Capturing WPA-PSK handshake

WLAN Hacking – WPA-PSK handshake. The deauth atack with Aireplay-ng -0 wants to disconect the client from Access Point and after reconnecting get by tapping the handshake. But the process fails. Now what? Be aware that there is another (maybe better and easier) way how to get the data for crack WPA. Wireshark is a strong application and the technology that will be described can be used in other ways like for universal sniffing of the net traffic. The process can be combined and you might already know where I am aiming. Combination of Wi-Fi card (chipset Atheros, Prism), drivers with Monitor mode support and promiscuity all together means the possibility of listen in of complete net traffic in the ether.

And you don’t have too be connected to the wireless net. Yes, as a result of this combination is the same thing that can be done by monitoring with Windows application CommView or AiroPeek. Just choose the right sniffing filters and you catch just what you need. At the same time this is the answer to old questions from discussions, from forum and other places where the unsucsesful (interaktive) test to get handshake was being solved.

Catching Handshake – Crack WPA

The process works on drivers hostap, madwifi a madwifi-ng. At first we switch the card into the monitor mode. There exists few methods, application airmon-ng does it with madwifi-ng this way

sudo airmon-ng start wifi0 10

If you use wlanconfig I suggest scratch out the interface at first

sudo wlanconfig ath0 destroy

and then create it again

sudo wlanconfig ath0 create wlandev wifi0 wlanmode monitor

If you want to monitor the only canal by the command

sudo iwconfig ath0 channel 10

set the canal number on which Wireshark is going to listen

Wireshark

Set off the application Wireshark. In the interface configuration unmark (according to original setting) automatical scrolling of catched datas in the main window, MAC translation and hiding referential window (according to your preference). Try to filter the data right from the beginning. Don´t forget that in heavily populated area your sobor will be overfilled shortly by catching all the traffic :) For filtration and displaying WPA autentizations (handshake) in Wireshark use filter

proto=eapol

You are not losing the other data. The filter is only hiding unasked datas. To display them just cancel the filter. The monitoring can be runed for random time and if the interactive technology doesn’t work this will be the only way.

The card can be swithched back into mode managed by command

sudo wlanconfig ath0 create wlandev wifi0 wlanmode managed

Or fully cancel the interface

sudo wlanconfig [int] destroy

Use the passive tapping if the interactive hack with aireplay-ng fails, mdk or you are not sure how to get the handshake from ether. The card on chip Atherosu is rather stable. But if you use MDK it gets stuck time to time, mainly after a longer period :)

Interactive teq – Syntax for Aireplay-ng & MDK

sudo airmon-ng wifi0 start [X]

sudo airodump-ng -c 6 --bssid 00:0A:A2:D0:E6:3A -w soubor ath0

sudo aireplay-ng -0 5 -a 00:0A:A2:D0:E6:3A -c 00:0B:A2:D0:E6:3B ath0

If you are using special exploit tool mdk you can use for example

./mdk3 ath0 m -t 00:3B:A2:D0:E6:3A

I will probably add some pictures.. but the process is so easy that I think it isn’t necessary :) What is going to be added for sure in this text is the key crack by control sum, so don’t forget to check the Airdump.net.

Useful links

Everything about WiFi hacking is detaily described in tutorial Hacking wireless networks, some tricks about sniffing can be found in Capturing and data analysys. How to crack WPA-PSK with alternative way.

Download

All the application for WEP, WPA pentest you can download at download section (download.airdump.net -> DIR software/wep-crack)