Many thanks to INIT_SIX for recommending this quick-hit update to the previous WPA wireless attack article. If you find yourself making packet captures and airodump-ng reports that the handshake was captured, but aircrack-ng (or your tool of choice) is having issues, it’s time to break out some manual packet analysis. Let’s verify that capture!
For this item we’re going to assume that you’ve completed a packet capture as described in the previous article on WPA attacks. If you have, and want to quickly check the status of the handshake itself you can do so with the following command:
pyrit -r /path/to/capture.cap analyze
If everything worked out well we should see something like the following (keeping with the previous article, the MAC address of “99:88:77:66:55:44” below is the AP, and “00:11:22:33:44:55” is the client):
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'capture.cap' (1/1)...
Parsed 3617 packets (3617 802.11-packets), got 1 AP(s)

#1: AccessPoint 99:88:77:66:55:44 ('WPAVICTIM'):
  #1: Station 00:11:22:33:44:55, 1 handshake(s):
    #1: HMAC_SHA1_AES, good, spread 1
Alternatively, you can also use Wireshark to do this. To do so, open Wireshark and then open the capture file. In the filter section enter “eapol” to filter to only the Extensible Authentication Protocol over LAN (EAPOL) packets. A full handshake will have four packets:
- EAPOL Key (Message 1 of 4): AP -> Client
- EAPOL Key (Message 2 of 4): Client -> AP
- EAPOL Key (Message 3 of 4): AP -> Client
- EAPOL Key (Message 4 of 4): Client -> AP
Once you’ve verified that all four packets are there, three more checks need to be made:
- The nonce used in the EAPOL Key (Message 1 of 4) and EAPOL Key (Message 3 of 4) packets should be the same. You can see that by looking in the “802.1X Authentication” section of the packet in Wireshark, and looking for the value in the “WPA Key Nonce” section.
- The “replay counter” value used in the EAPOL Key (Message 1 of 4) and EAPOL Key (Message 2 of 4) packets should be the same (this is also found in the same section as the nonce). The “replay counter” value used by EAPOL Key (Message 3 of 4) and EAPOL Key (Message 4 of 4) should be the same as well, but different from the value used in the first set (Messages 1 and 2).
- Remove the “eapol” filter; you should see a beacon frame from the AP prior to the first EAPOL message. It will have a source address of the AP’s MAC address and a destination address of broadcast (“FF:FF:FF:FF:FF:FF”), and Wireshark will decode it in the “Info” field as “Beacon frame, …”.
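The same checks can be scripted. The following is an added example, not code from the original article or from pyrit: it parses raw EAPOL-Key frames (layout and Key Information bits from IEEE 802.11), works out which of the four messages each one is the way Wireshark labels them for WPA2/RSN, and then applies the three checks above (ANonce in 1 and 3, replay counters pairing up, a beacon from the AP before the first EAPOL frame). The frame records, nonces, MIC and key data below are constructed placeholders, not capture data; the 802.11 header parsing that a real pcap would need is assumed to have already been done.

```python
"""Check a decoded capture for a complete, consistent WPA2 four-way handshake."""
import struct
from dataclasses import dataclass

AP = "99:88:77:66:55:44"          # addresses from the article
CLIENT = "00:11:22:33:44:55"
BROADCAST = "FF:FF:FF:FF:FF:FF"

EAPOL_TYPE_KEY = 3
# Key Information bits of the EAPOL-Key descriptor (IEEE 802.11)
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9
# descriptor_type(1) key_info(2) key_len(2) replay(8) nonce(32) iv(16) rsc(8) id(8) mic(16) key_data_len(2)
KEY_HDR = ">BHHQ32s16s8s8s16sH"


@dataclass
class Frame:
    ts: float
    kind: str            # "beacon", "eapol" or "data" (assumed pre-decoded 802.11 header)
    src: str
    dst: str
    payload: bytes = b""  # raw EAPOL payload when kind == "eapol"


@dataclass
class EapolKey:
    key_info: int
    replay_counter: int
    nonce: bytes
    key_data: bytes


def parse_eapol_key(payload: bytes) -> EapolKey:
    """Parse the EAPOL header plus the EAPOL-Key descriptor that follows it."""
    _version, etype, length = struct.unpack(">BBH", payload[:4])
    if etype != EAPOL_TYPE_KEY:
        raise ValueError("not an EAPOL-Key frame")
    body = payload[4:4 + length]
    hdr_len = struct.calcsize(KEY_HDR)
    (_desc, key_info, _key_len, replay, nonce, _iv, _rsc, _id, _mic, kd_len) = struct.unpack(KEY_HDR, body[:hdr_len])
    key_data = body[hdr_len:hdr_len + kd_len]
    if len(key_data) != kd_len:
        raise ValueError("truncated EAPOL-Key data")
    return EapolKey(key_info, replay, nonce, key_data)


def message_number(key: EapolKey) -> int:
    """Return 1-4 for a pairwise handshake message, 0 for anything else (e.g. a group key update)."""
    ki = key.key_info
    if not ki & KI_PAIRWISE:
        return 0
    ack, mic = bool(ki & KI_ACK), bool(ki & KI_MIC)
    if ack and not mic:
        return 1
    if ack and mic and ki & KI_INSTALL:
        return 3
    if mic and not ack:
        return 4 if ki & KI_SECURE else 2   # WPA2: the Secure bit is set in M4 but not M2
    return 0


def verify_handshake(frames, ap, client):
    """Run the article's checks; return a list of problems (an empty list means the capture is usable)."""
    problems, msgs, first_eapol = [], {}, None
    for f in sorted(frames, key=lambda f: f.ts):
        if f.kind != "eapol" or {f.src, f.dst} != {ap, client}:
            continue
        key = parse_eapol_key(f.payload)
        n = message_number(key)
        if n == 0:
            continue
        expected_src = ap if n in (1, 3) else client   # M1/M3 AP -> Client, M2/M4 Client -> AP
        if f.src != expected_src:
            problems.append(f"message {n} sent by {f.src}, expected {expected_src}")
        msgs.setdefault(n, key)   # keep the first copy of each message
        first_eapol = f.ts if first_eapol is None else first_eapol
    missing = [n for n in (1, 2, 3, 4) if n not in msgs]
    if missing:
        return problems + [f"missing EAPOL message(s) {missing}"]
    if msgs[1].nonce != msgs[3].nonce:
        problems.append("ANonce differs between message 1 and message 3")
    if msgs[1].replay_counter != msgs[2].replay_counter:
        problems.append("replay counter of message 2 does not match message 1")
    if msgs[3].replay_counter != msgs[4].replay_counter:
        problems.append("replay counter of message 4 does not match message 3")
    if msgs[1].replay_counter == msgs[3].replay_counter:
        problems.append("replay counter did not advance between messages 1 and 3")
    if not any(f.kind == "beacon" and f.src == ap and f.dst == BROADCAST and f.ts < first_eapol for f in frames):
        problems.append("no beacon frame from the AP before the first EAPOL message")
    return problems


def build_eapol_key(key_info, replay, nonce, key_data=b"", mic=b"\x00" * 16):
    """Build a constructed EAPOL-Key frame (descriptor type 2 = RSN, key length 16) for testing."""
    body = struct.pack(KEY_HDR, 2, key_info, 16, replay, nonce, b"\x00" * 16, b"\x00" * 8, b"\x00" * 8, mic, len(key_data)) + key_data
    return struct.pack(">BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


# Constructed placeholders: nonces, MIC and key data are not real capture data.
ANONCE, SNONCE, MIC = bytes(range(32)), bytes(range(32, 64)), b"\x11" * 16
M1, M2, M3, M4 = 0x008A, 0x010A, 0x13CA, 0x030A   # typical WPA2 Key Information values


def handshake(replay, anonce, ts0):
    """One constructed four-way exchange starting at replay counter `replay`."""
    return [
        Frame(ts0 + 0.00, "eapol", AP, CLIENT, build_eapol_key(M1, replay, anonce)),
        Frame(ts0 + 0.01, "eapol", CLIENT, AP, build_eapol_key(M2, replay, SNONCE, b"\x30\x14" + b"\x00" * 20, MIC)),
        Frame(ts0 + 0.02, "eapol", AP, CLIENT, build_eapol_key(M3, replay + 1, anonce, b"\xaa" * 56, MIC)),
        Frame(ts0 + 0.03, "eapol", CLIENT, AP, build_eapol_key(M4, replay + 1, b"\x00" * 32, b"", MIC)),
    ]


GOOD_CAPTURE = [Frame(0.0, "beacon", AP, BROADCAST), Frame(0.5, "data", CLIENT, AP)] + handshake(1, ANONCE, 1.0)
# Messages 1/2 from one attempt and 3/4 from a later one: the nonce check catches it.
MIXED_CAPTURE = [Frame(0.0, "beacon", AP, BROADCAST)] + handshake(1, ANONCE, 1.0)[:2] + handshake(7, bytes(range(64, 96)), 2.0)[2:]

if __name__ == "__main__":
    for name, cap in (("good", GOOD_CAPTURE), ("mixed", MIXED_CAPTURE)):
        print(name, verify_handshake(cap, AP, CLIENT) or "handshake OK")
```

If you want this against a real file, replace the constructed `Frame` list with records produced by your pcap library of choice (Wireshark's "eapol" filter plus the beacon frames is all the script needs); the EAPOL parsing and the checks stay the same.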
That’s it! Good hunting!