
Capturing and Cracking WPA - WPA2 WiFi Passwords - Predatech

The document discusses techniques for capturing and cracking WPA/WPA2 WiFi passwords using Kali Linux, highlighting the importance of understanding these methods to enhance network security. It outlines steps for capturing WPA/WPA2 pre-shared key hashes, including activating monitor mode and using packet sniffing tools, as well as methods for cracking these hashes. Additionally, it provides recommendations for reducing the risk of wireless exploitation, such as upgrading to WPA3, using strong passwords, and limiting signal strength.

3/19/25, 9:46 AM Capturing and Cracking WPA/WPA2 WiFi Passwords | Predatech


29.07.2024 | Nicholas Ray

Tags: Penetration Testing (https://predatech.co.uk/tag/penetration-testing/)

Capturing and Cracking WPA/WPA2 WiFi Passwords with Kali Linux

Wireless access points can provide a gateway into your organisation’s network for unauthorised threat
actors.

Understanding the techniques used by threat actors to capture and crack WPA/WPA2 hashes can
also be useful when trying to enhance your network security.

In this blog, we’ll explore how wireless packets can be captured, how WPA/WPA2 pre-shared key
hashes can be obtained and how these hashes can be cracked to derive the plaintext password. We’ll
then look at what can be done to reduce the risk of wireless exploitation which will ultimately help to
better protect your organisation.

Capturing WPA/WPA2 Pre-Shared Key Hashes


1. Kill Running Processes: To begin, you must ensure that any running networking services on your
machine are killed. This shuts down any services that may prevent airmon-ng placing the
wireless network interface card (NIC) in monitor mode. The following command must be run
from the airmon-ng suite.


sudo airmon-ng check kill


2. Monitor Mode Activation: Your wireless NIC must be set to monitor mode. This mode allows the
NIC to monitor and capture all wireless traffic within range. We recommend using a wireless
adapter that will support packet injection and monitor mode. The wireless adapters will also
provide much better signal reception over a built-in wireless NIC.

sudo airmon-ng start wlan0

3. Packet Sniffing: Once in monitor mode, a tool such as airodump-ng can be employed to capture
incoming wireless packets. The tool provides a real-time view of the wireless networks in range
(SSIDs) and their access point MAC addresses (BSSIDs). We use the following command,
focusing on the wlan0 interface in our case.

sudo airodump-ng 'wlan0'

4. Targeted Capture: To reduce the noise and focus on the target we are interested in, we can set
airodump to filter by the relevant BSSID and channel. Where there are multiple BSSIDs, try to
focus on one which has a higher amount of data reported.


We now wait until a WPA/WPA2 handshake is captured. Once captured there will be a banner at the
top of the panel which reads ‘[ WPA Handshake: <MAC Address>] ’. Once the handshake has been
obtained, we can stop the tool and collect the .pcap file that’s been generated (which now holds the
captured WPA/WPA2 handshake).

sudo airodump-ng -c 4 --bssid '60:A4:B7:49:D9:ED' -w capture 'wlan0'

5. Deauthentication Attack (Optional): Where you’re having trouble capturing a wireless
handshake, you can use a deauthentication attack to expedite the process. By disconnecting a
client from the network, you force them to reconnect. This increases your chance of capturing a
WPA/WPA2 handshake, particularly where wireless traffic is sparse.

sudo aireplay-ng --deauth 0 -a 'Access point BSSID' -c 'Station BSSID' 'wlan0'
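
On the defending side, the forced reconnection in step 5 appears on the air as a burst of deauthentication frames aimed at one client, which a wireless sensor can flag. The detector below is an added example, not code from the original post; the tab-separated record layout, the window and threshold values, and the MAC addresses are constructed assumptions.

```python
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 0x0C   # 802.11 management frame subtype 12 (deauthentication)
WINDOW_SECONDS = 10.0   # assumed sliding window; tune per site
THRESHOLD = 5           # assumed: more than 5 deauths per window is abnormal

# Constructed sample data: made-up, locally administered MAC addresses.
AP = "02:00:00:aa:aa:01"
CLIENT_A = "02:00:00:cc:cc:07"
CLIENT_B = "02:00:00:cc:cc:09"
# Assumed record layout: epoch time, frame subtype, source, destination, BSSID.
SAMPLE_FRAMES = (
    [f"100.0\t0x0008\t{AP}\tff:ff:ff:ff:ff:ff\t{AP}",   # beacon, ignored
     f"101.2\t0x000c\t{AP}\t{CLIENT_A}\t{AP}"]          # one deauth, normal churn
    + [f"{120 + i * 0.1:.1f}\t0x000c\t{AP}\t{CLIENT_B}\t{AP}" for i in range(8)]
    + ["truncated record"]                               # malformed, skipped
)


def detect_deauth_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {(bssid, target): {"first_seen", "peak"}} for deauth bursts.

    Records are expected in time order, as a capture produces them.
    """
    recent = defaultdict(deque)   # (bssid, target) -> timestamps in the window
    alerts = {}
    for line in lines:
        fields = line.strip().split("\t")
        if len(fields) != 5:
            continue
        try:
            ts, subtype = float(fields[0]), int(fields[1], 0)
        except ValueError:
            continue
        if subtype != DEAUTH_SUBTYPE:
            continue
        target, bssid = fields[3].lower(), fields[4].lower()
        stamps = recent[(bssid, target)]
        stamps.append(ts)
        while ts - stamps[0] > window:      # drop frames older than the window
            stamps.popleft()
        if len(stamps) > threshold:
            alert = alerts.setdefault((bssid, target),
                                      {"first_seen": stamps[0], "peak": 0})
            alert["peak"] = max(alert["peak"], len(stamps))
    return alerts


if __name__ == "__main__":
    for (bssid, target), info in detect_deauth_bursts(SAMPLE_FRAMES).items():
        print(f"deauth burst: bssid={bssid} target={target} "
              f"peak={info['peak']} in {WINDOW_SECONDS}s from t={info['first_seen']}")
```

Protected Management Frames (IEEE 802.11w), which WPA3 makes mandatory, let clients reject forged deauthentication frames, so enabling them removes the lever this step relies on.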

Cracking WPA/WPA2 Pre-Shared Key Hashes


Handshake Cracking: Now that we’ve captured a WPA/WPA2 PSK hash, we can use a tool like
aircrack-ng to crack the hash and derive the plaintext password/PSK. This involves running the hash
against a common password list.

For this example, I created a .txt file and entered a few lines which included the password for the
router. Normally this process would require millions of potential passwords and would take
significantly more computing resource and time. The simpler or easier to guess the password is, the
higher the likelihood that we’ll get a password match within our list.

sudo aircrack-ng -w 'wordlist.txt' 'capture-01.cap'


How To Reduce The Risk of Wireless Exploitation


Upgrade to WPA3 Where Possible: The WPA3 protocol provides noticeable security benefits over
WPA/WPA2, including stronger encryption, forward secrecy and individualised encryption which
mitigates the traditional WPA/WPA2 hash capture and cracking techniques. WPA is deprecated and so
WPA2 should be used where WPA3 is not an option.

Use Strong & Complex Passwords: Where the WPA2 protocol must be used, ensure that the pre-
shared key/WiFi password is strong and not easily guessable. The simpler the password is, the faster
it will be cracked if a hash is obtained. Avoid using common words and instead opt for more complex
phrases with a mixture of different character types.

Recalibrate Signal Strength: Consider limiting the wireless signal range to only the area practically
required. This will make it more difficult for threat actors to pick up a signal from outside the
building/premises.

Use a Strong Encryption Algorithm: Where using WPA2, ensure that the settings use the stronger AES
encryption rather than TKIP.

Disable SSID Broadcasting: Hide the SSID (wireless network name) by disabling SSID broadcasting.
This will make the network less visible to casual threat actors and increase the difficulty for
exploitation.

Use MAC Address Filtering: Consider using MAC address filtering to only allow approved devices to
be able to connect to the organisation network. Although the MAC address of a device can be
spoofed, it makes the process of connecting to the wireless network more difficult for a threat actor.
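
For the "Use Strong & Complex Passwords" recommendation, an administrator who already knows the configured pre-shared key can check whether it would fall to the kind of wordlist run shown in the cracking section, without capturing anything. This audit is an added example, not code from the original post; the function names, the sample wordlist and the 14-character minimum are assumptions.

```python
import re

# Constructed stand-in for a public password list; a real audit loads one from disk.
SAMPLE_WORDLIST = {"password", "letmein", "welcome", "qwertyuiop", "sunshine"}
MIN_LENGTH = 14                      # assumed site policy, not a figure from the post
LEET = str.maketrans("013457@$!", "oleastasi")


def normalise(text):
    """Undo common mangling: case, trailing digits/symbols, then leetspeak."""
    stem = re.sub(r"[^a-z]+$", "", text.lower())
    return stem.translate(LEET)


def audit_psk(psk, ssid, wordlist=SAMPLE_WORDLIST):
    """Return a list of finding codes for a WPA2 passphrase; empty means no finding."""
    if not 8 <= len(psk) <= 63 or not psk.isascii():
        return ["invalid"]           # WPA2 passphrases are 8 to 63 ASCII characters
    findings = []
    stem = normalise(psk)
    if psk in wordlist or psk.lower() in wordlist or stem in wordlist:
        findings.append("wordlist")  # would fall to a plain or lightly mangled list
    ssid_stem = normalise(ssid)
    if ssid_stem and ssid_stem in stem:
        findings.append("ssid")      # derived from the broadcast network name
    if len(psk) < MIN_LENGTH:
        findings.append("short")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    if sum(bool(re.search(c, psk)) for c in classes) < 3:
        findings.append("classes")   # fewer than three character types
    return findings


if __name__ == "__main__":
    # Constructed passphrases and network name, for illustration only.
    for candidate in ("P@ssw0rd2024!", "officewifi123", "tundra-Violin-93-saddle-Echo"):
        print(candidate, audit_psk(candidate, "OfficeWiFi") or "no findings")
```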


Predatech is a cyber security consultancy that offers a range of services including CREST accredited
penetration testing (https://predatech.co.uk/penetration-testing/) and Cyber Essentials/Cyber Essentials
Plus assessments. What makes us different? We combine expert cyber security with great customer
service and value for money. If you’d like to better understand your security posture, and how to
strengthen it from attacks including wireless exploitation, please contact us
(https://predatech.co.uk/contact/) for a free consultation.
