Kali Linux WiFi Password Recovery — Complete Tutorial
Kali Linux is the standard operating system for WiFi penetration testing and password recovery, pre-installed with aircrack-ng suite, hashcat, and all supporting tools. This step-by-step tutorial covers the complete pipeline: setting up your WiFi adapter in monitor mode, capturing a WPA2 4-way handshake (or PMKID) from a target network, converting the capture to hashcat format (hc22000), and cracking the password with GPU-accelerated dictionary and rule attacks. Every command is explained with what it does and why. By the end of this tutorial, you will be able to recover a forgotten WPA2 WiFi password from a captured handshake on any network within range.
Step 1 — Install and verify Kali Linux
Kali Linux can run as a primary OS, a virtual machine (VMware, VirtualBox), or a Live USB with persistence. For WiFi packet injection, a bare-metal install or Live USB is recommended — virtual machines may not pass through USB WiFi adapters with full monitor mode support.
For VM users: enable USB 3.0 passthrough in VM settings and attach the WiFi adapter to the VM (not the host). VMware Workstation and VirtualBox with Extension Pack support this. Some USB adapters have more reliable passthrough than others — Alfa AWUS036ACHM works well with VMware.
Post-install: update the system with sudo apt update && sudo apt full-upgrade -y. Verify kernel version with uname -r. Kernel 6.5+ is recommended for the best WiFi adapter driver support.
Kali vs Ubuntu/other distros
Kali comes with aircrack-ng, hcxdumptool, hashcat, and all supporting tools pre-installed. You can use Ubuntu/Debian/Fedora with the same results — just install the tools manually: sudo apt install aircrack-ng hcxdumptool hashcat
Step 2 — Set up monitor mode
Insert the WiFi adapter. Check it's recognised: iwconfig should show a new interface (typically wlan0). Put it into monitor mode: sudo airmon-ng start wlan0. This creates a monitor interface (wlan0mon) that can capture all WiFi frames in range.
If airmon-ng returns 'monitor mode already enabled' or fails, kill the interfering processes manually: sudo airmon-ng check kill stops NetworkManager and wpa_supplicant, both of which can interfere with monitor mode. Then run airmon-ng start again.
Verify monitor mode is active: iwconfig should show 'Mode:Monitor' on wlan0mon. Alternatively: sudo iw dev wlan0 set monitor none (modern method without airmon-ng). Both produce the same result.
Injection test: sudo aireplay-ng --test wlan0mon. The output should report 'Injection is working!'. If it reports 'No answer...' or 'No injection' the adapter does not support packet injection — check the chipset compatibility.
Step 3 — Capture a WPA handshake with airodump-ng
Start airodump-ng to scan all channels: sudo airodump-ng wlan0mon. This displays all visible access points (BSSID, channel, encryption, signal strength) and connected clients. Identify the target network from the list.
Focus on the target: sudo airodump-ng -c <channel> --bssid <target_BSSID> -w capture wlan0mon. This writes captured frames to 'capture-01.cap' (pcap format). The -c flag limits capture to the target's channel — essential for capturing the full 4-way handshake.
Initiate a deauth attack to force a client to re-associate: sudo aireplay-ng -0 2 -a <target_BSSID> -c <client_MAC> wlan0mon. This sends 2 deauthentication packets to the client, causing it to disconnect and reconnect. The reconnection triggers the 4-way EAPOL handshake.
Monitor airodump-ng output for 'WPA handshake: XX:XX:XX:XX:XX:XX' at the top-right corner. This confirms a complete 4-way handshake was captured. If no clients are connected, you cannot capture a handshake via deauth — consider PMKID capture instead.
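The detection side of the capture step, as an added example that is not part of the tutorial: a small wireless-IDS style check that flags the burst of deauthentication/disassociation frames a forced re-association leaves in the air. Input rows, the MAC addresses and the thresholds are constructed placeholders; the subtype numbers are the 802.11 management-frame subtypes (12 = deauth, 10 = disassoc).

```python
"""Deauth-burst detector over a constructed frame log (added example, not from the tutorial).
Input rows are (timestamp_s, src_mac, dst_mac, frame_subtype), as a wireless IDS or a
tshark field export would give; subtype 12 = deauthentication, 10 = disassociation."""
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10
WINDOW_S = 2.0    # sliding window length in seconds
THRESHOLD = 3     # teardown frames per window before alerting; tune per environment


def detect_deauth_bursts(frames, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return (ts, src, dst, count) alerts, one per (src, dst) pair, raised the
    first time that pair sends >= threshold deauth/disassoc frames within window_s."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, subtype in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue                       # beacons, data frames etc. are not teardowns
        key = (src.lower(), dst.lower())
        window = recent[key]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()               # drop frames that aged out of the window
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ts, key[0], key[1], len(window)))
    return alerts


# Constructed sample (placeholder MACs): a beacon, one isolated deauth, then a
# burst of deauth/disassoc frames carrying the AP's address, the pattern a
# forced re-association as in Step 3 leaves behind.
SAMPLE_FRAMES = [
    (0.00, "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff", 8),    # beacon
    (0.50, "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66", 12),   # single deauth, normal
    (10.00, "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66", 12),
    (10.05, "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66", 12),
    (10.10, "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66", 12),
    (10.15, "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66", 10),
]

if __name__ == "__main__":
    for ts, src, dst, n in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"[{ts:6.2f}s] possible deauth flood {src} -> {dst}: {n} frames in {WINDOW_S}s")
```

Where PMF (802.11w) is enabled, clients authenticate deauth frames and a spoofed burst like this is ignored, which is the mitigation; the detector still records that it happened.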
Step 4 — PMKID capture (no client needed)
If the target has no connected clients, or if PMF is enabled: capture the PMKID instead. The PMKID is available in the RSN IE of the AP's beacon/probe response — no client association required.
Use hcxdumptool for PMKID capture: sudo hcxdumptool -i wlan0mon -o capture.pcapng --enable_status=1. This captures all PMKIDs visible to the adapter. Leave it running for 30-60 seconds per target — longer if the signal is weak.
PMKID capture works only on APs with 802.11w (PMF) enabled. Most WPA2 networks with PMF enabled expose the PMKID. This method does NOT work on WPA3 networks (they encrypt the RSN IE).
Convert the hcxdumptool output to hashcat format: hcxpcapngtool -o hash.hc22000 -E wordlist.txt capture.pcapng. The -E flag extracts any readable ESSIDs encountered during capture.
Step 5 — Convert capture to hashcat format
For airodump-ng captures (.cap): use hcxpcapngtool from the hcxtools package: hcxpcapngtool -o hash.hc22000 -E essidlist.txt capture-01.cap. This extracts the 4-way handshake hash in hashcat mode 22000 format.
For hcxdumptool captures (.pcapng): the same command works: hcxpcapngtool -o hash.hc22000 -E essidlist.txt capture.pcapng.
Inspect the output hash file: cat hash.hc22000. Each line should start with '22000$' followed by the SSID, BSSID, client MAC, PMKID, and EAPOL fields. If the file is empty, the capture did not contain a complete handshake or usable PMKID.
Step 6 — Crack with hashcat (mode 22000)
Basic dictionary attack: hashcat -m 22000 hash.hc22000 rockyou.txt. On an RTX 5090, this tests ~14 million passwords per second. The rockyou.txt wordlist (14M unique passwords) completes in under 20 seconds.
Dictionary + rules attack: hashcat -m 22000 hash.hc22000 rockyou.txt -r /usr/share/hashcat/rules/best64.rule. This applies 64 rule mutations to each dictionary word, producing ~900 million candidates. On RTX 5090: ~17.5 minutes.
Mask attack (character-set constrained): hashcat -m 22000 hash.hc22000 -a 3 ?l?l?l?l?l?l?l?l. This tries all 8-character lowercase passwords (208 billion). On RTX 5090: ~2.8 days.
Hybrid attack (dictionary + mask suffix): hashcat -m 22000 hash.hc22000 rockyou.txt -a 6 ?d?d?d. This appends 3 digits to each dictionary word, covering patterns like 'password123'.
When the password is found: hashcat displays it in the output. Check the potfile: hashcat --show -m 22000 hash.hc22000. The cracked password appears as: SSID_hash:password.
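To put the Step 6 attack modes in perspective from the defender's side, here is an added Python estimator (not from the tutorial) that turns a hashcat mask, a dictionary size and a rule count into candidate counts, and those into worst-case time at an assumed guess rate. The 14M dictionary size and the 64-rule count are the page's figures; the guess rate, the diceware comparison and the charset sizes are assumptions labelled in the code.

```python
"""Keyspace estimator for hashcat attack modes (added example, not from the tutorial).
Mask syntax follows hashcat -a 3: ?l ?u ?d ?s ?a ?h ?H, literals count 1, '??' is a literal '?'."""
# Sizes of hashcat's built-in charsets (assumed standard values)
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16}


def mask_keyspace(mask):
    """Number of candidates an -a 3 mask generates."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1
            continue
        token = mask[i + 1]            # IndexError on a trailing '?' means an invalid mask
        total *= 1 if token == "?" else CHARSETS[token]
        i += 2
    return total


def dictionary_keyspace(words, rules=1):
    """-a 0, optionally with -r: each word is tried once per rule line."""
    return words * rules


def hybrid_keyspace(words, mask):
    """-a 6 / -a 7: each word is paired with every candidate of the mask."""
    return words * mask_keyspace(mask)


def passphrase_keyspace(list_size, word_count):
    """Random-word passphrases (e.g. a 7776-word diceware list) for comparison."""
    return list_size ** word_count


def human(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("min", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} s"


if __name__ == "__main__":
    RATE = 1_000_000  # assumed guesses/s; replace with your own `hashcat -b -m 22000` figure
    cases = {
        "rockyou (14M words)": dictionary_keyspace(14_000_000),
        "rockyou x 64 rules": dictionary_keyspace(14_000_000, 64),
        "rockyou + ?d?d?d": hybrid_keyspace(14_000_000, "?d?d?d"),
        "mask ?l x8": mask_keyspace("?l" * 8),
        "5 diceware words": passphrase_keyspace(7776, 5),
    }
    for label, ks in cases.items():
        print(f"{label:22} {ks:>22,d} candidates  ~{human(ks / RATE)}")
```

The last row is the point for anyone choosing a WPA2 passphrase: a few random words put the keyspace far beyond any mask or rule set the page describes.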
Step 7 — Advanced techniques
Rules customization: create a custom rule file targeting the specific password patterns common in your region. For example: append year suffixes (2024, 2025, 2026), common number patterns (123, 000, 111), local area codes, or street-abbreviation variants.
PRINCE attack: use hashcat --stdout with princeprocessor (pp64) to generate combinatorial passwords from a base wordlist. Effective against compound passwords (e.g., 'John1982Sarah2020' — two dictionary elements combined).
Markov chain mask attack: use hashcat's --markov-disable toggle or built-in Markov stats to order mask candidates by probability. This finds passwords faster by testing the most likely character sequences first.
If GPU memory is insufficient for large wordlists: use --workload-profile 2 (reduces GPU memory usage, slightly slower) or split the wordlist into chunks.
Troubleshooting common issues
Adapter not recognised: run lsusb to confirm the adapter is detected. Check dmesg | tail -20 for driver errors. The Alfa ACHM should show MediaTek MT7612U. If it shows 'Realtek', you have the older model.
No handshake captured after deauth: the client might be using PMF (802.11w) which ignores deauth frames from non-AP sources. Try on a different network or use PMKID capture instead.
Hashcat shows 'Hashfile ... line reject' or 'Skipping' for your hash: the hash format is incorrect. Verify the hash starts with 22000$ and contains the correct number of fields. Re-extract with hcxpcapngtool using the --hc22000 flag.
Injection test fails: the adapter or driver does not support injection. Check the chipset against the supported list. Some adapters need a driver update or kernel downgrade.
Kali Linux WPA recovery pipeline
1. Boot Kali, insert adapter, set monitor mode: sudo airmon-ng start wlan0, verify with iwconfig.
2. Scan for networks: sudo airodump-ng wlan0mon. Note target BSSID, channel, encryption type.
3. Capture handshake or PMKID: airodump-ng focused capture + aireplay-ng deauth, OR hcxdumptool PMKID capture.
4. Convert to hashcat format: hcxpcapngtool -o hash.hc22000 -E ssids.txt capture.pcapng.
5. Crack with hashcat: hashcat -m 22000 hash.hc22000 rockyou.txt -r best64.rule. Use mask attack if dictionary fails.
Frequently Asked Questions
Do I need Kali Linux to crack WiFi passwords?
Can I use a virtual machine for handshake capture?
What is the difference between PMKID and full handshake capture?
How long does it take to crack a typical WiFi password?
Can I crack WPA3 passwords on Kali Linux?
What WiFi adapter works best with Kali in 2026?
Can't find the WiFi password another way?
If every other method failed, capture a WPA handshake on your own network and let our GPU cluster handle the rest. Dictionary + rules attack, 2B+ candidates, pay only on success.