Wireless hotspots are all around us. Some are open, and some require you to enter a password before you can join. This control is in place to stop unauthorized access to the network.

WPA/WPA2 come as standard nowadays, and even your broadband router should comply. You can tell because you need a key before your device can connect. By default these routers are somewhat secure because each one ships with a randomized password. You can change this to make life easier, though, as the hotspot at your local Café probably has. Because of this, there is a chance it can be cracked.

Below we are using Aircrack-ng to crack the wireless password. There is a common misconception that this tool breaks the hash to extract the password. What it actually does is hash each word pulled from a wordlist and compare the result against the captured hash.

Let’s say our wireless password is P@ssw0rd. This gets hashed and becomes 161ebd7d45089b3….. This is the hash which is present in the handshake. This is what we are trying to collect and crack.

Once we have the hash, we can use Aircrack-ng. We will also need a wordlist such as rockyou.txt in order to crack the password. Aircrack-ng will run through the wordlist and hash each value. Once it gets to P@ssw0rd, it will hash the value and see if the hash matches the one collected from the handshake. If it does, you know the original word.

Let's go through it.

Aircrack-ng comes pre-installed with Parrot OS and Kali; if you need to download it, follow these instructions: https://github.com/aircrack-ng/aircrack-ng

It’s important to note that you will need a wireless adapter that can both send and receive traffic in monitor mode. Most built-in wireless adapters will only receive, so you may need to purchase one.

I personally use: https://www.alfa.com.tw/products_detail/7.htm but there are more out there.

First, we need to enable monitoring mode on our adapter. To do this we run:

sudo airmon-ng start wlan1

I’m using wlan1 because it’s the interface for my Alfa adapter. wlan0 is the built-in one. To find out which one you are using, you can run the following commands.

netstat -i

ip link show

Once our adapter is in monitor mode, the name of the interface will change: wlan1 has become wlan1mon. This is the interface we now need to use to capture traffic. Let’s run:

sudo airodump-ng wlan1mon

Once we have a target, we can focus on it. I’m going to use “I’m Watching You”.

To focus on that AP, we need its BSSID and its channel. We also need to start capturing traffic at this point, so we add --write {name}.

sudo airodump-ng --bssid 90:21:06:61:11:6A -c 1 --write CADcrack wlan1mon

Once we can see traffic, we need to kick the connected clients off so that we can capture the handshake when they reconnect. To do this, we can use aireplay-ng.

--deauth is how many deauthentication rounds to send and -a is the access point's BSSID.

Before you run the next command, open up a new terminal. You want to keep the monitoring open in order to see if you have captured the handshake.

sudo aireplay-ng --deauth 100 -a 90:21:06:61:11:6A wlan1mon
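From the defender's side, a burst of deauthentication frames like the one sent above is exactly what a wireless IDS watches for. The following is an added example, not code from the post or from the Aircrack-ng project: a sliding-window counter over frame records of the form (timestamp, management subtype, BSSID) that raises an alert when one BSSID exceeds a threshold of deauth/disassoc frames inside the window. The BSSID 90:21:06:61:11:6A is the one from the post; the second BSSID, all timestamps, and the window and threshold values are constructed assumptions. Feeding it real frames parsed from a monitor-mode capture is left to the reader.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes (type 0)
DEAUTH = 0x0C
DISASSOC = 0x0A
BEACON = 0x08

PAGE_BSSID = "90:21:06:61:11:6A"   # access point from the post
QUIET_BSSID = "00:11:22:33:44:55"  # constructed, well-behaved AP


def detect_deauth_floods(frames, window=5.0, threshold=20):
    """Sliding-window detector.

    frames: iterable of (timestamp_seconds, subtype, bssid). Frames that are
    not deauth/disassoc are ignored. One alert (bssid, first_ts, count) is
    emitted per flood; a BSSID may alert again only after its count drops
    back below the threshold.
    """
    recent = defaultdict(deque)   # bssid -> timestamps inside the window
    alerted = set()
    alerts = []
    for ts, subtype, bssid in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold:
            if bssid not in alerted:
                alerts.append((bssid, q[0], len(q)))
                alerted.add(bssid)
        else:
            alerted.discard(bssid)        # flood ended; re-arm for this BSSID
    return alerts


def constructed_frames():
    """Constructed sample: a trickle of legitimate deauths from a quiet AP,
    then 100 deauths in two seconds carrying the post's BSSID, plus a beacon."""
    frames = [(i * 30.0, DEAUTH, QUIET_BSSID) for i in range(10)]
    frames += [(100.0 + i * 0.02, DEAUTH, PAGE_BSSID) for i in range(100)]
    frames.append((101.0, BEACON, PAGE_BSSID))   # not counted
    return frames


if __name__ == "__main__":
    for bssid, start, count in detect_deauth_floods(constructed_frames()):
        print(f"ALERT {bssid}: {count} deauth/disassoc frames within 5s starting at t={start}")
```

The threshold and window need tuning for the environment: a single deauth now and then is normal when clients roam or an AP reboots, but dozens per second from one BSSID almost never is.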

As you can see, we have been successful. Now we just need to crack the password using Aircrack-ng. Before we can do this, we will need a wordlist. To find out more about wordlists, read this: https://ctrlaltdel.blog/2019/05/25/generating-custom-wordlists-for-targeted-attacks/

Once we have our wordlist, let's run Aircrack-ng and crack the password. We need to run it against the capture file that contains the handshake. In the example above, I ran airodump-ng and wrote to a file with the name ‘CADcrack’; airodump-ng appends a sequence number to that prefix, which is why the file below is CADcrack-02.cap.

sudo aircrack-ng CADcrack-02.cap -w ./wordlist.txt

And there you have it. We’ve cracked the key. In real life it won’t be this simple: to speed things up, I generated the wordlist myself (knowing the password). Therefore, it’s important to generate custom wordlists or to do some prior research first. rockyou.txt is the most common, but you may be wasting your time if the password isn’t in the wordlist.
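The hash-and-compare loop described earlier, and the reason the wordlist matters, can be seen in a few lines. The following is an added example, not code from the post or from the Aircrack-ng project. It uses the actual WPA2-PSK key derivation (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output) so you can audit your own passphrase against a wordlist before anyone else does. The SSID “I’m Watching You” and the P@ssw0rd example come from the post; the five-word wordlist and the strong passphrase are constructed, and the IEEE 802.11i test vector (SSID "IEEE", passphrase "password") is included as a self-check that the derivation is the standard one.

```python
import hashlib
import hmac
import secrets

SSID = "I'm Watching You"   # AP name used in the post

# Constructed stand-in for a wordlist such as rockyou.txt
WORDLIST = ["123456", "password", "letmein", "P@ssw0rd", "qwerty"]


def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """WPA2-PSK pairwise master key (IEEE 802.11i):
    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def self_check() -> bool:
    """IEEE 802.11i published test vector for SSID 'IEEE' / passphrase 'password'."""
    expected = bytes.fromhex("f42c6fc52df0ebef9ebb4b90b38a5f90"
                             "2e83fe1b135a70e23aed762e9710a12e")
    return hmac.compare_digest(derive_pmk("IEEE", "password"), expected)


def dictionary_match(ssid: str, target_pmk: bytes, wordlist):
    """What a wordlist run does per candidate: derive, compare, move on.
    Returns the matching word, or None if the passphrase is not in the list."""
    for word in wordlist:
        try:
            candidate = derive_pmk(ssid, word)
        except ValueError:          # too short/long to be a WPA passphrase
            continue
        if hmac.compare_digest(candidate, target_pmk):
            return word
    return None


def audit_passphrase(ssid: str, passphrase: str, wordlist) -> bool:
    """Defender's view: would this passphrase on this SSID fall to this wordlist?"""
    return dictionary_match(ssid, derive_pmk(ssid, passphrase), wordlist) is not None


if __name__ == "__main__":
    assert self_check()
    print(audit_passphrase(SSID, "P@ssw0rd", WORDLIST))     # True: it is in the list
    strong = secrets.token_urlsafe(24)                      # constructed 32-char random passphrase
    print(audit_passphrase(SSID, strong, WORDLIST))          # False: no wordlist will contain it
```

Two things the loop makes visible: the salt is the SSID, so a PMK computed for one network name is useless against another (and a common SSID such as a default router name makes precomputed tables practical), and each candidate costs 4096 HMAC rounds, which is why the attack is only fast when the passphrase is in the list.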

Once finished, to end monitoring mode, use:

sudo airmon-ng stop wlan1mon