Lab Overview
Lab at a Glance
- Target network: pritam's A17 (author's own test network)
- Tools: airmon-ng · airodump-ng · aircrack-ng
- Wordlist: /usr/share/wordlists/rockyou.txt (14 million passwords)

In this lab we perform a WPA2 dictionary attack — one of the most common real-world WiFi attacks and a core skill tested in the OSCP exam. We use the Aircrack-ng suite (pre-installed in Kali Linux) to put a USB WiFi adapter into monitor mode, capture the WPA2 4-way handshake when a device connects, then brute-force the password offline using rockyou.txt.
This technique works because WPA2-PSK authentication is based on a handshake that can be captured passively — the attacker never needs to interact with the router directly, and the cracking is done entirely offline.
Only perform this lab on your own WiFi network or one you have explicit written permission to test. Capturing handshakes or cracking passwords on networks you do not own is a criminal offence in Australia and most countries. The network pritam's A17 is the author's own home network used solely for educational purposes.
Hardware Required — Alfa AWUS036H
The built-in WiFi adapter of most laptops does not support monitor mode or packet injection — the two capabilities required for this lab. You need an external USB WiFi adapter with the right chipset.
Alfa AWUS036H
High-Power 1000mW USB WiFi Adapter — the industry standard for wireless penetration testing.
Once plugged into your Windows host, inside VirtualBox go to Devices → USB → Alfa AWUS036H to pass it through to Kali Linux. Kali will automatically detect it as wlan0.
Enabling Monitor Mode
By default, a WiFi adapter only processes packets addressed to its own MAC address (managed mode). We switch it to monitor mode so it captures all WiFi packets in the air — like switching from a private phone call to listening to all radio broadcasts simultaneously.
Step 1 — Enable Monitor Mode with airmon-ng
airmon-ng start wlan0
The output lists wlan0 with chipset Qualcomm Atheros AR9271. It warns about 2 processes that may interfere — NetworkManager (PID 526) and wpa_supplicant (PID 819). Monitor mode is enabled, creating the new interface wlan0mon.

Step 2 — Kill Interfering Processes
NetworkManager and wpa_supplicant can push the adapter back to managed mode. Kill them using the PIDs shown in the airmon-ng output:
kill 526
kill 819
# Then confirm monitor mode is working
airodump-ng wlan0mon
airodump-ng runs on wlan0mon, confirming the adapter is working in monitor mode and scanning for networks.

Killing NetworkManager will disconnect your VM from the internet temporarily. This is expected — the Alfa adapter is now fully dedicated to packet capture. Your regular network adapter (enp0s3) for internet access is unaffected.
Scanning for WiFi Networks
Step 3 — Discover All Nearby Networks
airodump-ng wlan0mon
The scan lists the target network with BSSID 0E:73:1C:51:29:8F on Channel 6, WPA2 CCMP PSK.

From the scan we record these key details about our target:
| Field | Value | Why It Matters |
|---|---|---|
| BSSID | 0E:73:1C:51:29:8F | Router's MAC address — needed to target this specific network |
| Channel | 6 | Must lock adapter to this channel to capture packets reliably |
| ENC | WPA2 | Confirms this is a WPA2 network — our attack applies |
| AUTH | PSK | Pre-Shared Key — a single WiFi password is used |
| ESSID | pritam's A17 | The network name — our target |
Capturing the WPA2 Handshake
The WPA2 4-way handshake is the authentication exchange that happens when any device connects to a WPA2 network. It contains enough cryptographic information to crack the password offline — without staying connected to the network.
Step 4 — Target the Network and Start Capture
airodump-ng --bssid 0E:73:1C:51:29:8F --channel 6 -w kihe11 wlan0mon
| Flag | Value | Purpose |
|---|---|---|
| --bssid | 0E:73:1C:51:29:8F | Only capture packets from this specific router |
| --channel | 6 | Lock adapter to channel 6 — stops channel hopping |
| -w | kihe11 | Write captured packets to files starting with "kihe11" |
| (interface) | wlan0mon | Use our monitor mode interface |
airodump-ng is now locked onto pritam's A17. The top-right corner confirms WPA handshake: 0E:73:1C:51:29:8F has been captured. The station section shows two connected clients — one EAPOL (handshake) packet was recorded from A2:2C:2A:D3:74:0A. Press Ctrl+C to stop.

The message "WPA handshake: 0E:73:1C:51:29:8F" in the top-right confirms the handshake has been saved. This happens automatically when any device connects or reconnects to the target network.
Step 5 — Verify Captured Files
ls

The ls output confirms kihe11-01.cap was created — this is the packet capture file containing our WPA2 handshake. Multiple capture files from previous lab sessions on other networks are also visible.

Cracking the Password
We perform an offline dictionary attack. Aircrack-ng tries each password from rockyou.txt, computes what the handshake would look like with that password, and compares it to our captured handshake until it finds a match.
Step 6 — Launch the Dictionary Attack
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 0E:73:1C:51:29:8F kihe11-01.cap
Aircrack-ng loads kihe11-01.cap (763 packets) and begins testing passwords from rockyou.txt against the captured WPA2 handshake. The -b flag filters to only process the specific BSSID we are targeting.

Step 7 — KEY FOUND!
Aircrack-ng found "password" — near-instantly because it appears very early in the rockyou.txt wordlist. This demonstrates why using common or simple passwords for WiFi is extremely dangerous.
The screen showed "2 days, 11 hours" as worst-case estimated time — that is if the password is near the end or not in the list at all. Common passwords like "password123" are found within seconds. A truly random 16-character password would not be in rockyou.txt at all.
Defensive Measures
Understanding this attack allows you to harden your own network effectively. Here are the five most important protections:
🔑 Use a Long, Random WiFi Password
The single most effective defence. Use at least 16 random characters — not words from the dictionary. A password like Xk9!mP2#vQr7&nLw would never appear in rockyou.txt and would take centuries to brute-force.
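The following Python script is an added example (not part of the original lab, and not aircrack-ng code) that ties together the cracking-time reasoning from Step 7 and the long-password defence above. It derives the WPA2-PSK Pairwise Master Key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds), which is the per-guess cost a cracker pays, checks a candidate passphrase against a wordlist, estimates entropy from its character classes, and computes the worst-case time to exhaust rockyou.txt or the passphrase's full keyspace. The miniature wordlist and the 100 guesses/second rate are constructed assumptions; measure the rate on your own hardware.

```python
"""Passphrase audit for the WPA2 dictionary-attack model described in this lab.

Added example, not part of the original lab. It shows (1) how WPA2-PSK turns a
passphrase into the PMK a cracker must recompute for every guess, (2) a wordlist
membership check, and (3) worst-case time estimates like the "2 days, 11 hours"
figure aircrack-ng displayed.
"""
import hashlib
import math
import string

# WPA2-PSK (IEEE 802.11i) derives the PMK with PBKDF2-HMAC-SHA1 over the
# passphrase, salted with the SSID, 4096 iterations, 256-bit output.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32

# Constructed miniature stand-in for rockyou.txt (the real file has ~14 million lines).
SAMPLE_WORDLIST = ["123456", "password", "12345678", "qwerty", "password123", "iloveyou"]
ROCKYOU_SIZE = 14_000_000  # entry count quoted in the lab overview


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2 PMK. Each dictionary guess costs 4096 HMAC-SHA1 rounds,
    and the SSID salt means a precomputed table only helps for that one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def in_wordlist(passphrase: str, wordlist) -> bool:
    """True if the passphrase appears verbatim in the wordlist (one entry per line)."""
    return any(line.rstrip("\r\n") == passphrase for line in wordlist)


def entropy_bits(passphrase: str) -> float:
    """Rough strength estimate: length * log2(character pool), assuming random
    selection from each character class present in the passphrase."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)  # 32 ASCII symbols
    return len(passphrase) * math.log2(pool) if pool else 0.0


def seconds_to_exhaust(candidates: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate: the password is last in the
    list or not in it at all."""
    return candidates / guesses_per_second


def audit(passphrase: str, ssid: str, wordlist=SAMPLE_WORDLIST,
          guesses_per_second: float = 100.0) -> dict:
    """Summarise how the lab's attack would fare against this passphrase.
    guesses_per_second is a hypothetical rate (assumption, not measured)."""
    bits = entropy_bits(passphrase)
    return {
        "in_wordlist": in_wordlist(passphrase, wordlist),
        "entropy_bits": round(bits, 1),
        "rockyou_worst_case_s": seconds_to_exhaust(ROCKYOU_SIZE, guesses_per_second),
        # Exhausting the full keyspace of a random passphrase of this strength
        "keyspace_worst_case_s": seconds_to_exhaust(2.0 ** bits, guesses_per_second),
        "pmk_hex": wpa2_pmk(passphrase, ssid).hex(),
    }


if __name__ == "__main__":
    for pw in ["password", "Xk9!mP2#vQr7&nLw"]:
        print(pw, audit(pw, "pritam's A17"))
```

Run it and compare the two results: "password" is in the wordlist and has under 40 bits of estimated entropy, while the 16-character random example is absent from the list and has roughly 105 bits, so its keyspace figure dwarfs the rockyou figure by dozens of orders of magnitude at any realistic guess rate.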
📡 Upgrade to WPA3
WPA3 uses Simultaneous Authentication of Equals (SAE) which prevents offline dictionary attacks entirely. The 4-way handshake attack does not work against WPA3. Check if your router supports WPA3 and enable it in settings.
📶 Disable WPS
WPS PIN brute-force is a separate attack vector that bypasses WPA2 entirely. Most routers have WPS enabled by default. Disable it in your router admin panel immediately.
🔒 Use a Guest Network for IoT
Segment your network. If an attacker cracks your IoT WiFi, they cannot reach your main computers and sensitive devices on the separate primary network.
👁 Monitor for Deauthentication Attacks
Tools like Kismet can detect mass deauthentication frames — a sign someone is forcing handshake captures. Enable management frame protection (802.11w) if your router supports it.
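As an added detection example (not part of the original lab and not Kismet's code), the Python script below implements the kind of check Kismet performs: it decodes the fixed 802.11 MAC header, counts deauthentication and disassociation frames per BSSID inside a sliding time window, and flags a BSSID once the count crosses a threshold. The capture is constructed inline for the demo (a burst of broadcast deauths against the lab BSSID, plus ordinary client churn on a hypothetical second BSSID); in practice you would feed it frames read from a monitor-mode capture.

```python
"""Deauthentication-flood detector over raw 802.11 management frames.

Added example, not part of the original lab or of Kismet. Frames are constructed
inline as test data; nothing is transmitted.
"""
import struct
from collections import defaultdict, deque

# Frame control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
TYPE_MANAGEMENT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "FF:FF:FF:FF:FF:FF"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def parse_frame(frame: bytes) -> dict:
    """Decode the 24-byte 802.11 MAC header (no radiotap prefix assumed)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc = frame[0]
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "addr1": mac_str(frame[4:10]),    # receiver (broadcast in a mass deauth)
        "addr2": mac_str(frame[10:16]),   # transmitter
        "addr3": mac_str(frame[16:22]),   # BSSID for management frames
        "reason": None,
    }
    if is_deauth_like(info) and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]  # reason code, little-endian
    return info


def is_deauth_like(info: dict) -> bool:
    return info["type"] == TYPE_MANAGEMENT and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)


def detect_deauth_flood(frames, window_s: float = 2.0, threshold: int = 10) -> list:
    """frames: iterable of (timestamp_s, raw_frame), in time order.
    Returns [(bssid, peak_count)] for every BSSID that saw >= threshold
    deauth/disassoc frames inside any window_s-second window."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, raw in frames:
        info = parse_frame(raw)
        if not is_deauth_like(info):
            continue
        bssid = info["addr3"]
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[bssid] = max(flagged.get(bssid, 0), len(q))
    return sorted(flagged.items())


def build_frame(subtype: int, addr1: str, addr2: str, addr3: str, reason=None) -> bytes:
    """Build a minimal management frame as test data (constructed, not captured)."""
    fc0 = (subtype << 4) | (TYPE_MANAGEMENT << 2)
    frame = (bytes([fc0, 0x00]) + b"\x00\x00" + mac_bytes(addr1)
             + mac_bytes(addr2) + mac_bytes(addr3) + b"\x00\x00")
    if reason is not None:
        frame += struct.pack("<H", reason)
    return frame


def sample_capture() -> list:
    """Constructed capture: 25 broadcast deauths against the lab BSSID in under a
    second, plus two isolated deauths a minute apart on a hypothetical second
    BSSID (normal client churn that must not be flagged)."""
    lab_bssid = "0E:73:1C:51:29:8F"
    other_bssid = "02:00:00:00:00:01"   # hypothetical
    client = "A2:2C:2A:D3:74:0A"
    frames = [(0.0, build_frame(SUBTYPE_BEACON, BROADCAST, lab_bssid, lab_bssid))]
    frames += [(10.0 + i * 0.04, build_frame(SUBTYPE_DEAUTH, BROADCAST, lab_bssid, lab_bssid, reason=7))
               for i in range(25)]
    frames += [(5.0, build_frame(SUBTYPE_DEAUTH, other_bssid, client, other_bssid, reason=3)),
               (65.0, build_frame(SUBTYPE_DEAUTH, other_bssid, client, other_bssid, reason=3))]
    return sorted(frames, key=lambda f: f[0])


if __name__ == "__main__":
    for bssid, peak in detect_deauth_flood(sample_capture()):
        print(f"ALERT: {peak} deauth/disassoc frames within 2s on BSSID {bssid}")
```

Tune window_s and threshold to your environment: a busy office access point legitimately emits a few deauths per minute, whereas dozens in a second aimed at the broadcast address is the signature worth alerting on. With 802.11w enabled, clients discard unprotected deauth frames, so a flood like this still shows up in the capture but no longer drops anyone.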
Conclusion & Learning Outcomes
In this lab we successfully put an Alfa AWUS036H adapter into monitor mode, scanned nearby WiFi networks, targeted a WPA2 network, captured the 4-way authentication handshake, and cracked the password using a dictionary attack — all using tools built into Kali Linux 2025.
The key lesson: WPA2 with a weak or common password offers almost no protection. The handshake is captured silently and passively, cracking is done entirely offline, and the router never logs a single failed attempt.
Attack Flow Summary
After this lab, you can:
- Explain how WPA2 4-way handshake authentication works
- Put a compatible USB WiFi adapter into monitor mode using airmon-ng
- Scan and identify nearby WiFi networks using airodump-ng
- Capture a WPA2 handshake from a target network
- Run an offline dictionary attack using aircrack-ng and rockyou.txt
- Explain why weak WiFi passwords are catastrophically insecure
- Implement at least 3 specific defences against this attack on your own network
MITRE ATT&CK Mapping
In the next lab we explore Metasploit Framework — scanning for vulnerabilities, selecting exploit modules, gaining a shell on a target machine, and introducing Meterpreter post-exploitation sessions.