In this tutorial we will learn how to use airmon-ng (a script from the aircrack-ng package) to discover wireless networks around us. Then we will deauthenticate clients from a specific wireless network so that we can capture the four-way handshake, and finally we will crack the captured handshake to find the WiFi password.
The network I attack in this tutorial is a network that I own; I’m not attacking someone else’s network. Please do not use this information for unethical purposes. What I’m sharing here is for educational purposes only.
Before we get started, let’s see what you’ll need:
- WiFi network adapter that supports monitor mode.
- Kali Linux or any Linux Distro with Aircrack-ng suite installed.
- Password dictionary (wordlist)
Let’s begin. First we must check whether the WiFi adapter is connected to Kali Linux. To do so, type the command below:
Step 1: Open up your terminal and type
This will show you all the networking interfaces connected to your device.
If your wireless network adapter is connected and recognized by your operating system you should see ” wlan0 ”, as in the photo above. Note that the name may differ if you have more than one wireless adapter connected.
Step 2: Now, to enable monitor mode, type the following command:
sudo airmon-ng start wlan0
- sudo gives us root privileges (airmon-ng requires root privileges)
- airmon-ng is used to enable and disable monitor mode on wireless interfaces.
- wlan0 is your wireless interface
Monitor mode is now enabled. Next we should kill the processes (PIDs) that interfere with the adapter; those processes are highlighted in red in the example above.
There are two ways to kill those processes:
- First, using airmon-ng check kill
- Second, through pgrep, which is the way I prefer:
- type kill followed by the PIDs of the processes
Why should we stop those processes? They may interfere with the capture.
kill 508 1420
Step 3: Okay, now let’s discover the wireless networks around us. To do that we use the command sudo airodump-ng wlan0.
To stop scanning and keep the list of discovered networks, press Ctrl + C.
As you can see, a whole bunch of wireless networks are discovered. The BSSIDs, i.e. the MAC addresses of the wireless networks, are in the first column.
The network I’m interested in is the one named Kail on channel 1. Take note of the channel number and the MAC address of the target access point; in my case:
- Channel: 1
- BSSID: 50:D4:F7:E5:66:F4
We’re going to use the command sudo airodump-ng -c 1 -w kali --bssid 50:D4:F7:E5:66:F4 wlan0.
kali is the name of the file that we’re going to store the captures in, the channel we’re going to attack is 1, the BSSID we’re going to attack is 50:D4:F7:E5:66:F4, and the interface we’re going to use is wlan0.
Step 4: To start capturing the packets of your target network, type the following command:
airodump-ng -c 1 -w kali --bssid 50:D4:F7:E5:66:F4 wlan0
In this window we are capturing packets, trying to capture the four-way handshake. Now open a second window to deauthenticate clients from the network; this speeds up capturing the handshake, because a deauthenticated client re-associates and performs the handshake again.
To deauthenticate we will use aireplay-ng:
aireplay-ng -0 0 -a 50:D4:F7:E5:66:F4 wlan0
We hadn’t captured the four-way handshake yet, but as soon as I deauthenticate clients we get the WPA handshake, as you see in the image below.
Now that we have successfully captured the WPA handshake, stop aireplay-ng and airodump-ng with Ctrl + C.
Step 5: Cracking the password from the four-way handshake
In the terminal type “ls” to list the current directories and files.
Select the file with the “.cap“ extension; it should be named kali-01.cap. Then type the following command:
aircrack-ng -w wordlist.txt kali-01.cap
For a wordlist, check this article: Best Password dictionary
What aircrack-ng does is compare the key material captured in the .cap file against every password listed in the wordlist.txt file: it derives the key from each line of text and, when the derived key matches the handshake, we know the password.
Now all you have to do is wait until you see KEY FOUND! [ your key is here ] 😉
All steps in a few lines
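As an added example (not code from the original post) of the computation just described: the WPA2-PSK key derivation that aircrack-ng must repeat for every wordlist entry, plus a self-check a network owner can run to see whether their own passphrase would fall to this kind of wordlist attack. The SSID "Kail" is taken from the tutorial; the wordlist is a constructed sample.

```python
import hashlib
import hmac
import time

# Constructed sample data: the tutorial's SSID and a tiny wordlist standing in
# for the file aircrack-ng is given with -w.
SSID = "Kail"
WORDLIST = ["password", "12345678", "letmein1", "kalilinux"]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key (IEEE 802.11i): PBKDF2-HMAC-SHA1 with the
    SSID as salt, 4096 iterations, 256-bit output. The SSID salt means a
    precomputed table only works for one network name; the 4096 iterations
    are what make each wordlist guess cost real CPU time."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def passphrase_in_wordlist(passphrase: str, ssid: str, wordlist) -> bool:
    """Audit your own network: derive the PMK of the real passphrase and of
    every wordlist candidate, and report whether any candidate matches, i.e.
    whether the attack in this tutorial would recover it."""
    target = derive_pmk(passphrase, ssid)
    return any(hmac.compare_digest(derive_pmk(w, ssid), target) for w in wordlist)


def guesses_per_second(ssid: str, samples: int = 200) -> float:
    """Rough single-core throughput of the derivation, to show why the
    attack is bounded by wordlist size rather than by brute force."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate{i}", ssid)  # constructed throwaway guesses
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    print(passphrase_in_wordlist("12345678", SSID, WORDLIST))                  # True
    print(passphrase_in_wordlist("correct horse battery staple", SSID, WORDLIST))  # False
    print(f"{guesses_per_second(SSID):.0f} guesses/s on this core")
```

A passphrase that is not in the attacker's wordlist is never found by this method, which is why a long, non-dictionary passphrase (and a non-default SSID) is the practical defence against it.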
- airodump-ng wlan0
- airodump-ng -c 2 -w wifi --bssid 50:D4:F7:E5:66:F4 wlan0
- aireplay-ng -0 0 -a C4:6E:1F:F6:34:B8 wlan0mon
- aircrack-ng -w wordlist.txt kali-01.cap
So we learned how to crack WPA2. Keep in mind that the most important part in all of this is your WiFi adapter, so make sure you have an aircrack-compatible WiFi adapter.