
MANA WPA 2 Options (handshakes)

Dominic White edited this page Aug 5, 2024 · 5 revisions

MANA WPA/2 Options (handshakes)

Pre-shared key networks can have their password cracked if you capture enough of the WPA/2 4-way handshake. Typically, this is done by watching stations connect to the actual target network and capturing the handshake that way. However, it’s possible to create a rogue AP with the same name as the target and capture the first two messages of the handshake exchanged when a client attempts to connect to it. You won’t see the next two messages, as the AP and station don’t have the same key configured (since we don’t know it), but the first two are enough to crack it.

This isn’t new; airbase-ng documented it years ago. Now you can do it all in one tool without needing monitor mode captures, multiple devices, and messy format conversions.

Capture handshakes

mana will output captured handshakes to the terminal like this:

MANA: Captured a WPA/2 handshake from: 22:5e:dc:49:b7:aa
MANA WPA2 HASHCAT | WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*00

mana can write them to a file, ready to be cracked. You can enable this with the following config option:

mana_wpaout=wpa.creds

This will append handshakes to the file wpa.creds in hashcat’s WPA-PBKDF2-PMKID+EAPOL format (-m 22000) like this:

[WPA2-EAPOL HASHCAT]    WPA*02*024022795224bffca545276c3762686f*6466b38ec3fc*225edc49b7aa*54502d4c494e4b5f484153484341545f54455354*10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e*0103007502010a0000000000000000000148ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac028000*00

Previously, mana wrote hashcat’s mode 2500 hccapx binary format, but that mode was deprecated along with the hccapx format.

Warning
At the moment, this only works if mana mode is disabled, because when mana is enabled we can’t be sure which SSID was being connected to. You can usually work this out from context (you’d see a device probe for foo and then attempt to associate), but I haven’t implemented it in code yet. Contributors always welcome...

Cracking handshakes

hashcat documents how to crack these handshakes here.

Cracking optimisations

The handshake was designed to be hard to crack in this way, so don’t expect it to happen quickly. I usually recommend trying to find the key another way, since a shared secret is usually a bad secret (call the helpdesk and ask?).

The mana_wpaout file has a header on purpose, so you don’t feed multiple handshakes for the same network to hashcat and consume expensive cracking time. Make sure to extract the right handshakes to crack.
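As an added illustration (not mana’s own code and not from this page), the following Python reads a mana_wpaout file, strips the header, decodes the 22000 fields, checks that the captured EAPOL frame is the client’s message 2, and keeps one handshake per network so the same network isn’t submitted for cracking twice. The sample file content is constructed from this page’s example line plus two made-up lines; the Constructed_AP network, the aa:bb:cc:dd:ee:ff client, and the function names are assumptions.

```python
HEADER = "[WPA2-EAPOL HASHCAT]"  # mana prepends this to every mana_wpaout line
# This page's example line (hashcat's -m 22000 sample), one field per entry: WPA*type*MIC*AP*client*ESSIDhex*ANONCE*EAPOL*msgpair
PAGE_LINE = "*".join([
    "WPA", "02",                                   # 02 = EAPOL entry (01 would be a PMKID)
    "024022795224bffca545276c3762686f",            # MIC taken from message 2
    "6466b38ec3fc", "225edc49b7aa",                # AP MAC, client MAC
    "54502d4c494e4b5f484153484341545f54455354",    # ESSID as hex
    "10e3be3b005a629e89de088d6a2fdc489db83ad4764f2d186b9cde15446e972e",  # ANONCE (message 1)
    "0103007502010a" + "0000" + "0000000000000001"                      # EAPOL-Key hdr, key len, replay
    + "48ce2ccba9c1fda130ff2fbbfb4fd3b063d1a93920b0f7df54a5cbf787b16171"  # SNONCE
    + "00" * 48 + "0016"                                                # IV/RSC/ID/MIC zeroed, key data len
    + "30140100000fac040100000fac040100000fac028000",                    # RSN IE
    "00",                                          # message pair 00 = M1+M2
])
# Constructed extra lines: a second client on the same network, and a second made-up network.
_f = PAGE_LINE.split("*")
SECOND_CLIENT = "*".join(_f[:2] + ["11" * 16, _f[3], "aabbccddeeff"] + _f[5:])
OTHER_NET = "*".join(_f[:3] + ["020000000001", "aabbccddeeff", b"Constructed_AP".hex()] + _f[6:])
SAMPLE_WPAOUT = "".join(f"{HEADER}    {l}\n" for l in (PAGE_LINE, SECOND_CLIENT, OTHER_NET, PAGE_LINE))

def eapol_message(key_info):
    """4-way-handshake message number for an EAPOL-Key key_info value (0 = unrecognised)."""
    ack, mic, install, secure = key_info & 0x80, key_info & 0x100, key_info & 0x40, key_info & 0x200
    if ack and not mic:
        return 1
    if mic and not ack and not install:
        return 4 if secure else 2
    return 3 if (ack and mic and install) else 0

def parse_line(raw):
    """Strip mana's header and decode one hashcat 22000 line into its fields."""
    line = raw.strip().removeprefix(HEADER).strip()
    f = line.split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] != "02":
        raise ValueError("not a hashcat 22000 EAPOL line")
    eapol = bytes.fromhex(f[7])
    # EAPOL: version(1) type(1)=3 length(2) | Key: descriptor(1) key_info(2) ...
    if eapol[1] != 3 or len(eapol) != 4 + int.from_bytes(eapol[2:4], "big"):
        raise ValueError("malformed EAPOL-Key frame")
    mac = lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2))
    key_info = int.from_bytes(eapol[5:7], "big")
    return {"hashline": line, "essid": bytes.fromhex(f[5]).decode("utf-8", "replace"),
            "mac_ap": mac(f[3]), "mac_client": mac(f[4]), "message": eapol_message(key_info)}

def one_per_network(text):
    """First handshake per (ESSID, AP MAC): don't spend cracking time on one network twice."""
    keep = {}
    for hs in (parse_line(r) for r in text.splitlines() if r.strip()):
        keep.setdefault((hs["essid"], hs["mac_ap"]), hs)
    return keep
```

The "hashline" value of each kept entry is the header-stripped line that hashcat -m 22000 actually reads.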

WARNING

Since we are using a rogue AP, if a client tries to associate using the wrong password, we won’t know, because we never see the real AP acknowledge it. So you may successfully crack a password, but it won’t work. This can be because the client is using an old password, or because a user tried to manually associate and typed in a password they fat-fingered. Protip to WIPS vendors: spam bad handshakes at rogue APs and you’ll tie up their cracking cycles :)