Capturing WPA/WPA2 Handshakes with WiFi Pineapple

This guide assumes that you have already set up a WiFi Pineapple and are logged into the administration portal. This is what the administrative portal should look like once logged in (minus the dark theme, which was installed by me).

Choose the Manage Modules option on the left navigation bar.

Click the Get Modules from WiFiPineapple.com button to populate the Modules on the page.

As shown in the screenshot below, the Available Modules list will load so you can select Install on the left side of the screen.

The module we want to install is called SiteSurvey. The SiteSurvey module allows the tester to view nearby Access Points with information such as: SSID, MAC, Encryption method, Cipher, Authentication method, Channel, Frequency, and Signal Quality. It also lets you start a capture on a selected Access Point and run Deauthentication against it.

Once the SiteSurvey module is installed, a new item for it will appear on the navigation menu.

Choose the SiteSurvey module; additional dependencies will need to be installed. It is recommended to install the module to Internal storage, as there are reports of linking issues when it is installed on SD card storage.

Once the dependencies are installed, new menu items will be shown under the SiteSurvey module. Before we can scan we need to specify the interface to be used. For this purpose I used wlan1. Remember that the Pineapple Nano has two interfaces.

To find out which Access Points (APs) are currently nearby, we can scan for APs only or for APs and Clients. For now, scan only for APs.

Once the nearby APs are discovered, we have multiple options on the far right. The capture will start listening on the channel of the selected AP and record the traffic currently being sent and received. The SiteSurvey module listens specifically for Handshakes.

Starting the capture process.  

You can tell the process is running by checking the Running Processes menu, where airodump-ng will be listed as currently running.

Once the capture begins, SiteSurvey will create a new entry under the Capture menu at the bottom of the page. It updates every 5 seconds to show the number of IVs and WPA Handshakes captured.

If you have been listening for some time and are not seeing any Handshakes, you can attempt to Deauthenticate clients by sending Deauth packets. Start the Deauth process.

Once the Deauth process starts, you can double-check that it is running by looking at the Running Processes and confirming that aireplay-ng is running.
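The deauthentication step above works because, without 802.11w Protected Management Frames, deauth frames carry no authentication and any station can spoof them for a BSSID. The flip side for a defender is that a deauth flood is easy to spot in the air. The following script is an added example, not part of the original tutorial or the SiteSurvey module: it parses bare 802.11 MAC frames (the payload left after a Radiotap header is stripped), pulls out deauthentication frames, and raises one alert per BSSID whenever the number of deauths seen within a sliding window reaches a threshold. The frames, MAC addresses, timestamps and the `window`/`threshold` values at the bottom are constructed for the demonstration; a real WIDS would feed it frames from a monitor-mode capture.

```python
"""Flag deauthentication floods in a stream of raw 802.11 MAC frames.

Added example (not from the original tutorial). Input is a sequence of
(timestamp_seconds, raw_frame_bytes); sample frames below are constructed.
"""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0          # frame-control type field: management frame
DEAUTH_SUBTYPE = 12    # management subtype 0b1100: deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame: bytes):
    """Return the MAC header fields of an 802.11 frame, or None if too short."""
    if len(frame) < 24:          # minimum header: FC(2) dur(2) 3*addr(18) seq(2)
        return None
    fc0 = frame[0]
    info = {
        "version": fc0 & 0x03,
        "type": (fc0 >> 2) & 0x03,
        "subtype": (fc0 >> 4) & 0x0F,
        "addr1": fmt_mac(frame[4:10]),    # receiver / destination
        "addr2": fmt_mac(frame[10:16]),   # transmitter / source
        "addr3": fmt_mac(frame[16:22]),   # BSSID for management frames
    }
    if info["type"] == MGMT_TYPE and info["subtype"] == DEAUTH_SUBTYPE and len(frame) >= 26:
        # The deauth body is a single little-endian 16-bit reason code.
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def detect_deauth_floods(frames, window=1.0, threshold=5):
    """Return one alert per BSSID whose deauth count inside any `window`-second
    interval reaches `threshold`. Frames that are not deauths are ignored."""
    recent = defaultdict(deque)   # bssid -> timestamps of recent deauths
    alerted = set()
    alerts = []
    for ts, raw in frames:
        info = parse_80211(raw)
        if not info or info["type"] != MGMT_TYPE or info["subtype"] != DEAUTH_SUBTYPE:
            continue
        bssid = info["addr3"]
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({
                "bssid": bssid,
                "count": len(q),
                "broadcast": info["addr1"] == BROADCAST,  # broadcast deauths hit every client
                "reason": info["reason"],
                "first_seen": q[0],
                "last_seen": ts,
            })
    return alerts


# --- constructed sample input (not captured traffic) -----------------------
def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _frame(fc0: int, a1: str, a2: str, a3: str, body: bytes = b"") -> bytes:
    """Constructed 802.11 frame: FC, duration, addr1-3, sequence control, body."""
    return bytes([fc0, 0x00]) + b"\x00\x00" + _mac(a1) + _mac(a2) + _mac(a3) + b"\x00\x00" + body


AP = "02:00:00:00:aa:01"        # constructed BSSID under attack
OTHER_AP = "02:00:00:00:bb:02"  # constructed BSSID with normal traffic
STA = "02:00:00:00:cc:03"       # constructed client

BEACON = _frame(0x80, BROADCAST, AP, AP)                                   # mgmt subtype 8
DATA = _frame(0x08, AP, STA, AP, b"\x00" * 8)                               # data frame
LEGIT_DEAUTH = _frame(0xC0, STA, OTHER_AP, OTHER_AP, struct.pack("<H", 3))  # single deauth
FLOOD_DEAUTH = _frame(0xC0, BROADCAST, AP, AP, struct.pack("<H", 7))        # repeated deauth

SAMPLE_FRAMES = [(0.00, BEACON), (0.10, DATA), (0.20, LEGIT_DEAUTH)]
SAMPLE_FRAMES += [(0.50 + i * 0.05, FLOOD_DEAUTH) for i in range(8)]

if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        print(alert)
```

Only the BSSID that receives eight deauths in under half a second is reported; the single deauth against the other BSSID stays below the threshold, which is the distinction a WIDS rule needs to avoid alerting on clients that simply leave. The durable fix on the network side is enabling 802.11w (PMF) on the AP and clients, which makes forged deauth frames fail integrity checking.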

Once the WPA Handshake is captured, you can stop all of the currently running processes.

You can view, download, or delete the current captures at the bottom of the SiteSurvey module. For now we will download the Capture and try to crack the Handshake hash.

A compressed file will be downloaded. Once decompressed, you will be left with the folder structure shown below. The handshake hash is contained in the *.cap file.

Luckily for us, Hashcat has the ability to crack WPA/WPA2 hashes; however, the capture first needs to be converted to a format that Hashcat can recognize. This can be done in two ways. The first is to upload the .cap file to Hashcat's online converter; the second is to download and build Hashcat Utils on your own machine to perform the conversion offline. For now we will use the online converter, since this wireless setup was made purely for educational purposes.

Once you have the *.hccapx file, it can be passed directly to Hashcat using mode 2500.

The full command would be similar to this:

./hashcat64.exe -m 2500 hash.hccapx

Now let it run until the hash is cracked. Your mileage may vary.

That's it for the first WiFi Pineapple tutorial.  

Ryan Villarreal