Getting WPA WPA2 password idea...


Hi everybody,

I upgraded my firmware to 1.4.0 and it's very nice, thank you guys for that.

Now that we can create an AP with WPA or WPA2, would it be possible to get the passwords that people are using to try to connect to it?

For example, if you want to get the password for the AP "NETWORK", you would create an AP named "NETWORK" on the Pineapple with WPA encryption, then jam the real AP "NETWORK", hope for the target to try to connect to the Pineapple "NETWORK" with his password, and then we would have it....

I'm not sure if this is actually possible, but if it is... it could be useful :)

What do you guys think?


Not possible with the actual firmware and tools we have? Or not possible ever? And why not? Could we get around it?

Sorry, but "No, this is not possible." is something that, if we were blindly believing it, well, we wouldn't be here? Right?


No, this is not possible.

To elaborate on this short reply, it is not possible because this isn't how WPA works. The password is never actually transmitted.

Instead, a four-way handshake is done to establish a connection.

You could capture the WPA handshake using your WiFi Pineapple MKV and then bruteforce it on a powerful machine -- but this is simply bruteforcing.

If you want to know more on the subject, I suggest you read up about WPA/WPA2 and the four-way handshake.

Best Regards,

Sebkinne


Thank you, I will. What would be more efficient then? Reaver, or brute forcing the handshake?

Wouldn't it be worth it to look into it? There aren't many ways to crack WPA, at least from what I know, so maybe that could be worth it?

An infusion getting the handshakes and then sending them to the big boy at home?


Start by reading the 'brute force attack' chapter of this Wikipedia article.

You'd assume the PIN was sent from client to server in some way if the router can tell the client which half of the pin was wrong, but if Seb says otherwise I'm inclined to believe him. Can't really find a good quick (i.e. not the spec) description of this particular bit of protocol to prove it either way and I'm an utter noob when it comes to this sort of thing.

What I can tell you is this: When you don't have a valid handshake, you need to do what the Wikipedia article says. Due to general idiocy when it comes to the validation algorithm, WPS's valid keyspace has gone from 10^8 to just 11000 possibilities.

If the router shuts down access to WPS after X failed attempts for a duration of Y minutes, you can successfully brute-force the router in 11000/(X*24*(60/Y)) days.

Some common examples (rounding up):

1 failed attempt = 5 minute delay => 38.2 days

3 failed attempts = 5 minute delay => 12.8 days

3 failed attempts = 15 minute delay => 38.2 days

By comparison, an unprotected WPS for which we'll assume it manages 1 PIN per second (i.e. SLOW) can be bruteforced like this in about an hour.

Also note that the numbers given are your worst-case scenarios, where you had to run through the ENTIRE keyspace. There's a good chance you won't need that much.

Things to test for when trying this: Is WPS turned off completely, or does the MAC simply get blacklisted? In case of blacklisting, try until blacklisted, change MAC, continue.

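The lockout arithmetic in the post above, worked through as an added example (not code from the thread or from the Pineapple project): it derives the 11000-attempt keyspace from the way WPS verifies the PIN in two halves, then evaluates how long a given lockout policy (X failures, Y minutes) holds off a worst-case exhaustive search, which is the number a defender wants when judging whether a router's WPS lockout setting is worth anything. The `LockoutPolicy` name and the 1 PIN/second rate are assumptions for illustration.

```python
# Added example: evaluate a WPS lockout policy against the worst-case
# exhaustive PIN search described in the thread. Not from the original post.
from dataclasses import dataclass

# Standard WPS PIN layout: 8 digits, the 8th is a checksum of the first 7.
# The registrar acknowledges the first 4 digits separately from the last 4,
# so the two halves can be searched independently instead of as one 8-digit PIN.
FIRST_HALF_DIGITS = 4
SECOND_HALF_FREE_DIGITS = 3   # last digit of the second half is the checksum


def wps_effective_keyspace() -> int:
    """Attempts needed to exhaust WPS when halves are verified separately:
    10^4 for the first half plus 10^3 for the second (the thread's 11000)."""
    return 10 ** FIRST_HALF_DIGITS + 10 ** SECOND_HALF_FREE_DIGITS


def naive_keyspace() -> int:
    """Attempts if the whole 8-digit PIN had to be guessed at once (10^8)."""
    return 10 ** 8


@dataclass(frozen=True)
class LockoutPolicy:           # hypothetical name for the router's X/Y setting
    failed_attempts: int       # X: attempts allowed before WPS is locked out
    lockout_minutes: float     # Y: how long WPS stays disabled afterwards


def worst_case_days(policy: LockoutPolicy,
                    keyspace: int = wps_effective_keyspace()) -> float:
    """Days to exhaust the keyspace under the thread's formula
    keyspace / (X * 24 * (60 / Y)): X attempts per lockout window,
    60/Y windows per hour, 24 hours per day."""
    windows_per_day = 24 * (60 / policy.lockout_minutes)
    return keyspace / (policy.failed_attempts * windows_per_day)


def worst_case_hours_unprotected(attempts_per_second: float = 1.0) -> float:
    """Hours to exhaust the keyspace with no lockout at an assumed rate."""
    return wps_effective_keyspace() / attempts_per_second / 3600


if __name__ == "__main__":
    print(f"effective keyspace: {wps_effective_keyspace()} vs naive {naive_keyspace()}")
    for x, y in [(1, 5), (3, 5), (3, 15)]:   # the three policies from the post
        print(f"{x} failure(s) -> {y} min lockout: "
              f"{worst_case_days(LockoutPolicy(x, y)):.1f} days worst case")
    print(f"no lockout at 1 PIN/s: {worst_case_hours_unprotected():.1f} hours")
```

Raising X or Y scales the worst case linearly, so a lockout that only blacklists the client MAC (the case the post says to test for) buys nothing that the formula shows, since X resets with each new MAC.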
