March 18, 2018

Hacking WIFI Password using Aircrack

I’m very used to hacking WIFI passwords. I know various methods of doing it. The most basic one I’m going to illustrate here next. Today we are going to hack WIFI passwords using Aircrack-ng. Aircrack-ng is widely used tool which can hack wifi networks within minutes depending on the strength of the password which is used. It comes pre-installed in Kali Linux.

The most common types of wireless security are Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is a notoriously weak security standard. The password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WPA was a quick alternative to improve security over WEP. Cracking of wireless networks is the defeating of security devices in Wireless local-area networks. WLANs – also called Wi-Fi networks are inherently vulnerable to security lapses. There are two basic types of vulnerabilities associated with WLANs: those caused by poor configuration and those caused by weak encryption.

The weakness in the WPA2-PSK system is that the encrypted password is shared in what is known as the 4-way handshake. When a client authenticates to the access point (AP), the client and the AP go through a 4-step process to authenticate the user to the AP. If we can grab the password at that time, we can then attempt to crack it.

So, Let the hacking begin.


  1. Let’s start the whole process by putting our wireless adapter in monitor mode. This is similar to putting a wired adapter into observation mode. It allows us to see all the available wireless traffic aka Wi-Fi networks around us. So let’s open a terminal and type:
    airmon-ng start wlan0

  2. Now you can observe that airmon-ng has just changed your wlan0 adapter id to wlan0mon or mon0 as per your wireless adapter. If you get any sort of processes that’re conflicting, kill those processes by typing
    kill process_id

  3. As our wireless adapter is in monitor mode, it can see all the wireless traffic nearby. We can capture the required traffic using airodump-ng command. airodump-ng grabs all the traffic nearby and displays critical information of the wireless networks including the BSSID or the MAC address of the AP, Power, Number of Beacons, Number of Data Frames, Channel, Transfer Rate, Encryption status (if any) , and finally the ESSID or the name of the wireless network which most refer as the SSID. We can use airodump-ng by typing
    airodump-ng wlan0mon

  4. Now we can the see the APs’ which are to the near proximity of our hacking station. All the visible APs are listed in the upper part of the screen and the clients who are connected to the respective APs are listed in the lower portion of the screen.

  5. In this step, we focus airodump-ng to work on single AP, and on one channel which we’re trying to hack and capture critical data from it. We need the BSSID and the channel of the AP to do this. So, open another terminal and type
    airodump-ng --bssid 5C:F1:88:89:7F:E2 -c 1 --write WPAhack wlan0mon
    5C:F1:88:89:7F:E2 is the BSSID of the AP
    -c 1 is the channel the AP which we are working on
    WPAhack is the file we want to write to
    wlan0mon is the monitoring wireless adapter

  6. For capturing the packet which consists the password which is usually encrypted. For this to happen, first we’ve to kick off a client from the victim’s Wi-Fi network for a four-way handshake to happen. So, we usually DOS the network to kick all the users or a single user using the IP of the victim client. So, for this to happen, let’s type
    aireplay-ng --deauth 100 -a 5C:F1:88:89:7F:E2 wlan0mon
    100 is the number of de-authenticate frames you want to send
    5C:F1:88:89:7F:E2 is the BSSID of the AP
    wlan0mon0 is the monitoring wireless adapter

  7. In the previous step, we bounced the user off their own AP, and now their device usually tries to re-authenticate automatically. Now airodump-ng will attempt to capture their encrypted password which is usually 4-way handshake. We can check the progress in the top right corner of the airodump-ng screen as “WPA handshake”.

  8. As we have the encrypted password, lets try decrypting it using aircrack-ng tool available in Kali as aircrack-ng or darkc0de in BackTrack. We had already saved the encrypted password as WPAhack. So, lets start it by typing
    aircrack-ng WPAhack-01.cap -w /usr/share/wordlists/rockyou.txt.gz
    WPAhack-01.cap is the name of the file we’ve previously saved our captured encrypted password file
    /usr/share/wordlists/rockyou.txt.gz is the path to our passsword file or the wordlist

  9. The whole process of cracking could be relatively slow. Depending upon the length of the password list, our CPU resources and complexity of the password, we could be waiting a few minutes to a few days or even few years! Usually it depends on what type of CPU we are using so that it could work on number of passwords per second. Hence results may vary. When it successfully cracks the password, we’ll be able to see it on the screen. If the password file or the word list is critical, better use the default word list such as rockyout.txt usually default in Kali. It could save some time in this area.

That’s all. Hope, you find this cool & interesting.