Capturing WiFi Handshake with aircrack-ng (Original)
1. Terminate interfering processes
airmon-ng check kill
Disconnect the wireless network card from the AP it is currently connected to before entering monitor mode.
2. Check the name of the wireless network card
ifconfig
For example, wlan0.
3. Enter monitor mode
airmon-ng start wlan0
If successful, running ifconfig will show a new interface named mon0.
4. Scan for nearby WiFi networks
After scanning, the terminal displays two sections: top and bottom. Press the Spacebar to toggle dynamic refresh on/off, press 'a' to adjust the display view, and use the Up/Down arrow keys to select a row for easier viewing.
In the default view:
- Top section: Lists the detected Access Points (APs) and their attributes, such as signal strength, channel, BSSID, ESSID, etc.
- Bottom section: Shows which devices (identified by their MAC address in the STATE column) are connected to the AP (identified by the ESSID).
5. Monitor a specific AP
To execute the following command, you must first stop the scanning from Step 4. This is because scanning continuously switches channels, whereas monitoring a specific AP requires staying on that AP's fixed channel.
Parameter explanation:
- --bssid: the AP to monitor, given as the AP's MAC address
- -c: the channel of that AP
- -w: saves the captured packets to a file named capfile
Important: Selecting the right AP:
In the bottom section of Step 4, you should see both a BSSID and a STATE (MAC address) present. This means you have detected a WiFi BSSID, and that WiFi network has one or more devices connected to it (the STATE column indicates their MAC addresses).
6. Force reconnection to trigger the handshake
| Parameter | Description |
|---|---|
| -0 | Number of deauthentication attacks |
| -a | The WiFi's BSSID |
| -c | The MAC address of the phone connected to this WiFi |
| mon0 | The monitor interface |
This attack will disconnect the phone from the WiFi.
Why capture the handshake?
The handshake contains material derived from the password (not the password itself), which is what offline cracking needs.
The Handshake Process
Assume my phone is connecting to the WiFi. The first time, it will definitely ask for a password:
- Phone: I want to connect to your WiFi.
- WiFi: What is your password?
- Phone: Here is my password.
- WiFi: Checking password... correct: connection established; incorrect: go away.
For a phone and WiFi that have already passed password verification, the data exchanged after connection is just regular internet traffic, which is useless for cracking. You need to capture the handshake packet that contains the password. How do you trigger a handshake for an already verified connection? The fastest way is to kick the phone offline. The phone will then automatically reconnect, or the user will notice the loss of internet and manually reconnect. At that moment, the handshake packet appears. This is why it is important to select a WiFi network that has active devices connected to it for monitoring.
Soon, you will see "WPA handshake: ..." appear at the end of the first line in the terminal from Step 5. If it doesn't appear, repeat the attack after a few minutes.
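The defender-side counterpart to the deauthentication step above, as an added example that is not part of the original tutorial: a minimal detector that parses raw 802.11 management frames and flags a burst of deauth/disassoc frames from one transmitter, which is what a deauth-based handshake trigger looks like on the air. Addresses, timestamps and the frame builder are constructed placeholders; enabling Protected Management Frames (802.11w) on the AP and clients makes forged deauthentication frames fail verification and removes this trigger altogether.

```python
import struct
from collections import defaultdict

DISASSOC, DEAUTH = 10, 12   # IEEE 802.11 management-frame subtypes (type 0)

def parse_mgmt(raw):
    """Parse a raw 802.11 frame (no radiotap); dict for deauth/disassoc, else None."""
    if len(raw) < 26:
        return None
    ftype, subtype = (raw[0] >> 2) & 0x3, raw[0] >> 4
    if ftype != 0 or subtype not in (DISASSOC, DEAUTH):
        return None
    return {
        "subtype": subtype,
        "dst": raw[4:10].hex(":"),     # addr1: receiver
        "src": raw[10:16].hex(":"),    # addr2: transmitter (trivially spoofable)
        "bssid": raw[16:22].hex(":"),  # addr3
        "seq": struct.unpack("<H", raw[22:24])[0] >> 4,
        "reason": struct.unpack("<H", raw[24:26])[0],
    }

def detect_deauth_flood(frames, window=2.0, threshold=5):
    """frames: time-ordered (timestamp_seconds, raw_bytes). One alert per burst
    when a (src, bssid) pair sends > threshold deauth/disassoc frames in a window."""
    recent, alerts = defaultdict(list), []
    for ts, raw in frames:
        f = parse_mgmt(raw)
        if f is None:
            continue
        q = recent[(f["src"], f["bssid"])]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.pop(0)
        if len(q) > threshold:
            alerts.append({"src": f["src"], "bssid": f["bssid"],
                           "count": len(q), "reason": f["reason"], "at": ts})
            q.clear()                     # reset so one burst yields one alert
    return alerts

def _mgmt(subtype, dst, src, bssid, seq, reason):
    # Constructed frame: FC, duration, addr1-3, sequence control, reason code
    return (bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid
            + struct.pack("<H", seq << 4) + struct.pack("<H", reason))

AP = bytes.fromhex("02aabbccddee")   # constructed placeholder BSSID
STA = bytes.fromhex("021122334455")  # constructed placeholder client MAC
# Constructed capture: a lone disassoc, then 8 deauths in 80 ms "from" the AP to the client
SAMPLE = [(-5.0, _mgmt(DISASSOC, STA, AP, AP, 42, 8))]
SAMPLE += [(i * 0.01, _mgmt(DEAUTH, STA, AP, AP, 100 + i, 7)) for i in range(8)]
```

Feed it frames from a monitor-mode capture (radiotap header stripped) and the burst from the AP's own address to a single client stands out, while the single disassociation in the sample does not.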