Part 3: WPA2 Deauth & 4-Way Handshake (Frame Injection & Offline Cracking)
1. Executive Summary
While the WPA2-Personal protocol ensures that the Pre-Shared Key (PSK) is never transmitted in plaintext, its architecture harbors a critical vulnerability: standard 802.11 Management Frames lack cryptographic authentication by default. This technical write-up demonstrates how an attacker can exploit this flaw by injecting forged Deauthentication frames to actively force a legitimate client into reconnecting with the router. By monitoring this forced reconnection, the attacker intercepts the 4-Way Handshake, capturing the plaintext nonces and the cryptographic Message Integrity Code (MIC).
Business Impact: These intercepted cryptographic variables provide all the necessary parameters to execute a highly efficient offline dictionary attack against the PSK. A successful crack completely neutralizes the network's perimeter defense, granting the attacker unauthorized internal access and laying the groundwork for total infrastructure compromise.
2. Lab Architecture (RoE)
Target (Authenticator): TP-Link Archer C6 (1.14.30 Build 250729 Rel.74228n(4555))
Target (Supplicant): iPhone 13
Attacker Infrastructure: VirtualBox Kali Linux 2025.4 (RTL8812AU)
3. Protocol Theory
3.1 Pairwise Master Key (PMK)
Rather than sending the network password over the air, the plaintext password and SSID are used to calculate the Pairwise Master Key (PMK) locally on both the authenticator and the supplicant. The aim of this function is to transform a short, human-readable password and network name into a strong, pseudo-random cryptographic key, thereby slowing down cryptographic attacks (key stretching). The PMK itself is not used to encrypt data. It is used during the 4-Way Handshake to calculate the Pairwise Transient Key (PTK), which is then used as a session key to encrypt the data.
$$\text{PMK} = \text{PBKDF2}(\text{HMAC-SHA1}, \text{Passphrase}, \text{SSID}, 4096, 256)$$
PBKDF2 (Password-Based Key Derivation Function 2): The standardized procedure (RFC 2898) employs key stretching by repeatedly performing calculation steps to derive the result.
HMAC-SHA1 (Pseudorandom Function): The mathematical core function used within PBKDF2. HMAC (Hash-based Message Authentication Code) hashes the password and SSID.
Passphrase: Network password used by the client to authenticate on the network.
SSID: Name of the network (SSID, Service Set Identifier) is used as salt to prevent the use of rainbow tables.
4096: Iterations of the HMAC-SHA1-Function, effectively multiplying the expense for calculating the hash per password by 4096.
256: Length in bits of the key the function returns.
3.2 Pairwise Transient Key (PTK)
To ensure that the session key for each connection (client to access point) is unique, the Pairwise Transient Key (PTK) is calculated using cryptographic random numbers (Nonces) and the hardware addresses (MACs) with the help of a pseudorandom function (PRF):
$$\text{PTK} = \text{PRF}(\text{PMK}, \text{Authenticator\_MAC}, \text{Supplicant\_MAC}, \text{ANonce}, \text{SNonce})$$
PMK: Proves that both parties know the password without sending it over the air and it is the only parameter that cannot be intercepted in plain text.
Authenticator/Supplicant MAC: Physical hardware address of the access point and client, binding the cryptographic key to these specific devices (spatial separation), ensuring that different clients on the same network cannot decrypt each other's traffic.
ANonce/SNonce: Cryptographic random numbers generated by both parties. They guarantee 'freshness' for every new handshake and ensure the PTK is unique per session, effectively preventing Replay Attacks.
While the Temporal Key (TK) derived from the PTK is responsible for encrypting post-handshake data traffic, a critical sub-key is extracted specifically for the authentication phase: the Key Confirmation Key (KCK). The KCK occupies the first 128 bits of the PTK and is exclusively used to calculate the Message Integrity Code (MIC).
3.3 Message Integrity Code (MIC)
The MIC acts as the cryptographic anchor of the 4-Way Handshake. It is appended to the Extensible Authentication Protocol over LAN (EAPOL) frames (starting in Message 2) to fulfill two fundamental security objectives in an untrusted medium like WLAN:
Data Integrity: It guarantees that the EAPOL frame (including the critical Nonces and MAC addresses) has not been tampered with during transit.
Proof of Possession: It serves as a deterministic, zero-knowledge proof. By generating a valid MIC, the supplicant proves to the authenticator that it possesses the correct PMK (and thus the correct passphrase) without ever transmitting the secret over the air.
The MIC is derived as follows:
$$\text{MIC} = \text{HMAC}(\text{KCK}, \text{EAPOL\_Frame\_with\_zeroed\_MIC})$$
HMAC: The cryptographic algorithm used to generate the checksum.
KCK: The 128-bit Key Confirmation Key derived directly from the PTK. Since the PTK is calculated using the PMK, the KCK mathematically proves knowledge of the correct network password.
EAPOL_Frame_with_zeroed_MIC: To solve the logical paradox of hashing an EAPOL frame that must eventually contain the hash (MIC) itself, the protocol dictates a specific sequence. The sender temporarily fills the MIC field within the frame entirely with zeros (0x00) before running the HMAC calculation. The resulting cryptographic checksum is then inserted into the formerly zeroed field, and the frame is transmitted.
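The derivation chain of sections 3.1 to 3.3, from passphrase to MIC, followed by the check the authenticator performs on Message 2. This is an added example, not code from the original write-up. It assumes CCMP (48-byte PTK) and key descriptor version 2 (HMAC-SHA1 truncated to 128 bits); the function names, MAC addresses and nonces are constructed, and the passphrase/SSID pair is the IEEE 802.11i test vector.

```python
import hashlib
import hmac
import struct

MIC_OFF = 81  # Key MIC offset: 4-byte EAPOL header + 77 bytes into the key descriptor

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # Section 3.1: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    # IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:n]

def derive_ptk(pmk, aa, spa, anonce, snonce) -> bytes:
    # Section 3.2: inputs are sorted so both sides build the identical byte string
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)  # CCMP: KCK | KEK | TK

def compute_mic(kck: bytes, frame: bytes) -> bytes:
    # Section 3.3: zero the MIC field, HMAC the whole EAPOL frame, keep 128 bits
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_message2(kck: bytes, snonce: bytes) -> bytes:
    # Constructed EAPOL-Key Message 2 with empty key data (a real one carries the RSN IE)
    body = struct.pack(">BHHQ", 2, 0x010A, 0, 1) + snonce + bytes(16 + 8 + 8 + 16) + b"\x00\x00"
    frame = struct.pack(">BBH", 2, 3, len(body)) + body
    return frame[:MIC_OFF] + compute_mic(kck, frame) + frame[MIC_OFF + 16:]

def authenticator_accepts(passphrase, ssid, aa, spa, anonce, frame) -> bool:
    # The AP recomputes the MIC from its own PMK and the SNonce carried in the frame
    snonce = frame[17:49]
    kck = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(compute_mic(kck, frame), frame[MIC_OFF:MIC_OFF + 16])

# Constructed sample values: IEEE 802.11i test passphrase/SSID, made-up MACs and nonces
AA, SPA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))

if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    kck = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)[:16]
    msg2 = build_message2(kck, SNONCE)
    print("PMK:", pmk.hex())
    print("MIC:", msg2[MIC_OFF:MIC_OFF + 16].hex())
    print("right passphrase:", authenticator_accepts("password", "IEEE", AA, SPA, ANONCE, msg2))
    print("wrong passphrase:", authenticator_accepts("passw0rd", "IEEE", AA, SPA, ANONCE, msg2))
```

Every input to the MIC except the passphrase is visible in the frame or on the air, which is why the strength of the passphrase carries the whole security of the handshake.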
3.4 The Architectural Flaw
The WPA2 protocol has a fundamental architectural flaw because, by default, only data frames are encrypted and authenticated using the TK derived from the PTK. Management frames, such as Beacons, Probe Requests, and Deauthentication Packets, are sent in plain text and without authentication.
Due to this flaw, any device with an appropriate Wi-Fi adapter and a spoofed MAC address can send Deauthentication Packets to clients, causing a brief disconnection between the client and access point. The client will accept the forged Deauthentication Packet, disconnect, and then reconnect to the same router within milliseconds.
This effectively triggers the 4-Way Handshake, allowing an attacker to intercept and capture legitimate nonces and the MIC. These can then be used to perform an offline brute-force attack on the password involved in deriving the PMK, PTK, KCK, and ultimately the MIC.
4. The Attack (Execution & OPSEC)
The attack follows a structured sequence: reconnaissance of the target, locking onto it, injecting the Management Frame, capturing the handshake, and finally cracking the password offline.
4.1 Interface Preparation (Monitor Mode)
First, we must set our network adapter to monitor mode to capture all raw frames in the air. The default managed mode discards any packets that don't match the adapter's MAC address.
Ending processes that interfere with packet capture in monitor mode:
sudo airmon-ng check kill
Activating monitor mode:
sudo airmon-ng start wlan0
wlan0 is the name of the wireless interface. Interface names can be verified with 'iwconfig'; after airmon-ng has started, the interface reports Mode:Monitor.
4.2 Passive Reconnaissance
With the interface in Monitor Mode, passive reconnaissance is conducted to survey the 2.4 GHz and 5 GHz spectrum. The objective is to identify the target's Basic Service Set Identifier (BSSID), its current operating channel, and the MAC address of the connected supplicant (the target client). This phase involves strictly passive listening and leaves no detectable footprint on the target network.
Initiate the scan on the monitoring interface:
sudo airodump-ng wlan0
(During monitoring, your interface name might change to include 'mon', such as 'wlan0mon'.)
The tool hops through all WLAN channels capturing every raw packet in the air. The terminal splits into 2 logical sections:
The upper half (Router / Access Points):
BSSID: Routers' MAC addresses.
ESSID: Network name.
PWR: Signal strength, the closer to 0 the stronger the signal.
Beacons: Amount of Management Frames sent by the routers.
CH: Channel on which the network transmits.
ENC/CIPHER/AUTH: Encryption scheme, cipher, and authentication method in use.
The lower half (Clients):
BSSID: Router to which the client is currently connected and sending packets to.
STATION: Clients' MAC address.
Frames: Traffic the client creates.
4.3 Traffic Interception
In this view, target parameters are identified: the authenticator BSSID (8C:90:2D:48:2C:9F), its operating channel (5), and the MAC address of a supplicant (20:04:84:EF:C1:33) connected to our target router. Since this step is purely passive reconnaissance, repeatedly starting and stopping the monitoring does not generate any suspicious or forensically detectable traffic that would compromise OPSEC.
Disclaimer: The injection of forged 802.11 Management Frames effectively constitutes a localized Denial of Service (DoS) attack. All actions demonstrated in this execution phase were performed within a controlled laboratory environment against owned hardware.
Now that we have identified the parameters of our target connection, we narrow our monitoring to this connection and write all captured data to a file:
sudo airodump-ng -c 5 --bssid 8C:90:2D:48:2C:9F -w wpa2_handshake wlan0
-c: Prevents channel hopping and forces the adapter to listen on channel 5.
--bssid: Restricts the capture to frames sent or received by the specified router.
-w: Writes every captured packet to a file that can later be analyzed in Wireshark.
4.4 Frame Injection
With the passive listener securely capturing all traffic on channel 5, a second terminal is utilized to execute the active phase of the attack. Using aireplay-ng, forged Deauthentication Management Frames are injected into the network.
sudo aireplay-ng -0 1 -a 8C:90:2D:48:2C:9F -c 20:04:84:EF:C1:33 wlan0
-0 1: Sending 1 Deauthentication-Frame (code 0).
-a: The router's MAC address being spoofed.
-c: Our target supplicant (client) being deauthenticated.
Upon receiving the forged frames, the client drops the connection and immediately initiates a reconnection sequence. In the airodump-ng monitoring terminal, a successful capture is verified by the appearance of the [ WPA handshake: <BSSID> ] banner in the top-right corner. This notification confirms that the crucial EAPOL frames containing the plaintext nonces and the client's cryptographic MIC have been successfully intercepted and written to the .cap file.
From an OPSEC perspective, it is critical to inject the absolute minimum number of forged deauthentication packets required to trigger the handshake. Continuously flooding the network with deauthentication frames (a sustained DoS) causes severe user disruption and creates massive noise in Wireless Intrusion Prevention Systems (WIPS) or router logs, drastically increasing the likelihood of detection.
5. Packet Analysis (Handshake Verification)
Before initiating a resource-intensive offline dictionary attack, it is a mandatory operational procedure to cryptographically verify the integrity of the captured .cap file. Blindly attempting to crack a corrupted or incomplete handshake will inevitably lead to false-negative results.
Using a protocol analyzer such as Wireshark, the raw capture file is inspected to confirm that all necessary variables for the PTK and MIC calculation were successfully intercepted.
By applying the display filter eapol, the view is restricted to the Extensible Authentication Protocol over LAN frames—the core of the 4-Way Handshake. A valid, crackable capture must contain at least the first two messages of this sequence:
Message 1 (Authenticator to Supplicant): This frame is analyzed to extract the ANonce transmitted in plaintext.
Message 2 (Supplicant to Authenticator): This is the most critical frame for the attacker. Inspection of this frame must confirm the presence of the SNonce and, crucially, a populated MIC field.
If the packet analysis confirms that both MAC addresses, both nonces (highlighted), and the client-generated MIC (image 2; WPA Key MIC: 0ba9f7...) are present and uncorrupted, the mathematical equation is complete. Only the Pre-Shared Key remains the unknown variable, authorizing the transition to the offline cracking phase.
6. Offline Cracking (Dictionary / Brute-Force)
With the integrity of the captured 4-Way Handshake verified, the operation transitions from network interaction to offline cryptographic cracking. This process completely decouples the attacker from the target network, eliminating any further risk of detection.
6.1 Hash Extraction and Processing
Modern GPU-accelerated password recovery tools, such as Hashcat, do not parse raw packet capture files efficiently. The .cap file must first be distilled into a standardized cryptographic format that isolates the necessary variables. Using hcxpcapngtool, the raw capture is parsed to extract the Authenticator MAC, Supplicant MAC, both Nonces, and the intercepted MIC into the hc22000 hash format.
hcxpcapngtool wpa2_handshake-01.cap -o target_hash.hc22000
6.2 Execution of the Dictionary Attack
The extracted hc22000 file is supplied to Hashcat alongside a predefined wordlist (e.g., rockyou.txt) and / or a custom ruleset. Operating in mode 22000, Hashcat's cracking engine systematically iterates through the wordlist, performing the exact cryptographic cascade defined by the WPA2 standard for every single password candidate:
PMK Derivation: It computes the Pairwise Master Key using PBKDF2-HMAC-SHA1, hashing the password candidate and the network SSID through 4096 iterations.
PTK Expansion: Utilizing the intercepted MAC addresses and Nonces, it expands the PMK into the Pairwise Transient Key via the Pseudo-Random Function (PRF).
KCK Extraction: It isolates the first 128 bits of the PTK to obtain the Key Confirmation Key (KCK).
MIC Calculation and Verification: Finally, Hashcat calculates a theoretical MIC using the derived KCK and the payload of the intercepted EAPOL Message 2.
If the calculated MIC matches the intercepted MIC, the mathematical equation is solved. Hashcat halts the process and outputs the plaintext passphrase, granting the attacker full cryptographic access to the target network.
hashcat -m 22000 target_hash.hc22000 rockyou.txt
6.3 Note on Advanced Cracking Methodologies (Out of Scope)
The specific intricacies of advanced password cracking—such as generating targeted wordlists, applying rule-based mutations (e.g., Best64), utilizing mask attacks, or optimizing GPU workloads—are beyond the scope of this write-up. Hashcat is a highly complex, standalone cryptographic engine. The methodology behind effective brute-forcing and dictionary attacks warrants its own dedicated analysis and may be covered in a future article. The focus of this execution was strictly the interception and verification of the WPA2 4-Way Handshake.
6.4 Post-Exploitation Implications (Looking Ahead)
It is crucial to understand that recovering the WPA2 Pre-Shared Key is rarely the attacker's final objective; rather, it serves as the initial foothold. Once the plaintext password is cracked, the attacker can authenticate to the target Access Point, transitioning from an external observer to an internal network participant.
From this privileged position, the typical next phase in a kill chain involves internal network reconnaissance (e.g., utilizing nmap to identify the default gateway and live hosts). The immediate subsequent target is often the router's administrative web interface. While the specific execution of HTTP/HTTPS brute-forcing or dictionary attacks against the router's login panel (using tools like Hydra or Burp Suite) is beyond the scope of this document, it highlights a critical reality: a compromised Wi-Fi passphrase rapidly paves the way for total infrastructure takeover.
7. Remediation / Blue Team
Securing a wireless network requires a defense-in-depth approach. Based on the mechanics of the WPA2 offline dictionary attack demonstrated in this article, the following remediation strategies are recommended to mitigate the risk of unauthorized access.
7.1 Enforce Passphrase Complexity
The fundamental weakness exploited in this attack is not the WPA2 cryptography itself, but rather weak user-generated passwords alongside the architectural flaw of unsigned Management Frames. Because Hashcat performs the cracking process entirely offline, traditional account lockout policies or rate-limiting mechanisms do not apply.
- Recommendation: Implement a highly complex, pseudo-random Pre-Shared Key (PSK) of at least 16 to 20 characters. A robust passphrase is the simplest mitigation measure, making brute-force and dictionary attacks mathematically improbable within a human lifetime, thus rendering the captured .cap file practically useless.
7.2 Protocol Upgrades: WPA3 and PMF
To address the architectural flaws of WPA2, the network infrastructure should be upgraded to modern standards wherever hardware permits.
Enable Protected Management Frames (PMF / 802.11w): Enforcing PMF ensures that deauthentication and management frames are cryptographically signed. This completely neutralizes the active frame injection attack used to force the 4-Way Handshake.
Migrate to WPA3: Upgrading to WPA3 replaces the vulnerable PSK exchange with the Simultaneous Authentication of Equals (SAE) handshake. SAE is inherently resistant to offline dictionary attacks; even if an attacker captures the WPA3 handshake, they cannot brute-force the password offline.
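A monitoring-side check for the forged management frames that PMF is meant to stop, as an added example that is not part of the original write-up. It flags unprotected unicast deauthentication/disassociation frames on BSSIDs where PMF is required and, going beyond what the article describes, frames whose sequence number does not fit the sender's observed counter. It assumes raw 802.11 headers without radiotap; the rule names, `SEQ_GAP_LIMIT`, MAC addresses and sample frames are constructed.

```python
import struct
from collections import namedtuple

DEAUTH, DISASSOC, BEACON = 12, 10, 8   # 802.11 management subtypes
SEQ_GAP_LIMIT = 64                     # assumed tolerance for frames missed by the sensor
Mgmt = namedtuple("Mgmt", "subtype protected dst src bssid seq")

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame: bytes):
    """Parse a raw 802.11 header; return None unless it is a management frame."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:                           # type 0 = management
        return None
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4  # low 4 bits are the fragment number
    return Mgmt((fc >> 4) & 0xF, bool(fc & 0x4000),    # bit 14 = Protected Frame
                mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), seq)

def detect(frames, pmf_bssids=frozenset()):
    """frames: iterable of (timestamp, raw bytes). Returns (timestamp, rule, src, dst) tuples."""
    baseline, alerts = {}, []
    for ts, raw in frames:
        m = parse_mgmt(raw)
        if m is None or m.protected:
            continue
        if m.subtype not in (DEAUTH, DISASSOC):
            baseline[m.src] = m.seq                    # learn the sender's real counter
            continue
        unicast = not int(m.dst[:2], 16) & 1           # group-addressed deauth uses an MMIE instead
        prev = baseline.get(m.src)
        gap = None if prev is None else (m.seq - prev) % 4096
        if unicast and m.bssid in pmf_bssids:
            alerts.append((ts, "unprotected-deauth-on-pmf-bssid", m.src, m.dst))
        elif gap is not None and gap > SEQ_GAP_LIMIT:
            alerts.append((ts, "deauth-sequence-anomaly", m.src, m.dst))
    return alerts

def mk(subtype, dst, src, bssid, seq, body=b"", protected=False):
    """Build a constructed management frame for the sample capture below."""
    fc = (subtype << 4) | (0x4000 if protected else 0)
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    return struct.pack("<HH", fc, 0) + addrs + struct.pack("<H", seq << 4) + body

AP, STA, BCAST = "02:00:00:00:00:01", "02:00:00:00:00:02", "ff:ff:ff:ff:ff:ff"
SAMPLE = [  # constructed: three beacons, an out-of-sequence deauth, an in-sequence deauth
    (0.0, mk(BEACON, BCAST, AP, AP, 100)), (0.1, mk(BEACON, BCAST, AP, AP, 101)),
    (0.2, mk(BEACON, BCAST, AP, AP, 102)),
    (0.25, mk(DEAUTH, STA, AP, AP, 3000, b"\x07\x00")),  # body = 2-byte reason code
    (0.3, mk(DEAUTH, STA, AP, AP, 103, b"\x03\x00")),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
    print(detect(SAMPLE, pmf_bssids={AP}))
```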
7.3 Defense in Depth: Firmware and Configuration Hygiene
While not directly preventing deauthentication attacks, overall router hygiene is critical to prevent post-exploitation lateral movement.
Firmware Updates: Regularly patch the Access Point's firmware. Once an attacker is on the network, outdated routers are prime targets for known CVEs to gain administrative control.
Disable WPS (Wi-Fi Protected Setup): As discussed in Part 1 of this series, WPS is a legacy feature known to be highly susceptible to pin-brute-forcing (e.g., Pixie Dust attacks). It should be strictly disabled on the router's administrative panel to close another prominent WPA2 attack vector.
8. Troubleshooting
Note on VirtualBox Infrastructure: When passing through high-power USB 3.0 Wi-Fi adapters (like the RTL8812AU), the hypervisor's USB state machine may occasionally stall. Toggling the device off and on via the VirtualBox 'Devices -> USB' menu forcefully reinitializes the connection and allows the Linux kernel to properly probe the interface.
Also make sure to enable USB-3.0-Controller (xHCI) in the VirtualBox settings and add a filter for the adapter.
I used and installed the realtek-rtl88xxau-dkms driver with
sudo apt install realtek-rtl88xxau-dkms