Four-way Handshake in WPA-Personal (WPA-PSK)
This book is a very good resource on wireless security. This section explains the details of the four-way handshake, but you really need to read the whole chapter to understand it.
Both WPA2-PSK and WPA2-EAP result in a Pairwise Master Key (PMK) known to both the supplicant (client) and the authenticator (AP). (In PSK the PMK is derived directly from the password, whereas in EAP it is a result of the authentication process.) The four-way WPA2 handshake essentially makes the supplicant and authenticator prove to each other that they both know the PMK, and creates the temporal keys used to actually secure network data.
Capturing the four-way handshake will not divulge the PMK or PSK (since capturing the handshake is trivial over wireless this would be a major vulnerability). The PMK isn't even sent during the handshake, instead it is used to calculate a Message Integrity Check (MIC). You basically need to perform a dictionary or bruteforce attack on the handshake until you find a password which results in the same MIC as in the packets.
The four way handshake is actually very simple, but clever:
- The AP sends a value to the Client. (This is not protected in any way).
- The client generates a key and sends back its own random value and as code to verify that value using the value that the AP sent.
- The AP generates a key and if needed sends back a group key and another verification code.
- The Client sends back a message to confirm everything is okay.
It is actually really hard to crack the key using this method, it would take roughly 4 million years to break the key using brute force. If you still want to try I have attached a guide linking directly to the crack page, this guide also details how to find the handshake packets.
http://www.smallnetbuilder.com/wireless/wireless-howto/30278-how-to-crack-wpa--wpa2?start=4
what you normally configure on the UI is called a passphrase. The 256 bit Master key (PMK) is generated using a combination of passphrase and the SSID (the network name that u connect to). However this PMK is not exchanged during the handshake (well, both parties have that already). What is exchanged are a couple of Nonce values (random numbers). AP sends A-Nonce in message1. Station sends S-Nonce in message 2.
The session key is generated using a combination of things: The 2 Nonces + PMK + and Mac address.
From sniffer traces u can gather Macs, the SSID and the Nonces but not the PMK.
If you want to break that u ll need to break the encryption cipher that is used underneath (AES/RC4).
Good luck with that! and let me know if you manage it.
However if you already have the passphrase then there are tools that can give you the decrypted version of the packet capture. Wireshark or Omnipeek already have the provision for this (newer versions, just update).