Skip to Main Content

How to Hack Your Own Network and Beef Up Its Security with Kali Linux


Kali Linux is a security-focused operating system you can run off a CD or USB drive, anywhere. With its security toolkit you can crack Wi-Fi passwords, create fake networks, and test other vulnerabilities. Here's how to use it to give your own a network a security checkup.

This post is part of our Evil Week series at Lifehacker, where we look at the dark side of getting things done. Knowing evil means knowing how to beat it, so you can use your sinister powers for good. Want more? Check out our evil week tag page.

Kali Linux is packed with a ton of software for testing security holes in your network. There are far too many to list here, but we're so enamored with it that we decided to pick a few of our favorite tools and show how they work: Aircrack, Airbase, and ARPspoof. We'll show you how to crack a Wi-Fi password with brute force techniques, create a fake router to trick machines into logging into it, and perform a man in the middle attack to eavesdrop on network communications. Remember: use these powers for good, not for evil. Knowing how to do these things can get you out of a jam or help you learn to secure your own network, but doing them to someone else is not something we recommend.

Crack a WPA Wi-Fi Password with Aircrack

Kali Linux comes with a whole suite of apps for cracking Wi-Fi networks, including Aircrack and Reaver—both of which we've mentioned before for cracking WEP and WPA passwords, respectively.

However, WEP passwords aren't that popular anymore (because they're so easy to crack), and Reaver only works if a network has WPS enabled. So today, we're going take another look at Aircrack and use it to to brute force our way into a WPA network (with the help of a password list).

Step One: Configure Your Wireless Card

First things first: disconnect from all wireless networks. Then open up terminal. In order to use Aircrack, you'll need a wireless card that supports injections. Type this into the Terminal to make sure your card supports it:

airmon-ng

This lists all the wireless cards that support this crack. If you card doesn't support injections, it won't show up here. Yours is likely listed under interface as wlan0, but it may depend on your machine.

Next, type in:

airmon-ng start wlan0

Replace wlan0 with your card's interface address. You should get a message back saying that monitor mode was enabled.

Step Two: Monitor Your Network

Next, you're going to get a list of all the networks in your area and monitor yours.

Type in:

airodump-ng mon0

You'll see all the networks in your area. Locate your network from the list, and copy the BSSID, while making a note of the channel it's on. Tap Ctrl+C to stop the process.

Next, type this in, replacing the information in parentheses with the information you gathered above:

airodump-ng -c (channel) --bssid (bssid) -w /root/Desktop/ (monitor interface)

It should read something like this:

airodump-ng -c 6 --bssid 04:1E:64:98:96:AB -w /root/Desktop/ mon0

Now, you'll be monitoring your network. You should see four files pop up on the desktop. Don't worry about those now; you'll need one of them later. The next step is a bit of a waiting game, as you'll be sitting around waiting for a device to connect to a network. In this case, just open up a device you own and connect to your Wi-Fi. You should see it pop up as a new station. Make a note of the station number, because you'll need that in the next step.

Step Three: Capture a Handshake

Now, you're going to force a reconnect so you can capture the handshake between the computer and the router. Leave Airodump running and open up a new tab in Terminal. Then type in:

aireplay-ng -0 2 -a (router bssid) -c (client station number) mon0

It should look something like:

aireplay-ng -0 2 -a 04:1E:64:98:96:AB -c 54:4E:85:46:78:EA mon0

You'll now see Aireplay send packets to your computer to force a reconnect. Hop back over to the Airodump tab and you'll see a new number listed after WPA Handshake. If that's there, you've successfully grabbed the handshake and you can start cracking the password.

Step Four: Crack the Password

You now have the router's password in encrypted form, but you still need to actually figure out what it is. To do this, you'll use a password list to try and brute force your way into the network. You can find these lists online, but Kali Linux includes a few small lists to get you started in the /usr/share/wordlists directory, so we'll just use one of those. To start cracking the password type this in:

aircrack-ng -a2 -b (router bssid) -w (path to wordlist) /Root/Desktop/*.cap

So, continuing with our above example and using one of the built-in wordlists, it should read something like:

aircrack-ng -a2 -b 04:1E:64:98:96:AB -w /usr/share/wordlists/fern-wifi/common.txt /Root/Desktop/*.cap

Now, Aircrack will try all of those passwords to see if one fits. If it does, you'll get a message saying the key was found with the password. If not, give another one of the password lists a try until you find one that works. The bigger the password list, the longer this process will take, but the greater chance you have of succeeding.

How to Use This Information to Stay Safe

So, you just brute forced your way into your own network. Depending on how good your password is, it either took you five minutes or five hours. If your password is something simple, like "password123", then chances are one of the smaller wordlists was able to crack it pretty quickly. If it was more complicated, it probably took a long time or never surfaced the password at all (if so: good for you!).

The best protection here is a good, strong password on your router. The longer, weirder, and more complex it is, the better. Likewise, make sure you're using the WPA2 security protocol and you don't have WPS enabled.

Create a Fake Network with Airbase

Next up, let's take a look at how you can spoof a network address to trick people into signing into the wrong network so you can watch what they're doing. Hackers might do this so you sign into the fake network thinking it's your real one, then performing a man in the middle attack (more on that in the next section) to gather information about you from your traffic. This is amazingly easy to do with a tool in Kali Linux called Airbase.

Essentially, you'll turn your Wi-Fi adapter on Kali Linux into an access point with the same name as another network. In order to do this, you'll follow the same line of research as you did above, but the ending's a bit different.

Step One: Configure Your Wireless Card

Just like last time, you need to set up your wireless card to monitor traffic. Open up Terminal and type:

airmon-ng

This lists all the wireless cards that support this crack. Yours is likely listed under interface as wlan0.

Next, type in:

airmon-ng start wlan0

Now you're in monitor mode. It's time to find the network you want to spoof.

Step Two: Find a Wi-Fi Network to Spoof

In order to spoof a router, you'll need some information about it. So, type in:

airodump-ng mon0

You'll see all the networks in your area. Locate your network from the list and copy the BSSID, while making a note of its name and the channel it's on. This is the router you're going to spoof. Tap Ctrl+C to stop the process.

Step Three: Create a Fake Network

Now, you're going to create the fake network with Airbase. Type this in, replacing the information you gathered in the last step for the parenthesis:

airbase-ng -a (router BSSID) --essid "(network name)" -c (channel) mon0

For example, it should read something like:

airbase-ng -a 04:1E:64:98:96:AB --essid "MyNetwork" -c 11 mon0

That's it. You've now spoofed the router and created a clone with the same name, channel, and SSID number so it's indistinguishable from the original. Unfortunately, the computers on that network will always connect to the most powerful router with that name automatically, so you need to turn up the power of your fake network. Type in:

iwconfig wlan0 txpower 27

This bumps up the power of your fake network to the maximum accepted limit so hopefully next time they log in, they connect to you automatically. It shouldn't do any damage to the card as long as you don't go higher than 27. Once they do, it'll be just like you're both on the same network. That means you can access whatever they're doing pretty easily.

How to Use This Information to Stay Safe

Spoofing a network is tough to find, but you can usually spot it when network traffic is slow, or if it suddenly doesn't require a password authentication. If you're really paranoid someone is spoofing a router, you can turn off the ability to automatically connect to Wi-Fi, so you at least have time to look at the router you're logging into.

Snoop Another Device's Traffic with a Man in the Middle Attack with ARP Spoofing

A Man in the Middle Attack is essentially eavesdropping on your network. Here, you'll intercept network signals between a computer and a router without the computer realizing it. We've shown you how to do packet sniffing and today we'll use ARP spoofing to gather this information. Both sniffing spoofing are about listening in on conversations, but they work a little differently. Sniffing captures traffic by monitoring a network, spoofing pretends to be that network. These types of attacks are often used to grab passwords, images, and pretty much anything else you're sending over your network.

Step One: Turn On Packet Forwarding

First things first, you need to make your Kali Linux machine forward any traffic it gets so the target computer can still access the internet. Type this into the command line:

echo 1 > /proc/sys/net/ipv4/ip_forward

This will ensure all information is forwarded after it's intercepted. That way, the internet and any other communications between the router and the target computer will continue to work.

Step Two: Turn On ARP Spoofing

Now you need to turn on ARP spoofing. This tricks the computer and the router into thinking that your Wi-Fi adapter is a bridge. When you successfully spoof, you can monitor all traffic between the devices. You'll do this twice so you can capture traffic going to your computer from the router and from your computer to the router.

To capture traffic from your router type this in, replacing the parenthesis with your network's information:

arpspoof -i wlan0 -t (router address) (target computer address)

You'll see a bunch of number outputting showing that it's running. Leave that running, then open another tab in Terminal and do the reverse:

arpspoof -i wlan -t (target computer address) (router address)

Both lines should look something like this:

arpspoof -i wlan0 -t 192.168.1.1 192.168.1.105
arpspoof -i wlan0 -t 192.168.1.105 192.168.1.1

Now, all the traffic between those two machines is being collected in Kali Linux. There are a ton of tools to actually capture this information, but let's just take a look at a couple of them here.

To track any URLs the computer visits, open up another Terminal tab and type in:

urlsnarf -i wlan0

This will display any web sites the computer visits.

If you're more interested in images, you can capture any image traffic as well. Type in:

driftnet -i wlan0

A window will pop up and display any images they load and transfer over the network. Basically, if there's any unencrypted information being sent between the router and the computer, you'll see it happen.

How to Use This Information to Stay Safe

The best way to keep people from ARP spoofing your network is to secure your network with a strong password and make sure they're not in there in the first place. That said, turning on a firewall on your machine helps as well. Also, make sure you're always using HTTPS when it's available. When HTTPS is on, an ARP spoofer won't capture anything you're doing. This is especially important when you're on public Wi-Fi and can't control a network's security.