How to crack a WiFi password with WPA/WPA2 Security
In this tutorial you will learn how to crack the WiFi password to a router secured with WPA/WPA2 encryption.
But before we start you should know that it is very difficult and often impossible to actually accomplish this for a number of reasons.
Firstly there are a number of steps required, you must be physically close the router you want to crack, you must be able to capture the wireless ‘handshake’ which is often difficult, you need a very good sized wordlist/file (one containing over 40 million words might not be enough). You need a powerful computer to process the wordlist and crack the WiFi password, on an old/slow machine this can take days!
Most importantly if the WiFi password is NOT in your wordlist file, you WILL NOT be able to crack it. A wordlist file contains words/names and common passwords, usually it will contain every word in a dictionary and common passwords like 12345678, 12345678a,12341234, 11223344, iloveyou, password etc.
When choosing a WiFi network to try and crack you must take this point in to consideration – a WiFi router with the network name ‘2WIRE205’ means the router is using the default network name and probably the default WiFi password which will be a random combination of letters and number like h84Ndj93 – unless this password is in your wordlist you WILL NOT be able to crack it. In fact you will have a better chance of cracking the WiFi password with one of the Apps on our homepage which contain default passwords.
Now if you see a WiFi network with the name like ‘Dave’s WiFi Network’ it means the user has changed the default network name and, probably the password to something easier to remember, there is a much better chance the WiFi password has been changed to a dictionary word (ie. a word found in a dictionary and in your wordlist file).
But it is still not guaranteed. And if you are tying to crack a WiFi password in an English speaking country you will need a wordlist full of English words. If you are trying to crack a WiFi password in a French speaking county you will need a wordlist full of French words, you get the idea.
OK, so know you are aware of this let’s begin the tutorial.
Most of the information contained in this tutorial can be found in a much more detailed guide on the Aircrack-ng website, Aircrack-ng being the suite of tools we are going to use, however their guide is very detailed and may be overwhelming for the average user. This guide is the ‘bare bones’ of the process and is designed to teach a beginner the process of WiFi hacking.
All commands you need to type will be in italics. All ‘0’ are the number 0, not the letter o.
- Open up a Linux penetration testing operating system (Backtrack 4/Backtrack 5 or Linux Kali), either from a live CD, live USB or using a Virtual Machine. Make sure you have a compatible WiFi adapter attached to your PC/laptop.
- Open a console window – instructions on how to get to this stage can be found here.
- Put your wireless adapter in to monitor mode by typing airmon-ng start wlan0
- Type airodump-ng mon0 to see all the available WiFi networks, you should see an output like the one below.
5. Now we need to choose a WiFi network to try and hack. Below is an explanation of the information shown, only the information required to hack the WiFi network is explained below.
The column ‘BSSID’ is the MAC address of the router, like a serial number (it has nothing to do with Apple Mac).
The ‘PWR’ is the received power of the router, the lower the number the better.
‘CH’ is the channel the router is using.
‘ENC’ is the type of encryption used (WEP/WPA/WPA2).
‘ESSID’ is the network name.
6. Now we are going to choose a WiFi network to target. The network with the name ‘homeland’ (ESSID) looks good as appears that the default network name has been changed and there is a chance the WiFi password has been too to something that might be in your wordlist.
7. Type the command airodump-ng -c 6 –bssid 52:07:26:3B:16:C1 -w homeland mon0
airodump-ng is the command
-c is the channel the WiFi network is using (6)
–bssis is the BSSID of the router (52:07:26:3B:16:C1)
-w is what we are going to name the file where the collected information is stored, to make it simple we will just give the file the same name as the network (homeland)
mon0 is the WiFi adapter we are using
Your screen should look like this now, only collecting information fr the network ‘homeland’.
8. We now need to capture the ‘Handshake’, this is when a device/user with the correct password connects to the WiFi network. You can just leave the computer running and wait for a client to connect, when you have captured the ‘handshake’ you should see an output like the one below with ‘WPA handshake: 52:07:26:3B:16:C1’ in the top right hand corner.
9. If you do not capture the ‘handshake’ automatically after a while then you will need to force a connected device off the network using the de-authentication command, when the device reconnects you will be able to capture the ‘handshake’.
9. To de-authenticate a connected device you need to type the command (replacing the MAC addresses with the ones of the network you are trying t hack)
aireplay-ng -0 1 -a 52:07:26:3B:16:C1 -c BB:57:D8:37:02:A6 mon0
aireplay-ng -0 is the command
1 is the number of attempts, start with 1 but it can be increased to improve the chance of disconnecting the device
-a 52:07:26:3B:16:C1 is the MAC address of the router
-c BB:57:D8:37:02:A6 is the MAC address of a connected device (shown in the ‘station’ column)
The ‘ACKs’ shows the number of acknowledgements received and sent, in the last attempt [9|27 ACKs] 27 where sent and 9 received, this is when the handshake should be captured.
You can now close both all the console windows.
10. The actual crack.
Type the command aircack-ng -w password.lst homeland-01.cap and press enter.
aircrack-ng is the command
-w denotes the wordlist file you are going to use
password.lst is the wordlist file
homeland-01.cap is the file which contains the captured handshake.
Now aircrack will just try every password in your wordlist, if it is contained in your wordlist it will display the correct WiFi password.
You can find a huge list of downloadable wordlists here.
As mentioned at the beginning of this tutorial hacking WiFi using this method is never guaranteed and some WiFi passwords cannot be cracked.
Please visit this page for more WiFi hacker tutorials.