Cracking WPA2 Tutorial

June 17, 2011 by Andrew Whitaker

In this video we demonstrate how to crack WPA2 using the Airmon-ng suite. The steps are:

  • Identifying an access point
  • Capturing traffic from that access point
  • Attempting to capture the handshake. There are two options for this:
    1. Wait for a client to connect on its own
    2. Run a deauth attack to force a connected client to disconnect, then capture the handshake when it reconnects

Once you have captured the handshake, you can attempt to crack it with a word list or a rainbow table; the key is recovered from there.
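The word-list and rainbow-table approaches both come down to the same key derivation, which takes the SSID as its salt. The following added example (not code from the video or from Aircrack-ng) models a precomputed table built for a few common access-point names and shows why it yields nothing for an unusual SSID; the SSID and word lists are constructed sample data.

```python
import hashlib

# WPA/WPA2-Personal (IEEE 802.11i) derives the Pairwise Master Key from the
# passphrase with the SSID as the salt:
#   PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
# The SSID salt is why a precomputed ("rainbow") table is only useful for
# the access-point names it was built for.

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK for a passphrase/SSID pair."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)

def build_table(wordlist, ssids):
    """Precompute PMKs for every (SSID, word) pair, as a table vendor would
    for the most common access-point names. The table is keyed by SSID, so
    it holds nothing at all for names it was not built with."""
    return {ssid: {derive_pmk(w, ssid): w for w in wordlist} for ssid in ssids}

def table_lookup(table, ssid, pmk):
    """Return the passphrase if the PMK is in the precomputed table, else None."""
    return table.get(ssid, {}).get(pmk)

# Constructed sample data: a tiny "top SSIDs" list and a tiny word list.
COMMON_SSIDS = ["linksys", "default", "NETGEAR"]
WORDLIST = ["password", "letmein", "sunshine"]

def demo():
    table = build_table(WORDLIST, COMMON_SSIDS)
    # A weak passphrase on a common SSID is found by a single dictionary lookup...
    hit = table_lookup(table, "linksys", derive_pmk("password", "linksys"))
    # ...while the same passphrase on an unusual SSID has no table entry, so
    # every candidate would have to be re-derived at 4096 HMAC-SHA1 rounds each.
    miss = table_lookup(table, "John&Fr3d'z", derive_pmk("password", "John&Fr3d'z"))
    return hit, miss

if __name__ == "__main__":
    print(demo())
```

The first assertion in the test uses the published IEEE 802.11i test vector for passphrase "password" and SSID "IEEE".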



Andrew Whitaker is a Senior Instructor for both the InfoSec Institute and the Intense School. He is also a nationally recognized expert on information security. He has performed penetration tests on numerous financial institutions throughout the United States and has been a regular consultant to government agencies on cyber security. He is also the author of several best-selling security and networking books, including "Penetration Testing and Network Defense" (Cisco Press), "Cisco Router Configuration Handbook" (Cisco Press), and "Chained Exploits: Advanced Hacking Attacks From Start to Finish" (Addison-Wesley). He is also a frequent conference speaker and has given talks on ethical hacking at Defcon, Chicagocon, SecurePhilly, and TakeDownCon. Whitaker also holds a Master’s Degree in Computer Science. He has trained the military, government defense contractors, and intelligence agencies on cyber security, risk management, ethical hacking, reverse engineering and exploit development.

10 responses to “Cracking WPA2 Tutorial”

  1. chris says:

    Hi Andrew Whitaker,
    My name is Chris.
    This video is fine, but the main thing I want to know is how I can crack WPA/WPA2 without a dictionary attack.
    I tried to use JTR with the INCREMENTAL switch piped into jtr. I left it for 5 HOURS but no use.
    What else can I do? Because the dictionary file doesn't work all the time, but most of the time.
    Can you please try to find something without a dictionary attack.
    Can't we brute-force WPA randomly?
    One more thing: can you tell me where I can find the max table of rainbow tables? I want to buy.


  2. Jay Libove, CISSP, CIPP, CISM says:

    Andrew’s final comment in the video is “You can’t trust the security of WPA2”, a conclusion which he draws partly on the awful tendency of users (and even administrators) to choose truly weak WPA/WPA2 passphrases, and more completely on the existence of rainbow tables.

    There’s a nice article here http://www.renderlab.net/projects/WPA-tables/ about rainbow tables. In summary, there are available rainbow tables in the size of about 33GB which can be downloaded or purchased, and which contain tables for 1 million “words” pre-hashed over the top 1000 most common access point names. (There may be other, even larger and more complete rainbow tables available).

    But, still, this relies on the confluence of a moderately common access point name and insufficiently strong passphrase.

    I submit that it’s not that you can’t trust the security of WPA2, it’s that almost any security system can be used insecurely.

    1. Choose something either random, or very unusual, for your access point name. e.g. “John&Fr3d’z !ccess_p[]1nt_” (I tried, and failed, to find an RFC describing the explicit rules for access point names, but it seems likely that a name could be chosen which is both descriptive and unlikely to appear in the rainbow tables)
    2. Choose long, complex passphrases, preferably random, or again as above very unusual (and, due to rainbow tables, in this case “unusual” must go well beyond just “H8cker_sp3ak”).

    ... or have the rainbow tables become so good and so available that there is, for practical purposes, no adequately secure combination of SSID and passphrase?

  3. It is truly a great and useful piece of information. I’m satisfied that you simply shared this helpful info with us. Please keep us up to date like this. Thank you for sharing.

  4. adam says:

    It’d be great if these programs could be run in Windows and/or if they could be run entirely from an .exe file. I cracked a WEP key using Backtrack 4 and a Hawking USB wireless adapter, but that source has since left the building. I tried BT3 and BT5 but they didn’t play nice with my wireless adapter for some reason. It’s not like doing it is hard or anything, it’s just getting used to the command line, and knowing that one wrong character and you have to type the whole line over again. That’s annoying.

  5. general says:

    I don’t have a GPU-accelerated cracking machine. I have tried some dictionary attacks but they didn’t work. Would anyone be willing to help me crack this WPA handshake?
    Thanks in anticipation

    My email id is http://www.google.com/recaptcha/mailhide/d?k=01qjEzTMSs43bbrpJYYqgQlQ==&c=6td13CjLr6kTmdcCz_k_-srrHf_T0AMEejqb9wOfY1Y=

  6. johnny says:

    Hey general,

    I’d suggest grabbing the guide at http://www.majestysecurity.com – It covers basic and advanced attacks on all types of WIFI networks..

  7. Andy says:

    Also you can use online GPU-accelerated services (http://www.gpuhash.com for example) for fast cracking. Tried this one last week and had one password revealed (from 3 handshakes, though).

  8. wpa2 says:

    Where to download without a CD?

  9. Alex says:

    What if the password isn’t in any wordlist or rainbow table? Is there a way to reverse engineer the handshake?

  10. Luis kuan says:

    Hi, may I ask how to crack WPA2/WPA with Backtrack 4 R1? Because I can’t capture the WPA handshake. Normally I do it with these steps…
    2. airmon-ng start wlan
    3. airodump-ng mon0
    5. airmon-ng stop mon0
    6. airmon-ng start wlan0 1
    8. airodump-ng -c 1 --bssid d8:5d:4c:e6:f3:04 -w wpa mon0
    9. aireplay-ng -0 3 -a d8:5d:4c:e6:f3:04 -c 04:48:4c:ff:ff:fe mon0
    10. aircrack-ng -w mypass.txt wpa-01.cap

    When I do the step between step 8 and 9 the handshake capture didn’t appear; I have waited for a long time, about 4 hours, but it still doesn’t appear.
    But I have noted that the PSK has changed to MGT after I do step 9.
    Can you help me see if my steps are wrong? Can you give me your steps?
