Cracking WPA/WPA2 Passwords

Cracking WPA/WPA2 Passwords

This test was carried out using the Alpha Long Range USB Adapter (AWUS036NHA)

In this article, I will explain how to crack WPA/WPA2 passwords by capturing handshakes, then using a word list, to crack the password protected the access point. This is known as a dictionary attack. In this example, I will be cracking An iPhone personal hotspot which is password protected with the password being “password”. 

This article is for educational purposes only!


Creating a wordlist

Using crunch

The command crunch 1 2 123 = The 1 is the minimum length of the password. The 2 is the maximum length of the password. The 123 is the data which passwords can be created from, the passwords can only contain the numbers 1, 2 or 3. As shown below.

The command crunch 2 2 123 –t [email protected] will create passwords which all start with “1”. The @ sign is replaced by a number but the 1 always stays. This method is used to generate a list of passwords with a pattern IE all the passwords starting with a “1”.
The minimum & Maximum Length must match the values after the –t  in the command.IE if minimum = 3 & maximum = 3 there must be 3 numbers, letters or @ symbols after the –t IE crunch 3 3 1234 –t [email protected]@. As shown in the command below the password will be 3 digits long, with the password always beginning with a “1”, the passwords being created can only contain the numbers “1,2,3 or 4”. 
The command to create a word list and save the results into a file = -o insertfilename the file name can be whatever you chose. As shown below in this example the wordlist will be saved into a file called “skyinpwlist” shown highlighted in red.


Check if wireless card/adapter is connected

Iwconfig = shows if the wireless card is up & connected to Wi-Fi as shown my Wi-Fi card is currently in managed mode, shown highlighted in red.


Change the Adapter to Monitor Mode

  • Ifconfig wlan0 down = this turns the Wi-Fi adapter off
  • Iwconfig wlan0 mode monitor = this changes the Wi-Fi adapter mode in monitor mode
  • Ifconfig wlan0 up = this brings the adapter back up (powered on)
  • Iwconfig = this shows what mode the Wi-Fi adapter is currently in, shown in red, the adapter is now in monitor mode. 

The Wi-Fi adapter must be changed into monitor mode in order to run this attack, this is done using the commands highlighted in green. Monitor mode allows the Wi-Fi adapter to monitor all nearby Wi-Fi signals 


Running the Brute Force Password Gaining Attack

Scan for Wi-Fi Using Wifite & capture Handshake

Wifite = this will display all nearby Wi-Fi signals (shown below). All other nearby access points have been hidden for security purposes. The access point which will be attacked is number 1 on the list “James’s iPhone”
Enter the number of which Wi-Fi you want to crack. IE in this example we are cracking number 1 in the
wifite list. Once this is entered the handshake will be captured. As shown below. The handshake is captured and saved in the pathname


Create a password list using crunch

A password list will be created, the password list which is created will contain the password for “James’s Iphone” which is “password”. The command to create the password list & save it into a file = crunch 8 8 abcdefghijklmnopqrstuvwxyz -t [email protected]@[email protected]@ -o iphonepasslist
The saved password list in file form is shown below. Shown highlighted in yellow is the word “password” within the iphonepasslist.txt document. 


Run the attack using Aircrack-ng

Aircrack-ng is used to run the brute force password cracking attack. The command to run the attack = aircrack-ng hs/handshake_JamessiPhone_3E-2E-FF-2D-DB-D8_2019-07-21T20-08-07.cap -w iphonepasslist. The path where the captured handshake file was saved is inputted into the command (hs/handshake_JamessiPhone_3E-2E-FF-2D-DB-D8_2019-07-21T20-08-07.cap) shown in red font. With the name of the password list also being inputted into the command (-w iphonepasslist shown in blue font). 

Once the command is inputted it will run and will display that the password has been found as shown below.

Article by: James C Billson

Liked it? Take a second to support Alexis on Patreon!
Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *


SSH Brute-force Protection With Fail2Ban

Fail2Ban is an intrusion prevention framework written in Python that protects Linux systems and servers from brute-force attacks. We can setup Fail2Ban to provide brute-force protection for SSH on our server, this will ensure that the server is secure from brute-force attacks and it also allows us to monitor the strength of the brute-force attacks […]

Share this post