The Easiest Way To Crack a WiFi Password Using Your Computer

Ziad Alzarka
6 min read · Jan 4, 2024


Cracking a WiFi password using hashcat

How does WiFi cracking work?

If you’re curious about how this works, you’ll first need to understand how WiFi authentication works. But it all boils down to a simple process:

  • Start listening for packets for the target WiFi network
  • Perform deauthentication
  • Capture WiFi handshake
  • Crack the handshake

When you connect to your home WiFi network, a handshake is done between your phone and the access point.

Wi-Fi handshakes are part of the process by which a device (like a laptop or smartphone) connects securely to a Wi-Fi network. The most common type is the WPA/WPA2 handshake, which is used to establish a connection using the Wi-Fi Protected Access (WPA or WPA2) security protocol.

The WPA/WPA2 handshake process then begins, which is a four-step process:

Step 1: Authentication Request (AP → Client):

The AP sends an authentication request to the client, including a random number known as an ANonce (AP nonce).

Step 2: Authentication Response (Client → AP):

  • The client device generates its own random number called SNonce (Supplicant nonce), creates a pre-shared key (PSK) if using WPA2-PSK (based on the Wi-Fi password), and calculates a MIC (Message Integrity Code) using the ANonce, SNonce, PSK, and MAC addresses.
  • The client sends back its SNonce, along with the calculated MIC, to the AP.

Step 3: The AP verifies the MIC:

  • The AP uses the received SNonce, its ANonce, the PSK, and the MAC addresses to calculate its own MIC.
  • If its MIC matches the one received from the client, the AP knows that both it and the client have the correct PSK.
  • The AP then sends a message to the client confirming the successful authentication and includes the GTK (Group Temporal Key), encrypted with the PSK.

Step 4: Acknowledgment and Encryption Ready (Client → AP):

  • The client sends an acknowledgment back to the AP.
  • Both the AP and the client now have the necessary keys to encrypt and decrypt the data they send to each other.

After the handshake, all data transmitted between the client and the AP is encrypted using the established keys, providing a secure Wi-Fi connection.
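The "pre-shared key based on the Wi-Fi password" from Step 2 is worth seeing concretely. The following is an added example (my own code, not from the article or from hashcat): WPA/WPA2-PSK stretches the passphrase into the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1, salted with the SSID, for 4096 iterations, which is the "WPA-PBKDF2" half of hashcat's mode 22000 and the reason every single guess is expensive. The passphrase/SSID pair "password"/"IEEE" is the published IEEE 802.11i test vector.

```python
import hashlib

# WPA/WPA2-PSK derives the 256-bit Pairwise Master Key (PMK) from the
# passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # bytes


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for a passphrase on a given network (SSID)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PMK_LEN,
    )


def hmac_calls_per_guess() -> int:
    """Work a cracker spends on each candidate: PBKDF2 needs two 20-byte
    SHA1 output blocks to fill 32 bytes, and each block runs 4096 times."""
    blocks = -(-PMK_LEN // hashlib.sha1().digest_size)  # ceil(32 / 20) == 2
    return blocks * PBKDF2_ITERATIONS


def same_pmk_on_other_network(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """The SSID is the salt, so a PMK (or a precomputed table of PMKs)
    computed for one SSID says nothing about a network with another SSID."""
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    print(hmac_calls_per_guess(), "HMAC-SHA1 calls per candidate password")
```

Because the salt is the SSID rather than something random per device, a common SSID lets an attacker reuse PMK tables across every network with that name; a unique SSID and a long passphrase are the defender's two levers here.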

How can we crack the password?

We do that by intercepting the handshake, extracting the hash from it and cracking it locally: trying different combinations of characters until we hit the correct combination, which is the password!

How do we intercept the handshake? Well… it might not seem obvious, but WiFi isn’t directional: it doesn’t send data to a specific device, it broadcasts it into the air, and all the clients can receive this data! Which is exactly why we need to encrypt the traffic, because everyone receives everything!

Modern software simply filters the received packets and keeps only the ones meant for it!

Hash cracking with GPUs

You will need a powerful GPU for this. Hash cracking is much faster using GPUs for the following reasons:

  • GPUs are designed for highly parallel operations. They contain hundreds or thousands of smaller cores designed for handling multiple tasks simultaneously. This is in contrast to CPUs, which typically have a much smaller number of cores optimized for sequential serial processing and are more general purpose.
  • Hash cracking involves trying millions or billions of combinations, which is a highly parallelizable task. Each attempt to crack a hash can be processed independently. GPUs can handle many such attempts in parallel, significantly speeding up the process.
  • GPUs have instruction sets that are often better optimized for the types of computations required for hash cracking, such as bitwise operations and large-number arithmetic, since the same operations are used in computer graphics.

Steps to cracking a WiFi password

We will be using 3 tools for this:

  • WiFiCrackPy, a Python script that automates most of this attack for you
  • zizzania, used by the script to perform the deauthentication attack
  • hashcat, used to crack the hash itself

Start by installing the WiFiCrackPy prerequisites:

brew install hashcat libpcap wget hcxtools

Clone zizzania and compile it:

make -f config.Makefile && make -j "$(sysctl -n hw.logicalcpu)"

Please keep in mind that the prerequisites might change in the future; they are accurate at the time I’m posting this article :)

Then clone WiFiCrackPy and install its dependencies:

git clone https://github.com/phenotypic/WiFiCrackPy.git
cd WiFiCrackPy
pip3 install -r requirements.txt

Now let’s run the script:

python3 WiFiCrackPy.py
Running WiFiCrackPy.py

Now select the WiFi network; I selected 4.

Waiting for the handshake

Now it’s waiting to capture the handshake, and this happens when a client disconnects and connects again, which is what the deauthentication attack does.

You can make the tool run the deauthentication attack automatically by running it with the -d argument.

python3 WiFiCrackPy.py -d

However, this doesn’t always work, and because this article is for education purposes only, I won’t get into details on how to perform this; I just simply disconnect and connect again on my phone.

I’ll select brute-force, and since I already know the password is 11 digits, I’ll supply it with a pattern of only digits and 11 characters. I’ll also provide it with the first 4 digits to speed up the process and not burn my computer out, as this would usually take days :D Speeding it up this way makes it take only a minute.

Brute-force pattern
Status

As you can see, it’s iterating through every possible combination of digits and trying to crack the hash. You can use dictionaries if you think the password might be common, or your own brute-force pattern.

Aaaaand finally, it’s cracked!

Password cracked!

If you would like to stop and try again, that’s okay, because this tool saves the handshake in a capture.hc22000 file and you can run hashcat on it pretty easily.

You can run hashcat by running:

sudo hashcat -m 22000 capture.hc22000 -a 3 "2510?d?d?d?d?d?d?d" -O

If for some reason your WiFi gets stuck in monitoring mode, you can just run this command to switch it back:

sudo tcpdump -I -i en0 -p

Note that en0 is the interface name; it might be named something else on your machine, and you can use ifconfig to find out.

Benchmarks

You can easily find benchmarks for different GPUs online by googling them. We are typically looking for the 22000 module benchmark, as it’s the one used for cracking a WiFi password.

You can also benchmark your own computer by running the command:

hashcat -b

However, this command benchmarks all hashcat modules; to benchmark the WPA module only, you can run:

hashcat -m 22000 -b

Here are the benchmarks from my own computer:

ziadalzarka@MacBook-Pro WiFiCrackPy % hashcat -m 22000 -b
hashcat (v6.2.6) starting in benchmark mode

Benchmarking uses hand-optimized kernel code by default.
You can use it in your cracking session by setting the -O option.
Note: Using optimized kernel code limits the maximum supported password length.
To disable the optimized kernel code in benchmark mode, use the -w option.

* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable.
You have been warned.

METAL API (Metal 341.35)
========================
* Device #1: Apple M1 Max, 10880/21845 MB, 32MCU

OpenCL API (OpenCL 1.2 (Nov 11 2023 23:48:17)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M1 Max, skipped

Benchmark relevant options:
===========================
* --optimized-kernel-enable

-------------------------------------------------------------
* Hash-Mode 22000 (WPA-PBKDF2-PMKID+EAPOL) [Iterations: 4095]
-------------------------------------------------------------

Speed.#1.........: 245.0 kH/s (66.27ms) @ Accel:64 Loops:512 Thr:64 Vec:1

Started: Thu Jan 4 19:21:22 2024
Stopped: Thu Jan 4 19:21:25 2024
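To turn that benchmark into a concrete estimate, here is an added example (my own code, not from the article, WiFiCrackPy or hashcat) that computes how many candidates a hashcat mask expands to and divides by the benchmarked rate, so you can judge how long a passphrase of a given shape would hold up against this machine. The speed line is copied from the output above; the mask "2510?d?d?d?d?d?d?d" is the one from the earlier hashcat command, and the others are constructed for comparison.

```python
import re

# Sizes of hashcat's built-in charsets (?s is 33 punctuation characters
# including space; ?a = ?l?u?d?s = 95 printable ASCII characters).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat -a 3 mask expands to.
    '?x' is one position drawn from charset x, '??' is a literal '?',
    and any other character is a fixed literal (one possibility)."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("mask ends with a dangling '?'")
            sym = mask[i + 1]
            if sym != "?":
                if sym not in CHARSET_SIZES:
                    raise ValueError(f"unknown charset ?{sym}")
                total *= CHARSET_SIZES[sym]
            i += 2
        else:
            i += 1
    return total


_SPEED_RE = re.compile(r"Speed\.#\d+\.*:\s*([\d.]+)\s*([kMG]?)H/s")
_UNIT = {"": 1, "k": 1e3, "M": 1e6, "G": 1e9}


def parse_benchmark_speed(line: str) -> float:
    """Hashes per second from a hashcat 'Speed.#N....: 245.0 kH/s (...)' line."""
    m = _SPEED_RE.search(line)
    if not m:
        raise ValueError("no hashcat speed line found")
    return float(m.group(1)) * _UNIT[m.group(2)]


def seconds_to_exhaust(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate of the mask at that rate."""
    return mask_keyspace(mask) / hashes_per_second


if __name__ == "__main__":
    # Speed line copied from the M1 Max benchmark output above (mode 22000).
    rate = parse_benchmark_speed("Speed.#1.........: 245.0 kH/s (66.27ms) @ Accel:64 Loops:512 Thr:64 Vec:1")
    for mask in ("2510?d?d?d?d?d?d?d", "?d" * 11, "?a" * 8):
        secs = seconds_to_exhaust(mask, rate)
        print(f"{mask:24s} {mask_keyspace(mask):>20,d} candidates {secs / 86400:14.1f} days")
```

With the four known digits the mask is 10^7 candidates, about 41 seconds at 245 kH/s, which matches the "only a minute" above; the full 11-digit mask is 10^11 candidates, roughly 4.7 days, and eight characters from the full printable set would take centuries on this hardware.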

I hope you fed your curiosity by reading this article, please don’t use it for unethical purposes it’s for education only :)
