> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-18/802.11/wpa-cracking/trick-0453.md).

# Crack WPA/WPA2 PSK with Aircrack-ng

***

Before capturing, it's necessary to prepare the wireless interface by putting it into monitor mode. This often involves killing processes that might interfere with the wireless card and then starting monitor mode on the chosen interface.

```bash
sudo airmon-ng check kill
sudo airmon-ng start <interface>
```

Once the interface is in monitor mode (often named like `wlan0mon`), you can capture the WPA/WPA2 4-way handshake from the target network traffic using `airodump-ng`. To focus the capture and save the output, specify the target BSSID, channel, and an output file prefix.

```bash
sudo airodump-ng -c [channel] --bssid [AP MAC address] -w [output file prefix] [monitor interface]
```

This command will display information about the target network and connected clients. You need to wait for a client to connect or reconnect to the network to capture the handshake. The handshake is typically indicated in the `airodump-ng` output. The captured traffic, including the handshake, will be saved to files with the specified prefix (e.g., `output_file_prefix-01.cap`).

If no clients are actively connecting, you can attempt to force a deauthentication of an associated client using `aireplay-ng` to trigger a new handshake when they reconnect.

```bash
sudo aireplay-ng --deauth 0 -a [target_bssid] -c [client_mac] [monitor_interface]
```

This command sends deauthentication packets. Replace `0` with a specific number of deauth packets if desired, `[target_bssid]` with the AP's MAC address, `[client_mac]` with the client's MAC address, and `[monitor_interface]` with your monitor mode interface.

Once the handshake is successfully captured and saved to a file (e.g., `output_file_prefix-01.cap`), perform an offline dictionary attack using `aircrack-ng`. You will need a suitable wordlist containing potential passwords.

```bash
sudo aircrack-ng -w /path/to/your/wordlist.txt output_file_prefix-01.cap
```

The `-w` option specifies the path to the wordlist file. `aircrack-ng` takes the captured `.cap` file containing the handshake and attempts to crack the WPA/WPA2 Pre-Shared Key (PSK) by testing each entry from the provided wordlist against the cryptographic data in the handshake. The success and speed of this process are heavily dependent on the comprehensiveness of the wordlist used and the complexity of the target network's PSK.
