We covered the basics of WIFI penetration testing with aircrack-ng and the concept of WPA 4 Way-Handshake.

The core of WPA(2) authentication is the 4 way handshake.

Most home WiFi networks, and many others, use WPA(2) personal. If you have to log in with a password and it’s not WEP, then it’s WPA(2) personal. WPA2-EAP uses RADIUS servers to authenticate, so if you have to enter a username and password in order to connect then it’s probably that.

Previously, the WEP (Wired Equivalent Privacy) standard was used. This was shown to be insecure and can be broken by capturing enough packets to guess the key via statistical methods.

The 4 way handshake allows the client and the AP to both prove that they know the key, without telling each other. WPA and WPA2 use practically the same authentication method, so the attacks on both are the same.

The keys for WPA are derived from both the ESSID and the password for the network. The ESSID acts as a salt, making dictionary attacks more difficult. It means that for a given password, the key will still vary for each access point. This means that unless you precompute the dictionary for just that access point/MAC address, you will need to try passwords until you find the correct one.

Challenge Answers

What type of attack on the encryption can you perform on WPA(2) personal?

Can this method be used to attack WPA2-EAP handshakes? (Yea/Nay)

What three letter abbreviation is the technical term for the “wifi code/password/passphrase”?

What’s the minimum length of a WPA2 Personal password?

How do you put the interface “wlan0” into monitor mode with Aircrack tools? (Full command)

What is the new interface name likely to be after you enable monitor mode?

What do you do if other processes are currently trying to use that network adapter?

What tool from the aircrack-ng suite is used to create a capture?

What flag do you use to set the BSSID to monitor?

And to set the channel?

And how do you tell it to capture packets to a file?

What flag do we use to specify a BSSID to attack?

What flag do we use to specify a wordlist?

How do we create a HCCAPX in order to use hashcat to crack the password?

Using the rockyou wordlist, crack the password in the attached capture. What’s the password?

Where is password cracking likely to be fastest, CPU or GPU?

Video WalkThrough


About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles