WPA2 Handshake Capture and Cracking

This is a basic attack for compromising WPA2/PSK passwords by capturing and cracking the hash contained in an intercepted WPA2 handshake. This is a classic attack against a common technology and is often one of the first types of wireless attacks learned by security hobbyists.

Disclaimer

This is a common attack that's asked about by students and school-aged kids pretty often, usually in the context of "how do I hack my school wifi".

If you are such a person, please don't try to do this. It's illegal, and the types of security controls used in enterprise and institutional settings are significantly more advanced than what can be handled by the techniques presented here.

Accordingly, this article is for security enthusiasts who just want to gain a basic understanding of WPA2/PSK attack methodologies, either for fun on their own hardware, or for testing customer deployments.

Pre-requisites

Almost any time you perform active wifi attacks, you'll need a wireless card that's capable of packet injection. This is only possible with a very select number of wireless chipsets, so it's usually best to buy an external device. Aircrack maintains a list of common known-working devices. Most of these are USB devices by the Taiwanese manufacturer ALFA. If you're lucky and have an internal wireless card that uses the ath9k driver, it may work as well, but most of the laptops that use these cards are from the mid-to-late 2000s.

To put it to bed right away:

No, you will not be able to use your phone's integrated wireless card to do leet wifi haxor stuff with Kali nethunter.

It is possible to deploy some pretty cool mobile setups for activities like warwalking, but this would usually use something like a Raspberry Pi + an ALFA card + a phone to SSH into the Pi. That's beyond the scope of this article, though.

tl;dr buy an ALFA USB card

In addition to a proper wireless card, you'll also need the Aircrack-ng suite. This can be installed on Ubuntu-like Linuxes like so:

sudo apt-get install aircrack-ng

Of course, if you're using Kali, the Aircrack suite comes pre-installed.

Sniffing traffic

Once we have a proper wifi card and the software installed, we need to enable monitor mode and actually start sniffing for stuff.

Starting off, use ip a or ifconfig to identify what interface name your ALFA card is using. Mine normally shows up as wlan1, so that's what we'll be using in the examples. Once you've identified this, we can begin.

First, we have to actually start up the card in monitor mode:

sudo airmon-ng start wlan1

After this, we can start sniffing for general traffic like so (recent versions of airmon-ng create a separately named monitor interface, typically wlan1mon, and print that name; use whatever name it reports in this and the following commands):

sudo airodump-ng wlan1

If we want to do an active attack against a particular access point, we'll want to make sure we're only sniffing traffic for that particular AP. Go over the output of airodump and get the wireless channel and BSSID (MAC address) of the AP you want to target. Then stop airodump with ctrl+c and re-run it, filling in the information you collected like so:

sudo airodump-ng -c [target channel] --bssid [target MAC] -w [filename to write] wlan1

This will start collecting data specific to the AP you're wanting to target.

Deauth attack and capturing the handshake

Warning: Performing a deauth attack against APs you don't own could be used to prove intent to commit various crimes. Please only consider running deauth attacks against your own infrastructure or infrastructure you've been given permission to test.

In order to crack a WPA2 network, we need to capture the WPA2 4-way handshake. This is the exchange in which the AP and the client negotiate authentication, and within it are the key-derived values (the EAPOL message integrity codes) that an offline cracker tests candidate passwords against.

This handshake gets transmitted any time a device authenticates to the AP, so we could hypothetically sit around and passively sniff these as users come and go, but if we're impatient, we can use a deauth attack to force a device to disconnect from the network. Since most devices are configured to automatically reconnect to wifi, this will cause the device to immediately try to reauthenticate, which lets us capture the handshake.

While airodump is running, open another terminal and run the following:

sudo aireplay-ng -0 1 -a [AP MAC/BSSID] -c [Client MAC/STATION] wlan1

You should be able to fill in the blanks from information found in your airodump session. Clients should be the MAC addresses on the bottom, while the AP is the MAC near the top.

Once you run the deauth attack, the client should be knocked offline. In most cases, it will then try to reauthenticate and will broadcast the 4-way handshake. If you have sufficient signal strength, you should be able to capture the handshake, and this will be noted near the top of your Airodump output.
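The deauth burst that triggers the reconnect is also exactly what a wireless intrusion detection sensor keys on: a single aireplay-ng -0 1 run emits dozens of deauthentication frames in well under a second, whereas a client leaving normally sends one. The following is an added example, not code from the original article: a sliding-window detector run over constructed frame records (hypothetical addresses, timestamps and reason codes), the kind of rule a monitoring setup would apply to management frames parsed from a monitor-mode capture. Where the AP and clients support it, 802.11w Protected Management Frames is the mitigation that makes spoofed deauth frames ineffective.

```python
from collections import defaultdict, deque

# Constructed MAC addresses for this example (locally administered, not real devices).
AP = "02:00:00:00:aa:01"
CLIENT = "02:00:00:00:cc:01"

# Constructed sample of 802.11 management frames as a sensor might record them
# after parsing a capture. Fields: time in seconds, frame subtype, source
# address, destination address, reason code (only for frames that carry one).
SAMPLE_FRAMES = [
    # normal association of the client to the AP
    (0.00, "assoc_resp", AP, CLIENT, None),
    # the client leaving politely: a single deauth, reason 3 (station is leaving)
    (30.00, "deauth", CLIENT, AP, 3),
    # suspicious: six deauths in 150 ms, all claiming to come from the AP
    (60.00, "deauth", AP, CLIENT, 7),
    (60.03, "deauth", AP, CLIENT, 7),
    (60.06, "deauth", AP, CLIENT, 7),
    (60.09, "deauth", AP, CLIENT, 7),
    (60.12, "deauth", AP, CLIENT, 7),
    (60.15, "deauth", AP, CLIENT, 7),
    # the client reconnects: authentication, association and a fresh handshake
    (60.90, "auth", CLIENT, AP, None),
    (60.95, "assoc_req", CLIENT, AP, None),
    (61.00, "eapol", AP, CLIENT, None),
]


def detect_deauth_bursts(frames, window_s=1.0, threshold=5):
    """Flag a source address that emits >= threshold deauth/disassoc frames
    inside a sliding window of window_s seconds.

    Returns one alert per burst: a dict with the time the threshold was
    crossed, the offending source address, the frame count in the window and
    the set of targeted stations. Reason codes are deliberately ignored,
    since a sender picks them freely."""
    recent = defaultdict(deque)   # src -> deque of (time, dst) within the window
    alerts = []
    for t, subtype, src, dst, _reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append((t, dst))
        while q and t - q[0][0] > window_s:
            q.popleft()
        # Fire exactly when the count reaches the threshold, so one long burst
        # yields a single alert rather than one per additional frame.
        if len(q) == threshold:
            alerts.append({
                "time": t,
                "src": src,
                "count": len(q),
                "targets": {d for _, d in q},
            })
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"t={a['time']:.2f}s: deauth burst from {a['src']} "
              f"({a['count']} frames within 1s) against {sorted(a['targets'])}")
```

The window and threshold are assumptions to tune per environment; the point of the rule is that the legitimate single deauth at 30 s never trips it while the burst at 60 s does, and the alert carries the station that was knocked off so it can be correlated with the reconnect that follows.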

Once you have the handshake, we're done with the actual wireless part of the attack. In order to recover the authentication key, we have to move on to offline password cracking.

Cracking

While we can use the eponymous aircrack-ng tool for this, it is inefficient and really designed to perform attacks against the RC4 algorithm used by WEP rather than the dictionary attacks we'll be running against WPA2. So we'll use hashcat instead. We'll need to convert the packet capture into a format we can run through hashcat, though.

To do this, install the following tool:

sudo apt-get install hcxtools

Once we have this, we can convert the .cap file captured by airodump into a text hash that can be cracked by hashcat:

hcxpcapngtool [cap file].cap -o [output].txt

Once the hash is converted, we can perform a basic dictionary attack like this:

hashcat -m 22000 [hash].txt [wordlist].txt

If the password is in your list, then you win! Once hashcat goes through the list, you'll have recovered the plaintext password and will be able to authenticate to the victim AP. This is where things get difficult: if the target is using a strong password, it may be impossible to crack the hash.
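Why a strong passphrase is out of reach comes down to how the key is derived and how many candidates there are. The following is an added example, not code from the article: a Python derivation of the WPA2-Personal pairwise master key with the standard PBKDF2-HMAC-SHA1 parameters, checked against the published 802.11 test vector (passphrase "password", SSID "IEEE"), plus a back-of-the-envelope cost estimate. The 500,000 guesses per second figure is an assumed placeholder rate, not a measurement. A cracker such as hashcat additionally derives the transient key and checks the handshake's message integrity code for each PMK; this example stops at the PMK.

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11 standard for WPA/WPA2-Personal
PMK_LEN = 32               # 256-bit pairwise master key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key for WPA/WPA2-Personal.

    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes). The
    SSID acts as the salt, so the same passphrase on a differently named
    network yields a different PMK and precomputed tables only pay off for
    common SSIDs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def hmac_calls_per_guess(iterations: int = PBKDF2_ITERATIONS,
                         dklen: int = PMK_LEN) -> int:
    """HMAC-SHA1 evaluations one candidate passphrase costs. PBKDF2 yields
    20 bytes per block, so a 32-byte key needs two blocks of `iterations`."""
    blocks = -(-dklen // 20)   # ceiling division
    return blocks * iterations


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Wall-clock time to try every candidate at a given cracking rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    # Published 802.11 test vector: passphrase "password", SSID "IEEE"
    print("PMK(password, IEEE)    =", derive_pmk("password", "IEEE").hex())
    print("PMK(password, HomeNet) =", derive_pmk("password", "HomeNet").hex())
    print("HMAC-SHA1 calls per guess:", hmac_calls_per_guess())
    rate = 500_000   # assumed rate, not a benchmark
    for name, space in [("10k-word list", 10_000),
                        ("8 lowercase letters", 26 ** 8),
                        ("12 mixed alphanumerics", 62 ** 12)]:
        years = seconds_to_exhaust(space, rate) / (365 * 24 * 3600)
        print(f"{name:24s} {space:>24,d} candidates  ~{years:.3g} years at {rate:,} guesses/s")
```

The two numbers that matter for a defender are the ones the script prints last: with the iteration count fixed by the standard, the only lever left is the size of the space the passphrase is drawn from, which is why a wordlist hit takes seconds and a random 12-character key does not finish.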

Attacking default keyspaces

Many wireless APs come pre-configured with default "random" passwords. While these are supposed to be random, they tend to follow very predictable keyspace patterns, and can therefore be attacked much more easily than a truly strong password.

This GitHub repository contains a fairly useful list of keyspaces used by various common brands, as well as some dictionaries that can be used to help construct an attack against default passwords.

We'd need to use these lists in tandem to perform these attacks. As an example, let's consider attacking Netgear routers. Netgear default SSIDs will follow a pattern of NETGEARXX, and use a keyspace that looks like adjective + noun + 3 digits.

In order to do this in hashcat with a noun and adjective dictionary, we might do something like this (in combinator mode, -a 1, the first wordlist forms the left half of each candidate, so the adjectives go first to match the pattern):

hashcat -m 22000 -a 1 hash.txt adjectives.txt nouns.txt -k '$[0-9]{3}'

Obviously, we'll need to set things up differently depending on the pattern, but this should give you the gist of what needs to be done. One caveat: -k applies a hashcat rule to the right-hand wordlist, and hashcat rules are not regular expressions, so the bracket expression above will not be accepted as written; check the hashcat documentation for how rules and masks express a digit suffix.
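For a defender, the useful reading of those keyspace lists is as an audit: a PSK that fits a vendor default pattern has the entropy of the pattern, not of its character count. The following is an added example, not code from the article or from the repository it refers to: a matcher and keyspace calculator for the adjective + noun + 3-digit shape, using small constructed word lists (the real dictionaries are far larger; the 2,000-entry sizes in the usage run are illustrative, and the random-string comparison assumes a 62-character alphabet as an upper bound).

```python
import math
import re

# Constructed mini-dictionaries standing in for the much larger adjective and
# noun lists the article refers to; the entries are arbitrary.
ADJECTIVES = ["bright", "quiet", "silky", "wild", "happy", "brisk"]
NOUNS = ["river", "cloud", "forest", "stone", "kite", "wind"]


def match_default_pattern(psk, adjectives=ADJECTIVES, nouns=NOUNS, n_digits=3):
    """Return (adjective, noun, digits) when psk has the shape
    adjective + noun + n_digits decimal digits built from the given lists,
    otherwise None. Matching is case-insensitive."""
    m = re.fullmatch(r"([a-z]+)(\d{%d})" % n_digits, psk.lower())
    if m is None:
        return None
    words, digits = m.groups()
    noun_set = set(nouns)
    for adj in adjectives:
        rest = words[len(adj):]
        if words.startswith(adj) and rest in noun_set:
            return adj, rest, digits
    return None


def pattern_keyspace(n_adjectives, n_nouns, n_digits=3):
    """Candidates needed to exhaust an adjective+noun+digits default scheme."""
    return n_adjectives * n_nouns * 10 ** n_digits


def random_keyspace(length, alphabet_size=62):
    """Candidates for a uniformly random string (62 = a-z, A-Z, 0-9)."""
    return alphabet_size ** length


def entropy_bits(keyspace):
    return math.log2(keyspace)


def audit_psk(psk, adjectives=ADJECTIVES, nouns=NOUNS):
    """Effective entropy of a PSK you administer. If it follows the default
    pattern, the dictionary-sized keyspace is what counts; otherwise the
    random-string figure is an optimistic upper bound."""
    hit = match_default_pattern(psk, adjectives, nouns)
    if hit:
        space = pattern_keyspace(len(adjectives), len(nouns))
        return {"default_pattern": hit, "effective_bits": entropy_bits(space)}
    return {"default_pattern": None,
            "effective_bits": entropy_bits(random_keyspace(len(psk)))}


if __name__ == "__main__":
    for psk in ["brightriver123", "Wildstone007", "correcthorsebattery", "Tr0ub4dor&3xyz"]:
        print(psk, "->", audit_psk(psk))
    # Illustrative real-world sizes: 2,000 adjectives x 2,000 nouns x 1,000 digit
    # combinations versus a random 12-character alphanumeric key.
    default_space = pattern_keyspace(2000, 2000)
    print(f"default scheme: {default_space:,} candidates, {entropy_bits(default_space):.1f} bits")
    print(f"random 12 chars: {random_keyspace(12):,} candidates, {entropy_bits(random_keyspace(12)):.1f} bits")
```

Run against the PSKs you actually deploy, with the vendor's real word lists substituted for the constructed ones, the match result tells you whether a 14-character key is really a roughly 32-bit secret; replacing vendor defaults with a generated passphrase is the fix the numbers argue for.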