Cracking WEP & WPA2-PSK Wireless Encryption

Today I had to change some settings within my wireless network, so I decided I would while I was making the changes to the wireless network of mine that I would write a blog post about cracking WEP and WPA2-PSK encryption methods for wireless networks. This topic has been covered in quite some detail, I am not demonstrating a new type of wireless attack in this blog post.

What is needed for cracking the wireless network?

  • airmon-ng
  • airodump-ng
  • aircrack-ng
  • aireplay-ng
  • rockyou.txt (generic wordlist file)
  • ALFA network card (AWUS036H)

I’m using a laptop with the Kali Linux operating system installed.

The first step I took was setting up my system, I connected the ALFA to my laptop, once connected I wanted to set my ALFA to listen for wireless networks.


From the above screenshot, I used the ifconfig command to display all the interfaces on my laptop but I grepped the output to display only information about my wireless interfaces as I was searching for which interface my ALFA adapter is, because I have a inbuilt wireless card in my laptop which would be wlan0 I knew the ALFA adapter would be wlan1. Once I knew the interface which was assigned to the AFLA I configured the interface as a mon0 interface using airmon-ng.


Using the command – airodump-ng mon0 – I began listening on the mon0 interface I had just configured for what wireless networks are located in the area around my laptop. airodump-ng returned 3 wireless networks in my area with the SSID’s of KHAwifi, HomeLan289 and Olympus, the network I am attempting to break into is Olympus.

The above steps do not change for the two types of wireless encryption attacks I perform below, this the initial information gathering steps that should be performed.

Cracking WEP encryption

From the initial output from airodump-ng listening on the mon0 interface I could see that the encryption for the access point is WEP encryption. Now that I know I am cracking WEP encryption I decided the attack I planned to perform to crack the WEP encryption is the ARP Request Replay Attack. For this attack I need to gather the following information:

  • BSSID of the access point (MAC address of AP): 00:24:B2:32D0:16
  • ESSID of the wireless network (SSID): Olympus
  • Channel of the network: 11
  • MAC address of a client associated with the network: 74:EA:3A:CA:94:11

I used the airodump-ng output to gather the above information. Now that I have gathered the needed information I restart airodump-ng using the following command – airodump-ng -c 11 -w olympus_wep_crack –bssid 00:24:B2:32D0:16 mon0 – this command will restart airodump-ng but will only display information regarding the Olympus network, the output from airodump-ng will be sent to the file olympus_wep_crack, this file will contain any wireless information for the Olympus network such as the IVs.


In another tab I start the tool aireplay-ng to perform an ARP replay attack when an ARP packet is captured in the output file, this was done using the following command – aireplay-ng -3 -b 00:24:B2:32D0:16 -h 74:EA:3A:CA:94:11 mon0. This command will listen for an ARP packet from the client and then once capture keep replaying the ARP packet back to the AP as the client MAC address.


The final step of this attack is to use the tool aircrack-ng to attempt to crack the IVs generated by the replaying of the ARP packet, this was done by using the following command – aircrack-ng -b 00:24:B2:32:D0:16 olympus_wep_crack. The aircack-ng tool successfully cracked the password for the AP network in 14 seconds and the key was found to be F2:C7:BB:35:B9.


Cracking WPA2-PSK Encryption

In this part of the blog post I will redo the break to the Olympus network again but by cracking a WPA2-PSK key this time. WPA2-PSK is currently one of the strongest encryption methods for wireless networks. The attack I plan to perform to break into the network is a bruteforce password attack on a WPA2-PSK handshake. I will force an associated client with the network to re-authenticate with  the AP and as the client attempts to re-authenticate I will capture the handshake as it performed. I will then attempt to crack the WPA2-PSK that is part of the handshake with the aircrack-ng tool again.

For this attack I need the following information:

  • BSSID of the access point (MAC address of AP): 00:24:B2:32D0:16
  • ESSID of the wireless network (SSID): Olympus
  • Channel of the network: 11
  • MAC address of a client associated with the network: 74:EA:3A:CA:94:11

Once the information was gathered I restarted airmon-ng to set the mon0 interface on a specific channel using this command – airmon-ng start wlan1 11 mon0, 11 being the specific channel I want to use.

Once again I will setup airodump-ng to listen for a specific BSSID and send the information captured to an output file. This was done by using the following command – airodump-ng -c 11 -w olympus_wpa2_crack –bssid 00:24:B2:32D0:16 mon0. The below image shows airodump-ng before the wpa2-psk handshake has been captured.


The concept of this attack is to have an associated client with the target AP to disconnect from the AP and re-authenticated with the AP and while the client is attempting to re-associate with the AP, I will hopefully be able to intercept the handshake. As the handshake between the client and the AP contains the key for the authentication process I will attempt to crack the key using a brute-force wordlist attack. To de-authenticate the client from AP I will use the tool, aireplay-ng, to perform a deauth packet, this will drop the client and I will capture the handshake as the client re-associates, using the following command – aireplay-ng -0 10 -a 00:24:B2:32:D0:16 -c 74:EA:3A:CA:94:11 mon0.


The next image below shows that after aireplay-ng had sent the deauth packets, airodump-ng has captured a wpa handshake.


After capturing the handshake in airodump-ng which stores the handshake in the output file that was created with the airodump-ng command, I used aircrack-ng to attempt the brute-force password attack using the a wordlist provided in the kali linux distro, rockyou.txt, this was done using the following command – aircrack-ng olympus_wpa2_crack.02.pcap -w /usr/share/wordlists/rockyou.txt.


As from the above image you can see i was successfully able to crack a wpa2-psk handshake using a brute force password attack method.



  1. knowing that WPA2-PSK min password length is 8, max 64
    wouldn’t this be a wordlist dictionary attack thing?

    well I used Crunch to generate a list of words, but being said, that dictionary/wordlist would be Petabytes…in size….

    1. The attack that I perform to crack the WPA2-PSK key was a brute-force password attack using a wordlist. A brute-force password attack using a wordlist or a dictionary is the same attack just referred to by a different name.

      I just used a wordlist file that was provided in the default installation of Kali Linux, any wordlist file would if the word/passphrase that was used to make the WPA2-PSK key exists in the wordlist file you are using. Here is a link to a great resource/reference to wordlist/dictionary files –

  2. sorry m a compeltly newbie into this,but i did follow your steps until i went wrong on the aaireplay-ng step ,where it asks to specify an essid (e),i googled it but didnot find relvant answer,it’d be gald if u help me,plzz

    1. For which wireless attack? WEP or WPA2-PSK? The essid isn’t used in either of the attacks, you use the mac of the wireless AP (in WEP it is the “-b” parameter or “-a” when performing the deauthentication attack in the WPA2-PSK attack).

      I hope this helps you.

      1. thanx a ton it worked,handshake was successfully done,but now the problem is that the password list which i have used doesn’t contain the password,downloaded many from different sites but no luck,can u provide me any better list …..

      2. well,thanx for tht,but of the files are invalid as it shows when i try to download,u got any other link?

  3. hi, great tut But i have a question can i crack wpa2-psk without worldlist (dictionary) using the same commands i mean aircrack-ng ?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s