How to Capture a WPA Handshake

To recover a forgotten WiFi password, you need to capture the WPA 4-way handshake, a brief cryptographic exchange that happens when any device connects to your network. This guide covers two methods: hcxdumptool (recommended) and the aircrack-ng suite.

Before you start

You need a WiFi adapter that supports monitor mode. Most built-in laptop adapters do not support this. A USB adapter based on the Realtek RTL8812AU, RTL8832AU, or MediaTek MT7612U chipsets works well in 2026. You also need a Linux system (Ubuntu, Kali, or any other distro).

Method 1: hcxdumptool (Recommended)

hcxdumptool is purpose-built for WPA capture. It outputs .pcapng files, which the hcxpcapngtool converter turns into the hash format that hashcat reads. This is the most reliable method.

Step 1 — Install hcxdumptool

# Ubuntu / Debian
sudo apt update && sudo apt install hcxtools hcxdumptool

# Kali Linux (usually pre-installed)
sudo apt install hcxtools

Step 2 — Find your WiFi interface name

ip link show
# Look for your WiFi adapter — typically wlan0, wlp3s0, or wlan1

The interface name will be used in all commands below. Replace wlan0 with your actual interface name.

Step 3 — Capture the handshake

# Stop NetworkManager from interfering
sudo systemctl stop NetworkManager

# Start capture (replace wlan0 with your interface)
sudo hcxdumptool -i wlan0 -o capture.pcapng

# Let it run for 2-5 minutes while a device connects to your network
# Press Ctrl+C to stop when done

While the capture runs, connect a phone or laptop to your WiFi network — the handshake is captured during that connection. Note: the --active_beacon flag was removed in hcxdumptool 6.x.

Step 4 — Convert to hashcat format (optional)

# Convert .pcapng to .hc22000 (hashcat modern format)
hcxpcapngtool -o capture.hc22000 capture.pcapng

# Check whether a handshake was captured
head -n 1 capture.hc22000
# Should start with: WPA*01* (PMKID) or WPA*02* (EAPOL handshake)

You can submit either the .pcapng or the .hc22000 to our recovery service. Both are supported.
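
To see what the converted file from Step 4 actually holds, the following Python script (an added example, not part of the original guide or of hcxtools) parses each hc22000 line, decodes the BSSID, client MAC and SSID, and counts PMKID and EAPOL records for the network you name. The field layout is the one hashcat documents for mode 22000; the sample lines and the names parse_hc22000_line and summarize are constructed for illustration.

```python
# Added example: inspect hc22000 records written by hcxpcapngtool.
# Assumed field layout (hashcat mode 22000):
# WPA*TYPE*PMKID-or-MIC*AP-MAC*CLIENT-MAC*ESSID*ANONCE*EAPOL*MESSAGEPAIR
RECORD_TYPES = {"01": "PMKID", "02": "EAPOL handshake"}

def _mac(hex12):
    if len(hex12) != 12:
        raise ValueError("MAC field must be 12 hex digits")
    return bytes.fromhex(hex12).hex(":")

def parse_hc22000_line(line):
    """Return a dict for one record (ESSID hex-decoded); raise ValueError if malformed."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in RECORD_TYPES:
        raise ValueError("not an hc22000 record")
    if len(bytes.fromhex(fields[2])) != 16:
        raise ValueError("PMKID/MIC must be 16 bytes")
    if fields[1] == "02" and (len(fields[6]) != 64 or not fields[7]):
        raise ValueError("EAPOL record lacks ANONCE or EAPOL frame")
    return {
        "type": RECORD_TYPES[fields[1]],
        "bssid": _mac(fields[3]),
        "client": _mac(fields[4]),
        "essid": bytes.fromhex(fields[5]).decode("utf-8", errors="replace"),
    }

def summarize(text, expected_essid):
    """Count usable records for expected_essid; collect other ESSIDs and bad lines."""
    out = {"PMKID": 0, "EAPOL handshake": 0, "other_networks": set(), "invalid": 0}
    for line in filter(str.strip, text.splitlines()):
        try:
            rec = parse_hc22000_line(line)
        except ValueError:
            out["invalid"] += 1
            continue
        if rec["essid"] == expected_essid:
            out[rec["type"]] += 1
        else:
            out["other_networks"].add(rec["essid"])
    return out

# Constructed sample (not real capture data); the EAPOL field is a truncated placeholder.
HOME, CAFE = "HomeNet".encode().hex(), "CafeGuest".encode().hex()
SAMPLE = "\n".join([
    "WPA*01*" + "11" * 16 + "*aabbccddeeff*020000000001*" + HOME + "***",
    "WPA*02*" + "22" * 16 + "*aabbccddeeff*020000000001*" + HOME + "*" + "33" * 32 + "*0103005f*02",
    "WPA*02*" + "44" * 16 + "*665544332211*020000000002*" + CAFE + "*" + "55" * 32 + "*0103005f*00",
    "garbage line",
])
```

Calling summarize(open("capture.hc22000").read(), "YourSSID") on a real file shows whether it holds any record for your network; a non-empty other_networks set means the file also contains records for networks other than the one you named.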

Method 2: aircrack-ng + airodump-ng

This is the classic method, using the aircrack-ng suite. It outputs a .cap file. Setup is slightly more involved, but the method is widely documented.

Install aircrack-ng

sudo apt install aircrack-ng

Enable monitor mode

sudo airmon-ng check kill
sudo airmon-ng start wlan0
# Interface is now typically called wlan0mon

Find your network's channel and BSSID

sudo airodump-ng wlan0mon
# Find your network in the list
# Note the BSSID (MAC address) and CH (channel) columns

Capture the handshake

# Replace XX:XX:XX:XX:XX:XX with your router BSSID
# Replace 6 with your network channel
sudo airodump-ng -c 6 --bssid XX:XX:XX:XX:XX:XX -w capture wlan0mon

# In another terminal, reconnect a device to your WiFi
# When you see "WPA handshake: XX:XX:XX:XX:XX:XX" in the output, you're done
# Press Ctrl+C to stop

The output file will be capture-01.cap. This file is ready to upload directly.

Troubleshooting

No handshake captured after 10 minutes

Make sure a device actually connects to the network during the capture: it must disconnect and reconnect, not just stay connected. On iOS: go to Settings → WiFi → tap your network → Forget → reconnect.

Interface doesn't support monitor mode

Most built-in laptop WiFi cards don't support monitor mode. You need a dedicated USB WiFi adapter. Recommended in 2026: Alfa AWUS036ACHM (MT7612U) or Alfa AWUS036ACH (RTL8812AU). Both are widely supported on Linux and available online.

hcxdumptool: permission denied

Run with sudo. hcxdumptool requires root privileges to put the adapter into monitor mode.

hc22000 file is empty after conversion

The capture didn't contain a complete handshake. The EAPOL 4-way handshake requires all 4 packets (messages 1-4) to be captured. Try again and ensure a device connects while hcxdumptool is running.

Ready to submit your capture file?

Upload your .cap, .pcapng, or .hc22000 file to verify the handshake and submit for GPU recovery.
