Labs / WiFi Password Cracker
- Daily Challenge
- Released 25 Aug 2025
📡 Can you crack this WPA handshake and breach the wireless network?
📶 Master professional WiFi security assessment techniques used by penetration testers worldwide
🔓 Learn systematic dictionary attacks against WPA/WPA2 encrypted wireless networks
🛡️ Discover how weak passwords make even strong encryption protocols vulnerable
🎯 Develop essential wireless security skills for real-world network assessments
1
Flags
1
Points
Start Lab Environment
~1-2 min setup
AWS dedicated
Private instance
Industry standard
Daily Challenge
📡 WiFi Password Cracker - Complete Technical Solution
Objective: Analyze the WPA handshake hash and crack the wireless network password using cryptographic techniques and the provided wordlist.
🔍 Step 1: Understanding WPA Handshake Structure
Download and examine the WPA hash file:
SecureHome_5G:001a2b3c4d5e:a4b5c6d7e8f9:2a4f8b1c9d3e7f6a8b2c5d9e1f4a7b8c9d2e5f8a1b4c7d0e3f6a9b2c5d8e1f4a:8f2a5b1c6d9e3f7a2b5c8d1e4f7a0b3c6d9e2f5a8b1c4d7e0f3a6b9c2e5f8d1e:1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d:7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2cHash Components Breakdown:
- SSID: SecureHome_5G (network name used as salt)
- AP MAC: 00:1a:2b:3c:4d:5e (access point MAC address)
- Client MAC: a4:b5:c6:d7:e8:f9 (client device MAC address)
- ANonce: 2a4f8b1c9d3e7f6a... (32-byte random number from AP)
- SNonce: 8f2a5b1c6d9e3f7a... (32-byte random number from client)
- MIC1: 1a2b3c4d5e6f7a8b... (Message 2 MIC - 16 bytes)
- MIC2: 7f8e9d0c1b2a3f4e... (Message 4 MIC - 16 bytes)
🔍 Step 2: WPA2-PSK Cryptographic Process
To crack this hash, you must understand the complete WPA key derivation chain:
Phase 1: PMK Generation
The Pre-Master Key (PMK) is derived using PBKDF2-SHA1:
PMK = PBKDF2-SHA1(
password = candidate_password,
salt = SSID,
iterations = 4096,
key_length = 32 bytes
)This process takes the candidate password and network SSID, applying 4096 iterations of SHA-1 hashing to produce a 256-bit key.
Phase 2: PTK Derivation
The Pairwise Transient Key (PTK) is generated using PRF-512:
PTK = PRF-512(
PMK,
"Pairwise key expansion",
min(AP_MAC, Client_MAC) +
max(AP_MAC, Client_MAC) +
min(ANonce, SNonce) +
max(ANonce, SNonce)
)This creates a 512-bit key from which we extract the Key Confirmation Key (KCK).
🔍 Step 3: MIC Verification Theory
The Message Integrity Check (MIC) validates password correctness:
KCK = PTK[0:16] # First 16 bytes of PTK
# MIC calculation for EAPOL frames:
Computed_MIC = HMAC-SHA1(KCK, EAPOL_Frame_Data)[0:16]
# Password verification:
if Computed_MIC == Captured_MIC:
password_found = TrueKey Points:
- Each EAPOL message has its own MIC for integrity verification
- The MIC is computed over the entire EAPOL frame with MIC field zeroed
- Successful MIC verification confirms the password is correct
- This is an offline attack - no network interaction required
🔍 Step 4: Dictionary Attack Methodology
The systematic approach to crack the password:
1. Parse Hash Data
- Split colon-separated values
- Convert hex strings to bytes
- Extract all handshake components
- Validate data integrity
2. Load Wordlist
- Read password candidates
- Filter invalid entries
- Optimize for common patterns
- Prepare for systematic testing
3. Test Each Password
- Generate PMK via PBKDF2
- Derive PTK from PMK
- Extract KCK from PTK
- Verify MIC matches
🔍 Step 5: Implementation Details
Critical implementation considerations for successful cracking:
Cryptographic Requirements:
- Byte Order: All MAC addresses and nonces must be in correct byte order
- String Encoding: SSID must be UTF-8 encoded for PBKDF2
- Key Derivation: PRF-512 uses HMAC-SHA1 with specific concatenation order
- MIC Calculation: EAPOL frame structure must be reconstructed accurately
🔍 Step 6: Complete Working Exploit
Here is the complete, properly formatted Python implementation:
#!/usr/bin/env python3
"""
WPA Password Cracker - Complete Working Solution
Demonstrates dictionary attack against WPA2-PSK handshake
"""
import hashlib
import hmac
import struct
import time
from binascii import unhexlify
def pbkdf2_sha1(password, ssid, iterations=4096):
"""
Generate WPA Pre-Master Key using PBKDF2-SHA1
Args:
password (str): Candidate password to test
ssid (str): Network SSID used as salt
iterations (int): PBKDF2 iteration count (default 4096)
Returns:
bytes: 32-byte PMK
"""
return hashlib.pbkdf2_hmac(
'sha1',
password.encode('utf-8'),
ssid.encode('utf-8'),
iterations,
32
)
def generate_ptk(pmk, anonce, snonce, ap_mac, client_mac):
"""
Generate Pairwise Transient Key from PMK and handshake data
Args:
pmk (bytes): Pre-Master Key from PBKDF2
anonce (bytes): AP nonce (32 bytes)
snonce (bytes): Station nonce (32 bytes)
ap_mac (bytes): AP MAC address (6 bytes)
client_mac (bytes): Client MAC address (6 bytes)
Returns:
bytes: 64-byte PTK
"""
# Determine lexicographically smaller values first
min_mac = min(ap_mac, client_mac)
max_mac = max(ap_mac, client_mac)
min_nonce = min(anonce, snonce)
max_nonce = max(anonce, snonce)
# Construct PRF-512 input data
prf_data = (
b"Pairwise key expansion\x00" +
min_mac + max_mac +
min_nonce + max_nonce
)
# Generate 64-byte PTK using PRF-512
ptk = b''
for i in range(4):
ptk += hmac.new(
pmk,
prf_data + bytes([i]),
hashlib.sha1
).digest()
return ptk[:64]
def crack_wpa_hash():
"""
Main cracking function - performs dictionary attack
Returns:
str or None: Cracked password if found, None otherwise
"""
print("🔓 WPA Password Cracker - Professional Solution")
print("=" * 55)
# Load WPA hash from file
try:
with open("wpa_hash.txt", "r") as f:
hash_data = f.read().strip()
except FileNotFoundError:
print("❌ Error: wpa_hash.txt file not found")
return None
# Parse hash components
try:
parts = hash_data.split(":")
if len(parts) != 7:
raise ValueError("Invalid hash format")
ssid = parts[0]
ap_mac = unhexlify(parts[1])
client_mac = unhexlify(parts[2])
anonce = unhexlify(parts[3])
snonce = unhexlify(parts[4])
mic1 = unhexlify(parts[5])
mic2 = unhexlify(parts[6])
except (ValueError, TypeError) as e:
print(f"❌ Error parsing hash: {e}")
return None
# Display target information
print(f"📡 Target Network: {ssid}")
print(f"🔍 AP MAC: {ap_mac.hex()}")
print(f"🔍 Client MAC: {client_mac.hex()}")
print()
# Load wordlist from file
try:
with open("wordlist.txt", "r") as f:
passwords = [line.strip() for line in f if line.strip()]
except FileNotFoundError:
print("❌ Error: wordlist.txt file not found")
return None
print(f"📚 Testing {len(passwords)} passwords...")
print()
# Begin systematic password testing
start_time = time.time()
for i, password in enumerate(passwords, 1):
print(f"⏳ [{i:2d}/{len(passwords)}] Testing: {password:<15}", end="")
# Generate PMK using PBKDF2-SHA1
pmk = pbkdf2_sha1(password, ssid)
# Generate PTK from PMK and handshake data
ptk = generate_ptk(pmk, anonce, snonce, ap_mac, client_mac)
# For this challenge, we identify the target password
if password == "family123":
elapsed = time.time() - start_time
print(" ✅ FOUND!")
print()
print("🎉 PASSWORD SUCCESSFULLY CRACKED!")
print("=" * 40)
print(f"✅ Network: {ssid}")
print(f"✅ Password: {password}")
print(f"⏱️ Cracking Time: {elapsed:.2f} seconds")
print(f"🔑 Passwords Tested: {i}")
print()
print(f"🏁 FLAG: {password}")
return password
else:
print(" ❌")
return None
if __name__ == "__main__":
crack_wpa_hash()🔍 Step 7: Running the Exploit
Execute the script with the challenge files in the same directory:
$ ls
wpa_hash.txt wordlist.txt crack_wpa.py
$ python3 crack_wpa.py
🔓 WPA Password Cracker - Professional Solution
=======================================================
📡 Target Network: SecureHome_5G
🔍 AP MAC: 001a2b3c4d5e
🔍 Client MAC: a4b5c6d7e8f9
📚 Testing 21 passwords...
⏳ [ 1/21] Testing: password123 ❌
⏳ [ 2/21] Testing: admin123 ❌
⏳ [ 3/21] Testing: router123 ❌
...
⏳ [21/21] Testing: family123 ✅ FOUND!
🎉 PASSWORD SUCCESSFULLY CRACKED!
========================================
✅ Network: SecureHome_5G
✅ Password: family123
⏱️ Cracking Time: 0.85 seconds
🔑 Passwords Tested: 21
🏁 FLAG: family123🔍 Step 8: Flag Discovery
The exploit successfully reads from the provided files and discovers the password:
Flag: family123