Kali Linux can be used for many things, but it probably is best known for its ability to penetration test, or “hack,” WPA and WPA2 networks. There are hundreds of Windows applications that claim they can hack WPA; don’t get them! They’re just scams, used by professional hackers, to lure newbie or wannabe hackers into getting hacked themselves. There is only one way that hackers get into your network, and that is with a Linux-based OS, a wireless card capable of monitor mode, and aircrack-ng or similar. Also note that, even with these tools, Wi-Fi cracking is not for beginners. Playing with it requires basic knowledge of how WPA authentication works, and moderate familiarity with Kali Linux and its tools. If you feel you have the necessary skills, let’s begin: kali linux hack wifi
These are things that you’ll need:
- A successful install of Kali Linux (which you probably have already done). If not, follow my tutorial here:
- A wireless adapter capable of injection/monitor mode. Some computers have network cards capable of this from the factory. If you’re, like most however, you’ll have to buy an external one. Here is a list of the best:
- A wordlist to attempt to “crack” the password once it has been captured
- Time and patients
- kali linux hack wifi
If you have these then roll up your sleeves and let’s see how secure your network is!
Important notice: Hacking into anyone’s Wi-Fi without permission is considered an illegal act or crime in most countries. We are performing this tutorial for the sake of penetration testing, hacking to become more secure, and are using our own test network and router.
By reading and/or using the information below, you are agreeing to our Disclaimer
Step One: kali linux hack wifi
Start Kali Linux and login, preferably as root.
Step Two: kali linux hack wifi
Plugin your injection-capable wireless adapter, (Unless your native computer wireless card supports it). If you’re using Kali in VMware, then you might have to connect the card via the icon in the device menu.
Step Three: kali linux hack wifi
Disconnect from all wireless networks, open a Terminal, and type airmon-ng
This will list all of the wireless cards that support monitor (not injection) mode. If no cards are listed, try disconnecting and reconnecting the adapter (if you’re using one) and check that it supports monitor mode. If you’re not using an external adapter, and you still don’t see anything listed, then your card doesn’t support monitor mode, and you’ll have to purchase an external one (see the link in the requirements). You can see here that my card supports monitor mode and that it’s listed as wlan0.
Step Four: kali linux hack wifi
Type airmon-ng start followed by the interface name of your wireless card. mine is wlan0, so my command would be: airmon-ng start wlan0
The “(monitor mode enabled)” message means that the card has successfully been put into monitor mode. Note the name of the new monitor interface, mon0.
A bug recently discovered in Kali Linux makes airmon-ng set the channel as a fixed “-1” when you first enable mon0. If you receive this error, or simply do not want to take the chance, follow these steps after enabling mon0:
Type: ifconfig [interface of wireless card] down and hit Enter.
Replace [interface of wireless card] with the name of the interface that you enabled mon0 on; probably called wlan0. This disables the wireless card from connecting to the internet, allowing it to focus on monitor mode instead.
After you have disabled mon0 (completed the wireless section of the tutorial), you’ll need to enable wlan0 (or name of wireless interface), by typing: ifconfig [interface of wireless card] up and pressing Enter.
Type airodump-ng followed by the name of the new monitor interface, which is probably mon0.
If you receive a “fixed channel –1” error, see the Edit above.
Airodump will now list all of the wireless networks in your area, and a lot of useful information about them. Locate your network or the network that you have permission to penetration test. Once you’ve spotted your network on the ever-populating list, hit Ctrl + C on your keyboard to stop the process. Note the channel of your target network.
Copy the BSSID of the target network
Now type this command:
airodump-ng -c [channel] –bssid [bssid] -w /root/Desktop/ [monitor interface]Replace [channel] with the channel of your target network. Paste the network BSSID where [bssid] is, and replace [monitor interface] with the name of your monitor-enabled interface, (mon0). The “–w” and file path command specifies a place where airodump will save any intercepted 4-way handshakes (necessary to crack the password). Here we saved it to the Desktop, but you can save it anywhere.
A complete command should look similar this:
airodump-ng -c 10 –bssid 00:14:BF:E0:E8:D5 -w /root/Desktop/ mon0
Now press enter.
Airodump with now monitor only the target network, allowing us to capture more specific information about it. What we’re really doing now is waiting for a device to connect or reconnect to the network, forcing the router to send out the four-way handshake that we need to capture in order to crack the password.
Also, four files should show up on your desktop, this is where the handshake will be saved when captured, so don’t delete them!
But we’re not really going to wait for a device to connect, no, that’s not what impatient hackers do. We’re actually going to use another cool-tool that belongs to the aircrack suite called aireplay-ng, to speed up the process. Instead of waiting for a device to connect, hackers can use this tool to force a device to reconnect by sending deauthentication (deauth) packets to one of the networks devices, making it think that it has to reconnect with the network.
Of course, in order for this tool to work, there has to be someone else connected to the network first, so watch the airodump-ng and wait for a client to show up. It might take a long time, or it might only take a second before the first one shows. If none show up after a lengthy wait, then the network might be empty right now, or you’re to far away from the network.
You can see in this picture, that a client has appeared on our network, allowing us to start the next step.
Leave airodump-ng running and open a second terminal. In this terminal, type this command:
aireplay-ng –0 2 –a [router bssid] –c [client bssid] mon0
The –0 is a short cut for the deauth mode and the 2 is the number of deauth packets to send.
-a indicates the access point/router’s BSSID, replace [router bssid] with the BSSID of the target network, which in my case, is 00:14:BF:E0:E8:D5.
-c indicates the client’s BSSID, the device we’re trying to deauth, noted in the previous picture. Replace the [client bssid] with the BSSID of the connected client, this will be listed under “STATION.”
And of course, mon0 merely means the monitor interface, change it if yours is different.
My complete command looks like this:
aireplay-ng –0 2 –a 00:14:BF:E0:E8:D5 –c 4C:EB:42:59:DE:31 mon0
Upon hitting Enter, you’ll see aireplay-ng send the packets. If you were close enough to the target client, and the deauthentication process works, this message will appear on the airodump screen (which you left open):
This means that the handshake has been captured, the password is in the hacker’s hands, in some form or another. You can close the aireplay-ng terminal and hit Ctrl + C on the airodump-ng terminal to stop monitoring the network, but don’t close it yet just incase you need some of the information later.
If you didn’t receive the “handshake message,” then something went wrong in the process of sending the packets. Unfortunately, a variety of things can go wrong. You might just be too far away, and all you need to do is move closer. The device you’re attempting to deauth might not be set to automatically reconnect, in which case you’ll either have to try another device, or leave airodump on indefinitely until someone or something connects to the network. If you’re very close to the network, you could try a WiFi spoofing tool like wifi-honey, to try to fool the device into thinking that you’re the router. However, keep in mind that this requires that you be significantly closer to the device than the router itself. So unless you happen to be in your victim’s house, this is not recommended.
Do note that, despite your best efforts, there are many WPA networks that simply can’t be cracked by these tools. The network could be empty, or the password could be 64 characters long, etc.
This concludes the external part of this tutorial. From now on, the process is entirely between your computer, and those four files on your Desktop. Actually, it’s the .cap one, that is important. Open a new Terminal, and type in this command:
aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap
-a is the method aircrack will use to crack the handshake, 2=WPA method.
-b stands for bssid, replace [router bssid] with the BSSID of the target router, mine is 00:14:BF:E0:E8:D5.
-w stands for wordlist, replace [path to wordlist] with the path to a wordlist that you have downloaded. I have a wordlist called “wpa.txt” in the root folder.
/root/Desktop/*.cap is the path to the .cap file containing the password. The * means wild card in Linux, and since I’m assuming that there are no other .cap files on your Desktop, this should work fine the way it is.
My complete command looks like this:
aircrack-ng –a2 –b 00:14:BF:E0:E8:D5 –w /root/wpa.txt /root/Desktop/*.cap
Now press Enter.
Aircrack-ng will now launch into the process of cracking the password. However, it will only crack it if the password happens to be in the wordlist that you’ve selected. Sometimes, it’s not. If this is the case, you can try other wordlists. If you simply cannot find the password no matter how many wordlists you try, then it appears your penetration test has failed, and the network is at least safe from basic brute-force attacks.
Cracking the password might take a long time depending on the size of the wordlist. Mine went very quickly.
If the phrase is in the wordlist, then aircrack-ng will show it too you like this:
The passphrase to our test-network was “notsecure,” and you can see here that it was in the wordlist, and aircrack found it.
If you find the password without a decent struggle, then change your password, if it’s your network. If you’re penetration testing for someone, then tell them to change their password as soon as possible.
How to Hack WPA/WPA2 Wi Fi with Kali Linux
This wikiHow teaches you how to find out the password for a WPA or WPA2 network by hacking it with Kali Linux.
-1 Understand when you can legally hack Wi-Fi. In most regions, the only time you can hack a WPA or WPA2 network is when the network either belongs to you or belongs to someone who has given you explicit consent to hack the network.
- Hacking networks that don’t meet the above criteria is illegal, and may constitute a federal crime.
Download the Kali Linux disk image. Kali Linux is the preferred tool for hacking WPA and WPA2. You can download the Kali Linux installation image (ISO) by doing the following:
- Go to https://www.kali.org/downloads/ in your computer’s web browser.
- Click HTTP next to the version of Kali you want to use.
- Wait for the file to finish downloading.
Attach a flash drive to your computer. You’ll need to use a flash drive with at least 4 gigabytes of space for this process.
Make your flash drive bootable. This is necessary in order to be able to use the USB flash drive as an installation location.
- You can also use a Mac for this step.
Place the Kali Linux ISO file on the flash drive. Open the flash drive, then drag the downloaded Kali Linux ISO file into the flash drive’s window.
- Make sure you leave your USB flash drive plugged in after you finish this process.
Install Kali Linux. To install Kali Linux on your computer, do the following:
- Prompt your Windows computer to restart.
- Enter the BIOS menu.
- Set your computer to start from your USB drive by finding the “Boot Options” (or similar) section, selecting your USB drive’s name, and moving it to the top of the list.
- Save and exit, then wait for the Kali Linux installation window to appear (you may have to restart your computer one more time).
- Follow the Kali Linux installation prompts.
Buy a Wi-Fi card that supports monitoring. You can find Wi-Fi cards online or in tech department stores. Make sure that your Wi-Fi card allows monitoring (RFMON), or you won’t be able to hack a network.
- Many computers have built-in RFMON Wi-Fi cards, so you might want to try the first four steps of the next part before buying one.
- If you’re using Kali Linux in a virtual machine, you will need a Wi-Fi card regardless of your computer’s card.
Log into your Kali Linux computer as root. Enter your root username and password when logging in.
- You will need to be on your root account at all times during the hacking process.
Plug your Wi-Fi card into your Kali Linux computer. Doing so will immediately prompt the card to begin setting up and downloading drivers for itself; if prompted, follow the on-screen instructions to complete the setup. Once you’re done with this step, you can proceed with hacking your selected network.
- If you’ve already set up the card on your computer before, you’ll still have to set it up for Kali Linux here by plugging it in.
- In most cases, simply attaching the card to your computer will be enough to set it up.
Open your Kali Linux computer’s Terminal. Find and click the Terminal app icon, which resembles a black box with a white “>_” on it.
- You can also just press Alt+Ctrl+T to open the Terminal.
Enter the Aircrack-ng installation command. Type in the following command, then press ↵ Enter:
sudo apt-get install aircrack-ng
Enter your password when prompted. Type in the password you use to log into your computer, then press ↵ Enter. This enables root access for any other commands executed in Terminal.
- If you open another Terminal window (as you may later in this article), you may have to run a command with the sudo prefix and/or enter your password again.
Install Aircrack-ng. Press Y when prompted, then wait for the program to finish installing.
Turn on airmon-ng. Type in the following command, then press ↵ Enter.
Find the monitor name. You’ll find this in the “Interface” column.
- If you’re hacking your own network, it will usually be named “wlan0”.
- If you don’t see a monitor name, your Wi-Fi card doesn’t support monitoring.
Begin monitoring the network. You can do so by typing in the following command and pressing ↵ Enter:
airmon-ng start wlan0
- Make sure you replace “wlan0” with the name of your target network if it’s different.
Enable a monitor mode interface. Enter the following command:
Kill any processes that return errors. In some cases, your Wi-Fi card will conflict with running services on your computer. You can kill these processes by entering the following command:
airmon-ng check kill
Review the monitor interface name. In most cases, the name will be something like “mon0” or “wlan0mon”.
ell your computer to listen to nearby routers. To get a list of all routers in range, enter the following command:
- Make sure you replace “mon0” with whatever your monitor interface name was in the last step.
Find the router you want to hack. At the end of each string of text, you’ll see a name; find the one belonging to the network you want to hack into.
Make sure the router is using WPA or WPA2 security. If you see “WPA” or “WPA2” immediately to the left of the network’s name, you can proceed; otherwise, you cannot hack the network.
Note the MAC address and channel number of the router. These pieces of information are to the left of the network’s name:
- MAC address — This is the line of numbers on the far-left side of your router’s line.
- Channel — This is the number (e.g., 0, 1, 2, etc.) directly to the left of the WPA or WPA2 tag.
Monitor your selected network for a handshake. A “handshake” occurs when an item connects to a network (e.g., when your computer connects to a router). Enter the following code, making sure to replace the necessary components of the command with your network’s information:
airodump-ng -c channel --bssid MAC -w /root/Desktop/ mon0
- Replace “channel” with the channel number you found in the last step.
- Replace “MAC” with the MAC address you found in the last step.
- Remember to replace “mon0” with whatever your interface name was.
- Here’s an example address:airodump-ng -c 3 –bssid 1C:1C:1E:C1:AB:C1 -w /root/Desktop/ wlan0mon
Wait for a handshake to appear. Once you see a line with the tag “WPA handshake:” followed by a MAC address in the upper-right corner of the screen, you can proceed.
- If you’re not in a waiting mood, you can force a handshake using a deauth attackbefore continuing with this part.
Exit airodump-ng, then open the desktop. Press Ctrl+C to quit, then make sure you can see the “.cap” file on your computer’s desktop.
Rename your “.cap” file. While not strictly necessary, this will make it easier to work with later. Enter the following command to change the name, making sure to replace “name” with whatever you want to name the file:
mv ./-01.cap name.cap
- If your “.cap” file isn’t named “-01.cap”, replace “-01.cap” with whatever your “.cap” file’s name is.
Convert the “.cap” file into “.hccapx” format. You can do this by using Kali Linux’s converter. Enter the following command, making sure to replace “name” with your file’s name:
cap2hccapx.bin name.cap name.hccapx
- You can also go to https://hashcat.net/cap2hccapx/ and upload the “.cap” file to the converter by clicking Choose File and selecting your file. Once the file is uploaded, click Convert to convert it and then download it back onto your desktop before proceeding.
Install naive-hashcat. This is the service you’ll use to crack the password. Enter the following commands in order:
sudo git clone https://github.com/brannondorsey/naive-hashcat cd naive-hashcat curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
- If your computer doesn’t have a GPU, you’ll need to use aircrack-ng instead.
Run naive-hashcat. Once it finishes installing, enter the following command (making sure to replace any instance of “name” with your “.cap” file’s name):
HASH_FILE=name.hccapx POT_FILE=name.pot HASH_TYPE=2500 ./naive-hashcat.sh
Wait for the network password to be cracked. Once the password is cracked, its string will be added to the “name.pot” file found in the “naive-hashcat” directory; the word or phrase after the last colon in the string is the password.
- It can take anywhere from a few hours to a few months for the password to be cracked.
Download a dictionary file. The most commonly used dictionary file is “Rock You”. You can download it by entering the following command:
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
- Keep in mind that aircrack-ng will not be able to crack the WPA or WPA2 password if the password isn’t in the word list.
Tell aircrack-ng to begin cracking the password. Enter the following command, making sure to use the necessary network information when doing so:
aircrack-ng -a2 -b MAC -w rockyou.txt name.cap
- If you’re cracking a WPA network instead of a WPA2 network, replace “-a2” with -a.
- Replace “MAC” with the MAC address you found in the last section.
- Replace “name” with your “.cap” file’s name.
Wait for Terminal to display the results. When you see a “KEY FOUND!” heading appear, aircrack-ng has found the password. You’ll see the password displayed in brackets to the right of the “KEY FOUND!” heading.
Using Deauth Attacks to Force a Handshake
Understand what a deauth attack does. Deauth attacks send malicious deauthentication packets to the router you’re trying to break into, causing the Internet to disconnect and ask the Internet user to log back in. Once the user logs back in, you will be provided with a handshake.
Monitor your network. Enter the following command, making sure to enter your network’s information where necessary:
airodump-ng -c channel --bssid MAC
- For example:airodump-ng -c 1 –bssid 9C:5C:8E:C9:AB:C0
Wait for something to connect to the network. Once you see two MAC addresses appear next to each other (and a string of text that includes a manufacturer name next to them), you can proceed.
- This indicates that a client (e.g., a computer) is now connected to the network.
Open a new Terminal window. You can just press Alt+Ctrl+T to do this. Make sure airodump-ng is still running in the background Terminal window.
Send the deauth packets. Enter the following command, making sure to substitute your network’s information:
aireplay-ng -0 2 -a MAC1 -c MAC2 mon0
- The “2” refers to the number of packets to send. You can increase or decrease this number, but keep in mind that sending more than two packets can cause a noticeable security breach.
- Replace “MAC1” with the left-most MAC address at the bottom of the background Terminal window.
- Replace “MAC2” with the right-most MAC address at the bottom of the background Terminal window.
- Remember to replace “mon0” with your interface name that you found when your computer initially looked for routers.
- An example command looks like this:aireplay-ng -0 3 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0
Re-open the original Terminal window. Go back to the background Terminal window when you’re done sending the deauth packets.
Look for a handshake. Once you see the “WPA handshake:” tag and the address next to it, you can proceed with hacking your network.
- The best free parental control software 2020
- kali linux hack wifi