> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-18/802.11/wpa-cracking/trick-0391.md).

# Crack Wpa-Psk Using Aircrack-Ng

***

To crack a captured WPA/WPA2-PSK 4-way handshake using a dictionary attack, use `aircrack-ng`. You need the capture file containing the handshake and the BSSID of the target AP.

```bash
aircrack-ng -w /path/to/wordlist.txt -b <AP_BSSID> <handshake_capture.cap>
```

* `-w /path/to/wordlist.txt`: Specifies the dictionary file (e.g., `/usr/share/wordlists/rockyou.txt.gz`).
* `-b <AP_BSSID>`: Provides the BSSID (MAC address) of the target Access Point (e.g., `D8:3A:DD:07:AA:5A`).
* `<handshake_capture.cap>`: The path to the capture file containing the 4-way handshake (e.g., `dump-05.cap`).

Additional options can be used to refine the attack or improve performance:

* `-a 2`: Specifies the attack mode as WPA/WPA2 cracking. While often inferred, explicitly setting `-a 2` ensures the correct mode.
* `-e <essid>`: Targets a specific network by its ESSID (network name). This is useful if your capture file contains handshakes from multiple networks.
* `-p <num_cores>`: Specifies the number of CPU cores to use.
* `-D`: Use all available CPU cores. This overrides the `-p` option.
* `-K <num_gpu>`: Specifies the number of GPUs to use.
* `-G`: Use all available GPUs. This overrides the `-K` option.

A more specific command including the ESSID and attack mode might look like this:

```bash
aircrack-ng -a 2 -b <AP_BSSID> -e <AP_ESSID> -w /path/to/wordlist.txt <handshake_capture.cap>
```

If the password exists in the dictionary, `aircrack-ng` will find and display it, often showing "KEY FOUND! \[ the key ]". If the password is not found after exhausting the wordlist, it will indicate that no key was found.
