Hacking WPA WiFi

This topic was published by and viewed 3052 times since "". The last page revision was "".

Viewing 1 post (of 1 total)
  • Author

  • DevynCJohnson
    • Topics - 437
    • @devyncjohnson

    Like any security algorithm, WPA and WPA2 have security flaws that allow them to be hacked. WPA2 is the best WiFi security algorithm compared to WPA and WEP. However, WPA2 is still not secure enough. In fact, anybody with a decent amount of computer knowledge can hack WPA and WPA2.

    Keep in mind that Kali Linux (formerly called "Backtrack") is not needed for hacking. Linux users can use their preferred distro. Also, hacking can be helpful when people must find or prove the presence of security flaws. Please use all of this knowledge for good and not evil. In addition, get permission from the WiFi owner before hacking.

    NOTE: All of these commands in this tutorial should be run with Root privileges.

    Obtaining the Tools

    To begin, install the needed packages. Some distros contain the needed tools in the default repos and others do not. If they are not in the Ubuntu repos, users may need to add the "ppa:darklordpaunik8880/kalibuntu" PPA by typing apt-add-repository ppa:darklordpaunik8880/kalibuntu. Once the repos are add, then on Debian-based systems, users can type apt-get install aircrack-ng. The "aircrack-ng" package adds many WiFi hacking tools and the package's dependencies provide additional utilities.

    The wordlists can be obtained at the links below.


    Once the utilities are obtained, open a terminal and type "airmon-ng". This will display a list of detected WiFi devices on the local system that support monitoring (this feature is needed). Then, type "airmon-ng start INTERFACE" where "INTERFACE" is the desired wireless device (such as "wlan0") that supports monitoring. The terminal should display a monitor interface name (such as "mon0").

    NOTE: After running the last command, you should see "(monitor mode enabled)" in the output.

    Next, type airodump-ng MONITOR-INTERFACE (where "MONITOR-INTERFACE" is usually mon0). If a "fixed channel -1" error message is seen, then execute ifconfig INTERFACE down (such as wlan0) and retry the airodump-ng command. After the whole hacking process, remember to type ifconfig INTERFACE up to make the wireless card connect to the Internet as before.

    The airodump-ng command will return a list of detected Wifi hotspots. Look for one that uses WPA or WPA2 encryption (ENC), CCMP as the cipher, and PSK as the authentication method (AUTH). Once a hotspot has been selected, write down the ESSID, BSSID, and channel (CH). With the gathered information, type a command using the format airodump-ng -w DIRECTORY -c CHANNEL --bssid BSSID MONITOR-INTERFACE. The chosen directory is used to store files containing the handshake authentication data used when a device connects to the WiFi. Now, when a client connects or reconnects to the Wifi, your system will watch how the authentication process occurs.

    Waiting for a client to reconnect may take a while. Thankfully, this process can be sped up. In that same terminal output, look under the "Station" heading and look for a BSSID. Write down that BSSID which is the BSSID of a client connected to the selected WiFi. In a new terminal, type aireplay-ng -0 2 -a WIFI-BSSID -c CLIENT-BSSID MONITOR-INTERFACE using the gathered information. The "-0" parameter means deauth mode will be used and "2" deauth packets will be sent. This will trigger the router to reconnect/reauthenticate the chosen client. This is how the authentication process can be analyzed.

    On the terminal with airodump-ng running, a "WPA handshake" message should appear. The aireplay-ng terminal can be closed. Keep the four generate files that are placed in the selected directory and remember to write down the WPA handshake hexadecimal number.

    Now, the collected data can be analyzed locally to crack the password. With the gathered data, type a command in the form aircrack-ng -a2 -b WIFI-BSSID -w WORDLIST-PATH DIRECTORY/*.cap. Use "-a1" for WPA and "-a2" for WPA2. The directory is the same one chosen previously. The wordlist file is a plain-text file containing many possible passwords. Be sure to obtain a wordlist file.

    If the process is successful, then the user will see a "KEY FOUND!" message and the message will display the password. It is possible to create a password secure enough that offers protection against this process.


    This article can be used to test and ensure that the WPA or WPA2 security used by the WiFi is secure. If not, then the admins can make changes until the network is secure. Two methods for greatly strengthening the wireless network include enabling MAC address filtering and using a long and complex password. In addition, it may help to change the wireless password occasionally.

    Further Reading

Viewing 1 post (of 1 total)