Jump to content
Rainman_34

WPA Attack

Recommended Posts

I am working on a project for work that will allow me to essentially do a pineapple type attack against a computer looking for a WPA protected network.  Is there any way to do this other than having another router with the same SSID and password and a stronger signal strength.  I need a router to accept whatever password the computer sends to it or send an open network wirelessly to the computer so the computer looks for that open network.  Thanks for the help with this.

Share this post


Link to post
Share on other sites

What I am wanting to do is I know there is a computer on a network that only looks for one wifi ssid.  I can kick that computer off the network but I can't get the password for that network.  The network is WPA protected and I want to kick the computer off the network and make the computer see my router and connect to it instead without knowing the correct WPA password. If that is not possible I want to, without access to the computer, make the computer start looking for an open unprotected network so I can make it connect to my pineapple then.  This computer has vital information on it for the company and I need to try and get a couple of files off of it.

Share this post


Link to post
Share on other sites
46 minutes ago, mojo0243 said:

I can kick that computer off the network but I can't get the password for that network.  The network is WPA protected and I want to kick the computer off the network and make the computer see my router and connect to it instead without knowing the correct WPA password.

You should be able to use the pineapple to capture the handshake and then crack the password that way.  Then you can setup a AP that has the correct password ready.  You can't do it without knowing the correct password because of how the 4way handshake works.

47 minutes ago, mojo0243 said:

without access to the computer, make the computer start looking for an open unprotected network so I can make it connect to my pineapple then.

Impossible as far as i'm aware.  That sensepost that Zylla mentioned looks cool, but I don't believe it's doing what you are trying to do.  Seems like a variation on PineAP with some additional mitm tools built on (some of which are already modules in pineapple) but still can't make a system connect without the system already looking for an open SSID or knowing the password so you can reply with the correct other half of the 4way handshake.

51 minutes ago, mojo0243 said:

This computer has vital information on it for the company and I need to try and get a couple of files off of it.

This makes it sound like what you may be trying to do is illegal, especially since you don't have access to the computer nor the password for the wireless it's connecting to.

Share this post


Link to post
Share on other sites

I understand why you feel my post may sound illegal.  The reason I don't have access to the computer or know the password is it is a pentest I am working on for my organization.  It is perfectly legal and I have written approval to conduct the test.  I was unaware that the pineapple could capture the attempted 4 way handshake by itself.  I knew with a computer and aircrack I can capture the 4 way handshake.  Unfortunately due to non-disclosure agreements I can't really give you any details about current project.

Share this post


Link to post
Share on other sites
30 minutes ago, mojo0243 said:

I understand why you feel my post may sound illegal.  The reason I don't have access to the computer or know the password is it is a pentest I am working on for my organization.  It is perfectly legal and I have written approval to conduct the test.

NP, just mentioning it because they are pretty strict on the forums about that stuff.  Sounds all good to me.

30 minutes ago, mojo0243 said:

I was unaware that the pineapple could capture the attempted 4 way handshake by itself.  I knew with a computer and aircrack I can capture the 4 way handshake.

I believe it's Site Survey module that can do deauth and capture through the interface.  Or you can run the aircrack-ng suite through ssh if you prefer to go that route   I've gotten a few captures with the module though so I can attest it works as advertised :)

Cracking it obviously has to be done on something more powerful, but there is another module where you can upload that capture file to online hash crack (i believe it's called, never used it myself)  But since you are on a targeted attack, it may be better to build the rainbow tables for the ssid yourself and try cracking it yourself.  I've never tried that so I won't be able to help much past that but from what I understand if you know the ssid and have access to a decent hashing machine you would be better off going this route with hashcat or if you think it might be on a dictionary list trying that route.

Share this post


Link to post
Share on other sites

You should be able to capture the handshake by setting up a fake AP with the same SSID and the same encryption, and at the same time forcing the STA off the real AP, while capturing the network traffic.

  • Upvote 1

Share this post


Link to post
Share on other sites

If you want to capture a handshake of an existing access point you can ssh to the pineapple and use the aircrack-ng tools to capture a handshake.  Once captured you would then crack it with something like hashcat.  You can also use the site survey module which provides a GUI interface to capture the handshake.

Setting up a fake AP is usually done to perform man in the middle attacks and not for handshake grabbing.   When you tell the pineapple to advertise your fake AP it will do so without encryption.  This is due to the fact that you cannot setup a WPA/WPA2 PSK access point as you do not have the passphrase.  

Share this post


Link to post
Share on other sites
22 hours ago, Zylla said:

You should be able to capture the handshake by setting up a fake AP with the same SSID and the same encryption, and at the same time forcing the STA off the real AP, while capturing the network traffic.

But how is the client supposed to connect to the fake but encrypted AP?

 

Share this post


Link to post
Share on other sites
19 minutes ago, Foxtrot said:

But how is the client supposed to connect to the fake but encrypted AP?

 

The client is probing for a specific ESSID, and will try to connect if the encryption matches the original AP. (wpa/wpa2)
But if the client is already connected, you will need to deauth it from the AP, while at the same time serving a fake AP.
You should also not be to far away from your target. (Good signal strength=WIN)

Then on to the "magic":
We must capture a WPA four-way handshake to get all the required variables to crack it: the A-nonce, the S-nonce, the client, the AP MAC addresses, and the MIC.

It is not necessary to complete the four-way handshake though, because all these variables are exchanged in the first two packets, and the AP does not need to know the pre-shared key, as can be seen in this pic:
bnEYoM4.jpg

Example fake AP with airbase:

airbase-ng -c 1 -e MYSSID -F wpa -z 2 -W 1 wlan0mon  (WPA+TKIP)
airbase-ng -c 1 -e MYSSID -F wpa -Z 4 -W 1 wlan0mon  (WPA2-CCMP)
-z option means WPA, -Z option means WPA2. 2 means TKIP, and 4 is CCMP encryption.

- Collect handshake as usual
- PROFIT??? ^^

  • Upvote 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...