Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

Wireless How To

Active Attack

Passive attacks have the advantage of being undetectable because they only listen to traffic from the target network. But if your target doesn't have a lot of traffic, you can wait a long time to capture the four-way handshake. Fortunately, you have the faster, but less-stealthy option of running an active attack.

Using the information we gathered with Kismet during the recon step, we can send associated client(s) of the target AP forged deauthentication packets, which should cause the client(s) to disassociate from the AP. We then listen for the reassociation and subsequent authentication.

After identifying our target AP with associated clients, we need to set up the wireless hardware for packet injection. The aircrack suite has a little bash script to do just that.

First bring down the managed VAP (Virtual Access Point) with:

airmon-ng stop ath0

Bringing down the managed interface

Figure 2: Bringing down the managed interface

Next, start up a VAP in "Monitor" mode:

airmon-ng start wifi0

Creating a monitor mode interface

Figure 3: Creating a monitor mode interface

Now we need to simultaneously deauthenticate a client and capture the resulting reauthentication. Open up two terminal windows. Start airodump-ng in one terminal:

General Form:

airodump-ng -w capture_file_prefix --channel channel_number interface


airodump-ng -w cap --channel 6 ath0

airodump-ng, up and running

Figure 4: airodump-ng, up and running
NOTE!Note: You can find the interface that is in monitor mode by using iwconfig.

Next, run the deathentication attack with aireplay-ng in the other terminal:

General Form:

aireplay-ng --deauth 1 -a MAC_of_AP -c MAC_of_client interface


aireplay-ng --deauth 1 -a 00:18:E7:02:4C:E6 -c 00:13:CE:21:54:14 ath0

A successfully sent deathentication packet

Figure 5: A successfully sent deathentication packet

If all goes well, the client should be deauthenticated from the AP and will usually reauthenticate. If remaining undetected is important, send only one deauth and be patient. This helps keep you under the radar, since programs like Kismet can detect deauthentication floods.

If the deauthentication was successful, airodump-ng displays a notification of the captured reauthentication event (boxed in red in Figure 6).

Successful WPA handshake capture

Figure 6: Successful WPA handshake capture

Finding the Four-way Handshake

To make sure we captured an authentication handshake, we can use the network protocol analyzer Wireshark (formerly Ethereal). Wireshark allows us to view packet contents and sort by type of packet captured to pull out the WPA handshake.

Open up Wireshark (Backtrack > Privilege Escalation > Protocol Analysis > Network Sniffers > WireShark) and open the Kismet capture "dump" file (Kismet-.dump) to view all the captured packets. The WPA four-way handshake uses the Extensible Authentication Protocol over LAN (EAPoL).

Using Wireshark, we can filter the captured packets to display only EAPoL packets by entering "eapol" in the filter field (Figure 7).

EAPoL filter applied to captured packets

Figure 7: EAPoL filter applied to captured packets

Here, we're basically looking for four packets that alternate source, client-AP-client-AP (I've highlighted them in red in Figure 7).

Now that we've confirmed that we've captured a four-way handshake, it's time to perform the crack.

More Wireless

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

RT-AC88U configured with the following. Just enabled dnsycrypt and when I run the dns leak test it still shows up my IP Address in the list of DNS ser...
Asuswrt-Merlin 384.19 is now available for all supported models, except for the RT-AX56U (no up-to-date GPL available for that model).The main changes...
Version MBytesASUS RT-AC68U Firmware version Fixed RCE vulnerability.
I plan to make available a beta version of the next kamoj add-on - if there is enough interest.N.B: Voxel firmware is a pre-requisite, not an option!I...
Main goal of this release: additional boost of the router performance as I hope (slight boost ). I succeed to change GCC compiler from the version 9....

Don't Miss These

  • 1
  • 2
  • 3