Portable Handshake grabbing device.

[Onus]

Hello all.  I have been a fan of the hak5 team for a while and over the last 2-3 years have collected pretty much everything in the hak5  shop. I have all the things that do the things. ?

Recently during a fever dream, I imagined that I had a new device. One that magically grabbed 4 way WPA handshakes with the push of a button and was small enough to hold in my tiny pen testing fist. We have all been there right? We know there is a network with clients but we are just too far away to effectively do a deauth airodump attack.  Sure we could get closer and open our Linux laptop, plug in a wonky antenna and fire up a couple terminals, but as if our hoody wasn't enough of an indication, now we'd really be drawing attention. Ok maybe we all haven't been there but at least I have and when I awoke from that fever dream I thought to myself, damn why didn't I think of this sooner.  I need this thing to be as real as all my other things.  

Anyway, I went right to my work bench and started soldering away.  I have started a GitHub repo for this thing that I'm tentatively calling FistBump.  It's in it's beta stage for sure and a fairly simple device really, but would love some feedback.

Please be constructive with your feedback, it's my first try at prototyping my own device. 

https://github.com/eliddell1/FistBump

Edited October 28, 2018 by Onus

[b0N3z]

why not just use your Pineapple Nano with a script to run besside-ng with the button script?  

[Onus]

Well I could use besside-ng in my script sure, instead of aircrack suite directly.  I really just wanted a handshake device. I love my nano and my tetra but some times it's a little more like a flame thrower in that unless I manually set it specifically for this task in advance it's likely going to start broadcasting open APS.  This device would serve just that one purpose and merely needs to be powered on and it's ready to go.  Plus I wanted to build something!

 

[icarus255]

Some initial thoughts:

Positives:

* Doesn't look like a sinister wifi exploitation device ?

* Seems easy to use (after you remember all the different colour codes);

* Could be a solution for some automated handshake capturing without needing a gui or terminal to punch in commands;

Negatives:

* There are many automated wifi tools out there already (as bonez mentioned) so could be some tough competition if you're planning on commercialising this;

* Seems a bit reckless to deauth anything that comes your way i.e. can you just leave it in monitor mode and switch to deauth attacks at a certain point in time?;

* Deauth attacks are becoming less effective with protected management frames;

Suggestions:

* Why not use hcxdumptool to also incorporate PMKID attacks? You will be able to target more devices i.e. client-less APs and have additional attacks to deauth.

 

I like it for the look and the concept so you have my blessing (whatever that's worth) ?

[Onus]

@icarus255 all very good feedback and thank you. 

To your negatives:

* I am NOT looking to commercialize it.  Really just built it for fun and to play around / make use of the plethora of pi zeros i have laying around.   thus the github repo.

* yeah i thought about that.  That is why it only deauths for like 10 seconds on APs with clients and then reverts back to a ready mode. with no attacking.  I wanted to make it as automated as possible. I guess i could make the deauth specific to a client on that AP instead of the AP itself.. (thoughts?) The use case i imagine is that you have a target and you know you can physically get rather close to the router and hang there for a minute.  You get close, press the trigger, it grabs BSSIDs with clients (sorted by power/strength) does a quick 30 second deauth attack and goes back to ready mode.. you walk away.. The indicators just let you know if you caught valid handshake or if you need to try again..

* Noted.. but in my experience this attack is still very effective,

To your suggestion:  I absolutely thought about the hcxdumptool/PMKID attacks and i have been experimenting with them.  There are a lot of variables time wise involved and by that i mean it can take a considerable amount of time to capture a PMKID.  I did notice though that it seems to capture handshakes as well, and  a bit more passively, though i have not got as far as sorting handshakes and pmkid.  Also in my experiments i am not getting hashcat to crack the pmkid in most cases even with a short list that includes the known pw.  Maybe  next revision. 

blessings always welcome as is the constructive feedback.. again thank you.

 

Edited October 28, 2018 by Onus

[Onus]

@icarus , looking into hcxdumptool a little further this morning, i am seeing that i indeed am getting and able to sort handshakes and pmkid with rather ease.  Im wondering though how that tool gets handshakes?  is it passive? does it still use deauths?   I will have to investigate a little more as to how long on average i should let it run, and if i there is an efficent way for me to monitor it.  Definitely going to migrate in that direction..  Now that i really look into it, it definitely seems a bit more robust and would make my attack script rather clean.

thanks again

 

[icarus255]

All good my friend. I'll just say that I'm not a professional pen-tester or anything so keep my feedback in context ? 

17 minutes ago, Onus said:

I wanted to make it as automated as possible. I guess i could make the deauth specific to a client on that AP instead of the AP itself.. (thoughts?) 

I think you have the right idea already in terms of keeping it simple and for what you need. I was just saying that's the disadvantage of having it automated. Aircrack user guide says that deauths work better against associated clients rather than broadcast deauth (which can sometimes be ignored by clients). I had successes using both methods in my limited experience.

31 minutes ago, Onus said:

capture handshakes as well, and  a bit more passively, though

hcxdumptool can be very aggressive and it will do deauth attacks on any authenticated AP/client it finds by default. It also does passive collection of handshakes as well.

The default setting is basically a scatter gun approach where it will try every attack that it can on any AP and clients in range (regardless of whether they are associated or not). It will literally try to hack the neighborhood if you don't use any filters or specify which attacks you want to carry out.

I cracked a few known and unknown PSKs on hashcat -m 2500 and -m 16000 (or whatever MPKID is) captured with hcxdumptools so I can verify that it works (example from my PMKID potfile below).

dd85857fda9d49f79344a055926333cd*000c42d54356*f0a2257ca5c3*4d696b726f54696b2d443534333536:Test1234

I've even captured a plaintext pass with it but I don't know if that's because the PSK was the bssid or if it was because of anything that hcxdumptools did (I only used it a couple of times so not an expert in how it works). The biggest drawback I found with hcxdumptools is that it doesn't output the essids to the potfile so you have to manually match mac addresses or run some scripts to match it all up. Can be a headache if you have multiple pcap files and potentially dozens/hundreds of PMKIDs.

I think the new aircrack version comes with PMKID attack as well but if you're after automation, I recommend giving hcxdumptool a 2nd chance. It's very particular about the wifi drivers/chipsets so just check yours against the compatible list first.

[icarus255]

27 minutes ago, Onus said:

@icarus , looking into hcxdumptool a little further this morning, i am seeing that i indeed am getting and able to sort handshakes and pmkid with rather ease.  Im wondering though how that tool gets handshakes?  is it passive? does it still use deauths?   I will have to investigate a little more as to how long on average i should let it run, and if i there is an efficent way for me to monitor it.  Definitely going to migrate in that direction..  Now that i really look into it, it definitely seems a bit more robust and would make my attack script rather clean.

thanks again

 

Yea I liked it as well and I don't normally like automated wifi tools like wifite etc. It just seems to be efficient in terms of trying all the possible attack vectors against so many targets and in such a short amount of time. You can change the attack parameters to only passive ones or not do deauth etc so those could maybe the options on the buttons of your device.

When you convert the captured handshakes/PMKIDs use the following:

hcxpcaptool -P plainmasterkeys.txt -E outputwordlist.txt -I identitylist.txt -U usernames.txt -o wpa2handshakes.hccapx yourhcxdumptoolfile.cap

That's how I found the plaintext pass.

I got a couple of 1080x lying around so let me know if you have a large list of handshakes and/or PMKIDs you want me to run against some dictionaries or some digit combos. A list of handshakes and PMKIDs from your devices that is...

Peace out brother ?

[Onus]

Lol yeah I have a rig set up with 3 1080s and 5 1070s so I'm all set.  But thanks. FYI I was just about done migrating to hxcdump and then I corrupted my boot image while trying to fix an auto mounting USB issue.. lol, but it was considerably cleaner and faster.  Update coming soon 

Edited October 28, 2018 by Onus

[icarus255]

lol fair enough. It sounds like I should be hitting YOU up for some cracking power ?

Yes, please keep me posted with updates.

[Onus]

@icarus255 Here is your first update.  I have migrated to hcxdump and published my first major version! Thanks again for inspiring me to take another look at that tool set. It proved to be a huge improvement in so many ways.

And as a thanks for your constructive feedback, by all means feel free to throw some hashes my way, that won't kill my electric bill with some unreasonable permutations that take a year or 11, lol

 

[icarus255]

lol i was jk but thanks for the offer anyway. I'm just glad I could help a fellow hak5 member. I learnt a lot from the forum posts here and the hak5 tools over the last couple of years so just glad that I could give back to the community.

[Onus]

D!tt0

[Newbier]

Hi see if this night tickle your fancy https://null-byte.wonderhowto.com/how-to/automate-hacking-raspberry-pi-with-usb-rubber-ducky-0177088/