dxa4481/WPA2-HalfHandshake-Crack
This is a POC to show it is possible to capture enough of a handshake with a user from a fake AP to crack a WPA2 network without knowing the passphrase of the actual AP.
WPA2-HalfHandshake-Crack
Conventional WPA2 attacks work by listening for a handshake between client and Access Point. This full four-way handshake is then used in a dictionary attack. This tool is a Proof of Concept to show it is not necessary to have the Access Point present. A person can simply listen for WPA2 probes from any client within range, and then throw up an Access Point with that SSID. Though the authentication will fail, there is enough information in the failed handshake to run a dictionary attack against it.
Install
$ sudo python setup.py install
Sample use
$ python halfHandshake.py -r sampleHalfHandshake.cap -m 48d224f0d128 -s "no place like 127.0.0.1"
- -r Where to read input pcap file with half handshake (works with full handshakes too)
- -m AP mac address (From the 'fake' access point that was used during the capture)
- -s AP SSID
- -d (optional) Where to read dictionary from
Capturing half handshakes
To listen for device probes, the aircrack suite can be used as follows:
sudo airmon-ng start wlan0
sudo airodump-ng mon0
You should begin to see device probes with the BSSID set to (not associated) appearing at the bottom. If WPA2 SSIDs show up for these probes, those devices can be targeted.
Set up a WPA2 Wi-Fi network with the same SSID as the desired device probe. The passphrase can be anything.
In Ubuntu this can be done as described here:
http://ubuntuhandbook.org/index.php/2014/09/3-ways-create-wifi-hotspot-ubuntu/
Capture traffic on this interface.
On Linux this can be achieved with tcpdump:
sudo tcpdump -i wlan0 -s 65535 -w file.cap
(optional) Deauthenticate clients from nearby WiFi networks to increase probes
If there are not enough unassociated clients, the aircrack suite can be used to deauthenticate clients from nearby networks: http://www.aircrack-ng.org/doku.php?id=deauthentication
from: https://github.com/dxa4481/WPA2-HalfHandshake-Crack/
WPA2 half-handshake cracking: the traditional full 4-way handshake is not needed to crack
lxj616 (profile) | 2015-04-29 12:22
https://github.com/dxa4481/WPA2-HalfHandshake-Crack/
Conventional WPA2 attacks work by eavesdropping on a successful handshake between a client and the AP.
The captured four-way handshake is then used in a dictionary attack.
This tool shows that the attack can be carried out without the real AP being present.
An attacker only needs to sniff the WPA2 probes sent by any client within range,
and then bring up an AP with that SSID.
Although authentication will fail, the failed handshake already contains enough information to be used in a dictionary attack.
Test screenshot:
Comments:
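As an added illustration, not part of the tool or of the original post: the Python below shows which EAPOL-Key messages a "half handshake" consists of (message 1 from the AP, message 2 from the client; message 3 never arrives because an AP that does not know the passphrase cannot produce it) and a check a wireless monitor could run over captured EAPOL frames to flag client/AP pairs that stopped at message 2. The MAC addresses, key-info values and frames are constructed sample data, and build_eapol_key is a hypothetical helper.

```python
import struct

# EAPOL-Key "Key Information" flag bits (IEEE 802.11 RSN key descriptor)
KEY_INFO_INSTALL, KEY_INFO_ACK, KEY_INFO_MIC, KEY_INFO_SECURE = 1 << 6, 1 << 7, 1 << 8, 1 << 9

def classify_eapol_key(frame: bytes) -> int:
    """Return the 4-way handshake message number (1..4) of an EAPOL frame, or 0."""
    # EAPOL header: version, type (3 = Key), length; then a 95-byte RSN key descriptor
    if len(frame) < 99 or frame[1] != 3:
        return 0
    key_info = struct.unpack_from(">H", frame, 5)[0]  # right after the descriptor-type byte
    ack, mic = bool(key_info & KEY_INFO_ACK), bool(key_info & KEY_INFO_MIC)
    secure, install = bool(key_info & KEY_INFO_SECURE), bool(key_info & KEY_INFO_INSTALL)
    if ack and not mic:
        return 1  # AP -> client: ANonce
    if not ack and mic and not secure:
        return 2  # client -> AP: SNonce + MIC; with msg 1 this is all a dictionary attack needs
    if ack and mic and install:
        return 3  # AP -> client: only an AP that knows the passphrase can produce this
    if not ack and mic and secure:
        return 4  # client -> AP: final confirmation (WPA2; original WPA leaves Secure clear)
    return 0

def find_half_handshakes(frames):
    """frames: (transmitter MAC, receiver MAC, EAPOL bytes) tuples. Returns the (ap, client)
    pairs that exchanged messages 1 and 2 only, i.e. the AP never sent message 3."""
    seen = {}
    for src, dst, eapol in frames:
        n = classify_eapol_key(eapol)
        if n == 0:
            continue
        ap, client = (src, dst) if n in (1, 3) else (dst, src)  # odd messages come from the AP
        seen.setdefault((ap, client), set()).add(n)
    return sorted(pair for pair, msgs in seen.items() if msgs == {1, 2})

def build_eapol_key(key_info: int) -> bytes:
    """Constructed minimal EAPOL-Key frame with zeroed nonce/MIC fields, for the sample below."""
    body = bytes([2]) + struct.pack(">HH", key_info, 16) + b"\x00" * 90  # replay ctr .. key data len
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body

# Constructed sample (placeholder MACs): a real AP completes all four messages with the client,
# while a second AP only gets as far as message 2, the pattern this README relies on.
REAL_AP, FAKE_AP, CLIENT = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"
MSG1, MSG2, MSG3, MSG4 = 0x008A, 0x010A, 0x13CA, 0x030A  # typical WPA2-AES key info values
SAMPLE_FRAMES = [
    (REAL_AP, CLIENT, build_eapol_key(MSG1)), (CLIENT, REAL_AP, build_eapol_key(MSG2)),
    (REAL_AP, CLIENT, build_eapol_key(MSG3)), (CLIENT, REAL_AP, build_eapol_key(MSG4)),
    (FAKE_AP, CLIENT, build_eapol_key(MSG1)), (CLIENT, FAKE_AP, build_eapol_key(MSG2)),
]
print(find_half_handshakes(SAMPLE_FRAMES))  # [('02:00:00:00:00:02', '02:00:00:00:00:99')]
```

A monitor that sees the same client repeatedly stop at message 2 with a BSSID that is not one of its own access points has a strong indicator of an impostor AP collecting half handshakes.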
1#
Blacker | 2015-04-29 12:25
First you need a dictionary
2#
实习白帽子 | 2015-04-29 12:25
The key point is still that you need a dictionary!
3#
無名老人 (did development, did pentesting, known in the scene as: lady-killer) | 2015-04-29 15:07
In the end you still need a dictionary; Wi-Fi gurus, please share high-quality dictionaries
4#
小表哥 | 2015-04-29 15:29
@無名老人 Apart from common weak passwords and birthdays, the dictionary is all local mobile and landline numbers; you have to generate those yourself
5#
园长 (meow~) | 2015-04-29 15:32
Cheeky, whoa~
6#
lxj616 (profile) | 2015-04-29 16:10
@园长 meow
7#
jeary (my abstract methods keep piling up, what should I do? :)) | 2015-04-29 17:02
Simply put, it saves the hassle of capturing packets the traditional way
8#
咖啡 (from the iPhone 6s gold client | 1 minute ago, Burj Al Arab Dubai, presidential suite) | 2015-04-29 17:03
@無名老人 There are people on Taobao who run capture files for you.....
9#
無名老人 (did development, did pentesting, known in the scene as: lady-killer) | 2015-04-29 17:37
@咖啡 For example the leaked database of WiFi共享精灵 and the like, that is the best dictionary
10#
乌云白帽子 | 2015-04-30 09:15
@lxj616 Could you share a dictionary, master? And the toolkit too; this newbie wants to steal the neighbor's Wi-Fi
11#
我勒个去 | 2015-04-30 19:40
@咖啡 What keyword do I search for? Couldn't find it
12#
灭亡 (-.-) | 2015-04-30 20:10
+1, clicked thanks
13#
末笔丶 | 2015-04-30 21:35
Passive Karma Attack?
14#
Sndav | 2015-04-30 21:43
A dictionary is what really counts
15#
核攻击 (rule the world, enslave all humanity! destroy any organic life that dares to stand in the way!) | 2015-05-01 10:34
Similar capabilities have existed for a long time; the idea is devious.