
Tuesday, 26 April 2016

Using Aircrack and a Dictionary to Crack a WPA Data Capture Part 6 - Backtrack

Introduction To Kali and WiFi Pen Testing
How to Install Kali Linux
WEP Hacking
Kali Linux and Reaver
Getting a Handshake and a Data Capture, WPA Dictionary Attack
Using Aircrack and a Dictionary to Crack a WPA Data Capture
Cracking a WPA Capture with the GPU using HashCat
Creating a Dictionary / Wordlist with Crunch Part 8

Using Aircrack and a Dictionary to Crack a WPA Data Capture

If you have a WPA handshake capture and cannot crack it yourself then there are services online that for a price will crack it for you.

To get started you should already have a WPA handshake file and Kali Linux running.

Getting a good dictionary can be hard, but finding good ones, or creating them yourself with Crunch, is necessary to try this method. I have set up a download section HERE with WPA wordlists/dictionaries that can be used if needed.

Keep in mind the dictionary file is only a simple text file that can be edited with any text editing program, such as Notepad. Don’t use Microsoft Word or OpenOffice, as they make changes that render a wordlist unusable.

If you know a person well enough you can try and type as many guesses as you can think of into a text file, then use that as your dictionary.
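A small check for the dictionary file, added here as an example and not part of the original post: it strips the byte-order mark and Windows line endings a word processor leaves behind and drops entries that cannot be a WPA/WPA2 passphrase (8 to 63 printable ASCII characters), so aircrack-ng is not fed lines it would skip anyway. The sample wordlist bytes are constructed.

```python
# Constructed sample of a damaged wordlist: UTF-8 BOM, CRLF endings, a duplicate,
# a blank line, curly quotes, a 64-character line and one clean entry.
RAW_SAMPLE = (
    b"\xef\xbb\xbfpassword1\r\nshort\r\npassword1\r\n\r\n"
    b"\xe2\x80\x9cquoted\xe2\x80\x9d\r\n" + b"a" * 64 + b"\r\nWiFiPass2016\n"
)

def is_wpa_candidate(word: bytes) -> bool:
    """True if word could be a WPA/WPA2 passphrase: 8 to 63 printable ASCII bytes."""
    return 8 <= len(word) <= 63 and all(0x20 <= c <= 0x7E for c in word)

def clean_wpa_wordlist(data: bytes):
    """Return (kept, dropped): de-duplicated usable candidates and rejected lines."""
    if data.startswith(b"\xef\xbb\xbf"):    # strip a UTF-8 byte-order mark
        data = data[3:]
    seen, kept, dropped = set(), [], []
    for line in data.replace(b"\r\n", b"\n").split(b"\n"):
        word = line.strip(b"\r")             # stray lone carriage return
        if not word:
            continue                         # blank line
        if not is_wpa_candidate(word):
            dropped.append(word)
        elif word not in seen:
            seen.add(word)
            kept.append(word)
    return kept, dropped

def clean_wordlist_file(src: str, dst: str) -> int:
    """Rewrite src into dst keeping only usable candidates; returns how many were kept."""
    with open(src, "rb") as f:
        kept, _ = clean_wpa_wordlist(f.read())
    with open(dst, "wb") as f:
        f.write(b"\n".join(kept) + b"\n")
    return len(kept)

if __name__ == "__main__":
    kept, dropped = clean_wpa_wordlist(RAW_SAMPLE)
    print("kept:", kept)
    print("dropped:", dropped)
```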

The default storage location for a WPA handshake is under /root, and it will be there under the name it was given when captured. Open a terminal window and type the command “ls”; the data capture should be there. The file type we want to use is the .cap file.

The dictionary that we will use for this example is called dict.txt.

We will be using Aircrack to do the cracking and the command to do this is:

aircrack-ng (file name) -w (dictionary location)

Where the file name is the handshake file that was captured and the dictionary location is the path to the dictionary. The location of where these two files are and their names will be up to you.

The usual default location of the handshake file is under /root and is whatever name it was called when captured. We will be using a dictionary called dict.txt for this example that I copied to /root.

So the command for me to do this would be:

“aircrack-ng dlink.cap -w dict.txt”

If done right Aircrack should start and begin to try to crack the WPA handshake capture with the dictionary.
If the dictionary contains it, it will show as above with “KEY FOUND”; if not, then another dictionary will need to be used. For this example, I edited the text dictionary file and put the password in to show what it looks like when it is found.



Creating a Dictionary / Wordlist with Crunch Part 8 - Backtrack


Creating a Dictionary Wordlist with Crunch

Crunch is a useful program for creating and outputting wordlists or dictionaries to be used with brute force attacks. Crunch can send a wordlist to the screen, a file, or another program.
Here is how to create a dictionary with Crunch.

The syntax will be:
crunch (min) (max) (charset) -t (pattern) -o (filename.lst)

min = minimum number of characters you want in your dictionary
max = maximum number of characters you want in your dictionary
charset = which characters you want in your wordlist, such as abcd or 123456
pattern = some characters can be static or dynamic, meaning you can specify which letters change and which do not

For example, say I want a minimum of 7 characters, a maximum of 7 characters, the charset qwer987 with the pattern qwe@@@@, and to save the file in the Desktop folder.

The command would be:
crunch 7 7 qwer987 -t qwe@@@@ -o /root/Desktop/dictionary.txt
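To see exactly what a pattern does before generating a large file, here is an added example (my own code, not crunch's) that expands a -t pattern the way the placeholders are documented and reports the line count and file size. Crunch's default symbol set for ^ is not assumed, so it must be passed in if the pattern uses it.

```python
import string
from itertools import product

# Placeholder meanings per crunch's documentation: @ draws from the charset given
# on the command line, "," from upper-case letters, % from digits, ^ from symbols.
# Crunch's default symbol list is not reproduced here; pass it in if ^ is used.
def placeholder_sets(charset, symbols=None):
    return {"@": charset, ",": string.ascii_uppercase,
            "%": string.digits, "^": symbols}

def crunch_keyspace(pattern, charset, symbols=None):
    """Return (line_count, file_bytes) for a fixed-length crunch -t pattern."""
    sets = placeholder_sets(charset, symbols)
    count = 1
    for ch in pattern:
        if ch in sets:                            # dynamic position
            if sets[ch] is None:
                raise ValueError("pattern uses ^ but no symbol set was given")
            count *= len(sets[ch])
        # any other character is static and contributes a factor of 1
    return count, count * (len(pattern) + 1)      # one newline per output line

def expand_pattern(pattern, charset, symbols=None):
    """Yield every word the pattern expands to (last placeholder varies fastest)."""
    sets = placeholder_sets(charset, symbols)
    slots = [i for i, ch in enumerate(pattern) if ch in sets]
    if any(sets[pattern[i]] is None for i in slots):
        raise ValueError("pattern uses ^ but no symbol set was given")
    template = list(pattern)
    for combo in product(*(sets[pattern[i]] for i in slots)):
        for i, c in zip(slots, combo):
            template[i] = c
        yield "".join(template)

if __name__ == "__main__":
    n, size = crunch_keyspace("qwe@@@@", "qwer987")        # the post's example
    print(f"{n} lines, {size} bytes")
    n, size = crunch_keyspace("@@@@@@@@", string.ascii_lowercase)
    print(f"8 lower-case letters: {n} lines, {size / 1e9:.1f} GB")
```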


Monday, 25 April 2016

Wireless Hacking Basics WPA Dictionary Attack, Handshake, Data Capture, Part 5 - Backtrack

Getting a Handshake and a Data Capture, WPA Dictionary Attack


WPA Dictionary Attack
WPA and WPA2 are the newest encryption for wireless devices; as far as cracking them goes, they are the same, so I will use WPA from here on.

A dictionary attack is one of the easiest to understand, but the least likely to find a password. It is often the last resort because, while it does work, it depends on the dictionary used and the computing power available.

Basically, a data capture from the router is taken wirelessly when someone logs into the router. Then a dictionary file with a bunch of names and combinations of names/numbers is used to throw at the data capture until the password is found.

If someone knows the person then they may be able to guess the password, but otherwise this can take a long time and never find anything. If you are stuck using this method, thinking about how the password might be structured will be crucial, along with computing power. The data capture could be copied between multiple computers to split things up: A to F on one, G to Z on another. Cloud computing might be an option to harness someone else's computing power, and so on.

There are other ways, such as Rainbow Tables or the video card attack, but the simplest and easiest way to understand a WPA dictionary attack is to use aircrack-ng. The way this works, basically, is that there is a large dictionary that you use to throw as many combinations of words as possible at the WPA encryption until it cracks. If the password is easy then it will find it quickly; if it is a long passphrase with many different number and letter combinations then it will be much harder.

If you are unable to crack a WPA handshake capture there are online services that will do it for you for a price.

Getting a Handshake and a Data Capture

Commands used
airmon-ng
airmon-ng start wlan0
airodump-ng mon0

A data capture, or handshake, is the password exchange captured when two devices talk wirelessly. The data capture will be stored in a file on the computer. It will still be encrypted and need to be cracked, which is when a dictionary will be used to guess the password. This is a two-step process, capturing the data file being the first step.

Set up a test environment.
Set up a test environment with a WPA or WPA2 encrypted router, set a password on it, and connect to it wirelessly with a laptop, smartphone, or computer.

Kali Linux should be up and running.

Open a terminal window.

Run the command “airmon-ng” to see if your USB adapter shows up; if it doesn’t, then some troubleshooting as to why it is not will have to be done. For this example I am using an Alfa AWUS036NH, which uses the Ralink RT2070/3070 chipset.

Once you know the adapter is connected and operating run this command to get the adapter into monitor mode.

“airmon-ng start wlan0”

If all goes well the screen will scroll by with some information and then say enabled on mon0. (Sometimes it will enable on mon1 or mon2; if it does, use that instead.)

Now we want to see which routers or access points (APs) are out there, so we run this command.
“airodump-ng mon0”

A screen like the one above should come up and show all the routers out there. Here we pick the router we want to target and copy its BSSID. Use CTRL+C to stop the terminal window and copy the BSSID.

Next we want to leave the original terminal alone and open a second terminal window. Here we are going to set up the adapter to do a data capture on the router we selected. After we do this we will have to wait for a wireless device to connect to the router, and it will do a data capture. To do this we run the following command.

airodump-ng -c (channel) -w (our file name) --bssid (BSSID of AP) mon0
So for me it would be:
airodump-ng -c 6 -w dlink --bssid 00:26:5A:F2:57:2B mon0

The “-w” option tells airodump-ng to write a capture file to the drive; it can be given any name.

Then it should go into monitoring the AP for a data capture.

At this point we could simply wait for someone to connect wirelessly to the router. It can be any device: their laptop, desktop or smartphone. When they connect, the password will be transmitted back and forth to the device. If we wait then we stay in passive mode and no one can detect we are there. The top right of the terminal window will display “WPA Handshake” when this happens.

Once it says “WPA handshake” in the top right, it is done and the file has been captured and written to the drive.

There is a way to speed this up if you know someone has a wireless device connected to the router: de-authenticating them, or kicking them off, forcing them to reconnect. This will most likely be recorded by the router, so this is not a passive method. To do this open another terminal window and type the following.

“aireplay-ng -0 5 -a (Target BSSID) mon0”

For me this would be.
aireplay-ng -0 5 -a 00:26:5A:F2:57:2B mon0
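From the defender's side, the de-authentication burst above is exactly what a wireless IDS looks for. The following added example (not part of the original post) parses raw 802.11 management frames and flags a BSSID that sources five deauthentication frames within two seconds; the frames and the client address aa:bb:cc:dd:ee:01 are constructed, and the BSSID is the one used in the post.

```python
import struct
from collections import defaultdict, deque
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b):    # 6 raw bytes -> "aa:bb:cc:dd:ee:ff"
    return ":".join(f"{x:02x}" for x in b)
def mac_bytes(s):  # "aa:bb:cc:dd:ee:ff" -> 6 raw bytes
    return bytes(int(x, 16) for x in s.split(":"))

def parse_mgmt(raw):
    """Parse an 802.11 management frame header (no radiotap). Frame Control byte 0:
    bits 2-3 = type, bits 4-7 = subtype; type 0 / subtype 12 is deauthentication."""
    if len(raw) < 24:
        return None
    ftype, subtype = (raw[0] >> 2) & 0x3, raw[0] >> 4
    f = {"deauth": ftype == 0 and subtype == 12, "dst": mac_str(raw[4:10]),
         "src": mac_str(raw[10:16]), "bssid": mac_str(raw[16:22]), "reason": None}
    if f["deauth"] and len(raw) >= 26:
        f["reason"] = struct.unpack("<H", raw[24:26])[0]   # little-endian reason code
    return f

def sample_deauth(dst, src, bssid, reason=7):
    """Constructed test frame only: FC 0xC000, duration, addr1-3, seq ctl, reason."""
    return (b"\xc0\x00\x3a\x01" + mac_bytes(dst) + mac_bytes(src)
            + mac_bytes(bssid) + b"\x00\x00" + struct.pack("<H", reason))

def detect_deauth_bursts(frames, window=2.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_bytes). One alert per BSSID each
    time `threshold` deauth frames from it arrive within `window` seconds."""
    recent, alerts = defaultdict(deque), []
    for ts, raw in frames:
        f = parse_mgmt(raw)
        if not f or not f["deauth"]:
            continue
        q = recent[f["bssid"]]
        q.append(ts)
        while ts - q[0] > window:          # forget timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"bssid": f["bssid"], "count": len(q), "at": ts,
                           "broadcast": f["dst"] == BROADCAST, "reason": f["reason"]})
            q.clear()
    return alerts

AP = "00:26:5a:f2:57:2b"   # the BSSID used in the post
STA = "aa:bb:cc:dd:ee:01"  # constructed client address
# Constructed capture: five broadcast deauths 0.1 s apart, then one lone deauth later.
SAMPLE = [(t / 10, sample_deauth(BROADCAST, AP, AP)) for t in range(5)]
SAMPLE.append((60.0, sample_deauth(STA, AP, AP)))
```

A burst of deauthentication frames to the broadcast address from a BSSID is the signature of this method; a single deauth to one client is ordinary AP behaviour and is not flagged.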