your target’s WiFi password is, it could very much be the opposite of one of your other networks. For example, one network may use a fairly simple password like mere words and numbers, while another may utilize symbols along with words and numbers.

Capitalization may exist with another network’s password. Hence, you might successfully obtain the password on the first try, or you might need to switch another wordlist.

Brute Force > Wi-Fi Network

Like most cryptography, brute force will always win in the end if provided sufficient time. It’s all a matter of time. This is particularly true when it comes to cracking the WiFi network’s password since there are no brute force protections implemented which allow the pentester to brute force without interruption.

Take Advantage Of Peoples’ Inherent Weaknesses And Flaws To Exploit Their Security

The aforementioned fact pertains the truth that most ordinary people are going to use simpler passwords rather than come up with sophisticated passwords since they are harder to remember. Human beings are inherently lazy and make mistakes. If everyone used complex passwords, pentesting wouldn’t be a business and Kali wouldn’t bother to include these tools in their Linux distribution. Hence, this makes brute forcing a viable technique for penetrating through the walls of WPA/WPA2. It’s just that it may take a lot, but eventually, the pentester will get there.

A pro wireless pentester will always take advantage of the fact that the majority of ordinary people will use WiFi passwords that will be easy to remember and be cracked. People want to start connecting to their own WiFi networks quickly so they can gratify instantly.

Do you honestly expect them to open up a password manager and copy/paste the password prior to connecting to their own WiFi network like they do for the other authentication required services? (They probably don’t even use a password manager at all.) That notion alone will bring chuckles among the daily users of the Internet.

The more complex a password is, the more difficult it is to remember. Complexity in a password doesn’t mean it can’t be cracked. It can and it will. The pro clearly knows all of this. This is the kind of mindset that an amateur ought to internalize.

Have more computing resources available for cracking the WPA handshake.

The speed of cracking a WPA handshake will partially depend on the processing power of your machine, the graphics card, etc. Having a machine with superior specs ensure maximum efficiency in brute forcing. While not everyone can possess a super computer, a capable machine is extremely affordable in this day and age. Moreover, multiple machines for pen testing should never be ruled out.

Differences Between A Pro And An Amateur Wireless Penetration Tester

What separates a professional wireless penetration tester from an amateur is the ability of the pro to sort the information shown like BSSID, PWR, Beacons, #Data, etc. into neatly isolated documents for further analysis. Organizing is key. For instance, being able to categorize one type of channel from another. The pro does this with extreme familiarity and ease without much thought. The pro ought to document what worked and what didn’t. He’ll likely have many terminals open at the same time while he is pen-testing on his Kali Desktop.

Don’t Always Aim For WPS Vulnerabilities

Don’t rely solely on exploiting the Wi-Fi Protected Setup (WPS) in modern routers since most will block PIN attempts.

There are possible ways to circumvent those protections, but it’s questionable whether it’s truly worth your time figuring and doing so when brute force will always succeed if prepared and executed properly.

Wordlists That I Recommend Looking At For Penetrating WEP/WPA/WPA2 Wireless Networks

7GB Password List From RenderLab

33GB Password List From RenderLab

Openwall

More Openwall

Different Language Dictionaries From Openwall

Again, More Openwall

Cerias Purdue

Outpost9

Vulnerability Assessment

Packet Storm Security

Ai UGA

Cotse

More Cotse

Conclusion

I’ve provided some valuable information on cracking WPA/WPA2 encrypted wireless networks in this tutorial.

More importantly, the advice provided is really something that a pen tester should always embrace.

Security will always have flaws, and there will always be people there to exploit its inevitable weaknesses.

Hope you guys found this tutorial helpful!

Feel free to leave a comment below or check out my other articles.

Wishing you the best!

You Might Also Like

Back to top
%d bloggers like this: