[Cracking WPA2 1/2] Capturing the Handshake

How many times did you need to run the capture/deauth command?

  • Once only!

    Votes: 0 0.0%
  • Between two and five times.

    Votes: 2 33.3%
  • Between five and ten times.

    Votes: 0 0.0%
  • Between ten and fifty times.

    Votes: 2 33.3%
  • It didn't work (I was too far from the target)

    Votes: 2 33.3%

  • Total voters
    6

shockli

Contributor
Jan 29, 2016
243
194
111
Hello r4p3 members. This tutorial is going to show you how to hack WiFi (Wireless Fidelity) access points. This tutorial specifically covers capturing the encrypted four-way handshake. You only need to get 3 of the 4 packets that are sent. My next tutorial will cover cracking the handshake.

The Method:

The best way to capture WiFi handshakes on WPA2 is by making the user(s) disconnect and reconnect. When they reconnect you capture their handshakes. As mentioned before, you only need 3 of the 4 packets that are part of the handshake, to be more specific the first two and then either the third or fourth. You can also wait for a user to reconnect if the network is very active instead of removing someone from the network; this might cause less suspicion, but your chances of success are way lower.

Software Required:
Linux: aircrack-ng suite – Should be in your repos.
Windows: aircrack-ng suite – http://www.aircrack-ng.org/downloads.html

Hardware Required:
A compatible WiFi card.

Step one: Identify your target
This means you get the BSSID of the WiFi network you own. Make sure to have exact spelling.

Step Two: Configure Your Hardware
On Linux:
You need to set your WiFi device (usually wlan0, use “airmon” to check) to monitor mode. You can use the following command to do this.
Code:
airmon-ng start wlan0

On Windows:
This is very hard. There is a very limited number of WiFi cards that can work. Do not be surprised if it doesn’t work. If it does you are very lucky (or have done your research and bought the correct hardware). Note: run the same commands as on Linux, just with the correct application name (aircrack-ng.exe <command>) for all commands.
Code:
airmon-ng start wlan0

Step Three: Further Identification of Target
Next you need to get the WiFi BSSID MAC address. You can run the following command to identify the MAC address.
Code:
airodump-ng wlan0

Step Four: Deauthing the User(s) and Capturing the Handshake
This is where the magic happens. You are now going to “kick” the user off their network and then capture the handshake when they automatically reconnect. You can use the following command to do this:
Code:
aireplay-ng --deauth 100 -a AA:BB:CC:DD:EE:11 mon0

Step Five: Repeat Step Four Until Key is Captured
As mentioned in step. You can confirm you have captured the key by looking for “WPA Handshake” in the info section.
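From the defender's side, the burst of deauthentication frames used in step four stands out in a monitor-mode capture: a healthy network produces the occasional deauth when a station leaves, while this method produces dozens in a few seconds, typically addressed to the broadcast address. The Python below is an added example for this thread, not code from the original post or from the aircrack-ng suite. It parses the 802.11 Frame Control field, counts Deauthentication/Disassociation frames per transmitter in a sliding time window and flags any transmitter that reaches a threshold; the frames, MAC addresses (the BSSID echoes the one in the post), reason codes, window and threshold are all constructed for the example. The mitigation on the access-point side is 802.11w Protected Management Frames, which authenticates deauth frames so that spoofed ones are discarded.

```python
"""Spot 802.11 deauthentication floods in a monitor-mode capture.

Added example for this thread, not code from the original post or from
aircrack-ng. Input is raw 802.11 frames (radiotap header already removed)
with a timestamp each; all sample frames, MAC addresses, reason codes and
the threshold below are constructed for the example.
"""
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

MGMT_TYPE = 0            # 802.11 frame type 0 = management
BEACON_SUBTYPE = 8
DISASSOC_SUBTYPE = 10
DEAUTH_SUBTYPE = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def parse_mgmt_frame(frame: bytes) -> Optional[Tuple[int, str, str, str, Optional[int]]]:
    """Return (subtype, addr1, addr2, addr3, reason_code) for a management
    frame, or None for anything else. Frame Control byte 0 packs
    version (bits 0-1), type (bits 2-3) and subtype (bits 4-7)."""
    if len(frame) < 24:                      # minimum management header
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != MGMT_TYPE:
        return None
    subtype = (fc >> 4) & 0xF
    addr1, addr2, addr3 = (mac_str(frame[o:o + 6]) for o in (4, 10, 16))
    reason = None
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]   # 2-byte reason code body
    return subtype, addr1, addr2, addr3, reason


def detect_deauth_flood(frames: Iterable[Tuple[float, bytes]],
                        window: float = 5.0,
                        threshold: int = 10) -> Dict[str, Tuple[int, bool]]:
    """Count deauth/disassoc frames per transmitter (addr2) in a sliding
    time window. Returns {transmitter: (peak_count, saw_broadcast)} for
    every transmitter whose peak count reaches the threshold."""
    events: Dict[str, List[Tuple[float, bool]]] = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None or parsed[0] not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        _, addr1, addr2, _, _ = parsed
        events[addr2].append((ts, addr1 == BROADCAST))

    flagged: Dict[str, Tuple[int, bool]] = {}
    for tx, hits in events.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):           # two-pointer sliding window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[tx] = (peak, any(bcast for _, bcast in hits))
    return flagged


def build_mgmt_frame(subtype: int, addr1: str, addr2: str, addr3: str,
                     body: bytes = b"") -> bytes:
    """Assemble a minimal management frame; only used to construct sample input.
    Header layout: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtrl(2)."""
    frame_control = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    duration, seq_ctrl = b"\x00\x00", b"\x00\x00"
    return (frame_control + duration + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(addr3) + seq_ctrl + body)


AP_BSSID = "aa:bb:cc:dd:ee:11"        # constructed, echoes the address in the post
CLIENT = "02:00:00:00:00:01"          # constructed station address


def sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed capture: one legitimate deauth, a few beacons, then a burst
    of broadcast deauths carrying the AP's address as transmitter."""
    frames = [(0.0, build_mgmt_frame(DEAUTH_SUBTYPE, AP_BSSID, CLIENT, AP_BSSID,
                                     struct.pack("<H", 3)))]   # reason 3: station leaving
    frames += [(1.0 + i * 0.1, build_mgmt_frame(BEACON_SUBTYPE, BROADCAST, AP_BSSID, AP_BSSID))
               for i in range(5)]
    frames += [(10.0 + i * 0.1, build_mgmt_frame(DEAUTH_SUBTYPE, BROADCAST, AP_BSSID, AP_BSSID,
                                                 struct.pack("<H", 7)))   # constructed reason code
               for i in range(20)]
    return frames


if __name__ == "__main__":
    for tx, (peak, bcast) in detect_deauth_flood(sample_capture()).items():
        print(f"deauth flood from {tx}: {peak} frames in window, broadcast={bcast}")
```

Against the constructed capture the single legitimate deauth from the station is ignored and the 20-frame broadcast burst is reported under the AP's address; in a real deployment the frames would come from a monitor-mode pcap, and a wireless IDS would additionally compare the reported transmitter against the genuine AP's radio to confirm spoofing.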
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,028
896
216
I had tried that a while ago and it just wouldn't capture the handshake. Even when I was like 1 meter away from both devices and every conflicting service stopped. I suspected my wifi card. Those were weird times xD
 

shockli

Contributor
Jan 29, 2016
243
194
111
I had tried that a while ago and it just wouldn't capture the handshake. Even when I was like 1 meter away from both devices and every conflicting service stopped. Weird times those were xD
Ah yes, I know that feeling.. I remember building a 1x1x3m tinfoil tunnel from my WiFi router to my laptop to my phone to try it XD
On a more serious note, if you use linux you can modify your WiFi card's TX power to the "legal" limit ;) *cough*1W*cough*
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,028
896
216
Yeah I had done that (iw reg set BO) but it would still not capture the handshake; everything else was just there (well, it was encrypted).
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,028
896
216
Then you either have a special card or your card is not supported at all. Try and run airmon-ng without any argument
 

Laszl0w

Well-Known Member
Oct 10, 2015
217
149
143
It works with live-CD Linux, it doesn't work on virtual computers :D
 

Derp

Retired Staff
Contributor
Apr 30, 2015
933
1,017
217
There's no wlan0 :D
The monitoring interface name differs on different aircrack packages. Older versions of aircrack use wlan0, newer versions use mon0.


@skokk - Great thread. However, personally I don't like this method very much. In my opinion, this method should be a "Last Option".

Instead of wasting processing power, you could set up an EvilTwin attack. Or, if you're really into cracking stuff, at least consider cracking the WPS PIN first (if WPS is enabled) (Besides, if you're lucky the device might be vulnerable to PixieDust)

-Derp
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,028
896
216
EvilTwin is more and more difficult with new versions of Windows, for example, which check some attributes of your access point. But still it can be great against clueless people :D
 

Derp

Retired Staff
Contributor
Apr 30, 2015
933
1,017
217
I had tried that a while ago and it just wouldn't capture the handshake. Even when I was like 1 meter away from both devices and every conflicting service stopped. I suspected my wifi card. Those were weird times xD
In some cases, running services may interfere. In that case, "airmon-ng check" would come in handy.
 

shockli

Contributor
Jan 29, 2016
243
194
111
The monitoring interface name differs on different aircrack packages. Older versions of aircrack use wlan0, newer versions use mon0.


@skokk - Great thread. However, personally I don't like this method very much. In my opinion, this method should be a "Last Option".

Instead of wasting processing power, you could set up an EvilTwin attack. Or, if you're really into cracking stuff, at least consider cracking the WPS PIN first (if WPS is enabled) (Besides, if you're lucky the device might be vulnerable to PixieDust)

-Derp
Thanks! EvilTwin is also probably the easiest/best solution. I might create a post sometime in the future showing how to use it and also a MANA attack.
 

Derp

Retired Staff
Contributor
Apr 30, 2015
933
1,017
217
Thanks! EvilTwin is also probably the easiest/best solution. I might create a post sometime in the future showing how to use it and also a MANA attack.
Thank you for bringing up Mana :)

Wifiphisher is also good. It has fewer features but it does what it says ;)
 

shockli

Contributor
Jan 29, 2016
243
194
111
Thank you for bringing up Mana :)

Wifiphisher is also good. It has fewer features but it does what it says ;)
Yes. I have had quite a few interesting conversations with the guys that made Sensepost's Mana attack :)
 

kingston

Contributor
Feb 10, 2016
243
151
128
This thread makes me feel like I want to try it. I'm surrounded by several nice networks and they are all WPA2 protected. Until today I thought that cracking WPA2 takes a whole lot of time and computing power to succeed.

Is there any particular Wi-Fi card that you recommend for this kind of stuff? I mean fully compatible, etc. This is partially covered e.g. in this article, but still I don't think we have to stick to one of these only?

http://www.inkthat.info/kali-backtrack-wireless-adapters/top-kali-linux-usb-wireless-adapters/

What I noticed at once is that dongles significantly differ in operating power. Having 1 watt or 2 watts makes a lot of difference for sure. I bet that generic ones don't even offer half a watt. Still not sure about the best chipset available and what else to look at when choosing a card.

After doing some quick research I learned the most important things to look at when choosing the right card: monitor mode, packet injection, radiated power 1000mW minimum (EIRP), upgradable antenna (9dBi recommended and 5dBi minimum).

It is very important to check the chipset before ordering the card, e.g. popular and cheap RTL8188EUS and RTL8188CUS are useless.
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,028
896
216
Having 1 watt or 2 watts makes a lot of difference for sure
This is not the most important part for capturing handshakes. You need to care about RX sensitivity :)

Also you can try with what you already have in terms of wifi cards / chip as many are already compatible :D
(for example my laptop has an integrated chip that is really good)
 

kingston

Contributor
Feb 10, 2016
243
151
128
I have been studying the subject all day long and from what I found out, TX seems also very important. Without enough TX and nice RX you might be able to monitor but not to inject packets, which seems crucial for the success. For this reason integrated cards are not so good unless you are relatively close to the target, compared to what you could do having more TX.

In my particular case I can see 18 different networks, of which only 3 are strong enough to play with. The rest is out of my reach. I'm quite sure that things could drastically change with a proper card. I will most likely decide on Alfa, but this is quite scary as there are many fakes on the market.

I have also learned that gathering the handshake is just the beginning and it gets worse after, as you basically need to brute-force unless you are lucky enough to crack some WPS (much less brute force), but in my case there are mostly TP-Link and Cisco routers around and they are barely crackable this way :/

Cracking a silly 5-character password may take up to 1 week with average hardware and a few days at least with a GPU. Unless the password is really stupid. But in case of longer passwords or more complicated ones... you would need a cluster of GPUs to compute that in a reasonable time. Which has been done by someone already to crack Windows passwords (a 25-GPU cluster able to brute-force any password of up to 8 characters in just 6 hours).

Just my 3 cents after day one. Please correct me wherever I went wrong - very noob to this :D
 

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,028
896
216
Indeed without injecting capability you become very limited :p
That can also depend on how the chip's antenna is made. Mine runs around the screen which is very good :D plus the additional power (1W)
 

shockli

Contributor
Jan 29, 2016
243
194
111
I have been studying the subject all day long and from what I found out, TX seems also very important. Without enough TX and nice RX you might be able to monitor but not to inject packets, which seems crucial for the success. For this reason integrated cards are not so good unless you are relatively close to the target, compared to what you could do having more TX.

In my particular case I can see 18 different networks, of which only 3 are strong enough to play with. The rest is out of my reach. I'm quite sure that things could drastically change with a proper card. I will most likely decide on Alfa, but this is quite scary as there are many fakes on the market.
Also try to invest in a good 2.4 GHz grid. Many WISPs over here are throwing theirs away or selling them cheap because they are moving to 5.8 GHz
 

onerodz

Member
Feb 9, 2016
24
3
38
OK, capturing the HANDSHAKE is done... but you know the HANDSHAKE can only be cracked using brute force... using a text library... I use a 1 TB txt library and after 4 days I did not get the pass.
 