Ethical Hacking Tutorials

This is how I hack WiFi networks ๐Ÿฅท

From spoofing your MAC address to cracking WEP and WPA networks, here is my guide to gaining entry to WiFi networks.

Read this bit first

๐Ÿ‘‰ I stronglyย condemn any illegal use of this material as is outlined in my legal disclaimer. There are plenty of responsible applications for this content, and it is here to inform ethical hackers, penetration testers, and anyone who is intrigued as to how systems are compromised. Remember the golden rule and THINK before you type. ๐Ÿ‘ˆ

In the ever-evolving landscape of cybersecurity, identifying chinks in the armor of your target’s defenses can be a daunting challenge. However, what if I told you that sometimes the gateway to your target’s most sensitive information lies within the seemingly invisible realm of wireless networks? Welcome to a realm where security is often underestimated, and vulnerabilities are overlooked.

In this short guide I will unravel the secrets behind the doors that wireless networks unwittingly leave ajar. This guide isn’t just about exploiting weaknesses; it’s an exploration into the art of wireless hacking.ย 

In this guide we will reveal the most common and unsuspecting methods employed to gain unauthorised access. Uncover the techniques that exploit the vulnerabilities present in wireless networks, providing you with a toolkit of knowledge to understand, anticipate, and counter potential threats.

But, be forewarned โ€“ our journey doesn’t extend into the realm of post-intrusion actions. We’ll leave the captivating tales of packet captures, man-in-the-middle attacks, and ARP poisoning for another expedition. For now, let’s focus on unraveling the mysteries of wireless networks and mastering the art of gaining entry. Are you ready to step into the shadows and discover the vulnerabilities that lie within the heart of wireless security? The gateway awaits; let the exploration begin.

Purchasing a wireless adapter

Before we go any further you should note that to hack a wireless network, you will need to invest in a high quality wireless adapter. These can be purchased online easily and are affordable. The choice of adapter is important. I’ll spare you all the details, but you can click here to see the wireless adapter I personally use that supports both 2.4Ghz and 5ghz frequencies. It will allow you to do everything outlined in this post.

Changing your MAC address

This should go without saying, but one of the first steps we should take is to anonymise ourselves before we launch an attack. When hacking computers and websites, it’s best practice to mask our IP addresses using either Proxychains, Botnets, or even routing our traffic through the TOR network.

However when it comes to hacking wireless networks, we must follow a slightly different procedure. Instead of masking our IP address, we need to mask our MAC address. By altering and hiding our MAC address, we introduce a layer of obfuscation, making it more challenging for network defenders to trace our digital footsteps.

A Media Access Control (MAC) address is a unique identifier assigned to network interfaces for communications on a physical network. This address is hardcoded into the network interface card (NIC) during manufacturing, providing a globally unique identifier for every device connected to a network. Whilst I will cover MAC addresses in more detail in a separate post, in a nutshell MAC addresses are used within the network to transfer packets between devices.ย 

However using Kali Linux, it is possible to change and spoof our MAC address thereby giving us a layer of anonymity. By changing your MAC address you can also bypass network access filters – more on that later. To change your MAC address, open a terminal in Kali Linux and complete the following steps:

					ifconfig wlan0 down

The above command will cut your WiFi connection, and the following command will change your MAC address to 00:11:22:33:44:55. Please note that MAC addresses should start with 00, and they must be 48 bits in total (or 12 characters).ย 

					ifconfig wlan0 hw ether 00:11:22:33:44:55

Your MAC address should now be changed in memory. Please note that you will have to complete this process every time you boot into Kali Linux. Finally, complete the following command to reactivate your wireless connection:

					ifconfig wlan0 up

Congratulations! You have just changed your MAC address. Please type ifconfig to check that the process has completed successfully.ย 

Changing from monitored mode to wireless mode

To hack WiFi networks, we need to change our adapter from managed mode to monitor mode. To check what mode your adapter is in, you can use the iwconfig command as shown below:


In short, managed mode is the standard and default mode of your wireless adapter. Monitor mode is required to capture packets flowing through a given network, and it is important that your adapter is set to monitor mode. To set your adapter to monitor mode, complete the following commands within your Kali terminal:

					ifconfig wlan0 down
					airmon-ng check kill
					iwconfig wlan0 mode monitor
					ifconfig wlan0 up

Now your adapter is configured to begin launching attacks. In the coming chapters, I will explain how to exploit both WEP networks and WPA & WPA2 networks.ย 

Learning the foundations of packet sniffing with airodump-ng

Airodump-ng is a part of the Aircrack-ng suite, designed specifically for Wi-Fi security assessment. Its primary function is to capture and display raw wireless frame data, offering insights into the intricacies of network traffic. As we embark on the journey of learning the fundamentals, let’s delve into the key components that make Airodump-ng an indispensable tool for aspiring ethical hackers and network security enthusiasts.

At its core, Airodump-ng is a packet sniffer dedicated to wireless LANs. By deploying this tool, one can passively capture data frames, management frames, and control frames circulating within the target Wi-Fi network. These frames encapsulate crucial information about devices, network activity, and potential vulnerabilities.

Airodump-ng’s ability to dynamically hop between channels adds a layer of agility to the packet sniffing process. This feature is particularly advantageous when dealing with networks spanning multiple channels. Additionally, the tool excels at identifying and locking onto specific target Access Points (APs) and clients, streamlining the focus of the packet capture.

The first command we will use will display all the wireless networks within range of your adapter. Type the following into your terminal:

					airodump-ng mon0

The different types of wireless networks

There are key differences in wireless networks that any ethical hacker should know about. The main differences are in the frequencies, and in the encryption protocols that are used. Let’s start by looking at the frequencies.

Wireless networks operate over two frequencies: 2.4Ghz and 5Ghz.ย 

The 2.4GHz frequency, being more commonly used, is often crowded due to the proliferation of devices such as routers, smartphones, and other IoT devices. This congestion can lead to interference and increased vulnerability to certain types of attacks, such as signal jamming or eavesdropping. Additionally, the 2.4GHz spectrum has a greater range, making it more susceptible to long-range attacks.

On the other hand, the 5GHz frequency offers a less congested and more spacious spectrum, providing higher data transfer rates and reduced interference. However, the shorter range of 5GHz signals poses challenges for attackers attempting to exploit vulnerabilities from a distance. Despite these advantages, it’s crucial to note that not all devices support 5GHz, potentially limiting the scope of penetration testing.

Moving on to encryption protocols, securing wireless networks is paramount to prevent unauthorised access and data breaches. Common encryption standards include WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), and WPA2/WPA3. It’s imperative for ethical hackers to be familiar with the weaknesses of these protocols.

WEP is insanely easy to hack and you would only find it on legacy systems. WPA-WPA3 networks are more secure however there are key vulnerabilities that we can exploit in our attempt to gain access to our target’s wireless network.

WEP, once widely used, is now considered highly insecure due to its susceptibility to various attacks. WPA improved security by introducing dynamic encryption keys, but WPA2 became the standard as it addressed vulnerabilities present in its predecessor. The latest iteration, WPA3, enhances security further with features like individualised data encryption for each user.

What is WEP and how does it work?

Let’s start by looking at exploiting WEP networks using our Kali Linux penetration testing platform.

WEP, or Wired Equivalent Privacy, was one of the earliest security protocols designed to secure wireless networks. Introduced in the late 1990s as part of the original IEEE 802.11 standard, WEP aimed to provide a level of privacy and data integrity for wireless communications comparable to what was expected in wired networks. However, over time, significant vulnerabilities were discovered, rendering WEP obsolete and insecure.

WEP operates by encrypting the data transmitted over a wireless network using a shared key. This key, typically a passphrase, is used to generate the encryption keys needed to secure the communication between devices on the network. WEP was initially considered a significant advancement in wireless security, offering a solution to the inherent vulnerabilities associated with open and unencrypted Wi-Fi networks.

Despite its initial promise, WEP has been widely discredited due to several critical weaknesses that expose networks to exploitation by malicious actors. The primary vulnerabilities associated with WEP include:

  1. Static Encryption Keys: WEP uses static encryption keys, which means the same key is used for an extended period. This lack of key rotation makes it susceptible to attacks, as once the key is compromised, an attacker can decrypt all data transmitted on the network.

  2. Weak Initialisation Vectors (IVs): WEP relies on a 24-bit Initialization Vector (IV) to ensure the uniqueness of encrypted packets. However, the limited size of the IV space (2^24 possibilities) makes it susceptible to statistical attacks, allowing attackers to predict and exploit patterns in the encryption process.

  3. Vulnerability to Packet Injection Attacks: WEP is prone to packet injection attacks, where an attacker can introduce specially crafted packets into the network to exploit weaknesses in the encryption algorithm. This allows for the interception and manipulation of data traffic.

  4. Flawed Authentication Mechanism: WEP’s authentication mechanism is flawed, making it susceptible to various attacks, including authentication spoofing. Attackers can exploit weaknesses in the authentication process to gain unauthorised access to the network.

  5. Limited Key Length: WEP supports only 64-bit and 128-bit key lengths. In the face of modern computing capabilities, these key lengths are insufficient to provide a robust defense against brute-force attacks.

Due to these fundamental weaknesses, WEP has been largely deprecated, and its use is strongly discouraged in favour of more secure encryption protocols such as WPA2 and WPA3. Understanding the vulnerabilities inherent in WEP is crucial for security professionals and ethical hackers engaged in assessing the weaknesses of wireless networks during penetration testing activities.

Hacking WEP networks

Getting started

Make sure you have a wireless adapter that is compatible with the necessary frequencies and ensure your Kali Linux system is up-to-date with the latest tools and packages. You can do this by running:

					sudo apt update && sudo apt upgrade

To capture packets effectively, you need to enable monitor mode on your wireless network interface. Replace “wlan0” with the name of your wireless interface:

					sudo airmon-ng start wlan0

Use the following command to scan for nearby networks and identify the target WEP network:

					sudo airodump-ng wlan0mon

Note the BSSID (MAC address) and channel of the target network.

Open a new terminal window and execute the following command to capture packets on the target channel. Replace “channel” and “bssid” with the appropriate values from the previous step:

					sudo airodump-ng -c channel --bssid BSSID -w outputfile wlan0mon

In a separate terminal, use the following command to inject ARP (Address Resolution Protocol) packets into the network:

					sudo aireplay-ng -3 -b BSSID -h YOUR_MAC_ADDRESS wlan0mon

Now that you have captured sufficient data, it’s time to crack the WEP key. Open a new terminal and use the following command:

					sudo aircrack-ng -b BSSID -w wordlist outputfile-01.cap

Replace “wordlist” with the path to your preferred wordlist for dictionary attacks.

If successful, aircrack-ng will display the WEP key. You can then use this key to connect to the target network or further assess its vulnerabilities.

					KEY FOUND! [ WEP Key: Your_WEP_Key ]


What is WPA2 and how does it work?

WPA2 represents a significant advancement over its predecessor, WPA (Wi-Fi Protected Access), introducing stronger encryption algorithms and security mechanisms. It operates on the IEEE 802.11i standard and employs the Advanced Encryption Standard (AES) for secure data transmission. With WPA2, the use of pre-shared keys (PSK) or more advanced enterprise authentication methods helps safeguard wireless networks from unauthorised access and data breaches.

Here’s an overview of how WPA2 works:

Authentication and key management

Pre-Shared Key (PSK) Mode: In PSK mode, users or devices connecting to the wireless network must enter a pre-shared passphrase or key. This passphrase is used to generate the Pairwise Master Key (PMK), which serves as the basis for encryption keys.

Enterprise Mode: In enterprise environments, WPA2 can also operate with a more robust authentication system known as 802.1X/EAP (Extensible Authentication Protocol). This involves a RADIUS (Remote Authentication Dial-In User Service) server, which authenticates users or devices based on digital certificates or other authentication methods.

Four-way handshake

The WPA2 four-way handshake is a crucial part of the authentication process. It establishes a shared secret between the client device and the access point (AP) without transmitting the actual pre-shared key over the air, adding an extra layer of security.

The four-way handshake involves the following steps:

Request (1st Message): The client requests to authenticate with the AP.
Response (2nd Message): The AP responds, and both parties exchange nonces (random numbers).
Confirm (3rd Message): The client confirms receipt of the AP’s message.
Complete (4th Message): The AP acknowledges the client’s confirmation.

Once the four-way handshake is completed successfully, the PMK is established. This PMK is used to derive additional keys:ย 

  • Pairwise Transient Key (PTK): Used for encrypting unicast traffic between the client and AP.
  • Group Transient Key (GTK): Used for encrypting broadcast and multicast traffic to multiple devices on the network.

Data encryption

WPA2 employs the Advanced Encryption Standard (AES) in Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) for data encryption. AES is a strong symmetric encryption algorithm widely recognised for its security.

The PTK is used to generate unique encryption keys for each session, ensuring that even if one session key is compromised, it does not impact the security of other sessions.

Data integrity

CCMP not only provides encryption but also ensures data integrity by appending a Message Authentication Code (MAC) to each encrypted frame. This MAC ensures that the data has not been tampered with during transmission.

Exploiting the WPS feature

Wi-Fi Protected Setup (WPS) is a feature designed to simplify the process of connecting devices to a secure wireless network. Its primary goal is to provide a user-friendly method for configuring the security settings of a Wi-Fi network without the need for complex passwords. WPS is commonly found on home routers and access points, offering an alternative to manually entering a lengthy and potentially complex Wi-Fi passphrase.

WPS will generate an eight digit pin in place of a password that can be used to pair devices, and therein lies the vulnerability: as the pin is eight digits long, it is open to being bruteforced by attackers who can try every digit until the correct code is generated. There are also concerns about the WPS protocol itself, however this would warrant a separate dedicated article.ย 

For now, let’s explore how we can weaponise the WPS feature to gain access to our target’s WiFi network using Reaver.

First, we must scan for nearby networks that have WPS enabled. Use the following command to do so:

					sudo wash -i wlan0

Note the BSSID (MAC address) of the WPS-enabled network. Now it’s time to use Reaver, a tool specifically designed for WPS attacks.

					sudo reaver -i wlan0mon -b BSSID -vv

Reaver will attempt to exploit WPS vulnerabilities and retrieve the WPA key. Observe Reaver’s progress as it tries different PIN combinations.ย 

If successful, Reaver will display the WPA key:


Bruteforcing WPA Networks

Most organisations will have WPS disabled (thankfully). Therefore we will have to resort to bruteforcing and dictionary attacks should this be the case. To do this, we can capture the handshake from a device attempting to access the network and analyse the packet for the golden key.

To start, identify the target WPA2 network by scanning nearby networks. Note the BSSID (MAC address) and channel of the target network.

					sudo airodump-ng wlan0mon

Capture the WPA handshake by monitoring the target network. Wait for a device to connect to the network, triggering the WPA handshake.

					sudo airodump-ng -c [channel] --bssid [BSSID] -w capturefile wlan0mon

Use a tool like Hashcat or Aircrack-ng to crack the captured WPA handshake. Replace [wordlist] with a path to a suitable wordlist for password cracking.

					aircrack-ng -w [wordlist] -b [BSSID] capturefile-01.cap

If the password is not found with the initial wordlist, consider using a more extensive wordlist or employing brute-force attacks. Customise [charset] based on the potential characters in the password.

					aircrack-ng -b [BSSID] -C [charset] capturefile-01.cap

In conclusion

In conclusion, the landscape of Wi-Fi network penetration testing, encompassing both WEP and WPA2 protocols, reflects the ongoing efforts to bolster the security of wireless communication. As we explored the vulnerabilities of WEP, its susceptibility to attacks such as packet injection, and the outdated static encryption keys, it became evident that relying on this protocol exposes networks to significant risks. Ethical hackers engaging in penetration testing play a crucial role in uncovering these vulnerabilities, urging organisations to transition to more secure encryption standards like WPA2 or WPA3.

Transitioning to WPA2 introduced robust encryption methods, such as the Advanced Encryption Standard (AES) and a more secure four-way handshake. Nevertheless, ethical hacking endeavours revealed potential weaknesses, including the susceptibility of WPS to brute-force attacks and protocol vulnerabilities. Penetration testers must navigate these nuances responsibly, obtaining explicit permission for testing and sharing findings to fortify network defences.

The overarching goal of Wi-Fi network penetration testing is not just to uncover weaknesses but to instigate proactive measures that enhance the security posture of wireless networks. As ethical hackers delve into the intricacies of these protocols, they contribute to the evolution of security standards, urging the adoption of more advanced encryption protocols and the implementation of robust security practices.

In the ever-evolving realm of cybersecurity, staying informed about emerging threats, utilising up-to-date tools, and adhering to ethical guidelines are paramount. Whether probing the vulnerabilities of legacy WEP networks or assessing the resilience of modern WPA2 implementations, ethical hacking serves as a critical element in the ongoing battle to secure our wireless communication channels. Through responsible penetration testing, we collectively contribute to a safer digital environment, ensuring that the networks connecting our devices remain resilient against potential cyber threats.


Hey! Can we make it official? ๐Ÿ˜˜

I would love to share my latest ethical hacking, defensive security, OSINT, and anonymity guides with you. But I’ll need you to trust me with something… your email address. I promise not to spam you, and you can count on me to keep your data safe ๐Ÿ˜‡

More Hacking Guides

Hacking Computers With Powershell Empire ๐Ÿ’€๐Ÿ”“

How I learned Hacking, and my tips for fast-tracking the learning journey ๐Ÿ’ป

This is how I hack WiFi networks ๐Ÿฅท

How I hack websites using Burpsuite๐Ÿ’ป

Nmap: an essential tool for hacking โœ…

Hacking websites with WPScan ๐Ÿง

Fifteen Steps to maximising firefox privacy ๐Ÿ”’โœ…

Download the complete FireFox checklist that I give to my counter-surveillance clients – completely free of charge! I will take you step-by-step through advanced Firefox Configurations that will help you maximise your privacy, security and anonymity.ย 

Enter your details below and I will email it to you straight away. And don’t worry, your data is safe with me ๐Ÿ˜‡

Access free subscriber only content ๐Ÿ˜˜

I would love to share my latest ethical hacking, defensive security, OSINT, and anonymity guides with you. But I’ll need you to trust me with something… your email address. Your data will be encrypted and I will never sell it to third parties ๐Ÿ˜‡

UK Cybersecurity Company

About Aitken Security

Aitken Security is a UK Cybersecurity Company specialising in offensive and defensive security.