3.9 AP-less attack against WPA/WPA2
- In previous practices, WPA/WPA2 was cracked after capturing the 4-way handshake between the AP and the client.
- Now it will be shown how to crack WPA/WPA2 using only the client, with no access point. In this case the complete 4-way handshake is not necessary, because knowing 2 of its packets (either the pair 1 and 2, or the pair 3 and 4) is enough. To achieve that goal, the first step is to create a honeypot to which the client will try to connect; the honeypot sends message 1 and receives the client's answer, message 2.
- Let's remember a previous picture:
- The attacker "kali" creates a honeypot imitating the legitimate AP, with the same ESSID "spaniard" and MAC address 00:25:F2:9B:91:23 (both easily learnt with airodump-ng):
- Also, airodump-ng creates a file called sinAP.cap, where all the interesting packets will be stored:
- The victim "roch" connects to the honeypot and associates to it, in the false belief that it has connected to the legitimate AP:
- airodump-ng detects the association of the victim "roch":
- Also, the file sinAP.cap is created:
- Next, the brute-force attack is launched with aircrack-ng:
- A few instants later, the key is found:
- This practice is even lighter than the previous practices for finding the WPA/WPA2 key, because fewer steps are involved. The legitimate AP has not been used at all, since no deauthentication packets have been sent to it.
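Because the legitimate AP never takes part in this practice, the only place the attack is visible is on the air: a second radio beaconing the ESSID "spaniard" (here even with the cloned BSSID 00:25:F2:9B:91:23) next to the real one. The script below is an added example of the wireless-IDS checks a defender would run over such beacon observations; it is not part of the practice and does not come from airodump-ng or aircrack-ng. It assumes an inventory of legitimate APs (ESSID, BSSID, channel) and a beacon log with the AP's TSF timestamp; every record in it is constructed for illustration.

```python
"""Rogue-AP (honeypot / evil-twin) detector over constructed beacon observations.

Added example, not part of the original practice. Assumes a hypothetical
inventory of legitimate APs and a list of beacon records of the kind a
monitor-mode tool produces (BSSID, ESSID, channel, TSF); all values below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str
    essid: str
    channel: int
    tsf: int  # AP timestamp in microseconds, increases monotonically for one radio


# Assumed inventory of legitimate APs (constructed; one AP taken from the practice).
LEGIT_APS = {
    "00:25:F2:9B:91:23": {"essid": "spaniard", "channel": 6},
}

# Constructed beacon log. Beacons 3 and 4 are the suspicious ones:
#  - an unknown BSSID advertising the known ESSID (classic evil twin)
#  - the legitimate BSSID cloned on another channel, with a TSF that restarted
OBSERVED = [
    Beacon("00:25:F2:9B:91:23", "spaniard", 6, 10_000_000),
    Beacon("00:25:F2:9B:91:23", "spaniard", 6, 10_102_400),
    Beacon("00:11:22:33:44:55", "spaniard", 11, 500_000),
    Beacon("00:25:F2:9B:91:23", "spaniard", 1, 700_000),
    Beacon("00:25:F2:9B:91:23", "spaniard", 6, 10_204_800),
]


def detect_rogue_aps(beacons, inventory, tsf_tolerance_us=1_000_000):
    """Return a list of (reason, bssid, channel) alerts for suspicious beacons.

    Checks, per beacon:
      unknown-bssid-known-essid : ESSID belongs to the inventory but BSSID does not
      essid-mismatch            : known BSSID beaconing a different ESSID
      channel-mismatch          : known BSSID seen on a channel other than its own
      tsf-went-backwards        : known BSSID whose TSF jumped back by more than
                                  tsf_tolerance_us, i.e. two radios share the BSSID
    """
    alerts = []
    last_tsf = {}
    known_essids = {ap["essid"] for ap in inventory.values()}
    for b in beacons:
        legit = inventory.get(b.bssid)
        if legit is None:
            if b.essid in known_essids:
                alerts.append(("unknown-bssid-known-essid", b.bssid, b.channel))
        else:
            if b.essid != legit["essid"]:
                alerts.append(("essid-mismatch", b.bssid, b.channel))
            if b.channel != legit["channel"]:
                alerts.append(("channel-mismatch", b.bssid, b.channel))
            prev = last_tsf.get(b.bssid)
            if prev is not None and b.tsf + tsf_tolerance_us < prev:
                alerts.append(("tsf-went-backwards", b.bssid, b.channel))
        last_tsf[b.bssid] = b.tsf
    return alerts


def suspect_bssids(beacons, inventory):
    """Set of BSSIDs that raised at least one alert."""
    return {bssid for _, bssid, _ in detect_rogue_aps(beacons, inventory)}


if __name__ == "__main__":
    for reason, bssid, channel in detect_rogue_aps(OBSERVED, LEGIT_APS):
        print(f"{reason:28s} bssid={bssid} channel={channel}")
```

The channel and ESSID checks catch a honeypot that differs from the legitimate AP in any advertised attribute; when the clone sits on the same channel with the same BSSID, as in this practice, only the TSF discontinuity check fires, because two radios cannot keep one monotonically increasing timestamp. Note that detection does not stop the capture: the client volunteers message 2 to whichever AP answers, so the passphrase strength (or WPA3-SAE, which does not allow offline dictionary attacks on a captured exchange) is what limits the subsequent aircrack-ng step.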