IA445 Wi-Fi Hacking: WPA2PSK
Lab Setup: Normally, the lab environment has already been set up in Room 6. But since you
will carry out this lab at home this time, you must set it up yourself with your own equipment. The
correct setup is critical to the success of the lab.
1. A special wireless USB NIC and a Kali machine with the NIC installed: You must obtain a
wireless NIC with a chipset that supports “rfmon” (monitor) mode and is supported by Kali. This N
I have been successfully using the following NIC for the in-class Wi-Fi lab. I purchased it from Amazon: .
Other supported chipsets are possible, such as Atheros AR9271, Ralink RT3070, Ralink
RT3572, Realtek 8187L (Wireless G adapters), Realtek RTL8812AU, Ralink RT5370N. You might
already have a wireless NIC that comes with one of these chipsets. You can find more details at this
2. The “Victim” Network: You should pick a wireless network with WPA2PSK enabled, and you
must already know the passphrase of the network. Ideally, the AP should be one you own.
You will not break anything. Instead, you will only test capturing and cracking the 4-way
handshake. You should NOT test with a WPA-PSK wireless network that you are not authorized
3. The “Victim” Client: the “victim” network must have at least one wireless client connected to it.
This client could be your cell phone or any mobile device that uses this wireless network.
Your lab starts here:
The Attacker: A Kali VM with the required wireless USB NIC installed.
*Note: For some Kali versions, the NIC may be “hardware blocked” by VMware. If this
happens, please use a physical machine or an earlier version of Kali instead.
Please refer to the appendix for instructions on installing the USB wireless NIC in the VM. Make sure
you assign more than 2 GB of memory to your Kali VM.
Step 1: Check NIC card compatibility
In the Kali command line, type in the following:
Make sure the NIC card is listed; note the interface name (e.g. “wlan0”).
Step 2: Enable monitor mode on the NIC card
Type in the following:
airmon-ng start wlan0
The wlan0 interface is now in monitor mode. The monitoring interface has a new name such as
*Note: You might need to run the following command to stop network managers and kill
interfering processes before you can start monitor mode:
airmon-ng check kill
Step 3: Discover Wi-Fi networks
Type in the following:
Let it run for a while, then use “ctrl-c” to stop.
Observe the output.
Please note: your target is the SSID of the network whose passphrase you know.
** Take a screenshot for documentation.
Write down the channel number, the SSID, and the BSSID of the victim AP. You will need this information
in the next step.
Step 4: Capture the 4-way handshake packets
Type in the following:
airodump-ng --channel n --bssid xx:xx:xx:xx:xx:xx --write wpapsk wlan0mon
(Replace n and xx:xx:xx:xx:xx:xx with the information you were supposed to write down in the previous
For some Kali versions, you may need to use the --ignore-negative-one option. Your command to capture
the 4-way handshake should then be as follows:
airodump-ng --ignore-negative-one --channel n --bssid xx:xx:xx:xx:xx:xx --write wpapsk wlan0mon
Wait until airodump-ng indicates in the upper-right corner that it has captured the four-way handshake.
Use “ctrl-c” to stop.
** Take a screenshot for the report.
Step 4a: De-authentication attack as assistance to step 4 (You might not need this step. Can you tell
Open another CLI window and type in the following:
aireplay-ng --deauth 2 -a xx:xx:xx:xx:xx:xx -c yy:yy:yy:yy:yy:yy wlan0mon
xx:xx:xx:xx:xx:xx is the MAC address of the wireless AP.
yy:yy:yy:yy:yy:yy is the MAC address of the wireless NIC on the second lab machine (the victim client).
Step 5: Crack the WPA-PSK key using a dictionary attack
Password.lst is a list of possible passwords. If you have a good password file, you have a better chance
of cracking the WPA-PSK key. You may find a password list at /usr/share/wordlists/rockyou.txt.gz
(Note: use gzip -d to unzip a .gz file)
To crack the WPA-PSK key, type in the following:
aircrack-ng -w /usr/share/wordlists/rockyou.txt wpapsk-01.cap
Note: In case you fail in your attempt to crack the key, you may need to stage your password file
(for example, by adding the passphrase you already know to it) in order to complete this lab.
Observe the output. ** Take a screenshot for the report.
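To see what aircrack-ng is actually doing in step 5, and why the quality of the wordlist decides the outcome, here is an added Python example (not part of the handout) that derives the WPA2 Pairwise Master Key exactly as a client or AP does and benchmarks how many candidates one CPU core can test. The SSIDs and passphrases in it are constructed values, and the rockyou line count is a rounded figure, none of them taken from the lab.

```python
import hashlib
import time

PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i; an attacker cannot lower it
PMK_LEN = 32              # 256-bit Pairwise Master Key


def wpa2_pmk(ssid: str, passphrase: str) -> bytes:
    """Derive the PMK the same way wpa_supplicant/hostapd do:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID.
    Enforces the standard's 8-63 printable ASCII passphrase rule."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be 8-63 printable ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)

def wpa2_pmk_hex(ssid: str, passphrase: str) -> str:
    """Hex form, as printed by wpa_passphrase and used in hostapd's wpa_psk=."""
    return wpa2_pmk(ssid, passphrase).hex()

def measure_guess_rate(ssid: str = "lab-ssid", seconds: float = 0.3) -> float:
    """Roughly how many candidates per second one CPU core can test.
    Each candidate costs a full PBKDF2 run; the handshake MIC check that
    aircrack-ng performs afterwards is cheap, so PBKDF2 bounds the speed."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa2_pmk(ssid, "candidate%08d" % n)  # constructed candidate passphrases
        n += 1
    return n / (time.perf_counter() - start)

def exhaust_time_seconds(wordlist_entries: int, guesses_per_second: float) -> float:
    """Worst-case time to try every wordlist entry at the given rate."""
    return wordlist_entries / guesses_per_second


if __name__ == "__main__":
    # Same passphrase, two SSIDs (constructed values): the PMKs differ, so a
    # table precomputed for a common default SSID does not help against a
    # network with a unique SSID; only the passphrase itself can be guessed.
    print(wpa2_pmk_hex("NETGEAR", "correct horse battery"))
    print(wpa2_pmk_hex("my-unique-ssid-42", "correct horse battery"))
    rate = measure_guess_rate()
    hours = exhaust_time_seconds(14_000_000, rate) / 3600  # rockyou.txt: ~14M lines
    print(f"~{rate:.0f} guesses/s on one core; rockyou worst case ~{hours:.1f} h")
```

The practical lesson for the AP owner: the 4096 iterations are the only brake on the attack, so a passphrase that appears in any public wordlist will fall to exactly the command in step 5.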
Appendix: Steps to set up the NIC in a Kali VM.
1. First you need to install the Alfa AWUS036H NIC correctly in the host system (Windows 7). Use the driver CD
that came with the box or download the driver from the product support website. Note: You don’t need to
reboot the machine.
2. Second, you need to mount this NIC in the Kali VM:
Under the “VM” menu, connect the “removable device”. See below.
Accept the warning message regarding “unplugging from the host”. See below.