How to capture handshakes of Wi-Fi networks automatically
Programs for automatic capture of Wi-Fi handshakes
There are already several options available for automatically capturing handshakes from Wi-Fi access points, for example:
- Besside-ng – works well and saves only good handshakes that are suitable for password cracking. Disadvantage: it scans for networks only once, so new Wi-Fi networks that later come into range are never seen. In other words, when moving around a city this program is ineffective.
- zizzania has the same main drawback: when new access points appear, it most likely does not see them. Its capture efficiency is also not always the best.
Hashcatch deauthenticates clients connected to all nearby Wi-Fi networks and tries to capture the handshakes. It can be used on any Linux device, including Raspberry Pi and NetHunter devices, so that you can capture handshakes while walking your dog. Hashcatch runs indefinitely until a keyboard interrupt.
From time to time the Hashcatch script rescans for new Wi-Fi networks and adds them to the attack. That is, if you want to capture handshakes in automatic mode, you can run this script not while sitting in front of a particular AP but, simply put, when leaving the house: the program will try to capture handshakes from all access points encountered along your whole route. Obviously you need to move slowly enough, stopping near places where Wi-Fi networks are likely to be concentrated.
How to install Hashcatch on Kali Linux
sudo apt install hcxtools jq
Creating the necessary folders and files for the program:
sudo mkdir -p /usr/share/hashcatch/handshakes/ /etc/hashcatch/
sudo touch /usr/share/hashcatch/db
git clone https://github.com/staz0t/hashcatch
cd hashcatch/
Now generate the configuration file; to do this, run the command:
sudo ./hashcatch --setup
The script will ask you for the name of the wireless interface; if you do not remember it, use the command:
If you later need to choose a different wireless interface, run the command again:
sudo ./hashcatch --setup
Or simply open the /etc/hashcatch/hashcatch.conf file with any text editor and enter the name you need.
By the way, when running, the program saves captured handshakes to the /usr/share/hashcatch/handshakes/ folder, and information about the APs for which a handshake was captured is written to the /usr/share/hashcatch/db file. These locations are hard-coded in the script:
If you wish, you can change them to more convenient locations by editing the values of these variables:
f_config="/etc/hashcatch/hashcatch.conf"
f_db="/usr/share/hashcatch/db"
d_handshakes="/usr/share/hashcatch/handshakes/"
If you have only one Wi-Fi interface, it is recommended to stop programs that may interfere with it:
sudo systemctl stop NetworkManager
sudo airmon-ng check kill
If the interface is down, bring it up (replace wlan0 with your interface name):
sudo ip link set wlan0 up
Continuous Wi-Fi Handshake Capture
Run the program:
Hashcatch puts the interface into monitor mode in a slightly unusual way, with the following command:
sudo aireplay-ng --test INTERFACE
This command does enable monitor mode, but it also checks whether the Wi-Fi card supports packet injection. If the test fails, Hashcatch quits and reports that the interface could not be put into monitor mode. Therefore each launch of Hashcatch takes some time, and if it does not work the first time, it makes sense to try launching it several more times.
Immediately after this, it begins searching for wireless networks, then deauthenticates the clients of those networks and tries to capture handshakes.
The program runs continuously until you press CTRL+C. During operation, and again after completion, it reports exactly how many handshakes were captured:
[*] Handshakes captured this session: 1
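From the network owner's side, the behaviour described above is visible on the air as a burst of 802.11 deauthentication (or disassociation) management frames, usually addressed to the broadcast address, claiming to come from the AP's own BSSID. The following is an added example (not part of Hashcatch or the original article) of the detection logic a wireless IDS applies: it parses the 24-byte 802.11 MAC header of raw frames, counts deauth/disassoc frames per BSSID in a sliding time window and flags BSSIDs whose count reaches a threshold. The frames, timestamps, MAC addresses and the threshold of 10 frames in 5 seconds are constructed for the demonstration; real input would come from a monitor-mode capture with the radiotap header stripped.

```python
"""Detect deauthentication floods in raw 802.11 management frames (added example)."""
import struct
from collections import defaultdict, deque

# Frame type/subtype values carried in the first byte of the frame control field (IEEE 802.11)
TYPE_MGMT = 0
SUBTYPE_BEACON = 0x8
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _mac_to_bytes(s):
    return bytes(int(p, 16) for p in s.split(":"))


def parse_mgmt_header(raw):
    """Parse the 802.11 MAC header of a frame (no radiotap prefix assumed).

    Returns type, subtype, the three addresses and, for deauth/disassoc frames,
    the 16-bit little-endian reason code that directly follows the header."""
    if len(raw) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0 = raw[0]
    ftype = (fc0 >> 2) & 0x3       # bits 2-3: type
    subtype = (fc0 >> 4) & 0xF     # bits 4-7: subtype
    info = {
        "type": ftype,
        "subtype": subtype,
        "addr1": _mac_to_str(raw[4:10]),    # receiver
        "addr2": _mac_to_str(raw[10:16]),   # transmitter
        "addr3": _mac_to_str(raw[16:22]),   # BSSID for management frames
        "reason": None,
    }
    if ftype == TYPE_MGMT and subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(raw) >= 26:
        info["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return info


def build_mgmt_frame(subtype, addr1, addr2, addr3, reason=None):
    """Construct a minimal management frame (constructed test data for the demo)."""
    frame_control = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    header = (frame_control + b"\x00\x00"              # duration
              + _mac_to_bytes(addr1) + _mac_to_bytes(addr2) + _mac_to_bytes(addr3)
              + b"\x00\x00")                           # sequence control
    body = struct.pack("<H", reason) if reason is not None else b""
    return header + body


def deauth_flood_counts(frames, window=5.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame).

    Counts deauth/disassoc frames per BSSID (addr3) within a sliding window and
    returns {bssid: peak_count} for every BSSID whose count reached `threshold`."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        info = parse_mgmt_header(raw)
        if info["type"] != TYPE_MGMT or info["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        bssid = info["addr3"]
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[bssid] = max(peaks.get(bssid, 0), len(q))
    return peaks


def sample_capture():
    """Constructed sample: 12 broadcast deauths from one BSSID within 1.1 s,
    plus normal beacons and a single (legitimate-looking) deauth from another AP."""
    ap_a = "aa:bb:cc:00:00:01"
    ap_b = "aa:bb:cc:00:00:02"
    frames = []
    for i in range(12):
        frames.append((0.1 * i, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap_a, ap_a, reason=7)))
    for i in range(5):
        frames.append((0.5 * i, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap_b, ap_b)))
    frames.append((1.0, build_mgmt_frame(SUBTYPE_DEAUTH, "11:22:33:44:55:66", ap_b, ap_b, reason=3)))
    return frames


if __name__ == "__main__":
    for bssid, n in deauth_flood_counts(sample_capture()).items():
        print(f"possible deauth flood against {bssid}: {n} frames within the window")
```

A single deauth from an AP to one client is normal; a dozen broadcast deauths in about a second is not, which is why the counter keys on the BSSID rather than on the receiver. The real mitigation is Protected Management Frames (802.11w), which makes forged deauth frames unverifiable and therefore ignored by clients that enforce it; the detector above remains useful on networks that cannot yet require it.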
Location details of a router's MAC address
Hashcatch writes the access points for which handshakes were captured to the /usr/share/hashcatch/db file. To view the contents of this file:
Values are separated by commas. Using the latitude and longitude you can search on Google Maps: https://www.google.com/maps/; just enter these two numbers, for example:
By the way, you can also open an address of the form https://www.google.com/maps/place/LATITUDE,LONGITUDE directly, for example https://www.google.com/maps/place/55.96663351105,37.41517074071
There are many Wi-Fi geolocation services; Hashcatch uses the service from Alexander Mylnikov. The API does not require a key: just enter the BSSID (MAC address) of the access point of interest and open a link of the form https://api.mylnikov.org/geolocation/wifi?v=1.2&bssid=BSSID, for example https://api.mylnikov.org/geolocation/wifi?v=1.2&bssid=C8:38:70:AD:BB:48.
You can also add an ‘ignore’ field to mention the WiFi networks you want hashcatch to ignore while running.
If you have already captured handshakes for some wireless networks, it makes sense to ignore them. Another example of using the ignore list: I launched Hashcatch, put the laptop in my backpack and went for a walk to see how many handshakes I could get. So that the computer stayed connected to the Internet, I created a Wi-Fi hotspot on my mobile phone and connected to it from the laptop with a second (built-in) Wi-Fi card. I needed this so that Hashcatch could fetch coordinates for the APs.
To avoid attacking some APs, open the configuration file /etc/hashcatch/hashcatch.conf:
and add the ignore directive there, listing the APs that should not be attacked. For example, in my case this is AndroidAP:
To exclude several APs, separate them with a comma. AP names may contain spaces, but there must be no spaces next to the equals sign (=) or around the commas, for example:
interface=wlan0
ignore=Google Starbucks,AndroidAP
By the way, so that the computer does not power down after some idle time and does not suspend immediately when you close the laptop lid, set the power settings accordingly.
Captured Handshake Analysis
You can view the list of handshakes with the command:
ls -l /usr/share/hashcatch/handshakes/
Each handshake is placed in a separate file.
To verify them, run the following command:
sudo aircrack-ng /usr/share/hashcatch/handshakes/*
Hacking Wi-Fi Hashes
You can brute-force passwords for captured hashes with different programs; the fastest of them is Hashcat.
To start a dictionary attack against a Wi-Fi hash, a command of the following form is used:
hashcat -m 2500 '/usr/share/hashcatch/handshakes/HASH.hccapx' DICTIONARY.txt
To start a mask attack against a Wi-Fi hash, a command of the following form is used:
hashcat -m 2500 -a 3 '/usr/share/hashcatch/handshakes/HASH.hccapx' MASK
For example, with the following command I launched an attack against the 14:9D:09:CF:F5:08.hccapx hash using the mask 6?d?d?d?d?d?d?d?d. This mask means 9 characters, the first of which is the digit 6 and the rest any digits – these are typical phone numbers in the area where the handshake was captured:
hashcat -m 2500 -a 3 --hwmon-temp-abort=100 '/usr/share/hashcatch/handshakes/14:9D:09:CF:F5:08.hccapx' 6?d?d?d?d?d?d?d?d
The attack was successful; the found Wi-Fi password is in the line:
3BB-SAYJAI is the name of the Access Point, and 670323273 is the password for it.
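The mask above succeeded because a phone number gives a tiny candidate space. The following added example (not from the article or from hashcat itself) computes the number of candidates and the equivalent entropy in bits for a hashcat mask, using the built-in charset sizes from hashcat's mask-attack documentation (?l and ?u 26, ?d 10, ?h and ?H 16, ?s 33, ?a 95, ?b 256; "??" is a literal "?"). It reports the raw candidate count, which is not the same figure hashcat's own --keyspace option prints for mask attacks. The cracking rate used in the usage example is an assumed parameter, not a measured value; the point for a network owner is that 9 digits are worth only about 27 bits, while a random passphrase over the full printable charset needs just 5 characters to exceed that.

```python
"""Keyspace and entropy of hashcat masks (added example)."""
import math

# Sizes of hashcat's built-in charsets (from the hashcat mask-attack documentation)
CHARSET_SIZES = {
    "l": 26,   # abcdefghijklmnopqrstuvwxyz
    "u": 26,   # ABCDEFGHIJKLMNOPQRSTUVWXYZ
    "d": 10,   # 0123456789
    "h": 16,   # 0123456789abcdef
    "H": 16,   # 0123456789ABCDEF
    "s": 33,   # space and the 32 ASCII punctuation characters
    "a": 95,   # ?l?u?d?s
    "b": 256,  # 0x00 - 0xff
}


def mask_positions(mask):
    """Split a hashcat mask into the number of candidates at each position.

    A literal character contributes 1, '?x' contributes the size of charset x,
    and '??' is an escaped literal question mark."""
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        tag = mask[i + 1]
        if tag == "?":
            sizes.append(1)
        elif tag in CHARSET_SIZES:
            sizes.append(CHARSET_SIZES[tag])
        else:
            raise ValueError(f"unknown charset ?{tag}")
        i += 2
    return sizes


def keyspace(mask):
    """Total number of candidate passwords the mask generates."""
    n = 1
    for s in mask_positions(mask):
        n *= s
    return n


def entropy_bits(mask):
    """log2 of the keyspace: how many bits of guessing work the mask represents."""
    return math.log2(keyspace(mask))


def seconds_to_exhaust(mask, hashes_per_second):
    """Worst-case time to try every candidate at an assumed cracking rate."""
    return keyspace(mask) / hashes_per_second


def equivalent_random_length(mask, charset="a"):
    """Shortest uniformly random password over `charset` with at least as much entropy."""
    return math.ceil(entropy_bits(mask) / math.log2(CHARSET_SIZES[charset]))


if __name__ == "__main__":
    phone_mask = "6?d?d?d?d?d?d?d?d"          # the mask used in the article
    assumed_rate = 100_000                     # assumed H/s, not a measured figure
    print(f"{phone_mask}: {keyspace(phone_mask):,} candidates, "
          f"{entropy_bits(phone_mask):.1f} bits, "
          f"exhausted in {seconds_to_exhaust(phone_mask, assumed_rate):.0f} s at {assumed_rate} H/s")
    print(f"a random password over ?a needs only {equivalent_random_length(phone_mask)} characters to match that")
```

Because WPA2 requires at least 8 characters, a mask that fixes most positions to digits (or a known prefix) removes almost all of the work that length is supposed to impose; the entropy figure is a convenient way to explain to a network owner why a phone number or a date is a poor PSK regardless of its length.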
Additionally, continue reading about Hashcat:
- Hashcat manual: how to use the program for cracking passwords
- Cracking WPA/WPA2 handshakes using GPU on Windows
- Hashcat Help
[-] Could not set wireless adapter to monitor mode. Run with --setup and try again!
This means that you need to run the program with the --setup switch and then specify the name of the Wi-Fi interface.
[-] Could not set the given wireless adapter to monitor mode!
This means that the program either 1) cannot put the interface into monitor mode, or 2) cannot successfully complete the packet injection test. If your adapter supports both monitor mode and injection, try starting it again.
[-] Interface not mentioned in config file. Run with --setup and try again!
This means that either 1) the Wi-Fi interface is not specified in the configuration file, or 2) the specified Wi-Fi dongle is not currently plugged into the computer. Therefore, plug in the wireless adapter or run the program with the --setup switch to specify the name of another interface.
Please note that in BlackArch, where the program is installed from the standard repository, each update of the program deletes all previously captured handshakes, deletes the /usr/share/hashcatch/db file and erases the configuration file!
In general, the script is quite simple, but the task of capturing handshakes is quite simple as well, so it copes with it. I especially like that each captured handshake is saved in a separate file – it is very convenient, since you can immediately proceed to password brute-forcing.
In one of the following articles, I will talk about another excellent program for automatically capturing handshakes that constantly monitors for the appearance of new Wi-Fi networks and adds them to the attack. In addition, that program also automatically captures PMKIDs!