Wifi Handshake Cracking

Some of the basics: If you want to use a wifi secured by encryption, you need the password or pre-shared-key (PSK) to establish a connection to it. The client (supplicant) connects to the access point (authenticator) using the Extensible Authentication Protocol (EAP, RFC 3748). The packets are interchanged via EAPoL (Extensible Authentication Protocol over Local Area Network) frames between the two participants.

Establishing a secure wifi connection in an environment where potential attackers may have access to the communication works like most encryption protocols do: Use some random numbers from both sides, the PSK and generate a temporal key to use (Pairwise-Temporal-Key, PTK). This is necessary because we don’t want every other client who has the PSK to be able to decrypt our communication.

The parameters for the PTK are the MAC addresses of the supplicant and authenticator, a random generated number from each of them (nonce) and the PSK (in this context usually called Pairwise Master Key or PMK). All of them, except the PMK, are shared via a 4-way handshake. Since wifi handshakes are transmitted via air, an attacker could easily sniff these handshakes and try to bruteforce the PMK.

Bruteforcing Handshakes

Bruteforcing a 256-Bit key with all possibilities and zero-knowledge would take forever (about 3×10^51 years with fancy supercomputers). Luckily for the attacker most of the keys are not generated at random and most of the time are human readable. The combination of a poorly chosen passphrase, a sophisticated dictionary/cracker and enough collected handshakes can speed up the recovery of lost passphrases significantly.

John the Ripper has been around for ages and supports a vast majority of common and uncommon used hash formats. Have a look at the source code repository of the Jumbo version to get an idea of supported formats.

The self-proclaimed fastest password cracking tool is hashcat which got more and more popular after the release of its code as open source under the MIT license. At the moment it supports >220 hash formats and makes heavy use of GPUs.

If you want to bruteforce handshakes locally and the keys are not something easy guessable like 123456789 you will need solid hardware with GPU power and a nice dictionary collection. In case you don’t have access to local gaming hardware, AWS offers accelerated computing instances like their P3 instance type with NVIDIA V100 Tensor Core GPUs.

Another option is to use distributed cracking services like the Distributed WPA PSK auditor or SaaS-Services like OnlineHashCrack (which has interesting pricing).

PMKID

The downside of attacks on the handshakes is that you need to collect them in the first place. This takes a client and time to collect the handshakes, and you may need to convert the data to clean it up on any replay counter measures.

To make it easier for a client to decide if its own PSK works for a specific wifi, there is a part of the protocol which describes how to publish a list of supported PSKs. For each supported PSK the authenticator generates a Pairwise Master Key Identifier (PMKID):

HMAC-SHA1-128(PMK, "PMK Name" | MAC AccessPoint | MAC Station)

Depending on the access point’s configuration, these PMKIDs will be sent unencrypted via the 802.11RSN information element.

If we try to associate with the access point, we will get the PMK Name and the required MACs with the first part of the handshake. This makes it possible to crack the PMKIDs HMAC-SHA1-128 Hash without any other clients involved.

This kind of attack was discovered by Jens Steube, one of the hashcat authors, and posted on the hashcat forum in 2018, “New attack on WPA/WPA2 using PMKID”. For another attack example, see @evilsockets blogpost “pwning WPA/WPA2 networks with bettercap and the PMKID client-less attack”.

Bettercap

Bettercap is tooling for various MITM / Spoofing attacks on Wifi, Bluetooth or 2,4 Ghz HIDs. It does network host probing, can capture and manipulate traffic and do port scanning. It also has a nice web ui included, if you prefer that over the CLI. It is written in Go by evilsocket and provides an easy to use API for further tooling.

The Wifi Stack supports scanning and automated sniffing and saving key material from 4-way handshakes. It can create fake access points and supports the PKMID association attacks to collect the proper packets.

Since Deauthentication Management frames are not encrypted, this can be used for another attack. The attacker notifies the supplicant that he got disconnected from the network. The source of the notification is spoofed, so that the supplicant thinks it is from the authenticator. Most of the time this leads to a reconnect from the supplicant with another 4-way handshake to collect.

Read more about the other features in the corresponding modules documentation.

Pwnagotchi

Pwnagotchi is another project from evilsocket combining bettercaps API with an AI, varying scanning parameters to collect more handshakes. For extra fun: Put it on a Raspberry Pi-Zero, add an e-paper screen and if you want a battery pack.

Picture of a raspberry pi with an e-ink display showing a little smiling face, some status information and a text Generating keys, do not turn off.

The pwnagotchi will start scanning for wifis, collect handshakes and frames with PMKID and store them on the Pi’s sd-card. You can download the .pcap files via a network connection to your local computer. To get more handshakes it will deauthenticate clients from time to time.

Showing the face with sunglasses and a message Just decided that XX:XX needs no Wifi!

A web ui shows some status information and the cute little face.

You could also run it in manual mode, which exposes the underlying bettercap web ui for manual usage.

The AI part

If you try to get many wifi handshakes there are a some parameters you can adjust in order to get better results. These include the signal strength, different timeout and retry values and periods of waiting. We know that we may have found a good configuration if we collect many handshakes. In a scenario with an access point nearby and many access points far away a rule could be to focus on the access points with the better signal strength.

A neural network can yield pretty good results if you can clearly define some kind of score for achieving what you want. In our case this is simply the count of captured handshakes. If we vary our configuration and get good results, why not keep it for a little while and tweak the parameters. A nice example is SethBling’s MarI/O Machine Learning implementation. See “Neural Network Learns to Play Snake” for another great example. According to pwnagotchi’s Intro, it uses a LSTM network with Advantage Actor Critic (A2C). Have a look at the link to the wonderful “Intro to Advantage Actor Critic” comic.

See Training the AI for a more in-depth view of which parameters get changed and how this affects the neural network.

Picture of the face smiling and the message AI ready.

Pwnagotchi Hardware

Since pwnagotchi is a python package installed via pip, you could just run it on your laptop and access the display via a web ui. Of course it is more fun and a lot more practical to have a dedicated device for it, like the Pi-Zero Configuration mentioned above. The documentation provides an extensive hardware guide with different configurations.

The Pi is reachable via Bluetooth Tethering or a USB connection. You can use the web ui or login directly via SSH.

Picture of a raspberry pi-zero with added e-ink shield and battery pack. Also a small IC RTC is lying around.

Pwngrid and Plugins

pwnagotchi is written in python and can be easily extended with custom plugins. For gamification there is a running pwngrid where the units can report found access points and the location country. No private information is transmitted, and if you wanted you could inspect the source code and build the binaries for yourself.

During the first boot, your pwnagotchi creates a public/private keypair to identify itself. After that in can send and receive small text messages from other units via the grid. Every message is encrypted with the corresponding key, so nobody should be able to decrypt the content.

The pwngrid provides some stats of collected handshakes and a country map for registered units.

The best way to get an overview of available plugins is to have a look at the plugins folder in the github repository.

A nice combination are the net-pos and webgpsmap plugins. Net-pos uses the Mozilla Location Services to lookup geopositions. These positions are then shown on a map interface:

A screenshot of a map showing different access points spread out.

It can use the connection of your host laptop or bluetooth tethering via mobile phone to get the required internet access.

Writing your own plugin is straight forward and you can get started by modifying a provided example. The running pwnagotchi itself also exposes a http API.

Peers

For the fun factor, pwnagotchis can announce their presence to other units. If this is enabled meeting other units and making friends may influence the mood of your unit. Here is Axolotl meeting Fuxi:

Picture of two pwnagotchis next to each other, showing the presence of fuxi and axolotl on their e-ink screen. Axolotls message reads: So many networks.

Running your own

If you intend to run your own pwnagotchi, follow the install documentation. Everything should be straight forward and even without an e-ink display it’s a nice little tool running linux with an wifi chip and bettercap.

Remember: If you want to capture 5Ghz wifi traffic, you will need an additional USB dongle for your Pi.

For updates you can follow @pwnagotchi on twitter or have a look at the disqus board or /r/pwnagotchi. For more insights and details on future releases you can fund the author on patreon.