Wifi Cracking

How to capture a WPA Four-Way Handshake on a wireless network with AirCrack

List the wireless interfaces available

First we'll need to list the available wireless interfaces on our own device. You can do so with iwconfig or ip a.

kali@kali:~$ iwconfig

eth0     No wireless extensions
wlan0    IEEE 802.11 ESSID:off/any
         Mode:Managed Access Point: Not-Associated...
         ...

As you'll see above, the wireless device currently in use is wlan0 and it is in Managed mode. (You can get more information about the device with ifconfig wlan0.)

To capture packets we'll need to set the device interface to Monitor mode. To do that we'll use the aircrack suite of tools.

Monitor Mode

To set your interface to Monitor mode we'll use airmon-ng. This lets us switch the mode of the interface and start a monitoring session.

kali@kali:~$ airmon-ng start wlan0

If we check the interface again, we'll see it is now in monitor mode.

kali@kali:~$ iwconfig

eth0     No wireless extensions
wlan0    IEEE 802.11 Mode: Monitor Frequency:2.456 GHz Tx-Power=0 dBm
         ...

Capturing Packets

We can now capture packets on this interface using airodump.

kali@kali:~$ airodump-ng wlan0mon

Your terminal should now switch to airodump's packet capture screen.

On the top of the airodump screen you'll see the current channel. Airodump will hop multiple channels attempting to capture multiple access points. This is followed by the scan time, and the current date.

The first table lists the access points found and their associated information: BSSID is the MAC address of the access point, Beacons is the number of beacon frames seen from it (the frames an access point sends to announce itself), and CH is the channel the access point is broadcasting on.

Once we find a target that is of some interest we can narrow down our scope by fixating airodump on a particular BSSID.

kali@kali:~$ airodump-ng -c2 -w capture -d XX:XX:XX:XX:XX:XX wlan0mon

This will focus the capture on the specific channel and MAC address. The readout will also show the client or clients that are connected to the access point. Our goal here is to knock a client off the access point (de-authenticate it), forcing it to automatically try to re-authenticate and reconnect. In doing so we'll capture the four-way authentication handshake.

De-Authentication

Our primary goal now is to de-authenticate all, or a specific client from the access point so we can capture the handshake. To do that we use aireplay.

kali@kali:~$ aireplay-ng --deauth 0 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX.. wlan0mon

This sends 802.11 de-authentication frames (management frames, not TCP packets) to the client, signalling that the association is over. With aireplay-ng running, we'll keep an eye on the airodump readout of our client to see if we capture the handshake. This can take some time depending on distance from the client, signal strength, etc.

When the de-authentication is complete you should see WPA Handshake XX:XX:XX.. at the top of your airodump screen. This means we successfully captured the WPA handshake. A .cap file should have been created in whatever directory you were running airodump from.
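As a defender-side counterpart to the de-authentication step above, the following is an added example (not code from the original write-up) that scans a pcap for bursts of 802.11 de-authentication frames aimed at a client, which is exactly what this step looks like on the wire. It assumes the capture uses link type 127 (radiotap), which Linux mac80211 monitor interfaces produce; the sample capture, MAC addresses, reason codes and alert threshold are constructed for illustration.

```python
import struct
from collections import Counter

PCAP_MAGIC, LINKTYPE_RADIOTAP = 0xA1B2C3D4, 127   # link type 127 = radiotap-wrapped 802.11
DEAUTH = (0, 12)   # 802.11 type 0 (management), subtype 12 (deauthentication)
def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def iter_frames(pcap: bytes):
    """Yield bare 802.11 frames from an in-memory pcap, stripping radiotap headers."""
    magic, *_, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_RADIOTAP:
        raise ValueError("expected a little-endian pcap with radiotap link type")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]   # captured length of record
        rec = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        rt_len = struct.unpack_from("<H", rec, 2)[0]            # radiotap it_len field
        yield rec[rt_len:]

def count_deauth(pcap: bytes) -> Counter:
    """Count deauthentication frames per (bssid, target, reason code)."""
    counts = Counter()
    for f in iter_frames(pcap):
        if len(f) < 26 or ((f[0] >> 2) & 3, f[0] >> 4) != DEAUTH:
            continue   # too short, or not a deauthentication management frame
        reason = struct.unpack_from("<H", f, 24)[0]   # body follows the 24-byte MAC header
        counts[(mac(f[16:22]), mac(f[4:10]), reason)] += 1   # addr3 = BSSID, addr1 = target
    return counts

def deauth_alerts(pcap: bytes, threshold: int = 5):
    """Return sorted (key, count) pairs whose deauth count reaches the threshold."""
    return sorted((k, n) for k, n in count_deauth(pcap).items() if n >= threshold)

# --- constructed sample capture (synthetic, not a real recording) ------------------
def _frame(fc0: int, a1: bytes, a2: bytes, a3: bytes, body: bytes) -> bytes:
    return bytes([fc0, 0]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body
def _pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    rt = struct.pack("<BBHI", 0, 0, 8, 0)   # minimal 8-byte radiotap header, no fields present
    rec = lambda f: struct.pack("<IIII", 0, 0, len(rt) + len(f), len(rt) + len(f)) + rt + f
    return hdr + b"".join(rec(f) for f in frames)

AP, CLIENT, BCAST = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02"), b"\xff" * 6
SAMPLE_PCAP = _pcap(
    [_frame(0x80, BCAST, AP, AP, b"\x00" * 12)]                  # one beacon from the AP
    + [_frame(0xC0, CLIENT, AP, AP, struct.pack("<H", 7))] * 8   # burst of 8 deauths aimed at the client
    + [_frame(0xC0, CLIENT, AP, AP, struct.pack("<H", 3))]       # single deauth, reason 3 (station leaving)
)
```

Running deauth_alerts(SAMPLE_PCAP) flags only the burst of eight frames; a single reason-3 frame from a client that is genuinely leaving stays below the threshold.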

Wireshark

Now that we have the .cap file we can read it to find the handshake. To open Wireshark with the .cap file use:

kali@kali:~$ wireshark <filename>.cap

The Wireshark GUI should now have loaded the corresponding .cap file. In the display filter bar, enter the filter eapol. This shows only Extensible Authentication Protocol over LAN (EAPOL) traffic. You should be presented with four frames, labelled Message 1 of 4 through Message 4 of 4. This is the four-way handshake, which means we're good to go ahead and brute force the passphrase.

AirCrack

In this phase we'll perform the brute force to attempt to crack the passphrase using AirCrack. First we need to put our wireless interface back in Managed mode so we can connect to the wireless access point. We can do that simply by stopping airmon.

kali@kali:~$ airmon-ng stop wlan0mon

Now we can start the bruteforce on the capture file.

kali@kali:~$ aircrack-ng <filename>.cap -w /usr/share/wordlist...

As the sample above shows, you need to provide aircrack with a word list (dictionary) for the brute force.

This brute force can take time depending on how complicated the passphrase is, as well as how extensive the dictionary or word list you're using is. Aircrack will let you know when it has successfully (or unsuccessfully) cracked the passphrase. From there you can log on directly to the wireless access device.

Thanks!

This write-up, like all of them, is for educational purposes only. These methods should never be attempted in the real world on actual devices.
