Wpa Handshake - The Easy Way?


Atomix.Gray

I was messing around in my lab last night and - (think) I found a really easy way to get a WPA handshake. However, I want to run this by everyone and see if I am way off base here.

So I had an airodump-ng running capturing packets - trying to find a way to get a handshake if no clients were available to deauth - so I had a brand new phone - that's never been connected to my lab network before. I enabled Wifi on my new phone and tried to connect to my lab's AP - I used the wrong PIN/Pass Phrase on purpose - my phone stated it was the wrong PIN/Pass Phrase - however I noticed that I got a WPA Handshake.

I was able to reproduce this over and over again. Has anyone else seen this? Is this normal? My understanding is that to get a successful WPA Handshake you need a client to connect successfully to the AP.

**Note: I haven't tried to crack the .cap file yet.


You only need two packets to crack WPA and you will have captured those two so it should be possible to crack it.

My Wifi Honey ( http://www.digininja.org/projects/wifi_honey.php ) script does something similar. Not sure if aircrack-ng can crack it but coWPAtty can crack them, you used to need to pass -2 as a parameter but might not need to any more.


I am pretty sure that aircrack can crack 2 parts of a 4 way handshake.

Last time I did it, it took 20 hours piping john through aircrack with "password" as my passphrase. However, I had a full 4 way handshake using a deauthed client.

Great find, I will have to play with it. If you process the cap file let us know if it works.


My lab is just using an older Linksys wireless-g router. Tested this on a 2wire AT&T one - worked as well.

I will try to process the cap file tonight. I've never used CoWPAtty - so I will find the command and switches to try and process it with that as well. (If aircrack does not work)

Was anyone else able to replicate this? This would beat having to deauth or wait for someone to connect.

digininja - thanks for the script - :) been working on a FakeAP + Metasploit one - just trying to teach myself basic scripting (coming from a strict VBScript background)


I can't remember exactly which video it is but if you want to know more about this watch the SecurityTube wifi video series. Vivek covers this which is where I got the idea for Wifi Honey.


  • 5 months later...

I've done the same thing and can say that aircrack-ng can NOT crack the password from a failed authentication handshake.

I just set up my wireless router, my computer with Backtrack and got my phone with the wrong password to try to connect to my router. Even though airodump-ng says it's successfully captured a handshake, it's not enough to crack it. Aircrack-ng went through the entire password list without success.

I tried the same password list with a working authentication handshake capture and it got the password in a few seconds (the correct password was near the top of the password list).

I opened the failed password handshake in Wireshark and it says it has captured "Message 1 of 4" and "Message 2 of 4" of the 4 way handshake.

From what I gather, you need at least packets 2 and 3, or packets 3 and 4. Just 1 and 2 will not work.


You are partially correct. If it fails due to the client having the incorrect password then no, you can't; if it is because the server has the wrong password then it can. What you need to capture are the first 2 packets: the nonce (challenge) the server sends to the client and the client response. If the client has the correct key then the server says the challenge is correct and authenticates itself back; if the client has the wrong key the server says failed and the whole thing stops.

This is why having a fake AP which doesn't know the right password can still get you enough to crack the key as the client replies first with their response to the challenge.


Yea actually you're right. Capturing packets 1 and 2 can crack the password, provided the client has the correct password.

I just set up an airbase-ng on my computer with a random ESSID on it and got my phone to try to connect to it using the password. Even though my computer didn't know the password, it captured a handshake and through aircrack-ng I was able to crack the password in a few seconds (the correct password was near the top of the list).

I looked through the capture file on Wireshark and saw that it only had packets 1 and 2 of the 4 way handshake as well.

So this means that airodump-ng can sometimes capture incomplete handshakes and say it's legit, and you'll spend days trying to crack the handshake but it'll never find the correct pass because it's a failed handshake? Is there any way to tell that it's a failed handshake (by looking at Wireshark or something)?


I would guess that airodump is reporting once it has seen the first 2 packets of the handshake as that is all you need to crack the key the client is using. If you want to know if you've got all four packets then I'd suggest opening the pcap in wireshark or using tshark with a filter to check to see if all four packets are there.

You could also try cowpatty, that is usually pretty good at recognising if you've got 2 or 4 packets from the handshake.

And just to be clear, in the situation where you only get 2 packets, you have enough information to crack the PSK the client knows, that isn't always the one the server knows and so doesn't guarantee getting you access to the AP but it will give you the PSK for the client.
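The check suggested above (open the pcap and see which of the four EAPOL-Key messages are present) can be automated. The following is an added example, not code from the thread or from Wifi Honey: it parses bare EAPOL-Key frames (the 802.1X header plus key descriptor, i.e. what is left after the 802.11 and LLC/SNAP headers are stripped), classifies each as message 1 to 4 from the Key Information flags the way Wireshark's "Message N of 4" label does, and reports whether the capture is a complete handshake or only the M1+M2 pair that a failed authentication or a fake AP produces. The frames, nonces, MICs and RSN IE are constructed test data, and the verdict strings are this example's own names.

```python
"""Check which messages of a WPA/WPA2 4-way handshake a capture contains.

Added example, not code from the thread. It parses bare EAPOL-Key frames
(802.1X header + key descriptor). All frames below are constructed, not captured.
"""
import struct

EAPOL_TYPE_KEY = 3  # 802.1X packet type for EAPOL-Key

# Key Information flags from the EAPOL-Key descriptor (IEEE 802.11i).
KI_PAIRWISE = 0x0008   # pairwise (PTK) handshake, not the group-key handshake
KI_INSTALL = 0x0040    # set by the AP in M3: "install this PTK"
KI_ACK = 0x0080        # set by the AP in M1 and M3
KI_MIC = 0x0100        # frame carries a MIC (M2, M3, M4)
KI_SECURE = 0x0200     # set once the PTK is established (M3, M4)
KI_ENCRYPTED = 0x1000  # Key Data field is encrypted (M3 in WPA2)
KI_VERSION_AES = 2     # descriptor version 2: HMAC-SHA1 MIC, AES key wrap


def build_eapol_key(key_info, replay, nonce, mic=b"\x00" * 16, key_data=b""):
    """Build a minimal RSN EAPOL-Key frame (constructed test data)."""
    body = struct.pack(">BHH", 2, key_info, 16)          # descriptor type 2 (RSN), key info, key length
    body += struct.pack(">Q", replay)                     # replay counter
    body += nonce                                         # 32-byte Key Nonce (ANonce or SNonce)
    body += b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8      # Key IV, Key RSC, Key ID
    body += mic + struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


def parse_eapol_key(frame):
    """Return the descriptor fields that matter for classification, or None."""
    if len(frame) < 4 + 95:
        return None
    version, ptype, length = struct.unpack(">BBH", frame[:4])
    if ptype != EAPOL_TYPE_KEY:
        return None
    body = frame[4:4 + length]
    descriptor, key_info, key_len = struct.unpack(">BHH", body[:5])
    return {
        "descriptor": descriptor,
        "key_info": key_info,
        "replay": struct.unpack(">Q", body[5:13])[0],
        "nonce": body[13:45],
        "mic": body[77:93],
        "key_data_len": struct.unpack(">H", body[93:95])[0],
    }


def classify(key_info, key_data_len=1):
    """Map Key Information flags to handshake message number 1..4 (None if not pairwise)."""
    if not key_info & KI_PAIRWISE:
        return None
    ack, mic = bool(key_info & KI_ACK), bool(key_info & KI_MIC)
    install, secure = bool(key_info & KI_INSTALL), bool(key_info & KI_SECURE)
    if ack and not mic:
        return 1          # AP -> client: ANonce, no MIC yet
    if ack and mic and install:
        return 3          # AP -> client: its MIC proves the AP derived the same PTK
    if mic and not ack:
        # M2 carries the RSN IE in Key Data; M4 has empty Key Data (and Secure set in WPA2).
        return 4 if (secure or key_data_len == 0) else 2
    return None


def handshake_status(frames):
    """Return (sorted message numbers seen, verdict) for a list of EAPOL-Key frames."""
    seen = set()
    for frame in frames:
        fields = parse_eapol_key(frame)
        if fields is None:
            continue
        msg = classify(fields["key_info"], fields["key_data_len"])
        if msg is not None:
            seen.add(msg)
    if {1, 2, 3, 4} <= seen:
        verdict = "complete"            # AP accepted the client's M2 MIC; client confirmed M3
    elif {1, 2} <= seen and 3 not in seen:
        # The MIC in M2 proves only the PSK *the client* used. Without M3 the AP never
        # confirmed it: wrong client password, or the "AP" was a fake one.
        verdict = "client-proof-only"
    elif 3 in seen and (2 in seen or 4 in seen):
        verdict = "ap-confirmed"        # M3 shows the AP agreed with the client's key
    else:
        verdict = "incomplete"
    return sorted(seen), verdict


# Constructed sample frames (nonces are arbitrary, MICs are placeholders).
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # constructed RSN IE
MIC = b"\x11" * 16

M1 = build_eapol_key(KI_VERSION_AES | KI_PAIRWISE | KI_ACK, 1, ANONCE)                        # key info 0x008a
M2 = build_eapol_key(KI_VERSION_AES | KI_PAIRWISE | KI_MIC, 1, SNONCE, MIC, RSN_IE)            # key info 0x010a
M3 = build_eapol_key(KI_VERSION_AES | KI_PAIRWISE | KI_ACK | KI_MIC | KI_INSTALL
                     | KI_SECURE | KI_ENCRYPTED, 2, ANONCE, MIC, b"\x22" * 24)                 # key info 0x13ca
M4 = build_eapol_key(KI_VERSION_AES | KI_PAIRWISE | KI_MIC | KI_SECURE, 2, b"\x00" * 32, MIC)  # key info 0x030a

FULL_HANDSHAKE = [M1, M2, M3, M4]   # client and AP share the PSK
FAILED_AUTH = [M1, M2]              # wrong client password or fake AP: the AP never sends M3

if __name__ == "__main__":
    for name, capture in (("full", FULL_HANDSHAKE), ("failed", FAILED_AUTH)):
        print(name, handshake_status(capture))
```

The "client-proof-only" verdict is the case the thread describes: airodump-ng reports a handshake as soon as M1 and M2 are there, but M3 is the only evidence that the AP accepted the client's key, so without it a capture tells you what the client believed the PSK to be and nothing about the AP. In a real capture the same check is `tshark -r capture.cap -Y eapol` and reading the Key Information values of each frame.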


OFFTOPIC:

And just to be clear, in the situation where you only get 2 packets, you have enough information to crack the PSK the client knows, that isn't always the one the server knows and so doesn't guarantee getting you access to the AP but it will give you the PSK for the client.

If this is the case, then it should be possible with Karma to steal (phase 1&2) handshakes of all known SSIDs from a device and possibly crack them (not only open networks).


Yes, that is correct. The problem you have is that you would have to enable WPA on the pineapple for the client to connect to it which means that anything looking for an open network would not be able to connect.

I wrote a script called Wifi Honey which does this using airbase-ng. The concept is based on the work from Vivek in the SecurityTube Megaprimer.


Just enable WPA support in the hostapd file that the Pineapple uses and it will do what you were asking for. The problem is having hostapd support multiple APs (i.e. one unencrypted and one encrypted). It basically won't work as you'll have two instances of Karma conflicting with each other.

You could enable it just on its own and have people connect to you and partially complete the handshake, then try to crack keys; you won't be able to give them Internet though.
