Finding the Four-way Handshake
To make sure we captured an authentication handshake, we can use the network protocol analyzer Wireshark (formerly Ethereal). Wireshark lets us view packet contents and filter by packet type to pull out the WPA handshake.
Open up Wireshark (Backtrack > Privilege Escalation > Sniffers) and open the Kismet capture "dump" file (Kismet-<date>.dump) to view all the captured packets. The WPA four-way handshake uses the Extensible Authentication Protocol over LAN (EAPoL).
Using Wireshark, we can filter the captured packets to display only EAPoL packets by entering "eapol" in the filter field (Figure 7).
Figure 7: EAPoL filter applied to captured packets
Here, we're basically looking for four packets that alternate source, client-AP-client-AP (I've highlighted them in red in Figure 7).
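The same check can be scripted against the EAPoL frames once they are extracted from the capture. The Python below is an added example, not part of the original article: it classifies EAPOL-Key frames as handshake messages 1 to 4 from their Key Information flags and confirms that all four appear in order with alternating senders. The MAC addresses and frames are constructed sample data, and each frame is assumed to start at the 802.1X header.

```python
import struct

# EAPOL-Key "Key Information" flag bits (IEEE 802.11i)
PAIRWISE, INSTALL, ACK, MIC = 0x0008, 0x0040, 0x0080, 0x0100

def classify(frame: bytes):
    """Return (message_number, replay_counter) for a four-way-handshake frame, else None."""
    if len(frame) < 99 or frame[1] != 3:      # too short, or not an EAPOL-Key packet
        return None
    key_info, _key_len, replay = struct.unpack_from("!HHQ", frame, 5)
    key_data_len, = struct.unpack_from("!H", frame, 97)
    if not key_info & PAIRWISE:               # group-key handshake, not the four-way one
        return None
    ack, mic = bool(key_info & ACK), bool(key_info & MIC)
    if ack and not mic:
        return 1, replay
    if ack and mic and key_info & INSTALL:
        return 3, replay
    if mic and not ack:                       # message 2 carries key data, message 4 does not
        return (2 if key_data_len else 4), replay
    return None

def has_full_handshake(packets):
    """packets: (source_mac, eapol_bytes) pairs in capture order."""
    want, ap, sta, rc = 1, None, None, None
    for src, frame in packets:
        got = classify(frame)
        if got is None:
            continue
        msg, replay = got
        if msg == 1:                          # restart tracking on every message 1
            want, ap, sta, rc = 2, src, None, replay
        elif msg == want == 2 and src != ap and replay == rc:
            want, sta = 3, src
        elif msg == want == 3 and src == ap and replay > rc:
            want, rc = 4, replay
        elif msg == want == 4 and src == sta and replay == rc:
            return True
    return False

def build(key_info, replay, key_data=b""):    # constructed frame with zeroed nonce and MIC
    body = struct.pack("!BHHQ", 2, key_info, 16, replay) + bytes(80)
    body += struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body

AP, STA = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed addresses
SAMPLE = [(AP, build(0x008A, 1)), (STA, build(0x010A, 1, bytes(22))),
          (AP, build(0x13CA, 2, bytes(56))), (STA, build(0x030A, 2))]
```

A capture that is missing any one of the four messages, or whose replay counters do not line up, makes `has_full_handshake` return `False`.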
Now that we've confirmed that we've captured a four-way handshake, it's time to perform the crack.