dxa4481/WPA2-HalfHandshake-Crack

This is a POC to show it is possible to capture enough of a handshake with a user from a fake AP to crack a WPA2 network without knowing the passphrase of the actual AP.

WPA2-HalfHandshake-Crack

Conventional WPA2 attacks work by listening for a handshake between a client and an Access Point. This full four-way handshake is then used in a dictionary attack. This tool is a Proof of Concept to show that it is not necessary to have the Access Point present. A person can simply listen for WPA2 probes from any client within range, and then throw up an Access Point with that SSID. Though the authentication will fail, there is enough information in the failed handshake to run a dictionary attack against it.

Install

$ sudo python setup.py install

Sample use

$ python halfHandshake.py -r sampleHalfHandshake.cap -m 48d224f0d128 -s "no place like 127.0.0.1"
  • -r Where to read input pcap file with half handshake (works with full handshakes too)
  • -m AP mac address (From the 'fake' access point that was used during the capture)
  • -s AP SSID
  • -d (optional) Where to read dictionary from

Capturing half handshakes

To listen for device probes, the aircrack suite can be used as follows:

sudo airmon-ng start wlan0
sudo airodump-ng mon0

You should begin to see device probes with the BSSID set to "(not associated)" appearing at the bottom. If WPA2 SSIDs pop up for these probes, these devices can be targeted.

Set up a WPA2 Wi-Fi network with the same SSID as the desired device probe. The passphrase can be anything.

In Ubuntu this can be done as described here:

http://ubuntuhandbook.org/index.php/2014/09/3-ways-create-wifi-hotspot-ubuntu/

Capture traffic on this interface.

In Linux this can be achieved with tcpdump:

sudo tcpdump -i wlan0 -s 65535 -w file.cap

(optional) Deauthenticate clients from nearby Wi-Fi networks to increase probes

If there are not enough unassociated clients, the aircrack suite can be used to deauthenticate clients from nearby networks: http://www.aircrack-ng.org/doku.php?id=deauthentication

from: https://github.com/dxa4481/WPA2-HalfHandshake-Crack/
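As an added, defender-side example (not code from the WPA2-HalfHandshake-Crack project), the setup the README describes leaves a recognisable trace in monitored traffic: a BSSID outside the authorised list advertising a protected SSID, and 4-way handshakes that stop after message 2 because the spoofed AP cannot verify the client's MIC. The frame records, SSID and authorised-BSSID list below are constructed; only the MAC 48:d2:24:f0:d1:28 is taken from the sample command above, standing in for the rogue AP.

```python
from collections import defaultdict

# Authorised BSSIDs per protected SSID (constructed; a real deployment would
# take this from the WLAN controller or a site survey).
AUTHORIZED_APS = {"corp-wifi": {"00:11:22:33:44:55"}}

# Constructed frame summaries standing in for a decoded monitor-mode capture.
# Fields: kind, source MAC, destination MAC, advertised SSID, EAPOL-Key message number.
SAMPLE_FRAMES = [
    ("beacon",     "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "corp-wifi", None),
    ("probe_req",  "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff", "corp-wifi", None),
    ("probe_resp", "48:d2:24:f0:d1:28", "aa:bb:cc:dd:ee:01", "corp-wifi", None),  # rogue answers
    ("eapol",      "48:d2:24:f0:d1:28", "aa:bb:cc:dd:ee:01", None, 1),             # M1: ANonce from rogue
    ("eapol",      "aa:bb:cc:dd:ee:01", "48:d2:24:f0:d1:28", None, 2),             # M2: SNonce + MIC leaked
    ("eapol",      "00:11:22:33:44:55", "aa:bb:cc:dd:ee:02", None, 1),             # legitimate full handshake
    ("eapol",      "aa:bb:cc:dd:ee:02", "00:11:22:33:44:55", None, 2),
    ("eapol",      "00:11:22:33:44:55", "aa:bb:cc:dd:ee:02", None, 3),
    ("eapol",      "aa:bb:cc:dd:ee:02", "00:11:22:33:44:55", None, 4),
]


def detect_evil_twins(frames, authorized=AUTHORIZED_APS):
    """Return (ssid, bssid) pairs where a beacon or probe response advertises a
    protected SSID from a BSSID that is not on the authorised list."""
    hits = set()
    for kind, src, _dst, ssid, _msg in frames:
        if kind in ("beacon", "probe_resp") and ssid in authorized and src not in authorized[ssid]:
            hits.add((ssid, src))
    return sorted(hits)


def detect_half_handshakes(frames):
    """Return (ap, client) pairs whose 4-way handshake stalled after message 2.
    M2 carries the client's SNonce and a MIC keyed from the passphrase, which is all an
    offline dictionary attack needs; an AP that never sends M3 could not verify that
    MIC, i.e. it does not know the real passphrase."""
    progress = defaultdict(int)  # (ap, client) -> highest message number seen
    for kind, src, dst, _ssid, msg in frames:
        if kind != "eapol":
            continue
        # M1 and M3 travel AP -> client, M2 and M4 client -> AP; normalise to (ap, client).
        pair = (src, dst) if msg in (1, 3) else (dst, src)
        progress[pair] = max(progress[pair], msg)
    return sorted(pair for pair, highest in progress.items() if highest == 2)


if __name__ == "__main__":
    for ssid, bssid in detect_evil_twins(SAMPLE_FRAMES):
        print(f"rogue AP {bssid} advertising {ssid}")
    for ap, client in detect_half_handshakes(SAMPLE_FRAMES):
        print(f"half handshake: {client} disclosed M2 to {ap}")
```

Feeding these two checks from a wireless IDS or a periodic monitor-mode capture catches the spoofed AP before any passphrase guessing happens; the mitigation on the client side is to forget unused WPA2 profiles so devices stop probing for them.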


WPA2 half-handshake cracking: cracking without the traditional full 4-way handshake

lxj616 (profile) | 2015-04-29 12:22

https://github.com/dxa4481/WPA2-HalfHandshake-Crack/

Traditional WPA2 attacks work by listening for a successful handshake between a client and the AP.

The captured 4-way handshake can then be used for a dictionary attack.

This tool shows that the attack can be carried out without the real AP being present.

An attacker only needs to sniff the WPA2 probes sent by any client within range,

and then bring up an AP with that SSID.

Although authentication will fail, the failed handshake already contains enough information to be used for a dictionary attack.

Test screenshot:

[Original article link]

Comments:

1#

Blacker | 2015-04-29 12:25

First you need a dictionary.

2#

实习白帽子 | 2015-04-29 12:25

The key point is still that you need a dictionary!

3#

無名老人 (done development, done pentesting, known in the scene as the "young wives' killer") | 2015-04-29 15:07

In the end you still need a dictionary. Wi-Fi gurus, please share some high-quality dictionaries.

4#

小表哥 | 2015-04-29 15:29

@無名老人 Apart from common weak passwords and birthdays, the dictionary is all local mobile numbers and landline numbers; you have to generate that yourself.

5#

园长 (meow~) | 2015-04-29 15:32

Sneaky, ooh~

6#

lxj616 (profile) | 2015-04-29 16:10

@园长 Meow

7#

jeary (My abstract methods keep multiplying, what do I do? :( ) | 2015-04-29 17:02

Simply put, it saves the hassle of the traditional capture.

8#

咖啡 (from the iPhone 6s gold client | 1 minute ago, Burj Al Arab presidential suite) | 2015-04-29 17:03

@無名老人 There are people on Taobao who run captures against dictionaries for you.....

9#

無名老人 (done development, done pentesting, known in the scene as the "young wives' killer") | 2015-04-29 17:37

@咖啡 For example the leaked database of WiFi 共享精灵 or the like; that is the best dictionary.

10#

乌云白帽子 | 2015-04-30 09:15

@lxj616 Big shot, could you give us a dictionary? And a tool package; this newbie wants to steal the neighbour's network.

11#

我勒个去 | 2015-04-30 19:40

@咖啡 What keyword do I search for? I can't find it.

12#

灭亡 (-.-) | 2015-04-30 20:10

Thumbs up. Clicked thanks.

13#

末笔丶 | 2015-04-30 21:35

Passive Karma Attack?

14#

Sndav | 2015-04-30 21:43

The dictionary is what really matters.

15#

核攻击 (Rule the world, enslave all humanity! Destroy any organic life that dares to stand in the way!) | 2015-05-01 10:34

Similar functionality has existed for a long time; the idea is wicked.

Comments (old system):

何家小鸡 @ 2015-05-31 17:37:54

It errors out at the packet capture step; no idea where the problem is. I suggest translating the foreign text and putting out a complete tutorial; following the OP's screenshot it is impossible to succeed.

Site reply:

Google Translate…… -_-!!!