4-Way Handshake
Modern days wireless networks and providers follow a 4-way handshake protocol which includes the following steps:
- The client device sends a request to the router to allow the connection along with some information about the device and a nonce generated by the device.
- Once the router receives the initial request from the client, it also generates a new nonce and sends it along with some WiFi network information and GTK, which is encrypted with the password of the Wi-Fi.
- As the client device receives the response from the router, it then decrypts the data packets sent by the router using the password for connecting to Wifi. After decryption, the client device combines the nonce that it generated and the one it got in response from the router hence creating a new PTK. It then encrypts this information using the Wi-Fi password and sends it to the router.
- Upon response from the client device, the router decrypts the information using Wifi password and thereby matching the PTK it got from the client and the one which it evaluated. If the PTK matches, then it authenticates the connection request and allows the device to connect to the wireless network.
Now, it is important to understand more about Airodump-ng and Aireplay-ng packages.
Capture Handshake Address with Airodump-ng and Aireplay-ng
In this article, we are going to use Airodump-ng and Aireplay-ng to get the Handshake address passed between the router and the client.
Before starting with the actual process, it is important to first understand how a connection initialization in a WiFi router works and how clients are authenticated to get connected to the router.