Académique Documents
Professionnel Documents
Culture Documents
469 2.2K
In this post, I’ll talk about the new WiFi related features that have been re‐
cently implemented into bettercap, starting from how the EAPOL 4-way handshake
capturing has been automated, to a whole new type of attack that will allow us
to recover WPA PSK passwords of an AP without clients.
We’ll start with the assumption that your WiFi card supports monitor mode and
packet injection (I use an AWUS1900 with this driver), that you have a work‐
ing hashcat (v4.2.0 or higher is required) installation (ideally with GPU sup‐
port enabled) for cracking and that you know how to use it properly either for
dictionary or brute-force attacks, as no tips on how to tune the masks and/or
generate proper dictionaries will be given :)
On newer macOS laptops, the builtin WiFi interface en0 already supports
monitor mode, meaning you won’t need a Linux VM in order to run this :)
First thing first, let’s try a classical deauthentication attack: we’ll start
bettercap, enable the wifi.recon module with channel hopping and configure
the ticker " Menu our#screen
module to refresh TOC $ Share
every %with
second Top an updated view of
the nearby WiFi networks (replace wlan0 with the interface you want to use):
1
2 # this will set the interface in monitor mode and start channel hopping on
4 > wifi.recon on
5 # we want our APs sorted by number of clients for this attack, the default
1 > wifi.recon.channel 1
What we want to do now is forcing one or more of the client stations (we can
see 5 of them for this AP) to disconnect by forging fake deauthentication pack‐
ets. Once they will reconnect, hopefully, bettercap will capture the needed
EAPOL frames of the handshake that we’ll later pass to hashcat for cracking
(replace e0:xx:xx:xx:xx:xx with the BSSID of your target AP):
1 > wifi.deauth e0:xx:xx:xx:xx:xx
If everything worked as expected and you’re close enough to the AP and the
clients, bettercap will start informing you that complete handshakes have been
captured (you can customize the pcap file output by changing the
wifi.handshakes.file parameter):
Not only bettercap will check for complete handshakes and dump them only
when all the required packets have been captured, but it will also append
to the file one beacon packet for each AP, in order to allow any tool
reading the pcap to detect both the BSSIDs and the ESSIDs.
The downsides of this attack are obvious: no clients = no party, moreover, giv‐
en we need to wait for at least one of them to reconnect, it can potentially
take some time.
Once we have succesfully captured the EAPOL frames required by hashcat in order
to crack the PSK, we’ll need to convert the pcap output file to the hccapx
format that hashcat can read. In order to do so, we can either use this online
service, or install the hashcat-utils ourselves and convert the file locally:
You can now proceed to crack the handshake(s) either by dictionary attack or
brute-force. For instance, to try all 8-digits combinations:
And this is it, the evergreen deauthentication attack in all its simplicity,
performed with just one tool … let’s get to the fun part now :)
Client-less PMKID Attack
In 2018 hashcat authors disclosed a new type of attack which not only relies on
one single packet, but it doesn’t require any clients to be connected to our
target AP or, if clients are connected, it doesn’t require us to send deauth
frames to them, there’s no interaction between the attacker and client sta‐
tions, but just between the attacker and the AP, interaction which, if the
router is vulnerable, is almost immediate!
It turns out that a lot of modern routers append an optional field at the end
of the first EAPOL frame sent by the AP itself when someone is associating, the
so called Robust Security Network , which includes something called PMKID :
As explained in the original post, the PMKID is derived by using data which is
known to us:
Since the “PMK Name” string is constant, we know both the BSSID of the AP and
the station and the PMK is the same one obtained from a full 4-way handshake,
this is all hashcat needs in order to crack the PSK and recover the passphrase!
Here’s where the new wifi.assoc command comes into play: instead of deauthen‐
ticating existing clients as shown in the previous attack and waiting for the
full handshake to be captured, we’ll simply start to associate with the target
AP and listen for an EAPOL frame containing the RSN PMKID data.
All nearby vulnerable routers (and let me reiterate: a lot of them are vulnera‐
ble), will start sending you the PMKID, which bettercap will dump to the usual
pcap file:
PMKID Cracking
We’ll now need to convert the PMKID data in the pcap file we just captured to a
hash format that hashcat can understand, for this we’ll use hcxpcaptool:
Recap
Goodbye airmon, airodump, aireplay and whatnots: one tool to rule them
all!
Goodbye Kali VMs on macOS: these modules work natively out of the box,
with the default Apple hardware <3
Full 4-way handshakes are for n00bs: just one association request and most
routers will send us enough key material.
Enjoy :)
11 Comments evilsocket.net !
1 Login
Name
1△ ▽ • Reply • Share ›
On my Titan X Pascal cards, I get 5-600 kH/s (each) for both WPA-EAPOL-PBKDF2
(mode 2500) and WPA-PMKID-PBKDF2 (mode 16800) as they basically attack the
same algo :)
see more
3△ ▽ • Reply • Share ›
see more
△ ▽ • Reply • Share ›
see more
4△ ▽ • Reply • Share ›
✉ Subscribe d Add Disqus to your siteAdd DisqusAdd 🔒 Disqus' Privacy PolicyPrivacy PolicyPrivacy
Copyright © 2019 Simone Margaritelli
Copyright © 2019 Simone Margaritelli
~/ rss