How to Get a WiFi Handshake: A Security Audit Guide

Collecting a handshake, or handshake, is a fundamental step in the wireless network security audit process. This four-step data exchange between the client and the access point contains the encrypted information needed to test the password strength using brute-force attacks. Understanding how this mechanism works is critical for system administrators and information security professionals seeking to protect their infrastructure from unauthorized access.

In modern data security practices, obtaining this data packet is often the first step in legal penetration testing (Pentest). If attackers can intercept this data, they gain the ability to launch an offline password attack without being within the network's range. Therefore, network owners need to understand not only the theoretical aspects but also practical interception methods to promptly assess the vulnerability of their networks. routers and access points.

It's important to note that all actions described in this material should be performed solely for educational purposes or on your own equipment. Unauthorized collection of traffic from other people's networks is a violation of the law. We will examine the technical details of the protocol. WPA2, the necessary tools and methods to force a connection break to initiate a reconnection.

⚠️ Warning: Using packet sniffers and deauthentication tools on networks you do not own or do not have written permission to test may result in legal liability.

Theoretical foundations of the WPA2 handshake

The WPA2 security protocol uses a four-way handshake to establish a secure connection. When a client device (laptop, smartphone) attempts to connect to an access point, a key exchange occurs, allowing both parties to verify they know the correct password without transmitting it in cleartext over the air. This process generates a unique PMK (Pairwise Master Key) and PTK (Pairwise Transient Key), which encrypt all further traffic.

The intercepted packet contains critical data including Nonce (a random number) from the access point and the client, as well as hashes derived from the password. These hashes are what allow a brute-force attack to be launched. The brute-force program takes a dictionary of words, applies the same hashing algorithms to them, and compares the result with the intercepted value. If the values ​​match, the password has been found.

The difficulty of hacking directly depends on the complexity of the password and the encryption algorithm used. For networks of the standard WPA2-PSK This is the primary attack vector. However, it's important to understand that packet interception alone doesn't provide instant access to the network; it merely provides a "hook" for further cryptanalytic work.

An analysis of the packet structure reveals that data is transmitted unencrypted only within the control frames, but the actual handshake is already protected. However, the metadata needed to verify the password is available for analysis by any device in monitoring mode within range.

Necessary equipment and software

Successfully auditing a wireless network requires specialized equipment capable of operating in monitoring mode. Standard built-in WiFi modules in laptops often don't support packet injection or have a limited range. The most popular and reliable solution is to use external USB adapters based on chipsets. Atheros AR9271, Ralink RT3070 or Realtek RTL8812AU.

As for the operating system, the de facto standard for such tasks is Kali LinuxThis distribution contains a pre-installed set of tools necessary for working with network interfaces and analyzing traffic. Although versions exist for Windows and macOS, the drivers' stability in monitoring mode under Linux is significantly higher, which is critical for successful packet capture.

📊 What equipment do you plan to use for the audit?
Built-in laptop adapter: Alfa AWUS036NHA USB adapter: TP-Link TL-WN722N (v1) USB adapter: Raspberry Pi with external module: Other

The key software in the set is aircrack-ngThis is not just one program, but a whole set of utilities, including airmon-ng to control map modes, airodump-ng for traffic sniffing and aireplay-ng for packet injection. You may also need a utility wash or reaver for WPS analysis, although in the context of handshake we are interested in the functionality of the air family.

When choosing equipment, pay attention to frequency band support. Modern networks often operate in the 5 GHz band, and older adapters that only operate in 2.4 GHz will be useless for such purposes. Furthermore, an external antenna with a high gain (e.g., 5 dBi or higher) significantly increases the chances of successfully capturing a signal from a distance.

Setting the network interface to monitor mode

The first practical step is to put the network adapter into monitor mode. In normal operation, the card filters frames, leaving only those addressed to it. Monitor mode allows the card to capture All packets passing through the air, whether they are destined for your network or not.

To get started, you need to open the terminal and enter the command sudo airmon-ngThis utility will scan the system and display a list of available interfaces. They are usually labeled as wlan0, wlan1 or wlp2s0Before starting the monitoring mode, it is highly recommended to stop processes that may conflict with the network card, such as NetworkManager or wpa_supplicant.

sudo airmon-ng check kill

sudo airmon-ng start wlan0

After executing the command to start monitoring, the interface name will change. A suffix is ​​often added to the original name. mon, For example, wlan0monNow the adapter is ready to listen to the broadcast.

☑️ Interface preparation

Completed: 0 / 1

If the interface doesn't enter monitoring mode, this may indicate driver issues. In such cases, manually installing drivers from repositories or compiling them from source code may be necessary. For chipsets Realtek This is a common situation that requires attention and searching for current driver versions on GitHub.

Scanning the airwaves and selecting a target

After configuring the interface, you need to detect the target network. Utility airodump-ng Allows you to visualize all available wireless networks within range. It can be launched with the command sudo airodump-ng wlan0mon (replace the interface with yours).

A list of networks with their parameters will appear on the screen: BSSID (MAC address of the access point), PWR (signal level), Beacons (number of lighthouses), #Data (number of captured data packets) and CH (channel). We are interested in encrypted networks. WPA2The signal level (PWR) must be high enough (the smaller the absolute value, the better the signal, for example -40 is better than -80).

Parameter Description Importance for attack
BSSID MAC address of the router High (for filtration)
PWR Signal strength (dBm) Critical (capture quality)
#Data Number of data packets Average (shows activity)
ENC Encryption type High (requires WPA2)
MB Maximum speed Low (technical information)

Once you've selected the target network, you need to lock the scan to a specific channel and BSSID. This is done to ensure that the handshake is not missed and that only relevant traffic is recorded. The command will look like this:

sudo airodump-ng --bssid 00:11:22:33:44:55 --channel 6 -w capture wlan0mon

Here --bssid indicates the target address, --channel fixes the channel, and -w capture specifies the prefix for the filename where the data will be saved. After running this command, the utility will wait for someone to connect to the network.

Methods of intercepting a handshake

There are two main ways to obtain a handshake: passive waiting and active deconnection. The passive method involves waiting for a legitimate client to connect to the network. This can take minutes, hours, or even days, making it ineffective for a quick audit.

The active method involves using deauthentication. We send a special control frame on behalf of the access point to the client (or vice versa), which forcibly terminates the connection. The client, having lost the connection, will automatically attempt to reconnect, at which point a handshake will occur, which we intercept.

Why does deauthentication work?

The 802.11 protocol does not require authentication of management frames, such as deauthentication. This allows any device within range to terminate the connection between the client and the router simply by spoofing the sender's MAC address.

To implement the attack, a utility is used aireplay-ngThe command syntax for sending deauthentication packets is as follows:

sudo aireplay-ng --deauth 10 -a 00:11:22:33:44:55 wlan0mon

Parameter --deauth 10 specifies the number of packets sent (in this case 10 series). The parameter -a Specifies the BSSID of the access point. If there are multiple clients on the network, you can specify a specific client using the parameter -c, so as not to disturb unnecessary devices. When sending packets, the window airodump-ng an inscription will appear in the upper right corner [ WPA handshake: 00:11:22:33:44:55 ]This is a signal of success.

⚠️ Warning: Excessive use of deauthentication packets can cause a temporary denial of service (DoS) for legitimate network users. Use this method sparingly and only within the test window.

If you can't get a handshake on the first try, try increasing the number of deauthentication packets or adjusting the antenna position to improve signal reception from the client. Sometimes it's useful to use broadcast deauth to terminate the connection with all clients at once.

Analysis of captured data and password verification

After successfully capturing the handshake, the file capture-01.cap (or with a different number if the files are numbered automatically) contains the necessary data. Before launching a tedious brute-force process, it's worth verifying that the handshake is indeed recorded correctly. To do this, you can use the command:

aircrack-ng capture-01.cap

If the file contains a valid handshake, the program will notify you, displaying the network name (ESSID) and the number of handshakes found. If no handshake is found, the program will prompt you to continue searching or exit. The presence of a valid handshake is the "green light" to begin checking the password strength.

The verification process itself (brute force) can be performed on the same computer or offloaded to powerful GPU clusters. A dictionary of words is used for local verification. The quality of the dictionary directly impacts success: the more common passwords and their variations it contains, the higher the chances.

The command to start the enumeration looks like this:

aircrack-ng -w /path/to/wordlist.txt capture-01.cap

Where -w Specifies the path to the dictionary file. If the password is in the dictionary, it will be displayed on the screen. If the dictionary is exhausted and the key is not found, the password is too complex or is not in the word database being used.

Protective measures and prevention of interception

Understanding vulnerabilities helps build effective defenses. The first and most important step is using complex passwords. A password less than 10 characters long and consisting entirely of letters can be cracked in seconds with modern equipment. It is recommended to use combinations of upper and lowercase letters, numbers, and special characters, 12-14 characters long.

In addition, you should disable the function WPS (Wi-Fi Protected Setup) in the router settings. While convenient, this protocol has critical vulnerabilities that allow PIN recovery and network access without the WiFi password. It's also useful to limit the number of connected devices by MAC addresses, although this method isn't completely secure, as MAC addresses are easily spoofed.

Regularly updating your router firmware is another important measure. Manufacturers frequently patch security holes and improve packet processing algorithms. For corporate networks, switching to WPA3-Enterprise using a RADIUS server, which makes intercepting the handshake useless for an attacker, since authentication occurs via certificates or username/password, and not a shared key.

⚠️ Please note: Router management interfaces and encryption methods are constantly being updated. Always check your security settings against your equipment manufacturer's current recommendations and industry standards.

Using a guest network for visitors also minimizes risks. Even if the guest connection is compromised, the main network with production computers and data storage remains isolated. Network segmentation is one of the most effective ways to mitigate the damage from a potential hack.

Is it possible to get a handshake if no one is connected to the network?

No, the handshake is generated only when a client connects to the access point. If there are no active clients on the network, intercepting the handshake is impossible because no key exchange occurs. In this case, an attack on WPA2/WPA3-PSK is impossible without physical access or vulnerabilities in the router itself.

What is the best dictionary to use for checking?

The dictionary is considered the most popular and effective rockyou.txt, which contains millions of passwords leaked from various databases. For deeper analysis, specialized dictionaries tailored to specific regions or language groups are used, as well as hashcat rules that modify words in the dictionary.

Does this method work on 5GHz networks?

Yes, the handshake interception method works exactly the same for both 2.4 GHz and 5 GHz frequencies. The only difference is the required hardware: your WiFi adapter must support the 5 GHz band and have the appropriate drivers to operate in monitor mode on these frequencies.

How long does it take to crack a password after receiving a handshake?

Brute-force times vary from a fraction of a second to infinity. Simple passwords (e.g., "12345678") are brute-forced instantly. Complex passwords can take years to brute-force, even on powerful clusters. Everything depends on the password's entropy and the computing power of the hardware used.