How to Hack Wi-Fi Passwords (The Complete Guide)
Before we dive right into the tutorial:
- This tutorial is meant for all kinds of people out there, whether you are a fresh newbie who has just laid hands on the keyboard to the mega-genius geeks who can alter the reality of their dimension without having The Citadel involved.
- You can always just scroll-by if you get an idea of what’s coming up.
- This article will also cover some concepts to read by, just in case you want to understand the cogwheel of this. (I would be putting such conceptual paragraphs as separate blocks of text) In case you don’t want all that understanding, you can just scroll-by those too.
- Whether doing this is illegal or not, depends on how and where you use it. I mean come on, anything you do can become illegal if you do it for the wrong purpose. The author does not hold any responsibility for any of the actions (or consequences of it), committed by the reader of this article. It's like having a knife; either you can productively cut veggies or food for cooking, or go around stabbing. Choice is yours, I've got no hand in this.
Index of contents
With those out of the way, let’s begin.
I assume that the person reading this would have, at the very least, used Microsoft Windows. For those of you who didn’t know, there is another family of operating systems, like Windows or Mac OS, which is free, lighter and often tailor-made for specific purposes alone — The GNU/Linux Operating system(s).
For this tutorial, we’ll need:
- A USB stick of minimum 8GB
- A laptop or a PC with a Wi-Fi Card/Adaptor
We’ll be using Kali Linux for doing this.
For this tutorial to work, your Wi-Fi Card should be able to switch into “Monitor Mode”. It can only be easily determined once we boot into Kali Linux. So there is a chance that you wouldn’t be able to proceed once you get to know that your card does not support Monitor Mode. But hey, don’t be disheartened. You’ll have made a valuable tool already by then… If you wanna take a step further and find it within Windows itself, go here.
What is Kali Linux?
Kali Linux is a usage-specific, “version” or more correctly, distro (short for distribution) made on top of Debian Linux (which is yet another distro). This was specially made for the purpose of Penetration Testing and Ethical Hacking. As a matter of fact, the things mentioned in this article can be done in any Linux distro except the fact that you’ll have to individually install all the programs that are being mentioned. These programs come pre-installed in Kali Linux, which is the reason why it is highly preferred.
Oh, and Linux is a family of free and open-source operating systems. Do learn about them. It’s a whole world in itself.
We’ll need to download two files from the Internet.
One, will be the ISO file of Kali Linux. ISO files are just compressed disks containing programs (well, sorta). And two, will be a tool for writing the ISO into a USB Drive — Rufus.
There are various versions of both of these. But for this tutorial, and for further convenience, I will be using Kali Linux 2019.3 and Rufus 3.11. The following two links will directly download them for you.
Of course, you can use later versions of both. But when it comes to Kali Linux, they branched out their ISOs into Live USB and Installation versions from ver.2020 and later. So I prefer sticking to ver.2019 rather than 2020.
What is Rufus?
Rufus is a free and open-source portable application for Microsoft Windows that can be used to format and create bootable USB flash drives or Live USBs. (I just copied that from Wikipedia.)
Plus-point is that Rufus requires no installation. Download the 1 MB program and you are good to go!
What do you mean by Live USB and Installation?
In simple words, the ISO can be run in two ways; either by partitioning your disk space and installing the ISO to that dedicated partition (a.k.a Dual-Booting) or by directly running the ISO from the USB itself (a.k.a Live USB).
Live USB is highly portable, though slightly less powerful than an installation. We’ll be using a Live USB in this tutorial
Setting up Kali Linux
- Plug-in your USB. (Warning! : Everything in your USB will be wiped clean. Back up any important files) I am using an 8GB SanDisk USB.
- Launch Rufus. By default, your USB device name would appear under “Device”. If not, click on the box and choose the name of your USB device.
- Choose “Disk or ISO image (Please select)” under “Boot selection” if not already selected. Then click on “SELECT”. Browse to where you saved the Kali Linux ISO and choose it.
- Under “Persistent partition size”, slide the slider or type in a value for setting the size. This isn’t compulsory, but I very highly recommend this. Making a persistent partition will help you to save settings and created files inside Kali. They won’t get wiped out once you turn off your system. Without persistence, your Live USB would start up as a fresh Operating System every single time, i.e., it won’t save anything you do or make within Kali. I am pulling my slider all the way right, for having 4GB of persistent partition (may vary, depending on your USB size). [Refer to the screenshot above]
- Leave the rest of the settings untouched and press “START”. You will be prompted to download a small support file for writing Linux images (if this is your first time). Proceed with it. Next, you might encounter an option for choosing between ISO or DD. Go with ISO (it will be shown as recommended).
- Wait for your USB to be formatted and overwritten. During this process, instances of File Explorer may open up. Don’t mind it. You may close it safely. Once complete, it will show READY! and you may unplug your USB.
- Voila! You now have a Kali Live USB.
- The steps forward will vary highly depending on your PC/Laptop brand and model. Shut down your PC. Once it is off, plug in your Live USB (do not remove it until the end of this tutorial now). Turn your PC on, but don’t let it boot into Windows. Instead, boot into BIOS (please search how to open BIOS for your specific brand and model. You might have to force shutdown your device several times in this and following processes.).
- In the BIOS menu, find the option for disabling Secure Boot. Don’t worry, disabling secure boot doesn’t necessarily put your PC at a risk of viruses or something. It is merely meant for allowing the PC to boot into an Operating System other than Windows. As a matter of fact, some few laptop models can boot into the Live USB without disabling the secure boot. But it’s rare. So I suggest that you disable the secure boot.
- Next, look around for altering the Boot Device Order of your system. Place USB Diskette (or such similar device name) at the top of the list. This may vary according to models too. Some models allow to boot directly and automatically into the USB in the next boot-up, while others might prompt you to manually choose the boot device. For my hp laptop, I had to hold F10 button while booting up and I could order my Boot order to automatically boot into USB when plugged.
- After figuring it out, Save and Exit (usually the F10 button). Switch on the device if it isn’t rebooting already. If everything went well, you would land in the following page. If it didn’t, pull out your USB, force shutdown your PC, plug in your USB and turn it on. If it still doesn’t show up, go to Step 8 and review the steps again.
12. Use the arrow keys of your keyboard and choose “Live USB Persistence” or “Live System (persistence, check kali.org/prst)”. Press Enter and wait for the Kali Linux to boot up.
13. Once it boots up, you would have landed in the following screen. Congratulations, you have successfully got into Kali Linux!!
Take your time and dig around to get the hang of the environment. If you are using a Linux for the first time, these things may seem a bit intimidating at first. Feel free to Google about general things and familiarize yourself a tad bit.
Firing up Aircrack-ng (this is where the action begins. 😏)
Kali Linux has a ton of tools meant for various Penetration Testing purposes. We are going to use Aircrack-ng.
Aircrack-ng is a tool used for scanning, and injecting packets in a Wi-Fi network. In simpler words, every time you connect to a Wi-Fi network, you are sending encrypted packets of data over the air. Aircrack-ng enables your device to intercept (or more correctly, monitor and/or capture) these packets and send packets of it’s own into the Wi-Fi network.
P.S. You don’t need to know or save the password of the Wi-Fi network in your laptop. This method can be done on a completely foreign Wi-Fi network.
- Open the Terminal. It is the third icon from top on the taskbar to your left. You can also open it by going to “Show Applications” (last icon) and then scrolling down and clicking on “Terminal”. [Your terminal might show the prompt as root@kali, unlike mine. Don’t worry, my system is modified a bit, but it won’t affect the commands we’re going to run.]
- In the terminal, type
and press enter. In the list that follows, note the name of your Wi-Fi Card. (Mostly it will be wlan0).
So here, the name of my Wi-Fi card is wlan0.
If it doesn’t show up, it could be because your laptop is missing the drivers for Wireless Card in Linux. Please do search about it.
2. Next, type
airmon-ng check kill
This will turn off the Wi-Fi card and disconnects you from any connected Wi-Fi networks.
After that, type
airmon-ng start <name-of-interface>
or in this case
airmon-ng start wlan0
This is the place where the former mentioned warning comes into effect. If your card supports Monitor Mode, you would get the following (or closely similar) output.
If not, I am sorry. You wouldn’t be able to perform anything that is mentioned forward. Please don’t be disheartened. If you were a beginner, at this part of the tutorial, you would be having a Kali Live USB right? Trust me, that has a seriously high potential and a lot to learn and use. Do explore.
In Monitor Mode, you would be able to see all the surrounding Wi-Fi networks, its strength, the number of devices connected to each network, the unique MAC ID of every single one of those devices, and which of those devices are actively sending/receiving data.
Your Wi-Fi card’s name would have the suffix ‘mon’ appended to it, now. So, wlan0 is now wlan0mon.
3. Next up, we gotta initiate a scan to check all the active Wi-Fi connections around us. For the purpose of this tutorial, I would be hacking the password of a Wi-Fi network named ‘Hacker 101’ (which is actually just my hotspot 😅).
Next, type the following command:
or in this case:
and hit enter. You’ll be taken to an instance (like the screenshot below) which scans the networks around you. Give it some time to procure info of the networks and the devices connected to them.
Let’s analyse this screenshot for a better understanding. The BSSID in the first table is the MAC address of the Wi-Fi networks. These networks may or may not have a device connected to them.
The list below that, shows all the devices which are connected and actively sending packets around you. In that second table, ‘station’ is the MAC addresses of all the devices connected to the corresponding BSSID.If the device is actively sending/receiving data, you would see a quick increase in its Frames.
Note the BSSID and Channel number (under the column CH) of the target network. In this case, it is 0C:F3:46:D5:B7:C5 and 6, respectively.
Press Ctrl+C to stop the scan. You’ll have to restart the scan but with conditions (switches) now.
4. Some concepts before the next step. You may skip if you don’t want to know.
As I said before, Wi-Fi works by sending packets of encrypted data to and fro the device and router. The password of a Wi-Fi is also such a packet. When you are asked to type the password of your Wi-Fi in your phone or tab or laptop, you are sending a “hashed” (encrypted) packet of the password. The router then decodes the packet and accepts it if it is right. Hence, we say that the router accepted a “handshake”. Once accepted, there’s no more need of sending such a handshake packet during the whole time that the device is connected. It will be required to be sent again only when the device gets disconnected and has to reconnect again. This handshake file contains the password but in hidden form. We’ll have to intercept the handshake as it is being sent i.e. at the exact moment that it is connecting. What we are doing next is setting up a listener to detect when a handshake is sent and accepted, and to intercept and store the handshake into a file, so that we can crack the password later on.
After you stopped the scan, type the same command as earlier, but this time with switches:
airodump-ng -w <filename_to_store_hash_key> -c <channel_number> <interface_name>
or in this case:
airodump-ng -w test -c 6 wlan0mon
and press enter.
- -w is used for specifying the name of the set of files that’ll store the encrypted password file when we get hold of it. ‘test’ will be the name of the set of files.
- -c is used for fixing the scan to just one single channel. This avoids any unnecessary noise during the capture and makes the process a lot more cleaner.
The scan would’ve begun again, this time with maybe fewer networks than before. But since we fixed our channel to the channel number that we noted earlier (i.e. 6), we get to see our target network.
Now keep this scanning alive. Don’t close off the terminal until we get a “handshake”.
For getting the password file, we’ll need a device to try and connect to the target Wi-Fi network at the same time as we are scanning. Since this is highly unlikely, we are gonna have to do a teeny-weeny “trick”:
We are gonna kick people out of their own Wi-Fi!
Yup, we jam their signal and then force them to reconnect again, all at the same time that we are scanning. This process of kicking devices out of a network is called De-authentification, or for convenience, de-authing.
For this, you have to keep that scanning terminal alive and untouched. Note down the MAC address of the target Wi-Fi network (listed under BSSID, here). Now, open a new terminal (right-click on terminal icon in the taskbar and open new window). Then type the following command in the new terminal:
aireplay-ng -0 0 -a <MAC_address_of_target_network> <interface_name>
or in this case:
aireplay-ng -0 0 -a 0C:F3:46:D5:B7:C5 wlan0mon
Please do note, that after aireplay-ng, the thing written is ‘hyphen zero space zero’ not ‘hyphen O space O’. Medium has an awkward font choice for numbers sometimes…
- -0 is the switch which indicates that de-auth packages are to be sent. It can also be replaced with -deauth. The zero that follows is the number of packages that’ll be sent. If you put 2 there, two deauth packages would be sent, but when you put zero, infinite packages would be sent, until you choose to stop.
- -a is the switch for specifying the BSSID of the network we intent to jam.
Anyway, type it and press enter. You would see some repetitive messages stacking below. This means that you are continuously kicking out all the connected devices from that network. If you were testing this on your own network, you could now see that all your connected devices would have disconnected from the network.
While this is happening, head over to the previous terminal, and look at the end of the top line. If it says ‘WPA handshake’ somewhere, VOILA!, you have captured the password file (like it is in the following screenshot). You can now go to the terminal that was sending de-auth packets and press Ctrl+C to stop it. You may also stop the scanning now, since you got the packet.
If it doesn’t say anything about the handshake, wait for like 5–10 seconds. If it still doesn’t, head over to the de-auth terminal and stop it. Check if the handshake is received now. If not, go start the de-auth again. It is either because no one got kicked out, or because the kicked out device didn’t try to reconnect. If it is the first reason, try moving a bit more closer to the router before sending the de-auth packets again; if it’s the second reason, well, you aren’t in power of that, you might have to try it later.
You may now close both the terminals.
Alright. If you successfully got a WPA handshake, you would have saved the hashed password file and we may proceed to the next step.
Cracking the Hash
For cracking the hashed password, we need a ‘dictionary’. No, not the Oxford Dictionary or stuff. A dictionary is a big list of passwords of many kinds that can be used for such cracking purpose. This is also known as a ‘Dictionary Attack’. Kali comes with quite a few dictionaries built-in.
Dictionaries used for the purpose of cracking passwords can range from a text file with a few hundreds of passwords to ones with millions or billions of passwords in it! These passwords are procured through previously conducted Social Engineering Attacks or other means. Do remember that all the possible passwords in the world are not going to be fit into a single dictionary. So the limit of the type of passwords you can crack, depends on how comprehensive a dictionary you are using, or using other methods such as BruteForce.
If you are curious of how these dictionaries are used to crack the passwords of Wi-Fi networks, it’s not by decoding the password file as is. But instead, we encode the available passwords from the list and cross check whether the encoded result is the same as the encoded password file. If a match is found, we have cracked the password, if not… well, you get the idea. So this means, you can’t guarantee that any and every password will be cracked successfully. In this tutorial, we’ll be cracking an easy password only.
To ready the dictionary for use, we need to unzip it.
Type the following code in a new terminal (cd is used for changing directory).
and then (ls is used to list the contents of the current folder)
This will display all the files in that folder. In it, you would notice a file called ‘rockyou.txt.gz’ . This is the dictionary we’ll be using. For that, we’ll have to unzip it, because it is a compressed file as of now. For unzipping, type:
Now if you type:
You’ll see that ‘rockyou.txt.gz’ has changed into ‘rockyou.txt’ . If you type ‘nano rockyou.txt’ and wait for like 2–5 mins, you can see the contents of the list (not really very necessary). It takes 2–5 mins to open because it is a really big text file. If you opened it for viewing, close it with Ctrl+X before proceeding to the next step.
Great. Now for the finale. We are gonna crack the password file. If you open your file explorer now, you would see five files with the same name but different extensions. Since we used the name ‘test’ for the -w switch, all those five files will have the name ‘test-01’.
(P.S. There could be slight changes in your file name and number depending on what names you gave and how many retries you did)
In this, we will be using the .cap file for cracking.
Open a fresh terminal. And type the following:
aircrack-ng <filename>.cap -w <path_to_dictionary/dictionary_name>
or in this case:
aircrack-ng test-01.cap -w /usr/share/wordlists/rockyou.txt
and press enter. If you get a prompt to choose from multiple handshakes (which is kinda rare), choose the corresponding index number and press enter as well.
You’ll see the system trying various hashes one after the other while going through the dictionary. If the Wi-Fi password is there in the dictionary as well, it will show that you have FOUND THE KEY!
As you can see in the screenshot above, the password of the network is ‘bankbank’. And hence you have successfully hacked the password of a Wi-Fi Network!!
Yup, this was indeed a cool tech, but like anything, it has its limitations too.
- For this to work, your target Wi-Fi network should have at least one actively connected device. If it’s a Wi-Fi network which has no devices connected and don’t have or know the password of, you won’t be able to hack it.
- Your ability to crack the password depends on how hard or easy the password is. If it’s some easy or medium password like 12345678 or helloworld or something, you can hack it with the rockyou.txt dictionary that we used here. Else, you’ll have to use larger dictionaries or resort to other methods such as BruteForcing to crack the password.
- Your PC/Laptop specifications do matter at the last stage, i.e. the cracking of the password. The better your CPU, the faster you can crack the password. You may also employ your GPU for this job using other programs like Hashcat. Do explore 😃.
Well, if you were a beginner, I have just brought you into the world of Penetration Testing (sorta). Kali Linux is a seriously lit operating system for this purpose. Dig around to learn a really lot from it.
Don’t expect or depend on Kali Linux like how you would depend on a daily use Operating System like Windows, Mac or (maybe) Ubuntu. Kali is specifically designed for these jobs. So use it accordingly.
There are other ways to hack a Wi-Fi network than this. You can try learning about them too.
So with that, I wrap up this (first) article.
Thank you for sticking around till the end and bearing me.
I am available at email@example.com. Or do visit my GitHub profile.
Cheers and Best Wishes!! 😃