Cracking WPA2 Personal PSKs

Below is the process I use for testing the strength of a wireless network’s password (WPA2 Personal in this example). This guide is intended for someone who already has a working knowledge of Kali Linux and an external WIFI adapter that is capable of operating in monitor mode and also capable of packet injection.

With my WIFI adapter connected, we can see that it’s listed as wlan0.


We type airmon-ng to make sure our adapter is listed in the output.  If not, resolve that issue before proceeding.


We gathered the name of the wireless interface from the first step, so we can now type the below command.  Notice that the interface name has now changed to wlan0mon.  Make note of what it changes to, as it will be needed later.


Running ifconfig confirms the interface name change mentioned above.


The below command will list all of the wireless networks in the vicinity of the wireless adapter.


Below is the list of available wireless networks.  In this example, we are targeting the wireless network named “Nick’s iPhone”.  We need to make note of the BSSID and the channel.


We copy out the BSSID so that we don’t have to type it in manually.


To monitor only the target network (Nick’s iPhone in this example), issue the below command:


We can see that there is a single device connected (listed under station).


From here, we need to open a new terminal and issue the below command.  The command will send two “deauth” packets to the device/station connected to the wireless network named Nick’s iPhone.  When this happens, the device will be disconnected and will typically try to reconnect automatically.  When the device reconnects, we should (hopefully) capture the WPA2 4-way handshake.


In the top right-hand corner of the original terminal window we should see “WPA handshake” once the device has successfully reconnected. The capture files will also be on the desktop.
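The deauthentication step above works because 802.11 management frames are unprotected unless the network enables Protected Management Frames (802.11w, mandatory in WPA3), so a burst of deauth frames carrying the AP's own address is the signature a wireless IDS looks for. The following is an added example, not code from the original post: a small Python parser for raw 802.11 management frame headers and a sliding-window detector that flags a BSSID once it sees several deauth or disassoc frames in a short interval. The frames, addresses and timestamps are constructed inline as sample data; the window and threshold values are assumptions to tune per environment.

```python
import struct
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12      # 802.11 management subtype for Deauthentication
DISASSOC_SUBTYPE = 10    # 802.11 management subtype for Disassociation
BEACON_SUBTYPE = 8

# Common 802.11 reason codes, for readable alerts
REASON_CODES = {1: "unspecified", 2: "previous auth no longer valid",
                3: "station leaving", 4: "inactivity",
                6: "class 2 frame from non-authenticated STA",
                7: "class 3 frame from non-associated STA"}


def build_frame(ftype, subtype, dst, src, bssid, reason=None):
    """Construct a minimal raw 802.11 frame (no radiotap header), sample data only."""
    fc = struct.pack("<H", (subtype << 4) | (ftype << 2))   # frame control, little-endian
    frame = fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00"  # duration, addr1-3, seq ctrl
    if reason is not None:                                   # deauth/disassoc body: reason code
        frame += struct.pack("<H", reason)
    return frame


def parse_frame(frame):
    """Decode frame control and the three addresses; return None for truncated frames."""
    if len(frame) < 24:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    parsed = {"type": ftype, "subtype": subtype,
              "dst": frame[4:10], "src": frame[10:16], "bssid": frame[16:22], "reason": None}
    if ftype == 0 and subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(frame) >= 26:
        (parsed["reason"],) = struct.unpack_from("<H", frame, 24)
    return parsed


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def detect_deauth_bursts(capture, window_s=5.0, threshold=3):
    """Flag any BSSID that emits >= threshold deauth/disassoc frames within window_s seconds.

    capture: iterable of (timestamp_seconds, raw_frame_bytes).
    Returns one alert dict per offending BSSID with the largest burst observed.
    """
    recent = defaultdict(deque)   # bssid -> recent (ts, parsed) deauth frames
    alerts = {}
    for ts, raw in sorted(capture, key=lambda x: x[0]):
        f = parse_frame(raw)
        if f is None or f["type"] != 0 or f["subtype"] not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        q = recent[f["bssid"]]
        q.append((ts, f))
        while q and ts - q[0][0] > window_s:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(f["bssid"], {"count": 0})
            if len(q) >= prev["count"]:
                alerts[f["bssid"]] = {
                    "bssid": mac(f["bssid"]), "count": len(q),
                    "first_ts": q[0][0], "last_ts": ts,
                    "targets": sorted({mac(x["dst"]) for _, x in q}),
                    "reasons": sorted({x["reason"] for _, x in q}),
                }
    return list(alerts.values())


# Constructed sample capture: locally administered MACs, nothing real.
AP = bytes.fromhex("02a1b2c3d4e5")
STA = bytes.fromhex("021122334455")
OTHER_AP = bytes.fromhex("02f1e2d3c4b5")
OTHER_STA = bytes.fromhex("02aabbccddee")
BCAST = b"\xff" * 6

SAMPLE_CAPTURE = [
    (100.00, build_frame(0, BEACON_SUBTYPE, BCAST, AP, AP)),          # normal beacon
    (100.10, build_frame(2, 0, AP, STA, AP)),                         # client data frame
    (101.00, build_frame(0, DEAUTH_SUBTYPE, OTHER_STA, OTHER_AP, OTHER_AP, reason=3)),  # lone, benign
    (130.00, build_frame(0, DEAUTH_SUBTYPE, STA, AP, AP, reason=7)),   # burst begins
    (130.05, build_frame(0, DEAUTH_SUBTYPE, STA, AP, AP, reason=7)),
    (130.10, build_frame(0, DEAUTH_SUBTYPE, BCAST, AP, AP, reason=7)),
    (130.15, build_frame(0, DEAUTH_SUBTYPE, STA, AP, AP, reason=7)),
    (131.00, build_frame(0, BEACON_SUBTYPE, BCAST, AP, AP)),
]

ALERTS = detect_deauth_bursts(SAMPLE_CAPTURE)

if __name__ == "__main__":
    for a in ALERTS:
        reasons = ", ".join(REASON_CODES.get(r, str(r)) for r in a["reasons"])
        print(f"deauth burst from {a['bssid']}: {a['count']} frames in "
              f"{a['last_ts'] - a['first_ts']:.2f}s -> {a['targets']} (reason: {reasons})")
```

The detector keys on the BSSID field rather than the source address because forged deauth frames carry the AP's address in both; the single reason-3 deauth from the other AP stays below threshold and is ignored. In production the frames would come from a monitor-mode capture (radiotap header stripped first), and the lasting fix is enabling PMF on the network so clients discard unprotected deauth frames.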


Issue the below command.  Note: when using wpaclean, the name of the OUTPUT file must be listed first.  This is counter-intuitive: the name can be anything, but the output file comes before the input capture.


As we are using hashcat to brute force the PSK, we need to convert the capture files into a format that is usable by hashcat.


A continuation of the above screenshot:


Below is the hashcat command needed to attempt to brute-force the PSK against your favorite wordlists.  As we can see below, the password was found in the wordlist, and the WIFI password for the target is: wireless123.
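The reason a captured handshake is enough for offline guessing is that WPA2-Personal derives the PMK from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 rounds, 32 bytes); each guess costs that derivation and nothing else, so a passphrase like wireless123 that sits in a wordlist (dictionary word plus trailing digits) falls immediately. The following is an added example, not code from the original post: a PSK policy check of the kind a network owner can run before committing a passphrase, alongside the PMK derivation itself so the cost per guess is visible. The wordlist is a constructed stand-in for a real one; the minimum length and entropy thresholds are assumptions.

```python
import hashlib
import math
import secrets
import string

# Constructed mini wordlist; a real check would use a large breached-password list.
WORDLIST = {"password", "wireless", "internet", "iphone", "welcome", "letmein", "qwerty"}


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def base_word(psk: str) -> str:
    """Strip trailing digits/symbols and lower-case: 'wireless123' -> 'wireless'."""
    return psk.lower().rstrip(string.digits + "!@#$%^&*._-")


def entropy_bits(psk: str) -> float:
    """Upper-bound entropy assuming characters were drawn uniformly from the pools used."""
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(c in string.punctuation for c in psk):
        pool += len(string.punctuation)
    if " " in psk:
        pool += 1
    return len(psk) * math.log2(pool) if pool else 0.0


def check_psk(psk: str, wordlist=WORDLIST, min_len: int = 16, min_bits: float = 70.0) -> dict:
    """Return {'accepted', 'entropy_bits', 'problems'} for a candidate WPA2 passphrase."""
    problems = []
    if not 8 <= len(psk) <= 63:
        problems.append("WPA2 passphrases must be 8 to 63 characters")
    if psk.lower() in wordlist:
        problems.append("exact match in wordlist")
    elif base_word(psk) in wordlist:
        problems.append(f"wordlist word '{base_word(psk)}' with trailing digits/symbols")
    if len(psk) < min_len:
        problems.append(f"shorter than {min_len} characters")
    bits = entropy_bits(psk)
    if bits < min_bits:
        problems.append(f"estimated entropy {bits:.1f} bits is below {min_bits:.0f}")
    return {"accepted": not problems, "entropy_bits": round(bits, 1), "problems": problems}


def generate_psk(length: int = 24) -> str:
    """Random alphanumeric passphrase from the OS CSPRNG (62^24 is about 143 bits)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("wireless123", "correct horse battery staple", generate_psk()):
        result = check_psk(candidate)
        print(f"{candidate!r}: accepted={result['accepted']} "
              f"entropy~{result['entropy_bits']} bits {result['problems']}")
    # Constructed SSID for illustration; the PMK changes whenever the SSID does,
    # which is why precomputed tables only help against common SSIDs.
    print("PMK:", wpa2_pmk("wireless123", "Nick's iPhone").hex())
```

The entropy figure is an upper bound (it treats every character as random), which is why the wordlist test runs first and overrides it: wireless123 scores about 57 bits on the character count alone but is rejected on the dictionary hit. The PMK function is checked in the test against the IEEE 802.11 Annex test vector (passphrase "password", SSID "IEEE").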


