Download Kali WiFi suite before trying this.
For those of you who do not know, WPA2 is short for Wi-Fi Protected Access 2, the follow-on security method to WPA for wireless networks that provides stronger data protection and network access control. It provides enterprise and consumer Wi-Fi users with a high level of assurance that only authorized users can access their wireless networks. WPA2 is backwards compatible with WPA.
WPA2 is a modern encryption scheme and it’s not as easy to crack as WEP. We cannot actually crack the encryption itself, but what we can do is brute force our way to the gold. Yes, it is possible to crack WPA2 or WPA passwords with Kali Linux.
> How to crack WPA2 or WPA Password with Kali Linux: Set the target access point
The first step to cracking WPA2 or WPA is receiving a valid handshake from the target WiFi access point. To do that:
- Start the interface on your choice of wireless card. My choice is wlan0 but yours may differ. Enter the following command: `airmon-ng start wlan0`
- Note the name of your interface (mine is mon0). Enter the following command to show the various WiFi access points available, including those encrypted by WPA2 or WPA: `airodump-ng mon0`
- Airodump will now list all of the wireless networks in your area, and lots of useful information about them. Locate the target WiFi access point. Note down a) the BSSID of the target and b) the channel on which it is operating.
- For the sake of this tutorial, the target BSSID is 00:14:BF:E0:E8:D5 and the channel on which the WiFi access point is operating is 10. Enter the following command to specify the target: `airodump-ng -c 10 --bssid 00:14:BF:E0:E8:D5 -w /root/Desktop/ mon0`
Airodump will now monitor only the target network, allowing us to capture more specific information about it. What we’re really doing now is waiting for a device to connect or reconnect to the network, forcing the router to send out the four-way handshake that we need to capture in order to crack the password.
> How to crack WPA2 or WPA Password with Kali Linux: Saving the handshake
We’re not really going to wait for a device to connect. That would take too long. We’re actually going to use another cool tool that belongs to the Aircrack-ng suite, called Aireplay-ng, to speed up the process.
Instead of waiting for a device to connect, we’re going to use the Aireplay-ng tool to force a device to reconnect by sending deauthentication (deauth) packets to the device, making it think that it has to reconnect with the router. Of course, in order for this tool to work, there has to be someone else connected to the network first, so watch the airodump-ng output and wait for a client to show up.
Once a client has appeared on our network, we can start the next step.
Leave airodump-ng running and open a second Terminal. In this terminal, enter the following command: `aireplay-ng -0 2 -a 00:14:BF:E0:E8:D5 -c 4C:EB:42:59:DE:31 mon0`
On hitting Enter, you will see the following message show up on the Terminal. Success!
Now you can move onto the actual cracking of the WPA2 or WPA password.
> How to crack WPA2 or WPA Password with Kali Linux: Dictionary Attack
A dictionary or a wordlist is a predefined set of commonly used passwords collected from across the internet. Kali does not ship with one but you can download your own. For the sake of this tutorial, I will use “wpa.txt” as my dictionary.
- Now, all you have to do is start the cracking procedure. Enter the following command to start: `aircrack-ng -a2 -b 00:14:BF:E0:E8:D5 -w /root/wpa.txt /root/Desktop/*.cap`
- Wait for the password to be discovered!
> How to crack WPA2 or WPA Password with Kali Linux: Conclusion
As you can see, we did not actually crack the WPA2 or WPA encryption itself. What we did was try every (well, not every!) possible password. Note: If the password is not available in the dictionary then the hack will obviously fail.
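Because the attack only succeeds when the passphrase is in the wordlist, a network owner can run the same comparison in advance. The script below is an added example, not part of the original tutorial: `audit_psk`, `make_sample_wordlist` and the wordlist entries are constructed for illustration, and the 8 to 63 character limit is the WPA2-Personal passphrase length rule.

```shell
#!/bin/sh
# Added example: audit your own WPA2 passphrase against a wordlist.

# Constructed sample wordlist; in practice point audit_psk at the real list.
make_sample_wordlist() {
    f=$(mktemp)
    printf '%s\n' password letmein123 qwertyuiop > "$f"
    echo "$f"
}

# audit_psk PASSPHRASE WORDLIST
# Prints one verdict (invalid-length, listed, listed-variant, ok).
# Returns 0 only for "ok".
audit_psk() {
    psk=$1
    list=$2
    len=${#psk}
    # WPA2-Personal passphrases must be 8 to 63 characters long.
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "invalid-length"; return 2
    fi
    # Exact line match: a dictionary run finds this directly.
    if grep -Fxq -- "$psk" "$list"; then
        echo "listed"; return 1
    fi
    # Trivial variant: a listed word with changed case and/or
    # digits or punctuation appended.
    base=$(printf '%s' "$psk" | tr '[:upper:]' '[:lower:]' \
        | sed 's/[0-9!@#$%^&*._-]*$//')
    if [ -n "$base" ] && [ "$base" != "$psk" ] \
        && grep -Fxqi -- "$base" "$list"; then
        echo "listed-variant"; return 1
    fi
    echo "ok"; return 0
}

# Demo over constructed passphrases.
wl=$(make_sample_wordlist)
for p in letmein123 Password1 short vexed-otter-plays-9-kazoos; do
    printf '%-28s %s\n' "$p" "$(audit_psk "$p" "$wl")"
done
rm -f "$wl"
```

A verdict of `listed` or `listed-variant` means the passphrase should be replaced; `ok` only means it is absent from this particular list.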