Download How To Break Wpa2 Aes

  1. To crack WPA-PSK, we'll use the venerable BackTrack Live-CD SLAX distro. It's free to download, but please consider donating, since this really is the Swiss Army knife of network security. As you can see from my system specs in Table 1, it doesn't take much computing power to run WPA cracks.
  2. WPA2 PSK Cracking Demonstration. This demonstration uses an SSID of ‘og150-test’ and a WPA2 pass-phrase of ‘originalgangster’. I have used WPA2 and AES cipher which is the strongest PSK variant currently available. I have done this to illustrate that both WPA and WPA2 are susceptible to this attack.

How To Crack WPA/WPA2 With HashCat

The tutorial will illustrate how to install and configure HashCat on a Windows client and crack the captured PMKID or .hccap files using a wordlist dictionary attack.

“Hashcat is the self-proclaimed world’s fastest password recovery tool. It had a proprietary code base until 2015, but is now released as free software. Versions are available for Linux, OS X, and Windows and can come in CPU-based or GPU-based variants.”

AES (used by WPA2) is much safer than TKIP (used by WPA). As you saw earlier, the only way to break WPA/WPA2 is by sniffing the authentication 4-way handshake and brute-forcing the PSK. To make it computationally impossible, use a password of at least 10 characters composed of a random combination (not any plain word that you can meet in any.

The WPA2 handshake can be captured on a Linux-compatible client like Kali Linux with a supported WiFi card running on VirtualBox. The capture is then converted to the right format, depending on the capture method, and moved over to the Windows client to be cracked.

Use the guides Capturing WPA2 and Capturing WPA2 PMKID to capture the WPA2 handshake. For this test we will use the famous “Rockyou” wordlist.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the user's actions.

Step 1: Download HashCat

Hashcat does not require any installation; it is a portable program, and you only need to unpack the downloaded archive.

  1. First you need to download Hashcat binaries from
  2. Navigate to the location where you saved the downloaded file, and unzip the file

Step 2: Download Wordlist

There are numerous wordlists out on the web; for this test we are going to use the famous “rockyou”.

  1. Open the hashcat folder on your hard drive and create a new folder called “wordlist”
  2. Download the rockyou.txt wordlist from this Link.
  3. Save the downloaded file in the new folder “wordlist”

Step 3: Prepare Your Captured WPA2 Handshake

Depending on the method you used to capture the handshake, you must either format the cap file to hashcat 2500 hash-mode or the PMKID file to hashcat 16800 hash-mode.

For how to format the files please see the guides Capturing WPA2 and Capturing WPA2 PMKID.

In this lab we are using a captured PMKID and a pcap handshake formatted to hashcat-readable format: “HonnyP01.hccapx” and “HonnyP02.16800”.

I’m using two different home routers, from D-Link and Technicolor, for this experiment; both WiFi routers are owned by me.

  • The “HonnyP01.hccapx” file is captured from the D-Link router.
  • The “HonnyP02.16800” file is captured from the Technicolor router.

Step 4: Start Hashcat

You need to run hashcat in CMD or PowerShell. In this example we will use CMD to execute our commands and crack the handshake.

Open CMD and navigate to the hashcat folder.

Type hashcat64 -h to display all options

Step 5: Crack WPA2

In the first example we will illustrate how to get the password from a converted pcap file, “.hccapx”.

Copy your converted file to the hashcat folder. In this example I am copying the file HonnyP01.hccapx to my hashcat folder.

Next we will start hashcat and use the rockyou wordlist. Type the parameters below in CMD.

  • hashcat64 the binary
  • -m 2500 the format type
  • -w 3 workload-profile 3
  • HonnyP01.hccapx the formatted file
  • “wordlist\rockyou.txt” the path to the wordlist

Hashcat will start processing the file. If you are successful, the terminal will display the hash and the password.

Here we can see that hashcat was able to match the hash to a password in the wordlist; in this lab the password to the D-Link WiFi is “password”. You can choose to let the application run through the wordlist or press “q” to quit.

You can display the cracked password with the “show” command or by running the same command again; all cracked hashes are stored in “hashcat.potfile” in the hashcat folder.


To display the cracked password in CMD, type the command below.

In the next example we will run the same command, except that now we use the 16800 mode to run the dictionary attack against the formatted PMKID file captured from the Technicolor router.

  • hashcat64 the binary
  • -m 16800 the format type
  • -w 3 workload-profile 3
  • HonnyP02.16800 the formatted file
  • “wordlist\rockyou.txt” the path to the wordlist

Here we can see that the cracked password is “adsladsl” for the Technicolor router.

Extra: Brute Force Attack and Rule-Based Attack

You can let hashcat brute force the file with the command below.

Or use a rule-based attack.


Your home or office WiFi can be hacked if you are using a weak password. As always, a strong and complex password is still the best defense against an attacker.



WPA/WPA2 is the next evolution of secure wireless networking, which came after WEP turned out to be insecure. The algorithms used by those protocols are much more secure (WPA: TKIP and WPA2: CCMP/AES), making it impossible to crack the network using the same approach we used with WEP.

Breaking WPA/WPA2 is based on the same idea – sniffing the initial 4-way handshake and applying a brute-force attack in order to break the encrypted password.

To illustrate this example, I will once again make use of the 'LAB-test' WLAN, this time secured with WPA2 using the following key − 'F8BE4A2C'. As you remember from the previous chapters, the success of and time required for brute-forcing the password depend on the complexity of the password. The password I have used here is potentially weak enough to be crackable in a relatively reasonable time. In real environments you should only see passwords that are 10+ characters long and have all types of alphanumeric signs included – that way, it would take years to brute-force them.

The same as in the last example, we will start with airodump-ng to passively collect some information about the WLAN.

As you can observe, we indeed have the 'LAB-test' SSID secured with WPA2 with CCMP encryption. The client connected to LAB-test is currently my other PC, with the MAC address 84:A6:C8:9B:84:76.

The first step is to enable sniffing of the traffic on LAB-test (we don't care that much about data packets this time) in order to collect the initial 4-way handshake between the AP and the wireless client (my PC).

As you can see below, every time a new user joins the network, airodump sniffs the 4-way handshake.

As we have those handshakes collected in a file, we are ready to crack the password. The only missing element is a dictionary file with possible passwords. There is a bunch of tools you can use, like john or crunch, or you can even download a dictionary file from the internet. In this example, I will show crunch, but feel free to experiment with all the solutions you may find. Remember, the sky is the limit.

As you can see, crunch can create a dictionary for you. Let's assume that we want all passwords made of numbers and letters up to 8 characters in length, and that the numbers may be from 0 to 9 and the letters from A to F. Why do we make these limitations (assumptions about the password)? Because if you want a file with all the combinations of passwords composed of numbers 0-9 and letters a-z and A-Z, you need 18566719 GB of space (!!!).

So first we create all the combinations and put them in a dictionary file.

Then we reference this dictionary file when using the aircrack utility to try to derive the right key, as follows −

aircrack-ng has found 8 BSSIDs in the file, so it asks which WLAN you want to crack. I referenced number 2, the 'LAB-test' network.

Checking each of the passwords one by one is a very long process. The time to find the right password depends on how far into the dictionary file the password is (if you are lucky and the password is on the 1st line of the dictionary file, you can find it on your first guess). In this example, as you can see, I have found the password, but it took 8 hours and 47 minutes (!!!). Using a password of 10 characters instead of 8 would probably increase the time to days or maybe a week.

You have to keep in mind that the longer the dictionary, the longer it will take to break the password. And, as I underlined a few times earlier, if the password is pretty complex and long, it is computationally not feasible to perform cracking at all (in a limited time, let's say under 10 years).
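The password guidance above can be turned into a check a network owner runs on a candidate WPA2 passphrase before deploying it. This is an added example, not code from the original tutorials: the function names, the five-word sample list and the guess rate are assumptions, and the 10-character and 10-year thresholds are the ones stated on this page.

```python
import string

# Constructed stand-in for a real wordlist (assumption, not the page's data).
SAMPLE_WORDS = {"password", "adsladsl", "iloveyou", "original", "gangster"}
ASSUMED_GUESSES_PER_SEC = 500_000  # assumed attacker speed; measure your own

# Alphabets from smallest to largest; the first that fits bounds the search.
CHARSETS = [
    ("digits", string.digits),
    ("hex-upper", string.digits + "ABCDEF"),
    ("lowercase", string.ascii_lowercase),
    ("alphanumeric", string.ascii_letters + string.digits),
    ("printable", string.ascii_letters + string.digits + string.punctuation + " "),
]

def smallest_charset(passphrase):
    """Return (name, size) of the smallest alphabet covering the passphrase."""
    for name, chars in CHARSETS:
        if set(passphrase) <= set(chars):
            return name, len(chars)
    raise ValueError("passphrase must be printable ASCII")

def built_from_words(passphrase, words):
    """True if the passphrase is one or more wordlist entries concatenated."""
    text = passphrase.lower()
    reachable = [True] + [False] * len(text)  # reachable[i]: text[:i] splits
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in words for start in range(end)
        )
    return reachable[-1]

def audit(passphrase, words=SAMPLE_WORDS, rate=ASSUMED_GUESSES_PER_SEC):
    """Rate a WPA2 passphrase against dictionary and brute-force guessing."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    name, size = smallest_charset(passphrase)
    keyspace = size ** len(passphrase)  # candidates of exactly this length
    years = keyspace / rate / (365 * 24 * 3600)  # worst case: whole keyspace
    guessable = built_from_words(passphrase, words)
    # Page guidance: 10+ random characters, infeasible within about 10 years.
    acceptable = not guessable and len(passphrase) >= 10 and years > 10
    return {"charset": name, "keyspace": keyspace, "guessable": guessable,
            "years_to_exhaust": years, "acceptable": acceptable}

if __name__ == "__main__":
    for p in ("password", "adsladsl", "F8BE4A2C", "originalgangster", "k7#Qz!m2Vx@9"):
        print(p, audit(p))
```

The brute-force figure only bounds random passphrases; anything built from wordlist entries is rejected regardless of length, which is why 'originalgangster' fails despite its 16 characters.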