Hacking WPA/WPA2 Protected WiFi Network Using Kali Linux

Today am gonna show you can Hack a WPA/wpa2 WiFi Network Using Kali Linux, Start Kali Linux and identify yourself, preferably as root. And Plugin your wireless adapter capable, (unless your computer card supports). If you use Kali in VMware, then you may have to connect the card via the ImageIcon in the device menu.

Step 1:

Fist, disconnect from all wireless networks by the following command open a new terminal and type airmon-ng stop wlan0 press enter then type again airmon-ng check kill press enter.

(if you are facing any problem here? use these commands (ifconfig wlan0 down) (service networking stop) (service network-manager stop)

Step 2:

Now open a Terminal and type airmon-ng

This will list all the wireless cards that support mode monitor (no injection). If no cards are listed, try unplugging and reconnecting the card and confirm that it supports monitor mode. You can check if the card supports monitor mode by ifconfig typing another terminal, if the card is listed in ifconfig, but does not show up in airmon-ng, then the card does not support it. In my case am using Alfa AWUS036H,

You can see here that my card supports monitor mode and is listed as wlan0.

Step 3:

Type airmon-ng start followed by the interface of your wireless card. mine is wlan0, so my order would be: airmon-ng start wlan0

“(Monitoring mode enabled)” means a message that the card has been put into monitor mode. Note the name of the new monitor interface, mon0.

If  your network didnt down type the following commands

airmon-ng stop wlan0

airmon-ng check kill

Step 4:

Now type airodump-ng wlan0mon.

Airodump will now list all the wireless networks in your area and a lot of useful information about them. Locate your network or the one you have penetration test permission. Once you have spotted your network on the still populating list, press Ctrl + C on your keyboard to stop the process.

Step 5:

Write down the channel of your target network. Copy the BSSID from the target network.
Now type this command:
airodump-ng –bssid [bssid] -c [channel] –write /root/Desktop/ [monitor interface]
Replace [channel] with the channel of your target network. Paste the network BSSID where [bssid] is, and replace [monitor interface] with the name of your monitor-enabled interface, (mon0).

A full command should look like this:
airodump-ng –bssid 10:62:EB:12:FD:55 -c 6 –write /root/Desktop/hackwifi wlan0

Now, press enter.

Step 8:

Airodump now monitors only the target network, allowing us to gather more accurate information about it. What we are really at the moment is waiting for a device to connect or reconnect to the network, forcing the router to send the four-way handshake that we must enter in order to break the word of past. In addition, four files should appear on your desktop, this is where the handshake will be saved when it has been captured, so do not delete them.

But we’re not really waiting for a device to connect, no, it’s not what Impatient pirates do. We will actually use another tool that belongs to the aircrack-ng called aireplay-ng, to speed up the process. Instead of waiting for a device to connect, hackers use this tool to force a device to reconnect by sending deauthentication (deauth) packets to the device, making it look like it has to reconnect with the router.

Of course, for this tool to work, there must be someone else connected to the network first, so look at the airodump-ng and wait for a client to show up. It might take a while, or it could only take a second before the first watch. If no appear after a long wait, the network could be empty right now, or you are too far from the network.

You can see on this picture, that the customer has appeared on our network, which allows us to start the next step.

Step 9:

let airodump-ng run and open a second terminal. In this terminal, type this command:
aireplay-ng  –deauth [number of packets to sent] -a [router bssid] then type interface wlan0mon
The –deauth is a shortcut for the deauth mode and 2 is the number of packets to send deauth.
-a tells the access point (router) to do bssid, replace [bssid router] with the BSSID of the target network, which in my case is 10:62:EB:12:FD:55.

My complete command looks like this:
aireplay-ng  –deauth 10 -a 10:62:EB:12:FD:55 wlan0mon

hack wifi kali linux

By hitting Enter, you will see aireplay-ng send packets, and in a few moments, you should see this message appear on the airodump-ng screen!

This means that the handshake has been captured, the password is in the hands of the hacker, in one form or another. You can close the aireplay-ng terminal and press Ctrl + C on the airodump-ng terminal to stop monitoring the network, but do not close again just in case you need some of the information later.

Step 10:

This concludes the external part of this tutorial. From now on, the process is entirely between your computer and these four files on your desktop. In fact, one .cap, which is important. Open a new terminal, and type this command:
aircrack-ng -w [word list path] -b [bssid]] /root/Desktop/*.cap

-a is the aircrack method will use to break the handshake, 2 methods = WPA.
-b means bssid, replace [bssid router] with the BSSID of the target router, mine is 00:14: BF: E0: E8: D5.
-w stands for wordlist, replace [wordlist path] with the path to a list of words that you have downloaded. I have a word list called “wpa.txt” in the root folder.
/root/Desktop/*.cap is the path to the file containing .cap the password, the * means wild card in Linux, and since I’m assuming there are no other files .cap on your desk, it works well it’s like that.

My full command looks like this:
aircrack-ng -a2 -b 00: 14: BF: E0: E8: D5 -w /root/wpa.txt /root/Desktop/*.cap

alfa wireless adaptor for hacking

Now press Enter.

Step 12:

Aircrack will now embark on the process of cracking the password. However, it will only crack if the password happens to be in the list of words you have selected. Sometimes he is not. If that’s the case, then you can congratulate the owner for being “impenetrable”, of course, only after you have tried all the word lists that a hacker could use or do!

cracking password using aircrack-ng
cracking password using aircrack-ng


Cracking the password could take a long time depending on the size of the word list. Mine went very fast. If the phrase is in the word list, then Aircrack will show you too much like this: The password for our test-network was “nonsecure,” and you can see here that aircrack found. If you find the password without a decent fight, then change your password, if it is your network.

Leave a Reply