If you want to know how to hack WiFi access point – just read this step by step aircrack-ng tutorial, run the verified commands and hack WiFi password easily.
With the help a these commands you will be able to hack WiFi AP (access points) that use WPA/WPA2-PSK (pre-shared key) encryption.
The basis of this method of hacking WiFi lies in capturing of the WPA/WPA2 authentication handshake and then cracking the PSK using aircrack-ng.
How to hack WiFi – the action plan:
- Download and install the latest
aircrack-ng - Start the wireless interface in monitor mode using the
airmon-ng - Start the
airodump-ngon AP channel with filter for BSSID to collect authentication handshake - [Optional] Use the
aireplay-ngto deauthenticate the wireless client - Run the
aircrack-ngto hack the WiFi password by cracking the authentication handshake
- Now, our alfa card is enabled monitor mode, time to scan the air. For that we will use airodump-ng utility from the aircrack-ng suite of tools. Step 5: Type in terminal airodump-ng monitor mode interface i.e 'airodump-ng wlan1mon'. Identify the WEP enabled AP. After identifying WEP enabled AP, press CTRL-C and note the info.
- Now wait until airodump-ng captures a handshake. If you want to speed up this process – go to the step #4 and try to force wireless client reauthentication. After some time you should see the WPA handshake: 00:11:22:33:44:55 in the top right-hand corner of the screen. This means that the airodump-ng has successfully captured the handshake. CH 1 Elapsed: 20 s 2014-05-29 12:46 WPA.
1. Aircrack-ng: Download and Install
The Latest Version Only: If you really want to hack WiFi – do not install the old aircrack-ng from your OS repositories. Download and compile the latest version manually.
Install the required dependencies:
Guide to install AirCrack-ng on Mac OSX 10.8 Mountain Lion in 5 simple steps. What is Aircrack? Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic.
Download and install the latest aircrack-ng (current version):
Ensure that you have installed the latest version of aircrack-ng:
They can also occur if your operating system crashes, or if your computer otherwise shuts down abnormally. Reinstall Microsoft NTFS for Mac by Tuxera. This can occur if you detach a hard drive from a computer without unmounting it first ('Safely remove hardware' in Windows, 'Eject' in macOS/OS X Finder). If the previous steps haven't solved the problem, the volume might contain errors or inconsistencies. Tuxera ntfs for mac trial expired. Make sure Microsoft NTFS for Mac by Tuxera is enabled in your settings.
2. Airmon-ng: Monitor Mode
Now it is required to start the wireless interface in monitor mode.Monitor mode allows a computer with a wireless network interface to monitor all traffic received from the wireless network.
What is especially important for us – monitor mode allows packets to be captured without having to associate with an access point.
Find and stop all the processes that use the wireless interface and may cause troubles:
Start the wireless interface in monitor mode:
In the example above the airmon-ng has created a new wireless interface called mon0 and enabled on it monitor mode.
So the correct interface name to use in the next parts of this tutorial is the mon0.
3. Airodump-ng: Authentication Handshake
Cool Tip: Want to have some 'fun'? Create a Linux fork bomb! One small string that is able to hang the whole system! Read more →
Now, when our wireless adapter is in monitor mode, we have a capability to see all the wireless traffic that passes by in the air.
This can be done with the airodump-ng command:
All of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen:
Start the airodump-ng on AP channel with the filter for BSSID to collect the authentication handshake for the access point we are interested in:
| Option | Description |
|---|---|
-c | The channel for the wireless network |
--bssid | The MAC address of the access point |
-w | The file name prefix for the file which will contain authentication handshake |
mon0 | The wireless interface |
--ignore-negative-one | Fixes the ‘fixed channel : -1' error message |
Download Airodump-ng For Mac
airodump-ng captures a handshake.If you want to speed up this process – go to the step #4 and try to force wireless client reauthentication.
After some time you should see the WPA handshake: 00:11:22:33:44:55 in the top right-hand corner of the screen.
This means that the airodump-ng has successfully captured the handshake:
4. Aireplay-ng: Deauthenticate Client
Cool Tip: Want to stay anonymous? Learn how to use PROXY on the Linux command line. Read more →
If you can't wait till airodump-ng captures a handshake, you can send a message to the wireless client saying that it is no longer associated with the AP.
The wireless client will then hopefully reauthenticate with the AP and we'll capture the authentication handshake.
Send deauth to broadcast:
Send directed deauth (attack is more effective when it is targeted):
Airodump For Macbook Pro
| Option | Description |
|---|---|
--deauth 100 | The number of de-authenticate frames you want to send (0 for unlimited) |
-a | The MAC address of the access point |
-c | The MAC address of the client |
mon0 | The wireless interface |
--ignore-negative-one | Fixes the ‘fixed channel : -1' error message |
Cool Tip: Need to hack WiFi password? Don't wast your time! Use 'John the Ripper' – the fastest password cracker! Read more →
5. Aircrack-ng: Hack WiFi Password
Unfortunately there is no way except brute force to break WPA/WPA2-PSK encryption.To hack WiFi password, you need a password dictionary.
And remember that this type of attack is only as good as your password dictionary.
You can download some dictionaries from here.
All of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen:
Start the airodump-ng on AP channel with the filter for BSSID to collect the authentication handshake for the access point we are interested in:
| Option | Description |
|---|---|
-c | The channel for the wireless network |
--bssid | The MAC address of the access point |
-w | The file name prefix for the file which will contain authentication handshake |
mon0 | The wireless interface |
--ignore-negative-one | Fixes the ‘fixed channel : -1' error message |
Download Airodump-ng For Mac
airodump-ng captures a handshake.If you want to speed up this process – go to the step #4 and try to force wireless client reauthentication.
After some time you should see the WPA handshake: 00:11:22:33:44:55 in the top right-hand corner of the screen.
This means that the airodump-ng has successfully captured the handshake:
4. Aireplay-ng: Deauthenticate Client
Cool Tip: Want to stay anonymous? Learn how to use PROXY on the Linux command line. Read more →
If you can't wait till airodump-ng captures a handshake, you can send a message to the wireless client saying that it is no longer associated with the AP.
The wireless client will then hopefully reauthenticate with the AP and we'll capture the authentication handshake.
Send deauth to broadcast:
Send directed deauth (attack is more effective when it is targeted):
Airodump For Macbook Pro
| Option | Description |
|---|---|
--deauth 100 | The number of de-authenticate frames you want to send (0 for unlimited) |
-a | The MAC address of the access point |
-c | The MAC address of the client |
mon0 | The wireless interface |
--ignore-negative-one | Fixes the ‘fixed channel : -1' error message |
Cool Tip: Need to hack WiFi password? Don't wast your time! Use 'John the Ripper' – the fastest password cracker! Read more →
5. Aircrack-ng: Hack WiFi Password
Unfortunately there is no way except brute force to break WPA/WPA2-PSK encryption.To hack WiFi password, you need a password dictionary.
And remember that this type of attack is only as good as your password dictionary.
You can download some dictionaries from here.
Crack the WPA/WPA2-PSK with the following command:
Airodump For Mac
| Option | Description |
|---|---|
-w | The name of the dictionary file |
-b | The MAC address of the access point |
WPAcrack.cap | The name of the file that contains the authentication handshake |
Airodump-ng For Mac
Cool Tip: Password cracking often takes time. Combine aircrack-ng with 'John The Ripper' to pause/resume cracking whenever you want without loosing the progress! Read more →
The first step in getting aircrack-ng working properly on your Linux system is patching and installing the proper driver for your wireless card. Many cards work with multiple drivers, some of which provide the necessary features for using aircrack-ng, and some of which do not.
Needless to say, you need a wireless card which is compatible with the aircrack-ng suite. This is hardware which is fully compatible and can inject packets. A compatible wireless card can be used to crack a wireless access point in under an hour.
To determine to which category your card belongs to, see hardware compatibility page. Read Tutorial: Is My Wireless Card Compatible? if you don't know where to look in this table. It still does not hurt to read this tutorial to build your knowledge and confirm your card attributes.
First, you need to know which chipset is used in your wireless card and which driver you need for it. You will have determined this using the information in the previous paragraph. The drivers section will tell you which drivers you need.
