
Attacking WPA/WPA2 Handshakes

Cyber Security Mastery: From Zero to Hero

The 4-Way Handshake Attack

Cracking WPA/WPA2 passwords does not involve breaking the AES encryption itself. Instead, it targets the 4-Way Handshake used when a client first connects to an access point.

The Handshake

The handshake carries random values (nonces) from both the AP and the client, plus an integrity value computed from a key derived from the network password, the Pre-Shared Key (PSK). Everything needed to recompute that value, except the password itself, is visible in the capture, which is why a password guess can be checked offline without ever contacting the AP.

The Attack Steps

  1. Sniffing: Use airodump-ng in monitor mode to listen for the handshake between a legitimate client and the AP.
  2. Forcing the Handshake (Deauthentication): Send a deauthentication frame (using aireplay-ng) to the client, forcing it to disconnect and immediately reconnect, which generates a fresh handshake to capture.
  3. Cracking: Feed the captured handshake file (.cap) and a large wordlist into aircrack-ng or hashcat to run an offline dictionary attack against the password-derived value in the handshake.
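Step 2 is the noisy part of this attack, and it is where a defender can see it: a forged deauthentication is a burst of unauthenticated management frames aimed at one client, whereas a legitimate disconnect is a single frame. The following is an added example, not part of the course material, showing the kind of sliding-window check a wireless IDS or a monitor-mode sensor can run over management-frame metadata to flag such bursts. The frame records, the MAC addresses and the threshold values are constructed for the example; the field names (timestamp, subtype, bssid, client) are assumptions about how a sensor would log frames.

```python
"""Flag deauthentication floods in 802.11 management-frame metadata (added example)."""
from collections import defaultdict, deque

# Constructed addresses for the sample below (locally administered, not real devices).
AP = "02:00:00:00:00:01"
CLIENT_A = "02:00:00:00:00:a1"
CLIENT_B = "02:00:00:00:00:b2"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample of frames as a sensor might log them:
# (timestamp_seconds, frame_subtype, bssid, client_address).
SAMPLE_FRAMES = [
    (0.00, "beacon", AP, BROADCAST),
    (1.20, "deauth", AP, CLIENT_B),   # a single deauth: AP dropping an idle client, normal
    (3.00, "data", AP, CLIENT_A),
    (9.00, "deauth", AP, CLIENT_A),   # burst begins: six deauths in half a second
    (9.10, "deauth", AP, CLIENT_A),
    (9.20, "deauth", AP, CLIENT_A),
    (9.30, "deauth", AP, CLIENT_A),
    (9.40, "deauth", AP, CLIENT_A),   # fifth frame inside the window -> alert
    (9.50, "deauth", AP, CLIENT_A),
    (9.80, "eapol", AP, CLIENT_A),    # the client reconnects and a new handshake follows
    (40.0, "deauth", AP, CLIENT_B),   # another isolated deauth, 38 s after the first
]

DEAUTH_THRESHOLD = 5   # deauth frames to one client within the window that trigger an alert
WINDOW_SECONDS = 2.0   # sliding window length; both values are assumed tuning knobs


def detect_deauth_floods(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per (bssid, client) pair that received `threshold` or more
    deauthentication frames inside any `window`-second span.

    `frames` is an iterable of (timestamp, subtype, bssid, client) tuples,
    assumed to be sorted by timestamp as a live capture would be.
    """
    recent = defaultdict(deque)   # (bssid, client) -> timestamps of recent deauths
    alerted = set()               # pairs already reported, so a long flood yields one alert
    alerts = []
    for ts, subtype, bssid, client in frames:
        if subtype != "deauth":
            continue
        key = (bssid, client)
        window_q = recent[key]
        window_q.append(ts)
        # Drop deauths that have aged out of the window.
        while window_q and ts - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "bssid": bssid,
                "client": client,
                "first_seen": window_q[0],
                "last_seen": ts,
                "count": len(window_q),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood: {alert['count']} frames to {alert['client']} "
              f"from {alert['bssid']} between t={alert['first_seen']} and t={alert['last_seen']}")
```

The isolated deauths to CLIENT_B never accumulate inside the window, so only the burst against CLIENT_A is reported. Tune the threshold against the roaming behaviour of the environment; a burst followed within seconds by a fresh EAPOL exchange for the same client is the pattern that matches steps 1 and 2 above. Enabling 802.11w Protected Management Frames on the AP removes the problem at its root, since clients then discard deauthentication frames that are not authenticated.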

Defense: Use long, complex passphrases (20+ characters) that are not built from dictionary words or simple variants of them; an offline dictionary attack only succeeds when the passphrase appears in the attacker's wordlist.
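The defense above is a policy, and a policy is only useful if it is checked when the passphrase is set. The following added example (not part of the course) is a small pre-deployment check for a WPA2-Personal passphrase: it enforces the 8 to 63 ASCII character range the standard allows, the course's 20-character minimum, and a wordlist lookup that also catches a dictionary word with digits or symbols tacked onto the end. The entropy figure is a rough upper bound based on character classes, useful only for comparing candidates. The wordlist here is a constructed stand-in for the multi-million-entry lists an attacker would actually use, and the function and constant names are assumptions of this example.

```python
"""Check a WPA2-Personal passphrase against a simple policy (added example)."""
import math
import string

# Constructed stand-in for a cracking wordlist. In practice this would be loaded
# from a file holding millions of leaked passwords; the check itself is unchanged.
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop", "letmein", "iloveyou"}

MIN_LENGTH = 20          # the course's recommendation
WPA_MIN, WPA_MAX = 8, 63 # passphrase length range permitted by WPA/WPA2-Personal


def estimate_entropy_bits(passphrase):
    """Rough brute-force entropy: length * log2(size of the character classes used).

    This overestimates passphrases made of dictionary words, which should be
    judged by the number of words, not the number of characters.
    """
    charset = 0
    if any(c.islower() for c in passphrase):
        charset += 26
    if any(c.isupper() for c in passphrase):
        charset += 26
    if any(c.isdigit() for c in passphrase):
        charset += 10
    if any(c == " " or c in string.punctuation for c in passphrase):
        charset += 33  # 32 ASCII punctuation characters plus space
    if charset == 0:
        return 0.0
    return len(passphrase) * math.log2(charset)


def _base_word(passphrase):
    """Lower-case and strip trailing digits/symbols, so 'Password123!' maps to 'password'."""
    return passphrase.lower().rstrip(string.digits + string.punctuation)


def check_psk(passphrase, wordlist=COMMON_PASSPHRASES):
    """Return {'ok': bool, 'entropy_bits': float, 'findings': [str, ...]}."""
    findings = []
    if not WPA_MIN <= len(passphrase) <= WPA_MAX:
        findings.append(f"WPA2-Personal passphrases must be {WPA_MIN} to {WPA_MAX} characters")
    if len(passphrase) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if passphrase.lower() in wordlist or _base_word(passphrase) in wordlist:
        findings.append("appears in the wordlist (possibly with trailing digits/symbols)")
    return {
        "ok": not findings,
        "entropy_bits": round(estimate_entropy_bits(passphrase), 1),
        "findings": findings,
    }


if __name__ == "__main__":
    for candidate in ("Password123!", "correct horse battery staple quartz 42"):
        print(candidate, "->", check_psk(candidate))
```

Run the check wherever the passphrase is provisioned (a router setup script, a configuration-management template) rather than relying on users to remember the rule; a passphrase that passes the wordlist test today should still be rotated if it is ever shared outside the group that needs it.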