Introduction
In wireless network security, capturing a WPA/WPA2 4-way handshake is the prerequisite for an offline attack on a network's pre-shared key: the handshake carries the nonces and the message integrity code (MIC) that let a tool test candidate passphrases. Before dedicating significant computational resources to a cracking attempt, verify that your capture file actually contains a complete and valid handshake. An incomplete or missing handshake makes any cracking attempt futile, no matter how good the wordlist is.
This lab guides you through using aircrack-ng, the cracking tool of the Aircrack-ng suite, to inspect a capture file (.cap) and confirm the presence of a valid handshake before you spend any time cracking.
Locate the Captured .cap File in the Fluxion Directory
In this step, you will navigate to the directory where captured handshake files are typically stored and list its contents. For this lab, we have prepared a sample directory structure mimicking the fluxion tool's output.
First, change your current directory to the handshakes folder located at ~/project/fluxion/attacks/handshakes. Use the cd (change directory) command:
cd ~/project/fluxion/attacks/handshakes
Now that you are in the correct directory, use the ls -l command to list the files and their details. This will help you confirm the presence of the capture files we will be working with.
ls -l
You should see the following output, which includes wpa.cap (our valid handshake file) and invalid_handshake.cap (our empty file for comparison).
total 4
-rw-r--r-- 1 labex labex 0 Jan 01 12:00 invalid_handshake.cap
-rw-r--r-- 1 labex labex 3385 Jan 01 12:00 wpa.cap
Open a New Terminal Window
In a real-world capture you would typically have one terminal running airodump-ng, which writes the traffic to the .cap file, and a second terminal for other tasks such as this verification. For this lab, we continue in the same terminal to keep things simple. The purpose of this step is only to make sure you are in the right place for the verification command that follows.
No commands are needed for this step. Just ensure your terminal prompt is ready in the ~/project/fluxion/attacks/handshakes directory. We are now prepared to use aircrack-ng.
Run the 'aircrack-ng' Command on the .cap File
In this step, you will run the aircrack-ng command on the wpa.cap file. This command will analyze the file and report on its contents, including whether a valid handshake is present.
Execute the following command in your terminal. This tells aircrack-ng to process the wpa.cap file.
aircrack-ng wpa.cap
After running the command, aircrack-ng will display information about the capture file. The output will look similar to this:
Opening wpa.cap
Read 43 packets.
   #  BSSID              ESSID                     Encryption
   1  00:14:6C:7E:40:80  teddy                     WPA (1 handshake)
Choosing first network as target.
Opening wpa.cap
Reading packets, please wait...
The key piece of information here is WPA (1 handshake); we will analyze it in the next step. Because no wordlist was supplied with -w, aircrack-ng cannot go on to crack anything: after "Reading packets, please wait..." it reports that a dictionary is required (Please specify a dictionary (option -w).) and exits. If your version instead pauses at that point, press Ctrl+C to return to the terminal prompt. Either way, the summary line above is all you need for verification.
Analyze the Output for '1 handshake' Confirmation
In this step, we will focus on interpreting the output from the previous command. As you saw, aircrack-ng provided a summary of the access points found in the capture file.
Let's look at the crucial line again:
1 00:14:6C:7E:40:80 teddy WPA (1 handshake)
The text (1 handshake) is the confirmation you are looking for. It tells you that aircrack-ng has found, for the BSSID 00:14:6C:7E:40:80 with ESSID teddy, one client whose EAPOL exchange contains enough of the WPA 4-way handshake to test passphrases against. Note that "enough" does not mean all four messages were captured: message 2 (the client's SNonce and MIC) together with an ANonce from message 1 or message 3 is sufficient. If several clients authenticated during the capture, the count is higher, for example (2 handshake); the number is a count of usable client handshakes for that network, not a quality score.
This confirmation means the wpa.cap file is valid and can be used for a password cracking attempt. If this message were not present, or if it said (0 handshake), any cracking attempt would fail.
Understand the Difference Between a Valid and Invalid Handshake
To fully understand the importance of verification, let's see what happens when you run aircrack-ng on a file that does not contain a handshake. We have an empty file named invalid_handshake.cap for this purpose.
Run aircrack-ng on this file:
aircrack-ng invalid_handshake.cap
The output will be very different. Since the file is empty and contains no network traffic, aircrack-ng will report that it found no data.
Opening invalid_handshake.cap
Read 0 packets.
No networks found, exiting.
If the file had contained traffic for a network but no complete handshake for it (for example only message 1, because the client never answered or the capture was stopped too early), the summary would still list the network, with WPA (0 handshake) in the Encryption column. The key takeaway is that without a non-zero handshake count, the capture is not viable for cracking, and you should go back and capture again rather than start a dictionary attack. This simple check saves you from wasting time and resources on an unusable file.
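To make the "(1 handshake)" check less of a black box, here is an added example written for this page (it is not aircrack-ng's code, and its output is not aircrack-ng's output) that reimplements the idea behind that summary in plain Python with only the standard library. It walks a classic pcap file, picks out 802.11 data frames carrying EAPOL-Key messages, classifies each as message 1 to 4 from the Key Information flags, groups them per (BSSID, station) pair, and counts a pair as a usable handshake only when message 2 is present together with a message 1 whose replay counter matches or a message 3 with the next counter, so frames from different authentication attempts are not mixed. It also reproduces the empty-file case from the lab ("Read 0 packets"). Assumptions: the file is a classic pcap with link type 105 (raw 802.11, as used by wpa.cap); captures with a radiotap header are rejected with an error rather than parsed. The sample captures at the bottom are constructed in code, not taken from wpa.cap; the AP MAC is the one from the lab output and the station MAC 02:00:00:00:00:01 is a locally administered placeholder. The pairing rule is a reconstruction of aircrack-ng's approach, not a copy of it.

```python
import struct

LINKTYPE_IEEE802_11 = 105                    # plain 802.11 frames, no radiotap
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"
KEY_ACK, KEY_MIC = 0x0080, 0x0100            # EAPOL-Key "Key Information" bits


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02X}" for b in mac)


def parse_pcap(data: bytes):
    """Yield link-layer frames from a classic pcap; an empty file yields nothing."""
    if len(data) < 24:
        return                               # no global header: 'Read 0 packets'
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_IEEE802_11:
        raise ValueError("unsupported link type (expected 105 / IEEE802_11)")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def parse_eapol_key(frame: bytes):
    """Return (bssid, station, msg_no, replay_counter) for an 802.11 data frame
    carrying an EAPOL-Key message, or None for any other frame."""
    if len(frame) < 24 or ((frame[0] >> 2) & 0x3) != 2:
        return None                          # not a data frame
    to_ds, from_ds = frame[1] & 0x01, frame[1] & 0x02
    if to_ds and not from_ds:                # station -> AP: BSSID is addr1
        bssid, station = frame[4:10], frame[10:16]
    elif from_ds and not to_ds:              # AP -> station: BSSID is addr2
        bssid, station = frame[10:16], frame[4:10]
    else:
        return None
    hdr_len = 26 if frame[0] & 0x80 else 24  # QoS data adds a 2-byte QoS field
    if (frame[hdr_len:hdr_len + 8] != LLC_SNAP_EAPOL
            or frame[hdr_len + 9:hdr_len + 10] != b"\x03"   # EAPOL type 3 = Key
            or len(frame) < hdr_len + 12 + 95):             # fixed EAPOL-Key body
        return None
    body = frame[hdr_len + 12:]              # past LLC/SNAP (8) + EAPOL header (4)
    key_info = struct.unpack(">H", body[1:3])[0]
    replay = struct.unpack(">Q", body[5:13])[0]
    key_data_len = struct.unpack(">H", body[93:95])[0]
    ack, mic = bool(key_info & KEY_ACK), bool(key_info & KEY_MIC)
    if not (ack or mic):
        return None
    # M1: Ack only.  M3: Ack+MIC.  M2: MIC with key data (RSN IE).  M4: MIC, no key data.
    msg = 1 if ack and not mic else 3 if ack else 2 if key_data_len else 4
    return bssid, station, msg, replay


def handshake_summary(data: bytes):
    """Return (packets_read, {bssid: handshakes}), the facts behind aircrack-ng's
    'Read N packets' and 'WPA (N handshake)'. A (BSSID, station) pair counts only
    with M2 plus an M1 of equal replay counter or an M3 with the next counter."""
    seen, packets = {}, 0
    for frame in parse_pcap(data):
        packets += 1
        parsed = parse_eapol_key(frame)
        if parsed:
            bssid, station, msg, replay = parsed
            seen.setdefault((bssid, station), {})[msg] = replay
    per_bssid = {}
    for (bssid, _), m in seen.items():
        ok = 2 in m and (m.get(1) == m[2] or m.get(3) == m[2] + 1)
        per_bssid[mac_str(bssid)] = per_bssid.get(mac_str(bssid), 0) + int(ok)
    return packets, per_bssid


# Constructed sample captures (not wpa.cap). The AP MAC is the one from the lab
# output; the station MAC is a locally administered placeholder.
AP, STA = bytes.fromhex("00146C7E4080"), bytes.fromhex("020000000001")
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def eapol_key_frame(from_ap: bool, key_info: int, replay: int, key_data: bytes = b"") -> bytes:
    """Minimal non-QoS 802.11 data frame carrying one EAPOL-Key message."""
    a1, a2 = (STA, AP) if from_ap else (AP, STA)
    hdr = bytes([0x08, 0x02 if from_ap else 0x01, 0, 0]) + a1 + a2 + AP + b"\x00\x00"
    body = (b"\x02" + struct.pack(">HHQ", key_info, 16, replay) + b"\x11" * 32
            + b"\x00" * 32 + b"\x22" * 16 + struct.pack(">H", len(key_data)) + key_data)
    return hdr + LLC_SNAP_EAPOL + b"\x02\x03" + struct.pack(">H", len(body)) + body


def pcap_file(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


FULL_HANDSHAKE = pcap_file([eapol_key_frame(True, 0x008A, 1),                # M1
                            eapol_key_frame(False, 0x010A, 1, RSN_IE),       # M2
                            eapol_key_frame(True, 0x13CA, 2, b"\xAA" * 56),  # M3
                            eapol_key_frame(False, 0x030A, 2)])              # M4
M1_ONLY = pcap_file([eapol_key_frame(True, 0x008A, 7)])      # client never replied
STALE_MIX = pcap_file([eapol_key_frame(True, 0x008A, 9),     # M1 of a later attempt
                       eapol_key_frame(False, 0x010A, 1, RSN_IE)])  # old M2
EMPTY = b""                                                  # invalid_handshake.cap

if __name__ == "__main__":
    for name, cap in [("wpa-like", FULL_HANDSHAKE), ("m1-only", M1_ONLY), ("stale-mix", STALE_MIX), ("empty", EMPTY)]:
        print(name, handshake_summary(cap))
```

Running the module prints one line per constructed capture: the full exchange yields one handshake for 00:14:6C:7E:40:80, the M1-only and stale-mix captures yield zero (the analogue of WPA (0 handshake)), and the empty capture yields zero packets and no networks. To try it on a real file, read it with open(path, "rb").read() and pass the bytes to handshake_summary; a file with radiotap headers (link type 127) raises ValueError here and would need the radiotap header stripped first.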
Summary
In this lab, you have learned the critical process of verifying a WPA/WPA2 handshake within a capture file. You successfully used the aircrack-ng command to inspect a .cap file, identified the (1 handshake) message that confirms a valid capture, and observed the difference in output when analyzing an invalid file. This fundamental skill is essential for any work in wireless network security, ensuring that your cracking efforts are based on viable data.
