Capturing The Handshake

Advanced WPA/WPA2 Password Cracking Techniques

Introduction

When WPS is disabled on your target network, or if it is enabled but configured to use push-button configuration (PBC), the methods shown in previous lectures become ineffective. In such cases, you will need to crack the WPA or WPA2 key directly.

The designers of these protocols were well aware of the weaknesses in WEP and made sure those vulnerabilities were properly addressed. They did such a thorough job that the methods used against WEP cannot be applied to WPA and WPA2.

WPA2 Key Characteristics

In WPA2, the encryption keys have several important properties that make them more secure:

As a result, the packets transmitted over the air contain virtually no information that can be used to crack the key. Even capturing a million packets would be insufficient for key recovery.

Important: The only packets that contain useful information for cracking WPA/WPA2 are the handshake packets. These are four packets exchanged between a client and the router when the client connects to the network.

Capturing the Handshake

In this section, we'll explore how to capture these critical handshake packets. The following lectures will demonstrate how to use them to crack the WPA or WPA2 key.

Initial Reconnaissance

First, run airodump-ng to identify all networks in your vicinity:

airodump-ng mon0

After identifying your target network (which uses WPA2), note its MAC address (BSSID) and channel.

Focused Monitoring

The next step is to run airodump-ng against this network only and write the captured data to a file:

airodump-ng --bssid <target_bssid> --channel <target_channel> --write WPA_handshake mon0

This command:

After executing this command, airodump-ng will monitor the target network. Now, you need to wait for the handshake to be captured.

The Handshake Process

The 4-way handshake is a crucial part of the WPA/WPA2 authentication process. It allows the client and access point to prove they know the password without actually transmitting it.

Using a Deauthentication Attack

The handshake is only sent when a client connects to the network. Rather than waiting for a new client to connect naturally, you can force a connected client to disconnect and reconnect using a deauthentication attack.

Ethical Reminder: Only perform these techniques on networks you own or have explicit permission to test.

To perform a deauthentication attack:

aireplay-ng --deauth 4 -a <target_bssid> -c <client_mac> mon0

This command:

After executing this command, watch the airodump-ng output. Once the client reconnects, the handshake will be captured and displayed in the top-right corner of the airodump-ng interface. At this point, you can stop airodump-ng by pressing Ctrl+C, as the handshake is now stored in the file specified earlier.
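Seen from the network operator's side, the burst of deauthentication frames that the command above produces is exactly what a wireless IDS looks for. The following Python function is an added example, not part of the original lecture or of the aircrack-ng suite; it runs over a constructed list of management-frame records (timestamp, subtype, source, destination, BSSID, reason code, all invented) and flags a station that sees a burst of deauthentication frames within a short window, while ignoring the single deauthentication a client sends when it leaves normally.

```python
from collections import defaultdict, deque

# Constructed 802.11 management-frame records, in the shape a WIDS sensor or a
# tshark export might produce: (timestamp_s, subtype, src, dst, bssid, reason_code).
# Every address, time and reason code here is invented for this example.
SAMPLE_FRAMES = [
    (0.00, "beacon", "AA:BB:CC:00:00:01", "FF:FF:FF:FF:FF:FF", "AA:BB:CC:00:00:01", None),
    (0.50, "deauth", "DE:AD:BE:EF:00:02", "AA:BB:CC:00:00:01", "AA:BB:CC:00:00:01", 3),  # client leaving normally
    (5.00, "deauth", "AA:BB:CC:00:00:01", "DE:AD:BE:EF:00:01", "AA:BB:CC:00:00:01", 7),
    (5.02, "deauth", "DE:AD:BE:EF:00:01", "AA:BB:CC:00:00:01", "AA:BB:CC:00:00:01", 7),
    (5.04, "deauth", "AA:BB:CC:00:00:01", "DE:AD:BE:EF:00:01", "AA:BB:CC:00:00:01", 7),
    (5.06, "deauth", "DE:AD:BE:EF:00:01", "AA:BB:CC:00:00:01", "AA:BB:CC:00:00:01", 7),
    (5.08, "deauth", "AA:BB:CC:00:00:01", "DE:AD:BE:EF:00:01", "AA:BB:CC:00:00:01", 7),
    (5.90, "eapol", "AA:BB:CC:00:00:01", "DE:AD:BE:EF:00:01", "AA:BB:CC:00:00:01", None),  # handshake restarts
]


def station_of(src, dst, bssid):
    """Return the non-AP address of a frame, i.e. the client the deauth concerns."""
    return dst if src == bssid else src


def detect_deauth_bursts(frames, window_s=1.0, threshold=4):
    """Flag (bssid, client) pairs that see `threshold` deauth frames within `window_s`.

    One deauth as a client leaves is normal. A tight burst in both directions,
    followed by a fresh EAPOL exchange, is the footprint of a forced reconnect.
    An alert is emitted at the moment a pair's count reaches the threshold.
    """
    recent = defaultdict(deque)  # (bssid, client) -> timestamps of recent deauths
    alerts = []
    for ts, subtype, src, dst, bssid, reason in frames:
        if subtype != "deauth":
            continue
        key = (bssid, station_of(src, dst, bssid))
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop frames that fell out of the window
            q.popleft()
        if len(q) == threshold:
            alerts.append({"bssid": bssid, "client": key[1], "count": len(q),
                           "first_ts": q[0], "last_ts": ts, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_bursts(SAMPLE_FRAMES):
        print("deauth burst:", alert)
```

Deauthentication frames are unauthenticated in baseline WPA2, which is why they can be forged at all; enabling 802.11w Protected Management Frames on the access point and its clients makes forged deauthentication frames fail integrity checking and be dropped.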

Handshake Capture Workflow

The diagram above illustrates the complete workflow for capturing a WPA/WPA2 handshake for password cracking purposes.

Key Takeaways