When it comes to learning pentesting, one of the most frequently asked questions we receive is, “how do I hack WiFi?” It is often the first hands-on challenge aspiring hackers want to try. Your being here is proof positive.
That’s great! Hacking WiFi is a fantastic exercise. It’s a chance for you to learn command line tools, wireless protocols, enumeration, and password cracking. In this article, we’ll teach all these things to you. We’ll discuss the technology, how the attacks work, and what hardware you need. Finally, we’ll set up a lab and practice it together.
So get ready because we’re going to teach you how to hack WiFi with Kali Linux.
We want to be absolutely clear on this point. As much fun as it might seem to hack into your neighbor's wireless network or a secured network at a friend’s house, hotel, or other location, don’t do it. You need to have permission from the network owner if you are to do any kind of hacking or penetration testing on their systems.
It might not seem like a big deal, but hacking a system without permission can hold extremely steep legal penalties, including jail time, depending on your location. Such laws include:
- The Computer Fraud and Abuse Act (United States)
- Sections 184, 342.1, 380, and 430 of the Criminal Code of Canada (Canada)
- Computer Misuse Act 1990 (England)
- Sec. 202a and 202b of the German Criminal Code (Germany)
- Information Technology Act Sec. 43 and 66 (India)
- The Act on the Prohibition of Unauthorised Computer Access (Japan)
Before We Begin
There’s some background we need to cover before you can start hacking. This will include the necessary hardware, software, and an understanding of wireless technologies and dictionary attacks.
To hack a wireless network, you need a wireless card with two features:
- Make sure your card supports monitor mode/promiscuous mode
- Make sure your card is capable of performing packet injection
We have bad news for you. It is almost certain that your onboard network card is incapable of this. You will need to purchase an external network adapter - and it has to have these specific (and uncommon) abilities.
For this article, we will be using Kali Linux with the ALFA AWUS036NEH Long Range adapter. This particular adapter is now end-of-life and discontinued, but it still serves its purpose. You can see our top choices for Kali Linux-compatible WiFi adapters here.
Set Up Kali
If you don’t have Kali Linux installed, see our article How To Install Kali Linux on VirtualBox.
To connect your wireless adapter, follow these steps.
First, make sure your virtual machine instance is shut down.
Next, plug in your USB network adapter.
Now go to the VirtualBox manager. Select your Kali instance, click the list icon, and choose Details.
You will now see a page giving you various details about your virtual machine instance, such as the base memory, any shared folders connected to it, and the hard disk details.
Click on USB to bring up the USB settings menu. Now click the green plus sign on the right-hand side.
You want to add your new network adapter. It may not list the manufacturer, but instead list the chipset, as you can see in our image below. Once selected, click OK.
Back on the manager window, click Network this time. We want to disable all network adapters for this virtual machine, so uncheck Enable Network Adapter in all four tabs. Click OK. Now all communication will go through our wireless card.
Once done, Kali is ready.
Different Wireless Technologies
We won’t go into the entire history of the 802.11 wireless standards. Instead, we’re just going to talk about encryption.
There are several encryption types to choose from when securing a wireless network. Those include:
- WEP
- WPA2
- WPA2 Enterprise
WEP stands for Wired Equivalent Privacy. Despite the name, it is far from being as private as a wired connection. It is completely deprecated, as it can be hacked in literally seconds. Some routers will still come with it as an option for legacy reasons. Never use it. Most businesses know better. If you see it on a penetration test, you can clock out early that afternoon, as it is the easiest wireless hack you’ll ever perform.
The common encryption methods you will run into are WPA2 and WPA2 Enterprise. The difference between them, in a very high-level and simplified explanation, is the Enterprise version will have a secure login for every member of the domain. This means instead of one password to access the WiFi for everyone (like you would see at home), each user would have their own username and password.
Attacking WPA2 Enterprise is beyond the scope of this article. Many small to medium-sized businesses and most home routers are likely to be set to WPA2, which is what we will be hacking today.
What Are Dictionary Attacks?
A dictionary attack is the process of running through a preset list of words to see if any match the password you are looking to crack. For this, you need a password list to try.
This differs from a brute force attack, which tries every combination of characters based on the rules you prescribe. For example, if you know the password is between six and eight characters and contains upper and lower case letters and numbers but no special characters, the brute force attack might try “Aaaaa1,” “AAaaa1,” “AAAaa1,” etc., until it finds a match.
Each attack has its benefits and drawbacks. A brute force attack is guaranteed to work eventually. The problem is that a complex password (12 characters, upper and lower case letters with numbers and symbols) could literally take tens of thousands of years to crack with current technology. We doubt you’ll want to sit that long waiting for WiFi access.
A dictionary attack is only as strong as its password list. However, if the password is on that list, the cracking will be much faster. There are many bad password policies in place, and while people are getting better at protecting their email and other online accounts, things like WiFi still take a back seat.
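To put numbers on the comparison above, here is an added Python example (not from the original article) that derives the WPA2-Personal pairwise master key the way every cracking tool must for each guess, checks a candidate PSK against a wordlist, and estimates how long a dictionary run and the brute-force keyspaces described above would take. The mini wordlist and the guess rate are constructed assumptions; the PMK check uses the published IEEE 802.11i test vector.

```python
import hashlib

# Constructed mini wordlist standing in for Kali's fern-wifi common.txt.
WORDLIST = ["password", "12345678", "w0rkplac3rul3s", "letmein123"]

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    Every guess, dictionary or brute force, has to pay this cost once."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def keyspace(min_len: int, max_len: int, alphabet_size: int) -> int:
    """Number of candidates a brute-force run must cover under the stated rules."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def seconds_to_cover(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the candidates at the given guess rate."""
    return candidates / guesses_per_second

def passphrase_in_wordlist(passphrase: str, wordlist=WORDLIST) -> bool:
    """Defender-side check: a PSK found in a public wordlist is a dictionary hit."""
    return passphrase in set(wordlist)

def main():
    # IEEE 802.11i Annex H test vector: SSID "IEEE", passphrase "password".
    print("PMK:", derive_pmk("password", "IEEE").hex())
    rate = 1e5  # assumed guesses per second for one cracking rig
    print("dictionary:", seconds_to_cover(len(WORDLIST), rate), "s")
    small = keyspace(6, 8, 62)       # 6-8 chars, upper + lower + digits
    big = keyspace(12, 12, 62 + 32)  # 12 chars, also ~32 symbols
    print("6-8 char brute force:", seconds_to_cover(small, rate) / 86400, "days")
    print("12 char brute force:", seconds_to_cover(big, rate) / (86400 * 365), "years")
    print("lab PSK in wordlist:", passphrase_in_wordlist("w0rkplac3rul3s"))

if __name__ == "__main__":
    main()
```

The 4096 PBKDF2 rounds are what make each guess comparatively expensive, so the only practical defence for WPA2-Personal is a passphrase that is neither on a list nor short enough to enumerate.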
For our lab, we will be using a password list included with Kali Linux. You can find it at /usr/share/wordlists/fern-wifi/common.txt.
It contains 477 passwords, which is fine for our practice lab. When trying this for real, have many different password lists handy. Start with the smaller ones and hope for a quick win; if that doesn’t work, try larger ones. You can also check whether the company has had a security breach before; you might find some passwords they’ve used in the past sitting online.
Setting Up Our Practice Lab
Since we don’t want to try and hack any of our neighbors, we’ll set up a practice lab to hack into.
There is a caveat we want to mention before going further.
If you set up your actual router with a vulnerable password, you are putting your network at risk. We instead recommend finding an old router collecting dust that you can use solely for the purpose of this lab.
We also want to point out that if this router is in any way connected to your home network, it is still a vulnerable access point. You also run the risk of creating a rogue DHCP server, which can cause issues with your home network.
The best scenario is a separate router not connected to the internet or any other device in your home. All we need is for it to broadcast WiFi. We will connect a single wireless device to it for testing purposes, like a cellphone, when the time is right.
We can’t walk through the setup wizard for every possible router, but they all function similarly. Check your manufacturer’s website for details on logging into the administrator controls. Usually, you connect a computer physically to the router and go to 192.168.0.1 or a similar IP address.
If your router is in a factory default state, it will likely prompt you to set up your network.
There are a few specific settings we want to prepare.
First, set any network name you want. Some recommendations include:
Second, choose a password from the password list we mentioned in the previous section. In our lab, we went with w0rkplac3rul3s.
Lastly, make sure the security mode is set to WPA2-Personal.
Confirm you can discover this network with other devices, and you’re ready to go.
How to Hack WiFi With Kali Linux
We’re now going to go through the step-by-step process of hacking a WPA2-Personal WiFi network.
There are several programs we can use, but this article will only focus on using the Aircrack-NG suite of tools. We encourage you to try some of the other tools mentioned in the Frequently Asked Questions.
In most cases, a network card only listens for traffic sent to its MAC Address. Promiscuous mode (also called monitor mode) tells the card to listen to all traffic, not just traffic directed to it.
Let’s switch to root using the command
sudo su
You will be prompted for your Kali password.
Run ifconfig to see what our network card is. We see below it’s wlan0.
Running iwconfig, we see the adapter is currently in managed mode (not monitor).
We will use Airmon-NG to put the adapter into monitor mode.
First, we end any processes that might interfere using the command
airmon-ng check kill
Then change the adapter’s mode using
airmon-ng start wlan0
Use whatever your adapter name is, if different. Your adapter name will change, adding the letters “mon” to the end (for monitor). In our case, it became wlan0mon.
Scanning For Networks
Now that we are in monitor mode, we can begin scanning. We will use the program Airodump-NG, with the -i flag to indicate the interface to listen on, then the name of our interface (which in our case is wlan0mon).
airodump-ng -i wlan0mon
We are picking up all kinds of traffic. Let’s examine what we see.
- BSSID is the MAC address of the access points we can see.
- CH is the channel they are running on (WPA2 typically runs on channel 1, 6, or 11).
- ENC is the encryption method. In this picture we see two open networks, and many WPA2.
- AUTH is the authentication method used to connect to the network. PSK stands for pre-shared key.
- ESSID is the common name of the wireless network. We can see our target network, as well as the MAC address and the channel it is running on.
- STATION lists the MAC address of devices connected to the different networks.
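As an added example (not part of the article) of auditing a scan for the open and WEP networks discussed above, this Python snippet parses the CSV that airodump-ng writes alongside the capture when --write is used. The sample rows are constructed, and the column layout (an access-point table, a blank line, then a station table) is an assumption about airodump-ng's CSV output.

```python
import csv
import io

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv (assumed):
# an access-point table, one blank line, then a station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
EC:AD:E0:AB:93:34, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 1, 130, WPA2, CCMP, PSK, -40, 120, 0, 0. 0. 0. 0, 10, LabNetwork,
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WEP, WEP, , -70, 80, 250, 0. 0. 0. 0, 9, OldRouter,
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, OPN, , , -60, 60, 0, 0. 0. 0. 0, 9, CoffeeBar,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
F2:98:00:00:00:01, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -50, 300, EC:AD:E0:AB:93:34, LabNetwork
"""

def _table(part: str):
    """Turn one CSV table into a list of dicts keyed by the (stripped) header names."""
    rows = [[c.strip() for c in r] for r in csv.reader(io.StringIO(part)) if r]
    return [dict(zip(rows[0], r)) for r in rows[1:]]

def parse_airodump_csv(text: str):
    """Split the file at the blank line and return (access_points, stations)."""
    ap_part, _, sta_part = text.partition("\n\n")
    return _table(ap_part), _table(sta_part)

def weak_access_points(access_points):
    """Flag what the article says never to use: open networks and WEP."""
    weak = []
    for ap in access_points:
        privacy = ap["Privacy"].upper()
        if privacy == "OPN" or "WEP" in privacy:
            weak.append((ap["ESSID"], ap["BSSID"], ap["channel"], privacy))
    return weak

def clients_of(stations, bssid: str):
    """MAC addresses of stations airodump-ng saw associated with the given BSSID."""
    return [s["Station MAC"] for s in stations if s["BSSID"].upper() == bssid.upper()]

def main():
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for essid, bssid, channel, privacy in weak_access_points(aps):
        print(f"WEAK: {essid} ({bssid}) on channel {channel}: {privacy}")
    print("clients of lab AP:", clients_of(stations, "EC:AD:E0:AB:93:34"))

if __name__ == "__main__":
    main()
```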
Now that we know our target’s BSSID, let’s capture only packets going to our target and save them as a capture file. We will use Airodump-NG again, with the --channel flag to indicate the channel to listen on, the --bssid flag to tell it which access point to listen to, and the --write flag to name the capture.
airodump-ng --channel 1 --bssid EC:AD:E0:AB:93:34 --write HackDump wlan0mon
All the data is now being saved to a capture file. We can see one device connected to this network (the phone we connected to this access point - connect a device if you haven’t already).
What we want to capture is a device successfully connecting to the network. We call this the handshake. The best way for us to accomplish this is to run an attack against the connected device and kick it from the network. It will attempt to reconnect, allowing us to capture the handshake.
In a new terminal, we will run Aireplay-NG using the following flags:
- --deauth <num> (we will use the number zero, which means keep sending deauthentication frames until we say stop)
- -a, followed by the BSSID of the access point
- -c, followed by the MAC address of the connected client (the STATION we saw in the scan)
And then list the interface.
aireplay-ng --deauth 0 -a EC:AD:E0:AB:93:34 -c F2:98:XX:XX:XX:XX wlan0mon
After letting this run for a while, hit ctrl+c to stop the attack. In roughly 10 seconds, we had enough information in the capture to start cracking. You can also stop the packet capture in the other terminal window now.
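From the defender's side, the deauthentication flood just described is easy to spot, because a legitimate network sends very few deauthentication frames. This added Python example (not from the article) parses raw 802.11 management frames and alerts when one sender exceeds a deauth rate threshold; the frames are constructed inline, and the MAC addresses reuse the lab's access point and a made-up client.

```python
import struct
from collections import defaultdict, deque

DEAUTH_FC0 = 0xC0  # frame control byte 0: type 0 (management), subtype 12 (deauthentication)

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)

def build_deauth(dst: str, src: str, bssid: str, reason: int, seq: int) -> bytes:
    """Constructed 802.11 deauthentication frame (no radiotap header), used only for the sample."""
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid))
    return struct.pack("<BBH", DEAUTH_FC0, 0, 0) + addrs + struct.pack("<HH", seq << 4, reason)

def parse_mgmt_frame(frame: bytes):
    """Return (subtype, dst, src, bssid, reason) for a management frame, else None."""
    if len(frame) < 24 or frame[0] & 0x0C != 0:  # bits 2-3 of byte 0 give the type; 0 = management
        return None
    subtype, reason = frame[0] >> 4, None
    if subtype in (10, 12) and len(frame) >= 26:  # disassoc/deauth bodies start with a reason code
        reason = struct.unpack("<H", frame[24:26])[0]
    return subtype, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]), reason

class DeauthFloodDetector:
    """Alert when one sender emits more than `threshold` deauth frames within `window` seconds."""
    def __init__(self, threshold: int = 10, window: float = 5.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)  # sender MAC -> timestamps of its recent deauth frames

    def observe(self, timestamp: float, frame: bytes):
        parsed = parse_mgmt_frame(frame)
        if parsed is None or parsed[0] != 12:
            return None
        _, dst, src, bssid, reason = parsed
        recent = self.seen[src]
        recent.append(timestamp)
        while recent and timestamp - recent[0] > self.window:  # drop frames outside the window
            recent.popleft()
        if len(recent) > self.threshold:
            return f"deauth flood: {src} (BSSID {bssid}) -> {dst}: {len(recent)} in {self.window}s, reason {reason}"
        return None

def main():
    # Constructed sample: 25 forged deauth frames in 2.5 s against the lab client.
    det, ap, client = DeauthFloodDetector(), "EC:AD:E0:AB:93:34", "F2:98:00:00:00:01"
    for i in range(25):
        alert = det.observe(0.1 * i, build_deauth(client, ap, ap, 7, i))
        if alert:
            print(alert)
if __name__ == "__main__":
    main()
```

Enabling 802.11w Protected Management Frames on the access point and its clients is the standard mitigation: forged deauthentication frames then fail integrity checking and are ignored.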
You can see all the files that were saved. The *.cap file is the one we need.
Cracking the Password
We will use the program aircrack-ng to run a dictionary attack against the captured handshake and try to break the password. We are using the fern-wifi common password file, as mentioned earlier.
The command is:
aircrack-ng HackDump-01.cap -w /usr/share/wordlists/fern-wifi/common.txt
The cracking attempts begin. We already know the password was in this list. In under one second, Aircrack-NG tried 400 passwords and found the correct one. We now have access to this network.
This example was under ideal conditions. We knew the password was on our short list. In real life, you will likely be building your own password lists based on what you know of the target. You may also need to take other measures, such as spoofing your MAC Address to bypass whitelisting.
Still, this exercise proves that wireless networks are only as secure as the passwords you choose. Even with very secure passwords, other ways exist to infiltrate a network. We didn’t touch on hacking WPS, which can be a quicker method to gain access, or setting up an evil twin to try and social engineer credentials.
There are many different methods to hack WiFi, and we encourage you to test out different methods and programs. Check out our Member Section to see all our course offerings. You might especially like the ones below.