
Capture Handshake Address with Airodump-ng and Aireplay-ng

In this article, we are going to use Airodump-ng and Aireplay-ng to get the Handshake address passed between the router and the client.

Before starting with the actual process, it is important to understand how a connection to a WiFi router is initialized and how clients are authenticated before they are connected to the router.



Working of WiFi Authentication and Connection

Typically, the connection between a wireless router and a client device works as follows:

  1. The client device searches for all the available networks nearby and displays the Service Set Identifier (SSID) of each network the device could connect to.
  2. The user then chooses a wireless network to connect to.
  3. The client device sends the router a connection request, which is followed by a 4-way handshake.
  4. After the router acknowledges the request, a connection is established between the client and the wireless network.

Before moving forward, it is essential to understand the following terms:



Service Set Identifier (SSID)

A Service Set Identifier (SSID) is a distinct label assigned to a wireless router; it identifies that network and distinguishes it from the other Wi-Fi networks in range.

Nonce

A nonce is a pseudo-random number generated by each device during the authentication process for communication and verification. It can be used only once, so even if a nonce is captured in transit by conventional interception methods, it cannot be reused to establish the same connection again.

Group Temporal Key (GTK)

The Group Temporal Key (GTK) is used to encrypt all the traffic passing to and fro between the wireless router and the client devices connected to it. Every connected client device holds this GTK. It is unique per access point, so different access points have different GTKs.

Pairwise Transient Key (PTK)

The Pairwise Transient Key (PTK) is a unique key generated by combining the nonces exchanged during the authentication process between the two devices; it is used to encrypt all the data passing between the router and the client device.

4-Way Handshake

Modern wireless networks follow a 4-way handshake protocol, which consists of the following steps:

  1. The client device sends the router a request to allow the connection, along with some information about the device and a nonce generated by the device.
  2. Once the router receives the initial request from the client, it also generates a new nonce and sends it along with some WiFi network information and the GTK, encrypted with the Wi-Fi password.
  3. When the client device receives the response from the router, it decrypts the data packets sent by the router using the Wi-Fi password. After decryption, the client device combines the nonce it generated with the one it received from the router, thereby creating a new PTK. It then encrypts this information with the Wi-Fi password and sends it to the router.
  4. On receiving the client's response, the router decrypts the information using the Wi-Fi password and matches the PTK it got from the client against the one it computed itself. If the PTKs match, it authenticates the connection request and allows the device to connect to the wireless network.

Now, it is important to understand more about the Airodump-ng and Aireplay-ng tools.

Airodump-ng

Airodump-ng is a command line tool from the Aircrack-ng suite, which is used to assess Wi-Fi network security. This tool is specifically designed to monitor and intercept wireless network traffic, including but not limited to the traffic of Wi-Fi access points.

A few key distinguishing features of Airodump-ng are:

Network Scanning

It can scan the WiFi networks available nearby and display information about each network, such as its MAC address, ESSID, the channel on which the access point is operating, and the encryption type of the network.

Detecting Connected Client

It can be used to detect the devices connected to a wireless router's network, along with their MAC addresses, for further analysis.

Intercepting the Data Packets

It also provides functionality to intercept the data packets transmitted between the client device and the wireless router.

Aireplay-ng

Similar to Airodump-ng, Aireplay-ng is a command line tool from the Aircrack-ng suite, used for purposes such as injecting network packets, deauthentication attacks and testing for vulnerabilities on the network. The tool is valuable for evaluating the security of wireless networks and enhancing penetration testing capabilities.

A few characteristics of Aireplay-ng are:

Packet Injection

It is designed to send or inject custom crafted packets, including but not limited to deauthentication and disassociation frames, which make client devices disconnect and hence reveal potential vulnerabilities.

Deauthentication Attacks

The most popular use of Aireplay-ng is to perform deauthentication attacks, which involve sending deauth packets to the router to disconnect either a client with a specific MAC address or every client connected to the network.
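From the defender's side, the signature of such an attack is a burst of deauthentication/disassociation frames whose source address is the access point's own BSSID, usually addressed to broadcast. The following detector is an added example (not code from the article or the Aircrack-ng project); it runs over constructed management-frame records in a (time, subtype, destination, source) format of its own, which a monitor-mode sensor would have to produce, and flags any source that exceeds a threshold of disconnect frames within a sliding one-second window.

```python
# Added example: flag deauth/disassoc floods in monitor-mode frame records.
# The record format (time_s, subtype, dst, src) is this example's own assumption.
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DISCONNECT_SUBTYPES = ("deauth", "disassoc")


def constructed_frames():
    """Constructed sample capture: ordinary beacons from two access points,
    one legitimate unicast deauth, and a broadcast deauth flood spoofed
    as access point 01."""
    frames = []
    for i in range(10):
        frames.append((i * 0.1024, "beacon", BROADCAST, "aa:bb:cc:dd:ee:01"))
        frames.append((i * 0.1024 + 0.05, "beacon", BROADCAST, "aa:bb:cc:dd:ee:02"))
    # one unicast deauth, e.g. an idle-timeout from the real AP 02: normal
    frames.append((0.30, "deauth", "11:22:33:44:55:66", "aa:bb:cc:dd:ee:02"))
    # 64 broadcast deauths in about half a second "from" AP 01: a flood
    for i in range(64):
        frames.append((0.20 + i * 0.008, "deauth", BROADCAST, "aa:bb:cc:dd:ee:01"))
    return frames


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Return {src: {"peak": n, "broadcast": bool}} for every source address
    that sends more than `threshold` deauth/disassoc frames inside any
    sliding window of `window_s` seconds. A real AP rarely does this;
    a spoofed broadcast burst is the classic deauthentication-attack pattern."""
    recent = defaultdict(deque)  # src -> (time, dst) records inside the window
    alerts = {}
    for ts, subtype, dst, src in sorted(frames):
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window_s:  # drop records older than the window
            q.popleft()
        if len(q) > threshold:
            a = alerts.setdefault(src, {"peak": 0, "broadcast": False})
            a["peak"] = max(a["peak"], len(q))
            a["broadcast"] = a["broadcast"] or any(d == BROADCAST for _, d in q)
    return alerts


if __name__ == "__main__":
    for src, info in detect_deauth_flood(constructed_frames()).items():
        print(f"ALERT {src}: {info['peak']} disconnect frames within 1 s, "
              f"broadcast={info['broadcast']}")
```

Clients that negotiate Protected Management Frames (802.11w, mandatory in WPA3) discard unprotected deauth frames, so on such networks the burst is still visible to a sensor but no longer disconnects anyone.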

Approach

Capturing the Handshake Address involves several steps.

First, we put our network adapter into monitor mode to analyse the networks around us and gather information about the routers. Then we deauthenticate all or specific clients from the WiFi network, with Airodump-ng set up to intercept any Handshake Address transmitted between a client device and the router.

Once a client device has been deauthenticated from the WiFi network, it automatically tries to reconnect to the same network by initiating the 4-way handshake again. During this reconnection, Airodump-ng intercepts the Handshake Address exchanged between the two and saves it to a file.

Installation

Although aircrack-ng and its command line tools usually come preinstalled, they can be installed using the following commands:

Updating package repository:

sudo apt update


Installing aircrack-ng:

sudo apt install aircrack-ng


Capturing Handshake Address

Setting up Network Adapter in Monitor Mode

First, check all available interfaces and the name of our network adapter using the following command:

iwconfig

Explanation:

‘iwconfig’ lists all the available wireless network interfaces in the operating system along with some basic information about each.

As we can see, the name of our network adapter is wlan0 and the adapter is in Managed Mode. To monitor traffic and inject deauth packets, we have to put the adapter into monitor mode using the following command:

sudo airmon-ng start wlan0

Explanation:

‘sudo’ : runs the command with elevated privileges, which are needed to change system configuration

‘airmon-ng’ : it is the script that is used to enable/disable monitor mode for network adapters

‘start’ : the argument instructs airmon-ng to start monitor mode

‘wlan0’ : the name of the network adapter to be used for the attack

Next, we monitor all nearby WiFi networks to gather information about them.

We can list all available networks using:

sudo airodump-ng wlan0

Explanation:

‘sudo’ : runs the command with elevated privileges, which are needed to change system configuration

‘airodump-ng’ : the tool used to monitor WiFi networks

‘wlan0’ : the name of the network adapter to be used for the attack

As we can see, all nearby networks are listed with their BSSID (MAC address), the channel they are operating on (CH), the encryption type (ENC), and so on.

Here, our target is the third network in the list, HARSH JIO 4G.

After choosing the target and copying its BSSID, we monitor only that network while continuously trying to intercept a Handshake Address, if any, using the following command:

sudo airodump-ng --bssid <BSSID of Network> -c <Channel> -w psk wlan0


Explanation:

Here, the ‘--bssid’ argument passes the BSSID of our target, the ‘-c’ argument specifies the channel our target is operating on, and ‘-w’ specifies the prefix of the output files: any output files containing network information or handshakes will be saved under that prefix.

Monitoring and checking for handshakes on the target has now started. Next we deauthenticate all the client devices from the router so that they automatically try to reconnect, and airodump-ng captures the Handshake Address.

To deauthenticate using aireplay-ng, we can use following command:

sudo aireplay-ng -0 <number of deauth packets to send> -a <BSSID of Target> wlan0

Explanation:

‘-0 <count>’ : selects the deauthentication attack and specifies the number of deauthentication packets to send; passing 0 sends packets continuously until interrupted.

‘-a’ : sets the BSSID/MAC address of the target access point whose clients are to be deauthenticated

‘-c’ (optional) : deauthenticates a specific client, identified by its MAC address; if it is not specified, all clients on the network are disassociated

As the attack starts, it disassociates all the clients connected to the network. As a result, the devices automatically try to reconnect to the network, and this reconnection attempt, with its Handshake Address, is captured by the running ‘airodump-ng’ process.

As can be seen at the top right of the screen, airodump-ng captured the WPA handshake for the access point with that specific BSSID.

We can list all the captured handshake files in the current directory using:

ls

These are all the handshake files captured during the exchange of data packets between the router and the client device.

We can inspect a handshake file for information using:

aircrack-ng <name of file>.cap

Frequently Asked Questions:

Q1. Are there alternatives to Airodump-ng and Aireplay-ng for capturing handshake addresses?

Answer:

Yes, there are multiple alternatives to Airodump-ng and Aireplay-ng; two prominent ones are Wireshark and Airgeddon.

Q2. How to decrypt the password from the Handshake Address?

Answer:

The password can be recovered from the captured Handshake Address by a dictionary attack, where the handshake is checked against every password in a wordlist, or by a brute-force attack, where it is compared against all possible permutations of characters until the password is found.

Q3. Can it be used to capture the Handshake Address of any WiFi network?

Answer:

Yes, it can be used to intercept the Handshake Address of any WiFi network, but it is illegal to use these tools against a WiFi network without permission. Always obtain proper authorization before using these methods.

Q4. How to secure a network?

Answer:

It is not possible to prevent these attacks completely, but to make the network more secure it is advisable to use the latest encryption type, such as WPA3, together with a strong and lengthy password. Then, even if an attacker obtains the Handshake Address, it is very difficult to crack it and recover the password.

Q5. What to do if the WiFi network's security has been compromised?

Answer:

The first and foremost thing to do is to change the password, check the router's admin page for any unauthorized changes, and consult a network security professional.

Conclusion:

Capturing the Handshake Address is an essential step in assessing the security of a Wi-Fi network. Using readily available tools like Airodump-ng and Aireplay-ng, one can monitor and intercept the authentication process between a client device and a Wi-Fi router to gain information about the network. This information is very important for network administrators, as it helps them identify potential vulnerabilities and weaknesses in the network's security. On the other hand, the same information can be used by attackers with malicious intent to break into someone's private network by exploiting those weaknesses.

By understanding the techniques and tools involved in capturing handshake addresses, and how an attacker can use them to invade someone's privacy, network administrators and users can take the necessary steps to strengthen their network security and prevent unauthorised persons from accessing their private network.
