Since I wrote a blog post recently on how to capture a WPA/WPA2 handshake using the WiFi Pineapple Nano I thought it would be interesting to take a peek under the hood, and see how the SiteSurvey module on the Pineapple achieved this.
Disclaimer: Any actions and/or activities related to the material contained within this blog post are solely your responsibility. The skills being taught are for educational purposes only. The misuse of the information on this website can result in criminal charges being brought against the persons in question. The authors will not be held responsible in the event that criminal charges are brought against any individuals misusing the information on this website to break the law.
In order to follow along with this blog post you will need a wireless adapter that can be put into monitor mode. The first step is to use the airmon-ng command to view the available wireless cards. As you can see from the screenshot below, I have one Ralink wireless card using the rt2800usb device driver.
airmon-ng also provides a tool that checks for any currently running processes that might interfere with the wireless adapter. The second screenshot shows airmon-ng check kill, which will also stop any interfering processes currently running on the Linux system.
Once the interference is taken away you can start the wireless card in monitor mode using the airmon-ng start <interface> command. Pro-Tip: If you have killed all the necessary processes using the airmon-ng check kill command you do not actually have to place your card into monitor mode, which might allow the wireless adapter to use more power and increase its receiving/transmitting range. For the sake of this blog post I will be starting the card in monitor mode anyway in order to avoid any obstructions.
Now that I have the wireless card in monitor mode I can start looking at the traffic currently being broadcast over the air by running the command airodump-ng wlan0mon. As you can see from the screenshot below, there are quite a few networks nearby. For the sake of privacy I have edited out the information that does not belong to me. My home network has the ESSID of Null, and it is what I will be focusing on for the remainder of this blog post.
You will notice the bar at the top of the screenshot below that says CH 1] [Elapsed: 24 s][ 2018-07-05 20:35. This is the informational bar provided by airodump-ng. It tells the user which channel is currently being listened on, how long airodump-ng has been running, and the current date and time. Your channel number might be different: without any additional options, airodump-ng jumps from channel to channel to try to capture as much traffic as possible. This is called channel jumping (or channel hopping), but it should be noted that you can only capture on the channel you are currently listening on. Thus, if you are on channel 1 you could be missing important transmissions on channel 6.
Now that we have picked our target, in this instance the Null ESSID, we need to copy the BSSID, which is the MAC address of the wireless access point. Also take note of which channel the wireless access point is operating on. This will let us limit our listening to only that channel.
Now we can run the command airodump-ng -c 6 --bssid <mac> wlan0mon. This will start airodump-ng and force it to listen only on channel six and only for the BSSID of our target wireless access point.
Once we let airodump-ng run for a few seconds, results should start to appear for connected clients transmitting to and receiving from the access point. You can see the connected clients listed beneath the BSSID of the access point being focused on. Airodump-ng will show the BSSID of the wireless access point, and under the STATION column will be the MAC of the client. In this instance my iPhone is the client. At this point we will restart our airodump-ng command and add an option for writing the capture to disk. The command will look like this: airodump-ng -c 6 --bssid <mac> -w cap1 wlan0mon. Now that airodump-ng is capturing, we will start to see files showing up in the current directory.
One little trick to view the current traffic in the .cap file is to tail the file while piping it into tcpdump. This can be accomplished with tail -c +1 -f <filename>.cap | tcpdump -l -r -. This will give you a running view of the traffic.
Depending on the wireless access point or clients you are listening for, there may or may not be traffic currently being broadcast over the air. This is where we can use the aireplay-ng tool. Aireplay-ng is primarily used to generate or accelerate wireless traffic. We need to make sure that we leave airodump-ng running and listening in our terminal, but we can open another terminal and enter the command aireplay-ng -9 -e <ssid> -a <mac> wlan0mon. This command performs an injection test to make sure the wireless card is able to inject packets. Looking at the .cap file in the screenshot below, we can see the Data IV packets being injected.
Since our wireless card is able to inject packets, we can use this to perform a deauthentication attack. This attack type sends disassociation packets to the specified wireless clients, which causes the clients to break off from the wireless access point. This can help us recover cloaked or hidden ESSIDs, capture the WPA/WPA2 4-way handshake as the client re-authenticates, and generate ARP requests. The command to run the deauthentication attack is as follows: aireplay-ng -0 1 -a <mac of AP> -c <mac of Client> wlan0mon. Note that -0 1 will only send one deauthentication packet. If you want to run the attack continuously you can use the flag -0 0. However, it should be noted that as long as you are running the deauthentication attack the clients will stay disconnected, causing a Denial-of-Service.
Taking a look at our .cap file we can view the traffic and make sure the deauthentication packets are being injected.
Once the deauthentication attack stops, the WPA/WPA2 4-way handshake should be caught by the airodump-ng instance still running in the other terminal. Airodump-ng will notify you when the handshake has been caught, in the top bar next to the date of the capture.
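To see what that notification actually rests on, here is an added example, not code from the original post or from the aircrack-ng project: a small Python script that walks a .cap file, counts deauthentication frames per transmitter (the same burst a wireless IDS would alert on) and classifies EAPOL-Key frames into 4-way handshake messages 1 to 4 from their Key Information bits. The MAC addresses and the sample capture are constructed, and the parser assumes a little-endian pcap with link type 105 (raw 802.11, no radiotap header); a capture with radiotap headers would need the radiotap length skipped first.

```python
import struct
from collections import Counter

# Constructed MAC addresses for this example; they are not real devices.
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
LLC_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header with EAPOL ethertype 0x888e

def dot11_frame(ftype, subtype, flags, a1, a2, a3, body):  # frame control, duration, addr1-3, seq ctrl, body
    return struct.pack("<HH", ftype << 2 | subtype << 4 | flags << 8, 0) + a1 + a2 + a3 + b"\0\0" + body

def deauth(ap, sta):  # management frame (type 0), subtype 12, reason code 7, transmitted by the AP
    return dot11_frame(0, 12, 0, sta, ap, ap, struct.pack("<H", 7))

def eapol_key(ap, sta, key_info, to_ap):  # data frame carrying an EAPOL-Key with an RSN descriptor
    eapol = bytes([2, 3]) + struct.pack(">H", 95) + bytes([2]) + struct.pack(">H", key_info) + bytes(92)
    if to_ap:  # ToDS flag: addr1 = BSSID, addr2 = client
        return dot11_frame(2, 0, 1, ap, sta, ap, LLC_EAPOL + eapol)
    return dot11_frame(2, 0, 2, sta, ap, ap, LLC_EAPOL + eapol)  # FromDS flag

def pcap(frames):  # little-endian pcap with link type 105 (IEEE 802.11 without radiotap header)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def handshake_msg(key_info):  # 4-way message number from the Ack (0x80), MIC (0x100), Secure (0x200) bits
    ack, mic, secure = key_info & 0x80, key_info & 0x100, key_info & 0x200
    return 1 if ack and not mic else 3 if ack else 4 if secure else 2

def analyze(data):
    """Return (deauthentication frames per transmitter MAC, sorted handshake message numbers seen)."""
    assert data[:4] == b"\xd4\xc3\xb2\xa1" and data[20:24] == b"\x69\0\0\0", "LE pcap with link type 105"
    deauths, msgs, off = Counter(), set(), 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        f, off = data[off + 16:off + 16 + incl], off + 16 + incl
        fc = struct.unpack("<H", f[:2])[0]
        ftype, subtype, flags = (fc >> 2) & 3, (fc >> 4) & 0xF, fc >> 8
        if ftype == 0 and subtype == 12:
            deauths[f[10:16].hex(":")] += 1  # addr2 is the transmitter
        elif ftype == 2 and (flags & 3) != 3:  # data frame; skip 4-address (WDS) frames
            hlen = 26 if subtype & 8 else 24  # QoS data frames carry a 2-byte QoS control field
            if len(f) >= hlen + 15 and f[hlen:hlen + 8] == LLC_EAPOL and f[hlen + 9] == 3:
                ki = struct.unpack(">H", f[hlen + 13:hlen + 15])[0]
                if ki & 0x08:  # Pairwise bit set: 4-way handshake, not the group-key handshake
                    msgs.add(handshake_msg(ki))
    return deauths, sorted(msgs)
def handshake_usable(msgs):  # a crackable capture needs message 2 plus message 1 or 3
    return 2 in msgs and (1 in msgs or 3 in msgs)
# Constructed capture: three deauthentication frames from the AP, then a complete 4-way handshake.
SAMPLE = pcap([deauth(AP, STA)] * 3 + [eapol_key(AP, STA, 0x008A, False), eapol_key(AP, STA, 0x010A, True),
                                        eapol_key(AP, STA, 0x13CA, False), eapol_key(AP, STA, 0x030A, True)])
```

On a real capture, replace SAMPLE with the bytes read from the .cap file; a high deauthentication count from a single transmitter immediately before the handshake is the signature a defender should look for.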
From here you will need to follow the steps in the WiFi Pineapple post on converting the .cap file to the .hccapx format, and then loading it into Hashcat or JTR for cracking.