
How to Capture and Crack WiFi Password using Linux

Note: This is for educational purposes only. Don't try it on networks you don't have permission to test.

In this post we will learn how to capture and crack a WiFi password on Linux. For this you will need some tools that are already installed on Kali Linux; if you are using any Linux distribution other than Kali, make sure that these tools are installed.

  • airmon-ng
  • airodump-ng
  • aireplay-ng
  • aircrack-ng

To check their installation you only need to check for aircrack-ng, because all the others are installed automatically with this package. To verify the installation, run this in a terminal:

aircrack-ng

If you see aircrack-ng's usage output, it is installed on your system. If it is not installed, run the command below for your distribution. We only need to install aircrack-ng because it pulls in all the other packages.

For Debian-based distributions (Ubuntu, Kali Linux, etc.):
sudo apt install aircrack-ng


For Red Hat-based distributions (Fedora, CentOS, RHEL, etc.):
sudo dnf install aircrack-ng

It is already installed on my system, but in your case it will install the packages that are required for our purpose.

NOTE: If you are using a desktop system, you will need a wireless network interface card to perform this.

After this you need to know your wireless interface name, because the upcoming commands will need it. To find it, run one of these commands:

ifconfig
iwconfig
ip link

You can use any one of these commands to check your wireless interface name; which ones are available varies with the Linux distribution being used.

As you can see, in my case it is "wlp0s20f3", but in your case it can be different, and in most cases it is "wlan0". In the above picture you can also see that the wireless interface is in Managed mode.

Basic Concept

Before capturing and cracking, let's discuss some basic key points and the steps we will take. First of all, every device that is connected to some WiFi stores the WiFi password in its local storage when we connect for the first time using the password, and every time we turn on the device's WiFi afterwards it sends that password to the router again to automatically connect to any available WiFi it was previously connected to. When the device sends the password to the WiFi router, the router checks the password, and if the password is correct it sends a success message to the device and the connection is created. In networking terminology this process is called the handshake.

Steps to Capture and Crack Password

  • Capture that handshake file; this file will be encrypted
  • Crack that file using different cracking tools


Capturing Handshake File

For capturing the handshake file your wireless interface should be in "Monitor" mode; as I showed in the picture above, by default it will be in "Managed". So we have to set it to Monitor mode first.

To switch it to Monitor mode, run the following commands:

sudo airmon-ng check kill

This command kills processes that could interfere with monitor mode, such as NetworkManager and wpa_supplicant (we will start them again at the end).


sudo airmon-ng start wlp0s20f3

Replace "wlp0s20f3" with your actual wireless interface name, which you found as described earlier.

This command puts your wireless interface in Monitor mode. You can check it by running the "iwconfig" command or one of the other commands mentioned earlier, depending on your Linux distribution.

Note: After this the wireless interface name will change and "mon" will be appended to its end, which means our wireless interface card is in Monitor mode.


Next run this command:

sudo airodump-ng wlp0s20f3mon

Replace "wlp0s20f3mon" with the name of your wireless interface in Monitor mode.

This command will list all nearby WiFi networks.

It will keep listing all available WiFi networks within the range of your wireless interface card. When you find the WiFi that you want to crack in the list, press "Ctrl + C" to stop this command.

The WiFi I will be using for this purpose is Ramzan Techs, which is my personal network. Now we have to copy the BSSID of this network, displayed in the first column, and also note down the "CH" column value; it is the channel on which this network is operating.

Now we will narrow down our airodump-ng command to capture only the traffic of that specific WiFi.

sudo airodump-ng --bssid 2A:60:40:D9:27:A2 -w rtwifi -c 11 wlp0s20f3mon
  • --bssid : the MAC address of the WiFi access point that we noted down above
  • -w : the output file prefix in which the captured handshake data will be stored. By default it is stored in the current working directory; if you want another path, give it in this value, e.g. "/home/ramzan/wifi-cracking/rtwifi", and the file will be stored at that path. Please make sure the path you use exists.
  • -c : the channel; make sure it matches the WiFi channel value we noted above.


In the first picture you can see it prints the name of the file that was created; in my case it is "rtwifi-01.cap".

The second picture shows the command at work: it continuously listens to that WiFi and tries to capture a handshake. In the table at the bottom of the second picture it also lists all connected devices; in my case only one device is connected, and its MAC address is shown in the STATION column. Note down that MAC address, because next we will try to disconnect this device from the WiFi, and when it tries to reconnect the handshake will be made and captured by this command. So don't exit this command.

NOTE: Don't exit this command until the handshake has been captured.


Now open another terminal without closing this one. In that terminal we will send deauthentication packets to disconnect that device from the WiFi.

sudo aireplay-ng -0 10 -a 2A:60:40:D9:27:A2 -c D8:1E:DD:9E:05:01 wlp0s20f3mon
  • -0 : deauthentication mode; the number after it (10) is how many deauth bursts will be sent to the connected device to disconnect it.
  • -a : the MAC address (BSSID) of the WiFi access point.
  • -c : the MAC address of the connected device (the STATION value noted above).
  • At the end we write the name of our wireless interface that is in Monitor mode.

This is the output of the above command. After this the device will be disconnected, and whenever it tries to reconnect to the WiFi the handshake will be captured and shown in our first terminal, where the previous command is running.
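As an added example, not part of the original post, here is the defender's view of the deauth step: the rate check a wireless IDS would apply to spot a burst like the one aireplay-ng -0 sends. The log format, field names and timings are assumptions for this example; the two MAC addresses are the ones used in the post.

```python
"""Flag deauthentication bursts in a constructed 802.11 management-frame log."""
from collections import defaultdict, deque

# Constructed sample log (assumed format): "<seconds> <subtype> <source MAC> <destination MAC>".
# The BSSID and station address are the ones shown in the post; timings are made up.
SAMPLE_LOG = """\
100.0 beacon 2A:60:40:D9:27:A2 FF:FF:FF:FF:FF:FF
100.5 deauth 2A:60:40:D9:27:A2 D8:1E:DD:9E:05:01
100.6 deauth 2A:60:40:D9:27:A2 D8:1E:DD:9E:05:01
100.7 deauth 2A:60:40:D9:27:A2 D8:1E:DD:9E:05:01
100.8 deauth 2A:60:40:D9:27:A2 D8:1E:DD:9E:05:01
100.9 deauth 2A:60:40:D9:27:A2 D8:1E:DD:9E:05:01
101.0 deauth 2A:60:40:D9:27:A2 D8:1E:DD:9E:05:01
103.0 deauth 2A:60:40:D9:27:A2 D8:1E:DD:9E:05:01
150.0 deauth 2A:60:40:D9:27:A2 AA:BB:CC:DD:EE:01
"""

def parse_log(text):
    """Yield (timestamp, subtype, src, dst), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        yield ts, parts[1].lower(), parts[2].upper(), parts[3].upper()

def detect_deauth_flood(text, window=2.0, threshold=5):
    """Return one alert per (src, dst) pair whose deauth/disassoc count inside
    any sliding `window`-second interval reaches `threshold`.  A lone deauth is
    normal (clients roam, APs evict idle stations); a burst is the signature of
    a forced reconnect like the one the post produces with aireplay-ng -0."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, subtype, src, dst in parse_log(text):
        if subtype not in ("deauth", "disassoc"):
            continue
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "first": q[0], "last": ts, "count": len(q)})
    return alerts
```

Management Frame Protection (802.11w/PMF) makes deauthentication frames authenticated, so a forged burst is discarded by the client; where the access point does not enable it, rate detection of this kind is the fallback.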


As you can see, the handshake has been captured; it is shown in the first row of our running command.

Now we have successfully captured the handshake and stored it in the file.


In your specified path these four files will be created. They are created automatically when we run our airodump-ng command against the specific WiFi, but the actual data we need is written to them only once the handshake has been successfully captured.

The only file we need is the one ending with the .cap extension; in my case it is rtwifi-01.cap. This file is encrypted, so now we will try to decrypt the password stored in it.

Cracking Handshake File


There is no straightforward way to decrypt the file. For cracking it we will need a password dictionary that has millions of passwords in it; a lot of these files can be found online. If you are using Kali Linux there is a famous file, "rockyou.txt", that contains the most commonly used passwords; it is already stored on the system, so you don't need to download it, but if you are using any other Linux you can download it manually.

In Kali Linux it is already stored at "/usr/share/wordlists/rockyou.txt.gz". It is gzip-compressed, so decompress it (for example with gunzip) before passing it to aircrack-ng, which expects a plain-text list.

If it is not on your Linux you can download it manually from here:

https://www.kaggle.com/datasets/wjburns/common-password-list-rockyoutxt

After downloading, let's crack the captured handshake file.

Run the following command to do that:

aircrack-ng -w wifi-password-lists/rockyou.txt rtwifi-01.cap
  • -w : specify the password list file
  • after that write the name of the captured file if it is in the current directory; if it is not, specify the full path to it

After that it will start cracking the password. It is a heavy processing task and can take time. However, it is not guaranteed that the password will be cracked with this file, because the password will only be found if the file contains the password used for the WiFi. It does contain the most common passwords, though, and in many cases you will find the password in no time.
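As an added example, not part of the original post, this looks at the cracking step from the network owner's side: whether a passphrase like the one recovered above would fall to a wordlist run. The sample wordlist and the rule set (including the 14-character minimum) are this example's own assumptions; load_wordlist() can read the gzipped rockyou file directly.

```python
"""Audit a WPA2 passphrase against a wordlist and simple pattern rules."""
import gzip
import re

# Constructed stand-in for rockyou.txt; for real use pass a path to load_wordlist().
SAMPLE_WORDLIST = {"password", "123456", "445566445566", "iloveyou", "qwerty123"}

def load_wordlist(path):
    """Load a plain or gzipped wordlist (e.g. rockyou.txt.gz) into a set."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="latin-1", errors="ignore") as fh:
        return {line.rstrip("\r\n") for line in fh}

def repeated_unit(s):
    """Return the shortest unit that, repeated, forms s (e.g. '445566' for
    '445566445566'), or None if s is not such a repetition."""
    for n in range(1, len(s) // 2 + 1):
        if len(s) % n == 0 and s[:n] * (len(s) // n) == s:
            return s[:n]
    return None

def audit_passphrase(passphrase, wordlist, min_len=14):
    """Return the list of rules the passphrase fails; empty means it passed.
    min_len is this example's own policy, not a WPA requirement."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8-63 range WPA/WPA2 accept")
    elif len(passphrase) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if passphrase in wordlist or passphrase.lower() in wordlist:
        findings.append("present verbatim in the wordlist")
    classes = sum(bool(re.search(p, passphrase)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        findings.append("uses fewer than three character classes")
    unit = repeated_unit(passphrase)
    if unit:
        findings.append(f"repeats the unit '{unit}'")
    return findings

if __name__ == "__main__":
    for candidate in ("445566445566", "Correct-Horse-Battery-9"):
        print(candidate, "->", audit_passphrase(candidate, SAMPLE_WORDLIST) or "OK")
```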

As you can see in the above picture, the password is found: "445566445566". Now, to connect to the WiFi, we have to switch our wireless interface back into "Managed" mode.

Stopping Monitor Mode

To do so, run the following commands:

sudo airmon-ng stop wlp0s20f3mon

Replace "wlp0s20f3mon" with your actual wireless interface name.

sudo systemctl start NetworkManager
sudo systemctl start wpa_supplicant

After that your WiFi will be running normally again and you can connect to any WiFi. If it does not work for you, simply reboot your system and everything will be fine again.


If you don't find the password with this file, you can download other password files that are available online and try those.

You can also create a custom password file using special patterns that you think the owner of the WiFi may use, and try to crack it with that file. I will write another blog post on how to create a custom password dictionary.

Custom Password File Generation Blog Link:

https://ramzantechs.odoo.com/blog/our-blogs-2/how-to-create-custom-password-dictionary-in-linux-3

NOTE: There is also an online tool that you can use to crack the captured file; I will also write a blog on that and add the link here.


Video Tutorial Link: https://youtu.be/veUPf4gGOBs

