How do hackers or remote attackers obtain the WPA or WPA2 Handshake from a wireless access point easily?
By launching a WiFi bomb, they can force every user to disconnect from the access point for a few seconds.
Their software then waits for the clients to reconnect automatically and sniffs the connection handshake as they do.
They can then go to another location and safely brute-force the captured handshake offline against a wordlist of a billion entries.
When a connection is first established between two modems, the two sides spend a brief period negotiating the restrictions and boundaries of the communication.
The infamous "squealing" noise that people hear from old dial-up modems with speaker outputs (a sound whose pitch changes a hundred times every second) is the audible manifestation of two modems engaging in this handshake process before the connection is successfully made.
Once all the parameters have been agreed upon, they are used to provide streamlined information transmission over the channel, in line with its capacity and quality.
Although handshakes are more often than not what hackers need to capture in order to gain unauthorized access to systems and networks (or, at the very least, to get free, high-quality WiFi superior to that found in coffee shops and libraries), the handshake is a necessary and unavoidable step in ensuring smooth connections between two otherwise different and normally mismatched systems.
In turn, a Wi-Fi Protected Access or WPA handshake is used to keep intruders and unauthorized users from accessing the network (e.g., a four-way Temporal Key Integrity Protocol or TKIP handshake, with TKIP being one of several encryption algorithms that WPA supports).
As for using WPA handshakes as the basis for a security breach, there are a variety of methods suited to this hacking task.
A hacker who wants to capture a four-way TKIP handshake without any help will probably have to observe wireless traffic for hours on end, patiently waiting for a client to join the network. An easier way to capture handshakes for hacking purposes involves a hacking tool called Aircrack-ng and the forced deauthentication of a connected client PC, so that the client reconnects to the access point exactly when the attacker wants it to.
Ironically enough, it's during the procedure in which the encrypted WPA key is re-exchanged that a connection is most vulnerable to attack: the very process needed to protect a network can open it up, like barging into a house while someone is in the middle of bolting the locks on his doors.
Once the full authentication handshake between the client and the access point has been captured, the hacker can decrypt the information behind the handshake, giving him the key to access the previously impenetrable network.
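As an added defender-side example (not part of the original article), the following Python flags the forced-disconnect pattern described above in a constructed frame log: a burst of deauthentication frames for one BSSID followed shortly by a fresh EAPOL exchange as clients return. The frame tuple layout, BSSIDs and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample log of 802.11 frames: (time_s, subtype, bssid, dst).
# Legitimate roaming produces an occasional deauth; a forced-disconnect burst
# produces many in under a second, then a fresh EAPOL 4-way exchange.
SAMPLE_FRAMES = (
    [(5.0, "deauth", "bb:bb:bb:bb:bb:bb", "ff:ff:ff:ff:ff:ff")]
    + [(100.0 + i * 0.04, "deauth", "aa:aa:aa:aa:aa:aa", "ff:ff:ff:ff:ff:ff")
       for i in range(12)]
    + [(101.2 + i * 0.1, "eapol", "aa:aa:aa:aa:aa:aa", "cc:cc:cc:cc:cc:c1")
       for i in range(4)]
    + [(150.0, "beacon", "bb:bb:bb:bb:bb:bb", "ff:ff:ff:ff:ff:ff")]
)


def detect_deauth_bursts(frames, window_s=2.0, threshold=10, followup_s=10.0):
    """Flag BSSIDs seeing >= threshold deauth/disassoc frames inside window_s.

    Returns {bssid: {"burst_at": t, "handshake_after_burst": bool}}. The bool
    is True when EAPOL frames for that BSSID appear within followup_s of the
    burst, i.e. the disconnect was followed by a fresh handshake (thresholds
    are illustrative assumptions, not tuned values).
    """
    recent = defaultdict(deque)   # per-BSSID sliding window of deauth times
    alerts = {}
    for ts, subtype, bssid, _dst in sorted(frames):
        if subtype in ("deauth", "disassoc"):
            q = recent[bssid]
            q.append(ts)
            while q and ts - q[0] > window_s:   # drop frames outside window
                q.popleft()
            if len(q) >= threshold and bssid not in alerts:
                alerts[bssid] = {"burst_at": ts, "handshake_after_burst": False}
        elif subtype == "eapol" and bssid in alerts:
            a = alerts[bssid]
            if 0 <= ts - a["burst_at"] <= followup_s:
                a["handshake_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for bssid, info in detect_deauth_bursts(SAMPLE_FRAMES).items():
        print(f"{bssid}: deauth burst at t={info['burst_at']:.2f}s, "
              f"handshake followed: {info['handshake_after_burst']}")
```

A WIDS or monitor-mode capture feeding real frame records into the same function would surface the burst on the victim BSSID while leaving the single roaming deauth unflagged.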