(How to) Kali Linux: Hack Encrypted Wifi Passwords with Reaver and Airmon-ng WPA – WPA2 – WPS


Here we will go through how I tested Kali Linux with Reaver and Airmon-ng to hack into my WPA2 encrypted work network.

In order to use Reaver, you need three things: your wireless card's interface name, the BSSID of the router you're attempting to crack (which I will show you how to find), and your wireless card in monitor mode. So let's do all that!

Find your wireless card:

Inside Terminal, type: iwconfig

Press Enter. You should see a wireless device in the subsequent list. Most likely, it’ll be named:

wlan0 or wlan1

But if you have more than one wireless card, or a more unusual networking setup, it may be named something different.

Put your wireless card into monitor mode (assuming your wireless card's interface name is wlan0):

Check for any processes that could interfere with monitor mode, using:

airmon-ng check

Kill each listed PID using:

kill [####]

Execute the following command to put your wireless card into monitor mode:

airmon-ng start wlan0

This command will output the name of the monitor-mode interface, which you'll also want to make note of. Most likely, it'll be mon0 (newer versions of airmon-ng name it after the original interface instead, e.g. wlan0mon, so use whatever name the command prints).

Find the BSSID of the router you want to crack:

Lastly, you need to get the unique identifier of the router you’re attempting to crack so that you can point Reaver in the right direction. To do this, execute the following command:

airodump-ng mon0

When you see the network you want, press Ctrl+C to stop the list from refreshing, then copy that network's BSSID (it's the series of letters, numbers, and colons in the far-left column). The network should have WPA or WPA2 listed under the ENC column.

Now, with the BSSID and monitor interface name in hand, you’ve got everything you need to start up Reaver.

Crack a Network’s WPA Password with Reaver

To find out whether the AP you are attacking uses WPS (the feature Reaver attacks; without it, Reaver cannot work), you can use:

wash -i mon0

Now execute the following command in the Terminal, replacing [bssid] with the BSSID and mon0 with the monitor interface name you copied down above:

reaver -i mon0 -b [bssid] -vv

For example, if your monitor interface was mon0 like mine, and your BSSID was 8D:AE:9D:65:1F:B2 (a BSSID I just made up), your command would look like:

reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv

Press Enter, sit back, and let Reaver work its disturbing magic. Reaver will now try a series of PINs on the router in a brute-force attack, one after another. This will take a while. In my successful test, Reaver took about 6 hours to crack the network and deliver the correct password. The Reaver documentation says it can take between 4 and 10 hours, so it could take more or less time than I experienced, depending on the router.



10 Responses to (How to) Kali Linux: Hack Encrypted Wifi Passwords with Reaver and Airmon-ng WPA – WPA2 – WPS

  1. Nicholas Marks says:

    Hi Peter,

    What machine are you using in the video?

    I have an HP Envy m6 1310sa.

    Nick.

    • Hey there Nick,
      Laptop used in vid is an HP dv7
      -i7
      -12gb RAM
      -2gb Nvidia
      Although, this doesn’t really matter for two reasons:
      1- I am using Kali in VMware
      2- This attack does not rely on processing power, but rather is timed by delay.

  2. Lee says:

    Hey Peter,

    Big fan!

    I have followed your tutorial and I can't seem to get it working. I have created a wireless lab strictly for this. The router has other things connected to it and I keep getting an error, then it repeats the same PIN over and over. I know you will be needing more info, but would you be willing to take a look at my terminal logs and see where I went wrong?

  3. ren9999 says:

    After entering the reaver -i mon0 -b [bssid] -vv command (replacing [bssid] with the correct BSSID), it gets to the correct channel, I get the line that starts "associated with" (it associated with the correct network), and then nothing happens.

    Any ideas?

  4. vishnuvardan says:

    Rather than using reaver -i mon0 -b [bssid] -vv,
    give it a channel number by adding -c:
    reaver -i mon0 -c [chno] -b [bssid] -vv

  5. Sid says:

    Hello UltimatePeter,

    You mentioned that you’re using Kali on VMware.
    I’m running the same setup.
    Can you tell me how to get the wireless interface to show up in the guest OS?

    • Hmmm… Well, you need to make sure it is a USB Wifi Card, you have it plugged into a USB 2.0 port (I can’t seem to get one to work through 3.0), and that you have gone on the VM menu to removable devices and passed it through.

  6. Bart says:

    Hello Ultimate Peter (or someone else who can find the solution),
    First I want to say that I'm a big fan of your tutorials about hacking and protecting yourself, but I have the following problem with Reaver. I hope that you can answer it and maybe explain a bit why I have this error, so I can learn.

    I am using Kali Linux in a virtual machine. I bought a Wi-Fi USB adapter and that connects fine, and it works well until I come to "wash -i mon0": every time I get "found packet with bad FCS, skipping…".
    I found a solution for this by changing my command to "wash -i mon0 -C". I don't know if this is related to my real problem.
    Because when I use reaver -i mon0 -b [BSSID] -vv it will channel up to 10 and then says WARNING: "Failed to associate with [BSSID] [ESSID]".
    I found on the internet that I had to use -A so it doesn't associate, but then I got "Sending EAPOL START request" followed by "WARNING: Receive timeout occurred", so I think that didn't work as well.

    Thank you in advance for helping.
    Greetings, Bart

    PS: I hope you get your YouTube account back, Ult. Peter.
