In the previous section, we saw how we can use the WPS feature in routers to crack the WPA key. This process is guaranteed to work on every WPS-enabled network; therefore, if your target uses WPA or WPA2 encryption and has WPS enabled, that should be the first method you try to crack the password with. If WPS is not enabled, however, we have to crack the actual WPA key. As we explained in the section on WPS cracking, in WPA, each packet is encrypted using a unique, temporary key, it's not like WEP, where IVs are repeated and we collect a large number of data packets with the same IVs. In each WPA packet, there is a temporary unique IV, even if we collect one million packets, these packets will not be useful for us—they do not contain any information that can help us determine the actual WPA key.

The only packets that contain information that can help us determine the key are the handshake packets. These are four packets, sent when a new device or a new client connects to the target network. For example, when we are at home and our device connects to the network, we have the password, and a process called a four-way handshake happens between the device and the AP. In this process, four packets, called the handshake packets, get transferred between the two devices, to authenticate the device connection. Using aircrack-ng, we can use a wordlist, testing each password in the wordlist by using the handshake. To crack WPA encrypted networks, we need two things: we need to capture the handshake, and we need a wordlist that contains passwords.