How to crack WPA handshakes
This blog post will take you step by step through cracking the four-way handshake and defeating WPA2!
The information and tutorials on this site are for educational purposes only. Only perform these actions on Wi-Fi networks and devices for which you have explicit permission. All examples shown here were conducted with proper authorisation. Unauthorised access to networks or devices is illegal and unethical.
Getting Started
In order to crack the four-way WPA2 handshake, we first need to intercept a device connecting to the router. To do this, we need a network adapter that supports monitor mode so that we can observe the traffic going to the router. In this tutorial I will be using the Alfa Network AWUS036NHA, as it has great compatibility with Kali.
For demonstration purposes, I will be cracking a simple preset password using the rockyou.txt list; however, I will also mention how attackers approach the pseudo-random passwords that commonly ship with modern routers (if you have lots and lots of compute available!). All of the commands below come installed with a basic fresh installation of Kali Linux. A video demonstration can be found at the bottom.
The Setup:

Step-by-step guide
This guide exploits a fundamental weakness in the WPA2 protocol: unlike WPA3, where management frames are cryptographically protected, WPA2 (without Protected Management Frames) does not authenticate deauthentication frames. This allows any attacker to spoof these frames and kick devices off the network. When a device reconnects (often automatically), it gives us a great opportunity to capture the handshake and try to crack it offline.
Step 1: Removing interference
First, we need to make sure that nothing can interfere with monitor mode or packet capture, so we stop any services that may cause problems. To do this, we run the command: sudo airmon-ng check kill
Step 2: Starting the network adapter
Next, we need to put the network adapter into monitor mode. To do this, we first need the name assigned to the wireless interface, which we can find by running iwconfig. This lists all of the wireless network interfaces; in my case, my network adapter is wlan0. Now that we know the interface name, we can put it into monitor mode by running the command sudo airmon-ng start InterfaceName. This places the network adapter into monitor mode so that we can capture and inject packets!
Step 3: Scan and List nearby Wi-Fi Networks
In order to intercept the WPA handshake and crack it, we first need to find the target network's MAC address (BSSID) and channel number. We can do this by running the command sudo airodump-ng interfaceName (in my case, the monitor interface was named wlan0mon). This gives us a list of the networks around us, their associated MAC addresses and the channel each runs on. This information will be crucial for the next step.
Step 4: Monitor that network!
Now for the exciting part, where we start to capture traffic on the network! To do this, we run the command sudo airodump-ng -w output.cap -c channelNum --bssid routerMAC interfaceName. This starts listening on that channel and captures traffic between the router and any of its devices. The channel and MAC address come from the previous command, and the -w option sets the output file, which is written as a .cap file that we can later crack. While the next step is not strictly necessary, it speeds up the process (and is very cool!).
Step 5: (Optional) Deauthenticate devices.
In this step, we can see why leaving management frames unauthenticated in the WPA2 standard may have been a poor choice. By running the following command, we can kick devices off a network; when they re-join (often automatically), we will be able to capture the four-way handshake and begin offline cracking. This command can also be set to run indefinitely, effectively creating a Denial of Service (DoS) attack. The command is sudo aireplay-ng --deauth 0 -a routerMAC interfaceName. The 0 after --deauth is the number of deauthentication frames to send; 0 sends them indefinitely. This will force all devices to disconnect from the network.
Step 6: Crack that hash!
Once the handshake has been captured (either by using step 5 or simply because someone connected manually), we can move on to cracking it. In this demonstration, I set the password to the very insecure value superduper, as I knew it was in the rockyou.txt password list. In reality, you will rarely find a password like this; it should be a pseudo-random alphanumeric string. I will touch on how attackers crack those later; for now, let's assume our victim has this weak password. If so, we can crack it with a dictionary attack, a very common method of password cracking. I chose the rockyou.txt list as it is still relevant in 2025, because people still use weak, common passwords. The command that derives a key from each rockyou.txt candidate and compares it against the captured handshake is aircrack-ng outputName.cap -w /usr/share/wordlists/rockyou.txt. If the password is in the rockyou.txt list and a match is found, the password will be displayed!
Video Example:
How do modern attackers hack the random passwords that come with new routers?
Modern attackers use a variety of methods to speed up offline cracking. One is to use a rainbow table: a large database (often stored as a hashmap) of precomputed WPA2 hashes and their associated passwords. Well-equipped attackers can use clusters and GPU acceleration to compute millions of hash/password pairs. This means that if your password is in the table, it will be found very, very quickly.
They also hope that the user has changed the password to a weaker one that can be attacked with a dictionary attack and wordlists (as shown above). As we demonstrated, if you use a common, short, human-chosen password, it is likely trivial to crack in minutes rather than years, since a wordlist drastically reduces the number of guesses needed compared to pure brute force.
How can I protect myself against this sort of attack?
A simple way to protect yourself against this attack is to use WPA3. WPA3 uses a much stronger authentication and key exchange (SAE), which makes it far more resistant to offline dictionary attacks. It also fixes the issue with deauthentication frames, as these are authenticated, making them much harder for an attacker to spoof.
However, WPA3 is not supported by all home routers. If it is not supported, and Protected Management Frames (PMF) are not an option in your Wi-Fi settings, you may instead need to use a pseudo-random password that is computationally infeasible to crack. You can do this by generating a long, random password with a password manager. The longer the password, the harder it is to crack, even by the methods above. This pushes the time to crack the password to many, many years, which is of course impractical, keeping your password secure.
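To make the rainbow-table and password-length points concrete, here is an added example (not from the original post) that derives the WPA2 pre-shared key material exactly as the standard specifies, PBKDF2-HMAC-SHA1 over the passphrase salted with the SSID, checks it against the published IEEE 802.11i test vector, and estimates worst-case exhaustion time for a few password policies. The network names and the rate of one million derivations per second are assumptions chosen for illustration.

```python
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK Pairwise Master Key: PBKDF2-HMAC-SHA1, salted with the SSID,
    4096 iterations, 256-bit output (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_per_ssid(passphrase: str, ssids) -> dict:
    """The same passphrase yields a different PMK under every SSID, which is why a
    precomputed table only helps against the SSIDs it was built for."""
    return {ssid: wpa2_pmk(passphrase, ssid).hex() for ssid in ssids}


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of this length over this charset at an
    assumed derivation rate (an assumption for the estimate, not a measurement)."""
    keyspace = charset_size ** length
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


ASSUMED_RATE = 1e6  # assumed PMK derivations per second for the estimates below

if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", wpa2_pmk("password", "IEEE").hex())
    # Assumed SSIDs: same passphrase, three unrelated keys.
    for ssid, pmk in pmk_per_ssid("password", ["IEEE", "HomeNet", "HomeNet2"]).items():
        print(f"{ssid:10} {pmk[:16]}...")
    for label, charset, n in [("8 lowercase letters", 26, 8),
                              ("8 mixed alphanumerics", 62, 8),
                              ("20 mixed alphanumerics", 62, 20)]:
        print(f"{label:24} {years_to_exhaust(charset, n, ASSUMED_RATE):.3g} years")
```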