Time for action – AP-less WPA cracking
We will set up a WPA-PSK honeypot with the ESSID Wireless Lab. The -z 2 option (of airbase-ng) creates a WPA-PSK access point that uses TKIP:

Let's also start airodump-ng to capture packets from this network:

Now when our roaming client connects to this access point, it starts the four-way handshake but fails to complete it after Message 2, as discussed previously:

Nevertheless, airodump-ng reports that the handshake has been captured:

We run the airodump-ng capture file through aircrack-ng with the same dictionary file as before; eventually the passphrase is cracked, as shown next:
What just happened?
We were able to crack the WPA key with just the client and no access point. This was possible because the first two messages of the four-way handshake already contain everything a dictionary attack on the handshake needs: Message 1 carries the ANonce, Message 2 carries the SNonce and a MIC computed under the key derived from the passphrase, and the two MAC addresses are visible in every frame, so each candidate passphrase can be checked against that MIC without Messages 3 and 4.
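From the defender's side, the honeypot described above leaves a recognisable trace: the same ESSID advertised by a BSSID that is not ours, with handshakes that stop at Message 2 for every client. The following added example (not from the book, and not aircrack-ng code) runs that heuristic over constructed EAPOL event records, separating a likely rogue AP from an ordinary client-side passphrase mismatch; the BSSID, client and ESSID values are made up.

```python
from collections import defaultdict

# Constructed sample records: (bssid, client, essid, eapol_message_number).
# The authorised AP completes all four messages with client ...01, and
# stalls at M2 with client ...03 (wrong passphrase on the client side).
# The unknown BSSID advertising the same ESSID stalls at M2 with everyone.
SAMPLE_EVENTS = [
    ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "Wireless Lab", 1),
    ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "Wireless Lab", 2),
    ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "Wireless Lab", 3),
    ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "Wireless Lab", 4),
    ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:03", "Wireless Lab", 1),
    ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:03", "Wireless Lab", 2),
    ("66:77:88:99:aa:bb", "aa:bb:cc:dd:ee:01", "Wireless Lab", 1),
    ("66:77:88:99:aa:bb", "aa:bb:cc:dd:ee:01", "Wireless Lab", 2),
    ("66:77:88:99:aa:bb", "aa:bb:cc:dd:ee:02", "Wireless Lab", 1),
    ("66:77:88:99:aa:bb", "aa:bb:cc:dd:ee:02", "Wireless Lab", 2),
]

# Inventory of BSSIDs that are allowed to advertise each ESSID (constructed).
KNOWN_BSSIDS = {"Wireless Lab": {"00:11:22:33:44:55"}}


def find_stalled_handshakes(events, known_bssids):
    """Return handshakes where M1 and M2 were seen but M3 never followed.

    A stall at M2 means the AP did not (or could not) validate the client's
    MIC.  On an authorised BSSID that is usually a passphrase mismatch; on a
    BSSID not in the inventory it is the AP-less honeypot pattern, since the
    fake AP has nothing to validate the MIC with and can never send M3.
    """
    msgs_seen = defaultdict(set)
    essid_of = {}
    for bssid, client, essid, msg in events:
        msgs_seen[(bssid, client)].add(msg)
        essid_of[(bssid, client)] = essid

    findings = []
    for (bssid, client) in sorted(msgs_seen):
        msgs = msgs_seen[(bssid, client)]
        if {1, 2} <= msgs and 3 not in msgs:
            essid = essid_of[(bssid, client)]
            rogue = bssid not in known_bssids.get(essid, set())
            findings.append({
                "bssid": bssid,
                "client": client,
                "essid": essid,
                "rogue_bssid": rogue,
                "verdict": "unknown BSSID, possible honeypot" if rogue
                           else "authorised AP, client passphrase mismatch",
            })
    return findings
```

Feeding the sample records in yields one passphrase-mismatch finding on the authorised AP and two honeypot findings on the unknown BSSID, which is the signal a wireless IDS would raise for a device impersonating Wireless Lab.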
Have a go hero – AP-less WPA cracking
We would recommend setting different WEP keys on the client and trying this exercise a couple of times to gain confidence. You may notice many times that...