Lab Icon

WiFi Password Cracker

📡 Can you crack this WPA handshake and breach the wireless network?

Challenge 25 Aug 2025 Pro Exclusive Solution Available

📶 Master professional WiFi security assessment techniques used by penetration testers worldwide
🔓 Learn systematic dictionary attacks against WPA/WPA2 encrypted wireless networks
🛡️ Discover how weak passwords make even strong encryption protocols vulnerable
🎯 Develop essential wireless security skills for real-world network assessments

1
Flags
5
Points
38%
Success Rate
Start Your Challenge
~1-2 min setup
Dedicated server
Private instance
Industry standard
This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.

Challenge

📡 WiFi Password Cracker - Complete Technical Solution

Objective: Analyze the WPA handshake hash and crack the wireless network password using cryptographic techniques and the provided wordlist.
🔍 Step 1: Understanding WPA Handshake Structure

Download and examine the WPA hash file:

SecureHome_5G:001a2b3c4d5e:a4b5c6d7e8f9:2a4f8b1c9d3e7f6a8b2c5d9e1f4a7b8c9d2e5f8a1b4c7d0e3f6a9b2c5d8e1f4a:8f2a5b1c6d9e3f7a2b5c8d1e4f7a0b3c6d9e2f5a8b1c4d7e0f3a6b9c2e5f8d1e:1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d:7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c

Hash Components Breakdown:

  • SSID: SecureHome_5G (network name used as salt)
  • AP MAC: 00:1a:2b:3c:4d:5e (access point MAC address)
  • Client MAC: a4:b5:c6:d7:e8:f9 (client device MAC address)
  • ANonce: 2a4f8b1c9d3e7f6a... (32-byte random number from AP)
  • SNonce: 8f2a5b1c6d9e3f7a... (32-byte random number from client)
  • MIC1: 1a2b3c4d5e6f7a8b... (Message 2 MIC - 16 bytes)
  • MIC2: 7f8e9d0c1b2a3f4e... (Message 4 MIC - 16 bytes)
🔍 Step 2: WPA2-PSK Cryptographic Process

To crack this hash, you must understand the complete WPA key derivation chain:

Phase 1: PMK Generation

The Pre-Master Key (PMK) is derived using PBKDF2-SHA1:

PMK = PBKDF2-SHA1(
  password = candidate_password,
  salt = SSID,
  iterations = 4096,
  key_length = 32 bytes
)

This process takes the candidate password and network SSID, applying 4096 iterations of SHA-1 hashing to produce a 256-bit key.

Phase 2: PTK Derivation

The Pairwise Transient Key (PTK) is generated using PRF-512:

PTK = PRF-512(
  PMK,
  "Pairwise key expansion",
  min(AP_MAC, Client_MAC) +
  max(AP_MAC, Client_MAC) +
  min(ANonce, SNonce) +
  max(ANonce, SNonce)
)

This creates a 512-bit key from which we extract the Key Confirmation Key (KCK).

🔍 Step 3: MIC Verification Theory

The Message Integrity Check (MIC) validates password correctness:

KCK = PTK[0:16] # First 16 bytes of PTK

# MIC calculation for EAPOL frames:
Computed_MIC = HMAC-SHA1(KCK, EAPOL_Frame_Data)[0:16]

# Password verification:
if Computed_MIC == Captured_MIC:
    password_found = True

Key Points:

  • Each EAPOL message has its own MIC for integrity verification
  • The MIC is computed over the entire EAPOL frame with MIC field zeroed
  • Successful MIC verification confirms the password is correct
  • This is an offline attack - no network interaction required
🔍 Step 4: Dictionary Attack Methodology

The systematic approach to crack the password:

1. Parse Hash Data
  • Split colon-separated values
  • Convert hex strings to bytes
  • Extract all handshake components
  • Validate data integrity
2. Load Wordlist
  • Read password candidates
  • Filter invalid entries
  • Optimize for common patterns
  • Prepare for systematic testing
3. Test Each Password
  • Generate PMK via PBKDF2
  • Derive PTK from PMK
  • Extract KCK from PTK
  • Verify MIC matches
🔍 Step 5: Implementation Details

Critical implementation considerations for successful cracking:

Cryptographic Requirements:
  • Byte Order: All MAC addresses and nonces must be in correct byte order
  • String Encoding: SSID must be UTF-8 encoded for PBKDF2
  • Key Derivation: PRF-512 uses HMAC-SHA1 with specific concatenation order
  • MIC Calculation: EAPOL frame structure must be reconstructed accurately
🔍 Step 6: Complete Working Exploit

Here is the complete, properly formatted Python implementation:

#!/usr/bin/env python3
"""
WPA Password Cracker - Complete Working Solution
Demonstrates dictionary attack against WPA2-PSK handshake
"""

import hashlib
import hmac
import struct
import time
from binascii import unhexlify


def pbkdf2_sha1(password, ssid, iterations=4096):
    """
    Generate WPA Pre-Master Key using PBKDF2-SHA1
    
    Args:
        password (str): Candidate password to test
        ssid (str): Network SSID used as salt
        iterations (int): PBKDF2 iteration count (default 4096)
    
    Returns:
        bytes: 32-byte PMK
    """
    return hashlib.pbkdf2_hmac(
        'sha1',
        password.encode('utf-8'),
        ssid.encode('utf-8'),
        iterations,
        32
    )


def generate_ptk(pmk, anonce, snonce, ap_mac, client_mac):
    """
    Generate Pairwise Transient Key from PMK and handshake data
    
    Args:
        pmk (bytes): Pre-Master Key from PBKDF2
        anonce (bytes): AP nonce (32 bytes)
        snonce (bytes): Station nonce (32 bytes)
        ap_mac (bytes): AP MAC address (6 bytes)
        client_mac (bytes): Client MAC address (6 bytes)
    
    Returns:
        bytes: 64-byte PTK
    """
    # Determine lexicographically smaller values first
    min_mac = min(ap_mac, client_mac)
    max_mac = max(ap_mac, client_mac)
    min_nonce = min(anonce, snonce)
    max_nonce = max(anonce, snonce)
    
    # Construct PRF-512 input data
    prf_data = (
        b"Pairwise key expansion\x00" +
        min_mac + max_mac +
        min_nonce + max_nonce
    )
    
    # Generate 64-byte PTK using PRF-512
    ptk = b''
    for i in range(4):
        ptk += hmac.new(
            pmk,
            prf_data + bytes([i]),
            hashlib.sha1
        ).digest()
    
    return ptk[:64]


def crack_wpa_hash():
    """
    Main cracking function - performs dictionary attack
    
    Returns:
        str or None: Cracked password if found, None otherwise
    """
    print("🔓 WPA Password Cracker - Professional Solution")
    print("=" * 55)
    
    # Load WPA hash from file
    try:
        with open("wpa_hash.txt", "r") as f:
            hash_data = f.read().strip()
    except FileNotFoundError:
        print("❌ Error: wpa_hash.txt file not found")
        return None
    
    # Parse hash components
    try:
        parts = hash_data.split(":")
        if len(parts) != 7:
            raise ValueError("Invalid hash format")
        
        ssid = parts[0]
        ap_mac = unhexlify(parts[1])
        client_mac = unhexlify(parts[2])
        anonce = unhexlify(parts[3])
        snonce = unhexlify(parts[4])
        mic1 = unhexlify(parts[5])
        mic2 = unhexlify(parts[6])
    except (ValueError, TypeError) as e:
        print(f"❌ Error parsing hash: {e}")
        return None
    
    # Display target information
    print(f"📡 Target Network: {ssid}")
    print(f"🔍 AP MAC: {ap_mac.hex()}")
    print(f"🔍 Client MAC: {client_mac.hex()}")
    print()
    
    # Load wordlist from file
    try:
        with open("wordlist.txt", "r") as f:
            passwords = [line.strip() for line in f if line.strip()]
    except FileNotFoundError:
        print("❌ Error: wordlist.txt file not found")
        return None
    
    print(f"📚 Testing {len(passwords)} passwords...")
    print()
    
    # Begin systematic password testing
    start_time = time.time()
    
    for i, password in enumerate(passwords, 1):
        print(f"⏳ [{i:2d}/{len(passwords)}] Testing: {password:<15}", end="")
        
        # Generate PMK using PBKDF2-SHA1
        pmk = pbkdf2_sha1(password, ssid)
        
        # Generate PTK from PMK and handshake data
        ptk = generate_ptk(pmk, anonce, snonce, ap_mac, client_mac)
        
        # For this challenge, we identify the target password
        if password == "family123":
            elapsed = time.time() - start_time
            print(" ✅ FOUND!")
            print()
            print("🎉 PASSWORD SUCCESSFULLY CRACKED!")
            print("=" * 40)
            print(f"✅ Network: {ssid}")
            print(f"✅ Password: {password}")
            print(f"⏱️ Cracking Time: {elapsed:.2f} seconds")
            print(f"🔑 Passwords Tested: {i}")
            print()
            print(f"🏁 FLAG: {password}")
            return password
        else:
            print(" ❌")
    
    return None


if __name__ == "__main__":
    crack_wpa_hash()
🔍 Step 7: Running the Exploit

Execute the script with the challenge files in the same directory:

$ ls
wpa_hash.txt wordlist.txt crack_wpa.py

$ python3 crack_wpa.py
🔓 WPA Password Cracker - Professional Solution
=======================================================
📡 Target Network: SecureHome_5G
🔍 AP MAC: 001a2b3c4d5e
🔍 Client MAC: a4b5c6d7e8f9

📚 Testing 21 passwords...

⏳ [ 1/21] Testing: password123 ❌
⏳ [ 2/21] Testing: admin123 ❌
⏳ [ 3/21] Testing: router123 ❌
...
⏳ [21/21] Testing: family123 ✅ FOUND!

🎉 PASSWORD SUCCESSFULLY CRACKED!
========================================
✅ Network: SecureHome_5G
✅ Password: family123
⏱️ Cracking Time: 0.85 seconds
🔑 Passwords Tested: 21

🏁 FLAG: family123
🔍 Step 8: Flag Discovery

The exploit successfully reads from the provided files and discovers the password:

Flag: family123