Cracking WiFi WPA/WPA2 using WiFite and Aircrack

Last Updated: 20/11/2024

So you’re interested in Hacking and Cracking? Or just want some free WiFi? Either way you have found the right place to start cracking WiFi.

Today we are going to walk through the steps needed to crack WiFi access points using a combination of wifite and Aircrack-ng. In this guide we will go through how to capture and crack the handshakes to reveal the WiFi Password. 

What do I need?

Firstly, you will need a Kali machine! For the purpose of this guide I am using a vanilla install of Kali and am running all of my sessions and commands as a Root user. If you are using a standard account then ‘sudo’ will be required before most, if not all commands being executed.

My installation of Kali is on a Laptop with a compatible WiFi adapter which allows for monitor mode. This is necessary to capture packets ‘in the air’. A quick Google search will tell you which WiFi cards/adaptors are supported.

A good understanding of networking will certainly help for this. I would recommending looking into things like: Handshakes, WiFi Authentication, Deauth, Cracking concepts, Linux commands prior to attempting this.

Capture the Handshake

Boot up Kali and either navigate to ‘wifite‘ in the applications tab or open up a terminal and type in ‘wifite‘.

Immediately you will see a list of WiFi SSID’s begin to populate in the terminal window. The key thing to look out for is the amount of connected clients (as we are trying to capture a handshake between the client and the AP). The more clients, the better the chance of capturing.

After choosing the Access Point in wifite, in this case ‘EternalWIFI’. It will attempt to deauth the clients connected (disconnect the Clients). Those clients will then try to re-establish a connection and in doing so, wifite will capture the initial handshake packets which contain the password hashes. The more clients that are connected to the AP the better the chance and more quicker wifite will capture the handshake packets.

When a Handshake packet is captured, Wifite will try a default/simple password list. Its not bad and has worked for me a few times on individuals that tether phones and change their passwords to something very simple. You can of course edit this list to include more passwords.

As you can see from the above, wifite has managed to crack the simple password which is ‘password’. 

Password Lists

This however, will not always work. So we will need to crack the hash against a bigger password list. We are going to do this by using aircrack-ng. By feeding a password list against the captured handshake hash.

So, we are going to need passwords, lots of passwords!

If you need some password files I have zipped a few up HERE, I have found these on the Internet and take no credit for them! 

However, the best way to get wordlists is by creating them yourself on Crunch. If you suspect that someone has changed their password to something ‘personal’ then it might be worth running CUPP (Common User Password Profiler) for a specific list.

Kali also comes with a default list (rockyou.txt) located in: /usr/share/wordlists

When cracking WiFi, the more you know about the network, router and users can help a lot. First things first would be to look at the SSID (most SSID’s have the brand of router included within the name) and this allows you to understand how many characters the default WiFi code is and the combination of letters, numbers, caps. An example of this is: 

Default Iphone Hotspots/Tether will use 13 Lowercase only with Numbers (No Symbols or Caps). This information will allow us to filter our wordlists and create new wordlist around this.

Cracking the WiFi Handshake

Once you have downloaded or created a password list, it’s time to run this against the captured hash using aircrack-ng. The Syntax for aircrack-ng is: 

aircrack-ng capturedpackets.cap -w wordlist.txt

When we execute this, aircrack-ng will begin hashing the passwords from the list against the handshake password hash.

If the password is in the list then it will eventually strike a match.

As you can see, the WiFi password is ‘pleaseletmein’. While a simple password, this one wasn’t in the common password file in wifite and required the use of our own wordlist in order to crack.

Exit Monitor Mode

Make sure you exit monitor mode on your WiFi adapter so you can test if the passphrase works.

The command for this is: airmon-ng stop wlan0mon

The interface could be different on your setup, so adjust accordingly.

Wrap up

So there we have it, a way of cracking WiFi. Please note that the cracking speed will be based upon your machines performance. It goes without saying that if the passphrase isn’t in your wordlist then you wont find the password. So make sure you build out specific wordlists dependent on the WiFi AP you want to crack. There are many other tools that you can use for the capture of the handshake and the cracking of the handshake. I prefer wifite as its easy to use and great for beginners and aircrack-ng has easy to remember syntax for piping a handshake to a wordlist.

Please use this knowledge responsibly and make sure you have consent to execute attacks such as this against someones Access Point. I take no responsibility for misuse of this information.  

Please feel free to put any questions or comments in the section below.

 

17 thoughts on “Cracking WiFi WPA/WPA2 using WiFite and Aircrack

    1. Hi James,

      Thanks for your feedback!

      Kali can be downloaded here: https://www.kali.org/ I would recommend burning to USB with Rufus which can be downloaded for free here: https://rufus.ie/. If it gives you the option burn in DD mode not ISO mode as ISO mode can sometimes cause a few issues during installation. Hope this helps!

Leave a Reply

Your email address will not be published. Required fields are marked *