Capturing Handshake Address

Setting up Network Adapter in Monitor Mode

First, use the following command to list all available interfaces and find the name of our network adapter:

iwconfig

Explanation:

The ‘iwconfig’ command lists all the wireless network interfaces available in the operating system along with some basic information about each (mode, ESSID, frequency, and so on).

As we can see, the name of our network adapter is wlan0 and the adapter is in Managed Mode. To capture traffic and inject deauthentication packets, we have to put the adapter in monitor mode using the following command:

sudo airmon-ng start wlan0

Explanation:

‘sudo’ : runs the command with root privileges, which are required to change network interface settings

‘airmon-ng’ : the script from the Aircrack-ng suite used to enable or disable monitor mode on network adapters

‘start’ : the argument that instructs airmon-ng to enable monitor mode

‘wlan0’ : the default name of the network adapter to be used for the attack. Note that on many systems airmon-ng renames the interface when it enables monitor mode (for example to wlan0mon); airmon-ng prints the new name, and that is the name to use in the commands that follow.

Now, we have to start monitoring all nearby WiFi networks to gather information about them.

We can monitor all available networks using:

sudo airodump-ng wlan0

Explanation:

‘sudo’ : runs the command with root privileges, which are required to capture raw wireless traffic

‘airodump-ng’ : the packet-capture tool from the Aircrack-ng suite used to scan and monitor WiFi networks

‘wlan0’ : the default name of the network adapter to be used for the attack

As we can see, all nearby networks are listed with their BSSID (the access point's MAC address), the channel they are operating on (CH), the encryption type (ENC), and so on.

Here, our target is the third network in the list, HARSH JIO 4G.

So, after choosing the target and copying its BSSID, we will monitor only that network while continuously trying to intercept the handshake (if any) using the following command:

sudo airodump-ng --bssid <BSSID of Network> -c <Channel> -w psk wlan0


Explanation:

Here, the ‘--bssid’ argument passes the BSSID of our target, the ‘-c’ argument specifies the channel our target is operating on, and ‘-w’ specifies the prefix of the output files. This means that any output files generated containing network information or handshakes will be saved under the specified prefix with a sequence number appended (for example psk-01.cap for the capture file).

Monitoring and checking for handshakes has now started on the target. Next, we will deauthenticate all the client devices from the router so that they automatically try to reconnect, at which point airodump-ng captures the handshake.

To deauthenticate clients using aireplay-ng, we can use the following command:

sudo aireplay-ng -0 <number of deauth packets to send> -a <BSSID of Target> wlan0

Explanation:

‘-0 <count>’ : selects the deauthentication attack and specifies the number of deauthentication packets to send to the router; passing 0 means to send packets continuously until interrupted.

‘-a <BSSID>’ : sets the BSSID/MAC address of the target access point whose clients are to be deauthenticated

‘-c <client MAC>’ (optional) : deauthenticates only the specific client with the given MAC address; if it is not specified, all clients are disassociated from the network

As the attack starts, it disassociates all the clients connected to the network. As a result, the devices automatically try to reconnect to the network, and this reconnection attempt, including the handshake, is captured by the ‘airodump-ng’ process that is still running.

As can be seen at the top right of the screen, airodump-ng captured the WPA handshake for the access point with that specific BSSID.
We can list all the capture files written to the current directory using:

ls

Now, these are all the capture files written while data packets were being exchanged between the router and the client device.

We can check whether a capture file contains a valid handshake, and list the networks found in it, by running aircrack-ng on the file without a wordlist:

aircrack-ng <name of file>.cap
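As an added example (not part of the original article), the burst of spoofed deauthentication frames that the aireplay-ng step above produces is easy to spot in a monitor-mode capture. The Python below, written from the defender's side, parses a classic pcap of raw 802.11 frames (an assumed capture format; the BSSIDs, frames and timestamps are constructed sample data) and reports any BSSID that receives more than a threshold of deauthentication frames within a single second.

```python
import struct
from collections import Counter

LINKTYPE_IEEE802_11 = 105   # raw 802.11 frames, no radiotap header (assumed capture format)
DEAUTH_FC = 0xC0            # frame control byte 0: type 0 (management), subtype 12 (deauth)

def build_pcap(records):
    # Classic little-endian pcap: 24-byte global header, then per record (ts_sec, ts_usec, caplen, origlen) + frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for ts, frame in records:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def iter_frames(pcap):
    # Yield (ts_sec, frame) pairs; only the raw-802.11 link type is handled here
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_11:
        raise ValueError("expected little-endian pcap with LINKTYPE_IEEE802_11")
    off = 24
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        yield ts, pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen

def deauth_flood_bssids(pcap, per_second=10):
    # Management frames carry DA, SA and BSSID at offsets 4, 10 and 16. A spoofed deauth burst
    # fills the BSSID field with the attacked AP, so bucket deauths by (BSSID, second) and
    # report every BSSID whose bucket reaches the threshold.
    buckets = Counter()
    for ts, frame in iter_frames(pcap):
        if len(frame) >= 24 and frame[0] & 0xFC == DEAUTH_FC:
            buckets[(frame[16:22].hex(":"), ts)] += 1
    return sorted({bssid for (bssid, _), n in buckets.items() if n >= per_second})

def mgmt_frame(subtype, bssid, dst=b"\xff" * 6):
    # Constructed 802.11 management frame: FC(2) + duration(2) + DA + SA + BSSID + seq(2) + 2-byte body
    return bytes([subtype << 4, 0, 0, 0]) + dst + bssid + bssid + b"\x00\x00" + b"\x00\x02"

AP = bytes.fromhex("aabbccddeeff")      # constructed BSSID of the network being deauthed
OTHER = bytes.fromhex("001122334455")   # constructed BSSID of an unrelated network
SAMPLE = build_pcap(
    [(100, mgmt_frame(8, OTHER))]                      # one beacon from the unrelated AP
    + [(100, mgmt_frame(12, AP)) for _ in range(25)]   # 25 broadcast deauths within one second
    + [(101, mgmt_frame(12, OTHER))]                   # a single, ordinary deauth
)

if __name__ == "__main__":
    print("deauth flood from:", deauth_flood_bssids(SAMPLE))   # ['aa:bb:cc:dd:ee:ff']
```

A wireless IDS applies the same test to live monitor-mode traffic; captures with a radiotap header need that header skipped before the 802.11 frame is inspected.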

Capture Handshake Address with Airodump-ng and Aireplay-ng

In this article, we are going to use Airodump-ng and Aireplay-ng to capture the handshake exchanged between the router and the client.

Before starting with the actual process, it is important to first understand how connection initialization with a WiFi router works and how clients are authenticated before they are allowed to connect.


Conclusion:

Capturing the handshake is an essential step in assessing the security of a Wi-Fi network. By using readily available tools like Airodump-ng and Aireplay-ng, one can monitor and intercept the network authentication process between a client device and a Wi-Fi router to gain information about the network. This information is very important for network administrators, as it can help them identify potential vulnerabilities and weaknesses in the network’s security. On the other hand, the same information can also be used by attackers with malicious intent to break into someone’s private network by exploiting these vulnerabilities...