Jump to content

Getting WPA WPA2 password idea...

Recommended Posts

Hi everybody,

I upgraded my firmware 1.4.0 and its very nice thank you guys for that.

Now that we can create an AP with WPA or WPA2 would it be possible to get the passwords that people are using to try to connect to it ?

For example if you want to get the password for the AP "NETWORK" , you will create an AP named "NETWORK" on the pineapple with WPA encryption then jammed the real AP "NETWORK" hope for the target to try connect to the pineapple "NETWORK" with his password and then we will have it....

Im not sure if this is actualy possible but if it is ... could be usefull :)

What do you guys think ?

Link to comment
Share on other sites

not possible with the actual firmware and tools we have ? or not possible ever ? and why not ? could we get around it ?

Sorry but "No, this is not possible." is something that if we were blindly believing well we wouldnt be here ? right ?

Link to comment
Share on other sites

No, this is not possible.

To elaborate on this short reply, it is not possible because this isn't how WPA works. The password is never actually transmitted.

Instead, a four-way handshake is done to establish a connection.

You could capture the WPA handshake using your WiFi Pineapple MKV and then bruteforce it on a powerful machine -- but this is simply bruteforcing.

If you want to know more on the subject, I suggest you read up about WPA/WPA2 and the four-way handshake.

Best Regards,


Link to comment
Share on other sites

Thank you i will , what would be more efficient then ? reaver or brute forcing the handshake ?

Wouldnt it be worth it to look into it ? There isnt many ways to crack a WPA at least from what i know ? so maybe that could be worth it ?

An infusions gettting the handshakes then send it to the big boy at home ?

Link to comment
Share on other sites

Start by reading the 'brute force attack' chapter of this Wikipedia article.

You'd assume the PIN was sent from client to server in some way if the router can tell the client which half of the pin was wrong, but if Seb says otherwise I'm inclined to believe him. Can't really find a good quick (i.e. not the spec) description of this particular bit of protocol to prove it either way and I'm an utter noob when it comes to this sort of thing.

What I can tell you is this: When you don't have a valid handshake, you need to do what the wikipedia article says. Due to general idiocy when it comes to the validation algorithm WPS's valid keyspace has gone from 10^8 to just 11000 possibilities.

If the router shuts down access to WPS after X failed attempts for a duration of Y minutes, you can succesfully brute-force the router in 11000/(X*24*(60/Y)) days.

Some common examples (rounding up):

1 failed attempt = 5 minute delay => 38.2 days

3 failed attempts = 5 minute delay => 12.8 days

3 failed attempts = 15 minute delay => 38.2 days

By comparison, an unprotected WPS for which we'll assume it manages 1 PIN per second (i.e. SLOW) can be bruteforced like this in about an hour.

Also note that the numbers given are your worst-case scenarios. Where you had to run through the ENTIRE keyspace. There's a good chance you won't need that much.

Things to test for when trying this: Is WPS turned off completely, or does the MAC simply get blacklisted? In case of blacklisting, try until blacklisted, change MAC, continue.

Link to comment
Share on other sites

  • 10 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...