Contact GitHub

WPA2-Personal

WPA2
Wi-Fi Protected Access 2 with a pre-shared key (AES-CCMP). The mainstream standard, and the single highest-value capture-and-crack lab in the manual.
Introduced2004
EncryptionAES-CCMP
Key mgmtPSK
PMFOptional
PrevalenceUbiquitous

How it works

WPA2-Personal authenticates every client with a single shared passphrase, but it never sends that passphrase over the air. Instead, the access point and the client run a four-way handshake that proves both sides know the Pairwise Master Key (PMK) derived from the passphrase, and along the way they agree on fresh per-session keys (the PTK) used to encrypt traffic with AES-CCMP.

ACCESS POINT authenticator CLIENT supplicant Both already hold the PMK (from the passphrase + SSID); the handshake proves it without sending it. M1: ANonce client derives the PTK M2: SNonce + MIC AP derives the PTK, checks MIC M3: GTK + MIC (install keys) M4: ACK + MIC Keys installed; traffic now encrypted with AES-CCMP Offline crack: the captured frames carry both nonces and the MIC, so an attacker tests each guessed passphrase (PMK -> PTK -> MIC) against the capture with no further contact. Strength = the passphrase.
The WPA2 four-way handshake. The passphrase never crosses the air, but the four frames carry the two nonces and the message integrity code (MIC), which is exactly what lets a captured handshake be cracked offline.

That design is strong against passive eavesdropping. Its weakness is that the four handshake frames contain everything an attacker needs to test passphrase guesses offline. Capture one handshake and you can grind candidate passphrases against it on your own hardware, as fast as your GPU allows, with no further contact with the network. The security of a WPA2-Personal network therefore comes down entirely to the strength of its passphrase.

Configuring it in Tala WTE

The protocol-specific control for WPA2-Personal is the PMKID Exposed toggle, which the Topology section reveals only for this protocol. Left off (the default), the access point withholds the PMKID exactly like a modern router, so capturing the key requires a real client and a full four-way handshake. Turned on, the AP advertises the RSN PMKID in the first handshake frame, opening the clientless capture path below. For a realistic crack lab, pick a passphrase that sits in a wordlist (for example Summer2026!) so students get the full capture-to-crack loop without waiting on a hopeless brute force.

For the full New-Network walkthrough, see Networks.

Attacks

The classic attack captures a four-way handshake and cracks it offline. Put an adapter in monitor mode, watch for the target, and deauthenticate a connected client to force a reconnect so the handshake replays:

airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w cap wlan0mon
aireplay-ng -0 3 -a AA:BB:CC:DD:EE:FF wlan0mon
hashcat -m 22000 cap.hc22000 wordlist.txt

When PMKID Exposed is on, you skip the client entirely. The AP hands you the PMKID in its first reply, which hcxdumptool harvests and you crack with the same hashcat mode:

hcxdumptool -i wlan0mon -o pmkid.pcapng
hcxpcapngtool -o pmkid.hc22000 pmkid.pcapng
hashcat -m 22000 pmkid.hc22000 wordlist.txt

What you find in the field

WPA2-Personal still backs the overwhelming majority of home and small-business networks, which makes it the single highest-value capture-and-crack target you will meet. The cipher is sound, so the win is never the crypto: it is the passphrase. In surveys you find the predictable failures, the SSID-derived password, the street address, the phone number, the seasonal Spring2026!, all of which fall in seconds to a wordlist and a GPU. PMKID exposure is increasingly rare on current routers, so most real captures still come from a deauthentication burst and a four-way handshake, which is why a connected client (or one you can force to reconnect) is the practical prerequisite. The honest takeaway for a report is blunt: a WPA2-Personal network is exactly as strong as its passphrase, and once a handshake is on disk the contest moves entirely to your hardware and your wordlist, with no further contact required.

Defending against it

There is no fix for the offline handshake crack itself; the four-way handshake leaks crackable material by design, so the defense is to make the offline grind hopeless. Choose a long, high-entropy passphrase that no wordlist contains, and never derive it from the SSID, the address, or anything guessable. Enable Protected Management Frames (PMF, IEEE 802.11w) where every client supports it, which blocks the unauthenticated deauthentication that forces a handshake on demand. Keep AP and client firmware current so the KRACK key-reinstallation flaws and the FragAttacks frame-aggregation flaws stay patched. Where the client fleet allows, move to WPA3-Personal (SAE), which closes the offline dictionary attack outright; see WPA3-Personal. For mixed fleets, understand that WPA3-Transition leaves the WPA2-PSK path intact and therefore inherits this exact weakness.

References

(c) 2026 VTEM Labs, Inc. All rights reserved. | vtemlabs.com