Capture a WPA Handshake Passively in Aircrack-ng


Introduction

In this lab, you will learn the fundamentals of capturing a WPA/WPA2 handshake using the Aircrack-ng suite of tools. The WPA handshake is a four-way EAPOL message exchange between a client device and a wireless Access Point (AP) in which both sides prove they know the network's pre-shared key and derive the session keys that protect the client's traffic. Capturing this handshake is the first step in testing the strength of a Wi-Fi password.

We will focus on a "passive" capture method. This means we will not actively disrupt the network or force clients to disconnect. Instead, we will simply listen to the airwaves and wait for a client to connect or reconnect to the target AP naturally. This is a stealthier approach to wireless security auditing.

You will use airmon-ng to enable monitor mode on a wireless interface and airodump-ng to capture the network traffic. By the end of this lab, you will have a capture file containing a valid WPA handshake, and you will know how to verify its contents.

Target a Specific AP with airodump-ng using --bssid and --channel

In this step, you will prepare your wireless interface for capturing packets and then start listening for traffic from a specific Access Point (AP).

First, you need to put your wireless interface into "monitor mode." This mode allows the network card to listen to all Wi-Fi traffic in the air, not just traffic addressed to it. We will use the airmon-ng tool for this. Our simulated wireless interface is named wlan0.

Execute the following command in your terminal to start monitor mode:

sudo airmon-ng start wlan0

You should see output indicating that monitor mode has been enabled. The new monitor interface will likely be named wlan0mon.

PHY     Interface       Driver          Chipset

phy0    wlan0           mac80211_hwsim  Software simulator
                (monitor mode enabled on wlan0mon)

Now that monitor mode is active, you can use airodump-ng to start capturing. To avoid capturing unnecessary traffic from all nearby networks, we will target a specific AP. For this lab, we will use a simulated AP with the following details:

  • BSSID (MAC Address): 00:11:22:33:44:55
  • Channel: 6

Use the --bssid and --channel flags to focus airodump-ng on our target. Run this command:

sudo airodump-ng --bssid 00:11:22:33:44:55 --channel 6 wlan0mon

Your terminal will now show the airodump-ng interface, displaying information about the target AP. Leave this command running and proceed to the next step.

CH  6 ][ Elapsed: 0 s ][ 2023-10-27 10:00

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:11:22:33:44:55  -30       10        0    0   6  54e  WPA2 CCMP   PSK  TestAP

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

Write the Capture to a .cap File using -w

In the previous step, airodump-ng was only displaying live traffic on the screen. To perform any analysis later, you need to save the captured packets to a file.

First, stop the running airodump-ng command by pressing Ctrl+C in its terminal.

Now, you will run the same command again, but with the addition of the -w (write) flag. This flag tells airodump-ng to write the captured packets to a file. You specify a filename prefix, and airodump-ng will create several files with that prefix, the most important one ending in .cap.

Let's use passive_capture as our filename prefix. Execute the following command:

sudo airodump-ng --bssid 00:11:22:33:44:55 --channel 6 -w passive_capture wlan0mon

The output on your screen will look identical to the previous step, but now all the raw packet data is being saved to files in your current directory (~/project). The primary file will be named passive_capture-01.cap.

Keep this command running as we move to the next step, where we'll wait for the crucial handshake to occur.

Wait for a Client to Connect or Reconnect Naturally

In this step, you will learn about the conditions required to capture a WPA handshake. With airodump-ng running and saving to a file, your setup is ready. Now, you just need the handshake to happen.

A WPA handshake occurs only when a client device authenticates with the Access Point. In a passive capture scenario, this means you must wait for one of two events:

  1. A new client connects to the AP.
  2. An existing client disconnects and then reconnects to the AP.

This process requires patience, as you have no control over when these events occur. In an active attack (not covered in this lab), you would use another tool like aireplay-ng to force a client to disconnect, prompting it to reconnect immediately and generate a handshake on demand.

For this lab, we will simulate this waiting period. A client will automatically connect to the "TestAP" network in our simulated environment. You do not need to run any commands in this step. Simply continue to observe the airodump-ng output in your terminal.

Identify the 'WPA handshake' Message in the Output

In this step, you will see the confirmation that you have successfully captured the WPA handshake.

After waiting for a short period, the simulated client has connected to the AP. When airodump-ng successfully captures the four-way handshake packets, it will display a confirmation message in the top-right corner of its display.

Look at your airodump-ng terminal window. You should now see two important changes:

  1. A message WPA handshake: 00:11:22:33:44:55 has appeared.
  2. A new entry has appeared in the lower section, representing the client device that just connected.

The output will look similar to this:

CH  6 ][ Elapsed: 45 s ][ 2023-10-27 10:05 ][ WPA handshake: 00:11:22:33:44:55

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:11:22:33:44:55  -30       55       20    1   6  54e  WPA2 CCMP   PSK  TestAP

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -40   54-54      0        20

This "WPA handshake" message is your signal that you have captured the data you need. You can now stop the capture process.

Stop the Capture and Verify the .cap File

In this final step, you will stop the packet capture and use aircrack-ng to verify that the handshake is present and valid within your capture file.

Since you've seen the "WPA handshake" message, you can now stop airodump-ng. Press Ctrl+C in the terminal where it is running.

Now, list the files in your current directory to see the files created by airodump-ng.

ls -l

You should see your capture files. The most important one is passive_capture-01.cap.

-rw-r--r-- 1 root root 1234 Oct 27 10:06 passive_capture-01.cap
-rw-r--r-- 1 root root 5678 Oct 27 10:06 passive_capture-01.csv
...

To confirm that the .cap file actually contains a usable handshake, you can check it with aircrack-ng itself. Simply run aircrack-ng and point it to your .cap file.

aircrack-ng passive_capture-01.cap

Aircrack-ng will analyze the file and report what it finds. The key piece of information to look for is (1 handshake). This confirms the file contains a complete, crackable WPA handshake for the target network.

Opening passive_capture-01.cap
Read 1500 packets.

   ##  BSSID              ESSID                     Encryption

   1  00:11:22:33:44:55  TestAP                    WPA (1 handshake)

Choosing first network as target.

You have now successfully and passively captured a WPA handshake and verified that the capture file contains it.
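The four EAPOL-Key messages behind the "WPA handshake" banner and the aircrack-ng "(1 handshake)" check can be inspected directly. The following Python is an added example, not Aircrack-ng code or part of this lab: it classifies EAPOL-Key frames by their Key Information flags, keeps only those for the lab's BSSID (as --bssid does), and applies a simplified version of the check, requiring M2 plus M1 or M3 so that both nonces are present. The frames it runs on are constructed inside the block rather than read from passive_capture-01.cap.

```python
# Added example, not Aircrack-ng code: classify EAPOL-Key frames for one BSSID and decide
# whether a usable 4-way handshake is present.
import struct

LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP header, EtherType 0x888E
AP = bytes.fromhex("001122334455")    # BSSID used in the lab
STA = bytes.fromhex("aabbccddeeff")   # client shown in the lab's airodump-ng output

def parse_eapol_key(frame):
    """Return (bssid, key_info) if frame is an 802.11 data frame carrying EAPOL-Key, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2:        # frame type 2 = data
        return None
    fc = frame[0] | (frame[1] << 8)
    to_ds, from_ds, qos = fc & 0x100, fc & 0x200, fc & 0x80   # DS flags, QoS-data subtype bit
    hdr = 24 + (6 if to_ds and from_ds else 0) + (2 if qos else 0)
    bssid = frame[10:16] if from_ds else frame[4:10]          # addr2 (FromDS) / addr1 (ToDS)
    body = frame[hdr:]
    if not body.startswith(LLC_SNAP_EAPOL) or len(body) < 15 or body[9] != 3:
        return None                                           # EAPOL packet type 3 = Key
    return bssid, struct.unpack(">H", body[13:15])[0]         # Key Information field

def message_number(key_info):
    """Key Information flags -> message 1-4: M1 ACK only (ANonce), M2 MIC (SNonce),
    M3 ACK+MIC+Install (ANonce, GTK), M4 MIC+Secure (confirmation). Usual heuristic."""
    ack, mic = key_info & 0x0080, key_info & 0x0100
    install, secure = key_info & 0x0040, key_info & 0x0200
    for n, cond in ((1, ack and not mic), (2, mic and not ack and not secure),
                    (3, ack and mic and install), (4, mic and not ack and secure)):
        if cond:
            return n
    return None

def handshake_messages(frames, bssid):
    """Handshake message numbers seen for bssid (the frames a --bssid filter keeps)."""
    parsed = [p for p in map(parse_eapol_key, frames) if p and p[0] == bssid]
    return {message_number(k) for _, k in parsed} - {None}

def has_usable_handshake(frames, bssid):
    """PTK derivation needs SNonce (M2) and ANonce (M1 or M3); M2 also supplies a MIC."""
    seen = handshake_messages(frames, bssid)
    return 2 in seen and (1 in seen or 3 in seen)

def build_eapol_key(key_info, from_ap):
    """Constructed test frame: 24-byte 802.11 header, LLC/SNAP, EAPOL-Key with zeroed fields."""
    fc, a1, a2, a3 = (b"\x08\x02", STA, AP, AP) if from_ap else (b"\x08\x01", AP, STA, AP)
    key = b"\x02" + struct.pack(">H", key_info) + b"\x00\x10" + bytes(90)  # descriptor 2 = RSN
    return (fc + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + LLC_SNAP_EAPOL
            + b"\x02\x03" + struct.pack(">H", len(key)) + key)

M1, M2, M3, M4 = 0x008a, 0x010a, 0x13ca, 0x030a     # typical WPA2 Key Information values
CAPTURE = [build_eapol_key(k, ap) for k, ap in ((M1, True), (M2, False), (M3, True), (M4, False))]
```

Run handshake_messages(CAPTURE, AP) and has_usable_handshake(CAPTURE, AP) to see the full set {1, 2, 3, 4} and the verdict; dropping frames from CAPTURE shows which partial captures still suffice.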

Summary

In this lab, you have successfully performed a passive capture of a WPA/WPA2 handshake, a fundamental skill in wireless network security auditing.

You learned how to:

  • Enable monitor mode on a wireless interface using sudo airmon-ng start wlan0.
  • Use airodump-ng to target a specific AP with the --bssid and --channel flags.
  • Save the captured network traffic to a file using the -w flag.
  • Recognize the "WPA handshake" confirmation message in the airodump-ng output.
  • Use aircrack-ng to analyze a capture file and verify the presence of a valid handshake.

The capture file you generated, passive_capture-01.cap, now contains all the necessary information to attempt a password-cracking attack (e.g., a dictionary attack), which is the logical next step in a full security assessment. Congratulations on completing this lab!