How to Hack Wi-Fi: Cracking WPA2-PSK Passwords Using Aircrack-Ng

Cracking WPA2-PSK Passwords Using Aircrack-Ng

Welcome back, my greenhorn hackers.

When Wi-Fi was first developed in the late 1990s, Wired Equivalent Privacy was created to give wireless communications confidentiality. WEP, as it became known, proved terribly flawed and easily cracked. You can read more about that in my beginner's guide to hacking Wi-Fi.

As a replacement, most wireless access points now use Wi-Fi Protected Access II with a pre-shared key for wireless security, known as WPA2-PSK. WPA2 uses a stronger encryption algorithm, AES, that's very difficult to crack—but not impossible. My beginner's Wi-Fi hacking guide also gives more information on this.

The weakness in the WPA2-PSK system is that the encrypted password is shared in what is known as the 4-way handshake. When a client authenticates to the access point (AP), the client and the AP go through a 4-step process to authenticate the user to the AP. If we can grab the password at that time, we can then attempt to crack it.

Image via Shutterstock

In this tutorial from our Wi-Fi Hacking series, we'll look at using aircrack-ng and a dictionary attack on the encrypted password after grabbing it in the 4-way handshake. If you're looking for a faster way, I suggest you also check out my article on hacking WPA2-PSK passwords using coWPAtty.

Step 1: Put Wi-Fi Adapter in Monitor Mode with Airmon-Ng

Let's start by putting our wireless adapter in monitor mode.

For this to work, we'll need to use a compatible wireless network adapter. Check out our 2017 list of Kali Linux and Backtrack compatible wireless network adapters in the link above, or you can grab our most popular adapter for beginners here.

A roundup of Kali Linux compatible wireless network adapters. Image by SADMIN/Null Byte

This is similar to putting a wired adapter into promiscuous mode. It allows us to see all of the wireless traffic that passes by us in the air. Let's open a terminal and type:

  • airmon-ng start wlan0

Note that airmon-ng has renamed your wlan0 adapter to mon0.

Step 2: Capture Traffic with Airodump-Ng

Now that our wireless adapter is in monitor mode, we have the capability to see all the wireless traffic that passes by in the air. We can grab that traffic by simply using the airodump-ng command.

This command grabs all the traffic that your wireless adapter can see and displays critical information about it, including the BSSID (the MAC address of the AP), power, number of beacon frames, number of data frames, channel, speed, encryption (if any), and finally, the ESSID (what most of us refer to as the SSID). Let's do this by typing:

  • airodump-ng mon0

Note all of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen.

Step 3: Focus Airodump-Ng on One AP on One Channel

Our next step is to focus our efforts on one AP, on one channel, and capture critical data from it. We need the BSSID and channel to do this. Let's open another terminal and type:

  • airodump-ng --bssid 08:86:30:74:22:76 -c 6 --write WPAcrack mon0
  • 08:86:30:74:22:76 is the BSSID of the AP
  • -c 6 is the channel the AP is operating on
  • WPAcrack is the file you want to write to
  • mon0 is the monitoring wireless adapter*

As you can see in the screenshot above, we're now focusing on capturing data from one AP with a ESSID of Belkin276 on channel 6. The Belkin276 is probably a default SSID, which are prime targets for wireless hacking as the users that leave the default ESSID usually don't spend much effort securing their AP.

Step 4: Aireplay-Ng Deauth

In order to capture the encrypted password, we need to have the client authenticate against the AP. If they're already authenticated, we can de-authenticate them (kick them off) and their system will automatically re-authenticate, whereby we can grab their encrypted password in the process. Let's open another terminal and type:

  • aireplay-ng --deauth 100 -a 08:86:30:74:22:76 mon0
  • 100 is the number of de-authenticate frames you want to send
  • 08:86:30:74:22:76 is the BSSID of the AP
  • mon0 is the monitoring wireless adapter

Step 5: Capture the Handshake

In the previous step, we bounced the user off their own AP, and now when they re-authenticate, airodump-ng will attempt to grab their password in the new 4-way handshake. Let's go back to our airodump-ng terminal and check to see whether or not we've been successful.

Notice in the top line to the far right, airodump-ng says "WPA handshake." This is the way it tells us we were successful in grabbing the encrypted password! That is the first step to success!

Step 6: Let's Aircrack-Ng That Password!

Now that we have the encrypted password in our file WPAcrack, we can run that file against aircrack-ng using a password file of our choice. Remember that this type of attack is only as good as your password file. I'll be using the default password list included with aircrack-ng on BackTrack named darkcOde.

We'll now attempt to crack the password by opening another terminal and typing:

  • aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de
  • WPAcrack-01.cap is the name of the file we wrote to in the airodump-ng command
  • /pentest/passwords/wordlist/darkc0de is the absolute path to your password file

How Long Will It Take?

This process can be relatively slow and tedious. Depending upon the length of your password list, you could be waiting a few minutes to a few days. On my dual core 2.8 gig Intel processor, it's capable of testing a little over 500 passwords per second. That works out to about 1.8 million passwords per hour. Your results will vary.

When the password is found, it'll appear on your screen. Remember, the password file is critical. Try the default password file first and if it's not successful, advance to a larger, more complete password file such as one of these.

Stay Tuned for More Wireless Hacking Guides

Keep coming back, as I promise more advanced methods of hacking wireless in future tutorials. If you haven't seen the other Wi-Fi hacking guides yet, check them out here. Particularly the one on hacking WEP using aircrack-ng and hacking WPA2-PSK passwords using coWPAtty.

If you're looking for a cheap, handy platform to get started working with aircrack, check out our Kali Linux Raspberry Pi build using the $35 Raspberry Pi.

A beginner Wi-Fi hacking kit. Image by SADMIN/Null Byte

And as always, if you have questions on any of this, please ask away in the comments below. If it's something unrelated, try asking in the Null Byte forum.

Just updated your iPhone? You'll find new features for Podcasts, News, Books, and TV, as well as important security improvements and fresh wallpapers. Find out what's new and changed on your iPhone with the iOS 17.5 update.

Cover image via Shutterstock


great master OTW...clear as always...great job!

Master OTw...will the WPAcrack file be created on the call to the command or i have to create it somewhere? thanks

The command will create the file.

I have been trying to download backtrack 5 R3 and the completed iso file size of BT5R3-GNOME-64 is 506MB. Did I get it all downloaded?


It doesn't sound like you got it all. It should be 2-3gb.


Everytime I try downloading it says it failed because the source couldn't be read. How can I get around this?

First of all, thanks for the great tutorial.
The only problem I have is the following:
14:49:01 wlan0mon is on channel 6, but the AP uses channel 9
I tried things like "airmon-ng start wlan0mon 9" but it displayed the same error.
Any Ideas how to fix this?

I am getting the same error now, have you found anything?

I ran into a similar problem. The way I solve it was like this:

Instead of typing airodump-ng --bssid 08:86:30:74:22:76 -c 6 --write WPAcrack mon0, after the -c put the channel that the AP uses, in your case 9. If it doesn't work, run the command a few times, and you'll notice that the channel might be changing, so if you spam it a bit you might land on it and get lucky.

Or just:

$ ifconfig wlan1 down
$ iwconfig wlan1 channel 9
$ ifconfig wlan1 up

When it doesnt work try a little bit Google there are severel methods
to do this.

Or like BEN says, if the channel is everytime different, than its in Auto-Channel mode so you can just spam it a little around to hit the correct Channel.

when i do, airodump-ng --bssid 08:XX:BB:XX:CC -c 1 -write WPAcrack what i get is....
Notice: You specified "-write". Did you mean "--write" instead?
Interface WPAcrack:
ioctl(SIOCGIFINDEX) failed: No such device

so i was thinking -write was a i did
airodump-ng --bssid 08:XX:BB:CC:GG:XX -c 1 --write WPAcrack
and now i get
No interface specified.
"airodump-ng --help" for help.

so what am I doing wrong master OTW?

the syntax you are going for is: airodump-ng --bssid 08:XX:BB:CC:GG:XX -c 1 --write WPAcrack mon0

You are right, it should have been --write. Thanks for catching that typo.

I forgot to also put in the interface, it appears. You nned to tell airodump-ng, what interface to use. In this case mon0.


Hello Master OTW!
Thanks so much for ur hard work. People like us are finding ur tutorials more useful.
I have a little problem. I followed ur tutorials on cracking WPA/WPA2 and everything worked out fine.
Just the last stage, the aircrack-ng;
When I typed aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de
This is what I got:
Opening WPAcrack-01.cap
Please specify a dictionary (Option -w).

Quitting aircrack-ng...
Please could u explain to me what I did wrong?

This guide was written against BackTrack 5. You are using Kali Linux I assume. The file paths are different.

Use : locate wordlists
To find ALL wordlists in your Kali.

Side note: Use rockyou.txt wordlist. You will have better luck with it.

Ok master things went well to the last step... I get this error..

Opening WPAcrack-01.cap
Opening /pentest/passwords/wordlists/darkc0de
open failed: No such file or directory

i tried it with this time darkcode..changing the zero in darkc0de to to an o..still No such file or imagining my kali doesnt have it...i deleted backtrack5 and installed how do i get other password lists and more important how do i install it straight into the aircrack-ng directory...

been trying to find that directory but i just find the file in bin..and thats still learning how files are organized in ubuntu and debian in general.....


I put two links to other password list in the article. Try those first.

As for putting them in the correct directory, you can put them anywhere but make certain that you use that directory in the aircrack-ng command.


I tried cracking WPA2 networks last week using airodump and fern, but my chromebook's processor is not that powerful! :P Will definitely have to play around with the command prompt way, I'm a sucker for GUi's...haha Also, thanks for the password lists, those are hard to find sometimes, surprisingly.

my wireless adaptor stays on channel 6 when i put in airodump-ng mon0 its not jumping through channels like it used to.
do you know a command to fix this


What wireless adapter are you using? It's likely a driver issue.


I would suggest, re-installing the driver.


I forgot to ask you, did you already use your wlan0 to connect to an AP? If you did that will explain why it no longer hops channels. Disconnect from the AP and it should hop channels again.


Can I hack with TP Link wireless adapters?


You can check the aircrack-ng website for compatible wireless adapters.


hey i got the channel changing when we do that first airodump.

now in the second airodump when we are specifically looking at the target AP, where it says fixed channel mon0 in the top right corner the channel is changing up there an i cant tell from the picture wether your one is doing the same or it is fixed on ur specified channel

algood mate mate i managed to get the 4 way handshake now just waiting for it to do its thing.
an thanks for the help to, much appreciated

Great write up. I think it is worthwhile for those who choose this endeavor to understand just how long bruteforcing a pwd might take. You can enter a pwd here and get a fair calculation. Fortunately for those who might want to do this most people will use the name of their pet if they even change the admin/admin default.


Thanks for that info! Technically, this isn't a brute force attack though and its not a dictionary attack either. We are using wordlists of commonly used passwords with special characters and numbers. It might best be called a hybrid attack and takes a lot less time than a brute force attack.


Thanks for correcting me. That's what I get from skimming instead of reading.

So I've been following your recent guides (and already got to test on some Wi-fi's) but now trying to expand the dictionary (Darkc0de isn't enough, more if your language is not English) but the alternative dictionaries you offered are txt's and aircrack says it only takes IVs or Cap, so, as a beginner that I am, how would I get those in the correct format? Is there a converter and what parameters would I have to set up to get it right?

Thanks in advance, nice guides! Kudos

rockyou.txt huge wordlist. Think it comes with kali.

This is nice OTW. I like using reaver personally. Pretty fast usually works within a couple hours with good signal strength.

Mkay. I tried this this morning. I'm not sure if it worked or not. I was originally making an attempting on cracking the WPA2, yet something a little different happened, so I just followed through with a DoS attack of which i think worked. I'm led to believe that it worked because after the deauth went through, the saw the mac addy pop back up and re-authenticate itself onto the network. I decided to quit the WPA2 crack because I never saw the 4-way hand shack after they reconnected. It's suppose to say 4-way handshack in the top right... here's a screenshot. It never appeared when they reauthenticated back onto the network. Any idea why?


You are right, it should have captured the handshake when they re-authenticated. Are you sure they re-authenticated?


OTW: Personal experience tells me that this works best, in my neighborhood atleast, during business hours. I'm also working with Kali instead of BT.

Which brings me my question: Would you know the Darkc0de in Kali? I tried locate and find, but gained no results. To answer a potential question, I used one of your listed alternative dictionaries.


I don't know for certain, but I believe that it is not included in Kali. Maybe another good reason to stay on BT?


Hey, i came across a issue, i think i went through all of the steps here word for word and about two times it said "WPA Handshake" and the Bssid in the top right but when i went and tried to use the darkc0de command "aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de" it at first said specify a dictionary so i entered darc0de as darkc0de.lst and it seemed to work, but now I'm coming across this in the top right console it says there is no Valid WPA Handshake but on the left one it says it went through after authentication.


Each time you run aircrack-ng, it creates a new file, so it means no handshake in that file.


I thought of that, so i went and deleted all of the other ones i failed with before i went and started this one, so i should only have 1 file to "Load" it from, i guess i will make sure i have none again this time and try again, also does the Reauthentication the machine doing that or a human having to reenter their password or something? (After i deauthenticate them, when should it say WPA Handshake? As in a time interval?)

The machine will automatically reauthenicate after you deauthenicate, almost immediately.


Hmm from what i seen/hear from yours that would be the case, but when i tried last night only a few times would i even get a WPA Handshake, the other times i waited hours and got nothing, so WPA handshake should be instant and afterwards i use the aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de.lst command and it should be all fine and i will have to wait for that one

Did you restart airodump-ng?

After i realised there was no handshake yes, and when i ran to start airmon-ng start wlan0 (without resetting computer first) It made different monitoring devices so will i have to restart every time i do this?

Can you help me find the right path for kali linux this one isn't working ? /pentest/passwords/wordlists/darkc0de

Hmm, is there a "Quicker" Method to WEP/WPA/WPA2 Password cracking? The two smaller files that i tried were both unable to find the password and the Larger One i downloaded from the two links will take about a week I'm guessing to even come near completion and i only have one Laptop and use it daily so i can't exactly just leave it for a week and Hope for it to find the password, Given that the password isn't in that large list.

How do I know WPA2 with WPS?


Welcome to Null Byte!

There is tutorial here on cracking WPA2 with WPS.


alright, I'll Check out Reaver, and its probably just having to be Patient, but that is kind of hard to wait a week without being able to use Your only source of Connectivity. I know this may be the best way and we Don't have Transformer Technology that will get us inside in Minutes. Just seems a little Drastic for a whole Week+ of a possibility for a password. But enough complaining i'll go check Reaver now.


If you have an idea of the password, choose a password file that is appropriate.

You can always let the password cracking run in the background and still do something else on your computer.

If you want the password, sometimes you have to be patient. By the way, their are other tools such a GPU's and specially designed ASIC's that can reduce the time by about 1,000,000 times. Unfortunately, they are a bit pricey. About $2000.


I have no clue of what the password would be or even what it would start with, So that is a no go or i would have edited one of the lists, if it was just a simple word file or such, and only had the passwords with the first letter in it. I Suppose that would drastically reduce it. Or perhaps i could break up the file into smaller ones and test them while i am sleeping. Also about the background i myself don't have internet at my house and the RAM on my computer is rather low, i don't think i should try anything else as to not Corrupt or interfere with the speed or stability of the Cracking Process. Also in your "Reaver" Link would having BTr3 Already have all of these already?

"The following programs installed (install by package name): aircrack-ng, python-pycryptopp, python-scapy, libpcap-dev"

Oh, also im having an issue even getting The WPA handshake at all, I've tried many different Connections and only randomly got it once, im not sure what causes this really, but generally i dont know if this is weird but when i try to "De-auth" It sometimes says my card is on a different channel than the target and my card seems to be switching through the channels and i have to enter the de-auth command a few times before it sends the signals

Fallen Ones:

To get the handshake, someone has to authenticate. The deauth deauthenticates them and when they re-authenticate you should get the handshake.

As for the issue with your cards switching through the channels, you could simply lock down on a single target channel when you put your card in monitor mode.


"The machine will automatically reauthenicate after you deauthenicate, almost immediately." I though that when you said this you meant i would get the WPA handshake immediately, so i do have to wait on the Handshake then? also, my backtrack doesn't seem to have Airodump-ng for the WEP Cracking is there a guide on installing all these and the ones needed for the Reaver guide for the WPA2 As well?


What version of BT are you running? Airodump-ng should be in all of them.

If you need to download anything from the aircrack-ng suite, go to


BTr3, i went and tried it once or twice and it simply said "Airodump Command not found" I can go and try again though.

Do you mean BT5v3? If so, its there.

This may explain why you are not capturing the handshake. You need airodump-ng to capture the handshake.

Hmm well i went and loaded up BT and ive downloaded the most recent, and i only once randomly got the handshake, but when i try this "airodump --bssid 00:09:5B:6F:64:1E -c 11 WEPcrack mon0" in the WEP Guide (using the Bssid's channel and own Bssid) It says the command does not exist No issues up until i have to enter that

airodump-ng --bssid DC:45:17:67:F4:50 -c 11 WEPcrack mon0

"airodump-ng --help" for help.

I;ve tried that and only get the help command, i also tried to remove the space inbetween the airodump-ng and --bssid but it goes back to saying the command doesn't exist

Edit- 10:57 PM Wait, i think i see where it might have went wrong.. Was it supposed to be like this?

airodump-ng --bssid 00:09:5B:6F:64:1E -c 11 --write WEPcrack mon0

Where as in the WEP Cracking you have this "airodump --bssid 00:09:5B:6F:64:1E -c 11 WEPcrack mon0"

9:00 AM~

Okay, well now i am severly confused. i got the command working to where it would write the WEP file, but after i set everything up and followed the guide and went to sleep, after about 9 hours and 20 minutes i came and checked to see that no one had connected to the network i was monitoring, and that when i tried to Crack it i got no Data Packets but around 494574 Normal Packets? and it wouldn't attempt, so i decided to go and try again but then i see that i got a Handshake From a different Network which i was not even monitoring or using the Bssid of the network, even the Bssid's of the two network are different and I'm not even sure how the Handshake took place, as the one i was trying to crack was called "Blue" Bssid: 00:0C:41:F6:A0:0E And it is a WEP The other is "BrightonNetwork" Bssid: E0:91:F5:A3:ED:3E and is WPA2 which is where i got the handshake from and now i have no idea what to do.

Also im unsure if my computer isn't picking up people connecting or registering any Handshakes, as i stated above it came in randomly when i was monitoring a different network and i can't use the handshake as it was not monitored at the time and wasn't written into the WEP "Blue" File. Any ideas? It seems everytime i try to do this it fails WEP or Not.

Edit: 11:52 AM~

Okay so i went ahead and followed the WPA Cracking guide, again, and this time i got the handshake almost immediatly (Given that i am now trying the WPA on the "Brighton-Network") And am just trying the Cracks now, Would editing a large 14GB Password file cause it to not be ran? Its not a normal .txt file so I'm unsure, or could i just change it into a txt file and be fine? I've tried opening it with Notepad, and Notepad++ But it says the file is too large to open in them.

(The file is actually realuniq.lst)


You are confusing the two cracks. You don't need the handshake for WEP cracking, just the IV's.

Go back and re-read the WEP tutorial and try again. You should be collecting IV's and then you use aircrack-ng to derive the password via statistical techniques. Its foolproof and quick.



Also, yes, if you edit that file it won't run.

Try a small file first. It will be much faster.


No no, i'm not confusing them.. I'm saying while using and running the WEP Crack and info i got a handshake from a WPA Network randomly when i Wasn't monitoring it.

And i don't get an IV's? Cause no one connects to the WEP network so i dont think i can get them at all, because i was monitoring for nine hours and only got 500K Packets and no IV's or anything crack wouldn't even try to start


First, the WEP crack requires that someone authenticate against the AP and then you spook their MAC address. With their MAC, you can then send ARP's to the AP to accelerate the cracking process. You should be able to pick up enough IV's within minutes.

While you have airodump-ng open on all channels, it will pick up handshakes on any channel within range, no matter what attack you are attempting.


hi, thanks for the tutorial.
what about when he finds the password ?

I waited until it stop, but aircrack still had the same appearance. I tried with the 'passphrase' that was display but it don't works.

I presume I'll have to try with another password files ?


This attack is only as good as your wordlist. Try another wordlist.


okay ,thanks for answering.

once we have the good WPAcrack-XX.cap, can we start the process another day at step 6 with another wordlist or do we have to start each time at the beginning ?


You can use the same .cap file with a new wordlist.


I didn't manage :

I tried once with darc0de.lst and it failed, I shut down my computer, restart some days later directly at step 6 with the rockyou.txt wordlists, it failed. Then I tried with the big dictionnary, it took more than 24 hours but it failed.

did I make a mistake or is that normal ?

thank you


I don't know if you made a mistake, but if the admin of the AP chose a passphrase that is unique on not on any of those lists, then this method won't find it. Remember, this method is only as good as the list you use and a smart admin will choose a long and unique passphrase that is not in those lists.

Also, is this a business? Is it possibly use WPA2-EAP? If so, this method won't work. It only works with WPA2 with a Pre-Shared Key (PSK).


no this is a personnal wifi, and airodump-ng said that's a WPA2 PSK ...
could I have more chance with Cowpatty ?

Thanks for the tutorial OTW,

I followed all the steps with BT5 and the darkc0de failed. I downloaded crackstation pw list you provided, but i dont know how to access it or how to use a directory to get to it.

please help


First, welcome to Null Byte!

All you need to do is point the aircrack-ng command like in step #6 to the directory with the wordlist you downloaded.


so hack a wifi... ok lets say i want to hack a WiFi or obtain internet access in a very conventional way such as... purchasing a cable modem from retail and registering it under a cold real address(cold means no one lives at the address nor doesn't have services with the cable company or the ISP i am asking services from). Registering internet with many cable providers doesn't require a tech to be sent out and do the installation, it can be activated over the phone and without a truck roll, use of social engineering techniques are required to accomplish that task.

So now the modem is registered at an address that is 20km away from my house where the modem is actually being used.. Would that be traceable as well? Would they go by the billing address where services are bound to or they go by IP of the WAN and therefore come over where the modem is physically located? In that case, the modem IP would still be my house location? How does it work in terms of ISP companies head ends that feeds each serviceable address with RF cable?


First, I want you to be careful until you know more.

Second, there are problems with your strategy. The first is that the cable company can trace the location of all Internet services (not so with TV services). The second problem is that your payment could be traced unless all payments are in cash.

The best way to use wifi anonymously is to hack someone's password who is good distance away (say .5-2 miles). Then use there wifi with a high gain directional antenna. I have worked with law enforcement agencies and even when they know the wifi is hacked, they focus their investigation to surrounded houses/neighborhood.


Thnks OTW

Hi, N00B here.
Been trying to follow the steps but I get shot down at first crack...
when I enter iwconfig (to find my wireless card) I get

lo no wireless extensions.
eth1 no wireless extensions.

Any idea what my problem may be? I'm unable to proceed to the next steps as a result of that.

As well as...

airmon-ng start eth1

Found 3 processes that could cause trouble.

If airodump-ng, airreplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!

PID Name
954 dhclient3
2715 dhclient
2733 dhclient

Let me know if you can guys?


Are you using a VM?


Yes, that is a screenshot from the VMware Workstation I installed today.

Yes, that is a screenshot from the VMware Workstation I installed today.


VMWare workstation takes your wireless adapter on your host machine and pipes it into your virtual machine as a wired connection, eth0. To do wireless hacking from a vm, you will need a usb wireless adapter. I recommend the Alfa cards. They are cheap, work great and are plug and play in BT.


Also, Yesterday I was trying to accomplish the same thing using CommView for WiFi and when I select the option for Node Reassociation i get a prompt that says device does not have/support that function, is that to be replaced with the Alfa Card as well?


As long as you are using a vm, you can't do wifi hacking until you get an external card.


Sir OTW,

I've tried the darkcode list but im getting no result at all..
i heard about JTR, but dunno how to use it with BT.
newbie here.


My wifii card isn't found in backtrakck how do I enable it?


Welcome to Null Byte!

If you are running BT as a VM, it won't recognize it. To do wireless hacking you will need an external wireless adapter.


Hey OTW,

I have purchased and installed my Alfa Card (2W) and am ready to have another go but I'm still not getting any recognition of my card either via VM or CommView.

Please advise.


In the vm interface, you must tell the vm to connect your removeable device. In Vmware, it is on the vm tab.


Kool... giving it a go... YES! I'm in (wlan0) Thanks a lot man!

How does one update VMware Tools in the interface?


Great! Glad you were successful!

At the bottom of the vm screen you will see a button to update the vm tools.


thats what I did and I saw that pop up so I was wondering if it needed me to do something or leave it be?

Simply install them or leave them be.

Right. So I figured out how to Install/Update VMware Tools thanks to a youtube video. But it still seems like I can't get a break...

arrived at airodump-ng mon0 and I'm taken to the section where a list of networks should be but there is no list, just the BSSID etc but no network names show up.

Please advise?

Did you read the whole tutorial? That is what you should see.

breath a sigh of relief... plugged in airmon-ng start wlanx and that seemed to have forced the card to inject and show the APs. (read that somewhere). I know nothing, I just go hard.

So I hope this works now. APs are up and I'm going in but I noticed tho that its taking forever to capture the handshake. Is this normal waiting time. I also thought I'd put reaver up to the task and see who comes back with a response first.

Let me know what you think
remember.... I know nothing

When I typed airodump -ng mon0 it says no device found. what do i do and i'm running BT5 in VMware.


Are you running BT in a VM?


please i need your help i tried more than one way its all lead to the same end and this is it ""Choosing first network as target.

Opening WPAcrack-01.cap
Please specify a dictionary (option -w).

Quitting aircrack-ng...""


Check to see whether your wordlist is actually at that location.



When you run BT or any OS in a VM, it converts your wireless to a wired connection. If using a VM, you will need an external wireless adapter. I recommend the Alfa.


is any other way besides getting an external wireless adapter. I'll try anything else. Sorry for any trouble I've caused you.


The other option is to create a dual boot system. Even then, you will have difficulty without an aircrack-ng compatible wireless adapter.


I have installed BT5 as a dual boot system( I think). I have also downloaded aircrack-ng for windows. What should i do now to make this work.


If you installed BT as a dual boot,you are ready to start hacking! You don't need aircrack-ng for windows. Aircrack is built into BT. Now just follow my tutorials.

Good luck!


Thank you but i tried and at the second command, airodump-ng mon0

it says no device found. I think its because it says my connection is wired but is there another way besides buying an external wireless adapter. Is there something i can download to fix this??


You said you are were running dual boot, but it sounds like you are running a vm. With a vm, you will need an external wireless adapter.


Hey OTW,

So since I got myself the external adapter and been trying to get in the game. I have yet to succesfully access a listing of APs via airodump-ng.

Been scouring the web trying to find a solution but none seem to be hitting the mark but I have summized that the problem lies within the chipset of my external adapter (see image).

So I'm asking if you are aware of such a case in BT5r3 and do you know of any resolution for the matter?

I'm sorry I'm a bit confused i thought that a virtual machine was a dual boot system. How do i install it as a dual boot system. I've seen your other tutorial on how to install BT5 but i still didnt know to install it as a dual boot system. sorry i must be a big pain:( Can i install as a dual boot without a CD?


Running BT in a virtual machine is NOT a dual boot system. A dual system has two operating system on the physical machine and you can choose to run one or the other. If you run dual boot, you will not need an external wireless adapter. With a VM, you will need an external wireless adapter.

To install a dual boot system , you will need to install the BT operating system from an external device such as a flash drive, CD or DVD.

Hope this helps.


Is this something I may need to do? I have BT v3 iso both the 32 and 64 versions. Tried running the 64 version off of a usb with a little over 7 gb space. Booted off the usb and ran in text mode. Entered startx to get to gui. Then tried iwconfig and it couldn't find anything. I have an external wireless reciever. I am pretty sure it is aircrack compatible. It is a NETGEAR WNDA3100 not sure if it is v1 or v2 but I believe both are compatible. Do I need to install BT to my machine instead using a VM?

Thank you it helped a lot. I have installed the bt5 ios to my usb using unetbootin. Not sure what to do now though. i pressed f2 on Asus laptop but i just got lost.

You need to change the Hard disk priority, and usb should be selected as first Hard disk Bios setting.

use the following command.
iwconfig mon0 --channel ?
? is the channel your target AP is on.

Yes, you want to set your mon0 on the same channel as your target.



Welcome to Null Byte!

You need to execute each of the commands here in order. Did you do that?


Hi how do i boot of my usb and install it to my hard drive.


You must first get into your BIOS and change the boot up sequence so that it boots from your USB first.



hey otw

i am getting this in the end.

use this command . iwconfig mon1 --channel 11


The wireless adapter is randomly going from channel to channel. If you keep trying, you will hit the right channel eventually.

As an alternative, you can use the --channel switch in your airodump-ng command to lock on a specific channel and then run aireplay-ng.


Also I've learned something very important. If you've tried the process more than once you will need to ensure that monitor mode is disabled before you start it again or you will get unsuccessful processes such as the above...

simply type airmon-ng stop mon0 then airmon-ng stop wlan0 to take your wifi out of monitor mode and then restart the process. After putting your card in monitor mode and you're finished doing whatever you're doing always take the card out of monitor mode. Trust me, I've been around the world in the past week learning this thing as a newbie and if you're following a tut such as this then READING IS BOTH FUNDAMENTAL AND ESSENTIAL to understanding the process.

You may also try switching your mon0 channel by...
enable mon0
airmon-ng start wlan0

Check for the wps enabled wpa wifi (this can also be done with
#wash -i mon0 -C

set your channel to the same AP in which you are interested
#iwconfig mon0 channel <channel of AP eg. 11>

start aireplay
#aireplay-ng mon0 -1 120 -a <MAC of AP> -e <AP name>

start reaver
#reaver -i mon0 -A -b <MAC of AP> -vv

Thanks James! That help is much appreciated.

Hi OTW I booted up bt5 from my USB and installed it but when it says restart to finish installing, the whole screen goes black and stays black. Not sure what I've done wrong.


Did you take the USB out?



If you installed BT from the USB to your hard drive, you must remove the USB when you restart.


You may need to re-install it.

i tried that and it still leads to a black screen.


I'm not sure what is causing this problem, but I would;

  1. Make sure your download was not corrupted
  1. Make sure your graphics card is compatible.

Btw, how much RAM are you running on.


please Administrator i just got to know of your website and decided to state in some comment for further a beginner and lerning how to hack wifi password.i hornestly dont know what u are saying in this and dont know how to put my wifi adapter into monitor mode.please help me.thanks


Welcome to Null Byte! I'm glad found us.

Step #1 above puts your wifi adapter in monitor mode. The command is

airmon-ng start wlan0

Good Luck!



Really Thanks for al these turtorials.

but if i do aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de it says that i didn't chose an network/ he didn't find a network. and if i do airodump-ng --bssid 08:86:30:74:22:76 -c 6 --write WPAcrack mon0 and then aireplay-ng --deauth 100 -a 08:86:30:74:22:76 mon0 and i go back to look if i capture the hand shake than i see that i was succesful and than i see fixed chanel again. how can i solve these problems?


Welcome to Null Byte!

Did you do each of my steps in order?

Please give more information on what you did. Let's start with "Were you able to see the wireless network" and did you get your wireless adapter into monitor mode?


I did each step in order, i was able to see the wireless network en i did this:
1airmon-ng start wlan0
2airodump-ng mon0
3airodump-ng --bssid 08:86:30:74:22:76 -c 6 --write WPAcrack mon0 (with my own selected bssid and chanel)
4aireplay-ng --deauth 100 -a 08:86:30:74:22:76 mon0
5 then i see that i have captured the wpa handshake and than i see fixed chanel again.

6aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de if i do this step it says that it can't find the file and than it opens WPAcrack and then it says no netwerk exist and it closes.


It appears that possibly you don't have the darkc0de word list or it is in another place. Are you using BackTrack5v3?


Hi, i tried getting handshake by de-authentication in one WiFi it worked but on the other i didn't get the handshake line above the list of all available nets

could it be a defense against hacking so the hacker wont get the encrypted pw?

hi OTW im running on a windows 8 Asus 8gb ram. I know its been a long time but I've been trying to find a solution on line but i found no results

So in this hack we hope that the password is one of those in the wordlist we are using? What if the AP's password is its owner's phone number or birthdate ?


Yes, we are hoping it is in that wordlist. There are numerous wordlists available with millions of passwords.

If the password is numeric, it should be pretty easy to brute force with a numeric wordlist.


hey otw have u heard about the Anonymous os?
If u have i wanted to know if its actually any good?


The Anonymous OS was NOT developed by Anonymous. It is OS designed to embed rootkits in your system. DO NOT DOWNLOAD IT!


Bilal: I think your problem might be that your system is 32/64 bit and you have installed a BT 64/32 bit ...the incompatible architecture if installed will not work....

if the architectures are compatible, check the md5sums of your downloads. If they match it says your download completed intended. Hope this helps. And most modern machines come with UEFI and legacy boot installed. CHanging EFI settings can be extremely tricky, so try and see if you can go back to legacy mode.

Good call, Absolute! That just might be issue!

my computer is a 64 bit and i downloaded a 64 bit bt5 but how do i check the md5sums and in the bios i found something called legacy but im not sure how to go back to it?

The md5sums are given next to the download link.
After u download the files will have one called md5sum compare the 2.

As for setting your Boot up sequence, each machine has a different key..if u are inUEFI at present, hold the shift key down while the laptop restarts it will take you to around here a bit and u can choose legacy or efi boot.

i also downloaded bt5 as a torrent and i can boot of the usb i just cant restart after it finishes installing, it takes me to a black screen and it stays like that for a very very long time.

try getting the direct download instead of a torrent..sometimes a torrent can be corrupted

: master OTW

i hv some wifi network without any key i.e. open networks but when i tried to connect thn i couldnt connect thm..................... how can i connect to those networks..............................thnx


I need more information before I answer that correctly. What happens when you try to connect?

Many "open" networks have a proxy behind them that requires authentication. Some hotels, restaurants, etc. work like this.


it simply gives a message "unable to connect"


They may have IP or MAC filtering on. Try spoofing your MAC address to one that you can see has connected. You will need to use airmon-ng and airodump-ng for this.


i understand master............but two machine with same MAC can be connected with a router????

I have to say, this is somewhat better than reader because most new routers blocked the wps hole. I have a problem and some questions master OTW. They go as follow:

I'm very new to Linux and backtrack. Like a slutty virgin, this is my first time.

I followed all the instructions and everything is fine but the wordslist doesn't have the password. I have routers around me I know uses numbers as password. Please, I need to know the command to use if I saved a wordslist on the desktop what will I enter in the command exactly.

Also, how do I create a wordslist of numbers or where can I get a number list? What file type does the wordslist need to be? Is there a number list and where can I get? Thanks a lot.. I just need wifi for peaceful browsing.


Try this website . They have numerous wordlists or you could create your own.

The wordlist must be a .txt file created in Linux. If you create it in Windows, would work without removing the embedded CR and LF.


Master OTW.

I don't see any users. I see all the AP, but even on my own wi-fi, connected with another laptop, i don't see anyone connected to them. When i use "airodump-ng --bssid..... -w WPAcrack mon0" It only shows out the info on the AP.

What should i do?


I'm not sure what is wrong, but let's start at the beginning. Did you put your wireless card into monitor mode? Is your wireless card aircrack compatible?


Well i did put it on monitor mode. Im not sure its aircrack compatible. Ill check.

FOSS wireless driver for BCM4313, BCM43224, BCM43225 chipsets
Currently does not support monitor/injection. Well, it did monitor..

I'm glad you found the problem.

When I tried running this, I got an error that said "Couldn't determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch

Please specify an ESSID (-e)"

When I tried the --ignore-negative-one and it ran the DeAuth, but no handshake. I'm just curious what that error message is saying exactly?

Walking Dude:

I've never seen that error message, but I am speculating that you got this message after trying to link your mon0 to the AP in Step #3. What are you running this command on? BackTrack?



master i hv so many wifi around me....i want to know that some wifi do not display their ESSID ..they only shows <lenght>at moniter mode...what does it mean???

and i dont get that ip over my windows machine why????


I'm not certain what you are asking me here. It would help if you could give me a screenshot.


in this tutorial 3rd screen shot i.e. airodump-ng mon0.......................ESSID coloumn contains <length 0>....what does it mean????

are they hidden networks??

No, probably an AP that has never been assigned a SSID. aircrack-ng will detect "hidden" networks.

how can we find hidden network through aircrack-ng??

I did it! I did it to my own network, sure, but it worked and I'm feeling accomplished.

One question, though. When I tried it on another network it would tell me that mon0 was on channel X while the AP was on channel Y. What does that mean, and is there a way I can get around it?

Congratulation WalkingDude!

I'm very happy for you!

As for your question, mon0 rotatesthrough the various channels. You can lock in your mon0 on one channel is you know the channel you are attacking in advance.


I have dled both the 32 and 64 iso for backtrack 5. Used unetbootin to put the 64 iso on usb and booting from that. I'd rather use the 32 version on my laptop but I think it may be too old because I can't get it to boot anything from the usb(I have tried 32 and 64 version and neither work). It just goes straight to windows xp. On my desktop I don't have a wireless card I have a usb plug in wireless receiver. Netgear wireless N dual band. WNDA3100.

I am guessing this is a problem since when I boot using the usb and get backtrack up. I type in startx and get the gui. I try entering in iwconfig and it finds nothing. Is there any way around this? Or am I hosed?

Bee Kay:

When you are in BT, try removing the usb wireless adapter and then inserting it. If BT has a driver for your card, it will automount the device and driver, similar to Windows PnP. If that doesn't work, there may not be a driver for the wireless adapter in BT. You can then either find a driver and install it or buy a new wireless adapter that has a driver in BT. Buying another wireless card might be your best bet as few wireless card are compatible with aircrack-ng. Before you buy, check if it is on the compatible list.

I recommend the Alfa cards. They are cheap and fully compatible with BT and aircarck-ng.


I tried what you suggested and it didn't seem to work. I am taking your advice and looking into alfa cards and found this site.

It has a list of the best cards for BT5 and I was wondering if I should go with the first or second card on the list. Both Alfa cards. The Alfa AWUS036H is the top rated but then they go on to say it is commonly counterfeited. Where is a legit site where I can grab one? Tried contacting Alfa and haven't had any replies. Also this card doesn't broadcast in N. Would that be a problem if I tried using it for finding a network broadcast in N?

Bee Kay:

I agree with them, the best card for hacking is AWUS036H. I have both. You can buy them Amazon and any of the major electronics retailers.


master :

i get a network on my window 8 device...named HIDDEN NETWORK that is WEP secured...but wht i tried to monitor over bt device ..i didn't get that can i get its bssid ???? it asks its ssid before key for accesing??


When you put your card in monitor mode, it will appear.


no master im not getting tht network in monitor mode?

Yes, you are. Its name is different.

hello master OTW...there are some networks i just can't grab the handshake...i even deauth them like 300 times instead of 100...but still the handshake will not come...i try it on my wifi and i have the handshake...any reason? could it be that am too far from the ap?

The handshake only appears in WPA-PSK authorization and yes, they may be too far.

yes is not a wep encryption...this is a wpa and wpa2..i hope they are the same thing...


I have an issue. It seems that I am unable to get any traffic. Could you please advise? I am using Alfa AWUS036NH.

After this I am doing airodump-ng mon0. It switches to the other screen, but does not detect anything.

Your help is appreciated.

Thank you!


Welcome to Null Byte!

Unfortunately, that Alfa card you are using has had some driver problems. You may try downloading updated drivers or use the Alfa AWUS036H.


Hi again,

finally I got the AWUS036H and it worked! Awesome guide.

Now just gonna need to straight up brute force it, because I am certain, that the password is not an English word, so dictionary attack won't work.

Anyways, massive thanks to you for pointing the adapter issue out.

Cud u pls further xplain the 1st step :'3 .. i cudnt enable monitor mode on mon0 ... u knw m tottaly new to this hacking world...! n to this site evn... i just need to hack my neighbours wifi.. cox its range if full in my room... i hav got wireless network in my home... but in my room. the connection speed is v v slow .. somtimes get disconnected evn.. n in moblie the connection isnt evn available ... but our neighbours wifi seems so strong... n i guess they use unlimited packages .. they dont realy hav to run into an issue if i use theirs a little bit i guess.. n so searched the internet.. n saw this tutorial ... n i thought it cud help me to make my dream into a reality.. ;'3 but wen i tried..... i got stucked at the 1st step evn... but tht doesnt mean i wil quit trying.. n so ,,, i need ur help admin... pls help me out :'( ... pls reply as soon as possible ... hope u wil b glad to help me :) .... thnk yuh!


Welcome to Null Byte!

First, are you using BackTrack?


@OTW : yes backtrack 5r3.! on VMware player! ... but m not sure tht its installed properly.... becox after installation..wen i opened it .. there's a "install backtrack' button located in the left side corner of the screen.. .. but stil m able play with the places, system n root... etc.. n one more thing.... can i do wpa2-psk wifi hacking without an external wireless adapter? ... i mean using the built in adapter? ... i think it detects my internal built in wireless adapter ... but i cudnt get it enabled... this is so overwhelming :'( ... help me out pls ...!

GNOME or KDE... which one is better?... n is it better to download 32bit version of backtrack, evnthough i hav a x64 based processor? cox i wil b running backtrack in the VMware player! .. need ur suggestion OTW!


I prefer KDE.

Don't worry about the "Install Back Track" icon. You can just right click on it and delete. as for using a VM to crack wireless, yes you will need an external adapter.


also, you are better to download x64.

its really unfortunate tht i cant proceed it any further i guess... as i dont hav an external wireless adapter.. :'( .. anyways.. thnk yuh so much for ur help @OTW :) ... !


do u hav got any tutorial on hacking facebook accounts using backtrack? if its there... pls let me knw :)...............

..............................................................................Thnks :)~

master otw:

i hv got a key of wifi in hexa numbers.....but whn i try tht key with BT it displays "BAD PASSWORD "messge ....while i'm connecting through tht key over window 7 machine????

i copy the key into a text file and thn paste into the key field with and with out semicolon...but still showing same messg :(

Copy and paste directly. No text file.

directly means from aircrack-ng????

i directly paste the password to key field....still showing the same messge "bad password"...... and for each hexa key showing the same... :(

Did you paste it into the wifi connect in BT?

otw I can not connect to Mon0, the strange thing is just that I could do it because I did not open it in virtual box? you know what I can do to connect to mon0 in virtual box?

the other way i could run mon0, was when i started the computer up and logged into bios, and started my usb.

hope you understand, and your will answer me :)

Is your wireless adapter BT and aircrack compatible?

Do you have an external wifi adapter?

Master otw:

Sorry i do not understand you, i speak not so good english, can you explain what this things is... Google translate cant translate it????

And please dont tell me this not is the right carrer, if i didnt knew what that things is.
Wirreles adapter BT <--what stand BT for?
Aircrack <-- can you explain that
Just that two things please :)

When i can tell you my wirreles adapter running fine, and thats the only wifi nothing else just that :)
Hope you can see the problem

If you are using Backtrack in VM, you must use an external wireless adapter. That adapter must be compatible with Backtrack and aircrack-ng.

Master OTW
i use virtual box, and i though that is the problem.
When how can i made the wireless adapter compitable with backtrack/aircrack??

If you are using virtual box, you will need an external wireless adapter. When you buy that adapter, make certain it is compatible with BackTrack and aircrack-ng.


master plz give me solution ........why i am not connecting with any wifi network over BT.... while it is working excellent over window 7 macnihe??

If you are running BT in a VM, you need an external wifi adapter that is BT and aircrack compatible.

Do you have that?

no master u didnt understand my question........ i hv cracked the key of a network ...i use to connect over window 7 machine...but the hexa decimal key is not working ovet bt....i hvn installed bt in my machine..........i tried copy and paste the key but not working.....


This is where your problem solving skills need to kick in.


Master otw
Just so im sure, if i wanna connect wifi to backtrack in virtual box.
I gonna buy a new external adapter that is backtrack compatible???

Ohh that will not happened... :(
So i though i gonna use the old mode to start BT up with usb in the bios menu. When thanks for the quick response OTW
Keep up the good work!

If you don't want to use an external adapter, you are better off using a dual boot system.

Many, if not most, of the wifi hacks require a special wifi adapter.

i tried to setup the dual boot system ( saw a video on youtube)
When all the videos was very confusing, can you make a tutorial about it...
You explain the things much, much better :)


I'll put it on my long list of upcoming tutorials.

Dear OTW
I am feeling the same problem like others in case of aircrack-ng. It is showing:-
"Choosing first network as target.

Opening WPAcrack-01.cap
Please specify a dictionary (option -w).

Quitting aircrack-ng...""

In this case if the path is not right, how to find out the path of Dictionary in BTr5 3. Waiting for your reply.

As you can see in the tutorial above, simply designate the dictionary file with a -w and then the path to the dictionary.

If you want to use a different dictionary, you simply need to use the absolute path to that dictionary file.

But my bro, my dictionary means the wordlist is there in the BT5r3. So why it is showing this message ? Would you pl clear it me. And the second thing is that when I am testing it with VM it can't detect wlan0. I tested it in ifconfig or iwconfig and then airmon-ng start wlan0. But it is not coming.

I checked for for dictionary in torrent. The big dictionary is 13 GB.


If you are running BT in a VM, you will need an external wireless card. That's why no wlan0 appears.

The bigger the dictionary, the better chance of cracking it.


Master otw

Just so im sure... A dual boot system is when you can switch between two different operations systems? Like i got a windows and i switch to backtrack???

Master otw
I got a problem with the last step, see what i had done to now=

  1. I type airmon-ng start wlan0
  2. i type airodump-ng mon0
  3. airodump-ng --bssid 74:44:01:F8:44:40 -c 3 --write wpacrack mon0
  4. Aireplay-ng --deauth 100 -a 74:44:01:F8:44:40 mon0
  5. aircrack-ng wpacrack-01.cap -w /pentest/passwords/wordlists/darkc0de.lst

=Opening read 611 packets. Choosing first network as target opnening wpacrack-01.cap no valid wpa handshakes found..

Quitting aircrack-ng...

How can i fix that problem???? Please help me in the last step, im so close to crack the wif,i suddenly! please please please help me !

Just forget it i was a little bit stupid
I did not got the handshake aaarhg!!!
When i got it now, and i cracking the wifi right now!
Thanks for the wonderful tutorial master OTW
You is the MASTER!

Master otw

I had tried to crack my own wifi first because it easy and i know of cause my own password so i set the password into the wordlist when then i tried to crack it and the terminal had tried all the keys it says. passphrase not in dictionary quitting aircrack-ng...

please help this is the last things!!!!!!
I will really preciate it!!

How did you add it? What app and what operating system?


Be patient! This is a slow process using one machine using one CPU.

If you really need to speed it up, you could use multiple CPUs, multiple GPUs or specialized cracking ASICs that are thousands of times faster.


I opened the terminal and typed
aircrack-ng wpacrack-01.cap -w /pentest/passwords/wordlists/darkc0de.lst= its beginning to set the keys in.
When it was finnish it says : passphrase not in dictionary quitting aircrack-ng...

I though it says that becouse it couldnt find the passwd in the wordlist, when the strange things is, i tried to hack my own network in the start just to about its work, so i knew the passwd....

I placed the passwd in the wordlist and tried again, and it say the same thing again:passphrase not in dictionary quitting aircrack-ng...

Can you hel me please :)

App: i just use backtrack 5 r3 in a terminal
Operation system: backtrack 5 r3 i opened in the bios with my usb(windows 7)

And master i will try to a little bit more patient, its just becouse i had worked with backtrack over a week and i had not hacked anything to now. When i will help if this wifi hack work.

Hope your understand and can find the problem


You have not been working with BT for over a week. You have been trying to install BT for over a week. That job usually takes an hour.

If you want me to help you, you need to improve your basic computer skills and be MUCH more patient.

My suggestion to you is to take the time to learn fundamental computer concepts and skills and then try hacking. Its obvious, you are not adequately prepared for hacking.


Master otw:

I know a lot of the basic backtrack now, and i had read many of your tutorials, please answer on my quistion i promise i will be more patient in the future.

I would really like to be a hacker and i knew i can... Just believe me please. I will do exactly what you say.

Ps. If you not though i can enough basic skills, then give me a link to on of your tutorials and i will read it and train. Until you though im ready.

I will really preciate it, if you would teach me to be a better hacker :)


There are thousands of readers here. There are not enough hours in day to answer for each of them as many questions as you have addition, you are very disrespectful.

Go study the fundamentals of networking and computers. You don't have the knowledge,patience or problem solving skills to be a hacker.



I got the same problem i cant find the key, I had tried with my own int. first because its a good start. i placed the int. key into the wordlist when it could still not find the key.

all the things before have i done exactly like you had done.
can you help me?

First, are you using an aircrack-ng compatible wireless adapter?


What adapter are you using?

How did you add you key to the word list?

I use a normal wirreles adapter wpa-2 password

I copy the wordlist out on the desktop and drag it into the terminal so it says /somethingicantremember/somethingagain/wordlist/darkc0de.lst

It is a easy way i saw on youtube... Maybe thats the problem..

You still have not told me what wireless adapter you have?

How should i explain what wirreles adapter i have? My brand?
I got a home network (a box) from yousee. Netgear CG 3000
Did you mean that , im Pretty confused?

Who is sebastian?

I'm sure you know Sebastian.

Master OTW,

As per your guideline I have used one Tech-Com 802.11/b/g/n 150 Mbps wireless USB Adapter. But inspite of that my Kali or BTr3 is not showing the wifi usb adapter. Is there any problem with me master ? But when I am using live Kali or BTr3 it is detecting. But dear master it is not detecting password and showing the same prob.

One thing I want to know from you that is there any possibility to find the person who cracked the wifi. If it is where from that evidence can be achieved ?

Waiting for your reply my master.


Is that adapter on the aircrack-ng compatible list?

When using a VM, you must tell the VM to connect the wireless adapter to the VM.


Dear OTW (Master),

My Wifi adapter is not detected by VM. So I can't connect it. Here is a great problem. It should come in lower right side of VM. But not showing. But the said device is detected in device manager.

But when I am running VM it is showing the message as seen in the picture. May this be the reason ? If it is how can it be solved ?

Waiting for your reply my Master.


Go to the "VM" menu at the top of VMWorkstation and go down to "Removable Devices". There you can connect your external adapter.

Make certain that your wireless adapter is comptatible with aircrack-ng or all the effort will be wasted.


How to know that it is aircrack-ng compatible. I wanted to know one morethings from u my master, that is whether this process keeps any digital footprint anywhere or not ? If keeps its where ? And how to find it out ?

Go to and look at their compatibility list.

Everything leaves a digital footprint.


So I have bought the adapter you suggested and gave it a try. Got a handshake but that was all. I then tried just using reaver and that worked. I have tried again and now it does not work. I get an infinite loop with the first pin it tries now.

I was also getting the same error message as some one above.

I would switch wlan0 and mon0 and it would kind of work but then I got that infinite loop when trying reaver.

Image via

What indications do you have that you are running an infinite loop? This screen looks normal.

Sorry that isn't a screen of the loop. That is just an error message I would also receive when trying to use airmon-ng. Sorry I communicated that poorly.

The loop happens when I run reaver. It just constantly tries one and only one pin and does not move onto another. I believe it looks like this

  • Trying Pin 12345670
  • Sending EAPOL START Request
  • Receiving identity request
  • Sending identity response
  • Receiving identity request
  • Sending identity response

! WARNING: Receive timeout ocurred

  • Sending WSC NACK

! WPS Transaction failed (code: 0x02), re-trying last pin

. . .

! WARNING: 10 failed connection in a row

And re-start again with same Pin, 12345670.

Bee Kay:

That doesn't sound like an infinite loop, but rather something wrong with your wordlist.


How would I get around that? Last time I simply entered the necessary commands to run reaver and it went without a hitch the first time. I tried the method in your article here but I think I had trouble with it finding dark0de when I tried it so went with reaver instead.

Hello Master,
I'm a newbie. Just stated using Kali Linux, which I read is "Backtrack 6"

It has an app called "fern" which apparently automates the steps you describe on this post. In my first attempt I used a dictionary called phpbb.txt but couldn't find any keys, so now I'm trying another dictionary called rockyou.txt which is about 130 Mb. (I'm waiting for it to churn through as we speak)

My question is, have you tried a technique called "crunch" and how does it work?


Welcome to Null Byte!

I have used crunch and I'll try to include a tutorial on it in the near future.


Cannot get Aireplay-Ng Deauth to work still, i am running Kali using live USB on windows 8.1 with a Alfa AWUS036H out of the box ,

'no drive update'
as installing software CD is not compatible in Kali.
I ran these tests on the Alfa AWUS036H, so it looks ok?

root@kali:~# airmon-ng start wlan0


Realtek RTL8187L rtl8187 - phy0
Intel 6235 iwlwifi - phy1

(monitor mode enabled on mon0)

root@kali:~# airmon-ng start wlan1

Chipset Driver

mon0 Intel 6235 iwlwifi - phy1
Realtek RTL8187L rtl8187 - phy0

(monitor mode enabled on mon1)
Intel 6235 iwlwifi - phy1

root@kali:~# aireplay-ng -9 -i mon0


Trying broadcast probe requests...
Injection is working!

22:43:40 Found 11 APs


Trying card-to-card injection...
22:44:12 Attack -0:

22:44:12 Attack -1 (open):

22:44:12 Attack -1 (psk):

22:44:12 Attack -2/-3/-4/-6:

22:44:12 Attack -5/-7:

hi can tell me whats happening here thanks

root@kali:~# aireplay-ng --deauth 100 -a 58:#:35:#:50:C8 mon0
19:00:50 Waiting for beacon frame (BSSID: #:98:#:23:#:C8) on channel -1
Couldn't determine current channel for mon0,
you should either force the operation with --ignore-negative-one or apply a kernel patch
Please specify an ESSID (-e).

I tried changing channel to just 1 from -1 but this made on auto by aireplay-ng i think


Let's try to break down your problem in pieces.

First, what was that part about "no drive update"?

Also, it appears from your output that you have two wireless devices. Are you sure you are connecting to the right one?



i am using the Alfa AWUS036H straight from the box, but with the injection test that i used, it looks like that is working .

no not sure at all :-)
with both devices i cant get the aireplay-ng --deauth 100 to work
should i look to disable the default adapter?


I'm pretty sure you are using the wrong wireless device.


It looks like the ASUS card is wlan1.

thanks after work ill take look at disabling that card and running sum tests .

i did found that if someone dropped a connection ,i was able to capture the handshake without aireplay-ng --deauth , but was not able to take it further till i tracked down a good word list

as i am using kali

thank you for your time


Exactly. deauth is meant to FORCE them to re-connect. If you are patient, you can simply wait for them to re-connect.


Is aireplay-ng able to kick people off their network even if you are not connected to it? I have had no success with deauth (even though it says it is sending the broadcast) on any network other than my own (the one I am connected to). Any help would be appreciated! And I know I could just wait it out, but that is not as convenient.


First, you should be able to kick people off their AP as long as you have the BSSID set correctly. Also, make certain that you are NOT connected to your AP when you are trying to deauth.


Hi OTW, My aireplay-ng is stuck on channel 1, i have tried patching, starting wlan0 in channel6 (airmon is good to go) and currently use. --Ignore-negative-one with mon0, I dont get any error messages regarding the channel anyway, how can i send deauth to channel 6 :ps i was able to obtain handshake from an ap in channel1

opening wpacrack-01.cap
Please specify a dictionary (option-w).

quitting aircrack-ng ...
what should i do now???

Avinash, drag in a wordlist file after -w, syntax ;aircrack-ng -w <drag wordlisthere> wpacrack-01.cap.

Can u make it more clear.I am getting the same error.Can u type in the enter code with more clarity??


No wordlist works 100% of the time. It depends upon the language and complexity of the password.

If you simply google password lists, you will find thousands.

Hi all , had everything working great then some thing happened and Kali cut off all wireless, its saying wireless hardware switch is turn off,.

wireless is working under windows 8 on same laptop, and i can found how turn back on again.

the last program that was was running was reaver, after testing aircrack-ng , any way heres a screen shot

as you see Realtek ATL8187l is been shut down by RF-kill

any help would be great
thank you

i also have this screen shot

Here my problem solving , 'google Kali Rf-kill' 'panic jump up and down' post in forums , go home try all that has to offer .

low down if any one has run into this before -running sony viro -windows 8 and kali dual boot . key pad short cuts to turn wireless etc back the sony doesn't have hard switch


Is your wireless card on the aircrack-ng compatible list?

yes AWUS036H , and had everything well , then it went out :-(

Try disabling the internal wireless card.

What is the difference between wpa,wpa/wpa2,wpa2 securites??.They all can be hacked only by dictionary attacks??. There is no other way to crack them if WPS Is not available?

Cant we exploit into someone's system some how & cant we know the passwd?? using backtrack.

yes we can, but it is dependent upon the OS, the services, etc. Check out my metasploit tutorials.

well obtaining the password by brute-forcing is almost impossibru,
trillion trillion trillion combinations!!!


This is not brute forcing. It is essentially a dictionary attack. If is impossible, then I have done the impossible many, many times.


I am trying to hack a wps enabled router reaver completed 42 % and saved the session but again nxt day i tried it associated with esssid. And stucked

why i can't see any interfaces, chipsets or drivers??



You need to designate an interface such as wlan0.

Also, if you are using a vm you need to use an external wireless card.


How do i do that occupythewebotw ? xD im noob at this topic :O

Sir OTW:
When i do aireplay-ng --deauth 100 command i get an error
root@Vats:~# aireplay-ng --deauth 100 -a D0:51:62:6F:BC:7D mon0

23:06:40 Waiting for beacon frame (BSSID: D0:51:62:6F:BC:7D) on channel -1

23:06:40 Couldn't determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch

Please specify an ESSID (-e).

I did --ignore-negative-one & i'm able to capture handshake,but now i wasn't able to find darkc0de wordlist so i used john password.lst and got this error:

root@Vats:~# aircrack-ng /WPAcrack-01.cap -w /usr/share/john/password.lst
Opening /WPAcrack-01.cap
Read 70156 packets.

# BSSID ESSID Encryption

1 D0:51:62:6F:BC:7D ADYU29ueQ No data - WEP or WPA

Choosing first network as target.

Opening /WPAcrack-01.cap
Got no data packets from target network!

Quitting aircrack-ng...

What does that mean , when i use darkc0de it says:
root@Vats:~# aircrack-ng /WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de
fopen(dictionary) failed: No such file or directory
fopen(dictionary) failed: No such file or directory

Please help
Thank you


If you are using Kali, there is no darkc0de wordlist. Download one and use it.

like this?


If you are running BT in a VM, you will need an external wireless adapter.


To help you, I will need more information.

I'm new to all this. In fact I'm pretty new to Linux. Everything has worked for me so far but when I get to the deauth command the message I get is as follows:

"Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel -1" followed by...

"Couldn't determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch"

followed by...

"Please specify an ESSID (-e)"

It seems to me that the BSSID is being associated with channel 1 although I specified channel 8 in the previous airodump step. In fact, the airodump terminal even displays "fixed channel mon0 -1". Should the deauth command have also included the channel? What am I missing?

Image via

Using "help", I was able to employ a command that was accepted, which forced the operation as suggested by the program and also includes the ESSID but is still "fixed" in channel 1 apparently.

Image via

I hope I've been able to clearly state my problem. I'm sure it won't be the last for me but I'm determined to get my head around this stuff. Thanks in advance for any help.

By the way the more I learn the more I begin to realize things I had no clue about before. Like I said, I'm a noob to Linux but very excited to expand my knowledge base. That being said, I'm seeing from most of the screenshots here that most are using Kali for for this. I'm on Ubuntu 14.04 as it is my understanding that that is the ideal platform for Linux beginners like myself. Is Ubuntu the problem? I installed an aircrack-ng version specific to Ubuntu. Eventually I would like to graduate to Kali when I'm ready. I think the hacking community probably could use more females :)


I agree we need more female hackers! I'm glad you found us at Null Byte.

I concur with Cyberhitchhiker's comments below.



  1. Is that a VMware image you are using?
  • Never mind I see your second post now.
  1. Does your WiFi adapter packet inject?


(No channel specified in command)
airmon-ng start wlan0 8

... ? :-)
aireplay-ng -0 10 -a xx:xx:xx:xx:xx:xx -c xx:xx:xx:xx:xx:xx wlan0
-a AP first set of #s
-c (client=Target) second set of #s
-0 Deauth Attack
10 Amount of deauths to send.

Side Note: I would disagree on Ubuntu as a Pen-test learning platform. Don't get me wrong, its a great OS. If you are on the Pen-test path you need a Pen-test OS Like Backtrack.

I started on UNIX back in 90's went on to learn Linux and pen-testing with Backtrack 1 in the 2ks. You can pimp BT to act like a Ubuntu by adding the packages you want BTW. (just a thought.)

If I were you, I would grab a Live CD of Kali since BT has evolved into Kali. Use it to play around with, make a persistent USB of it (32-64 GB). Treat it like a installed version since it will remember everything you do on next boot up.

Good Luck ;-)

-This should solve most issues as far as making connection.-

Why does deauthentication not work?

There can be several reasons and one or more can affect you:

You are physically too far away from the client(s). You need enough transmit power for the packets to reach and be heard by the clients. If you do a full packet capture, each packet sent to the client should result in an "ack" packet back. This means the client heard the packet. If there is no "ack" then likely it did not receive the packet.

Wireless cards work in particular modes such b, g, n and so on. If your card is in a different mode then the client card there is good chance that the client will not be able to correctly receive your transmission. See the previous item for confirming the client received the packet.

Some clients ignore broadcast deauthentications. If this is the case, you will need to send a deauthentication directed at the particular client.

Clients may reconnect too fast for you to see that they had been disconnected. If you do a full packet capture, you will be able to look for the reassociation packets in the capture to confirm deauthentication worked.

Thank you masters OTW and Cyberhitchhiker. That gives me some direction. Looks like I'll delving into Backtrack sooner rather than later. That's fine. I've never been known for my patience although I'm sure it will be tested as I move forward. Kali looks like a sexy little distro and I'll go ahead and order the disks. Can you direct me where to do that? I only see a download link on In the meantime I'll download the iso as I would like to get started. I'm familiar with creating a bootable flashdrive with the iso, having done so with Ubuntu. Will I be able to run the OS from that alone (obviously without doing an install) or is there more to it than that? I'm sure I will eventually do an install, unless there is more security in running it from the flashdrive, I don't know. Your thoughts? And as always... respect.


You can simply download the ISO and run it as LiveCD. As a beginner, I recommend that you either install it as a dual boot or in VM.


I'm still trying to find where I can order the Kali disks.

Also I'm trying to determine the usability of the aircard on my Dell Inspiron 17R N7110 17.3 Laptop (Intel Core i7-2630QM Quad-Core Processor). The hardware specs of which indicate:

Dell Wireless 1702 802.11b/g/n
Device Type: Network adapters
Manufacturer: Atheros Communications Inc.
Location: PCI bus 1, device 0, function 0

I'm trying to find a comprehensive list to see if this will work or if I'll need to purchase an external wireless adapter. Your continued patience is appreciated.

Master OTW and other knowledgeable members: I know tis is not on this topic, but I cannot think of a better place to ask for advice. I am moving now from a country where i get Naked DSL to a place where I get a broadband which is much slower. Is there anyway I can increase throughput internet access/streaming etc by replacing the company given modem with a better one?

Please advise.

opening WPAcrack-01.cap
read 32740 packets.

No networks found, exiting.

Quitting aircrack-ng

can someone help please


Are you sure it said "no networks found"? Can you provide a screenshot?


I've tried a few times and always get stuck at this part


First, I assuming that every other step worked before now.

Second, notice that it tells you "no such file or directory". That a major clue. Either there is no WPAcrack-01.pcap or no darkc0de file. Go back and check.


That is what I assumed at first... but both files are in their directories

Got it working ..thx for the support occupyt
problem was I had to use WPAcrack-03 instead of 01


darkc0de ... had to make sure .lst was entered in after it

now its cracking


I tried also this tutorial but when I type ; aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de

Hey bro I have a question
is it recommanded to use backtrack or ubuntu to crack wpa ?
( sorry for my bad English )


Welcome to Null Byte!

I recommend you use Backtrack or Kali for wifi hacking.


No worries. You can use either. This tutorial was created on a BackTrack5 system tho.


Great tutorial - very easy to follow through!

I've skimmed through the above comments so apologies in advance if this has already been asked:

I was wondering about the syntax of implementing a password dictionary as above - is there a method through which aircrack can combine multiple words within a dictionary together and test each of those as a separate password?

Also, is there a specific syntax available for when you know the password is a single word, and then a string of numbers? Say, implementing dictionaryone:dictionarytwo, where one is the words and two is the numbers?


Sounds like pyrit , crunch and attackpassthrough.

everything seemed to work, the key was found to be (ADMINISTARTOR) yet when i try using this passphrase to connect to the network it doesnt work, whats happening?


Are you sure you spelled it correctly. You spelled adminstrator wrong above.



Yes im almost certain that i spelled it correctly, think that was just a typo! haha

I tend to cut/copy and paste anyway

the password was ADMINISTRATOR and i tried copying it exactly how it was and tried connecting to the network but it does not work

I thought so but i spoofed the MAC and it still doesnt connect

Can i steel do this using Lubuntu OS ? Or is it a must to have Kali installed on your pc ?


Welcome to Null Byte!

Yes, you can do this with any linux distribution, but you will have to download all the tools. The advantage of using Kali is that all the toolsare already installed and it makes following my tutorials much easier.


Wre i will get this software? Give the link or torrent..


Welcome to Null Byte!

Aircrack-ng is built into Backtrack and Kali. In addition, you can download it


please help is required i have used airodump-ng and try to capture handshake ai follow all steps correctly but the it is not capturing wpa handshake after several attempts even i deauthen the clients and they reauth but still it does not capture handshake

using kali adapter broadcom even check this through atheros but still same problem


Are you using a aircrack-ng compatible wireless adapter?

how to check that my adapter is compatible or not another thing is that i am using kali usb live does this is cause of problem i means drivers missing etc i am newbie .Another thing it tried to crack my own router tp-link using reaver as i know my device pin .The cracked pin is encrypted in hexadecimal format not one that i set how to decrypt even ssid is also encrypted .i have read that reaver does not need dictionary attack .Please help one important thing i use live usb on my friend laptop with atheros card using command

airodump-ng --bssid APMAC -c 11 -w wep01 mon0
then using aireplay to deauth but still it does not capture wpa handshake

Thanks for your cooperation

I have cracked the password, it is not connecting to my cell phone .First it scans then try to use remembered password and then say connecting.Just after authenticating it again start scanning and it start repeating the process again. After two or three try , the wi-fi network disappears. I see you said MAC or IP Filtering to Secret(a Member). How to crack the MAC or Ip filtering. I researched on internet and found that my HTC Wildfire requires network certificate(.p12). Or is there any other term , Please tell me i cant wait to crack down my network fully

Sounds like MAC filtering to me. So you would need to spoof an approved mac or add the phones MAC to the filter table on the router. With the filter on it will go thru the process but AP wont connect to it.

dear admin

I have seen recommendations for those running bt5 or kali on a vm. is there any other external wireless card that can do besides the alfa card recommended like the tp link?

"TP-Link TL-WN321G Ralink RT73 Internal
TP-Link TL-WN321G v4 Ralink RT2070 Internal
TP-Link TL-WN610G Cardbus Atheros Internal
TP-Link TL-WN650G PCI Atheros Soldered-in

This card has a soldered-in external antenna, with the wire between the card and the antenna easily pigtailable to RP-SMA.

TP-Link TL-WN651G PCI Atheros RP-SMA"

What is the best website to find information on using GPU cards to speed the aircrack key check (like info on cards, best price for card,etc) Ive seen some sites but hope that you can guide me. Thanks

Cat Hat:

I'm sure what web site covers this best, but you do have several GPU utilizing tools in Kali under Password Attacks and then GPU tools. I'm starting a new series on password cracking next week, so you may find that useful.


ATI or Nvidia?
Cudacat, OCLHashcat?

(Rev 1.1)

I'm trying Ringo, I'm really trying!!

Swing and a miss.
oot@bt:~# aircrack-ng WPAcrack-01.cap -w /pentest/passwords/wordlists/darkc0de
fopen(dictionary) failed: No such file or directory
fopren(dictionary) failed: No such file or directory
Opening WPAcrack-01.cap
Read 37554 packets.

# BSSID ESSID Encryption

1 xx:xx:xx:xx:xx:xx NETGEAR30 WPA (1 handshake)

Choosing first network as target.

Opening WPAcrack-01.cap
Please specify a dictionary (option -w).
Quitting aircrack-ng...

Is my problem maybe /pentest/passwords/wordlists/darkc0de.lst
I'm on the ledge

Greetings. If you search the WHT forums. This exact question and reply is posted.

Short version: Your darkc0de.lst wont work unless you rename it to darckc0de.txt


Ran into a problem whilst trying out to hack WPA password for a wifi, when I issue the aireplay-ng --deauth 100 -a 92:4E:2B:2D:FA:DB mon0, I get the following error:

waiting for beacon frame (BSSID: 92:4E:2B:2D:FA:DB) on channel -1

couldn't determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch.

Please specify an ESSIDE (-e).

When I use force using the ignore negative one option, it just goes on and on, without deauthenticating and then finally stops.

What am I doing wrong please?

Channel -1 ? Try channel 1
100 Deauths? try 10.

6 comments up:
... ? :-)
aireplay-ng -0 10 -a xx:xx:xx:xx:xx:xx -c xx:xx:xx:xx:xx:xx wlan0
-a AP first set of #s
-c (client=Target) second set of #s
-0 Deauth Attack
10 Amount of deauths to send.

Hey! I have done everything so far till I got to step where I need to use wordlist. I do not have one, so how to download one and where to extract it?

I can only download through windows, because I start backtrack from USB and when it boots and start it only opens a terminal, I do not have any other options

#~ startx Don't Work? Well the cmd above needs no GUI. Its a location of wordlists.
Make a wordlist

#~ crunch 4 25 -f charset.lst lalpha-numeric -o /Desktop/wordlist.txt -z gzip (Maybe you will need to apt-get Crunch( )Lot of options for crunch. This will create a huge list btw so trim the cmd to suit.)

Pass it to pyrit and crunch..


Excellent tutorial :) I have one little practical question though.

Say I had foundd the encrypted password from the handshake on my laptop. Would it be possible to transfer the password so I could crack it on my desktop computer, seeing as that processor is a lot better than my laptop's?

yes, but you need aircrack-ng on the desktop computer.

Sir, if i'll send deauthentication to an access point continuously will it disconnect even the wired clients? or the wireless clients only. Because sometimes, there is a wifi but no wireless clients to be kick, Any idea?

"reaver" will work on client-less AP if it has WPS turned on.

It will only disconnect the wireless clients.

Hi OTW, firstly thanks for your Help and Support u r providing :)
Initially i went to the last step(step 6) and later it showed it as
open failed : No such file or directory

I switched of the pc and tried the next day , but now i am getting stuck at step 3

The packets are running but i couldnt see the BSSID or anything in the other terminal as shown in the above fig .
I was using Backtrack 5 in dual boot, should i need to run in "Safemode" instead of "normal text mode"

and can u kindly elaborate on detail reg step 6 , on how to add a new word list (i saw the previous comments but couldn't able to understand)


Can u also elaborate on how to use reaver on BT 5, i have seen the post but i was getting error , saying that " no directory found "

Reaver is not in the base install is why.
(I edited this as well)

wget reaver from its repo.


Welcome to Null Byte!

It looks like things are running as they should in your screenshot. I see the BSSID and all the info you need in the left screenshot. In the right screenshot, it looks like you are either using another interface or you are locked on a channel than no one is using. You should have enough info to crack the WPA2 in the left screenshot.

Running in dual boot mode with "normal text mode" is the preferable way to run BT5.

Are you using a aircrack-ng compatible wifi adapter?