How to Capture a 4 way WPA handshake

Trying to capture a 4-way TKIP handshake without help can involve sitting and watching traffic for hours and hours, waiting for a client to connect to a network. By using a tool called aircrack-ng we can forcefully deauthenticate a client who is connected to the network and force them to reconnect back up. During the process of re-exchanging the encrypted WPA key, you will capture a handshake. In order to forcefully capture a 4-way handshake, you will need to deauthenticate a client computer that is actively using services, forcing it to exchange the WPA key and in turn capturing the handshake that can be decrypted.

Things you will need in order to complete this exercise:

  • A copy of Linux with the program aircrack-ng installed and wireless drivers patched for injection (I recommend Backtrack-linux since it has all these things already)
  • A compatible wireless card. You can check the Aircrack-ng HCL for compatible cards
  • A wireless access point with WPA/WPA2 PSK encryption
  • Another device or computer connected to the access point


Step 1: Put the interface in monitor mode.
Assuming you are booted up and ready to go, you’ll need to put the interface in monitor mode and get ready to start dumping packets from your target network.

airmon-ng start wlan0

wlan0 is your network interface device:

1-10-2010-1-01-32-AM

Step 2: Start capturing traffic from the target access point and prepare to deauthenticate a client.
You need to start capturing all the packets in order to capture a 4-way handshake for the target network. You can tell airodump-ng exactly which channel to listen on, and to filter out all other wireless devices except the one we are attacking. Be sure to leave this window open and running.

airodump-ng -c 6 --bssid 00:1D:7E:64:9A:7C --showack -w capture mon0

Required Airodump Switches:

  • -c specifies the channel to listen on
  • –bssid specifies the target MAC address
  • –showack tells airodump to give verbose ACK related information
  • -w specifies the file to save the handshake to

Example airodump-ng output:

1-10-2010-1-03-41-AM

If you do not yet know the bssid of the target you can omit that part of the command to see a list of all access points on the specified channel. You should at this point take note of the mac address or bssid of the target access point and the mac address of the connected client you are going to deauthenticate.

Step 3: Deauthenticate the client who is already connected and force them to exchange the WPA key as they connect.

Open a new terminal and deauthenticate the victim from the target network.

aireplay-ng -0 5 -a 00:1D:7E:64:9A:7C -c 00:25:D3:0B:71:15 mon0

Required Aireplay Switches:

  • -0 6 tells aireplay to inject deauthentication packets. The 6 is the number of packets we wish to send.
  • -a is the wireless access point MAC address
  • -c is the client MAC address.

Example of a deathentication session:

1-10-2010-1-08-59-AM

A successful attack will show ACKs, which indicates that the victim who is connected to the access point has acknowledged the disconnect we just issued. It is possible to send just 1 deauthentication request, but depending on the range of you to the target wireless network sometimes more than 1 request is needed.

Step 4: Ensure you have captured the 4-way handshake.
Going back to the airodump-ng terminal which should still be running and collecting packets we can look in the upper right hand corner to see the programs acknowledgment that we have indeed captured a WPA handshake. This can also be done by running aircrack-ng on the capture file.

aircrack-ng capture-02.cap

Example aircrack-ng output

1-10-2010-1-15-43-AM

Step 5: Upload the handshake to ph33rbot.com
Since running a dictionary attack against a WPA handshake can be a long drawn out cpu intensive process, Question-Defense has a online WPA password cracker which can be used to test your capture. The process is simple. Access the web interface here and fill in the required information. You will be charged a small fee of ten dollars to test your capture against a wordlist made up of around 540 million words and the results will be returned to you in a few hours via email.

Example of correct upload:

1-10-2010-1-18-22-AM

Share