
A WPA 2 karma attack (saved network handshaker )

Open minanagehsalalma opened this issue 4 years ago • 4 comments

As karma attacks work on saved open networks only and not on secured ones, we will need to have the password first to get it to work, although this seems a bit hard... The number of saved networks guarantees that there is one with a weak password... So we will need to make the karma attack start two networks for the targeted probe, one open and the second secured, and the victim will auto-connect to the one with the correct configuration with the saved (obviously correct) password, and we save that handshake together with the other handshakes captured from the same device, to brute force and break the ones with weak passwords.

minanagehsalalma avatar Jan 23 '20 00:01 minanagehsalalma

Hi minanagehsalalma, first of all thanks for your feedback.

The karma attack, generally, works correctly for all mobile devices; in fact, mobile devices connect automatically to open networks even if they already have a saved password for them. The case that you reported probably refers to desktop devices; in these cases, as you say, the best approach could be the aircrack-ng suite (to catch and decrypt the handshake). However, my script was designed to work with mobile devices, to attack on the fly; so I have written it following the KISS philosophy, with the minimal number of functions (i.e. lines of code). You could make me a pull request with your code so I can evaluate the idea of a merge. In any case, please report to me the OS against which my script fails, so I can understand the situation.

Please, write me again if you find the solution to your problem or if you find other problems. Bye :-)

Leviathan36 avatar Jan 26 '20 10:01 Leviathan36

> all mobile devices; in fact, mobile devices connect automatically to open networks even they already have a saved password for them.

Are you sure about this? Why would it connect to a network that isn't saved, just because its SSID or BSSID matches!?

> as you say, the best approach could be aircrack-ng suite (to catch and decrypt handshake).

Here is a similar repo, although it suggests that we do the part we are talking about manually: https://github.com/dxa4481/WPA2-HalfHandshake-Crack

> with the minimal number of functions (i.e. lines of code)

I think this won't add much to it, as it would be a couple of commands: airodump and airbase, then aircrack. And we can capture the probes directly using https://github.com/xdavidhu/probeSniffer and then loop over the output file.

The steps should be as simple as this:

1. Capture the probe requests.
2. Launch 2 versions of the SSIDs, one open and one secure. If it connects to the open one, put a red check mark on it (in the list of the probed networks), and if it connects to the secure one, capture the handshake and put a green check mark on it (in the same list).
3. After capturing a good number of handshakes, start brute forcing.
4. When it cracks a weak one.. broadcast it to get the victims connected.

@Leviathan36 thanks for your response ;)

minanagehsalalma avatar Jan 26 '20 13:01 minanagehsalalma
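From the defender's side, the two-variant setup discussed above (the same SSID advertised once open and once secured) is visible in ordinary beacon scans. The following is an added example, not code from this issue thread or from the project, that flags that pattern over constructed sample beacon data; the MAC addresses, network names and the "many SSIDs from one BSSID" threshold are all assumptions, and a real deployment would feed it parsed scan output instead of the inline list.

```python
"""Added example (not part of this issue thread or the project's code).

Flags two beacon patterns a defender would want to notice, using constructed
sample data rather than a live capture:

  1. one SSID advertised with more than one security type (e.g. both open
     and WPA2), which is what the two-variant setup described above would
     look like from the client's side;
  2. one BSSID advertising many unrelated SSIDs, a heuristic for an AP that
     answers whatever name clients probe for (the threshold is an assumption).
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Beacon(NamedTuple):
    bssid: str      # transmitter MAC
    ssid: str       # network name
    security: str   # "open", "wpa2", "wpa3" (normalised by the caller)


# Constructed sample observations; the MACs and names are made up.
SAMPLE_BEACONS: List[Beacon] = [
    Beacon("aa:bb:cc:00:00:01", "HomeWiFi", "wpa2"),
    Beacon("aa:bb:cc:00:00:01", "HomeWiFi", "wpa2"),      # repeated beacon
    Beacon("de:ad:be:ef:00:10", "HomeWiFi", "open"),      # same name, open
    Beacon("de:ad:be:ef:00:11", "HomeWiFi", "wpa2"),      # same name, second variant
    Beacon("de:ad:be:ef:00:10", "CoffeeShop", "open"),
    Beacon("de:ad:be:ef:00:10", "Airport_Free", "open"),
    Beacon("de:ad:be:ef:00:10", "Hotel-Guest", "open"),
    Beacon("11:22:33:44:55:66", "OfficeNet", "wpa3"),
]


def ssids_with_mixed_security(beacons: Iterable[Beacon]) -> Dict[str, Set[str]]:
    """Return {ssid: {security types}} for every SSID seen with more than one type."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for b in beacons:
        seen[b.ssid].add(b.security)
    return {ssid: types for ssid, types in seen.items() if len(types) > 1}


def bssids_with_many_ssids(beacons: Iterable[Beacon], threshold: int = 3) -> Dict[str, Set[str]]:
    """Return {bssid: {ssids}} for transmitters advertising >= threshold distinct names.

    The threshold is an assumption. Legitimate multi-SSID APs usually use a
    distinct BSSID per network, so one MAC carrying many names is worth a look.
    """
    per_bssid: Dict[str, Set[str]] = defaultdict(set)
    for b in beacons:
        per_bssid[b.bssid].add(b.ssid)
    return {bssid: names for bssid, names in per_bssid.items() if len(names) >= threshold}


def report(beacons: Iterable[Beacon]) -> List[str]:
    """Human-readable findings, one line each, suitable for logging or alerting."""
    beacons = list(beacons)
    lines: List[str] = []
    for ssid, types in sorted(ssids_with_mixed_security(beacons).items()):
        lines.append(f"SSID {ssid!r} advertised with mixed security: {sorted(types)}")
    for bssid, names in sorted(bssids_with_many_ssids(beacons).items()):
        lines.append(f"BSSID {bssid} advertises {len(names)} SSIDs: {sorted(names)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_BEACONS):
        print(line)
```

The mixed-security check is the direct counterpart of the proposal in the comment: a client that sees its saved name under two security types is being offered a choice it never configured, and that is the moment a monitoring station should raise an alert. The second heuristic is looser and will need tuning per environment.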

Hi minanagehsalalma,

> Are you sure about this ? Why would it connect to a not saved network that just it's ssid or bssid matches !?

I read about it here: https://null-byte.wonderhowto.com/how-to/hack-wi-fi-creating-evil-twin-wireless-access-point-eavesdrop-data-0147919/. In the comment section, someone says that this approach doesn't work; so I've just retried the script and I found the problem: I saved an open network with the same name that I used for the fake AP; this is why it worked for me (sorry XD).

It is necessary to add the feature that you proposed, but I don't think that a couple of lines are sufficient. If you want to write reliable code you need to add more than two lines. If you want, you could try to code this piece of script and make me a merge request ;). I wrote something similar in my first repository: https://github.com/Leviathan36/wifibang. Now I'm too busy to work on it, maybe in the future. I also found a bug in the select_target() function. I will report it in the issue section.

> And we can capture the probs directly using https://github.com/xdavidhu/probeSniffer

I'd avoid adding external repositories to this. The code must be entirely written in bash with the least amount of external (non-native) software; this is an important requirement to simplify the installation. It also must be simple to read, so anyone can read it and trust it.

Thank you so much for this issue. Please write me again if you find others. Bye :-)

Leviathan36 avatar Feb 02 '20 17:02 Leviathan36

> I saved an open network with the same name that I used for the fake AP; this is why it worked for me (sorry XD).

Yup, I knew it, no problem..

> I'm too busy to work on it, maybe in the future

So am I... Maybe in the late months of this year or the next..

> Thank you so much for this issue.

You are welcome

minanagehsalalma avatar Feb 02 '20 17:02 minanagehsalalma