Beyond Cracking the Handshake: A Technical Analysis of WPA2 Weaknesses and Router Exposure

In this modern era, the internet is no longer a luxury; it is a utility. Wireless networks serve as the primary gateway to this utility, offering anytime, anywhere connectivity. However, this convenience often comes at the cost of security.

In this article, we will examine the anatomy of a wireless breach.

We will explore how attackers exploit weak passphrases and leverage Open Source Intelligence (OSINT) to identify default credentials for router admin portals.

But before we dive into the offensive side, we must establish a technical foundation by understanding the evolution of wireless security and the framework that governs it today.

Wireless Security Protocols

Wireless security falls into two distinct eras: Pre-RSN and RSN.

The Legacy Era (Pre-RSN)

• WEP (Wired Equivalent Privacy): The original 802.11 security standard. WEP aimed to provide confidentiality comparable to a wired network using the RC4 stream cipher. However, it relied on short Initialisation Vectors (IVs) and static keys, making it trivial to crack using statistical analysis.

The Robust Security Network (RSN) Era

Defined by the IEEE 802.11i amendment, the RSN framework replaced WEP with a scalable, modular security architecture.

• WPA (Wi-Fi Protected Access): A measure designed to run on legacy WEP hardware. It introduced TKIP (Temporal Key Integrity Protocol) and the 4-Way Handshake, but still relied on the vulnerable RC4 cipher.
• WPA2: The first protocol to implement the full RSN framework. It replaced RC4 with AES-CCMP, providing significantly stronger encryption and integrity. While robust, WPA2-PSK remains vulnerable to offline dictionary attacks and the KRACK (Key Reinstallation Attack) vulnerability.
• WPA3: The current gold standard. It enhances RSN with SAE (Simultaneous Authentication of Equals), utilising the Dragonfly Key Exchange. SAE also provides forward secrecy, rendering captured handshakes useless for offline cracking.

Now, let’s take a look behind the scenes of the RSN Framework.

The RSN Framework

The RSN framework follows a strict six-step process to move a client from an unauthenticated state to a secure, encrypted session.

1. Discovery

The Access Point (AP) advertises its security capabilities (cipher suites and AKM (Authentication and Key Management) types) via Beacon frames. The Station (client) identifies these via Beacons or by sending Probe Requests.

2. 802.11 Authentication and Association

A legacy handshake where the client and AP agree to communicate.

The process typically uses Open System Authentication, which is essentially a “null” step that allows any device to proceed to the next phase.

3. Identity Authentication and PMK Derivation

Here, the two parties derive the shared secret Pairwise Master Key (PMK).

• WPA-Enterprise: Uses 802.1X/EAP. The client and a RADIUS (Remote Authentication Dial-In User Service) server perform mutual authentication, resulting in a Master Session Key (MSK), which then derives the PMK.
• WPA-Personal (PSK): The PMK is derived locally using the PBKDF2 (Password-Based Key Derivation Function 2) algorithm, which hashes the network SSID and the passphrase together.

4. The 4-Way Handshake

This phase confirms that both parties possess the same PMK without ever sending it over the air. It derives the Pairwise Transient Key (PTK) to encrypt unicast traffic.

• Msg 1 (AP → STA): AP sends a random value (ANonce).
• Msg 2 (STA → AP): STA generates its own SNonce, derives the PTK, and sends the SNonce and a Message Integrity Check (MIC).
• Msg 3 (AP → STA): AP verifies the MIC, derives the PTK, and sends a command to install the keys, including the encrypted Groupwise Transient Key (GTK).
• Msg 4 (STA → AP): STA acknowledges the installation.

5. Group Key Handshake

If not handled during the 4-Way Handshake, the AP uses this to distribute the GTK (derived from the Groupwise Master Key) to protect broadcast and multicast traffic.

6. Secure Data Transfer

With encryption keys installed, the controlled 802.1X ports become accessible. Traffic now travels encapsulated in AES-CCMP (or TKIP in legacy environments), ensuring data confidentiality and integrity.

Now that you understand the “How” of wireless defence, let us look at how an attacker breaks it.

Offence: Attacking WPA2-Personal Network

The target mentioned in the scenario below is a WPA2-Personal network. While widely used, it is fundamentally vulnerable to offline attacks.

But why is a protocol using Advanced Encryption Standard (AES) so easy to compromise?

The Vulnerability

In a WPA2-Personal, every device shares a single Pre-Shared Key (PSK) or passphrase. To turn that readable passphrase into a 256-bit Pairwise Master Key (PMK), the system uses the PBKDF2 (Password-Based Key Derivation Function 2) algorithm.

The two key inputs in this function are:

1. The Passphrase (The unknown variable)
2. The SSID (The “salt” that makes the hash unique to the network)

The vulnerability lies in the fact that the Message Integrity Check (MIC), found in the second message of the 4-way handshake, is essentially a validator.

An attacker doesn’t need to stay connected to your network to crack it. Once they capture a handshake (or a PMKID), they can take that data home and guess millions of passwords per second. If their guessed password produces a MIC that matches the one they captured, they’ve found your key.

Unlike online attacks, where the AP can detect and block repeated authentication attempts, offline attacks have no rate limiting; attackers can test billions of passwords on their own hardware without ever touching your network again.

The Setup

For the below demonstrations, I am using a Raspberry Pi Zero W in a headless (no monitor) configuration. Instead of traditional tools like airodump-ng, which are largely passive, I am utilising hcxdumptool from the hcxtools.

Unlike older tools, hcxdumptool actively targets reconnaissance. It does not just wait for a user to log in; it can request a PMKID (Pairwise Master Key Identifier) directly from the Access Point, making this a clientless attack; however, capturing the PMKID falls beyond the scope of this post, as most modern routers do not support PMKID caching, and neither does my target.

In order to use the hcxdumptool you need to install the hcxtools suite:

sudo apt install hcxtools

The demonstration below follows a structured three-stage kill chain:

1. Capture and Crack: Use hcxdumptool and hashcat to intercept the WPA handshake and perform an offline brute-force attack.
2. Lateral Movement: Once authenticated, scan the internal network to identify the IP of the router and active services using nmap, and research the router model/brand to identify default factory credentials and known backdoors.
3. Exploitation: Access the web management portal to gain full control over the network traffic.

Now, let’s get hands-on…

Capture and Crack

Before we start, a quick reminder of the prerequisites:

• Basic Linux understanding
• A wireless adapter capable of monitor mode and packet injection
• For detailed requirements, refer to the official hcxdumptool documentation

Hardware Verification:

Since I am running hcxdumptool on my Raspberry Pi Zero W, I first need to ensure the wireless adapter is recognised:

lsusb

Service Management:

Usually, you should kill the wpa_supplicant and NetworkManager processes. However, since I am connected to my Pi via SSH, stopping these services globally would kill my connection and lock me out.

Instead, I will tell NetworkManager to ignore only the specific interface I am using for the pentest. This approach keeps the service running for my SSH connection but gives me full control over the target card:

sudo nmcli device set <interface> managed no

Alternatively, if you don’t have a similar issue, you can run these commands:

List all the actively running services:

sudo systemctl --type=service --state=running

Once found, stop the services:

sudo systemctl stop NetworkManager.service
sudo systemctl stop wpa_supplicant.service

Now, let’s verify the interface:

ip address

Switching To Monitor Mode:

It’s necessary to switch to monitor mode using hcxdumptool itself rather than third-party tools like iw or airmon-ng, ensuring that no other services interfere, as hcxdumptool requires exclusive, low-level access to the driver, and you don't exactly know what the third-party tools do when switching to monitor mode:

sudo hcxdumptool -m <interface>

Capturing Handshake

The first step is gathering intelligence. You cannot hack what you cannot see. I’ll perform an active rcascan (radio channel assignment scan) on all frequencies to discover nearby networks:

sudo hcxdumptool -i <interface> --rcascan=active -F

Now it’s time to target the network. By default, hcxdumptool interacts with every device nearby, sending deauth frames, which can cause network stability issues or even irreparable damage to unintended targets.

To avoid this, we use a BPF (Berkeley Packet Filter).

But what is BPF?

BPF is a kernel-level filtering language that acts like a small virtual machine inside the kernel. It allows for highly efficient, real-time traffic filtering. While it’s technically legacy (succeeded by eBPF), it remains the standard for raw packet tools.

Considering now I have the BSSID and channel of the target, I can go ahead and compile a BPF using the built-in BPF compiler within hcxdumptool itself:

hcxdumptool --bpfc="wlan addr3 <target_bssid> or wlan addr3 ffffffffffff" > target.bpf

Anatomy of the BPF:

A BPF filter consists of primitives and qualifiers. Primitives are the building blocks that reference fields in a packet. These primitives consist of an ID, like a name or number, preceded by one or more qualifiers. Qualifiers tell what the primitives (ID) actually represent. There are three types of qualifiers:

1. Type → These tell the type of the primitive, e.g., host, net, port, portrange, etc.

2. Dir → Or direction, specifies direction of traffic in relation to the ID, e.g., src, dst

3. Proto → Or protocol, restricts match to a specific protocol, e.g., ether, ip, tcp, udp, arp

In the above case:

• wlan : is a proto qualifier (802.11)

• addr3 : is a type qualifier (addr3 represents BSSID)

• or : is a logical operator combining two filters

• ffffffffffff : is a Broadcast address

This filter explicitly tells the kernel to filter traffic where the 802.11 header’s third address field is either my specific Access Point OR a broadcast address.

Launching the attack:

Now, I can start attacking my target. To capture the handshake, I will be using rds (real-time display sorting), which sorts data in real time to keep track. The important thing to remember here is you don’t want to attack anything outside your scope of authorised targets. Even though I used active deauthentication to force a handshake, alternatively, you can go less aggressive by using --disable_deauthentication and running hcxdumptool as a passive tool waiting for natural associations, this is best for capturing PMKID or clientless handshake capturing.

sudo hcxdumptool -i <interface> -c <channel>a -w <output> --rds=1 --bpf=target.bpf

Here --rds=1 sorts the data by the status of the latest EAPOL/PMKID capture.

The top section shows the information regarding the AP. Here, a plus (+) under:

• R: Target is within range

• 1: Got EAPOL M1 from the target

• S: AP uses a hash mode supported by hashcat or jtr (John the Ripper)

• 3: We got an authorised handshake (either M1M2M3 or M1M2M3M4)

• P: We got a PMKID from the AP

In my case, the P column is empty, indicating no PMKID sent. The plus (+) under 3 indicates a handshake has been successfully captured, which either Hashcat or John the Ripper can work with, and the associated client is now visible in the bottom section with a plus (+) under 2 which means M1M2 of the handshake has been captured.

Converting the Handshake:

Before cracking, I need to convert the captured handshake into .hc22000 format compatible with hashcat. I used hcxpcapngtool from hcxtools:

hcxpcapngtool -o <output.hc22000> <input.pcapng/pcap>

In the summary section provided by hcxpcapngtool, we can verify whether the handshake is usable by checking whether the EAPOL pairs are nonzero, making the handshake ready for cracking.

Now, it’s time to crack…

Cracking Handshake

In short, cracking refers to the systematic guessing of all possible keyspaces ( combinations ) for a given password, so instead of manually incrementing through the alphabet and numbers, you are using rulesets, algorithms and computational power.

With the handshake captured and converted to .hc22000 format, it’s time to perform an offline brute-force attack using Hashcat.

Through basic reconnaissance, I discovered that my local ISP assigns default Wi-Fi passwords based on the customer’s 10-digit phone number. Most users never change this because:

• It’s 10 characters long (seems secure)
• It’s easy to remember
• It consists of “random” numbers

The use of a weak, guessable password is a classic case of choosing convenience over security.

A 10-digit numeric password has a keyspace of only 10 billion combinations ( 10¹⁰ ), which is trivially small for modern GPU-accelerated cracking.

Based on this, I used hashcat with a mask attack to target the exact pattern:

hashcat --session wpa_crack -a 3 -m 22000 -w 3 <path/to/file.hc22000> ?d?d?d?d?d?d?d?d?d?d

Parameters:

• -a 3 : Mask attack mode (brute-force with a pattern)

• -m 22000 : WPA-PBKDF2-PMKID+EAPOL hash mode

• -w 3 : High workload profile ( 90% GPU utilisation)

• ?d?d?d?d?d?d?d?d?d?d : Ten digits (0–9)

To view the cracked password, I can use the --show parameter with the .hc22000 file:

hashcat -m 22000 <path/to/file.hc22000> --show

While this took me 5 to 7 hours of running hashcat, depending on the hardware and the entropy of your password, it can take more or less time.

Now, with a foothold on the network…it’s time for some lateral movement.

Lateral Movement

According to the OWASP IoT Top 10, the #1 vulnerability in IoT devices is weak, guessable, or hardcoded passwords. Routers are prime examples of this; they ship with default credentials that users rarely change.

Default credential exploitation falls under lateral movement techniques, these are methods adversaries use to enter and control remote systems on a network. This phase typically enables Discovery (mapping the internal network) and Collection (gathering sensitive data).

MITRE ATT&CK ICS Technique: T0812 — Default Credentials

Default credentials normally appear in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.

Now, my objective is to access the router’s control panel by exploiting the default credentials.

Network Enumeration

Before searching for the default credentials, there are two things to do:

1. Find an entry point to the router’s control panel
2. Get the router’s model/brand name

The gateway IP (router’s IP) is typically XXX.XXX.X.1. There are multiple ways to find it:

Method 1: Using the ip command

ip route show

This not only provides the gateway IP but also the network range.

Method 2: Network scanning with nmap

sudo nmap -sn <ip_range>

Network scanning is a valuable opportunity to map the entire network in order to identify all connected devices. This scan can reveal not only the gateway IP but, in some cases, also the router model/brand (via MAC address vendor lookups).

With the gateway IP identified, I then scanned for open ports and services:

sudo nmap -sV <gateway_ip>

The above result confirms that a web interface is accessible on port 80/443.

Since the target never changed their default PSK (the ISP-assigned phone number), it's reasonable to assume they also left the router's admin credentials at factory defaults.

Users who ignore one security recommendation tend to ignore others.

Now, it's time for some OSINT…

OSINT

Open Source Intelligence (OSINT) refers to gathering information from publicly available sources, which can range from social media posts to documents accidentally exposed online.

A few of the common sources you can get default credentials from are:

• Tools: CIRT.net, RouterPasswords.com
• Official documentation: Manufacturer manuals and setup guides
• Community forums: Reddit, tech support forums, user wikis

I started with a simple Google dork:

"<router_model/brand>" default password

I found several defaults from various official and unofficial sources, but none of them worked. After exhausting the usual sources, I turned to Reddit.

I found a thread where someone had the same router brand and issue ,  none of the “official” default passwords worked for them either. They tried every combination with no luck.

Then I spotted a comment buried in the thread. Someone mentioned trying a variant of the default. I gave it one last shot and…it worked…

Exploitation

With access to the router’s control panel, numerous attack vectors become available. A few examples include:

• Bypassing the firewall by manually tampering with rules

• Uploading self-signed certificates to the router’s trusted CA store (ineffective against modern browsers with certificate pinning)

• Performing man-in-the-middle attacks via DNS poisoning

• Modifying DHCP settings to redirect traffic through attacker-controlled servers

• Installing backdoors in firmware or creating persistent access

However, since my authorised scope ends here, I won’t be changing any of the configurations. Instead, I will use this target as a live example of how to secure a network based on the CISA Project Upskill checklist…

Defence: Securing Your Router

1. Change Your Router Login and Username

As we’ve seen, default credentials are the easiest way for hackers to get in. Change the access control credentials immediately to something strong and unique.

2. Change Your Default SSID

Don’t leave manufacturer defaults (e.g., “NETGEAR-5G”) or use personal information (address, name). Both help attackers identify and target you.

Change it to something unique but non-identifying. The SSID is used as salt in the password hashing algorithm (PBKDF2), so a unique SSID adds an extra layer of security.

Example: “Nebula-7849” or “Cascade-River”

You can also hide the SSID by disabling broadcasting. While this makes your network invisible to devices scanning for networks in range, skilled attackers can still find it using tools like hcxdumptool.

3. Change Your Wi-Fi Password

Password is your frontline defence. A good strategy is to combine 5–7 words into a passphrase; more on this in the conclusion.

4. Upgrade Your Encryption

If your router supports it, move to WPA3 Personal. If not, ensure you are using WPA2-AES. Avoid “TKIP” or “WEP.”

5. Review Remote Management Settings

Many routers have features allowing remote access or ISP auto-configuration.

This target had TR-069 (Technical Report 069) enabled, a protocol ISPs use for remote configuration and to push firmware updates. While convenient, it’s a security trade-off.

6. Enable Automatic Firmware Updates

Check for router firmware updates and set up automatic updates if possible. Keep your firmware up to date to avoid known vulnerabilities.

7. Disable WPS (Wi-Fi Protected Setup)

WPS is a convenience feature designed to simplify device connections without requiring a password. It has a critical design flaw that allows brute-force attacks. Disable it entirely.

8. Disable UPnP (Universal Plug and Play)

UPnP enables devices to automatically open ports in your router without any authentication. While convenient for gaming consoles and smart devices, it means malware on any device can expose your network to the internet.

Disable it unless you have NAT issues with online gaming.

These steps secure your router by reducing the attack surface and disabling non-essential features such as UPnP.

Additionally:

• Enable and configure your firewall to block unsolicited WAN traffic

• Audit open ports, ensure no unnecessary ports are exposed to the internet

Now, it’s time to wrap it up…

Conclusion

We have seen how an attacker can gain unauthorised access to a Wi-Fi network by capturing a WPA handshake and exploiting a weak password. We’ve also seen how that initial foothold allows for lateral movement, leading to full administrative control of a router through default credentials.

By comparing our target’s configuration to the CISA Project Upskill checklist, we secured the network by disabling non-essential features such as WPS, UPnP, and similar features, and by using secure and unique credentials.

However, the biggest lesson here is that security is rarely just a technical problem; it is a human one. It’s about how we interact with technology. A captured handshake is useless if the password is long enough, and lateral movement is stalled the moment an attacker hits a unique, non-default admin login. Convenience almost always comes at the cost of security.

Passwords: Your Frontline Defence

Passwords are your frontline defence. A weak password is similar to having a wooden door for a highly secured vault, a skilled thief can break it down with little effort.

To build a better door, you need two things: memorability and entropy (randomness).

To aid your memory:

Use “cues.” A semantic cue could be a line from a favourite poem; an episodic cue could be a specific memory or an unspoken opinion, while an environmental cue could be the tree outside your office. The goal is to trigger your memory without using information that is publicly associated with you.

Password length requirements:

According to NIST SP 800–63B, when passwords are used as single-factor authentication (which WPA2/WPA3 are), a minimum of 15 characters is required. The 8-character minimum only applies when multi-factor authentication (MFA) is present.

This isn’t arbitrary: as demonstrated in this guide, offline attacks against WPA2 have no rate limiting. A 15-character password exponentially increases crack time compared to shorter passwords.

To increase complexity:

You could transform phrases by shifting letters or replacing characters with symbols (a → @). However, modern cracking tools expect these transformations, making them harder to remember without adding significant security. According to the latest NIST publication, password length matters more than complexity; a combination of 5–7 words can be a better choice.

Password Managers: The Practical Solution

With the sheer number of accounts we manage today, doing this manually is overwhelming and honestly not recommended. Research shows that humans are statistically poor at choosing passwords.

Good password managers allow you to maintain unique, high-entropy passwords for every individual site without needing to remember any; the drawback, however, is trusting a third party with all your passwords.

A Risk-Based Approach

A good strategy is to perform a risk analysis: list all your accounts and assess what an attacker could gain.

• For low-risk accounts (gaming, forums) : use a password manager

• For high-risk accounts (banking, encrypted drives containing confidential data) : consider using manually created, memorable passphrases

This balances security, convenience, and trust.

https://hackernoon.com/youve-learned-to-break-wi-fi-now-learn-to-lock-it-down?embedable=true

Until next time, stay safe and stay secure.