Using tools in Kali Linux like aircrack-ng, hackers can hack into WPA/WPA2 WiFi networks by capturing the handshake between a device connecting to the network and cracking the password. They start the network card in monitor mode to sniff traffic, use airodump-ng to find the target network, capture a handshake by forcing reconnection with deauth packets, and use aircrack-ng and wordlists like rockyou.txt to crack the password, which could take hours depending on the complexity.

How to Hack WPA/WPA2 Wi-Fi with Kali Linux
Written by Jack Lloyd | Edited by Nicole Levine, MFA
Last Updated: June 23, 2022

Want to find out if your Wi-Fi network is easy to hack? As a Kali Linux user, you have hundreds of pre-installed security auditing and penetration testing tools at your disposal. These tools are intended for ethical hacking—finding and repairing weak spots in a network—and not for illegal purposes. To find out if a WPA/WPA2 PSK network is susceptible to a brute-force password attack, you can use a suite of tools called aircrack-ng to hack the key. We'll show you how!

Part 1 of 2: Starting Monitor Mode

1. Log into your Kali desktop as root. This logs you in to the desktop environment as the root user.
   - If you haven't enabled root logins in Kali and are using KDE or GNOME, run sudo apt install kali-root-login at the prompt.[1] Once installed, you can set a root password by running sudo passwd (no username) and entering a new root password. At that point, you can log in to the desktop as root.

2. Plug in your Wi-Fi card (if needed). If you don't have a Wi-Fi card that allows monitoring (RFMON) or you're using Kali Linux in a virtual machine, you'll need to attach an external card that does.
   - In most cases, simply attaching the card to your computer will be enough to set it up. Check the instructions for your Wi-Fi card to be sure.
   - If you're not sure whether your Wi-Fi card supports monitoring, it doesn't hurt to try these next few steps.

3. Disconnect from Wi-Fi. To successfully test a network, you'll want to make sure your computer is not actively connected to Wi-Fi—not even to the network you're testing.

4. In a terminal window, run the airmon-ng command. This tool comes with Kali Linux as part of the aircrack-ng package, and will show you the names of the connected Wi-Fi interface(s). You'll want to take note of what you see under the "Interface" header for your card.
   - If you don't see an interface name, your Wi-Fi card doesn't support monitoring.

5. Run airmon-ng start wlan0 to start monitoring the network. If the name of your Wi-Fi interface isn't wlan0, replace that part of the command with the correct name. This gives you a new virtual interface name, which will usually be something like mon0, which you'll see next to "(monitor mode enabled)."
   - If you see a message that says "Found processes that could cause trouble," run airmon-ng check kill to kill them.

6. Run airodump-ng mon0 to view the results. Replace mon0 with the correct virtual interface name if that's not what you saw earlier. This displays a data table for all Wi-Fi routers in range.

7. Find the router you want to hack. At the end of each line of output, you'll see a router name.
   - Make sure the router is using WPA or WPA2 security. If you see "WPA" or "WPA2" in the "ENC" column, you can proceed.

8. Find the BSSID and channel number of the router. Now you'll want to make note of the values of the "BSSID" and "CH" fields for the router you want to hack. These pieces of information are to the left of the network's name.

9. Monitor the network for a handshake. A "handshake" occurs when a device connects to a network (e.g., when your computer connects to a router). You need to wait until a handshake occurs so you capture the data necessary to crack the password. To start monitoring, run the following command:
   airodump-ng -c number --bssid xx:xx:xx:xx:xx:xx -w /root/Desktop/ mon0
   - Replace the word number with the channel number you saw, and the xx:xx:xx:xx:xx:xx with the BSSID.
   - As long as this command stays running, you'll be monitoring for all connections and new handshakes.

Part 2 of 2: Logging and Cracking the Password

1. Understand what a deauth attack does. A deauth attack sends deauthentication packets to the router you're trying to break into, causing users to disconnect and requiring them to log back in. When a user logs back in, you will be provided with a handshake. If you don't do a deauth attack, you might have to wait around for a long time for a handshake to complete—you'll need that handshake to crack the password.
   - If you already see a line with the tag "WPA handshake:" followed by a MAC address in the output of the airodump-ng command, skip to Step 5—you have what you need to crack the password and don't need to send deauth packets.
   - Remember—use these tools for ethical purposes only.

2. Wait for something to connect to the network. Once you see two BSSID addresses appear next to each other—one labeled BSSID (the Wi-Fi router) and the other labeled STATION (the computer or other device)—this means a client is connected. To force them into a handshake, you'll now send them deauth packets that kill their connection.

3. Open a new terminal. Make sure airodump-ng is still running in the original terminal window, and drag it to another place on your desktop so both terminals are visible.

4. Send the deauth packets. Run this command, replacing NETWORK BSSID with the router's BSSID and STATION BSSID with the MAC address of the client that connected to the network: aireplay-ng -0 2 -a NETWORK BSSID -c STATION BSSID mon0. (In aireplay-ng, -a names the access point and -c names the client.)
   - This command will send 2 deauth packets to disconnect the client from the network.[2] Don't try to send more than this—sending too many packets could prevent the client from reconnecting and generating the handshake.
   - As long as you're close enough to the target client, they'll be disconnected from the router and forced to reconnect with a handshake. If this doesn't work, move closer to the client.
   - As soon as the client reconnects, all of the information you'll need to crack the password will be available.

5. In the original terminal window, press Control + C to quit airodump-ng. This stops the dump and saves a file ending with .cap to your desktop.
6. Decompress the rockyou.txt wordlist. To crack the password, you'll need a wordlist. Fortunately, since you're using Kali Linux, you have several already in /usr/share/wordlists.[3] The one we'll want to use is called rockyou.txt, but it's zipped up by default. To unzip it, run gzip -d /usr/share/wordlists/rockyou.txt.gz.
   - You won't be able to crack the password if it's not in the wordlist. You can always try one of the other wordlists if rockyou.txt doesn't crack the password.

7. Run the command to crack the password. You'll use a tool called aircrack-ng, which comes with Kali Linux, to do so. The command is aircrack-ng -a2 -b NETWORK BSSID -w /usr/share/wordlists/rockyou.txt /root/Desktop/*.cap. Replace NETWORK BSSID with the BSSID for the router.
   - Depending on the strength of the password and the speed of your CPU, this process can take anywhere from a few hours to a few days.
   - If you're cracking a static WEP key network instead of a WPA/WPA2-PSK network, replace -a2 with -a1.[4]

8. Look for "KEY FOUND!" in the terminal window. When you see a "KEY FOUND!" heading appear, aircrack-ng has found the password, which will appear in plain text.
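The deauth step in Part 2 works because WPA2 management frames carry no integrity protection unless 802.11w (Protected Management Frames) is enabled, which also means a defender running a monitor-mode sniffer can spot the attack as a burst of deauthentication frames between one pair of addresses. The following Python script is an added example, not code from the original article or from the aircrack-ng project; it runs that detection over a constructed sample of frame records, and the MAC addresses, the one-second window and the threshold of ten frames are assumptions chosen for the sample.

```python
from collections import defaultdict

# Constructed sample of 802.11 management-frame records as a monitor-mode
# sniffer might export them: (seconds, frame subtype, source MAC, destination
# MAC). The MACs are made up. The single deauth at t=3.2 is ordinary churn
# (roaming, idle timeout); the two runs starting at t=12.0 mimic an injected
# burst aimed first at the client and then at the access point.
AP = "aa:bb:cc:00:00:01"
CLIENT = "de:ad:be:ef:00:02"
SAMPLE_FRAMES = (
    [(0.0, "beacon", AP, "ff:ff:ff:ff:ff:ff"),
     (3.2, "deauth", AP, CLIENT),
     (8.0, "beacon", AP, "ff:ff:ff:ff:ff:ff")]
    + [(12.0 + i * 0.01, "deauth", AP, CLIENT) for i in range(40)]
    + [(12.4 + i * 0.01, "deauth", CLIENT, AP) for i in range(40)]
)


def find_deauth_bursts(frames, window=1.0, threshold=10):
    """Count deauthentication frames per (source, destination) pair in fixed
    time buckets of `window` seconds and report every bucket whose count
    exceeds `threshold`. Returns a sorted list of (src, dst, bucket, count).

    A few deauths per minute from an access point are normal; tens of them
    within a second between one pair of addresses is the shape of injection.
    """
    counts = defaultdict(int)
    for ts, subtype, src, dst in frames:
        if subtype == "deauth":
            counts[(src, dst, int(ts // window))] += 1
    bursts = [(src, dst, bucket, n)
              for (src, dst, bucket), n in counts.items() if n > threshold]
    return sorted(bursts, key=lambda b: (b[2], b[0], b[1]))


def main():
    for src, dst, bucket, n in find_deauth_bursts(SAMPLE_FRAMES):
        print(f"ALERT at t={bucket}s: {n} deauth frames {src} -> {dst}")


if __name__ == "__main__":
    main()
```

Enabling 802.11w on the access point (optional in WPA2, mandatory in WPA3) makes spoofed deauth frames fail their integrity check, so clients discard them and a handshake cannot be forced this way.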


Community Q&A

Question

What is a word list, and how do I find one?

Community Answer

A word list is a file with passwords in it. RockYou is a good one.


Question

Where can I download Kali Linux?

Community Answer

Go to kali.org. At the top of the page, there is a Download tab. Once you open
that, it will pull up the list of current downloads.

Question

Who created Kali Linux?

Community Answer

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security Ltd. Mati Aharoni, Devon Kearns and Raphaël Hertzog are the core developers.

Question

Why are some commands not working in Kali Linux in VirtualBox?

Community Answer

With VirtualBox, you'll need an external Wi-Fi adapter, and this adapter must handle monitor mode.

Question

Is it only for randomly generated passwords?

Community Answer

Not exactly; it is able to crack specific selected passwords, but it may not be able to hack something complicated.

Question

How much time will it take for cracking the password?

Sourabh Joshi
Community Answer

It may take a few seconds or many hours. It depends on how difficult the password is. Hacking is not an easy task; you need to be patient.

Question

Will I notice any symptoms on my router when I try this?

Community Answer

You should not notice any symptoms if there is no Wi-Fi connection indicator. In some cases, the LED lamp on your router starts blinking if the connection is being established.

Question

Is this like a dictionary attack?

Community Answer

Partly; it could be considered a dictionary attack, but often the wordlists contain much more than just words from the dictionary. The words could be made up of numbers, letters and special characters.

Question

What is a flash drive?

Community Answer

A "flash drive" is a USB memory stick.


Question

After attempting to run naivehashcat, I got "dicts/rockyou.txt: No such file or directory". What does that mean? What should I do?

Community Answer

This means that the file you are trying to target does not exist. Make sure you
copy the path of the file correctly into the terminal.


Tips

Using this method to test your own Wi-Fi for weak spots before launching a
server is a good way to prepare your system for similar attacks.


Warnings

Sending more than two deauth packets may cause your target computer to crash, thus arousing suspicion.

Hacking into anyone’s Wi-Fi without permission is illegal in most countries.


Only perform the above steps on a network that either belongs to you or for
which you have explicit consent to test.


References

1. https://www.kali.org/docs/general-use/enabling-root/
2. https://www.aircrack-ng.org/doku.php?id=cracking_wpa
3. https://www.kali.org/tools/wordlists/
4. https://www.aircrack-ng.org/doku.php?id=aircrack-ng