How to Hack WiFi on a Raspberry Pi with Kali Linux


As I often write on this blog, the Raspberry Pi is the perfect device for hacking and pen testing
In this tutorial, I’ll show you the step-by-step procedure on how to hack a wireless network from your Raspberry Pi

How to Hack WiFi on a Raspberry Pi?
Hacking WiFi on Raspberry Pi is easy since there is a package available to do this: AirCrack-NG
AirCrack-NG allows you to monitor all wireless networks around you, catch authentication packets and then use them to find the password with brute force

In this post I’ll guide you through the entire process
From installing Kali Linux and scanning the nearby networks, to hacking the passwords

Disclaimer

Hacking a wireless network you don’t own is a crime in many countries
It’s illegal and you can go to jail for this
This tutorial is here for educational purposes only.
Try this on your own network if you want, to learn how hackers work and then protect yourself
But don’t use these techniques on other networks without the owner’s permission

In no case can I be held responsible for your actions
Now that this is clear, let’s get down to the practice

Kali Linux installation

Foreword

In this tutorial, I’ll use the Kali Linux operating system because it’s convenient, everything is available on first boot
But you can do the same on Raspbian or other systems if you prefer
The package we’ll use is often available in the default repositories, so you can just install it
For example, on Raspbian: sudo apt install aircrack-ng
Then jump directly to the hacking procedure paragraph

What is Kali Linux?

Kali Linux is a Linux distribution targeting ethical hacking and pen testing users
On the first boot, you’ll get everything you need for these kinds of uses:

  • WiFi Hacking tools
  • Website exploits scanners
  • Sniffing/spoofing tools
  • Hardware hacking & stress testing
  • Etc …

So it’s the perfect Linux distribution for this tutorial, that’s why I’m using it 🙂

Download Kali Linux

Kali Linux is available for download for free
You can get the image on this page

Scroll to the Raspberry Pi section and click on the first link (“Kali Linux RPI”)

It’s a torrent file
You need to open it with a Torrent download tool
If you don’t have one, Deluge is available for any operating system: click here

Open the torrent file with the tool to start the download
Once done, the image is available on your computer (it depends on your Torrent tool but probably in the Downloads folder)

Create the SD card

The next step is to flash the image on the SD card

Follow this procedure to get started:

  • Download and install Balena Etcher from this link
    It’s the easiest tool to flash an image onto an SD card
    I use it all the time
  • Start Etcher, a window appears with three parts
  • Click on the first button and browse to the image location
    Select the image file (can be an archive) and confirm
  • Insert the SD card in your computer
    Etcher will detect it automatically
  • Then click on “Flash!” to start the copy

After a few minutes, your SD card is ready to use

First boot

For your first try, I recommend connecting your Raspberry Pi with an Ethernet cable
That way you can follow this tutorial from your computer, it’ll be more convenient
I know that’s not how a real pen test or attack works, but it’s fine to start that way while learning

  • Start your Raspberry Pi
  • A login screen appears, enter the following credentials:
    • Login: root
    • Password: toor
  • That’s it, you are on the Kali Linux desktop

Check that the network is working fine and enable SSH:

  • Open a terminal from the main menu
  • Enter this command to check the network:
    ping raspberrytips.com

    If your ping is working that’s fine
    Hit CTRL+C to stop the ping

  • Then start the SSH server with:
    service ssh start

    SSH allows you to connect to the Raspberry Pi from your computer

  • You can also grab your current IP address with:
    ifconfig

    Your IP address is on the second line of the output

That’s it, your Raspberry Pi is ready
You can now connect to it from your computer via SSH

If you don’t have it yet, you can install PuTTY from this link
Enter the Raspberry Pi IP address and click connect

Configuration

The Kali Linux configuration doesn’t require a lot of things since everything is already available on boot
But I recommend at least updating your system with:

apt update
apt upgrade
reboot

This can take between 30 minutes and 1 hour depending on your Raspberry Pi model and your connection
Be patient 🙂

If needed, raspi-config is also available on Kali Linux for keyboard layout and localization options
But you need to install it
For this and other questions, I already made a guide about Kali Linux on Raspberry Pi, click on the link if you need more help on these steps

Once you’re ready, you can move to the hacking procedure 🙂

Hacking WiFi procedure

Aircrack introduction

AirCrack-NG is a suite of tools to hack WiFi networks, or at least to test their security
AirCrack-NG offers tools to test, monitor, attack and crack WiFi networks

In this part, we’ll see how to use it step-by-step to:

  • Turn your wireless card into monitor mode
  • Scan all WiFi networks nearby
  • Listen to a specific target to capture the needed packets (handshakes)
  • Brute-force the handshake data to find the password

If you are using Kali Linux, everything is already installed on first boot
On other systems you have to install it manually

Here is the link to the official website if you need help to install it

Set your wireless card in monitor mode

The first step is to turn your wireless card into monitor mode
This mode allows you to see all networks around you and listen for handshakes

  • Use the airmon-ng command first to display your wireless card(s)
    airmon-ng


    Here, I have only one card named wlan0

  • So, we can start airmon-ng with the interface we just found
    airmon-ng start wlan0
  • On your first try, you’ll get errors about processes interfering with monitor mode
    You have to kill them before moving forward
    Airmon-ng offers a command to kill them all easily:
    airmon-ng check kill

    Then start again:

    airmon-ng start wlan0
  • Enter the airmon-ng command again to see the new interface
    airmon-ng

    In the next steps we’ll use wlan0mon

Scan for WiFi networks

Once your wireless card is ready, we can move to the next tool: airodump-ng
Airodump-ng allows you to scan WiFi networks to find your target

Use the following command to start the scan:

airodump-ng wlan0mon

You’ll get a screen like this:

Each line is a WiFi network around you
You’re closest to the first networks in the list, and you can see their channel in the CH column

Just below the WiFi networks list, you can see the stations detected and to which network they are connected
To collect data about a target, we need some active stations

Choose one target

The first thing to do is to choose one target
A target is a WiFi network (one line in the list) with preferably a few active devices on it

In this lesson, choose your own network, anything else is forbidden
To filter the list to display only one WiFi network, follow these steps:

  • Stop the scan networks command with CTRL+C
  • Then use this command to scan only one network and write data in a file
    airodump-ng wlan0mon --bssid XX:XX:XX:XX:XX:XX --channel X --write airodump

    Replace XX:XX:XX:XX:XX:XX with the BSSID (the network’s MAC address) and X with the channel number
    airodump is the filename prefix where the captured data is written (airodump-01.cap), we’ll use it later

  • You’ll get a filtered list like this: here I have one wireless network and 3 devices connected, it’s perfect

Now you need to wait until one device reconnects to the WiFi network
As it’s your own network, you can disconnect and reconnect your smartphone and see what happens

In real life, hackers are sending packets to force a device to reconnect
You can do this with aireplay-ng like this:

aireplay-ng --deauth 10 -a XX:XX:XX:XX:XX:XX wlan0mon

Replace XX:XX:XX:XX:XX:XX with the BSSID of the network you target
Run this command in another terminal (or another SSH session)
Don’t stop the airodump-ng command in the first terminal, or you won’t capture the handshake
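A defender-side counterpart to the deauth step, added here and not part of the original post: a small pure-Python parser that reads raw 802.11 management frames from a capture and flags a BSSID that emits a burst of deauth/disassoc frames, which is what this attack looks like on the air. The frames, timestamps and MAC addresses are constructed sample data, not a real network.

```python
import struct
from collections import defaultdict

MGMT_TYPE = 0              # 802.11 frame type 0 = management
DISASSOC, DEAUTH = 10, 12  # management subtypes that kick a client off the network
# Constructed frames (made-up locally administered MACs, no real network):
# frame control, duration, addr1, addr2, addr3, sequence, then the reason code.
DEAUTH_FROM_AP = bytes.fromhex("c000 0000 ffffffffffff 02aabbccdd01 02aabbccdd01 0000 0700")
BEACON_FROM_AP = bytes.fromhex("8000 0000 ffffffffffff 02aabbccdd01 02aabbccdd01 1000")
DEAUTH_FROM_OTHER = bytes.fromhex("c000 0000 02aabbccdd02 02aabbccdd03 02aabbccdd03 0000 0300")

# (timestamp_seconds, raw_frame): ten deauths in under half a second, the kind of
# burst "aireplay-ng --deauth 10" produces, plus a beacon and one ordinary deauth.
SAMPLE_CAPTURE = [(0.05 * i, DEAUTH_FROM_AP) for i in range(10)]
SAMPLE_CAPTURE += [(0.10, BEACON_FROM_AP), (3.00, DEAUTH_FROM_OTHER)]

def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def parse_mgmt(frame: bytes):
    """Return (subtype, addr1, addr2, addr3) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != MGMT_TYPE:
        return None
    subtype = (fc >> 4) & 0xF
    addr1, addr2, addr3 = struct.unpack_from("<6s6s6s", frame, 4)
    return subtype, addr1, addr2, addr3

def detect_deauth_bursts(capture, window=1.0, threshold=5):
    """Return {bssid: peak_count} for BSSIDs seen sending at least `threshold`
    deauth/disassoc frames inside any `window`-second sliding interval."""
    times_by_bssid = defaultdict(list)
    for ts, raw in capture:
        parsed = parse_mgmt(raw)
        if parsed and parsed[0] in (DISASSOC, DEAUTH):
            times_by_bssid[parsed[3]].append(ts)   # addr3 carries the BSSID
    alerts = {}
    for bssid, times in times_by_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[mac_str(bssid)] = peak
    return alerts
```

On a real monitor-mode capture you would feed the same (timestamp, frame) pairs from a pcap reader; the logic only needs the 24-byte header, so radiotap headers must be stripped first.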

If everything is going well, you’ll see a “WPA Handshake” message at the top of your scan window.

Your attack is successful
You now get one handshake in the file.
You can crack it to get the password

The captured handshake is like a password hash
You can’t reverse a hash to get the password, but you can hash candidate words the same way and check whether the result matches
In the next steps we’ll try to find the password by doing exactly this

Get passwords dictionaries

With new security on WiFi networks, it’s no longer possible to find the password directly from the handshake data
You need to use dictionaries to try a lot of words and finally find the corresponding password

So the first thing is to get those dictionaries
Here is a list of links you can use to get them:

Beware, some are big. On Raspberry Pi you don’t have unlimited disk space
It all depends on the size of your SD card

To download them, you can use wget, for example:

wget https://mirrors.edge.kernel.org/openwall/wordlists/passwords/password.gz

Then you need to extract them, depending on the extension, with gunzip, unzip or unrar

Sometimes, you can also generate your own dictionary (I think that John The Ripper offers this feature)
Depending on the SSID name, you can probably guess what type of password is set by default (each ISP/router has its own default format)
Most of the time, people don’t change the default password

Hack the password

The last step is to try cracking the password with aircrack-ng and your dictionaries

  • You now have to use this command to start cracking the WiFi password:
    aircrack-ng airodump-01.cap -w password

    airodump-01.cap is the file previously generated by airodump with the WPA Handshake
    password is the name of my dictionary file

  • Then aircrack-ng will try all the passwords from the file
  • If you have a strong password, aircrack-ng won’t find it
    You can add it in the dictionary file to see what happens when it’s found

Conclusion

That’s it, you now know how to crack a WiFi password and how to protect yourself from hackers

Having a strong password with 20 characters or more is the best security tip I can give you
If it’s hard to remember, try to use a non obvious phrase like:

  • LookingForAWiFiConnection : 25 characters
  • MyWiFiPasswordIsSoStrong! : 25 characters including a special one
  • etc …
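As an added illustration (not from the original post) of two points made above, the “hash a word and compare” idea from the handshake section and the 20-plus-character advice here: the WPA2-PSK key derivation, checked against the published IEEE 802.11i test vector, and a guess-space estimate for the two sample passphrases. The guess rate passed to years_to_exhaust is an assumed input, not a measurement.

```python
import hashlib

# Public IEEE 802.11i test vector (Annex H), not a real network: passphrase
# "password" on SSID "IEEE" must derive exactly this 256-bit PMK.
TEST_VECTOR = ("password", "IEEE",
               "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

# The two passphrases suggested in the conclusion, plus a short one for contrast.
SAMPLES = ["LookingForAWiFiConnection", "MyWiFiPasswordIsSoStrong!", "Wifi1234"]

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 32 bytes. This is the 'hash a word
    and compare' step: every candidate costs 4096 HMACs, and the SSID salt means
    a table precomputed for one network name is useless against another."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

def check_vector() -> bool:
    """Confirm the derivation against the published test vector."""
    passphrase, ssid, expected_hex = TEST_VECTOR
    return wpa2_pmk(passphrase, ssid).hex() == expected_hex

def guess_space(passphrase: str) -> int:
    """Number of strings an exhaustive search must cover for passphrases of this
    length drawn from the same character classes (lower, upper, digit, symbol)."""
    alphabet = 0
    if any(c.islower() for c in passphrase): alphabet += 26
    if any(c.isupper() for c in passphrase): alphabet += 26
    if any(c.isdigit() for c in passphrase): alphabet += 10
    if any(not c.isalnum() for c in passphrase): alphabet += 33  # printable symbols
    return alphabet ** len(passphrase)

def years_to_exhaust(passphrase: str, guesses_per_second: float) -> float:
    """Worst-case time in years to try the whole guess space at an assumed rate."""
    return guess_space(passphrase) / guesses_per_second / (365 * 24 * 3600)

def compare_samples(guesses_per_second: float = 1e6) -> dict:
    """Years to exhaust each sample passphrase at the assumed rate."""
    return {p: years_to_exhaust(p, guesses_per_second) for p in SAMPLES}
```

The point of the comparison is that the 25-character phrases are out of reach of any dictionary or brute force, while the 8-character one is only a matter of hardware and patience.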

Once they have the .cap file from your WiFi, hackers can crack it with supercomputers for weeks or months if you are a big company that interests them
In a company like this, change the WiFi password frequently or use enterprise authentication features such as Active Directory logins and passwords
