Capturing a WPA (TKIP) 4-way handshake passively can mean sitting and watching traffic for hours, waiting for a client to connect to the network. Using the aircrack-ng suite, we can instead deauthenticate a client that is already connected and force it to reconnect. While the client re-associates and re-exchanges the WPA key material, you capture the handshake. In short: to force a 4-way handshake, you deauthenticate a client computer that is actively using the network, which makes it redo the WPA key exchange, and you capture the resulting handshake so that it can be attacked offline with a dictionary.

Things you will need in order to complete this exercise:

  • A copy of Linux with the program aircrack-ng installed and wireless drivers patched for injection (I recommend Backtrack-linux since it has all these things already)
  • A compatible wireless card. You can check the Aircrack-ng HCL for compatible cards
  • A wireless access point with WPA/WPA2 PSK encryption
  • Another device or computer connected to the access point


Step 1: Put the interface in monitor mode.
Assuming you are booted up and ready to go, you’ll need to put the interface in monitor mode and get ready to start dumping packets from your target network.

airmon-ng start wlan0

wlan0 is your network interface device:

[screenshot: airmon-ng output]

Step 2: Start capturing traffic from the target access point and prepare to deauthenticate a client.
You need to start capturing all the packets in order to capture a 4-way handshake for the target network. You can tell airodump-ng exactly which channel to listen on, and to filter out all other wireless devices except the one we are attacking. Be sure to leave this window open and running.

airodump-ng -c 6 --bssid 00:1D:7E:64:9A:7C --showack -w capture mon0

Required Airodump Switches:

  • -c specifies the channel to listen on
  • --bssid specifies the target MAC address
  • --showack tells airodump to give verbose ACK related information
  • -w specifies the file to save the handshake to

Example airodump-ng output:

[screenshot: airodump-ng output]

If you do not yet know the BSSID of the target, you can omit the --bssid part of the command to see a list of all access points on the specified channel. At this point, take note of the MAC address (BSSID) of the target access point and the MAC address of the connected client you are going to deauthenticate.

Step 3: Deauthenticate the client who is already connected and force them to exchange the WPA key as they connect.

Open a new terminal and deauthenticate the victim from the target network.

aireplay-ng -0 5 -a 00:1D:7E:64:9A:7C -c 00:25:D3:0B:71:15 mon0

Required Aireplay Switches:

  • -0 5 tells aireplay to inject deauthentication packets. The 5 is the number of deauthentication rounds we wish to send.
  • -a is the wireless access point MAC address
  • -c is the client MAC address.

Example of a deauthentication session:

[screenshot: aireplay-ng deauthentication session]

A successful attack will show ACKs, which indicate that the client connected to the access point has acknowledged the disconnect we just issued. It is possible to send just one deauthentication request, but depending on your distance from the target wireless network, more than one request is sometimes needed.

Step 4: Ensure you have captured the 4-way handshake.
Going back to the airodump-ng terminal, which should still be running and collecting packets, look in the upper right-hand corner for the program's acknowledgment that a WPA handshake has indeed been captured. This can also be verified by running aircrack-ng on the capture file:

aircrack-ng capture-02.cap

Example aircrack-ng output:

[screenshot: aircrack-ng output]
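A defender-side check for the traffic pattern Steps 2 to 4 produce, added here as an example (it is not part of the original post): it decodes 802.11 frames, counts deauthentication frames per station pair and flags an EAPOL handshake that follows a deauth burst, which is what a wireless IDS looks for. The capture is constructed inline (assumed: no radiotap header, no QoS or encryption header), and the AP and client addresses are the example values used in the commands above.

```python
import struct
from collections import defaultdict

EAPOL_ETHERTYPE = 0x888E
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"   # LLC/SNAP header preceding the EtherType

def mac(text):
    """'00:1d:7e:64:9a:7c' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify(raw):
    """Decode the 24-byte 802.11 MAC header (assumes no radiotap, QoS or CCMP
    header) and return (kind, addr1, addr2); kind is 'deauth', 'eapol' or 'other'."""
    fc0, _flags, _dur, a1, a2, _a3, _seq = struct.unpack_from("<BBH6s6s6sH", raw)
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    kind = "other"
    if ftype == 0 and subtype == 12:                     # management / deauthentication
        kind = "deauth"
    elif (ftype == 2 and raw[24:30] == LLC_SNAP
          and struct.unpack_from(">H", raw, 30)[0] == EAPOL_ETHERTYPE):
        kind = "eapol"                                   # data frame carrying EAPOL-Key
    return kind, a1, a2

def detect_forced_handshakes(frames, min_deauths=3, window=10.0):
    """frames: iterable of (timestamp_seconds, raw_frame) in time order.
    Flag an EAPOL exchange between a station pair that was hit by at least
    `min_deauths` deauth frames in the preceding `window` seconds, which is
    the footprint a forced reconnect leaves. Returns a list of alert dicts."""
    deauths = defaultdict(list)                          # {addr1, addr2} -> timestamps
    alerts, seen = [], set()
    for ts, raw in frames:
        kind, a1, a2 = classify(raw)
        pair = frozenset((a1, a2))
        if kind == "deauth":
            deauths[pair].append(ts)
        elif kind == "eapol" and pair not in seen:
            recent = [t for t in deauths[pair] if ts - window <= t <= ts]
            if len(recent) >= min_deauths:
                seen.add(pair)                           # one alert per station pair
                alerts.append({"time": ts, "deauths": len(recent),
                               "stations": sorted(a.hex(":") for a in pair)})
    return alerts

# Constructed sample capture; the AP and client addresses are the tutorial's example values.
def build(fc0, a1, a2, a3, body=b"", flags=0):
    return struct.pack("<BBH6s6s6sH", fc0, flags, 0, a1, a2, a3, 0) + body

AP, CLIENT, OTHER = mac("00:1d:7e:64:9a:7c"), mac("00:25:d3:0b:71:15"), mac("02:00:00:00:00:01")
EAPOL_KEY = LLC_SNAP + b"\x88\x8e" + b"\x02\x03\x00\x00"  # EtherType + minimal EAPOL-Key header
SAMPLE = (
    [(1.0 + i / 10, build(0xC0, CLIENT, AP, AP, b"\x07\x00")) for i in range(5)]  # deauth burst
    + [(3.5, build(0x08, CLIENT, AP, AP, EAPOL_KEY, flags=0x02)),   # handshake msg 1 (From-DS)
       (3.6, build(0x08, AP, CLIENT, AP, EAPOL_KEY, flags=0x01)),   # handshake msg 2 (To-DS)
       (20.0, build(0x08, OTHER, AP, AP, EAPOL_KEY, flags=0x02)),   # benign rekey, no deauths
       (30.0, build(0xC0, OTHER, AP, AP, b"\x03\x00")),             # one stray deauth
       (31.0, build(0x08, OTHER, AP, AP, EAPOL_KEY, flags=0x02))])  # below threshold, no alert

if __name__ == "__main__":
    for alert in detect_forced_handshakes(SAMPLE):
        print(alert)
```

Real captures need the radiotap header stripped and the QoS/encryption headers accounted for before `classify` sees the frame; tune `min_deauths` and `window` to the false-positive rate of your environment.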

Step 5: Upload the handshake to ph33rbot.com
Since running a dictionary attack against a WPA handshake can be a long, drawn-out, CPU-intensive process, Question-Defense has an online WPA password cracker which can be used to test your capture. The process is simple: access the web interface and fill in the required information. You will be charged a small fee of ten dollars to test your capture against a wordlist of around 540 million words, and the results will be returned to you in a few hours via email.

Example of correct upload:

[screenshot: upload form]

35 Responses to “How to Capture a 4 way WPA handshake”
  1. Ismail says:

    Hi,

    Nice work for the step by step instructions, but towards the end is the part quite unacceptable. Why can't we do the WPA password cracker? Why is it that we have to pay 10$..

    Thanks
    Mi2

    [Reply]

    purehate Reply:

    The last step is a service we offer. Services cost money. We have to pay for hardware, bandwidth and electricity, so we charge a small fee of 10 dollars. There is no reason you have to use it; we simply included that in the tutorial as an option for people who do not have the hardware we do or do not want to tie up their machines with this type of work. You can visit the aircrack-ng website for tutorials on how to crack your own handshake. Our service is not mandatory, only an option.

    [Reply]

  2. Submarine says:

    OK. Good service. But I think it will be better if people can see the RESULT, and give you money AFTER a “GREEN” (good) result.

    I mean that first I can see the STATUS (good), and then pay you.

    Sorry for my english.

    [Reply]

  3. macnolias says:

    I’m thinking it’s worth the little money vs. machine strain/electricity cost.

    For example cowpatty in vm with a decent dict file took 3 days for my laptop to get to the letter K and was burning up my laptop.

    It’s a steal compared to the next lowest price on the net!

    [Reply]

    n3xus Reply:

    How come? WPA has at least 7 characters.

    If you use aircrack under your host OS it will be faster. Airodump doesn’t work under Windows for some chips. But aircrack, which is the actual cracking part, works under Windows.

    [Reply]

  4. Jeff says:

    When I key in the command of step 3, it has taken over 1 hour but I can never capture the handshake file. I’m using the RT73 (Ralink 2571) wireless card.
    Hope to get your support.

    [Reply]

  5. anly11 says:

    hi,
    could you provide more details about your wordlist pls? i mean which languages are included inside? cheers

    [Reply]

  6. Mac Cop says:

    You steal, you pay, I come and get you.

    [Reply]

  7. anti mac cop says:

    Mac Cop shut the F*** up we steal not pay and ya do the worse crimes then criminals themselves, but we wear the badge because we are your paycheck, so i want a refund with your wife…

    [Reply]

  8. some-young-guy says:

    aireplay-ng -0 5 -a 00:1D:7E:64:9A:7C -c 00:25:D3:0B:71:15 m I get that the series after -a is the bssid, but what does the second series after -c refer to? Is that a MAC address? Mine or the client’s? With my router being the only WPA in my zone, the 10 WEPs will provide more than ample coverage, but I just would like to perfect this technique for free, so I will have to decline the offer of $10, but thank you for providing such a service.

    For WEP auditing with BackTrack 4;

    To load BT4 after “root@bt” appears type startx

    KONSOLE# -> COMMANDS (examples)
    --------------------------------------------------------------------
    1 -> /etc/init.d/networking start
    1 -> airmon-ng
    1 -> airmon-ng stop [Wireless Card Name WCN] (wlan0)
    1 -> airmon-ng start [WCN]
    1 -> airmon-ng
    1 -> airodump-ng [WCN] (till page fills then hit Ctrl/C)
    1 -> airodump-ng -w wep -c [channel#] --bssid [bssid#] [WCN]

    2 -> aireplay-ng -1 0 -a [bssid#] [WCN]

    3 -> aireplay-ng -3 -b [bssid#] [WCN] (after Konsole#1 shows 30,000 data, hit Ctrl/C)
    3 -> dir
    3 -> aircrack-ng [filename.cap] (usually wep-01.cap)

    Additional notes, never type the brackets [] in any of these commands, Shift/Insert = Paste, I beat my head against the wall for almost 2 weeks with my integrated chips. I suggest getting a USB wifi card. I got an ALFA AWUS036H 802.11 b/g for $40 on Amazon, get one. The above process was done in less than 15 minutes. If you have trouble with this Wifi card during normal PC operations, disable it via

    start/computer/(right click)/properties/device manager/network adapters.

    [Reply]

  9. some-young-guy says:

    Does anyone know the hotkey to Copy? Ctrl/C’s equivalent?

    [Reply]

  10. thewicked1 says:

    Good God!!! What’s up with you people bitchin’ about $10.00? You obviously don’t appreciate the time, effort and cost of providing this service. I will happily pay a measly $10.00 for this service.

    [Reply]

    alex Reply:

    Hello thewicked1,

    Heh. Thanks! We put in a good amount of work to get it going and on top of that it costs us money in electricity, bandwidth, and paying for GPUs that die. Anyway, it is always nice to hear a response like this!

    Thanks.
    alex

    [Reply]

  11. Payahbleh says:

    We don’t mind paying $10, but the thing is that we don’t know that we will get a result for sure. What if we pay you $10 and you could just email us back and say something like “I am sorry, the password is not in the list”? Then what? We pay you for nothing… that means you just ripped us off, dude.

    [Reply]

    purehate Reply:

    We can only give you our word as IT professionals that it is not a scam. I can assure you we have well-paying jobs and are not interested in scamming a few $10.00 here and there. If you really wanted to test it out, then create a capture with an easy password and submit it. Once the password is recovered, then you will know the service is legit. Then you can submit your real capture. If you want to use the service, it’s there for you to use; many people from all over the world use it frequently. I would also imagine that after over a year of being online, if it was a scam people would be warning each other. So to sum it up, there is really no basis for saying we are scammers.

    [Reply]

  12. Anonymous says:

    I think you provide a needed service and your price is very fair given the cost of the GPU’s to do fast brute force attacks. However, I have to agree with the prior commenter that it is doubly disappointing to not only pay the fee, but get no results. Why not simply charge nothing when you cannot find the key, but a little more when you successfully find the key to make the same return on your investment? I know of another service, which I will not post here, that has their price structure that way and it seems more fair because if there is “no recovery” then that may be attributable to the size or quality of your dictionary, etc. I just think you would have a lot less hard feelings in those cases where you don’t find passwords. And you would not have people suspect you of anything like the first poster here. People will only say good things about you and refer business. Personally, I’d much rather pay $20 for a guaranteed result than $10 for no result. Keep up the good work.

    [Reply]

    purehate Reply:

    The price of the hosting and the electricity does not change for us. Running the crack costs us the same amount of time, money and resources whether we find the password or not. So that’s why we charge 10 dollars. If you have found a better service then by all means use it, but as far as I know there is no service that even comes close to the amount of words and success rate that we have. In the two years we have been in business, we have seen many of these types of services come and go; they never last long because what happens is they realize that it costs money to run a service like this. I would love to do it for free but the fact of the matter is we are not going to spend hundreds of dollars a month to provide a free service so that we can be “nice guys”. If you do not like our prices and results we highly encourage you to test out some of the other services and see how far you get.

    [Reply]

  13. kisz says:

    Site isn’t working. I have 10 dollars! Have you got all the combinations with alphanumeric up to 8 digits? I got this WPA2 default code, but if I want to generate the dictionary file it will cost me 490 GB of space and lots of hours to crack it, so I’d rather save some money on this with you!

    [Reply]

    purehate Reply:

    Sorry about the problem. There was a small issue with the uploader but it is now fixed.

    [Reply]

  14. anomynous says:

    Website down?

    [Reply]

  15. anonymous says:

    obviously, since nobody wants to pay $10 for something that uncertain, could you share us the dictionary file pls, thx

    [Reply]

  16. Joshua says:

    Everyone should back off and at least try what Purehate is suggesting. I am 13 but I want to learn how to inject packets, capture 4 way wpa handshakes, (etc) for educational purposes. If all you intend to do is criticize him then just don’t check out this tutorial.

    [Reply]

  17. Musket33 says:

    This is directed to purehate from whom I gained much guidance, wisdom and clarity.

    In cracking WPA we are working on an integrated approach which employs both social engineering and remote viewing to obtain a basic understanding of any key. WPA is an excellent target cypher as the structure of the key is well defined.

    At this time we suggest the following approach which has shown real results.

    Those approaching the WPA problem should first crack as many WEP keys in the area to get an idea of how users select keys. We have found that in over 50% of the cases the key is derived from only one(1) source. This source is totally numeric and easily broken by a crunch-aircrack passthru in BT4R2. A hint of that source can be found below:

    /pentest/passwords/crunch/crunch 10 10 "1234567890" -t 08@@@@@@@@ | aircrack-ng /root/hanshake.cap -e "bssid" -w -

    When we applied this attack to 100% of the handshakes captured we cracked 50% in less than three hours using GTX360 video cards.

    We are designing Remote Viewing sessions to directly attack cyphers. As the WPA structure is well known we are currently designing random pages to be employed in remote viewing sessions to obtain the basics of the bssid’s WPA cypher key. From remote viewing you will obtain 1. the key length, 2. key types, i.e. numeric, numeric-caps etc. (12 variables) and 3. the first three (3) characters of the key. You can then decide whether a pass-thru in crunch or pyrit etc. is practicable with the equipment you have available. For those interested, turn to Ed Dames, learn rvcom. You will find methods to obtain three numbers in a lottery. We think the average person can employ stage three remote viewing to obtain the basics of a key’s structure and then fine tune crunch to obtain the key.

    I will be posting expansions to this theme in further posts.

    SRC – Up All Night

    [Reply]

  18. yodaco says:

    Hi, I’ve been looking into cracking WPA for some time now; I have had great success in cracking WEP. I’ve never found a WEP that Aircrack-ng couldn’t crack in 30-45 seconds with enough packets (as little as 50000 will do the job), but WPA is a whole different ball game. It’s about capturing the 4-way handshake and then poking it till you find the right word. Often it’s entirely impossible due to not having a good enough dictionary or just a plain old lack of patience in most cases. If it’s not any of those then the key is good and can’t be cracked by any workable means.
    But the only WPAs I’ve been able to crack have been my own simple keys that I have set up to crack, knowing the word would be in my dictionary and so on.
    For this reason I would suggest, rather than slating Purehate or asking for his dictionary list, just give the guy $10 bucks and be done with it, because at the end of the day if you’re not getting any joy you either don’t have enough patience or you don’t have the right list. He clearly has more computing power than the average user so it’s more likely he will find your key faster. But always bear in mind that the key has to be crackable to be cracked, so if you pay $10 and don’t get a key, it means that the key is secure. Think about it first: if you’re doing this to find a key you don’t have, you’re probably breaking the law anyway. If you’re doing it for any legitimate reason, then not being able to crack the key is what you actually want!
    So I would suggest maybe doing it yourself, paying the $10 bucks, or shutting the hell up.

    [Reply]

  19. bhawesh says:

    When I run airodump-ng it didn’t capture the data, meaning the value of data does not increase. Pls help me.

    [Reply]

  20. drifter says:

    I’m using backtrack with vmware, and want to know: after you capture a wpa handshake and you suspend the vm and log back on another day, does it matter if the other computer is logged on??? Or do I have to wait for them to log on to run my dictionary decryption…

    [Reply]

  21. drugs says:

    didn’t work

    [Reply]

    davidit Reply:

    Hello drugs, the reason it did not work is because this thread is missing some simple steps (aka it was designed with the average backtrack user in mind). If you notice, once you do airmon-ng start wlan0 it doesn’t tell you how to get the information for the next window, aka your targeted network’s mac, essid etc. You have to run airodump-ng mon0 to scan for networks; once found, copy the bssid and remember the channel. That’s the info you use to fill in the deauth attack, aka you can’t use the same variables he used in the tutorial. But I have verified the Deauth Command works 100% for wpa/wpa2 since it’s the same encryption scheme, and it enables you to crack a 4 way handshake of any router on the block, doesn’t matter the cipher.

    Guide Verified if you know what your doing :) but for noob backtrack users it wont work :)

    [Reply]

  22. Alfredo says:

    Sorry, reposting, it didn’t go as expected:

    A successful attack will show ACKs (in the deauthentication session terminal)

    we can look in the upper right hand corner to see the programs acknowledgment that we have indeed captured a WPA handshake

    Is it possible that we see the ACKS and still not get the acknowledgment in the airodump-ng terminal?

    Thanks in advance

    [Reply]

  23. Chip95 says:

    Am I missing something here? With a title “How to Capture a 4 way WPA handshake”, from reading the instructions provided I still do not know how to look at or save the handshake to, for example, my desktop, and then upload it.

    [Reply]

    Chip95 Reply:

    Ok, I see it in airodump

    [Reply]

  24. Test Anchor says:

    When I originally left a comment I seem to have clicked the -Notify me when new comments are added- checkbox and from now on each time a comment is added I receive four emails with the same comment. Is there a way you are able to remove me from that service? Thanks a lot!

    [Reply]
