Cracking WPA

posted on August 20th, 2006

1. Get yourself a good Linux distribution and download the newest aircrack-ng suite ( Also download Kismet.

I would warmly recommend you to use back|track because it already has everything installed. Check the cracking WEP tutorial for information about the back|track installation.

2. Put your wireless card in monitor mode.

There are many different ways to do this. Some may not work with your drivers/card. I will explain one here: Type ‘iwconfig’ in a terminal to see your wireless interfaces (mine is ath0). After that, type ‘iwconfig [interface] mode Monitor’ to put your interface in monitor mode.

3. Start Kismet and wait a few seconds to find all networks in your area. First press ’s’ and then ’f’ to sort the networks and navigate to a WPA enabled network with your arrow keys. Press enter to get more information about the highlighted network. Do this in order to make sure that the network is protected with a WPA encryption. Also remember on which channel the network is running.

4. Now start airodump, by opening a terminal window (you can use the one from the previous step) and typing:

airodump-ng -c [channel] -w wpa [interface]

5. Airodump will find all networks in the area using the channel you entered. Wait for ‘your’ network to show up and wait for a client connecting to that access point. Clients are shown in the list below the list of AP’s.

6. Open a new terminal window and type:

aireplay-ng [interface] –deauth 25 -a [MAC address of the AP*] -h [MAC of the client]

* The MAC address: The number that airodump calls ‘BSSID’. It usually looks like this: 12:34:45:78:89:56

7. The deauth attack will kick the client off the network and force him to reconnect.  During this reconnect airodump captures the so called ‘handshake’. To crack the key, start a new terminal window. Keep airodump running. In the new terminal, type:

aircrack-ng -w [full path to dictionary file**] wpa-01.cap

** Search the web for a good dictionary file (try Google with the term “security wordlist”, please post good dictionaries in the comments). If you are using back|track, open a new terminal window and type (HD install only!):

cd /pentest/password/dictionaries
gunzip wordlist.txt.Z

After unzipping, the “full path to dictionary file” is /pentest/password/dictionaries/wordlist.txt.

8. Now wait a long time. This can take hours if you aren’t lucky and if the keyphrase isn’t in the dictionary you’ll never find the key. If the key is found it shows up in aircrack. I’m currently figuring out how rainbow Tables work. From what I read these Rainbow Tables can crack a WPA key in 10 minutes (wow!). Expect a tutorial about how this works within a few days.


  1. Legionnaire said on August 21st, 2006 at 11:33 am :

    From the little I know, rainbow tables need a LOT of hard disk space. Like many GBs.

    Also, they are ineffective when the victim uses encode(password+salt) or hash(password+salt) so you go back to brute forcing again.

    It’s an interesting experiment though. Let us know how it goes.

  2. Derreck said on September 26th, 2006 at 7:48 am :

    Rainbow tables are very effective with this sort of thing. I have personally tried them out, and they work. If you are wanting to make your own tables, this can be time consuming (depending on how powerful your machine is). If you aren’t willing to make them yourself, you can purchase them online.
    Winrtgen is a windows program that will generate these tables for you, can be downloaded from

    Cain, another program I use, can apply the use of rainbow tables. If you have the hash, you can put it into the program and tell it what table you wish to use, then it will go to work! cain can also be downloaded from

    I hope this clears some things up for anyone interested!

  3. phil said on February 11th, 2007 at 10:12 pm :

    You don’t need to “purchase” them. Here’s what you need:

    However, they need A LOT of space (64GB is the most complete table on that site) but crack passwords literally in minutes (even seconds).

  4. PMT said on May 25th, 2007 at 4:20 pm :

    Rainbow tables are useless on a WPA network, as the ESSID is part of the salt used for the encryption, so you’d need to have a rainbow table PER wireless network name.

    This is all well and good if you precompute, say, “linksys” “netgear” “belkin54g” and similar, but won’t help you against “KEEP OUT I MEAN IT” unless you have a lot of free time and space.

  5. Gimpy said on June 3rd, 2007 at 7:13 pm :

    Is running in Linux required? If so, then is there a way to do all of this is Windows?

  6. Cyrus Stalkings said on June 4th, 2007 at 12:44 am :

    Linux is only required for the programs mentioned here, if you want to waste your life looking for windows programs that do the same thing go ahead

  7. Mike said on June 30th, 2007 at 3:44 am :

    Interesting read, but rainbow tables are only usually good for up to an 8 digit password (for all character keys, upper, and lower) In addition that table takes up over 100 gig. An easily remembered passphrase with a few odd characters would defeat this kind of attack.

    Or take a password, and then md5sum it, and use that as key, you would never find it with rainbow tables, maybe a quantum processor…

Leave a Reply