Aircrack-ng | How to Hack WiFi? Cracking WEP, WPA, WPA2 on Kali!

In this article I'm going to demonstrate how easily a WiFi network using WEP, WPA or WPA2 security can be hacked using the Aircrack-ng toolkit. Later, I'll also cover ways to protect your own WiFi.

Prerequisite: Read This Article First: Basics of WiFi hacking and security!

Aircrack-ng Tool Kit – Basic Steps!

If you're planning to hack any WiFi using the aircrack-ng toolkit, you need to follow some common steps regardless of the type of security and encryption being used.

Let's begin. Open the terminal and type the program name:

Kali Linux Terminal
root@kali:~# airmon-ng

This tool lists the WiFi adapters you have. If your wireless card is listed, it is most probably working.


Now you have to put your wireless card into monitor mode so that it can listen to all nearby WiFi networks.

Kali Linux Terminal
root@kali:~# airmon-ng start wlan0

Your wireless card (wlan0) is now in monitor mode, exposed as a new interface (mon0). If you have more than one wireless card, choose the appropriate one among wlan0, wlan1, wlan2 and so on.

Now, to see the details of all wireless networks around you, run:

Kali Linux Terminal
root@kali:~# airodump-ng mon0

Note that mon0 might be mon1, mon2, mon3 etc., depending on how many monitor-mode interfaces are already running on your system.

From here on, the steps for hacking WEP and WPA2 (or WPA) are slightly different.

Cracking WEP Key on Kali Linux

By now airodump-ng should be running successfully for you. Next, you have to choose a target (in my case it's ESSID: HIMANSHUNEGI.ORG, channel: 4 and BSSID: 0C:D2:B5:03:43:68).

You should choose an AP that you created yourself, as taught in Basics of WiFi hacking and security!

Capturing Key

HIMANSHUNEGI.ORG is using WEP security right now.

We'll begin by capturing its IV packets (initialization vectors), from which aircrack-ng recovers the WEP key statistically. The command for this is as follows:

Kali Linux Terminal
root@kali:~# airodump-ng -w HIMANSHUNEGI.ORG -c 4 --bssid 0C:D2:B5:03:43:68 --ivs mon0

Let me explain the command to you:

  • -w is for writing to a file, i.e. HIMANSHUNEGI.ORG (a new file will be created with this name, with a postfix -01, or -02 if HIMANSHUNEGI.ORG-01 already exists).
  • -c is used for the channel (CH), which in our case is 4.
  • --bssid restricts the capture to the access point with that MAC address.
  • --ivs tells airodump-ng to capture only IV packets.
  • mon0 is the monitor-mode interface we want to use.

Now wait a few minutes until you have captured 10,000+ IV packets (the more, the better).

As already mentioned in the prerequisite article, this takes much less time if a good amount of data is being transferred over the network and the access point is close (good signal strength).

If there is no activity on the WiFi network, you won't be able to capture enough packets. But you can always try de-authenticating clients from the AP in order to generate data packets; try either of the following commands:

Kali Linux Terminal (deauth sent to all clients)
root@kali:~# aireplay-ng -0 5 -a 0C:D2:B5:03:43:68 mon0

OR

Kali Linux Terminal (deauth sent to one client)
root@kali:~# aireplay-ng -0 5 -a 84:1B:5E:50:C8:6E -c 88:53:2E:0A:75:3F mon0

Let me explain the command to you:

  • -0 is for de-authentication
  • 5 indicates the number of de-authentication packets to send
  • -a is the BSSID of the access point
  • -c is the client we want to disassociate

Run either of the above aireplay-ng commands for a few seconds and then stop it (using Ctrl+C). Hopefully it will generate some data packets; repeat the process until you have at least 10K IV packets.

Cracking Key

When you have captured enough packets, you can try cracking the WEP key of the WiFi network.

Kali Linux Terminal
root@kali:~# aircrack-ng HIMANSHUNEGI.ORG-01.cap

Notice that the file name has changed: airodump-ng automatically appends -01, -02, -03 etc. to the file name, depending on how many files with the same name already exist.

After a couple of minutes you will find the password. The WEP key (the password in hex representation) is 3937353536 and its ASCII value is 97556. Both will work fine as the password.

Troubleshooting: If you were unable to reproduce this whole WiFi hacking process, there might be the following reasons:

  • You typed a wrong command or passed incorrect values (such as an incorrect channel number, BSSID or anything else).
  • You might not have captured enough IV packets (collect at least 10,000).
  • Your wireless card may not be working properly. In this case, get an external WiFi adapter (mentioned in the prerequisite article).

Hacking WPA or WPA2 WiFi | Kali

Follow the common Aircrack-ng steps up to the airodump-ng command. Now we have to choose a target (in my case it's ESSID: HIMANSHUNEGI.ORG, channel: 4 and BSSID: 0C:D2:B5:03:43:68).

You should choose an AP that you created yourself, as taught in Basics of WiFi hacking and security!

NOTE: The steps for hacking WPA and WPA2 WiFi using aircrack-ng are the same.

Capturing Handshake

Now HIMANSHUNEGI.ORG is using WPA2 security. Our aim is to capture the handshake packets, which carry the material needed to test password guesses offline. The command for this is as follows:

Kali Linux Terminal
root@kali:~# airodump-ng -w HIMANSHUNEGI.ORG -c 4 --bssid 0C:D2:B5:03:43:68 mon0

Let me explain the command to you (note that --ivs is not used here, because the handshake is only saved when full packets are written):

  • -w is for writing to a file, i.e. HIMANSHUNEGI.ORG (if not present, it will be created)
  • -c is used for the channel (CH), which in our case is 4
  • --bssid restricts the capture to the access point with that MAC address

Now note that the handshake happens only when a client connects to a WiFi access point. In order to make a client reconnect and re-authenticate itself to the access point, we need to disassociate it using the aireplay-ng de-authentication command.

Kali Linux Terminal
root@kali:~# aireplay-ng -0 5 -a 0C:D2:B5:03:43:68 mon0

Run the above command and then wait for the handshake to be captured. This usually takes a few seconds. If it doesn't happen, repeat the aireplay-ng command.
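The de-authentication bursts used in both the WEP and the WPA sections are exactly what a wireless intrusion detection sensor on your own network should alert on. As an added example, not part of the original article, the Python below parses raw 802.11 management frames, counts de-authentication frames per BSSID and destination, and flags floods above a threshold. The frames are constructed inside the block (the real BSSID from the article plus a made-up one), and it assumes radiotap headers have already been stripped from the capture.

```python
import struct
from collections import Counter

BROADCAST = "FF:FF:FF:FF:FF:FF"
DEAUTH_FC0 = 0xC0   # frame control byte 0: subtype 12 (deauth) << 4 | type 0 (management) << 2
BEACON_FC0 = 0x80   # subtype 8 (beacon), type 0 (management)

def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def _mac_str(b):
    return ":".join(f"{x:02X}" for x in b)

def build_mgmt_frame(fc0, dst, src, bssid, seq, body=b""):
    """Build a minimal raw 802.11 management frame (constructed test data only, no radiotap)."""
    header = struct.pack("<BBH", fc0, 0x00, 0x013A)            # frame control + duration
    header += _mac_bytes(dst) + _mac_bytes(src) + _mac_bytes(bssid)
    header += struct.pack("<H", seq << 4)                       # sequence control, fragment 0
    return header + body

def parse_deauth(frame):
    """Return (bssid, dst, src, reason_code) if frame is a deauthentication frame, else None."""
    if len(frame) < 26:                                         # 24-byte header + 2-byte reason
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or (fc0 >> 4) & 0xF != 12:         # management type, subtype 12
        return None
    dst, src, bssid = _mac_str(frame[4:10]), _mac_str(frame[10:16]), _mac_str(frame[16:22])
    reason = struct.unpack("<H", frame[24:26])[0]
    return bssid, dst, src, reason

def detect_deauth_flood(frames, threshold=5):
    """Count deauth frames per (bssid, destination) and return the pairs at or above threshold.
    A broadcast destination is what the 'aireplay-ng -0 N -a <bssid>' form above produces."""
    counts = Counter()
    for frame in frames:
        parsed = parse_deauth(frame)
        if parsed:
            counts[(parsed[0], parsed[1])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample capture: one beacon, six broadcast deauths carrying the article's BSSID
# (reason code 7) and one deauth from an unrelated, made-up AP that stays below threshold.
AP = "0C:D2:B5:03:43:68"
OTHER_AP = "AA:BB:CC:DD:EE:FF"
REASON_7 = struct.pack("<H", 7)
SAMPLE_FRAMES = [build_mgmt_frame(BEACON_FC0, BROADCAST, AP, AP, 1)]
SAMPLE_FRAMES += [build_mgmt_frame(DEAUTH_FC0, BROADCAST, AP, AP, 10 + i, REASON_7) for i in range(6)]
SAMPLE_FRAMES.append(build_mgmt_frame(DEAUTH_FC0, BROADCAST, OTHER_AP, OTHER_AP, 3, REASON_7))

if __name__ == "__main__":
    for (bssid, dst), n in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"ALERT: {n} deauth frames from BSSID {bssid} to {dst}")
```

In a real sensor the counts would be kept per time window and reset; a handful of deauths per hour is normal, dozens within seconds are not.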

Cracking WPA or WPA2 Password

Once the handshake has been captured, you can try cracking the WPA or WPA2 WiFi password against a wordlist.

Kali Linux Terminal
root@kali:~# aircrack-ng HIMANSHUNEGI.ORG-01.cap -w /root/dictionary/rockyou.txt

Notice that the file name has changed: airodump-ng automatically appends -01, -02, -03 etc. to the file name, depending on how many files with the same name already exist. The password is only found if it is present in the wordlist.

Countermeasures: Secure your WiFi

You should always focus on auditing (and tightening) your own WiFi security instead of going to jail for hacking someone else's WiFi.

Here are some security tips to protect your WiFi:

  • Never choose WEP security for WiFi. You should only choose WPA or WPA2 security (WPA2 with AES/CCMP, not TKIP, where the router offers the choice).
  • Don't enable the WPS option, as it is vulnerable to the WPS PIN attack. Google for WPS CVE (Common Vulnerabilities and Exposures).
  • Always choose a strong password: a long passphrase that does not appear in any wordlist, since the WPA/WPA2 attack above only succeeds against passwords present in the dictionary.
  • Change your WiFi password periodically (every week or month). Even if someone somehow gets your WiFi password, they shouldn't be able to enjoy it for long.
  • Finally, audit your own wireless security.
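For the last tip, the same airodump-ng scan used above is also the audit tool: when run with -w (and without --ivs) it writes a CSV next to the capture listing every access point with its Privacy and Cipher columns. As an added example, not from the original article, the Python below reads such a CSV and flags your own networks that still use OPN, WEP or TKIP; the sample CSV is constructed and assumes the column layout of airodump-ng's CSV header.

```python
import csv

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv (assumption: header
# columns as below; the station section after the blank line is ignored by the audit).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
0C:D2:B5:03:43:68, 2024-01-01 10:00:00, 2024-01-01 10:06:00,  4,  54, WEP , WEP , , -41, 310, 10432,   0.  0.  0.  0, 16, HIMANSHUNEGI.ORG, 
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:06:00,  6,  54, WPA2, CCMP, PSK, -55, 280,     0,   0.  0.  0.  0,  8, HomeNet1, 
AA:BB:CC:DD:EE:02, 2024-01-01 10:00:00, 2024-01-01 10:06:00, 11,  54, WPA2 WPA, CCMP TKIP, PSK, -60, 250, 0,   0.  0.  0.  0,  8, HomeNet2, 
AA:BB:CC:DD:EE:03, 2024-01-01 10:00:00, 2024-01-01 10:06:00,  1,  54, OPN , , , -70, 200,     0,   0.  0.  0.  0,  9, CafeGuest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

def audit_airodump_csv(text):
    """Return (bssid, essid, privacy, cipher, verdict) per AP row, most serious findings first."""
    ap_rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        if not line.strip():
            break                               # blank line ends the AP section
        ap_rows.append(line)
    findings = []
    for row in csv.reader(ap_rows, skipinitialspace=True):
        if len(row) < 14:
            continue                            # malformed or truncated row
        bssid, privacy, cipher, essid = row[0].strip(), row[5].strip(), row[6].strip(), row[13].strip()
        if "OPN" in privacy:
            verdict = "CRITICAL: open network, all traffic readable"
        elif "WEP" in privacy:
            verdict = "CRITICAL: WEP, key recoverable from captured IVs as shown above"
        elif "TKIP" in cipher or ("WPA" in privacy and "WPA2" not in privacy):
            verdict = "WARN: WPA/TKIP still allowed, move to WPA2-only with CCMP"
        else:
            verdict = "OK: WPA2/CCMP (strength now depends on the passphrase)"
        findings.append((bssid, essid, privacy, cipher, verdict))
    # CRITICAL first, then WARN, then OK; the sort is stable so scan order is kept within a level
    findings.sort(key=lambda f: ("CRITICAL" not in f[4], "WARN" not in f[4]))
    return findings

if __name__ == "__main__":
    for bssid, essid, privacy, cipher, verdict in audit_airodump_csv(SAMPLE_CSV):
        print(f"{bssid}  {essid:<18} {privacy:<9} {cipher:<10} {verdict}")
```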