Search the Community
Showing results for tags 'wpa'.
Found 4 results
PMKID Attack WPA/WPA2 on WiFi Pineapples! Pineapple NANO + TETRA WARNING! This attack is EXTREMELY effective on the Pineapples! And is capable of capturing an entire neighborhood of PMKID's in a minute or less, no clients needed! ONLY use hcxdumptool on networks you have permission to, because of this: hcxdumptool is able to prevent complete wlan traffic! hcxdumptool is able to capture PMKID's from access points (only one single PMKID from an access point required) hcxdumptool is able to capture handshakes from not connected clients (only one single M2 from the client is required) hcxdumptool is able to capture handshakes from 5GHz clients on 2.4GHz (only one single M2 from the client is required) hcxdumptool is able to capture extended EAPOL (RADIUS, GSM-SIM, WPS) hcxdumptool is able to capture passwords from the wlan traffic hcxdumptool is able to capture plain master-keys from the wlan traffic hcxdumptool is able to capture usernames and identities from the wlan traffic This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame. At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers)! The main advantages of this attack are as follow: No more regular users required - because the attacker directly communicates with the AP (aka "client-less" attack) No more waiting for a complete 4-way handshake between the regular user and the AP No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results) No more eventual invalid passwords sent by the regular user No more lost EAPOL frames when the regular user or the AP is too far away from the attacker No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds) No more special output format (pcap, hccapx, etc.) - final data will appear as regular hex encoded string The RSN IE is an optional field that can be found in 802.11 management frames. One of the RSN capabilities is the PMKID. This attack is quite new, and gets updated regularly. I've compiled it for the Pineapples and uploaded it to GitHub. As the tools gets updated often, i will have to update the packages often. So please check back for updates! Download: hcxtools (v4.2.1-16) Download: hcxdumptool (v4.2.1-17) Download and install both tools automatically by using this command on your Pineapple: wget -qO- https://raw.githubusercontent.com/adde88/hcxtools-hcxdumptool-openwrt/master/INSTALL.sh | bash -s -- -v -v Last update: 06.10.20618 Changelog: Updated hcxdumptool to follow changes from upstream (@ZerBea) Install procedure: Download the IPK's to your Pineapple and install them using opkg. (If you're using the Nano remember to install them to your SD-card) How do i use this? Chose an interface, and make sure it's not being used on anything else, let's use wlan1 in this example! (It will set the interface to monitor mode while working) hcxdumptool -o test.pcapng -i wlan1 --enable_status 3 This will use wlan1 to perform the attack and create a file named test.pcapng containing the PMKID. (You can try other options for --enable_status (1, 2, 4, 16 ?. Use --help for more info) Filters can also be applied with --filterlist and --filtermode (Again, read --help for details) You can then use hcxpcaptool to convert the PMKID to a hash readable by hashcat. hcxpcaptool -z test.16800 test.pcapng The next step would be to transfer test.16800 to a desktop, capable of running the latest version of hashcat. (Version 4.2.0 or higher) And then run the attack, for example like this: (This is NOT done on the Pineapple!!!) hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!' Github repo. + source-codes: https://github.com/adde88/hcxtools-hcxdumptool-openwrt https://github.com/adde88/openwrt-useful-tools The first repo. contains the IPK files, and the SDK Makefiles needed to compile the project yourelf. The second repo contains alot of other useful tools i've compiled over time for the Pineapples if you're interested in taking a peek. Donations are very helpful, and would help me contribute towards keeping all of these custom tools ported and up-to-date.
Hello all. I have been a fan of the hak5 team for a while and over the last 2-3 years have collected pretty much everything in the hak5 shop. I have all the things that do the things. ? Recently during a fever dream, I imagined that I had a new device. One that magically grabbed 4 way WPA handshakes with the push of a button and was small enough to hold in my tiny pen testing fist. We have all been there right? We know there is a network with clients but we are just too far away to effectively do a deauth airodump attack. Sure we could get closer and open our Linux laptop, plug in a wonky antenna and fire up a couple terminals, but as if our hoody wasn't enough of an indication, now we'd really be drawing attention. Ok maybe we all haven't been there but at least I have and when I awoke from that fever dream I thought to myself, damn why didn't I think of this sooner. I need this thing to be as real as all my other things. Anyway, I went right to my work bench and started soldering away. I have started a GitHub repo for this thing that I'm tentatively calling FistBump. It's in it's beta stage for sure and a fairly simple device really, but would love some feedback. Please be constructive with your feedback, it's my first try at prototyping my own device. https://github.com/eliddell1/FistBump
BESSIDE-NG - Customized for Pineapple TETRA I'm writing a relative short post, as i don't feel like writing an entire article explaining how-to install this and use this. I've compiled a customized version of besside-ng, that will automatically scan all the channels from 1 to 165. The scan will take almost a minute to complete, compared to some seconds when only scanning the 2.4GHz range. Also added option to only scan WEP or WPA networks. I've also changed the directory that the logs gets saved to. They can now be found in /tmp The files are as usual: wep.cap, wpa.cap, besside.log As usual, you can find it ready and compiled on my GitHub repo: (source-code is there as well) https://github.com/adde88/besside-ng_pineapple I will not be providing heavy support on this. I might take a couple short questions, or if you have a good idea for any improvements i might take my time and implement it. Cheerio!
Hi There, Does anyone know how to broadcast only the SSID without security, so only the open networks? My nano is now broadcasting all networks, so all the networks with password will also be broadcasted without password from my nano. Thanks!