DEV Community


Posted on • Updated on


Crack WPA/WPA2 Wi-fi Password

This is a brief walk-through tutorial that illustrates how to crack Wi-Fi networks that are secured using weak passwords. It is not exhaustive, but it should be enough information for you to test your own network’s security or break into one nearby. The attack outlined below is entirely passive (listening only, nothing is broadcast from your computer) and it is impossible to detect if you do not actually use the password that you crack. An optional active DEAuthentication attack can be used to speed up the reconnaissance process and is described at the end of this blog.
If you are familiar with this process, you can skip the descriptions and jump to a list of the commands used at the bottom.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use.

Getting Started
This tutorial assumes that you:
• Have a general comfortability using the command-line
• Are running a Debian-based Linux distro (preferably Kali Linux)
• Have Aircrack-ng installed (sudo apt-get install aircrack-ng)?
• Have a wireless card that supports monitor mode (I use this one for me)

Cracking a Wi-Fi Network

Monitor Mode:
Firstly, switch your wireless LAN to monitor mode by typing:

Alt Text
Begin by listing wireless interfaces that support monitor mode with:

Alt Text
If you do not see an interface listed, then your wireless card does not support monitor mode

We will assume your wireless interface name is wlan0 but be sure to use the correct name if it differs from this. Next, we will place the interface into monitor mode:

Alt Text
Run iwconfig. You should now see a new monitor mode interface listed (likely mon0 or wlan0mon).
Find Your Target
Start listening to 802.11 Beacon frames broadcast by nearby wireless routers using your monitor interface:

Alt Text
You should see output similar to what is below.

Alt Text
For the purposes of this demo, we will choose to crack the password of my network, “Patanwala”. Remember the BSSID MAC address and channel (CH) number as displayed by airodump-ng, as we will need them both for the next step.

Capture a 4-way Handshake
WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. You don’t have to know anything about what that means, but you do have to capture one of these handshakes in order to crack the network password. These handshakes occur whenever a device connects to the network, for instance, when your neighbour returns home from work. We capture this handshake by directing airmon-ng to monitor traffic on the target network using the channel and bssid values discovered from the previous command.

Alt Text
Now we wait… Once you’ve captured a handshake, you should see something like [ WPA handshake: bc:d3:c9:ef:d2:67 at the top right of the screen, just right of the current time.
Once you have captured a handshake, press ctrl-c to quit airodump-ng. You should see a .cap file wherever you told airodump-ng to save the capture (likely called -01.cap). We will use this capture file to crack the network password. I like to rename this file to reflect the network name we are trying to crack:

Alt Text
Crack the Network Password
The final step is to crack the password using the captured handshake. If you have access to a GPU, I highly recommend using hashcat for password cracking.

Cracking With naive-hashcat (recommended)
Before we can crack the password using naive-hashcat, we need to convert our .cap file to the equivalent hashcat file format (.hccapx) You can do this easily by either uploading the .cap file to or using the cap2hccapx tool directly.

Alt Text
Next, download and run naive-hashcat:

Alt Text
Naive-hashcat uses various dictionary, rule, combination, and mask (smart brute-force) attacks and it can take days or even months to run against mid-strength passwords. The cracked password will be saved to hackme.pot, so check this file periodically. Once you have cracked the password, you should see something like this as the contents of your POT_FILE:

Alt Text
Where the last two fields separated by: are the network name and password, respectively.

Cracking with Aircrack-ng
Aircrack-ng can be used for very basic dictionary attacks running on your CPU. Before you run the attack, you need a wordlist. I recommend using the infamous rockyou dictionary file:

Alt Text
Note: if the network password is not in the wordlist you will not crack the password.

Alt Text
If the password is cracked, you will see a KEY FOUND! message in the terminal followed by the plain text version of the network password.

Alt Text
Deauth Attack
A deauth attack sends forged DEauthentication packets from your machine to a client connected to the network you are trying to crack. These packets include fake “sender” addresses that make them appear to the client as if they were sent from the access point themselves. Upon receipt of such packets, most clients disconnect from the network and immediately reconnect, providing you with a 4-way handshake if you are listening with airodump-ng.

Use airodump-ng to monitor a specific access point (using -c channel --bssid MAC) until you see a client (STATION) connected. A connected client look something like this, where is 64:BC:0C:48:97:F7 the client MAC.

Alt Text
Now, leave airodump-ng running and open a new terminal. We will use the aireplay-ng command to send fake deauth packets to our victim client, forcing it to reconnect to the network and hopefully grabbing a handshake in the process.

Alt Text
You can optionally broadcast deauth packets to all connected clients with:

Alt Text
Once you’ve sent the deauth packets, head back over to your airodump-ngprocess, and with any luck you should now see something like this at the top right: [ WPA handshake: 9C:5C:8E:C9:AB:C0. Now that you have captured a handshake you should be ready to crack the network password.

List of Commands
Below is a list of all the commands needed to crack a WPA/WPA2 network, in order, with minimal explanation.

Alt Text
I hope the procedure was clear and understandable.

If you have any doubts regarding this, then do comment down below.
And, if you end-up liking what you see then do share it with your Tech-Freak friends and family.

Top comments (0)

An Animated Guide to Node.js Event Loop

Node.js doesn’t stop from running other operations because of Libuv, a C++ library responsible for the event loop and asynchronously handling tasks such as network requests, DNS resolution, file system operations, data encryption, etc.

What happens under the hood when Node.js works on tasks such as database queries? We will explore it by following this piece of code step by step.