There are many ways to hack a wifi router, some people use to bruteforce password directly some use WPS pin cracking with reaver etc. Most of the times WPS pin cracking succeed because the router is in its default pin and easy to crack. Here we are going to hack a WPS disabled router. We have most effective and simple toolkit for this purpose: Aircrack-ng.

The whole process is not too hard but not too easy. This is a little bit complicated process but don’t worry i will explain. consider a router and a client device connected to it is constantly communicating with wpa encryption. If an attacker tries to capture the packets and try to read it , it won’t make any sense because its fully encrypted. We have a method to crack it. First a wifi adapter should be in monitor mode constantly capturing all the packets. Then we have to break the connection between the client and router so that whan the device tries to reconnect it send a packet to the router which has authentication details. Our adapter in monitor mode will capture this packet. This is called 4 way handshake packet capturing. This packet is encrypted too but we can crack it by bruteforcing this hash. This method is faster than bruteforcing a router password directly.

Aircrack suite has specific tools for this process. Airodump-ng is used to capture the packets and saves as a .cap file. Aireplay-ng will deauthenticate the client from router by sending deauth packets. aircrack-ng is used to crack wpa hash from the .cap file. we can also crack it with hashcat for much faster cracking. Follow the steps.


Demo video



Fire up kali linux and get a wifi adapter alpha or tp-link, both works fine. The important part is installing the driver. If you dont know the firmware or model number connect the adapter to kali and open terminal and type :


# lsusb


It will show all the connected devices with their model number. Download the right driver and install it. check whether its working or not :


# iwconfig
If its working it will show up the wireless extension configurations. You can also use “# dmesg” for more detailed info of hardware registration log.


Buy now



Step 1

First you have to enable monitor mode on wifi adapter.
# airmon-ng check kill
# airmon-ng start wlan0
From kali linux 2.0 onwards monitor mode will be enabled on “wlan0mon” not on “mon0”

Step 2

Scan for all wifi networks and find the target router’s mac address and channel. use airodump-ng to scan nearby network.
# airodump-ng wlan0mon
Once you got the target mac and channel capture packets for that specific mac and write to .cap file
# airodump-ng –bssid “mac_address” -c channel” -w /root/Desktop/capture wlan0mon
A new file will be created on the desktop. Don’t close the terminal window keep it aside, let it capture all the packets.



Step 3

Now you have to deauthenticate a client from the router. Open new terminal and use aireplay-ng.
# aireplay-ng –deauth 50 -a “mac_address” wlan0mon

The above command will send 50 deauth packets you can increase the number or use 0 for infinite packets. Depending up on the strength of signal you have to increase the packets. better send infinite packet until the device is kicked off from the network. When the device tries to reconnect, airodump will capture and will show the message “wpa handshake <mac address>”. once you have got the handshake, terminate the process. All we need now is the .cap file in the desktop.



Step 4

Use aircrack ng to crack the wpa passphrase. You need a dictionary or a wordlist for this process. Or you can make one with crunch. The process speed depends upon you system specs and the strength of the password. use the following command to start cracking.
# aircrack-ng /root/Desktop/capture-01.cap -w “path to wordlist”

You can also use various other tools for cracking wpa hash. Using a good wordlist will help you. Any doubts or questions? post it on the comment section below. If you like this blog give me a like on facebook and add me on google plus. Subscribe my youtube channel for video tutorials.

Susmith Krishnan

I’m a computer enthusiast basically and i love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16 and i would like to explore security vulnerabilities and latest tech news and wanna share with you


Apocalypse · September 22, 2016 at 3:59 am

crunch 7 7 0123456789 | aircrack-ng –bssid *enterbssid* -w- handshake.cap
Also an easier way to crack, if your wordlist doesnt work *this method does not require a wordlist*. And fiddle with crunch by adding alphabet upper cases and many more. Hope admin will post a detailed verson of how to use crunch.

imraqeeb · October 2, 2016 at 7:09 am

What the router has very long password with WPA2 & its WPS disabled. Then are there any ways which can get that Router’s Password.

Daniel · April 12, 2017 at 3:53 am

BSSID and STATION Does not show anything—

maguette · May 19, 2017 at 9:13 pm


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.