How to capture a WPA handshake

There are several methods for gaining unauthorized access to a Wifi network. I will try to cover a number of them, but this post focuses on capturing a WPA handshake for a subsequent dictionary or brute-force attack.

Requirements

Before getting started make sure you have the following:
  • Raspberry Pi 3 running Kali Linux (tutorial here)
  • Wifi adapter capable of monitor mode and packet injection
  • PC
  • Decent internet connection
We'll be using the wifi adapter with the Raspberry Pi, controlling them with a PC via VNC (tutorial here).

What is a WPA handshake?

In simple words, a WPA handshake is the exchange used to authenticate a client with an AP (Access Point). To illustrate, think of it as a literal handshake: if the client offers its hand but the AP doesn't, the handshake can't happen and authentication fails. Because the inner workings of the WPA handshake are not the focus of this guide, let's get to work.

Discovering the target AP

The first thing to do is scan for nearby Wifi networks in order to find our target. We have to enable monitor mode for our network interface. Run iwconfig to find the wireless card you'll be using: it should be the one not connected to any network (note that the Pi's integrated card will necessarily be connected to a network because we're using VNC):


In this case, the interface we'll be using is wlan0. To put it into monitor mode, use the command
airmon-ng start wlan0:


We are now ready to scan for nearby wifi networks. The stronger your antenna, the more networks you'll pick up. Start scanning with airodump-ng wlan0mon:


The terminal window should start populating with all the APs around you (upper part) as well as the clients (lower part). In this case, we'll target a "dummy" AP that I set up for experimentation. Once we find our target AP, we can stop the scan by pressing Ctrl+C. Make sure to note down the BSSID and channel of the AP, as we'll be using them in the next section: capturing the WPA handshake.

Capturing the handshake

In order to capture a handshake, we need to listen to the AP's communications with its connected clients. We will achieve this using the airodump-ng command:
airodump-ng -c AP_channel --bssid AP_BSSID -w Output_File_Name wlan0mon
Some clarifications:
  • -c: specifies the channel on which our target AP is operating
  • --bssid: specifies the BSSID (or MAC address) of our target AP
  • -w: specifies the name of the output file where our survey will be logged
  • wlan0mon: the network interface we're using

The variables following each flag, e.g. AP_channel, should be replaced with the actual information in your case (see the image below).


A scan similar to the first one will start, but this time we are only monitoring our target. As soon as a client appears (in the lower part of the window), we can speed up the process with a deauthentication (or deauth) attack.
To perform it, open a new terminal window (we don't want to stop monitoring our target, otherwise we won't be able to capture a handshake). Use the aireplay-ng command as follows:
aireplay-ng -0 Number_of_attacks_desired -a AP_BSSID -c Client_BSSID wlan0mon
  • -0: selects deauthentication mode; the number that follows is how many deauth bursts to send
  • -a: specifies the BSSID (MAC address) of our target AP
  • -c: specifies the MAC address of the client we want to disconnect (this client is connected to the AP)
  • wlan0mon: wireless interface
Again, change the variables after each flag according to your needs, like in the image:


After launching the deauth attack, the client should be disconnected at any moment and will immediately reattempt a connection to the AP. This reconnection is precisely when a WPA handshake is captured. In the scan window monitoring our AP, look at the top-right corner of the console: a successful capture is reported by the words "WPA handshake: [AP BSSID]".
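From the defender's side, the deauthentication burst described above is exactly what a wireless IDS looks for: a run of deauth or disassociation frames against one station in a short time window. Below is an added example, not code from the original post or from the aircrack-ng project, of such a check in Python. It parses the 802.11 MAC header of raw frames and raises an alert when a (BSSID, station) pair sees five or more deauth/disassoc frames within two seconds. The frames, MAC addresses, timestamps and thresholds are constructed test data and assumed values; a real deployment would feed it frames from a monitor-mode capture.

```python
"""Sliding-window detector for deauthentication bursts in 802.11 frames.

Added example, not code from the original post: a minimal 802.11 MAC
header parser and a per-(BSSID, station) counter that flags the kind of
deauth burst described above, as a wireless IDS would. All frames here
are constructed in memory as test data; nothing is captured or sent.
"""
from collections import defaultdict, deque

TYPE_MGMT = 0            # IEEE 802.11 frame types / management subtypes
TYPE_DATA = 2
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(buf: bytes) -> dict:
    """Parse frame control and the three addresses of an 802.11 MAC header.

    For deauth/disassoc frames the 2-byte little-endian reason code that
    opens the frame body is returned as well.
    """
    if len(buf) < 24:
        raise ValueError("frame shorter than a 3-address MAC header")
    fc0 = buf[0]
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": mac_str(buf[4:10]),    # receiver address
        "addr2": mac_str(buf[10:16]),   # transmitter address
        "addr3": mac_str(buf[16:22]),   # BSSID in management frames
    }
    if frame["type"] == TYPE_MGMT and frame["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        if len(buf) < 26:
            raise ValueError("deauth/disassoc frame without reason code")
        frame["reason"] = int.from_bytes(buf[24:26], "little")
    return frame


def detect_deauth_bursts(records, window_s=2.0, threshold=5):
    """Flag (BSSID, station) pairs that see >= threshold deauth/disassoc frames
    within window_s seconds. records = [(timestamp_s, raw_bytes), ...] in
    chronological order; returns one alert dict per offending pair."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, raw in records:
        f = parse_frame(raw)
        if f["type"] != TYPE_MGMT or f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        bssid = f["addr3"]
        # AP->client and (spoofed) client->AP frames count toward the same pair
        station = f["addr1"] if f["addr2"] == bssid else f["addr2"]
        pair = (bssid, station)
        q = recent[pair]
        q.append(ts)
        while ts - q[0] > window_s:       # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and pair not in alerted:
            alerted.add(pair)
            alerts.append({"bssid": bssid, "station": station, "count": len(q),
                           "first_ts": q[0], "last_ts": ts, "reason": f["reason"]})
    return alerts


# ---- constructed test data (locally administered MACs, not real devices) ----
AP = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000002")
CLIENT2 = bytes.fromhex("020000000003")


def build_frame(ftype, subtype, addr1, addr2, addr3, body=b"") -> bytes:
    """Assemble an in-memory 802.11 frame with a 3-address header (test data only)."""
    fc0 = (subtype << 4) | (ftype << 2)
    return bytes([fc0, 0x00]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


def deauth(addr1, addr2, reason):
    return build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, addr1, addr2, AP, reason.to_bytes(2, "little"))


SAMPLE_RECORDS = (
    [(0.0, build_frame(TYPE_MGMT, SUBTYPE_BEACON, b"\xff" * 6, AP, AP, b"\x00" * 12)),
     (0.5, build_frame(TYPE_DATA, 0, AP, CLIENT, AP, b"payload"))]
    # burst: eight deauths in 0.7 s, alternating direction, reason 7
    # (class 3 frame received from non-associated STA)
    + [(1.0 + 0.1 * i, deauth(CLIENT, AP, 7) if i % 2 == 0 else deauth(AP, CLIENT, 7))
       for i in range(8)]
    # a single deauth from another station that is simply leaving (reason 3): no alert
    + [(30.0, deauth(AP, CLIENT2, 3))]
)


if __name__ == "__main__":
    for alert in detect_deauth_bursts(SAMPLE_RECORDS):
        print(f"deauth burst: {alert['count']} frames in "
              f"{alert['last_ts'] - alert['first_ts']:.1f}s against "
              f"{alert['station']} on BSS {alert['bssid']} (reason {alert['reason']})")
```

Run as a script it reports the one burst in the sample and stays quiet on the single reason-3 deauth, which is ordinary station behaviour. Counting both frame directions under one (BSSID, station) key matters because the forged frames are typically sent as if from the AP and as if from the client. As a mitigation rather than a detection, networks that enforce 802.11w Protected Management Frames discard unauthenticated deauth frames, so the disconnection described above does not happen there.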

And we're done! We have captured a WPA handshake and saved it in a capture file that we can use later on to attempt to recover the passphrase (this will be explored in detail in another post).


Finally, if desired, we can disable monitor mode by typing in a terminal window
airmon-ng stop wlan0mon:


If you have any problems, questions or suggestions, I will be glad to answer in the comments section below, and don't forget to share the tutorial if you found it helpful. Stay tuned for upcoming content.