Capture the 4-Way Handshake

Theoretical background

In the WPA/WPA2 section of this book, we learned about the authentication flow and the 4-Way handshake that takes place between the access point and the client to generate the PTK used to encrypt data. With that background, we now have a better understanding of how capturing the 4-Way handshake can be used by an attacker to retrieve the Wi-Fi passphrase.

Indeed, eavesdropping on a 4-Way handshake exchange gives an attacker the information needed to recreate the PTK (ANonce, SNonce, access point and client MAC addresses). Only the PMK is still missing to recreate the PTK, and the PMK can be derived from the correct passphrase.

An attacker can determine whether a candidate passphrase is correct by running a dictionary attack: the MIC computed from the calculated PTK is compared with the MIC found in the captured 4-Way handshake. If both MICs match, the calculated PTK was correct, and therefore the PMK and the passphrase were correct too.

To perform a dictionary attack and retrieve the passphrase, not all 4 packets of the 4-Way Handshake necessarily need to be collected. At a minimum, we need the 2nd packet, containing the SNonce (supplicant nonce), and the 1st or 3rd packet, containing the ANonce (access point nonce).

wifite2

Wifite2 is a handy tool that can perform various attacks on wireless networks configured with WEP or WPA/WPA2-PSK. The advantage of this tool is that it automates the process of monitoring the available networks in the perimeter, capturing the 4-way handshake, and then cracking the key.

  • PMKID attack

  • Capture 4-way handshake

  • WPS attacks

Requires the entire aircrack-ng suite to be installed.

--no-pmkid: do not perform the PMKID attack.

--pmkid: only perform the PMKID attack.

Cracking the hash online

Wifite2 allows attackers to crack the keys without using any other tool. Wifite performs an online dictionary attack, since a list of keys is tried directly against the AP in an attempt to authenticate to the network.

The image below shows that wifite found several wireless networks in the perimeter. One user seems connected to the EvilCorp network.

Cracking the hash offline

It is also possible to crack the key offline using Hashcat. Offline cracking, unlike online cracking, does not require the attacker to interact directly with the system (the AP) to retrieve the needed information.

1. Capture the 4-way handshake

wifite -i <interface_in_monitor_mode>

If a 4-way handshake is captured, the .cap file found in the /hs directory must be converted into a format hashcat can understand, using hcxpcapngtool.

2. Convert the 4-way handshake .cap file

hcxpcapngtool -o <output_file_name> <4_way_handshake.cap>
hcxpcapngtool -o wifi-hashcat handshake-MonPrecieux.cap

3. Crack the hash offline using hashcat

To crack these hash formats:

WPA*01*PMKID*MAC_AP*MAC_CLIENT*ESSID*** # corresponds to the PMKID hash
WPA*02*MIC*MAC_AP*MAC_CLIENT*ESSID*NONCE_AP*EAPOL_CLIENT*MESSAGEPAIR # corresponds to the 4-way handshake (EAPOL) hash, used to recover the PMK

Use mode 22000 (-m 22000) in Hashcat:

.\hashcat.exe -m 22000 --force .\tocrack.txt .\wordlist_test.txt

Using airodump and aireplay

Monitoring all wireless networks available, we can see that the targeted NewGenAirways network is running on channel 6. The image also shows that a wireless device is connected to the targeted wireless network with the BSSID B8:0D:F7:D5:79:F7. We want to capture the handshake of a client connecting to this network in order to retrieve the key.

First of all, we lock airodump-ng on channel 6 and write its output to a file that will contain the captured handshake. This step is done with the command below, with wlan0 in monitor mode.

airodump-ng wlan0 -c 6 --write NewGenAirways-capture

We are now ready to perform a deauthentication attack in another terminal.

Performing a deauth attack

The main goal of the deauth attack is to force the clients to disconnect from the targeted access point and to reconnect. This allows the attackers to capture the 4-way handshake.

The command below sends 50 deauthentication packets to the AP with the BSSID B8:0D:F7:D5:79:F7.

-0: to specify deauthentication attack

-a: to specify the BSSID of the targeted access point

-c: to specify the MAC address of the targeted supplicant (broadcast if not specified)

--ignore-negative-one: this flag is sometimes needed

aireplay-ng -0 50 wlan0 -a B8:0D:F7:D5:79:F7

The handshake will be captured by airodump-ng.
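From the defender's side, the burst of deauthentication frames described above is easy to spot in monitor-mode captures. The following detector is an added example, not part of the original page: it consumes constructed 802.11 management-frame records (timestamp, type, subtype, BSSID, as a wireless sensor or WIDS would log them) and flags any BSSID that receives more deauthentication frames than a threshold within a sliding time window.

```python
# Added example (not from the original page): sliding-window detector for
# deauthentication floods. Frame records are constructed tuples of
# (timestamp_seconds, frame_type, subtype, bssid), assumed sorted by time.
from collections import defaultdict, deque

# 802.11 management frame (type 0) subtype 12 is Deauthentication.
MGMT_TYPE = 0
DEAUTH_SUBTYPE = 12


def detect_deauth_flood(frames, window_s=2.0, threshold=10):
    """Return {bssid: peak_count} for every BSSID whose number of
    deauthentication frames inside any `window_s`-second window exceeded
    `threshold`. Non-deauth frames (beacons, probes, ...) are ignored."""
    recent = defaultdict(deque)  # bssid -> timestamps of recent deauth frames
    alerts = {}
    for ts, ftype, subtype, bssid in frames:
        if ftype != MGMT_TYPE or subtype != DEAUTH_SUBTYPE:
            continue
        q = recent[bssid]
        q.append(ts)
        # Evict timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold:
            alerts[bssid] = max(alerts.get(bssid, 0), len(q))
    return alerts


# Constructed sample: one legitimate deauth from a client leaving a network,
# a beacon, then a burst of 50 deauths (as the 50-packet attack above would
# produce) against a constructed BSSID. The MAC addresses are placeholders.
SAMPLE_FRAMES = [(0.0, MGMT_TYPE, DEAUTH_SUBTYPE, "00:11:22:33:44:55")]
SAMPLE_FRAMES += [(9.5, MGMT_TYPE, 8, "AA:BB:CC:DD:EE:01")]  # beacon, ignored
SAMPLE_FRAMES += [(10.0 + i * 0.02, MGMT_TYPE, DEAUTH_SUBTYPE, "AA:BB:CC:DD:EE:01")
                  for i in range(50)]

if __name__ == "__main__":
    for bssid, peak in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"possible deauth flood against {bssid}: {peak} frames in window")
```

Protected Management Frames (802.11w) make the AP and clients discard unauthenticated deauthentication frames, so enabling them removes the trigger this attack relies on.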

We can verify that we captured the 4-way handshake correctly using aircrack-ng on the .cap file.

aircrack-ng NewGenAirways-capture-01.cap

We can now crack the key using aircrack-ng and a list of common passwords.

aircrack-ng -w wordlists/100-common-passwords.txt NewGenAirways-capture-01.cap
