Offensive Security

Kali Linux
Guidebook

A Practical Handbook for Penetration Testing
and Security Auditing

By Najeeb Ahmed (AKA DEVOOO)

v1.0 — 2026 Edition

Preface

Welcome to the Kali Linux Guidebook — a comprehensive resource designed for aspiring and intermediate penetration testers, security analysts, and cybersecurity enthusiasts who want to master the tools and techniques that define modern offensive security.

Kali Linux, developed by Offensive Security, has become the de facto standard operating system for penetration testing. With over 600 pre-installed tools, it provides everything needed to assess the security posture of networks, applications, and systems. However, the sheer number of tools can be overwhelming for newcomers.

This guidebook takes a practical, hands-on approach. Each chapter focuses on a specific tool or technique, walking you through installation, configuration, execution, and interpretation of results. We don't just show you commands — we explain why they work, when to use them, and how to avoid common pitfalls.

Who Should Read This Book?

How to Use This Book: Each chapter is self-contained, allowing you to jump to specific topics as needed. However, we recommend reading sequentially if you're new to Kali Linux. Practical examples assume you have a Kali Linux environment set up — either as a virtual machine, WSL instance, or bare-metal installation.

Remember: with great power comes great responsibility. Always obtain proper authorization before testing any system, and use these skills to make the digital world more secure.

Chapter 01

Cracking Password Hashes Using John the Ripper

1.1 Introduction

Password hashing is the standard method operating systems use to store credentials securely. Instead of storing passwords in plain text, systems convert them into irreversible hash values using algorithms like MD5, SHA-256, SHA-512, or bcrypt. When a user logs in, the entered password is hashed and compared against the stored hash. If the hashes match, access is granted.

If an attacker obtains these hashes — through a database breach, misconfigured permissions, or local privilege escalation — they do not need to reverse the hash mathematically. Instead, they can guess passwords, hash each guess with the same algorithm, and compare the results. This is where password cracking tools like John the Ripper become essential.

This chapter covers John the Ripper (JTR), one of the most widely used password-cracking tools in the security industry. You will learn how to install it, prepare hash files, run multiple attack types, and interpret the results — all within the context of authorized security testing on Kali Linux.

1.2 What Is John the Ripper?

John the Ripper is an open-source password cracker originally developed for Unix systems by Solar Designer in 1996. Its primary purpose is to detect weak passwords by testing hashed values against dictionaries, brute-force strategies, and rule-based transformations.

The version shipped with Kali Linux is the John the Ripper jumbo build, which extends the original with additional hash formats, performance optimizations, and extra attack modes not found in the core version. This community-maintained fork supports hundreds of hash types and is actively updated.

John operates entirely from the command line. It reads one or more files containing password hashes and attempts to recover the original plaintext passwords. Cracked passwords are stored in a pot file (~/.john/john.pot) so that previously recovered hashes are not re-tested in future sessions.

1.3 Why It Is Used

  • Password auditing — Verifying that user accounts on a system do not have weak or easily guessable passwords.
  • Penetration testing — Demonstrating the impact of a credential breach during an authorized engagement.
  • Security assessments — Evaluating the strength of password policies enforced by an organization.
  • Recovery of lost passwords — Regaining access to a system when the legitimate password has been forgotten (where permitted).
  • Hash format research — Analyzing and testing the resilience of various hashing algorithms.

1.4 Features

  • Multiple attack modes — Single crack mode, wordlist mode (with optional rules), incremental mode, and mask mode.
  • Broad hash format support — Handles DES, MD5, SHA-256, SHA-512 (crypt), NTLM, Kerberos, ZIP, RAR, PDF, Office documents, and many more.
  • Configurable rules engine — Applies transformations to wordlist entries (capitalization, substitutions, appending digits, leet speak, etc.).
  • Session management — Interrupted sessions can be resumed from the point they were stopped.
  • Multi-platform — Runs on Linux, Windows, macOS, and other Unix-like systems.
  • Open source — Freely available under a permissive license; the jumbo build is actively maintained by the community.
  • Automatic format detection — Identifies most hash formats without manual specification (though explicit specification is recommended).
  • GPU acceleration — Supports OpenCL and CUDA for significantly faster cracking on compatible hardware.

1.5 Installation

On Kali Linux, John the Ripper can be installed directly from the APT repositories:

┌──(kali㉿kali)-[~] └─$ sudo apt update && sudo apt install -y john
i

Information

Kali Linux typically has John pre-installed. Verify by running john --version before installing. The Kali repository ships the jumbo build by default.

1.6 Prerequisites

Before using John the Ripper to crack system password hashes, ensure the following:

  • Root access — Reading /etc/shadow requires elevated privileges.
  • Understanding of hash types — Know which algorithm was used to hash the passwords (e.g., MD5 crypt, SHA-512 crypt, NTLM).
  • Wordlist files — Dictionary-based attacks require a wordlist. Kali Linux includes several by default:
Path Description
/usr/share/john/password.lst Default John the Ripper wordlist
/usr/share/dict/ System dictionary files
/usr/share/wordlists/ Additional wordlists (includes rockyou.txt)

Pro Tip

The rockyou.txt wordlist contains over 14 million passwords. Install it with sudo apt install wordlists and decompress with gunzip /usr/share/wordlists/rockyou.txt.gz.

1.7 Basic Syntax

The general syntax for running John the Ripper is:

john [options] [password-file]

The password-file argument can be an unshadowed file, a file containing raw hashes, or any file in a format John recognizes. Options control the attack mode, hash format, wordlist path, and session behavior.

1.8 Most Important Commands

Command Purpose
sudo apt install john Install John the Ripper
unshadow /etc/passwd /etc/shadow > unshadowed.txt Combine passwd and shadow files
john --format=sha512crypt -single unshadowed.txt Single crack mode
john --format=sha512crypt --wordlist=/usr/share/john/password.lst --rules unshadowed.txt Dictionary attack with rules
john --show unshadowed.txt Display cracked passwords
john -restore Resume interrupted session

1.9 Command Explanation

Unshadowing Password Files

On Linux systems, /etc/passwd stores account information while /etc/shadow stores the actual password hashes. The unshadow utility merges these two files:

┌──(kali㉿kali)-[~] └─$ sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt

Single Crack Mode

Uses the GECOS field from /etc/passwd to generate fast password guesses:

┌──(kali㉿kali)-[~] └─$ john --format=sha512crypt -single unshadowed.txt

Dictionary Attack with Rules

Reads each word from a wordlist, applies mangling rules, and tests against hashes:

┌──(kali㉿kali)-[~] └─$ john --format=sha512crypt --wordlist=/usr/share/john/password.lst --rules unshadowed.txt

Displaying Cracked Passwords

┌──(kali㉿kali)-[~] └─$ john --show unshadowed.txt

Resuming an Interrupted Session

┌──(kali㉿kali)-[~] └─$ john -restore

1.10 Common Flags

Flag Description
-single Enable single crack mode
--wordlist=FILE Specify a wordlist file
--rules Enable word mangling rules
--show Display cracked passwords
-restore Resume interrupted session
--restore=NAME Resume a named session
--session=NAME Name the current session
--format=FORMAT Set hash format explicitly
--incremental Brute-force all character combinations
--mask=MASK Enable mask mode with pattern
--users=LIST Crack only specified users
--list=formats List all supported hash formats
!

Important

Always specify --format explicitly to avoid auto-detection delays and potential misidentification.

1.11 Practical Examples

Example 1: Preparing the Hash File

┌──(kali㉿kali)-[~] └─$ sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt

Example 2: Single Crack Mode

┌──(kali㉿kali)-[~] └─$ john --format=sha512crypt -single unshadowed.txt

Example 3: Dictionary Attack with Rockyou

┌──(kali㉿kali)-[~] └─$ john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

Example 4: Viewing Results

┌──(kali㉿kali)-[~] └─$ john --show unshadowed.txt

1.12 Expected Output

During Cracking

Loaded 5 password hashes with 5 different salts (crypt, generic crypt(3) [?/64]) Press 'q' or Ctrl-C to abort, almost any other key for status 0g 0:00:00:05 0.00% (ETA: 2025-01-15 10:30:00) 0g/s 234.5p/s 234.5c/s 234.5C/s 1g 0:00:00:12 20.00% (ETA: 2025-01-15 10:30:01) 1g/s 180.2p/s 180.2c/s 180.2C/s user1:password123

After Running --show

user1:password123 user3:letmein admin:admin2024 3 password hashes cracked, 2 left

1.13 Real-World Use Cases

  • Internal penetration test — After gaining initial access to a Linux server, an auditor dumps /etc/shadow, runs John offline, and uses cracked credentials to pivot.
  • Active Directory assessment — Hashes extracted from NTDS.DIT are cracked with John in NTLM format to evaluate password strength across the domain.
  • Compliance audit — An organization uses John to verify that no accounts have weak passwords violating PCI-DSS or HIPAA policy.
  • Application security review — Hashes from a compromised database are identified and cracked to evaluate breach impact.

1.14 Best Practices

Best Practice — Specify Hash Format

Always use --format to avoid auto-detection delays. Run john --list=formats to see all supported formats.

Best Practice — Order Your Attacks

Run in order of speed: single crack → wordlist with rules → incremental as last resort.

Best Practice — Name Your Sessions

Use --session=name to give sessions descriptive names for easy resumption.

Best Practice — Secure Hash Files

Delete hash files after use and clear the pot file at ~/.john/john.pot when sharing the system.

1.15 Common Mistakes

Mistake — Forgetting Root Privileges

Attempting to read /etc/shadow without root will fail. Always use sudo.

Mistake — Not Specifying Hash Format

Relying on auto-detection can cause slow cracking or incorrect format identification.

Mistake — Using Small Wordlists

The default John wordlist is small. Use rockyou.txt or custom wordlists for serious cracking.

1.16 Troubleshooting

Problem: "No password hashes loaded"

Cause: The hash file is empty, incorrectly formatted, or the format doesn't match.

Solution: Verify with cat unshadowed.txt and ensure format matches.

Problem: Cracking is extremely slow

Cause: Wrong hash format or using CPU instead of GPU.

Solution: Verify format and install GPU-enabled John build.

Problem: Session won't restore

Cause: Running from a different directory than where the session started.

Solution: Navigate to the original directory or use --restore=/absolute/path.

1.17 Related Tools

Tool Description
Hashcat GPU-accelerated password cracker; faster for many hash types
Hydra Online password cracker for services (SSH, FTP, HTTP)
Medusa Parallel online password cracker
CrackMapExec Post-exploitation tool with password cracking
cewl Custom wordlist generator that spiders websites

1.18 Security Notes

🔒

Security — Legal Authorization Required

Password cracking without explicit written authorization is illegal. Always obtain proper authorization and document your scope.

🔒

Security — Handle Cracked Passwords Securely

Do not store cracked passwords in plaintext. Securely delete hash files and the pot file after your assessment.

1.19 Summary

John the Ripper remains one of the most versatile password cracking tools available. Its strength lies in supporting hundreds of hash formats, multiple attack modes, and session resumption.

  • Always use unshadow to combine /etc/passwd and /etc/shadow
  • Specify the hash format explicitly with --format
  • Run attacks in order: single crack → wordlist with rules → incremental
  • Use --session=name to organize multiple sessions
  • Always obtain proper authorization before cracking passwords

1.20 Quick Reference Cheat Sheet

Task Command
Install John sudo apt install john
Check version john --version
List formats john --list=formats
Unshadow files sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt
Single crack mode john --format=sha512crypt -single unshadowed.txt
Wordlist + rules john --format=sha512crypt --wordlist=wordlist.txt --rules unshadowed.txt
Incremental mode john --format=sha512crypt --incremental unshadowed.txt
Mask mode john --format=sha512crypt --mask='?u?l?l?l?d?d?d' unshadowed.txt
Resume session john -restore
Show cracked john --show unshadowed.txt
Clear pot file rm ~/.john/john.pot
Chapter 02

Network Reconnaissance with Nmap

2.1 Introduction

Network reconnaissance is the foundational phase of any penetration test or security assessment. Before you can exploit a vulnerability, you must first understand what exists on the target network — which hosts are alive, what ports are open, what services are running, and what operating systems are in use. This intelligence-gathering process directly determines the attack surface you'll be working with.

Nmap (Network Mapper) is the industry-standard tool for this phase. It has been the go-to network scanner for over two decades, used by security professionals, network administrators, and researchers worldwide. Whether you're scanning a single host or an entire enterprise subnet, Nmap provides the capabilities needed to map the network accurately.

This chapter covers Nmap in depth — from basic host discovery to advanced NSE scripting. You will learn to run efficient, stealthy scans and interpret the results to build a clear picture of the target environment.

2.2 What Is Nmap?

Nmap is a free, open-source network scanner created by Gordon Lyon (Fyodor) in 1997. It is designed to discover hosts and services on a computer network by sending specially crafted packets and analyzing the responses. Nmap supports multiple scanning techniques including TCP SYN scanning, TCP connect scanning, UDP scanning, and various ping sweeps.

Beyond simple port scanning, Nmap can detect service versions, operating systems, MAC addresses, and even run custom scripts through its Nmap Scripting Engine (NSE). It outputs results in multiple formats including interactive terminal output, XML, grepable output, and can even interface with databases for large-scale scanning.

Nmap ships pre-installed on Kali Linux and is available for Windows, macOS, and other Unix-like systems. Its combination of flexibility, accuracy, and extensibility has made it the most widely used network scanner in the world.

2.3 Why It Is Used

  • Host discovery — Identifying which IP addresses are active on a network before targeting specific hosts.
  • Port scanning — Determining which TCP and UDP ports are open on a target, revealing running services.
  • Service version detection — Identifying the specific software and version running on each open port.
  • Operating system detection — Fingerprinting the target's OS based on network stack behavior.
  • Vulnerability scanning — Using NSE scripts to detect known vulnerabilities on open services.
  • Network inventory — Maintaining an up-to-date map of network assets for security auditing.
  • Firewall testing — Evaluating the effectiveness of firewall rules and intrusion detection systems.

2.4 Features

  • Multiple scan types — SYN scan (-sS), Connect scan (-sT), UDP scan (-sU), ACK scan (-sA), FIN scan (-sF), and more.
  • Service version detection (-sV) — Probes open ports to determine service name, version, and sometimes configuration details.
  • OS fingerprinting (-O) — Sends a series of packets and compares responses against a database of known OS signatures.
  • Nmap Scripting Engine (NSE) — Over 600 scripts for vulnerability detection, exploitation, and information gathering.
  • Timing templates (-T0 through -T5) — Control scan speed from paranoid (very slow and stealthy) to insane (very fast but noisy).
  • Multiple output formats — Normal (-oN), XML (-oX), Grepable (-oG), and JSON for integration with other tools.
  • Host discovery methods — ARP ping, ICMP ping, TCP ping, and reverse-DNS for flexible host detection.
  • Target specification — Supports IP ranges, CIDR notation, hostnames, and reading targets from files.
  • Decoy scanning (-D) — Spoofs source addresses to obscure the real scanner's IP.
  • Fragmentation (-f) — Splits packets into tiny fragments to evade simple IDS/IPS rules.

2.5 Installation

Nmap comes pre-installed on Kali Linux. If for some reason it is not available, install it with:

┌──(kali㉿kali)-[~] └─$ sudo apt update && sudo apt install -y nmap

Verify the installation:

┌──(kali㉿kali)-[~] └─$ nmap --version Nmap version 7.95 ( https://nmap.org )
i

Information

For the graphical interface (Zenmap), install it separately with sudo apt install zenmap. Zenmap provides a point-and-click interface and scan comparison features.

2.6 Prerequisites

  • Network access — You need network connectivity to the target(s). Physical network access or VPN connection as per your engagement scope.
  • Root/sudo privileges — SYN scans, OS detection, and some NSE scripts require raw packet generation, which needs root.
  • Proper authorization — Scanning networks without authorization is illegal in most jurisdictions. Ensure you have a signed scope document.
  • Understanding of TCP/IP — Knowledge of the TCP three-way handshake, common ports, and protocol behavior is essential for interpreting results.
  • Target scope — Know exactly which IP ranges, hosts, and ports you are authorized to scan.

2.7 Basic Syntax

nmap [Scan Type(s)] [Options] {target specification}

Target specification can be:

  • A single host: 192.168.1.1
  • A range: 192.168.1.1-100
  • CIDR notation: 192.168.1.0/24
  • A hostname: target.example.com
  • From a file: -iL targets.txt
  • Excluding hosts: 192.168.1.0/24 --exclude 192.168.1.50

2.8 Most Important Commands

Command Purpose
sudo nmap -sS 192.168.1.0/24 SYN scan of entire subnet
sudo nmap -sV -sC 192.168.1.100 Version detection + default NSE scripts
sudo nmap -A 192.168.1.100 Aggressive scan (OS, version, scripts, traceroute)
sudo nmap -sU --top-ports 100 192.168.1.100 Top 100 UDP ports scan
sudo nmap -p- 192.168.1.100 Scan all 65535 TCP ports
sudo nmap -sn 192.168.1.0/24 Host discovery only (no port scan)
sudo nmap -O 192.168.1.100 Operating system detection
sudo nmap -sS -p- -T4 192.168.1.100 Full port SYN scan with aggressive timing

2.9 Command Explanation

SYN Scan (Stealth Scan)

The SYN scan (-sS) is the default scan type when running as root. It sends a SYN packet and waits for a response. If it receives a SYN-ACK, the port is open. It then sends an RST to tear down the connection before it's fully established. This makes it faster and stealthier than a full connect scan.

┌──(kali㉿kali)-[~] └─$ sudo nmap -sS 192.168.1.100

Service Version Detection

Version detection (-sV) probes open ports to determine the service name, version number, and sometimes additional details like device type or OS. This information is critical for identifying known vulnerabilities.

┌──(kali㉿kali)-[~] └─$ sudo nmap -sV 192.168.1.100

Aggressive Scan

The -A flag enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute) in a single command. It is the most comprehensive scan but also the noisiest.

┌──(kali㉿kali)-[~] └─$ sudo nmap -A 192.168.1.100

Host Discovery (Ping Scan)

The -sn flag tells Nmap to only perform host discovery — determining which hosts are up — without scanning any ports. This is useful for mapping a network before detailed scanning.

┌──(kali㉿kali)-[~] └─$ sudo nmap -sn 192.168.1.0/24

Full Port Scan

By default, Nmap scans only the top 1000 most common ports. The -p- flag scans all 65535 TCP ports, ensuring no open services are missed.

┌──(kali㉿kali)-[~] └─$ sudo nmap -p- -T4 192.168.1.100

2.10 Common Flags

Flag Description
-sS TCP SYN scan (stealth; requires root)
-sT TCP connect scan (full handshake; works without root)
-sU UDP scan
-sV Probe open ports for service version info
-sC Run default NSE scripts
-O Enable OS detection
-A Aggressive mode (OS + version + scripts + traceroute)
-p- Scan all 65535 ports
-p 80,443,8080 Scan specific ports
--top-ports N Scan the top N most common ports
-sn Host discovery only (no port scan)
-Pn Skip host discovery; treat all hosts as up
-T0 through -T5 Timing template (0=paranoid, 5=insane)
-oN file.txt Output results in normal format to file
-oX file.xml Output results in XML format
-oG file.gnmap Output in grepable format
-v / -vv Verbose / very verbose output
-D RND:10 Use decoys to obscure scanner IP
-f Fragment packets (evade simple IDS)
--script=SCRIPT Run specific NSE script(s)
-iL file.txt Read targets from a file
--exclude host Exclude a host from scanning

2.11 Practical Examples

Example 1: Quick Network Sweep

┌──(kali㉿kali)-[~] └─$ sudo nmap -sn 192.168.1.0/24

Quickly identifies all live hosts on the /24 subnet without scanning any ports.

Example 2: Standard Port Scan

┌──(kali㉿kali)-[~] └─$ sudo nmap -sS 192.168.1.100

Scans the top 1000 TCP ports using SYN scan technique.

Example 3: Comprehensive Target Scan

┌──(kali㉿kali)-[~] └─$ sudo nmap -sS -sV -sC -p- -T4 -oN scan_results.txt 192.168.1.100

Full port SYN scan with version detection, default scripts, aggressive timing, and results saved to file.

Example 4: UDP Scan

┌──(kali㉿kali)-[~] └─$ sudo nmap -sU --top-ports 100 192.168.1.100

Scans the top 100 most common UDP ports. UDP scanning is slower than TCP, so limiting the port range is recommended.

Example 5: Vulnerability Scanning with NSE

┌──(kali㉿kali)-[~] └─$ sudo nmap -sV --script vuln 192.168.1.100

Runs all vulnerability-detection NSE scripts against the target. Useful for finding known CVEs on open services.

Example 6: Stealthy Scan with Decoys

┌──(kali㉿kali)-[~] └─$ sudo nmap -sS -T2 -D RND:5 192.168.1.100

Uses 5 random decoy IPs and paranoid timing to make the scan harder to attribute to your IP.

2.12 Expected Output

Standard Port Scan Output

Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-15 10:00 EST Nmap scan report for 192.168.1.100 Host is up (0.0034s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 80/tcp open http Apache httpd 2.4.52 443/tcp open ssl/https Apache httpd 2.4.52 3306/tcp open mysql MySQL 8.0.35-0ubuntu0.22.04.1 8080/tcp open http-proxy Squid http proxy 4.13 Nmap done: 1 IP address (1 host up) scanned in 2.45 seconds

The output shows each port's state (open/closed/filtered), the service name, and the version string. The STATE column is critical: open means the port is accepting connections, filtered means a firewall is blocking it, and closed means no service is listening but the host responded.

Aggressive Scan Output

Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-15 10:05 EST Nmap scan report for 192.168.1.100 Host is up (0.0034s latency). Not shown: 65530 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 a1:b2:c3:d4:e5:f6:... (ECDSA) |_ 256 f6:e5:d4:c3:b2:a1:... (ED25519) 80/tcp open http Apache httpd 2.4.52 |_http-title: Apache2 Ubuntu Default Page |_http-server-header: Apache/2.4.52 (Ubuntu) 443/tcp open ssl/https Apache httpd 2.4.52 OS details: Linux 5.15 - 6.1, Ubuntu 22.04 Network Distance: 2 hops TRACEROUTE (using port 443/tcp) HOP RTT ADDRESS 1 1.2 ms 192.168.1.1 2 3.4 ms 192.168.1.100 Nmap done: 1 IP address (1 host up) scanned in 14.23 seconds

2.13 Real-World Use Cases

  • External penetration test — Scanning a company's public IP ranges to identify exposed services before attempting exploitation.
  • Internal network assessment — Mapping an internal network to discover forgotten servers, unauthorized devices, or misconfigured services.
  • Web application reconnaissance — Identifying web servers, backend databases, and administrative interfaces on a target host.
  • IoT device discovery — Scanning a network segment to find IoT devices and their exposed management interfaces.
  • Firewall rule validation — Scanning from outside a firewall to verify that only intended ports are accessible.
  • Incident response — Rapidly scanning a compromised network to identify attacker infrastructure or lateral movement paths.
  • CTF competitions — Discovering hidden services and ports on CTF challenge machines.

2.14 Best Practices

Best Practice — Always Save Your Results

Use -oN, -oX, or -oA (all formats) to save scan results. You will always need to reference them later.

Best Practice — Start Broad, Then Narrow

Begin with host discovery (-sn), then a quick port scan, then full port scan with version detection on interesting targets.

Best Practice — Use Appropriate Timing

Use -T3 for normal scans, -T4 for fast scans on stable networks, and -T1/T2 for stealth. Avoid -T5 unless you're on a local, low-latency network.

Best Practice — Scan All Ports When It Matters

The default top-1000 scan misses non-standard ports. Use -p- for thorough assessments, especially on CTF machines and external targets.

Best Practice — Leverage NSE Scripts

Use --script vuln for vulnerability detection, --script auth for brute-forcing, and --script discovery for information gathering.

2.15 Common Mistakes

Mistake — Scanning Without Authorization

Scanning networks you don't own or don't have permission to test is illegal. Always get written authorization first.

Mistake — Only Scanning Default Ports

Services on non-standard ports (e.g., SSH on 2222, HTTP on 8080) will be missed if you only scan defaults.

Mistake — Ignoring Filtered Ports

Filtered ports often indicate a firewall. These are worth investigating — they may hide services accessible from other network segments.

Mistake — Not Saving Results

Running scans without output flags means you lose the data as soon as the terminal clears. Always save to file.

Mistake — Running Aggressive Scans on Production

Using -A or -T5 on production systems can crash services or trigger IDS alerts. Use appropriate timing and scan types.

2.16 Troubleshooting

Problem: "You requested a scan type which requires root privileges"

Cause: SYN scans, OS detection, and some scripts need raw socket access.

Solution: Run with sudo or use -sT for non-root connect scans.

Problem: All ports show as "filtered"

Cause: A firewall is dropping all packets, or host discovery is failing.

Solution: Try -Pn to skip host discovery, or use -sT which may bypass some firewall rules.

Problem: Scan is extremely slow

Cause: UDP scanning is inherently slow, or timing is too conservative.

Solution: Use -T4 for faster scanning. For UDP, limit ports with --top-ports.

Problem: OS detection shows "No exact OS matches"

Cause: The target has few open ports, giving Nmap insufficient data for fingerprinting.

Solution: Scan more ports with -p- and combine with -sV for better OS detection accuracy.

2.17 Related Tools

Tool Description
Masscan Mass IP port scanner; can scan the entire internet in minutes
RustScan Fast port scanner that pipes results into Nmap for service detection
Unicornscan Asynchronous scanner with its own packet injection engine
Nessus Commercial vulnerability scanner with Nmap-like discovery
OpenVAS Open-source vulnerability scanner with network scanning capabilities
Zenmap Graphical frontend for Nmap with profile management
Autorecon Automated network reconnaissance tool that wraps Nmap and other tools

2.18 Security Notes

🔒

Security — Legal Requirements

Port scanning without authorization is illegal under the Computer Fraud and Abuse Act (CFAA) in the US and similar laws in other countries. Even "just scanning" can be prosecuted.

🔒

Security — Scan Reports Contain Sensitive Data

Nmap output reveals your target's infrastructure details. Store reports securely and encrypt them in transit.

🔒

Security — Defending Against Nmap

Use firewalls to limit exposed ports, implement IDS/IPS with Nmap detection signatures, and use port knocking for sensitive services.

2.19 Summary

Nmap is the cornerstone tool of network reconnaissance. Mastering its scan types, timing options, and NSE scripting will make you significantly more effective in any security engagement.

  • Start with host discovery (-sn) to map the network
  • Use SYN scan (-sS) as your default scan type
  • Always scan all ports (-p-) for thorough assessments
  • Add version detection (-sV) and scripts (-sC) for detailed intelligence
  • Save results with -oN, -oX, or -oA for reporting and analysis
  • Adjust timing templates based on network conditions and stealth requirements

2.20 Quick Reference Cheat Sheet

Task Command
Host discovery sudo nmap -sn 192.168.1.0/24
Quick port scan sudo nmap -sS 192.168.1.100
Full port scan sudo nmap -p- -T4 192.168.1.100
Version detection sudo nmap -sV 192.168.1.100
Aggressive scan sudo nmap -A 192.168.1.100
OS detection sudo nmap -O 192.168.1.100
UDP top 100 sudo nmap -sU --top-ports 100 192.168.1.100
Vuln scan sudo nmap -sV --script vuln 192.168.1.100
Stealthy scan sudo nmap -sS -T1 -D RND:5 192.168.1.100
Save all formats sudo nmap -sV -oA results 192.168.1.100
Scan from file sudo nmap -sS -iL targets.txt
Specific ports sudo nmap -sS -p 22,80,443 192.168.1.100
Skip host discovery sudo nmap -Pn -sS 192.168.1.100
List NSE scripts nmap --script-help="categories"
Chapter 03

Local Network Discovery: ARP Scanning and WiFi Monitor Mode

3.1 Introduction

Before attacking a network, you must understand its topology — what devices are connected, how they communicate, and what interfaces are available. On a wired local network, ARP (Address Resolution Protocol) scanning reveals live hosts by mapping IP addresses to MAC addresses. On wireless networks, putting your adapter into monitor mode allows you to capture all radio frames in the air, not just those addressed to you.

This chapter covers two complementary skill sets: using ARP scanning tools like arp-scan and arping to discover wired network hosts, and using the aircrack-ng suite's airmon-ng to enable monitor mode on wireless adapters for packet capture and analysis.

Both techniques are foundational for any local network assessment. Whether you're on a corporate pentest or a CTF challenge, knowing how to enumerate local hosts and capture wireless traffic is essential.

3.2 What Are These Tools?

arp-scan

arp-scan is a tool that sends ARP request packets to a range of IP addresses and listens for ARP replies. Any device that responds is confirmed to be active on the local network. It operates at Layer 2, making it more reliable than ICMP ping for local host discovery since it bypasses firewalls that block ICMP.

arping

arping is a simpler tool that sends ARP or ICMP packets to a single host to verify its presence on the network. It is useful for quickly checking if a specific IP is alive and resolving its MAC address.

airmon-ng

airmon-ng is part of the Aircrack-ng suite. It manages wireless network interface modes, specifically enabling and disabling monitor mode. Monitor mode allows a wireless adapter to capture all frames on the channel it's tuned to, regardless of the destination MAC address — essentially turning your adapter into a passive sniffer.

3.3 Why They Are Used

  • Local host discovery — Finding all devices on a LAN segment, including those that block ICMP.
  • Network mapping — Building a picture of the local network topology with IP-to-MAC mappings.
  • Rogue device detection — Identifying unauthorized devices connected to the network.
  • Wireless reconnaissance — Capturing wireless frames for analysis, including beacon frames, handshakes, and data packets.
  • Pre-engagement reconnaissance — Understanding the wireless environment (SSIDs, channels, encryption types) before targeting.
  • ARP spoofing preparation — Identifying target MAC addresses needed for man-in-the-middle attacks.

3.4 Features

arp-scan Features

  • Sends ARP requests and displays responses with IP, MAC, and hardware manufacturer
  • Supports multiple network interfaces
  • Can specify custom ARP data patterns
  • Detects duplicate IP addresses (ARP conflict detection)
  • Can load a custom MAC/Vendor mapping file

airmon-ng Features

  • Enables monitor mode on supported wireless adapters
  • Kills interfering processes that may disrupt capture
  • Lists available wireless interfaces and their current mode
  • Checks for wireless driver and chipset compatibility
  • Manages virtual monitor interfaces

3.5 Installation

Install arp-scan and arping

┌──(kali㉿kali)-[~] └─$ sudo apt update && sudo apt install -y arp-scan arping

Install Aircrack-ng Suite

┌──(kali㉿kali)-[~] └─$ sudo apt update && sudo apt install -y aircrack-ng
i

Information

Both tools are typically pre-installed on Kali Linux. Verify with arp-scan --version and airmon-ng --version before installing.

3.6 Prerequisites

  • Network interface — An active network interface connected to the target LAN (wired for ARP, wireless for airmon-ng).
  • Root/sudo privileges — ARP packet injection and wireless mode changes require elevated privileges.
  • Compatible wireless adapter — For monitor mode, you need an adapter with chipset that supports monitor mode and packet injection (e.g., Atheros, Ralink, Realtek RTL8812AU).
  • Correct wireless drivers — Some adapters require specific drivers. Check airmon-ng compatibility lists.
  • Same subnet — ARP scanning only works within your broadcast domain (same Layer 2 segment).

Pro Tip — USB Wireless Adapters

For WiFi assessments, external USB adapters with the RTL8812AU or Atheros AR9271 chipsets are widely recommended. Internal laptop adapters often lack monitor mode support.

3.7 Basic Syntax

arp-scan

arp-scan [options] [target specification]

arping

arping [options] destination

airmon-ng

airmon-ng [start|stop|check|kill] [interface]

3.8 Most Important Commands

Command Purpose
sudo arp-scan -l Scan the local subnet for live hosts
sudo arp-scan 192.168.1.0/24 Scan a specific subnet
sudo arping -c 3 192.168.1.1 Send 3 ARP pings to a single host
sudo airmon-ng List wireless interfaces and their status
sudo airmon-ng check kill Kill interfering processes
sudo airmon-ng start wlan0 Enable monitor mode on wlan0
sudo airmon-ng stop wlan0mon Disable monitor mode

3.9 Command Explanation

Scanning the Local Subnet with arp-scan

The -l flag tells arp-scan to automatically determine the local subnet based on the interface's IP address and netmask, then scan all addresses in that range:

┌──(kali㉿kali)-[~] └─$ sudo arp-scan -l

Pinging a Single Host with arping

Use arping to quickly verify if a specific host is reachable at Layer 2:

┌──(kali㉿kali)-[~] └─$ sudo arping -c 3 192.168.1.1

Checking Wireless Interfaces

Before enabling monitor mode, check which wireless interfaces are available and their current state:

┌──(kali㉿kali)-[~] └─$ sudo airmon-ng

Killing Interfering Processes

NetworkManager, wpa_supplicant, and other services can interfere with monitor mode. Kill them before proceeding:

┌──(kali㉿kali)-[~] └─$ sudo airmon-ng check kill

Enabling Monitor Mode

┌──(kali㉿kali)-[~] └─$ sudo airmon-ng start wlan0

This creates a new virtual interface (typically wlan0mon) in monitor mode. All capture tools should use this interface.

Disabling Monitor Mode

┌──(kali㉿kali)-[~] └─$ sudo airmon-ng stop wlan0mon

After disabling monitor mode, restart NetworkManager with sudo systemctl start NetworkManager to restore normal WiFi connectivity.

3.10 Common Flags

Flag Tool Description
-l arp-scan Use local network configuration for target range
-I eth0 arp-scan Specify the network interface to use
-r file.txt arp-scan Read target IPs from a file
-c N arping Send N ARP requests
-D arping Duplicate address detection mode
-I eth0 arping Specify source interface
-U arping Send unsolicited ARP (gratuitous ARP)
start airmon-ng Enable monitor mode on specified interface
stop airmon-ng Disable monitor mode
check airmon-ng List interfering processes
check kill airmon-ng Kill all interfering processes

3.11 Practical Examples

Example 1: Quick Local Network Scan

┌──(kali㉿kali)-[~] └─$ sudo arp-scan -l

This is the most common arp-scan command. It automatically detects your subnet and scans all addresses.

Example 2: Scan Specific Subnet on Specific Interface

┌──(kali㉿kali)-[~] └─$ sudo arp-scan -I eth0 10.0.0.0/24

Useful when you have multiple interfaces and need to scan from a specific one.

Example 3: Verify Gateway Connectivity

┌──(kali㉿kali)-[~] └─$ sudo arping -c 3 192.168.1.1

Example 4: Complete WiFi Monitor Mode Workflow

┌──(kali㉿kali)-[~] └─$ sudo airmon-ng check kill ┌──(kali㉿kali)-[~] └─$ sudo airmon-ng start wlan0 PHY Interface Driver Chipset phy0 wlan0 rt2800usb Ralink Technology, Corp. RT5370 (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon) ┌──(kali㉿kali)-[~] └─$ sudo airodump-ng wlan0mon

This complete workflow: kills interfering processes, enables monitor mode, then starts airodump-ng to capture wireless traffic.

Example 5: Restoring Normal WiFi

┌──(kali㉿kali)-[~] └─$ sudo airmon-ng stop wlan0mon ┌──(kali㉿kali)-[~] └─$ sudo systemctl start NetworkManager

3.12 Expected Output

arp-scan Output

Interface: eth0, datalink type: EN10MB (Ethernet) Starting arp-scan 1.10.0 with 256 hosts 192.168.1.1 00:11:22:33:44:55 (Unknown) 192.168.1.50 aa:bb:cc:dd:ee:ff (Apple Inc.) 192.168.1.100 11:22:33:44:55:66 (Intel Corporate) 192.168.1.150 66:77:88:99:aa:bb (Samsung Electronics Co.,Ltd) 4 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 2.321 seconds (110.21 hosts/sec) 4 responded

Each line shows the IP address, MAC address, and the hardware vendor identified from the MAC prefix (OUI lookup). This vendor information helps identify device types quickly.

airmon-ng start Output

PHY Interface Driver Chipset phy0 wlan0 rt2800usb Ralink Technology, Corp. RT5370 (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)

3.13 Real-World Use Cases

  • Internal pentest — Running arp-scan immediately after connecting to a client network to map all visible devices before targeting.
  • Rogue device detection — Comparing ARP scan results against the organization's asset inventory to find unauthorized devices.
  • WiFi assessment prep — Enabling monitor mode to capture the wireless environment, identify all access points and clients, and plan the attack.
  • ARP spoofing setup — Identifying the target and gateway MAC addresses needed for tools like arpspoof or bettercap.
  • Physical security assessment — Discovering IoT devices, IP cameras, printers, and other devices on the network that may be forgotten or unsecured.
  • Incident response — Identifying new or unexpected MAC addresses on the network that may indicate an attacker's presence.

3.14 Best Practices

Best Practice — Always Kill Interfering Processes

Run airmon-ng check kill before enabling monitor mode. NetworkManager and wpa_supplicant will constantly try to associate with networks, disrupting your capture.

Best Practice — Restore Services After Use

Always run sudo systemctl start NetworkManager after disabling monitor mode to restore normal WiFi connectivity.

Best Practice — Use a Dedicated USB Adapter

For WiFi assessments, use a dedicated USB adapter with known-good monitor mode support. Don't rely on internal laptop adapters.

Best Practice — Combine ARP Scan with Nmap

Use arp-scan for fast Layer 2 discovery, then feed the results into Nmap for detailed service enumeration.

3.15 Common Mistakes

Mistake — Forgetting to Kill Interfering Processes

Skipping check kill causes monitor mode to be unstable or fail entirely.

Mistake — Using an Incompatible Adapter

Not all wireless chipsets support monitor mode. Research your adapter's chipset before attempting.

Mistake — Scanning Wrong Subnet

ARP scanning only works on your local broadcast domain. If you're on VLAN 10, you can't ARP scan VLAN 20.

Mistake — Not Restoring NetworkManager

After check kill, your WiFi won't reconnect automatically. Always restart NetworkManager.

3.16 Troubleshooting

Problem: "arp-scan: Could not obtain interface address"

Cause: The specified interface doesn't have an IP address or doesn't exist.

Solution: Check interface name with ip a and ensure it has an IP assigned.

Problem: "airmon-ng: ERROR: No such device"

Cause: The wireless interface name is wrong or the adapter is not connected.

Solution: Run ip link or iwconfig to find the correct interface name.

Problem: Monitor mode enables but no packets are captured

Cause: Wrong channel, or the adapter doesn't properly support monitor mode.

Solution: Manually set the channel with iwconfig wlan0mon channel 6 and verify with iwlist wlan0mon channel.

Problem: "Device or resource busy" when starting monitor mode

Cause: Interfering processes still running.

Solution: Run sudo airmon-ng check kill again and manually kill any remaining processes.

3.17 Related Tools

Tool Description
netdiscover Active/passive ARP reconnaissance tool with curses interface
bettercap Network attack framework with built-in ARP discovery and spoofing
airodump-ng Wireless packet capture tool (part of Aircrack-ng suite)
iwconfig/iw Low-level wireless configuration tools
arpspoof ARP spoofing tool for MITM attacks (dsniff suite)
Responder LLMNR/NBT-NS/MDNS poisoner that uses ARP for local network attacks

3.18 Security Notes

🔒

Security — ARP Scanning Is Detectable

ARP requests are visible to all devices on the LAN. Network monitoring tools will log your scanning activity. On authorized engagements, inform the client about expected scan noise.

🔒

Security — Monitor Mode Legal Status

Enabling monitor mode and capturing wireless frames may be illegal depending on your jurisdiction. Always ensure you have explicit authorization.

🔒

Security — Defending Against ARP Reconnaissance

Implement static ARP entries on critical systems, use port security on switches, and deploy ARP monitoring tools to detect scanning activity.

3.19 Summary

ARP scanning and WiFi monitor mode are complementary skills for local network discovery. ARP scanning provides fast, reliable host discovery on wired networks, while monitor mode opens the door to wireless reconnaissance and attack.

  • Use arp-scan -l for quick local network discovery
  • Use arping for verifying individual hosts
  • Always kill interfering processes before enabling monitor mode
  • Use a dedicated USB adapter with known monitor mode support
  • Restore NetworkManager after disabling monitor mode
  • Combine ARP discovery results with Nmap for comprehensive enumeration

3.20 Quick Reference Cheat Sheet

Task Command
Scan local subnet sudo arp-scan -l
Scan specific subnet sudo arp-scan 192.168.1.0/24
Verify single host sudo arping -c 3 192.168.1.1
List wireless interfaces sudo airmon-ng
Kill interfering processes sudo airmon-ng check kill
Enable monitor mode sudo airmon-ng start wlan0
Disable monitor mode sudo airmon-ng stop wlan0mon
Restore connectivity sudo systemctl start NetworkManager
Chapter 04

Capturing WPA2 Handshakes and Cracking Passwords

4.1 Introduction

Wireless networks secured with WPA or WPA2-PSK (Pre-Shared Key) rely on a 4-way handshake process when a client device authenticates to an Access Point (AP). This handshake proves that both the AP and the client know the pre-shared key, without ever transmitting the key itself across the air.

However, if an attacker can capture this 4-way handshake, they can perform an offline dictionary attack against it. By repeatedly hashing passwords from a wordlist and comparing the results to the captured handshake, the attacker can recover the original Wi-Fi password.

This chapter focuses on using the Aircrack-ng suite to locate target networks, capture the WPA2 handshake using airodump-ng, actively force clients to reconnect using aireplay-ng, and finally crack the captured hash offline using aircrack-ng.

4.2 What Are These Tools?

The Aircrack-ng suite is a complete set of tools to assess Wi-Fi network security. For this workflow, we focus on three primary components:

  • airodump-ng — A packet capture tool for 802.11 frames. It displays nearby Access Points, connected clients, and saves the raw captured data to disk (.cap files).
  • aireplay-ng — A frame injection tool used to generate artificial traffic. In this workflow, it is used to send deauthentication (deauth) frames to force a client to disconnect and reconnect, triggering a new handshake.
  • aircrack-ng — An 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets or a valid handshake has been captured.

4.3 Why It Is Used

  • Wireless security auditing — Evaluating the strength of an organization's wireless passwords.
  • Physical penetration testing — Gaining initial access to an internal network from the parking lot or lobby.
  • Compliance testing — Ensuring that wireless networks meet regulatory standards for encryption and password complexity.
  • Red teaming — Simulating real-world attacks where wireless networks are often the weakest link in the perimeter.

4.4 Features

  • Passive capturing — airodump-ng can capture handshakes passively by just listening to the airwaves, remaining completely undetectable.
  • Active deauthentication — aireplay-ng can actively disrupt connections to speed up the capture process.
  • Offline cracking — Once the handshake is captured, aircrack-ng runs offline, meaning there is no risk of locking out accounts or generating network alerts during the cracking phase.
  • Broad compatibility — Works with almost any wireless adapter that supports monitor mode and packet injection.

4.5 Installation

The Aircrack-ng suite is pre-installed on Kali Linux. If you need to install or update it, you can do so via APT:

┌──(kali㉿kali)-[~] └─$ sudo apt update && sudo apt install -y aircrack-ng

4.6 Prerequisites

  • Monitor Mode adapter — Your wireless adapter must be in monitor mode (e.g., wlan0mon) as covered in Chapter 3.
  • Packet Injection capability — Required for sending deauth frames with aireplay-ng. Test it with sudo aireplay-ng --test wlan0mon.
  • A good wordlist — The success of the attack entirely depends on the wordlist. rockyou.txt is a standard starting point.
  • Proximity to target — You need a strong enough signal to reliably capture the packets from both the AP and the client.

4.7 Basic Syntax

airodump-ng [options] <interface>
aireplay-ng [options] <interface>
aircrack-ng [options] <capture file>

4.8 Most Important Commands

Command Purpose
sudo airodump-ng wlan0mon Scan all channels for networks
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon Target a specific AP and save to file
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon Send 5 deauth packets to a client
aircrack-ng -w wordlist.txt capture-01.cap Crack the captured handshake

4.9 Command Explanation

Targeting a Network

Once you identify a target AP, you must lock airodump-ng to its specific channel and BSSID (MAC address), and tell it to write the captured packets to a file:

┌──(kali㉿kali)-[~] └─$ sudo airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w handshake_capture wlan0mon

Deauthenticating a Client

To speed up the capture, you can force a connected client to disconnect. When they automatically reconnect, airodump-ng will capture the handshake. The -0 flag specifies the deauth attack, followed by the number of packets to send (e.g., 5):

┌──(kali㉿kali)-[~] └─$ sudo aireplay-ng -0 5 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon

Cracking the Handshake

After successfully capturing the handshake, you can stop airodump-ng and use aircrack-ng to brute-force the password using a wordlist:

┌──(kali㉿kali)-[~] └─$ aircrack-ng -w /usr/share/wordlists/rockyou.txt handshake_capture-01.cap

4.10 Common Flags

Flag Tool Description
-c <channel> airodump-ng Listen only on the specified channel
--bssid <MAC> airodump-ng Filter capture to a specific AP
-w <prefix> airodump-ng Write captured data to files starting with prefix
-0 <count> aireplay-ng Perform deauthentication attack (count = number of packets)
-a <MAC> aireplay-ng BSSID (MAC address of the Access Point)
-c <MAC> aireplay-ng MAC address of the target client to deauth
-w <wordlist> aircrack-ng Path to the dictionary file

4.11 Practical Examples

Step 1: Locate Target

Start airodump-ng to scan all channels:

┌──(kali㉿kali)-[~] └─$ sudo airodump-ng wlan0mon

Identify your target's BSSID and Channel. Press Ctrl+C to stop.

Step 2: Targeted Capture

Focus airodump-ng on the target AP to capture the handshake (assuming BSSID 00:11:22:33:44:55 on channel 6):

┌──(kali㉿kali)-[~] └─$ sudo airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w corp_wifi wlan0mon

Leave this terminal open and running.

Step 3: Deauthenticate a Client

In a second terminal window, identify a connected client (STATION) from the airodump-ng output, and send deauth frames:

┌──(kali㉿kali)-[~] └─$ sudo aireplay-ng -0 5 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon

Step 4: Verify Handshake and Crack

Check the first terminal. In the top right corner, you should see [ WPA handshake: 00:11:22:33:44:55 ]. If you see this, you can stop airodump-ng and proceed to cracking:

┌──(kali㉿kali)-[~] └─$ aircrack-ng -w /usr/share/wordlists/rockyou.txt corp_wifi-01.cap

4.12 Expected Output

airodump-ng Handshake Capture

CH 6 ][ Elapsed: 2 mins ][ 2025-01-15 14:30 ][ WPA handshake: 00:11:22:33:44:55 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:11:22:33:44:55 -45 100 1256 450 4 6 54e. WPA2 CCMP PSK CorpWiFi BSSID STATION PWR Rate Lost Frames Notes Probes 00:11:22:33:44:55 AA:BB:CC:DD:EE:FF -50 0e-24e 0 45

aircrack-ng Success

Aircrack-ng 1.7 [00:00:15] 15000/14344391 keys tested (1000.00 k/s) Time left: 3 hours, 59 minutes, 4 seconds 0.10% KEY FOUND! [ Summer2025! ] Master Key : AB CD EF 01 23 45 67 89 0A BC DE F0 12 34 56 78 90 AB CD EF 01 23 45 67 89 0A BC DE F0 12 34 56 Transient Key : 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 EAPOL HMAC : 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00

4.13 Real-World Use Cases

  • Red Team Engagements — Bypassing physical security by accessing the internal network from outside the building via a weak Wi-Fi password.
  • Guest Network Auditing — Ensuring guest networks are properly isolated and that their PSK strength is adequate.
  • Employee Awareness — Demonstrating the danger of using weak or easily guessable passwords for corporate Wi-Fi.

4.14 Best Practices

Best Practice — Lock the Channel

Always lock airodump-ng to the specific channel of the target AP using the -c flag. If airodump-ng hops channels while the handshake occurs, you will miss packets.

Best Practice — Targeted Deauth

Use targeted deauthentication (-c <Client MAC>) instead of a broadcast deauth. Broadcast deauths are highly noisy, disrupt the entire network, and often fail on modern APs.

Best Practice — Use Hashcat for Speed

While aircrack-ng is excellent for validation, you can convert the .cap file to a hashcat format (using hcxpcapngtool) and crack it much faster using GPU acceleration with Hashcat.

4.15 Common Mistakes

Mistake — Attacking 5GHz on a 2.4GHz Adapter

Ensure your Wi-Fi adapter supports the frequency of the target AP. A 2.4GHz-only adapter cannot capture a handshake from a 5GHz network.

Mistake — Relying on Small Wordlists

If the password is not in your wordlist, aircrack-ng will fail. Use massive wordlists, custom rules, or targeted dictionaries for realistic assessments.

4.16 Troubleshooting

Problem: aircrack-ng says "1 handshake, with PMKID" but cracking fails immediately

Cause: The capture is incomplete and doesn't contain all 4 parts of the handshake.

Solution: Capture the handshake again. Ensure you are close enough to both the AP and the client to hear packets from both directions.

Problem: aireplay-ng fails with "No such BSSID available"

Cause: You are too far away from the AP, or the AP is on a different channel.

Solution: Verify you are locked to the correct channel in airodump-ng. Move physically closer.

4.17 Related Tools

Tool Description
Wifite Automated script that runs airodump-ng and aireplay-ng to capture handshakes automatically
hcxdumptool Advanced tool to capture PMKID and handshakes without needing clients (client-less attacks)
Hashcat GPU-accelerated cracking tool that cracks WPA/WPA2 significantly faster than aircrack-ng
Kismet Passive wireless network detector, sniffer, and intrusion detection system

4.18 Security Notes

🔒

Security — Deauthentication is an Active Attack

Sending deauthentication frames actively disrupts a network, causing Denial of Service (DoS) for the users. This is illegal without explicit consent and highly visible to Wireless Intrusion Prevention Systems (WIPS).

🔒

Security — PMF (Protected Management Frames)

WPA3 and properly configured WPA2 networks use 802.11w (PMF), which encrypts management frames. If PMF is enabled, deauthentication attacks via aireplay-ng will not work.

4.19 Summary

Capturing WPA2 handshakes is a core skill for any physical or wireless penetration test. The combination of passive monitoring and active deauthentication allows attackers to efficiently gather the cryptographic material needed to brute-force a network key.

  • Use airodump-ng to locate the target and lock onto its channel.
  • Use aireplay-ng to send targeted deauthentication frames to a connected client.
  • Verify the handshake was captured in airodump-ng before stopping.
  • Use aircrack-ng with a strong wordlist to crack the captured handshake offline.

4.20 Quick Reference Cheat Sheet

Task Command
Scan all channels sudo airodump-ng wlan0mon
Target AP & save capture sudo airodump-ng -c 6 --bssid AP_MAC -w capture wlan0mon
Targeted deauth attack sudo aireplay-ng -0 5 -a AP_MAC -c CLIENT_MAC wlan0mon
Broadcast deauth (noisy) sudo aireplay-ng -0 10 -a AP_MAC wlan0mon
Crack handshake aircrack-ng -w wordlist.txt capture-01.cap
Test packet injection sudo aireplay-ng --test wlan0mon

About the Author

Najeeb Ahmed (AKA DEVOOO) is a cybersecurity enthusiast and author of technical guidebooks. This guidebook is designed to help professionals master the practical use of Kali Linux in penetration testing environments.

Stay curious, stay legal, and keep hacking.