Wifi - Half-Handshake module request

[cyrus104]

Prerequisites

• Read the Readme
• Running latest stable version
• Searched open and closed issues

---

Feature request description:

There are times that we are doing pentesting and cannot get into range to collect a handshake. We are using a method called the half handshake crack. This method allows us to generate our own beacon and collect packet 1 and 2 for cracking. I've included a list of line to the git that we got this from.
Our method is to to generate a hostapd.conf that has the right configs and ssid for the network of interest. Start airodump, then start hostapd.conf on another card, confirm the packets are collected and shutdown hostapd (airbase-ng does something similar too).

The request would be to implement something like this in bettercap using injected cracked packets, this will reduce the need to use multiple interface cards. A module would need to keep track of state for the association and the first two WPA packets.

HalfHandshake Crack

Environment

Latest stable bettercap
Kali 2018 and Ubuntu 17.10

♥ ANY INCOMPLETE REPORT WILL BE CLOSED RIGHT AWAY ♥

[evilsocket]

@cyrus104 I just implemented and pushed a new wifi.ap module that can be used to inject management beacons in order to create a fake access point. This will not handle DHCP and DNS and will not keep track of the state of association (this is not hostapd basically), but it might be enough for this attack .... thoughts?

[cyrus104]

Thanks, looking over the code right now and it looks like it's a great start. I don't think a client will get far enough along to exchange EPOL packet 1 and 2. I think an additional state will be needed. The Association exchange is needed, I found some scapy code as an example. One that is done, EPOL packet 1 can be sent with the PMK from a junk password that should never be used with a random Anounce value. We should be able to send the packet out and write it out to the handshake log. Then wait for packet 2 to come in.

No problem with this not handling DHCP or DNS, we wouldn't be able to compute the authentication. Hopefully what this module will be able to do is pull out the handshake anywhere the device is. After that we can work to do an offline crack, then stand up and evilap afterwards that will do DHCP and DNS. Instead of doing EvilAP, we could just associate with the real network and use the rest of the modules in this great tool.

Fake A WLAN connection via SCAPY

[evilsocket]

A wifi.mana module which can handle the full state machine (and more as you can imagine from the name :D) is WIP, I guess once pushed it'll also close this issue :D

[cyrus104]

Thanks, looking forward to it.

My concern with mana is that it uses hostapd, which can only host one ssid at a time. If injection is used in monitor mode you could run multiple instances at a time. I'm sure there will be limits based on the hardware performance.

[evilsocket]

I'll implement the feature, than it's up to the user to decide how to scale it ( multiple wifi cards for multiple aps on a single bettercap process, single card with single process, etc ) depending on hardware, scenario, etc.