WPA2 Half Handshake: WiFi password hacking software and attack scripts
Each connection of a client (station) to a WiFi access point is a fairly involved exchange of random values (generated for that particular connection) and keys. This data set is called the WPA handshake. It consists of four elements, which various authors call messages, exchanges, or packets. Message 1 is usually denoted M1, message 2 is M2, message 3 is M3 and message 4 is M4.
The WiFi password is never transmitted in the clear at any stage, but the handshake contains enough information for a brute-force password search. As already mentioned, a handshake should contain four elements. You can view the composition of a handshake with various tools, for example with Wireshark, which has an “eapol” filter for this purpose:
[Screenshot: Wireshark capture with the “eapol” filter applied, showing the handshake messages]

And this is a capture containing only the second and third messages:

[Screenshot: Wireshark capture with the “eapol” filter applied, showing only M2 and M3]
In fact, not all four elements are required to crack a WiFi password. Breaking a WPA password is possible even if some messages are missing from the handshake. Nevertheless, a full handshake is preferable: it allows the password to be checked in two different ways, and it proves that the client attempting to connect entered the correct password.
There are two possible combinations of messages transmitted during the handshake that can be used to break authentication.
The most important message of the four is the second (M2). It is always necessary. Besides M2, and besides the beacon or probe request/response frames that give us the network name (known as the ESSID) and the MAC address of the access point (known as the BSSID), we need at least one of the following messages:
- The first (M1): a packet from the access point (AP) to the client (STA) that initiates the key exchange
- The third (M3): a packet from the access point (AP) to the client (STA) that is the response to message 2 (M2)
If the third message (M3) was captured, this is proof that the password was correct, and therefore the handshake can be marked as verified (it is also called an “authenticated” handshake).
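The message numbering above is not carried in the frames themselves; Wireshark derives it from the flag bits in the EAPOL-Key “Key Information” field. The following script is an added example (not code from the original article or from any of the tools it mentions) that applies the same rule to raw EAPOL frames and then reports whether a set of frames is an authenticated handshake (M2 + M3), a half handshake (M1 + M2) or unusable. The sample frames at the bottom are constructed for the demonstration, with dummy nonces and MICs, so the script runs offline.

```python
import struct
from typing import Dict, Iterable, Optional

# EAPOL-Key "Key Information" flag bits (IEEE 802.11-2016, section 12.7.2).
KEY_INFO_PAIRWISE = 0x0008
KEY_INFO_INSTALL = 0x0040
KEY_INFO_ACK = 0x0080
KEY_INFO_MIC = 0x0100
KEY_INFO_SECURE = 0x0200

EAPOL_TYPE_KEY = 3        # 802.1X packet type of an EAPOL-Key frame
EAPOL_KEY_FIXED_LEN = 95  # EAPOL-Key body size before the variable key data


def parse_eapol_key(frame: bytes) -> Optional[Dict[str, object]]:
    """Parse a frame that starts at the 802.1X (EAPOL) header.
    Returns the fields needed for handshake analysis, or None when the
    frame is not an EAPOL-Key frame (EAP-Packet, EAPOL-Start, ...)."""
    if len(frame) < 4:
        return None
    version, packet_type, body_len = struct.unpack("!BBH", frame[:4])
    if packet_type != EAPOL_TYPE_KEY:
        return None
    body = frame[4:4 + body_len]
    if len(body) < EAPOL_KEY_FIXED_LEN:
        return None
    descriptor_type, key_info, key_len = struct.unpack("!BHH", body[:5])
    replay_counter = struct.unpack("!Q", body[5:13])[0]
    key_data_len = struct.unpack("!H", body[93:95])[0]
    return {
        "version": version, "descriptor_type": descriptor_type,
        "key_info": key_info, "key_len": key_len,
        "replay_counter": replay_counter,
        "nonce": body[13:45],          # ANonce (M1/M3) or SNonce (M2)
        "mic": body[77:93],            # all zeros in M1
        "key_data": body[95:95 + key_data_len],
    }


def classify_message(key_info: int) -> Optional[int]:
    """Map the Key Information flags to 4-way handshake message 1..4.
    Same rule Wireshark uses for its "Message n of 4" labels. Returns
    None for group-key handshake frames and unrecognised combinations."""
    if not key_info & KEY_INFO_PAIRWISE:
        return None  # group-key handshake, not part of the 4-way exchange
    ack = bool(key_info & KEY_INFO_ACK)
    mic = bool(key_info & KEY_INFO_MIC)
    install = bool(key_info & KEY_INFO_INSTALL)
    secure = bool(key_info & KEY_INFO_SECURE)
    if ack and not mic:
        return 1  # AP -> STA: carries the ANonce, no MIC yet
    if mic and not ack and not install and not secure:
        return 2  # STA -> AP: carries the SNonce and the first MIC
    if ack and mic and install:
        return 3  # AP -> STA: MIC over the frame that installs the PTK
    if mic and not ack and secure:
        return 4  # STA -> AP: final confirmation
    return None


def assess_handshake(frames: Iterable[bytes]) -> str:
    """Classify EAPOL frames from one client/AP pair:
    "authenticated" = M2 + M3 (M3 proves the client knew the PSK),
    "half" = M1 + M2 (testable, but no proof the password was right),
    "unusable" = no M2, or M2 with neither M1 nor M3."""
    present = set()
    for frame in frames:
        parsed = parse_eapol_key(frame)
        if parsed is not None:
            msg = classify_message(parsed["key_info"])
            if msg is not None:
                present.add(msg)
    if 2 not in present:
        return "unusable"
    if 3 in present:
        return "authenticated"
    return "half" if 1 in present else "unusable"


def build_eapol_key(key_info: int, nonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Build a minimal EAPOL-Key frame for testing (constructed, not captured):
    RSN descriptor (type 2), replay counter 1, empty key data."""
    body = (struct.pack("!BHH", 2, key_info, 16) + struct.pack("!Q", 1)
            + nonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, ID
            + mic + struct.pack("!H", 0))               # MIC, key data length
    return struct.pack("!BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


# Constructed sample frames with the flag values seen in real WPA2 captures
# (the low 0x02 selects the HMAC-SHA1-128 key descriptor version).
ANONCE, SNONCE, FAKE_MIC = bytes(range(32)), bytes(range(32, 64)), b"\xab" * 16
M1 = build_eapol_key(0x008a, ANONCE)
M2 = build_eapol_key(0x010a, SNONCE, FAKE_MIC)
M3 = build_eapol_key(0x13ca, ANONCE, FAKE_MIC)
M4 = build_eapol_key(0x030a, bytes(32), FAKE_MIC)

if __name__ == "__main__":
    print("full capture:", assess_handshake([M1, M2, M3, M4]))  # authenticated
    print("M1 + M2 only:", assess_handshake([M1, M2]))          # half
    print("M2 + M4 only:", assess_handshake([M2, M4]))          # unusable
```

To use it on a real capture, feed `parse_eapol_key` the bytes starting at the 802.1X header (after the 802.11 and LLC/SNAP headers), grouped by client and AP address; a capture that assesses as “half” is exactly the M1 + M2 case the text describes, with no evidence yet that the client's password was accepted.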
On the other hand, if we possess only the first and second messages, we cannot say with certainty whether a connection was established, or even whether the password was correct. Still, such half handshakes have their uses. For example, if you see a client sending probe requests in search of its AP, those requests usually carry the ESSID, i.e. they reveal the name of the network the client wants to connect to. As an attacker, you can now configure your own AP with exactly the same ESSID. If the client does not check the MAC address (most do not), it will try to connect to your AP. Of course, the connection will fail, because your AP does not use the same password as the client; the client, however, will use the correct password. The result is a so-called “non-authenticated” handshake, i.e. a handshake containing M1 and M2. If you crack it successfully, you learn the true password of the AP the client wants to connect to. You can then bring your AP back up with the recovered password, and the client will connect to it successfully. This gives you access to the client from a more “internal” network position, or lets you carry out a man-in-the-middle attack. Alternatively, you can connect to the real AP, if you know where it is.
To see clients that are not connected to any access point within range and are probing for their own access point:
sudo systemctl stop NetworkManager
sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon
At the bottom of the output you will see clients that are not connected to any access point.
Since the list of access points is so long that it does not even fit on the screen, and no clients are visible at all, I filter out the APs by ESSID (-N nonono, a name that matches nothing) and lock the capture to a single channel (-c 6), which gives the following command:
sudo airodump-ng -N nonono -c 6 wlan0mon
Clients not connected to any access point (labelled (not associated)) are shown at the bottom of the list. Clients sending probe requests for a specific network name (shown in the Probes column) may be the target of this attack.
Bring up a WPA2 WiFi network with exactly the same SSID (name) as the access point the client is looking for. This can be done in various ways; one of the easiest is create_ap. Your access point must have a password (otherwise the attack will fail), and any password will do.
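From the defender's side, the two observable signs of this attack are a known network name being advertised by an unknown BSSID (the twin AP) and unassociated clients probing for that name (the devices that would connect to it). The following script is an added example, not part of the original article or of create_ap or airodump-ng, that checks both conditions against a constructed inventory and constructed observations; in practice the observations would come from a beacon/probe-request capture or from airodump-ng output. The station and BSSID addresses and network names are made up for the demonstration.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory: the BSSIDs that legitimately serve each ESSID.
KNOWN_APS: Dict[str, Set[str]] = {
    "OfficeNet": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
    "GuestNet": {"00:11:22:33:44:57"},
}

# Constructed beacon observations: (bssid, essid, channel, signal_dbm).
OBSERVED: List[Tuple[str, str, int, int]] = [
    ("00:11:22:33:44:55", "OfficeNet", 6, -48),
    ("00:11:22:33:44:56", "OfficeNet", 11, -62),
    ("00:11:22:33:44:57", "GuestNet", 1, -55),
    ("DE:AD:BE:EF:00:01", "OfficeNet", 6, -40),   # unknown BSSID, same ESSID
    ("aa:bb:cc:dd:ee:ff", "CoffeeShop", 3, -70),  # unrelated neighbour
]

# Constructed probe observations: (station, associated_bssid or None,
# probed ESSIDs), mirroring airodump-ng's station table and Probes column.
PROBES: List[Tuple[str, Optional[str], List[str]]] = [
    ("11:22:33:44:55:66", None, ["OfficeNet", "HomeWifi"]),
    ("22:33:44:55:66:77", "00:11:22:33:44:55", ["OfficeNet"]),
    ("33:44:55:66:77:88", None, ["CoffeeShop"]),
]


def find_rogue_aps(observed, known_aps) -> Dict[str, Set[str]]:
    """Return {essid: {bssid, ...}} for every inventoried ESSID that is
    being advertised by a BSSID not in the inventory."""
    rogue: Dict[str, Set[str]] = defaultdict(set)
    for bssid, essid, _channel, _signal in observed:
        if essid in known_aps and bssid.lower() not in known_aps[essid]:
            rogue[essid].add(bssid.lower())
    return dict(rogue)


def find_essid_collisions(observed) -> Dict[str, Set[str]]:
    """Return ESSIDs advertised by more than one BSSID, for sites without an
    inventory. Multi-AP deployments trigger this too, so treat a hit as a
    lead to investigate rather than an alert on its own."""
    by_essid: Dict[str, Set[str]] = defaultdict(set)
    for bssid, essid, _channel, _signal in observed:
        by_essid[essid].add(bssid.lower())
    return {e: b for e, b in by_essid.items() if len(b) > 1}


def at_risk_stations(probes, known_aps) -> Dict[str, Set[str]]:
    """Return {station: {essid, ...}} for unassociated stations probing for
    an inventoried network: these are the devices whose saved-network
    auto-connect behaviour makes the twin-AP trick work against them."""
    at_risk: Dict[str, Set[str]] = defaultdict(set)
    for station, associated, probed in probes:
        if associated is None:
            hits = {e for e in probed if e in known_aps}
            if hits:
                at_risk[station.lower()] = hits
    return dict(at_risk)


def format_report(observed, probes, known_aps) -> List[str]:
    """Human-readable lines combining both checks."""
    lines = [f"rogue AP for {e}: {', '.join(sorted(b))}"
             for e, b in sorted(find_rogue_aps(observed, known_aps).items())]
    lines += [f"unassociated station {s} probing for {', '.join(sorted(e))}"
              for s, e in sorted(at_risk_stations(probes, known_aps).items())]
    return lines


if __name__ == "__main__":
    for line in format_report(OBSERVED, PROBES, KNOWN_APS):
        print(line)
```

The report flags the unknown BSSID advertising “OfficeNet” and the one unassociated station still probing for it; the useful follow-ups are locating the extra transmitter and removing or disabling auto-connect for the leaked profile on the affected device.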
You also need to capture traffic on the wireless interface. On Linux, this can be done with tcpdump:
sudo tcpdump -i wlan0 -s 65535 -w file.cap
The resulting capture file can be cracked directly with WPA2-HalfHandshake-Crack.
Or, after conversion, it can be attacked with Hashcat.