WPA2 encrypted network impersonation


I have recently purchased a WiFi Pineapple Nano and was wondering if it was possible to not only impersonate open WiFi networks, but also encrypted ones, by accepting whatever password is first entered.

I have attempted to do some quick research about WiFi standards, but did not really find anything about that.

What is stopping this from being done? Is the PSK saved on the device, rendering the pineapple useless?


If it's WPA (not WPA2) and using TKIP, it might be possible to get at the password in the same way you would crack WEP. WPA2 requires the cracking of the password via brute force of the 4-way handshake. You can always impersonate an AP's SSID, but if the client is expecting something like WPA2, and you're an open AP, they won't send you the WPA2 password. They'd still look for the 4-way handshake to take place, but it won't prevent them from connecting to your AP. You can try a downgrade attack, forcing them onto your device's open AP, but you'd have to be actively jamming their expected AP and overpowering the signal, which if it's a home router, their signal is more than likely closer than you. Cafe and public wifi would be a bit different since you'd have more wiggle room to sit between the client and their expected AP, making the pineapple a much more desirable way of siphoning devices actively probing for home networks and the pineapple saying "yes, I am your home router" or such.

In recent years, WPS has been the quickest attack method for WPA/WPA2 networks without knowing the password, and the pixie dust attack combined with tools like reaver, or literally just running a single tool wifite, will make this dead simple so long as devices are vulnerable.

This article explains a lot on the history side of things and might help: http://security.blogoverflow.com/2013/08/wifi-security-history-of-insecurities-in-wep-wpa-and-wpa2/

I believe Offsec also has a video out somewhere, that shows how to attack WPA2 Enterprise but I don't have a link handy.


As 'cooper' advises, referencing digip, in the post linked by Just_a_User above...


As digip already said in the second post of this topic, you can emulate the real AP to the point where the target will try to connect to you, but the 4-way handshake is there to prove to the other side, in both directions, that the password is known. So the device needs to prove knowledge of the password via a hashed message and the server needs to do the same. Since your fake AP doesn't have this password the client will refuse to connect to you. Your only recourse is to brute-force the crypto which for a WPA2 device is, to put it mildly, a non-trivial challenge.


If you want to clone an Access Point and make stations (devices) connect to it without issue, the fake AP must:

  • Have the same SSID
  • Have the same encryption
  • Have the same password
  • (usually) Have the same MAC address
  • Have a stronger signal than the original AP, or you can block/deauth the original AP long enough for the stations to connect to you instead.


So, step 1 for you will be to find out the password for the original AP.

Edited by haze1434
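To make the handshake point in the quoted post concrete, here is an added example (not code from any poster, the Pineapple, or hostapd) that models the WPA2-Personal key derivation and the EAPOL MIC checks of the 4-way handshake: the PMK comes from the passphrase and SSID, the PTK from the PMK plus both MACs and nonces, and each side's MIC only verifies when the other side derived the same PMK. The MAC addresses, nonces, passphrases and the EAPOL frame bodies are constructed stand-ins, not captured traffic.

```python
import hashlib
import hmac

# Constructed sample values (not from any real network)
AP_MAC = bytes.fromhex("02a1b2c3d4e5")
STA_MAC = bytes.fromhex("0611223344aa")
ANONCE = bytes(range(32))        # 32-byte nonce the AP sends in message 1
SNONCE = bytes(range(32, 64))    # 32-byte nonce the station sends in message 2


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # IEEE 802.11i PRF-512: PTK = HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || B || i)
    # with B = min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]  # KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48] for CCMP


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # WPA2/CCMP: MIC = HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def four_way_handshake(ap_passphrase: str, sta_passphrase: str, ssid: str):
    """Return (ap_accepts_msg2, sta_accepts_msg3) for the given AP and station passphrases."""
    ap_kck = prf_512(pmk_from_passphrase(ap_passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    sta_kck = prf_512(pmk_from_passphrase(sta_passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    # Message 2 (STA -> AP): constructed EAPOL-Key body carrying SNonce, MIC field zeroed
    msg2 = b"EAPOL-Key msg2 " + SNONCE + bytes(16)
    ap_accepts = hmac.compare_digest(eapol_mic(sta_kck, msg2), eapol_mic(ap_kck, msg2))
    # Message 3 (AP -> STA): constructed body carrying ANonce; the STA checks the MIC before installing keys
    msg3 = b"EAPOL-Key msg3 " + ANONCE + bytes(16)
    sta_accepts = hmac.compare_digest(eapol_mic(ap_kck, msg3), eapol_mic(sta_kck, msg3))
    return ap_accepts, sta_accepts


if __name__ == "__main__":
    print("genuine AP:", four_way_handshake("correct horse", "correct horse", "HomeNet"))
    print("clone without PSK:", four_way_handshake("guessed password", "correct horse", "HomeNet"))
```

The second call is the situation in the question: a clone that does not know the PSK derives a different PMK, so it can neither validate the station's message 2 nor produce a message 3 the station will accept, which is exactly why step 1 is obtaining the original password.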
