Hacking WPA-Secured WiFi



Like any security algorithm, WPA and WPA2 have security flaws that allow them to be hacked. WPA2 is the best WiFi security algorithm compared to WPA and WEP. However, WPA2 is still not secure enough. In fact, anybody with a decent amount of computer knowledge can hack WPA and WPA2.

Keep in mind that Kali Linux (formerly called "Backtrack") is not needed for hacking. Linux users can use their preferred distro. Also, hacking can be helpful when people must find or prove the presence of security flaws. Please use all of this knowledge for good and not evil. In addition, get permission from the WiFi owner before hacking.

NOTE: All of these commands in this tutorial should be run with Root privileges.

Obtaining the Tools
To begin, install the needed packages. Some distros contain the needed tools in the default repos and others do not. If they are not in the Ubuntu repos, users may need to add the "ppa:darklordpaunik8880/kalibuntu" PPA by typing "apt-add-repository ppa:darklordpaunik8880/kalibuntu". Once the repos are add, then on Debian-based systems, users can type "apt-get install aircrack-ng". The "aircrack-ng" package adds many WiFi hacking tools and the package's dependencies provide additional utilities.

Once the utilities are obtained, open a terminal and type "airmon-ng". This will display a list of detected WiFi devices on the local system that support monitoring (this feature is needed). Then, type "airmon-ng start INTERFACE" where "INTERFACE" is the desired wireless device (such as "wlan0") that supports monitoring. The terminal should display a monitor interface name (such as "mon0").

NOTE: After running the last command, you should see “(monitor mode enabled)” in the output.

Next, type "airodump-ng MONITOR-INTERFACE" (where "MONITOR-INTERFACE" is usually mon0). If a "fixed channel –1" error message is seen, then execute "ifconfig INTERFACE down" (such as wlan0) and retry the airodump-ng command. After the whole hacking process, remember to type "ifconfig INTERFACE up" to make the wireless card connect to the Internet as before.

The airodump-ng command will return a list of detected Wifi hotspots. Look for one that uses WPA or WPA2 encryption (ENC), CCMP as the cipher, and PSK as the authentication method (AUTH). Once a hotspot has been selected, write down the ESSID, BSSID, and channel (CH). With the gathered information, type a command using the format "airodump-ng -w DIRECTORY -c CHANNEL --bssid BSSID MONITOR-INTERFACE". The chosen directory is used to store files containing the handshake authentication data used when a device connects to the WiFi. Now, when a client connects or reconnects to the Wifi, your system will watch how the authentication process occurs.

Waiting for a client to reconnect may take a while. Thankfully, this process can be sped up. In that same terminal output, look under the "Station" heading and look for a BSSID. Write down that BSSID which is the BSSID of a client connected to the selected WiFi. In a new terminal, type "aireplay-ng –0 2 –a WIFI-BSSID –c CLIENT-BSSID MONITOR-INTERFACE" using the gathered information. The "-0" parameter means deauth mode will be used and "2" deauth packets will be sent. This will trigger the router to reconnect/reauthenticate the chosen client. This is how the authentication process can be analyzed.

On the terminal with airodump-ng running, a "WPA handshake" message should appear. The aireplay-ng terminal can be closed. Keep the four generate files that are placed in the selected directory and remember to write down the WPA handshake hexadecimal number.

Now, the collected data can be analyzed locally to crack the password. With the gathered data, type a command in the form "aircrack-ng -a2 -b WIFI-BSSID -w WORDLIST-PATH DIRECTORY/*.cap". Use "-a1" for WPA and "-a2" for WPA2. The directory is the same one chosen previously. The wordlist file is a plain-text file containing many possible passwords. Be sure to obtain a wordlist file.

Obtain wordlist files -

If the process is successful, then the user will see a "KEY FOUND!" message and the message will display the password. It is possible to create a password secure enough that offers protection against this process.

This article can be used to test and ensure that the WPA or WPA2 security used by the WiFi is secure. If not, then the admins can make changes until the network is secure. Two methods for greatly strengthening the wireless network include enabling MAC address filtering and using a long and complex password. In addition, it may help to change the wireless password occasionally.

Further Reading


Last edited:


Sean Swiggett

I'm assuming if I'm running Kali already, the process will be the same. I currently have a Chromebook that is running Kali from the SD port that I would like to try this with.


I'm assuming if I'm running Kali already, the process will be the same. I currently have a Chromebook that is running Kali from the SD port that I would like to try this with.
Yes, the process is the same on all systems once the utilities are obtained. I mentioned the PPA for people using distros that lack the tools.


I think there is a way to combine aircrack with a command called Crunch


Instead of relying on a Dictionary File, you direct Crunch to pass every possible letter number combination within given parameters. Yes, I'm sure this could take a helluva long time.

#crunch 0 25 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ0123456789 | aircrack-ng --bssid aa:aa:aa:aa:aa:aa -w- handshakefile.cap

For getting the WPA handshake, there is a nice tool available called Wifite.

I'm sure these are available for Kali, but I'm not sure if they're in general Ubuntu repos.


@Nibble , yes. Add the PPAs, check your repos, obtain pre-made *.deb files, or build the source code.

Members online

Latest posts