Description
Capture a WPA handshake from the supplied pcap and crack the network key using rockyou.txt. The discovered passphrase becomes the picoCTF flag.
Setup
Fetch the capture file and ensure you have the rockyou.txt wordlist installed (commonly at /usr/share/wordlists/rockyou.txt).
Use aircrack-ng to test each candidate password against the handshake contained in the pcap.
wget https://artifacts.picoctf.net/c/41/wpa-ing_out.pcap
aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-ing_out.pcap
Solution
- Step 1: Run aircrack-ng. The tool automatically identifies the captured handshake frames and begins testing rockyou passwords until one matches. Copy the recovered key.
Learn more
WPA2 (Wi-Fi Protected Access 2) uses the 4-way handshake to establish a session key between a client and an access point. During this handshake, both parties exchange nonces (random values) and prove knowledge of the PSK (Pre-Shared Key) - the Wi-Fi password - by computing a MIC (Message Integrity Code) with key material derived from the PSK via PBKDF2-SHA1. Crucially, the handshake can be captured passively by anyone within radio range.
aircrack-ng is the premier open-source wireless auditing suite. Its core cracking function works by taking a candidate password, computing the same PBKDF2 derivation the access point uses, and checking whether the resulting MIC matches what's in the captured handshake. If it matches, the password is correct. This is an offline attack - once the handshake is captured, cracking proceeds without further interaction with the network.
PBKDF2 (Password-Based Key Derivation Function 2) is deliberately slow, iterating HMAC-SHA1 4096 times (with the SSID as salt) to derive the PMK (Pairwise Master Key) from the password. This makes cracking expensive: a modern GPU can try roughly 500,000 WPA2 passwords per second, compared to billions per second for simple MD5. With rockyou.txt's ~14 million entries, an exhaustive search takes about 30 seconds on a GPU - but against a truly random 12-character password, a dictionary attack is hopeless.
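The PMK derivation described above, written out as an added example (not part of the original writeup or of aircrack-ng): it checks the derivation against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), shows the per-candidate comparison a cracker performs, and estimates how long an exhaustive search takes at the page's 500,000 guesses/second for short versus long random passphrases. The tiny wordlist is constructed for illustration.

```python
import hashlib
import time

WPA_ITERATIONS = 4096   # round count fixed by IEEE 802.11i
PMK_LEN = 32            # the PMK is 256 bits

# Published test vector from IEEE 802.11-2004 Annex H.4 (not from this page)
SPEC_PASSPHRASE = "password"
SPEC_SSID = "IEEE"
SPEC_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID as salt means a PMK computed for one network is useless for another."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), WPA_ITERATIONS, PMK_LEN)


def pmk_matches(candidate: str, ssid: str, target_pmk: bytes) -> bool:
    """The per-wordlist-entry check: derive and compare. A real cracker goes one
    step further and compares the handshake MIC, but the cost is this derivation."""
    return derive_pmk(candidate, ssid) == target_pmk


def first_match(wordlist, ssid: str, target_pmk: bytes):
    """Return the first wordlist entry whose PMK matches, or None."""
    return next((w for w in wordlist if pmk_matches(w, ssid, target_pmk)), None)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase of the given length and alphabet."""
    return alphabet_size ** length / guesses_per_second


def measure_guesses_per_second(samples: int = 20) -> float:
    """Single-core Python rate, to contrast with the page's GPU figure."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate-{i}", SPEC_SSID)   # constructed candidates
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    constructed_wordlist = ["123456", "letmein", "password", "qwerty"]
    print("spec vector ok:", derive_pmk(SPEC_PASSPHRASE, SPEC_SSID) == SPEC_PMK)
    print("found in wordlist:", first_match(constructed_wordlist, SPEC_SSID, SPEC_PMK))
    print(f"this host: {measure_guesses_per_second():.0f} guesses/s")
    gpu = 500_000  # the page's GPU rate
    print(f"8 digits @GPU: {seconds_to_exhaust(10, 8, gpu):.0f} s")
    print(f"20 random printable chars @GPU: {seconds_to_exhaust(95, 20, gpu):.2e} s")
```

The last two lines show the gap the recommendations below rely on: an 8-digit PIN falls in minutes, while 95^20 candidates at half a million per second is far beyond any feasible search.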
- Step 2: Wrap as picoCTF flag. Place the cracked password inside picoCTF{...} to form the final answer as instructed in the prompt.
Learn more
rockyou.txt is the most famous password wordlist in the security community. It was leaked in 2009 from the RockYou social gaming site, which stored ~32 million user passwords in plaintext. The list covers the most commonly chosen passwords across millions of real users, making it highly effective against human-chosen passwords. It ships by default with Kali Linux at /usr/share/wordlists/rockyou.txt.gz (decompress with gunzip before use).
Wireless security recommendations: The successful crack here demonstrates why WPA2-PSK with a short or common password is dangerous. Best practices include:
- Use a passphrase of at least 20 random characters to make dictionary and brute-force attacks infeasible
- Prefer WPA3, which uses Simultaneous Authentication of Equals (SAE) instead of PSK - resistant to offline dictionary attacks even with a captured handshake
- For enterprise environments, use WPA2/3-Enterprise with RADIUS authentication and per-user credentials rather than a shared PSK
- Regularly rotate the PSK, especially after staff changes
Legal note: Capturing Wi-Fi traffic and cracking handshakes is only legal on networks you own or have explicit permission to test. Unauthorized interception of wireless communications is illegal in most jurisdictions under computer fraud and wiretapping laws.
Flag
picoCTF{mick...}
Aircrack-ng prints the recovered PSK explicitly; use that exact text between picoCTF{...}.