How To Hack Wi-Fi on a Raspberry Pi with Kali Linux


As I often write on this blog, the Raspberry Pi is the perfect device for hacking and pen testing.
In this tutorial, I’ll show you the step-by-step procedure on how to hack a wireless network from your Raspberry Pi.

Hacking Wi-Fi on Raspberry Pi can be done easily with the AirCrack-NG suite, available in the default repository.
AirCrack-NG can monitor all wireless networks, catch authentication packets, and use them to find the password with a brute force attack.

In this post I’ll guide you through the entire process.
From installing Kali Linux and scanning the nearby networks, to hacking the passwords.

By the way, if you are interested in Raspberry Pi and security, there are a few chapters dedicated to this in my book “Master your Raspberry Pi in 30 days”. It’s a 30-day challenge, from beginner to expert, where you’ll learn about Raspberry Pi but also about Linux in general and practice many other topics (like security, programming, system administration, etc.). I highly recommend checking it out.

Disclaimer

Hacking a wireless network you don’t own is a crime in many countries
It’s illegal, and you can go to jail for this.
This tutorial is here for an educational purpose only.
Try this on your network if you want, to learn how hackers work and then protect yourself.
But don’t use these techniques on other networks without the owner permission.

In no case I can be held responsible for your actions.
Now that this is clear, let’s get down to the practice.

Kali Linux installation

Foreword

In this tutorial, I’ll use the Kali Linux operating system because it’s convenient, everything is available on first boot.
But you can do the same on Raspbian or other systems if you prefer.
The package we’ll use is often available in the default repositories, so you can just install it.
For example, on Raspbian:
sudo apt install aircrack-ng
Then jump directly to the hacking procedure paragraph.

Raspberry Pi Bootcamp
Sale: 10% off today.
Take it to the next level.
I'm here to help you get started on Raspberry Pi.
Learn all the skills you need in the correct order.

What is Kali Linux?

Kali Linux is a Linux distribution targeting ethical hacking and pen testing users.
On the first boot, you’ll get everything you need for these kinds of uses:

  • Wi-Fi Hacking tools
  • Website exploits scanners
  • Sniffing/spoofing tools
  • Hardware hacking & stress testing
  • Etc …

So, it’s the perfect Linux distribution for this tutorial, that’s why I’m using it.

Download Kali Linux

Kali Linux is available for download for free.
You can get the image on this page.

Scroll to the Raspberry Pi section and click on the first link (“Kali Linux RPI”).

It’s a torrent file.
You need to open it with a Torrent download tool.
If you don’t have one, Deluge is available for any operating system: click here.

Open the torrent file with the tool to start the download.
Once done, the image is available on your computer (it depends on your Torrent tool but probably in the Downloads folder).

Create the SD card

The next step is to flash the image on the SD card.

Follow this procedure to get started:

  • Download and install Balena Etcher from this link.
    It’s the easiest tool to flash image on a SD card.
    I use it all the time.
  • Start Etcher, a window appears with three parts
    etcher menu
  • Click on the first button and browse to the image location
  • Select the image file (can be an archive) and confirm
  • Insert the SD card in your computer
  • Etcher will detect it automatically
  • Then click on “Flash!” to start the copy

After a few minutes, your SD card is ready to use.

First boot

For your first try, I recommend connecting your Raspberry Pi with an Ethernet cable.
That way you can follow this tutorial from your computer, it’ll be more convenient.
I know that in real pen testing or hacking that’s not the case but to learn you can start like that.

  • Start your Raspberry Pi
  • A login screen appears, enter the following credentials:
    • Login: kali
    • Password: kali
  • That’s it, you are on the Kali Linux desktop

Check that the network is working fine and enable ssh:

  • Open a terminal from the main menu.
  • Enter this command to check the network:
    • ping raspberrytips.com
      If your ping is working, that’s fine
      Hit CTRL+C to stop the ping
  • Then start the SSH server with:
    • service ssh start
      SSH allows you to connect to the Raspberry Pi from your computer
  • You can also grab your current IP address with:
    • ifconfig
      Your IP address is on the second line from the result

That’s it, your Raspberry Pi is ready.
You can now connect to it from your computer via SSH.

If you don’t have it yet, you can install Putty from this link.
Enter the Raspberry Pi IP address and click connect.

Master your Raspberry Pi in 30 days
Sale: 10% off today.
Download the eBook.
Uncover the secrets of the Raspberry Pi in a 30 days challenge.
Learn useful Linux skills and practice multiples projects.

Configuration

The Kali Linux configuration doesn’t require many things since everything is already available on boot.
But I recommend to at least update your system with:

  • apt update
  • apt upgrade
  • reboot

This can take between 30min and 1 hour depending on your Raspberry Pi model and your connection.
Be patient 🙂

If needed, raspi-config is also available on Kali Linux for keyboard layouts and localization options.
But you need to install it.
For this, and other questions, I already made a guide about Kali Linux on Raspberry Pi, click on the link if you need further assistance on these steps.

Once you’re ready, you can move to the hacking procedure. 

Hacking WiFi procedure

Aircrack introduction

AirCrack-NG is a suite of tools to hack Wi-Fi networks, or at least to test their security.
AirCrack-NG offers tools to test, monitor, attack and crack Wi-Fi networks.

In this part, we’ll see how to use it step-by-step to:

  • Turn your wireless card in monitor mode
  • Scan all Wi-Fi networks nearby
  • Listen to a specific target to get needed packets (handshakes)
  • Brute force handshakes data to find the password

If you are using Kali Linux, everything is already installed on first boot
On other systems you have to install it manually
.

Here is the link to the official website if you need help to install it.

Set your wireless card in monitor mode

The first step is to turn your wireless card into monitor mode.
This mode allows you to see all networks around you and listen for handshakes.

  • Use the airmon-ng command a first time to display your wireless card(s)
    airmon-ng
    airmon-ng
    Here, I  have only one card named wlan0.
  • So, we can start airmon-ng with the interface we just found
    airmon-ng start wlan0
  • On your first try, you’ll get errors about process interfering with the monitor mode.
    You have to kill them before moving forward.
    Airmon-ng offers a command to kill them all easily:
    airmon-ng check kill
    Then start again:
    airmong-ng start wlan0
  • Enter the airmon-ng command again to see the new interface
    airmon-ng

    In the next steps we’ll use wlan0mon.

Scan for WiFi networks

Once your wireless card is ready, we can move to the next tool: airodump-ng.
Airodump-ng allows you to scan Wi-Fi networks to find your target.

Use the following command to start the scan:
airodump-ng wlan0mon

You’ll get a screen like this:

airodump scan wifi networks

Each line is a Wi-Fi network around you.
You’re close from the first networks in the list, and you can see their channel in the CH column.

Just below the Wi-Fi networks list, you can see the stations detected and to which network they are connected.
To collect data about a target, we need some active stations.

Choose one target

The first thing to do is to choose one target.
A target is a Wi-Fi network (one line in the list) with preferably a few active devices on it.

In this lesson, choose your network, anything else is forbidden.
To filter the list to display only one Wi-Fi network, follow these steps:

  • Stop the scan networks command with CTRL+C
  • Then use this command to scan only one network and write data in a file:
    airodump-ng wlan0mon – bssid XX:XX:XX:XX:XX – channel X – write airodump
    Replace XX by the BSSID mac address and X by the channel number.
    airodump is the filename where you’ll collect data, we’ll use it later.
  • You’ll get a filtered list like this:
  • Here I have one wireless network and 3 devices connected, it’s perfect

Now you need to wait until one device reconnects to the Wi-Fi network.
As it’s your network, you can disconnect and reconnect your smartphone and see what happens.

In real life, hackers are sending packets to force a device to reconnect
You can do this with aireplay-ng like this:
aireplay-ng wlan0mon – deauth 10 -a XX:XX:XX:XX:XX

Replace the XX by the BSSID of the network you target.
Run this command in another terminal (or another SSH session).
You can’t stop the airodump command, or you won’t get the result.

If everything is going well, you’ll see a “WPA Handshake” message at the top of your scan window:

Your attack is successful.
You now get one handshake in the file.
You can crack it to get the password.

A handshake sample is like an encrypted password.
You can’t decrypt a password hash, but you can encrypt words to see if the result is the same encrypted hash.
In the next steps we’ll try to find a password by doing this.

Get passwords dictionaries

With new security on Wi-Fi networks, it’s no longer possible to find the password directly from the handshake data.
You need to use dictionaries to try many words and finally find the corresponding password.

So, the first thing is to get those dictionaries.
Here is a list of links you can use to get them:

Beware, some are big. On Raspberry Pi you don’t have unlimited disk space.
It all depends on the size of your SD card.

To download them, you can use wget, for example:
wget https://mirrors.edge.kernel.org/openwall/wordlists/passwords/password.gz

Then you need to extract them, depending on the extension, with gzip, unzip or unrar.

Sometimes, you can also generate your dictionary (I think that John The Ripper offers this feature).
Depending on the SSID name, you can probably guess what type of password is set by default (each ISP/router has its default format).
Most of the time, people don’t change the default password.

Hack the password

The last step is to try cracking the password with aircrack-ng and your dictionaries

  • You now have to use this command to start cracking the Wi-Fi password:
    aircrack-ng airodump-01.cap -w password
    airodump-01.cap is the file previously generated by airodump with the WPA Handshake.
    password is the name of my dictionary file.
  • Then aircrack-ng will try all the passwords from the file:
  • If you have a strong password, aircrack-ng won’t find it.
    You can add it in the dictionary file to see what happens when it’s found:
    aircrack ng found password

Conclusion

That’s it, you now know how to crack a Wi-Fi password and how to protect yourself from hackers.

Having a strong password with 20 characters or more is the best security tip I can give you.
If it’s hard to remember, try to use a non-obvious phrase like:

  • LookingForAWiFiConnection : 25 characters
  • MyWiFiPasswordIsSoStrong! : 25 characters including a special one
  • etc …

Once they got the .cap file from your Wi-Fi, hackers can crack it with super computers for weeks or months if you are a big company that interests them.
In a company like this, try to change the Wi-Fi password frequently or to use enterprise features like Active Directory login and password.

To learn more about Kali Linux, you can read my tutorial here with an introduction to many tools you”l find on it, or even read this book about security testing:


This tutorial doesn't work anymore? Report the issue here, so that I can update it!

kali linux raspberry pi
Basic Security Testing With Kali Linux

Patrick Fromaget

I'm the lead author and owner of RaspberryTips.com. My goal is to help you with your Raspberry Pi problems using detailed guides and tutorials. In real life, I'm a Linux system administrator with a web developer experience.

5 thoughts on “How To Hack Wi-Fi on a Raspberry Pi with Kali Linux

  1. Patrick,

    I’ve tried this several times now and even went so far as to re-installing Kali [Linux]. I get the same error at the same place:
    airodump-ng wlan0mon – bssid XX:XX:XX:XX:XX – channel X – write airodump
    I get the following error after substituting my bssid and channel number
    “airodump-ng –help” for help.
    I’m thinking, that Aircrack-ng has changed since you posted this tutorial. Any help would be appreciated.
    This type of software really interests me in identifying any security holes in my home network.

      1. I have tested it recently, without noticing any issue with this tutorial.
        Please share with us the solution/cause if you resolve this problem.

    1. Had the same problem. If you notice in the help file, the commands are with (two) hyphens “–”
      –channel
      –write
      –bbssid

      When i cam across that message I changed single hyphen commands to double, and it worked.

  2. I never get the “wlan0mon” interface. Using the Pi 400, the internal wifi doesn’t seem to work, so I am using an Edimax USB wifi dongle, but it never shows up with the correct interface when I run “airmon-ng”.

    Could it be Kali Linux or maybe this Edimax dongle isn’t fully supported?

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts

Master your Raspberry Pi - 10% off