Hacking Wi-Fi: Obtaining a Two-Way Handshake from WPA2 Networks


One of the methods of obtaining access to a network is by penetrating the wireless access point. WPA2 has a weakness where an attacker can capture the two-way handshake between a client and an access point (AP). In this tutorial, I will demonstrate how to obtain a 3-way handshake between an AP and a client.

Please keep in mind that you should only perform these types of attacks on a network that you have been given permission to test, or one of your own.

In order to do this attack, I bought the Alfa AWUS036ACH card, which is capable of monitor mode. Monitor mode is crucial during this process because it allows us to see all the traffic received from the wireless network.

First, we need to make sure that we install the Alfa card into our host machine with all the necessary drivers. Then we load up VirtualBox with Kali Linux and install the VirtualBox Extension Pack. To complete the VirtualBox setup, we enable the USB 3.0 controller and add our Alfa Realtek card as demonstrated below:

After VirtualBox is configured, we can go ahead and open a terminal window in Kali Linux:

We will need the drivers for the Alfa wireless card, and we reboot the system after installation.

Once the system comes back up, we are ready to enable monitor mode on our wireless card. Airmon-ng is the utility that allows us to get our wireless card ready. We first need to check whether any processes might interfere and kill them, and then start the card in monitor mode.

sudo airmon-ng check kill      # Kill processes that could interfere with monitor mode

sudo airmon-ng                 # This will list compatible wireless cards

sudo airmon-ng start wlan0     # This command will start the wireless card in monitor mode

Once our interface is listening in monitor mode, we are ready to start listening for wireless connections. In order to listen, we need the utility called airodump-ng.

sudo airodump-ng wlan0         # This command will listen for network traffic

Let’s take a quick moment to analyze these results.

  • The BSSID column shows the MAC addresses of the wireless access points
  • PWR is the signal strength that we are receiving from the AP
  • Beacons is the number of beacon frames seen; beacons contain information about the network
  • #Data is the number of captured data packets
  • CH is the channel that the AP is using
  • MB is the maximum communication speed
  • ENC is the encryption protocol that the AP is using
  • CIPHER is the cipher that the AP is using
  • ESSID is the name of the wireless network

We now need to pick a network to start our attack. It is best to pick a network with good PWR (signal strength), such as "Castro."

Before we proceed, we need to make sure that our Alfa wireless card is on the same channel as the victim's AP. In order to change the channel, we run the following command:

sudo iwconfig wlan0 channel 1  # 1 is the channel number of the victim's AP.

sudo airodump-ng -c 1 --bssid <MacOfAP> -w handshakefilename wlan0   # Capture only this AP's traffic to a file

At the same time, we need to open a new terminal window and type:

sudo airodump-ng wlan0         # This window will listen for the handshake.

Now we need to kick one of the devices connected to the "Castro" network off the AP, so that the device reauthenticates and reconnects. By doing this, we will be able to capture the three-way handshake. From the previous image, we can see that the AP has multiple stations. These stations are network devices currently connected to the AP. We can kick one of these devices off using aireplay-ng:

sudo aireplay-ng -0 0 -a <MacOfAP> -c <MacOfClient> wlan0   # -0 0 sends deauthentication frames continuously

If the above command does not force a three-way handshake, you can remove the -c option and MacOfClient. Please keep in mind that this sends a broadcast disconnection to every client of the AP and makes much more network noise.
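That extra noise is exactly what a defender's wireless IDS keys on: deauthentication is a management frame (type 0, subtype 12), and a capture from a monitor-mode card shows a burst of them, to one client or to the broadcast address, well above what a healthy AP ever sends. The following added example (not part of the original post) parses a classic little-endian pcap with raw 802.11 frames (linktype 105, no radiotap header) and counts targeted versus broadcast deauth frames per BSSID; the MAC addresses and the capture itself are constructed placeholders.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
LINKTYPE_IEEE802_11 = 105   # raw 802.11 frames without a radiotap header (assumption)

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _frame(ftype, subtype, dst, src, bssid, body=b""):
    # Frame Control byte 0: bits 0-1 version, 2-3 type, 4-7 subtype; then flags,
    # duration, addr1 (receiver), addr2 (transmitter), addr3 (BSSID), sequence control.
    fc = (subtype << 4) | (ftype << 2)
    return struct.pack("<BBH", fc, 0, 0) + _mac(dst) + _mac(src) + _mac(bssid) + b"\x00\x00" + body

def build_pcap(frames):
    # Classic pcap global header (magic, v2.4, tz 0, sigfigs 0, snaplen, linktype) + records
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def deauth_stats(pcap):
    """Count deauth frames (type 0 / subtype 12) per BSSID, split into targeted and broadcast."""
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected little-endian classic pcap with raw 802.11 frames")
    stats, off = {}, 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 24:
            continue                     # truncated frame, no full MAC header
        fc = frame[0]
        if (fc >> 2) & 0x3 != 0 or (fc >> 4) != 12:
            continue                     # not a management frame, or not a deauth
        dst = ":".join(f"{b:02x}" for b in frame[4:10])
        bssid = ":".join(f"{b:02x}" for b in frame[16:22])
        s = stats.setdefault(bssid, {"targeted": 0, "broadcast": 0})
        s["broadcast" if dst == BROADCAST else "targeted"] += 1
    return stats

def flag_storms(stats, threshold=5):
    """Return BSSIDs whose deauth count in the capture reaches the alert threshold."""
    return sorted(b for b, s in stats.items() if s["targeted"] + s["broadcast"] >= threshold)

def sample_capture():
    # Constructed traffic: one beacon, two data frames, eight targeted and three broadcast deauths.
    ap, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # placeholder MAC addresses
    frames = [_frame(0, 8, BROADCAST, ap, ap), _frame(2, 0, ap, client, ap), _frame(2, 0, client, ap, ap)]
    frames += [_frame(0, 12, client, ap, ap, b"\x07\x00")] * 8   # reason 7: class 3 frame from non-associated STA
    frames += [_frame(0, 12, BROADCAST, ap, ap, b"\x07\x00")] * 3
    return build_pcap(frames)
```

On a real capture, read the file bytes and pass them to deauth_stats; a single AP showing more than a handful of deauths in a short window, especially to the broadcast address, is worth an alert.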

Once the handshake is captured, the following notice will be shown:

The message that we are looking for is "WPA handshake: " followed by the MAC address of the access point. This message appears in the window where we ran "sudo airodump-ng wlan0." The handshake has been saved to the filename that we specified earlier, with the extension .cap.

In the next blog post, I will go over the different methods for cracking the .cap file and successfully obtaining the password for the victim's WPA2 AP.