How to Crack WPA2 WiFi Networks using the Raspberry Pi

Cracking WPA and WPA2 networks is still very difficult and depends entirely on a brute-force attack with a good dictionary: the word-list you use determines your success rate. In this tutorial I will show you how to grab the 4-Way Handshake from a WPA2 WiFi network and how to run an offline brute-force attempt at finding the network password. The Raspberry Pi 3 can check around 500 keys per second, which is not really fast when you have a word-list with over 10 million passwords to check.

The Raspberry Pi 3 can check around 1.8 million passwords an hour, which again does not guarantee that it will find the correct password for a WPA2 WiFi network. The best use of the Raspberry Pi in WiFi hacking is to collect a 4-Way Handshake and then transfer the handshake to a more powerful computer for cracking. The Raspberry Pi is good for a scenario like this because of its mobility: you can easily attach a battery to your Pi, put it in a backpack and walk around collecting handshakes to crack.

Today’s tutorial will show you how to capture a 4-Way Handshake and then use our Raspberry Pi 3 to crack the password. We will be using the aircrack-ng suite both to collect the handshake and to crack the password. You will need a good word-list for cracking, and there are many word-lists out there. One of the biggest word-lists I have seen is the CrackStation Wordlist, which has over 1.5 billion passwords put together from many data breaches such as LinkedIn and MySpace. Let’s get started.

To capture a 4-Way Handshake from a WPA2 WiFi network and crack the password using a brute-force method

You will need the following:

I will be running a freshly installed version of Raspbian Jessie on my Raspberry Pi. You can use Raspbian Jessie Lite on your Raspberry Pi, since we will only need the terminal and I will be using SSH to run all my commands. Go ahead and connect to your Raspberry Pi and let’s begin by installing the aircrack-ng suite. Run the following command to install the dependencies for the aircrack-ng suite:

Now that we have the libraries downloaded and installed, run the following commands to download the latest version of aircrack-ng, then unzip it and install it. You may want to check out the aircrack-ng download page here and verify the URL of the latest Linux version. I tested this tutorial with aircrack-ng 1.2-RC4.

After we have built aircrack-ng from source and installed it, we need to update the IEEE OUI file. The OUI is the vendor prefix of an IEEE 802 MAC address, and aircrack-ng uses the OUI file to look up the manufacturer of the devices it sees.

Now that we have aircrack-ng installed we can begin searching for targets. I will be hacking my own WiFi network today for demonstration purposes. Let’s begin by putting our WiFi adapter into monitor mode. You will need a USB WiFi adapter that supports monitor mode for this to work; the onboard WiFi adapter of the Raspberry Pi 3 will not work. I use the Alfa AWUS036H in this tutorial.

You can view all your WiFi adapters with the ‘iwconfig’ command. Your USB adapter will most likely be ‘wlan1’. Let’s put our WiFi adapter into monitor mode with the following command, being sure to replace wlan1 with your interface:

This will put our WiFi adapter into monitor mode and create a new interface for us to use; in my case the new interface is wlan1mon. Now let’s see what WiFi networks are around us by running the following command:

sudo airodump-ng wlan1mon

You can see my network name is ‘dayz’, that my network is running on channel ‘3’ and that the BSSID is ‘DC:EF:09:C6:BD:BD’. Be sure to write down the BSSID and the channel, since we will need them for the next step.

In the next step we capture the handshake so that we can use it to crack the WiFi password. To capture it we sit and monitor all the traffic on the WiFi network, waiting for a new device to connect or reconnect. We can run ‘deauth’ commands to speed things up: they boot devices off the network, and when the devices reestablish their connection we capture the handshake.

Let’s start by monitoring all the traffic of the network whose handshake we want to capture. We will use airodump-ng to write all the data to a file, and we will need the channel number and the BSSID. Edit the command below to fit your needs: the ‘--write’ argument is the filename we save to (I like to use the SSID), and you should replace the BSSID with your BSSID. The -c argument is the channel and the --write (or -w) argument is the filename to save to.

You should get a screen similar to the one above, monitoring all the data on the network. Next, to speed things up, let’s run some ‘deauth’ commands to capture a handshake. Open a new terminal window or a new SSH connection and type the following command. We will need the BSSID this time: the -a argument is the BSSID, and the 10 next to --deauth is the number of deauth packets to send to the network.

You should see the deauth frames being sent. After the command finishes, go back to your other window that is monitoring the data and check whether you have captured a handshake: you should see ‘WPA Handshake’ appear in the top right corner. Look at the image below for the handshake being captured.

Once you have captured the handshake you can hit CTRL+C to stop capturing data. You can also close the other SSH connection or terminal in which you ran the deauth command, since we will not need it anymore.
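The deauth step above is also the part of this procedure that a defender can see on the air. As an added example that is not from the original post, here is a small Python detector that flags a burst of deauthentication frames from one BSSID and a 4-Way Handshake (EAPOL) that follows it shortly after, run over constructed frame records; the client address and timings are invented, and only the BSSID is the one from the tutorial.

```python
from collections import defaultdict, deque

# Constructed sample of 802.11 frame records, in the shape a monitor-mode
# sniffer or a WIDS might log them: (time_s, frame_type, src, dst, bssid).
# Synthetic values for this example, not a real capture.
AP_BSSID = "DC:EF:09:C6:BD:BD"   # BSSID used in the tutorial
CLIENT = "02:00:00:00:00:01"     # constructed client address
BCAST = "FF:FF:FF:FF:FF:FF"

SAMPLE_FRAMES = (
    [(0.00, "beacon", AP_BSSID, BCAST, AP_BSSID)]
    # a burst of 40 broadcast deauths within ~80 ms, as a deauth tool produces
    + [(0.10 + i * 0.002, "deauth", AP_BSSID, BCAST, AP_BSSID) for i in range(40)]
    # the client reconnects and the 4-Way Handshake (EAPOL) starts
    + [(0.50, "auth", CLIENT, AP_BSSID, AP_BSSID),
       (0.55, "assoc_req", CLIENT, AP_BSSID, AP_BSSID),
       (0.60, "eapol", AP_BSSID, CLIENT, AP_BSSID)]
    # a single deauth much later: normal AP housekeeping, not a flood
    + [(30.0, "deauth", AP_BSSID, CLIENT, AP_BSSID)]
)

def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Return alerts for any BSSID that sources more than `threshold`
    deauth/disassoc frames inside a sliding window of `window_s` seconds,
    and for a handshake (EAPOL) seen within 5 s after such a flood."""
    recent = defaultdict(deque)   # bssid -> timestamps of recent deauths
    alerted = {}                  # bssid -> time the flood alert fired
    alerts = []
    for t, ftype, src, dst, bssid in sorted(frames):
        if ftype in ("deauth", "disassoc"):
            q = recent[bssid]
            q.append(t)
            while q and t - q[0] > window_s:   # drop frames outside the window
                q.popleft()
            if len(q) > threshold and bssid not in alerted:
                alerted[bssid] = t
                alerts.append(("deauth_flood", bssid, t, len(q)))
        elif ftype == "eapol" and bssid in alerted and t - alerted[bssid] < 5.0:
            # handshake right after a flood: the pattern the tutorial relies on
            alerts.append(("handshake_after_flood", bssid, t, dst))
    return alerts

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print(alert)
```

The standard mitigation is 802.11w (Protected Management Frames): with it enabled on the access point and clients, unauthenticated deauthentication frames like the burst above are discarded rather than acted on.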

We are now ready to attempt to crack the WPA password. Remember that all your success lies in the word-list you use. The Raspberry Pi 3 is pretty slow, so I would not suggest running a huge word-list on it, but a small word-list of common passwords runs fairly quickly.

All you will need is the filename you used above; in my case it was ‘dayz’. You can use the ‘ls’ command to find the files that were written. The handshake will be stored in ‘dayz-01.cap’. Run the following command to begin cracking the WPA WiFi network with the word-list you have. This runs offline, so you do not need to be near the WiFi network to crack it.

That’s basically it: once you run that command, aircrack-ng will check every password in your word-list, trying to see whether any of them produces a key that matches the captured 4-Way Handshake. The Raspberry Pi can check around 250-500 keys per second, which is fairly slow. As you can see in my example, it will take over an hour to check 1.25 million passwords, which is a small word-list to begin with.

NOTE: You can use an online hash cracking service to which you upload your captured handshake, and it will attempt to crack the password. It will work a lot faster than your Raspberry Pi, and faster than your own computer as well.

  • SemE

    June 24, 2017

    what exactly do you do with “write dayz wlan1mon”?

    does it mean writing to “dayz” file, through the wlan1 monitor?

    • dayz

      July 10, 2017

      That would be correct. You can name your file anything you want.

  • wan

    December 1, 2017

    Thing didn’t work on ‘sudo make’.
    What did I do wrong?

    • Sont

      December 22, 2017

      Post the error message.

    • test

      January 1, 2018

      Do “sudo apt-get install aircrack-ng” instead; it worked for me.

  • Greg

    March 4, 2018

    I was all good until the end with the wordlist. I can’t get the wordlists from the website you gave; it always comes back saying “passphrase not in dictionary”, 3/0 keys tested. What can I input for the [yourwordlist.txt]? Thanks!!

  • Ned

    March 11, 2018

    Does it work with Kali Linux?
    And because I am new: can I just swap the SD card with another one, and will all the WiFi hacking be on the first SD card, or will it stay on the Raspberry?

  • griffin

    September 18, 2018

    the line “tar -zxvf aircrack-ng-1.2-rc4.tar.gz” didn’t work for me what do I do?

  • Rpi

    October 11, 2018

    When the password is found, what will be shown on the screen? Will the code stop?

    • dayz

      October 12, 2018

      It should show you the password that was found.

      • ralph

        November 24, 2018

        it is really funny if you run “screen aircrack-ng blahblah” without the -l option, because AFTER the password cracks after 3 days of solid work, screen terminates and the password is not readable!

        Good times.

        • dayz

          August 9, 2019

          The Raspberry Pi is more efficient at capturing the handshake. You can use it for cracking but it will be very slow…

  • Apurv

    August 25, 2019

    Hi, I followed the instructions but ran into an error:

    ~/aircrack-ng-1.2-rc4 $ sudo make
    make -C src all
    make[1]: Entering directory ‘/home/pi/aircrack-ng-1.2-rc4/src’
    sh ../autocfg gcc ..
    trap: SIGINT: bad trap
    gcc -g -W -Wall -O3 -DOLD_SSE_CORE=1 -pthread -D_FILE_OFFSET_BITS=64 -D_REVISION=0 -DCONFIG_LIBNL30 -DCONFIG_LIBNL -I/usr/include/libnl3 -fstack-protector-strong -Wno-unused-but-set-variable -Wno-array-bounds -Iinclude -c -o aircrack-ng.o aircrack-ng.c
    aircrack-ng.c: In function ‘do_make_wkp’:
    aircrack-ng.c:4442:3: warning: ‘strncpy’ output may be truncated copying 32 bytes from a string of length 32 [-Wstringop-truncation]
    strncpy( ap_cur->essid, opt.essid, sizeof( ap_cur->essid ) - 1 );
    aircrack-ng.c: In function ‘do_make_hccap’:
    aircrack-ng.c:4593:3: warning: ‘strncpy’ output may be truncated copying 32 bytes from a string of length 32 [-Wstringop-truncation]
    strncpy( ap_cur->essid, opt.essid, sizeof( ap_cur->essid ) - 1 );
    aircrack-ng.c: In function ‘main’:
    aircrack-ng.c:5464:5: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
    strncpy(opt.logKeyToFile, optarg, strlen(optarg));
    aircrack-ng.c:5489:5: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
    strncpy(opt.hccap, optarg, strlen(optarg));
    aircrack-ng.c:5476:5: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation]
    strncpy(opt.wkp, optarg, strlen(optarg));
    aircrack-ng.c:6177:4: warning: ‘strncpy’ output may be truncated copying 32 bytes from a string of length 32 [-Wstringop-truncation]
    strncpy( ap_cur->essid, opt.essid, sizeof( ap_cur->essid ) - 1 );
    gcc -g -W -Wall -O3 -DOLD_SSE_CORE=1 -pthread -D_FILE_OFFSET_BITS=64 -D_REVISION=0 -DCONFIG_LIBNL30 -DCONFIG_LIBNL -I/usr/include/libnl3 -fstack-protector-strong -Wno-unused-but-set-variable -Wno-array-bounds -Iinclude -c -o cpuid.o cpuid.c
    gcc -g -W -Wall -O3 -DOLD_SSE_CORE=1 -pthread -D_FILE_OFFSET_BITS=64 -D_REVISION=0 -DCONFIG_LIBNL30 -DCONFIG_LIBNL -I/usr/include/libnl3 -fstack-protector-strong -Wno-unused-but-set-variable -Wno-array-bounds -Iinclude -c -o crypto.o crypto.c
    crypto.c: In function ‘calc_mic’:
    crypto.c:291:11: error: storage size of ‘ctx’ isn’t known
    HMAC_CTX ctx;
    crypto.c:317:2: warning: implicit declaration of function ‘HMAC_CTX_init’; did you mean ‘HMAC_CTX_new’? [-Wimplicit-function-declaration]
    crypto.c:327:2: warning: implicit declaration of function ‘HMAC_CTX_cleanup’; did you mean ‘HMAC_CTX_get_md’? [-Wimplicit-function-declaration]
    crypto.c:291:11: warning: unused variable ‘ctx’ [-Wunused-variable]
    HMAC_CTX ctx;
    crypto.c: In function ‘calc_tkip_mic_key’:
    crypto.c:932:5: warning: this ‘if’ clause does not guard… [-Wmisleading-indentation]
    if((ptr-message) % 4 > 0)
    crypto.c:933:49: note: …this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’
    memcpy(ptr, ZERO, 4-((ptr-message)%4)); ptr+=4-((ptr-message)%4);
    make[1]: *** [: crypto.o] Error 1
    make[1]: Leaving directory ‘/home/pi/aircrack-ng-1.2-rc4/src’
    make: *** [Makefile:25: all] Error 2

    Please help me out! Thanks!!!!
