With the help of Aircrack-ng, Airodump-ng, and Hashcat, it is easy to crack the passwords of WPA/WPA2 Wi-Fi routers.

Many WPA/WPA2 passwords are not strong enough to keep an intruder out; weak passwords are easy to crack on any network. This guide is not exhaustive, but it holds enough information to let you test your own network’s security or break into someone else’s network nearby you.

This process is a totally passive attack, which means the user gets no notification of your access to the network. It also provides no information about the user of the network or about the attacker using the password.

The actual speed of the reconnaissance process is very slow; however, an optional active deauthentication attack can be used to speed it up.
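The deauthentication step is the one active, noisy part of the process, and it is also the part a network owner can see. The following is an added example (not code from the original post) of what a defender's wireless monitor looks for: a small Python script that parses raw 802.11 management frames and flags any BSSID that emits a burst of deauthentication or disassociation frames, which is the classic "kick everyone off" pattern. The frame bytes, MAC addresses and the threshold of 5 are constructed for this example, and the script assumes the radiotap header has already been stripped from each frame.

```python
"""Detect a deauthentication flood in 802.11 management frames.

Added example, not part of the original post. Operates on raw 802.11 MAC
frames (radiotap header already stripped). All sample frames below are
constructed in memory for the demonstration and are never transmitted.
"""
import struct
from collections import Counter

# Frame-control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype
TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12

BROADCAST = b"\xff" * 6


def fmt_mac(b: bytes) -> str:
    """Render a 6-byte address as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes):
    """Parse the 24-byte 802.11 MAC header; return None for runt frames."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "da": raw[4:10],      # destination (addr1)
        "sa": raw[10:16],     # source (addr2)
        "bssid": raw[16:22],  # addr3 carries the BSSID for these frames
        "seq": struct.unpack_from("<H", raw, 22)[0] >> 4,
    }
    # Deauth/disassoc bodies start with a 2-byte little-endian reason code
    if frame["type"] == TYPE_MGMT and frame["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0] if len(raw) >= 26 else None
    return frame


def detect_deauth_flood(frames, threshold: int = 5):
    """Count deauth/disassoc frames per BSSID and return those over the threshold.

    Result: {bssid: {"count": n, "broadcast": m}}, where "broadcast" counts
    frames addressed to ff:ff:ff:ff:ff:ff (one frame disconnects every client).
    """
    counts, bcast = Counter(), Counter()
    for raw in frames:
        f = parse_frame(raw)
        if f is None or f["type"] != TYPE_MGMT:
            continue
        if f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        key = fmt_mac(f["bssid"])
        counts[key] += 1
        if f["da"] == BROADCAST:
            bcast[key] += 1
    return {k: {"count": n, "broadcast": bcast[k]} for k, n in counts.items() if n > threshold}


# --- constructed sample capture (in-memory bytes only) ---
def _mgmt_frame(subtype, da, sa, bssid, seq, body=b""):
    """Build a minimal management frame: frame control, duration, 3 addresses, seq, body."""
    fc0 = (subtype << 4) | (TYPE_MGMT << 2)
    return bytes([fc0, 0]) + b"\x00\x00" + da + sa + bssid + struct.pack("<H", seq << 4) + body


AP = bytes.fromhex("001122334455")   # constructed BSSID
STA = bytes.fromhex("66778899aabb")  # constructed client address

SAMPLE_CAPTURE = (
    [_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP, i) for i in range(20)]          # ordinary beacons
    + [_mgmt_frame(SUBTYPE_DEAUTH, STA, AP, AP, 100, struct.pack("<H", 3))]           # one normal deauth
    + [_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, 200 + i, struct.pack("<H", 7))  # burst of 12
       for i in range(12)]
)

if __name__ == "__main__":
    for bssid, stats in detect_deauth_flood(SAMPLE_CAPTURE).items():
        print(f"possible deauth flood from {bssid}: {stats['count']} frames, {stats['broadcast']} broadcast")
```

On the sample capture the script reports one BSSID with 13 deauth frames, 12 of them broadcast; the single deauth to one client stays under the threshold on its own. A real monitor would add a time window so that the threshold is frames per second rather than frames per capture.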

The process of cracking WPA/WPA2 passwords requires general knowledge of computers and of the commands used to operate them, along with a wireless card in your system that supports monitor mode. The process is based on the Linux operating system (Kali Linux is recommended) and on the command line, hence the user has to be familiar with the command line and the Kali Linux environment.

The first step is to have Aircrack-ng installed on your system. If it is already installed you are ready to go; otherwise you can install Aircrack-ng using the following command.

Cracking a Wi-Fi Network

Monitor Mode

Monitor mode is a radio frequency monitoring mode which allows a computer system to track or monitor all traffic received from all nearby wireless networks. This is done with the wireless network interface controller (WNIC). It allows packets to be captured without having to associate with an access point or ad-hoc network first and is also used for packet sniffing. It is one of the eight modes in which 802.11 wireless cards can operate.

Begin the process by listing wireless interfaces that support monitor mode. This can be achieved by the following command:

If your wireless card does not support monitor mode, then no interface is listed. This means you have to recheck your wireless card installation and retry.

If everything goes correctly you will get the list of all wireless interface names, such as wlan0. Now proceed by placing the interface into monitor mode, but be sure you are using the correct name. The name of the wireless interface can differ depending on the system.

You should now see a new monitor mode interface listed (likely mon0 or wlan0mon).

Find Your Target

The next step is listening to the desired network. Start listening to the 802.11 Beacon frames broadcast by nearby wireless routers using your monitor interface:

airodump-ng mon0

You will get the output as follows:

Capture a 4-Way Handshake

WPA/WPA2 uses a 4-way handshake to authenticate devices to the network. It is important to capture one of these handshakes in order to crack the network password. These handshakes occur whenever a device connects to the network. The handshake is captured by directing airodump-ng to monitor traffic on the target network using the channel and BSSID values discovered with the previous command.

The process is time consuming, hence you have to wait until you see something like [ WPA handshake: bc:d3:c9:ef:d2:67 in the top right corner of the screen.

Once you have captured a handshake, press ctrl-c to quit airodump-ng. You will then see a .cap file in the directory where you executed the airodump-ng command. This capture file is used to crack the network password in the following steps.

Rename the file to reflect the name of the network that you need to crack:

Here hackme is the network whose password we are trying to crack.

Cracking the Network Password

This is the final step, which leads to cracking the network password. If you have access to a GPU, I highly recommend using hashcat for this step. Naïve-hashcat is a simple tool created for this process which makes hashcat easier and simpler to operate. If you have no access to a GPU, there are various online GPU cracking services you can use to perform the remaining process. Some of the popular known ones are GPUHASH.me and OnlineHashCrack. Cracking is also possible with Aircrack-ng, and that method is covered as well.

Most WPA/WPA2 routers come with strong 12-character random passwords that many users leave unchanged. If you are trying to crack one of these, it is recommended to use the Probable-Wordlists WPA-length dictionary files.

Cracking with naive-hashcat (Recommended)

Naïve-hashcat uses various dictionary, rule, combination, and mask (essentially smart brute force) attacks, and it can take days or even months to run for high-strength passwords. Hence the duration of the process depends on the strength of the password used.

The file format hashcat requires is .hccapx, hence the available .cap file must be converted to the equivalent hashcat format, .hccapx. This can be done online by uploading the .cap file to https://hashcat.net/cap2hccapx/ or by using the cap2hccapx tool directly:

cap2hccapx.bin hackme.cap hackme.hccapx

Now naive-hashcat is required on the system, hence download naive-hashcat and run it.

The cracked password is always stored in a file with the file name you have used from the beginning, but with the .pot extension. For instance, here the password will be stored in a file named hackme.pot. Hence always check this file once the process is done. The content of the POT_FILE will be something like this:

In this output we have both the network name and the password. The two fields separated by : are the network name and the password, i.e.

Network name: HP

Password: YOUhaveDoneiT

Cracking with Aircrack-ng

The basic principle behind Aircrack-ng is that it uses basic dictionary attacks which run on your CPU. It depends on a wordlist and the dictionary principle.

# download the 134MB rockyou dictionary file
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

Note that if the network password is not in the wordlist, you will not crack the password.

If the password is cracked you will see a KEY FOUND! message in the terminal, followed by the plaintext version of the network password.

List of the Commands used (summary)