judy22 Posted August 8, 2015
If I were to create a fake AP with a password and give it an SSID like the real AP using a program like hostapd, then when clients connect to this fake AP, they will type the real password and send it to the fake AP. The fake AP is gonna check the password and see if it equals the one in the configuration file. So isn't it possible to ask a program like hostapd to show us the password the client typed?
digip Posted August 8, 2015
WPA requires a 4-way handshake, so if the challenge and response isn't accepted, you'll never see the whole process of keys exchanging, which isn't a plain-text password sent in the clear. You'll never see it typed, but if you managed to know the exact password (which, if you did, what's the point other than confirmation) and they managed to log on, you're basically brute forcing it by guessing what they expect to have. Easier method would be attacking and brute forcing it, better chances, or in cases where WPS is used, PixieWPS attacks against WPA/WPA2 work and you're pretty much in like Flint on most routers. WPS is almost always on by default but it can be disabled.
whitenoise Posted August 8, 2015
If you want to get the WiFi password you need another strategy. You could try the following attack (requires some programming skills): First set up an HTTP server (i.e. Apache) with PHP. Write a Python script and include Scapy. Check for beacon frames and gather their MAC addresses. From the MAC address you can get the vendor. Now you have the MAC, vendor and the network name. Now you can generate an index.php in your www directory. The index.php includes, i.e. in the headline, the name of the vendor. If you want to put very much effort into this you can generate that page from a bunch of router configuration sites so it doesn't look suspicious at all. Basically it is okay to present a white page with the vendor name in the title and pop up a JavaScript box saying that there are problems with the router and one should enter the password so it can be restarted. Clone the access point (with a slightly different MAC) as an open network. If someone gets into the network they should be routed to the index.php (use dnsspoof). Run a deauth attack on the original access point. Once the user recognizes he cannot connect to the original access point he might try the service access point provided by his router (which of course is yours and is fake). Maybe he won't be smart enough and enters the password there. A simple PHP form will save the password on your machine. Theoretically you could scan periodically for the password file and in response to its growing size you can stop the deauth.
Edited August 8, 2015 by whitenoise
digininja Posted August 8, 2015
You are taking their AP offline by the deauth, but why would they then connect to your AP? What is the service access point you mention?
digininja Posted August 8, 2015
The user would have to manually connect to the AP, as most supplicants won't drop to unauthenticated if they expect authentication.
digip Posted August 9, 2015
> The user would have to manually connect to the AP as most supplicants won't drop to unauthenticated if they expect authentication.
Not to mention, unless they are using a cafe hotspot or such and they expect to see a captive portal asking for a WPA password to get on (I've never seen one that asks for the actual WPA password itself, only a general-use password for the network via web portal), most home users (I would hope) should know what they did when they set up their own router and what the screens look like. This should be a red flag for any home user, but I imagine it works in some cases or tools wouldn't exist.
whitenoise Posted August 9, 2015
> You are taking their AP offline by the deauth but why would they then connect to your AP? What is the service access point you mention?
That's kind of a social engineering thing. People want to be connected and hate getting disconnected while chatting, for example. At least I'm quite sure most people I know get desperate and probably would have a look at their access point list. Once they see the cloned open one it might be worth a try to connect and see if the connection can be re-established. The service access point is the cloned fake access point which basically leads the user to a dynamically generated phishing page. I would not say it works in 100% of all cases. Also this is more a way to attack private networks and not, i.e., a network of a company. Yes, the user would have to connect manually ... act of desperation ;)
Edited August 9, 2015 by whitenoise
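The defender's counterpart to the setup discussed in the posts above (a second, open BSSID with a slightly different MAC advertising the SSID of a protected network) is a scanner that compares the security profile of every BSSID beaconing a given SSID. The following is an added example, not code from the thread or from any tool named in it; it assumes beacon frames have already been parsed into the dict fields shown, and the sample records, SSIDs and MAC addresses are constructed.

```python
"""Evil-twin / cloned-open-network detector run over constructed beacon records.

Added example for this thread, not code from any post or tool mentioned here.
It assumes beacon frames have already been parsed (for instance from a pcap)
into dicts with the fields below; the sample records are constructed.
"""
from collections import defaultdict

# Constructed sample: one record per beacon frame a scanner might log.
# "privacy" is the capability bit (any encryption), "rsn" is whether an RSN
# (WPA2) element was present, "rssi" is signal strength in dBm.
SAMPLE_BEACONS = [
    {"ssid": "HomeNet", "bssid": "00:11:22:33:44:55", "channel": 6,
     "privacy": True, "rsn": True, "rssi": -60},
    {"ssid": "HomeNet", "bssid": "00:11:22:33:44:55", "channel": 6,
     "privacy": True, "rsn": True, "rssi": -61},
    # Same SSID, MAC off by one octet, open, and much louder than the real AP.
    {"ssid": "HomeNet", "bssid": "00:11:22:33:44:56", "channel": 6,
     "privacy": False, "rsn": False, "rssi": -30},
    # Legitimate multi-AP cafe network: two radios, both open, sequential MACs.
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:dd:ee:01", "channel": 1,
     "privacy": False, "rsn": False, "rssi": -70},
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:dd:ee:02", "channel": 11,
     "privacy": False, "rsn": False, "rssi": -72},
]


def mac_distance(a: str, b: str) -> int:
    """Number of octets in which two MAC addresses differ (0 = identical)."""
    return sum(x != y for x, y in zip(a.lower().split(":"), b.lower().split(":")))


def find_evil_twins(beacons, known_good=None):
    """Flag BSSIDs that look like clones of an access point.

    known_good: optional {ssid: {bssid, ...}} allowlist for networks you own.
    Returns a sorted list of {"ssid", "bssid", "reasons", "mimics", "near_clone"}.
    """
    known_good = {s: {b.lower() for b in bs} for s, bs in (known_good or {}).items()}

    # Collapse repeated beacons into one security profile per (ssid, bssid).
    seen = defaultdict(dict)
    for b in beacons:
        seen[b["ssid"]][b["bssid"].lower()] = {"privacy": b["privacy"], "rsn": b["rsn"]}

    findings = {}

    def flag(ssid, bssid, reason, mimics):
        entry = findings.setdefault((ssid, bssid), {
            "ssid": ssid, "bssid": bssid, "reasons": [], "mimics": mimics,
            # A MAC differing in at most one octet from the AP it mimics is a strong signal.
            "near_clone": mac_distance(mimics, bssid) <= 1,
        })
        entry["reasons"].append(reason)

    def nearest(candidates, bssid):
        return min(candidates, key=lambda k: mac_distance(k, bssid))

    for ssid, aps in seen.items():
        protected = [b for b, p in aps.items() if p["privacy"]]
        wpa2 = [b for b, p in aps.items() if p["rsn"]]
        for bssid, prof in aps.items():
            # An open network using the SSID of a protected one is the classic evil twin.
            if protected and not prof["privacy"]:
                flag(ssid, bssid, "open network advertising the SSID of a protected network",
                     nearest(protected, bssid))
            # Encrypted but without RSN while siblings have it: WEP/WPA1-style downgrade.
            elif wpa2 and prof["privacy"] and not prof["rsn"]:
                flag(ssid, bssid, "protected without an RSN element while the same SSID offers WPA2",
                     nearest(wpa2, bssid))
            # Anything not on the allowlist for a network you administer.
            if ssid in known_good and bssid not in known_good[ssid]:
                flag(ssid, bssid, "BSSID not in the allowlist for this SSID",
                     nearest(known_good[ssid], bssid))
    return sorted(findings.values(), key=lambda f: (f["ssid"], f["bssid"]))


if __name__ == "__main__":
    for f in find_evil_twins(SAMPLE_BEACONS, known_good={"HomeNet": {"00:11:22:33:44:55"}}):
        print(f"{f['ssid']} {f['bssid']} (mimics {f['mimics']}, near clone: {f['near_clone']})")
        for r in f["reasons"]:
            print("  -", r)
```

On the constructed sample only the open `00:11:22:33:44:56` beacon is reported; the two open CoffeeShop radios with sequential MACs are not, because nothing about their security profile disagrees. The allowlist check is what catches a clone that copies the real AP's encryption settings exactly, which the profile comparison alone cannot see.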
vailixi Posted August 25, 2015
Hypothetically:
- create a fake access point
- have antenna on highest power setting so the client will log into your device, as most clients will attempt to log in on the closest or highest signal
- deauth client on actual access point
- client logs in on your access point
- use ARP spoofing
- use HTTP code injection, or maybe make the client think your package is an update
- own client machine
- steal stored WiFi passwords from compromised client
- profit
Edited August 25, 2015 by vailixi
barry99705 Posted August 25, 2015
> hypothetically: create a fake access point; have antenna on highest power setting so the client will log into your device as most clients will attempt to log in on the closest or highest signal; deauth client on actual access point; client logs in on your access point; use ARP spoofing; use HTTP code injection or maybe make the client think your package is an update; own client machine; steal stored WiFi passwords from compromised client; profit
Why would they connect to your AP? It's not going to autoconnect to your AP if it has the same name as the deauthed AP.
digip Posted August 25, 2015
> client logs in on your access point
How? Unless your AP can complete the 4-way handshake (which would require knowing the real password and having it set before learning the password; chicken, egg...), they will never authenticate or be able to connect. They'd have to be on the network for an ARP attack to take place.
vailixi Posted August 25, 2015
Is there a newer version of mana-toolkit? Was that forked into something else? Anybody using that lately?
digip Posted August 25, 2015
> Is there a newer version of mana-toolkit? Was that forked into something else? Anybody using that lately?
My understanding is that Mana is kind of like the Pineapple or Karma, except it automatically runs sslstrip. It won't help with WPA as far as I know, and lies more on impersonating open access points, but I could be wrong. It's not installed with Kali by default, but you can "apt-get install mana-toolkit" in older and 2.0 Kali.
vailixi Posted August 26, 2015
It would be nice to find a way to trick the client into logging in. Many mobile devices will log in on an access point that is familiar. But bear in mind it doesn't really need to authenticate. If the client manually hits the access point by mistake that will work just fine. Then I'll just exploit the client and dump the stored passwords. That was the idea anyway.
digip Posted August 26, 2015
> It would be nice to find a way to trick the client into logging in. Many mobile devices will log in on an access point that is familiar. But bear in mind it doesn't really need to authenticate. If the client manually hits the access point by mistake that will work just fine. Then I'll just exploit the client and dump the stored passwords. That was the idea anyway.
Maybe I'm the one missing something, but what device/softAP, even if you manually tried to associate with one that was not yours, would accept and be able to complete the 4-way handshake to make the password visible? Once the authentication mechanism fails because the listening AP can't complete the process, the client would drop the connection or vice versa. They'd both have to match in the case of WPA (and WEP, although WEP is easily cracked within minutes). Open access points, yeah, it's not an issue since there is no password requirement, and from there you'd be able to sniff their traffic, but getting them onto a rogue WPA access point I think is not possible. If someone has seen a way, I'd like to know, since this should become the most talked-about publicly known exploit for WPA since a Reaver pixie WPS attack.
vailixi Posted August 26, 2015
So if the access point you create has the same channel, BSSID, ESSID, everything, some network managers will automatically log in. This was a thing I saw a while back in some current-state-of-wireless-security SlideShare. Basically it was saying it's fixed in iPhones but not in other smart devices, with the way they probe. You basically take the probe and create an access point based on the probe information. Mana is a more current tool than Karma but it's essentially the same idea. I can spoof any and every access point within antenna range. For my hack I'm not going to get the client to log in or handshake or anything. I'm going to rely on either the network manager logging in automatically or the client mistakenly logging in manually. They will not need to authenticate with the actual password, because I'm just going to steal the passwords off of their machine once they are on the network. I tried it out for a minute but I was having numerous issues getting Mana to run on Kali 2.0. IDK, I'm in the midst of a couple of other projects and I think work is going to pick up. If I make this work I'll write up a tutorial. It's kinda like if you were already on the network: just fire up Subterfuge and use HTTP injection. Inject an applet into whatever page they are visiting with a Metasploit signed applet attack. Then dump the stored WiFi passwords from the machine post-exploit. Then you can log in. No collecting handshakes required. I noticed one of the applications I was running had a WiFi lock that would ask for your WPA key. You could always incorporate something like that as well. Only I'm thinking it's going to be easier with a spoofed access point because you're already in the middle. You're just forwarding traffic from one NIC to another so you can just intercept or inject whatever you want. Sorry if this is sounding vague. I'm going to have to hammer out the details at a later time.
Edited August 26, 2015 by vailixi
deadlyhabit Posted August 27, 2015
Wonder if, theoretically, you had the same BSSID, ESSID, channel etc., you could capture some of the needed data via Wireshark.
cooper Posted August 27, 2015
As digip already said in the second post of this topic, you can emulate the real AP to the point where the target will try to connect to you, but the 4-way handshake is there to prove to the other side, in both directions, that the password is known. So the device needs to prove knowledge of the password via a hashed message and the server needs to do the same. Since your fake AP doesn't have this password the client will refuse to connect to you. Your only recourse is to brute-force the crypto, which for a WPA2 device is, to put it mildly, a non-trivial challenge.
digininja Posted August 27, 2015
I'll also add that even if you get the WPA PSK and sniff traffic at the WiFi level, you won't be able to decrypt anything unless you captured the 4-way handshake for that user's session, as each session is protected by its own key which is negotiated during the handshake. You could do normal layer 2 ARP-style attacks though.
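The two posts above make two claims that are easier to see in code: the 4-way handshake proves knowledge of the password in both directions without ever transmitting it, and the key that protects a session depends on nonces exchanged in that handshake, so the PSK alone does not decrypt a session whose handshake was not captured. The model below is an added example, not code from the thread or from hostapd/wpa_supplicant. The PMK, PTK and MIC derivations follow the published 802.11i algorithms, but the EAPOL-Key frames are reduced to their nonce and MIC fields, so it is a model of the exchange rather than a parser for real captures; the SSID, passphrases and MAC addresses are constructed.

```python
"""Model of the WPA2-PSK 4-way handshake: why a fake AP never sees the passphrase.

Added example, not code from the thread. Key derivation follows IEEE 802.11i
(PBKDF2 for the PMK, the 802.11i PRF for the PTK, HMAC-SHA1-128 for the MIC),
but the EAPOL-Key frames are simplified to nonce + MIC, so this is a model only.
"""
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || i), truncated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (48 bytes for CCMP) bound to both MACs and both nonces, hence per session."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def key_mic(kck: bytes, body: bytes) -> bytes:
    """EAPOL-Key MIC: HMAC-SHA1 keyed with the KCK (first 16 bytes of the PTK), 128 bits."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def run_handshake(ssid, ap_passphrase, sta_passphrase, ap_mac, sta_mac,
                  ap_skips_check=False, rng=os.urandom):
    """Run the exchange between an AP and a station that may hold different passphrases.

    ap_skips_check models a rogue AP that cannot verify M2 and sends M3 anyway.
    Returns what each side concluded plus every byte a passive sniffer would see.
    """
    ap_pmk = derive_pmk(ap_passphrase, ssid)
    sta_pmk = derive_pmk(sta_passphrase, ssid)
    on_air = []

    # Message 1: AP -> STA, ANonce in the clear.
    anonce = rng(32)
    on_air.append(("M1", anonce))

    # Station derives its PTK and proves knowledge of the PMK with a MIC over M2.
    snonce = rng(32)
    sta_ptk = derive_ptk(sta_pmk, ap_mac, sta_mac, anonce, snonce)
    m2_body = b"M2" + snonce
    mic2 = key_mic(sta_ptk[:16], m2_body)
    on_air.append(("M2", m2_body + mic2))

    # AP derives its own PTK and checks the MIC; with the wrong PMK this fails.
    ap_ptk = derive_ptk(ap_pmk, ap_mac, sta_mac, anonce, snonce)
    ap_verified_m2 = hmac.compare_digest(mic2, key_mic(ap_ptk[:16], m2_body))

    sta_verified_m3 = completed = False
    if ap_verified_m2 or ap_skips_check:
        # Message 3: the AP must prove knowledge too (GTK delivery omitted in this model).
        m3_body = b"M3" + anonce
        mic3 = key_mic(ap_ptk[:16], m3_body)
        on_air.append(("M3", m3_body + mic3))
        sta_verified_m3 = hmac.compare_digest(mic3, key_mic(sta_ptk[:16], m3_body))
        if sta_verified_m3:
            m4_body = b"M4"
            on_air.append(("M4", m4_body + key_mic(sta_ptk[:16], m4_body)))
            completed = True

    return {"ap_verified_m2": ap_verified_m2, "sta_verified_m3": sta_verified_m3,
            "completed": completed, "sta_ptk": sta_ptk, "on_air": on_air}


if __name__ == "__main__":
    # Constructed values: SSID, passphrases and MACs are not from any real network.
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("aabbccddee01")
    good = run_handshake("HomeNet", "correct horse", "correct horse", ap, sta)
    rogue = run_handshake("HomeNet", "not the real one", "correct horse", ap, sta, ap_skips_check=True)
    print("real AP completed:", good["completed"])
    print("rogue AP: verified M2?", rogue["ap_verified_m2"], "client accepted M3?", rogue["sta_verified_m3"])
    print("bytes on air (rogue run):", sum(len(p) for _, p in rogue["on_air"]))
```

Nothing in `on_air` is derived from the passphrase except 16-byte keyed MACs over random nonces, which is what cooper means by "a hashed message": the rogue AP ends up with the same material a passive sniffer gets, and no more. Running the good case twice gives two different PTKs for the same passphrase, which is digininja's point about session keys.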
WPA3 Posted August 27, 2015
You could look into this; if the user is dumb enough they will enter the WPA key for you. https://github.com/vk496/linset
deadlyhabit Posted August 27, 2015
> As digip already said in the second post of this topic, you can emulate the real AP to the point where the target will try to connect to you, but the 4-way handshake is there to prove to the other side, in both directions, that the password is known. So the device needs to prove knowledge of the password via a hashed message and the server needs to do the same. Since your fake AP doesn't have this password the client will refuse to connect to you. Your only recourse is to brute-force the crypto, which for a WPA2 device is, to put it mildly, a non-trivial challenge.
But with the hashes, like in a pixie attack, we're getting closer.
cooper Posted August 27, 2015
In this particular context you're challenging the client, and I can assure you it has VASTLY better PRNGs than that 'cheaper than physically possible' dinky toy router you get from your ISP.
vailixi Posted August 27, 2015
> You could look into this; if the user is dumb enough they will enter the WPA key for you. https://github.com/vk496/linset
Nice.
digip Posted August 27, 2015
> Nice.
I suppose if the end user in question is a bit daft, then yes, phishing after jumping through hoops first is always possible when we have a user who is not paying attention to what happens to their connection, but it requires them to do certain things, such as manually typing in their password to a captive portal. The password will never send itself, though, since this handshake will never happen now, but requires the user to fall for the login page in their browser. I guess some people are not savvy enough to realize their AP password should be typed in the OS and not in a web page, but ok, I'll buy it. Downgrading them off WPA to an open AP would at least let you MITM their traffic, but you could do all of this setup with the Pineapple, airbase-ng, or Karma. http://null-byte.wonderhowto.com/how-to/hack-wi-fi-creating-evil-twin-wireless-access-point-eavesdrop-data-0147919/