1- Boot into Kali Linux and open a terminal.
3- Enable monitor mode on the wireless device
In the terminal type
airmon-ng start wlan0
This creates a new monitor-mode interface, usually named wlan0mon (or mon0 / wlan1mon, depending on the driver). Note the name, or you will have to check it again from step 2.
If you get an error, issue the following command to stop the interfering processes automatically, then run the above command again:
airmon-ng check kill
4- Select the target WiFi router or access point.
We need to pick a target WiFi access point (router) to crack; to focus the attack we need the access point's BSSID and channel. Type the following command.
We get a complete list of all reachable access points with their BSSID, channel, signal strength and encryption type. We are interested only in the BSSID and channel, because the rest is what we are going to crack. In the command above, wlan0mon is the monitor-mode interface created in step 3. Choose your victim based on signal strength, shown in the PWR column. Once you have found your victim access point (router), stop the scan with Ctrl+C.
5- Now we start capturing packets from the victim with the following command
airodump-ng --bssid (AP BSSID address) -c (channel number) -w (file name to save as) (monitor interface)
So here I type
airodump-ng --bssid F4:F2:6D:4E:3D:8E -c 3 -w WPAcrack wlan0mon
6- To capture a 4-way handshake we need a client connected to the access point to reauthenticate with it; the already connected devices are listed in the STATION column in step 5. So we send deauthentication frames so that the clients try to reauthenticate and we capture the handshake. The first form below, without -c, targets all clients of the access point; the second targets one client.
aireplay-ng --deauth (number of deauthentication packets to send, e.g. 100) -a (BSSID of the network) -c (MAC address of the client) (monitor interface)
aireplay-ng --deauth 1000 -a F4:F2:6D:4E:3D:8E wlan0mon
aireplay-ng --deauth 1000 -a F4:F2:6D:4E:3D:8E -c 9C:99:A0:F2:05:19 wlan0mon
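Added example, not part of the original tutorial: the deauthentication burst that step 6 puts on the air is also exactly what a wireless IDS looks for. This Python script parses raw 802.11 management frames and flags any source that sends more than a threshold of deauthentication frames inside a sliding time window; the sample frames are constructed inline from the tutorial's BSSID and client MAC, and the threshold, window length and reason code are assumed values.

```python
import struct
from collections import defaultdict

# Frame control byte 0 = (subtype << 4) | (type << 2) | version; management type is 0.
DEAUTH_FC0 = 12 << 4  # 0xC0: management frame, subtype 12 = deauthentication

def parse_mgmt_frame(frame: bytes):
    """Decode a raw 802.11 management frame (no radiotap header).
    Returns (is_deauth, source MAC, BSSID, reason code or None)."""
    if len(frame) < 24:
        return None
    is_deauth = frame[0] == DEAUTH_FC0
    src = frame[10:16].hex(":")      # addr2 = transmitter address
    bssid = frame[16:22].hex(":")    # addr3 = BSSID for management frames
    reason = struct.unpack_from("<H", frame, 24)[0] if is_deauth and len(frame) >= 26 else None
    return is_deauth, src, bssid, reason

def detect_deauth_floods(frames, threshold=10, window=1.0):
    """frames: time-ordered (timestamp, raw_frame) pairs. Raises one alert per source
    whenever more than `threshold` deauths from it fall inside `window` seconds (assumed values)."""
    recent = defaultdict(list)
    alerts = []
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if not parsed or not parsed[0]:
            continue
        _, src, bssid, reason = parsed
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:       # slide the window forward
            q.pop(0)
        if len(q) > threshold:
            alerts.append({"src": src, "bssid": bssid, "reason": reason, "at": ts})
            q.clear()                   # one alert per burst, not one per frame
    return alerts

def _mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Constructed test data: minimal 24-byte 802.11 management header plus body."""
    return struct.pack("<BBH", subtype << 4, 0, 0) + dst + src + bssid + b"\x00\x00" + body

def sample_capture():
    """Constructed sample: 3 beacons from the AP, then a 12-frame deauth burst that
    spoofs the AP's address as source, the pattern step 6 produces on the air."""
    ap = bytes.fromhex("f4f26d4e3d8e")     # BSSID used in the tutorial
    sta = bytes.fromhex("9c99a0f20519")    # client MAC used in the tutorial
    frames = [(i * 0.1, _mgmt_frame(8, b"\xff" * 6, ap, ap)) for i in range(3)]
    frames += [(0.3 + i * 0.05, _mgmt_frame(12, sta, ap, ap, struct.pack("<H", 7))) for i in range(12)]
    return frames
```

On real traffic, feed the function frames from a monitor-mode capture with the radiotap header stripped; a burst from a legitimate AP that deauthenticates one idle client once will stay below the threshold, while the thousand-frame burst from step 6 trips it immediately.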
7- After a successful handshake capture we are ready to crack the password and recover it in plain text.
Here we can see, highlighted, that a handshake from a particular client was captured. We can also check the present working directory for the captured handshake file.
The default syntax for aircrack-ng is
aircrack-ng -w (location of the password list) (capture file *.cap)
So here we start the wordlist (dictionary) attack on the captured 4-way handshake file with
aircrack-ng -w 'wordlist.txt' WPAcrack-01.cap
Depending on the CPU and other hardware specifications of your system this process will take some time, as it may have to test millions of passwords, so make a good but short wordlist to cut down the number of attempts and the time taken. On
We need a dictionary or wordlist file to take candidate passwords from.
How to create a good wordlist with crunch: How To Make Good Wordlist using Crunch
The default wordlist in BackTrack is at /pentest/passwords/wordlists/darkc0de.lst
The default wordlist in Kali can be located and copied into the current working directory with the command below
cp /usr/share/wordlists/rockyou.txt.gz .
Unzip / extract the wordlist from the compressed file with this command
Get the number of passwords in this wordlist file
wc -l rockyou.txt
14344392 passwords in this file.
NOTE: A wordlist can be short if you know the person well and can guess at the password: generate a wordlist from their house number, name, relationships, mobile number, date of birth and similar details. If the password is random you need a much bigger wordlist and a lot of patience; it may take 10 hours or more in that case. You can also download wordlists available online or use a dictionary of whole words.
How to disable monitor mode on wlan0mon
airmon-ng stop wlan0mon
Don't forget to restart the network manager. It is usually done with the following command:
service network-manager start