HakByte: Capture Wi-Fi Passwords From Smartphones with a Half-Handshake Attack

  • Published 4 Aug 2021
  • In this episode, we show how hackers can abuse convenience features of Wi-Fi to extract passwords from nearby smartphones belonging to Wi-Fi networks they've connected to in the past.
  • Science & Technology

COMMENTS • 493

  • @josephsagotti8786 2 years ago +166

    Hey! It's the NullByte dude!

  • @dianenek7437 1 year ago +37

    I enjoy watching your videos. You're a good teacher. You should make it a little clearer that you are capturing hashed passwords. That being said, I work a second job cleaning offices at night. Based on passwords people leave lying around on sticky notes it's clear that people persist in using easily crackable passwords. There certainly needs to be more education about this.

    • @Elektrotechniker 1 year ago +1

      *except for Wifi Router-Passwords which are usually not even changed from the default Password! And those are not just in any wordlist out there but need to be bruteforced!

    • @elite_fitness 5 months ago

      So you're digging under keyboards instead of cleaning? Lol

  • @trackerkan 2 years ago +46

    Should be named "Capture Wi-Fi Password Hashes..."

    • @crystallava5002 1 year ago

      once you get the hash, it's relatively easy to get the password

    • @trackerkan 1 year ago +6

      @crystallava5002 The reason hashes are used is to make it difficult to get the password. The difficulty ranges from easy to impossible depending on the password.

  • @christianteller661 2 years ago +1

    Love your videos keep up the great work friend

  • @SchoolforHackers 2 years ago +23

    Kody, you’re an S-class hacking video boss.

  • @shemmo 2 years ago +2

    Thank you for sharing, i really like the Wigle tool

  • @Mbro-dq2do 1 year ago

    Amazing Bro. Thank you again for this eye opening info

  • @iMBox 1 year ago +1

    Great work, thanks for sharing. Could you explain the use of the password list file. It suggests that would have been included, so the password revelation is only as good as the list you have?!

  • @DavidStringham 1 year ago +1

    Works as long as you know an SSID. If you try sniffing for probe requests, only mobile devices before Android 10 and iOS 14 send directed probe requests for non-hidden networks.

    • @Firebolt4848 1 year ago +1

      Good to know!

    • @nigelnovelo279 1 year ago

      Same thing I was thinking, doesn't work for Android 11 and over.

  • @mr.quackersjunior8000 2 years ago +6

    Would you be able to send deauth packets to a network to make, for example a roku device, deauthenticate with the user's home Wi-Fi (for example named “MyHomeWifi”), but then the roku device would try to connect to your honey pot which is also named “MyHomeWifi” giving you the half handshake? Or would the roku device not try because it would keep trying the actual user's home wifi instead of yours?

  • @scottlewis2653 2 months ago

    Seamlessly combining Mediatek 5G and Wi-Fi 7 with ATSSS could be a game-changer for rural areas and bridge the digital divide.

  • @AntiFreakMachine 2 years ago +2

    I saw your collection of michael bolten mp3s when you exported packets.

  • @dontlikenamesonline5881 2 years ago +30

    I really don't see the point in this extra work. Why not just use the de-authentication attack? The bottom line is it still results in having to brute-force the password hash. This method just seems like it has unnecessary additional steps, for example, creating a Wi-Fi network. Just de-authenticate a device from its access point and then capture the handshake when it tries to authenticate. I suppose it's good to know another method to capture the same information but it just seems like more work.

    • @nullvoidpointer 2 years ago +11

      this wont require being close to the target.

    • @shawnmathew6203 2 years ago +10

      Deauthentication attacks aren't very stealthy.
      Surely, one can wait an arbitrary amount of time for some device to connect and allow for the handshake to be captured, but that's often not viable.
      Also, it's a direct attack on the organisation's network, which can be expected to have better security measures.
      The approach shown in the above video allows an attacker to target a device carried by an individual, and that too, outside the organisation. By doing so, the chances of being countered are significantly lower.

    • @jakobro1794 1 year ago +3

      I think that’s what they built in the new pineapple. There’s an option to deauthenticate all users or only specific, so they get reconnected automatically. Most of them didn’t even notice although you captured the Pw hash. A lot of them are possible to solve with common wordlists - not all ;)

    • @WokCorner 1 year ago +1

      This one doesn't require to have an actual client on the target network. It's nice to know the ways, you could easily end up with a network without clients, where deauth is not possible. With this, you could follow someone and hack him in the restaurant or a mall, totally away from an actual premises you need access to. I can imagine this adds to stealth since the attack won't at all happen anywhere near the target building? Anyway, I will probably stick with wifiphisher until I absolutely cannot anymore.

  • @pathologo 2 years ago +2

    How ridiculous! That coward didn't put "brute force attack" in the title or anywhere else, and even calls that kiddie stuff "extract".

  • @GenXwheeler 3 months ago

    Heya! Love your videos. At 4:35 you mentioned that you were already in “root” then said if you aren’t in root “which you shouldn’t be” use sudo. Is it not good running in root or did I just misunderstand. Thank you for all your videos! Sub’d for sure.

  • @surajkanekal 2 years ago +33

    This only works if the password is listed in the wordlist.

    • @juliusseiffert5831 2 years ago +7

      You can also use random combinations of characters, but that would, at least for the WPA2 security standard, take quite a lot of time (depending on your CPU and, if you use hashcat, which I would recommend, also your GPU)

    • @lexosney685 2 years ago +2

      yes

    • @DavidLindes 2 years ago +1

      Seems like a major omission not to have talked more about this. When Kody grabbed that file (8:36), I was immediately frustrated by the dearth of information about its contents. (Granted, it's named and I can go download it and glean some insights, but like... I wish it had been talked about more in the video, and listed as a shortcoming of this method -- if the password isn't in the wordlist, this attack doesn't work, right? Sigh.)

    • @claude3957 2 years ago +12

      Hacking youtubers love to omit important information such as "The password needs to be in your wordlist" because that keeps unwarned viewers watching the video thinking their method will work. It's a shame.

    • @DavidLindes 2 years ago +2

      @claude3957 I mean... in _many_ cases, it actually would work. But yeah, definitely not all, by any means. Sigh.

  • @OwenGilmoreOG 2 years ago +15

    So how should one protect against such an exploit? Tbh I am more worried about a back door on my el cheapo router than some hackers hanging about in my apartment lobby or something but it’s good to know that such things exist

    • @CokesAndTokes 2 years ago +14

      Strong and unique password

    • @CokesAndTokes 2 years ago +18

      They can only crack the password if it's in their wordlist

    • @oldboy1955 2 years ago +4

      download some wordlists and use a password that's not there

    • @hellboy7153 2 years ago +12

      Disable "connect automatically" in your phone so you will have to manually select network to join

    • @oldboy1955 2 years ago +5

      @hellboy7153 Still if someone waits there enough they can still capture the handshake

  • @Andrei-cp5jr 1 year ago +3

    I heard of this on the radio. They said to always disable Wi-Fi when leaving home.

  • @ReligionAndMaterialismDebunked 5 months ago

    Very cool to drag files into terminal! I didn't even know that was possible. Hehe

  • @0x07AF 2 years ago +25

    It's odd to me that smartphones don't use a record of your Wi-Fi access point's BSSID/MAC address along with the SSID to avoid getting duped by fakes, or at least provide a pop-up warning about the mismatch and requiring you to accept or decline allowing the connection before whitelisting or blacklisting the new MAC address. (Would be useful if you have multiple Wi-Fi APs with the same SSID). I'm sure there are methods and gadgets that can spoof an AP's MAC address, but I'd be surprised if typical commercial Android or iOS devices have the ability even if they're rooted.
    One easy way to help you avoid falling victim to this trick is to disable "Wi-Fi auto-connect" to all of your stored routers and access points on all of your mobile devices. You'll still be somewhat vulnerable at home or office, but if your phone doesn't auto-connect to your router, SSID spoofing attempts will be ignored while you're out and away from the nest.

    • @mattyb.5628 1 year ago

      I guess the issue is your device gets all the information about the router by what it actually transmits to you; there's no real way to verify that it's authentic, as all the data looks identical to the real AP.

    • @Tim54000Production 1 year ago

      Moreover it is preferable to enable the use of transparent Wi-Fi relay.

    • @lawrencepatricio5776 1 year ago +3

      in our organization, we have wifi repeaters setup on different locations in order to "eliminate" dead spots. all these repeaters have the same SSID but different MAC addresses, correct? so a device/smartphone just look up the SSID of a "router" with the best signal and connects to it. is this what happens? employees don't really care, much less look at a bunch of letters and numbers with colons in between, about MAC addresses. they just want to connect to a stronger signal. so most people will just press "ACCEPT" without even looking at the MAC address if your suggestion is implemented on smartphones.

    • @____.__._.._ 1 year ago

      Oh snap, I just asked this in the comments.

  • @BudgetTechUKYT 2 years ago +1

    Great video. I gain access to passwords via an access point with no password in a public place. Lesson is don't use public WiFi.

    • @DavidBoura 1 year ago +1

      i'm lost

    • @BudgetTechUKYT 1 year ago +3

      @DavidBoura Sorry, let me explain. I do a rogue AP. It's where I configure an Access Point with an SSID of "Cafe WiFi", give it no password and wait for people to connect. Then I scan the IP range and capture all their passwords. There are many ways of capturing it but my favourite is the auto fill passwords. You would be surprised how easy it is to get past an Admin password.

    • @wilbourneftdrakevevos9868 1 year ago

      This is interesting what software do you use to scan their ip addresses and capture passwords?

  • @KieranMahoney 1 year ago +1

    Pretty much everyone where I live uses the same isp and I know that the default router passcode on the control panel is admin so I’m gonna do this to all my neighbours and enable their guest wifi networks (nobody turns them on) and change the ssid and password to the same as my home network. FREE WIFI ANYWHERE YOU GO

  • @____.__._.._ 1 year ago +3

    Nice video, I've got a question tho. So the catch here is, we set up a network with same SSID as a network that we are interested in getting in (obtaining a password), because devices like smartphones and such would connect automatically when in proximity. Makes perfect sense, but now there are 2 networks with same SSID and different BSSID. It would make more sense for a device to remember the BSSID for such cases, and it would be a simple countermeasure, or I am getting smth wrong?

    • @zahirahmed6257 8 months ago

      i thought of it that way, did u find answers

  • @quintenmantez6934 2 years ago +1

    Better a half shake than a zero shake!

  • @ma5onicmusicproductions507 2 years ago +44

    I'm so happy that kody is with hak5 now! I love his tutorials.

  • @cedricvillani8502 2 years ago +25

    P.s don’t let people know they have a “BAD”password unless you directly know that person!! And never forget, NO GOOD DEED EVER GOES UNPUNISHED !

  • @mustaphad1319 1 year ago +1

    I'm a bit confused. Is this like an evil twin wireless access point hack? I also do not quite understand why you need the half handshake to get the password rather than just using a Wireless access point with the same name as the targets host wifi name.

  • @evascordato2673 1 year ago +3

    In the end, all depends on having a good password list and a little luck

  • @brianmalaconi1623 2 years ago +9

    I just love when they do this Wi-Fi hacking videos, so many dumb and nonsensical comments out here. Great video btw!

  • @somalicinema4171 1 year ago

    what's the name of the wifi adapter you're using

  • @YuanLiuTheDoc 2 years ago +13

    "(We) don't have the other half the handshake, we actually cannot verify..." In practice, however, it doesn't take much to complete the other half of the handshake by luring the device to connect again. If password list can be combined with some other brute-force techniques, this can be really powerful!

    • @TimPortantno 2 years ago

      Isn't the other half from the router? This is based on that attack that used the full handshake

    • @samgodse5824 2 years ago +4

      Actually the problem actually starts at the password list if someone doesn't have enough computational power then it would take ages to crack it by brute forcing!

    • @samgodse5824 2 years ago

      @alles_moegliche73 true AF😂

    • @rokibalboa840 2 years ago

      Not for internet bro, to enter network, enumerate and find vulns

  • @shakerwahba3742 1 year ago

    Nice video, it works!

  • @Kholaslittlespot1 2 years ago

    What adapters do people recommend in 2022?

  • @realpandorkable 2 years ago

    Congrats on the job man. Perfect fit

  • @anthonysijera7871 2 years ago +1

    So still brute force right? Since you use Wordlist .

  • @moon911x 1 year ago

    Wow.... Null is here 😍

  • @xz4ct801 1 year ago

    I love poking around in honeypots and leaving all my scent for the bees to smell😁 thx for the tut.

  • @thepianoaddict 2 years ago +33

    7:28 it is actually an OR operator, not an AND.

  • @kusumabhat6609 2 years ago +1

    Great👍👏😊

  • @miscgloryofficial4527 1 year ago

    this would be so much fun if I was smart enough to do all of this lol

  • @rectify2003 2 years ago +5

    I like Cody’s videos.
    Even tho he is very knowledgeable, he doesn't come across as arrogant
    Good Job

  • @thanhnam5268 1 year ago

    Man, this so damn good.

  • @kartikthakur9790 25 days ago

    Is it possible to use it on windows OS? Instead of linux?

  • @zuberkariye2299 2 years ago

    Love the new intro

  • @drwombat 2 years ago

    What operating system are you using that still uses the wlan0 alias for the nic? They stopped using that several versions of debian ago

    • @ancestrall794 2 years ago

      I think he's using Kali Linux

    • @drwombat 2 years ago

      @ancestrall794 I meant what version... Wlan0 hasn't been used since the back track r2 days if I'm not mistaken... Or like debian 7 or something

  • @enockroki6370 2 years ago

    my favourite teacher

  • @gianluca.g 1 year ago +2

    Ok but why not the good old deauth + full handshake spoof? You would get the full 4 ways handshake. Still need to brute force the pass though. A better technique is to set up a rogue AP with the same ssid and no password. The client will connect and then you can ask the password to the user by presenting a nicely formatted html form :-)

    • @jakobro1794 1 year ago

      Evil portals?

    • @Firebolt4848 1 year ago +1

      Yep, both work and I believe he covers those in different videos!

  • @itssimplyjosh09 10 months ago

    to be honest i don't get it, do you have introduction to your videos? because i don't know how to use any of this tool. I'm a beginner

  • @kabandajamir9844 2 years ago +1

    So nice

  • @philbanks7425 2 years ago +1

    honestly while this does give a way of getting the password. thats only for password in the rockyou file, what if its a complex password?

  • @tinashewells 2 years ago +2

    On this episode of HackByte
    Me: On this episode of Cyber weapons... Damn😑

  • @gregoryskaltsas1858 2 years ago +3

    could you make a video just like that but using hashcat to crack the password? there are instructions everywhere on the internet of course but on one nice small video it would be a great thing to have!

  • @chizzfur 2 years ago +12

    Thanks for the tips, I didn't know you could drag and drop files in the terminal to get the command.

  • @SuperWolfkin 2 years ago +61

    oh i learned a lot from this robot.. is this what they mean by machine learning?
    (Big fan Kody)

  • @streetbikehunter7259 1 year ago

    Hello, I just wanted to thank you for the great content. I have watched 98% of your videos at least a couple times each haha. I have a couple questions if you don't mind, can you please message me at your earliest convenience? I will explain if given the chance, it's nothing weird or crazy :) I'm just a fellow computer nerd who could really use a friend. (this is embarrassing lol)

  • @r0sh4n0 2 years ago +1

    I don't see how this is different from capturing Pcap and crack it? Whats new about this technique

  • @arthurdaniel5308 1 year ago

    what is the Rockyou.txt ?when he created this file ?

  • @KD-xi9wu 1 year ago

    airodump-ng not listing nearby networks for me please help me to solve this issue.

  • @windowsmalwaretesting2197 2 years ago +1

    Cool Vid

  • @mr-engineer 2 years ago

    Why are we have to cracking to hash? How can we connect to network with sending same hash which get it from victim ?

  • @BDsoft 2 years ago

    The same intro music as Seytonic channel?

  • @WorldReserveCurrency 2 years ago +2

    I know hashcat does 4 way handshake eapol cracking, but wondering if the half handshake can be used. sounds like it should

  • @corrupteddrive 2 years ago

    Awesome

  • @pskoen 1 year ago +4

    so, it seems to me that since you're only able to resolve the pw if it's contained in your dic list, and assuming that it wouldn't be such an easily crackable pw, there's really no time advantage to doing it this way over just cracking the full handshake. Especially since, if the password WAS password123, then you would have gotten it in seconds anyway. Now on the other hand, if u were extracting the plaintext pw directly from the pcap dump, NOW you're talking.. if that could be accomplished somehow, or i guess you'd use an "evil" ap tool..

  • @Juven630 1 month ago

    Can we hack wireless without using the network connected to our laptop, whether using an RJ45 cable?

  • @christanmiddleton8580 1 year ago

    You had me at Wigle

  • @Deaddy- 2 years ago +3

    Hello from Germany🇩🇪

  • @mariorossi8675 1 year ago

    deauth doesn't work with wpa2 and PFM enabled...

  • @NeedChocyMilk 2 years ago

    does hak5 ship worldwide? i live in Australia and its kinda hard getting hacking gear like a rubber ducky or a spooftooph any one got any suggestions.

  • @soulife8383 2 years ago +36

    I once had a phone that checks the MAC address of the SSID and treat same-named networks differently if the MAC address was different. At the time I thought it was a new standard but apparently it was unique to the custom ROM I was running I suppose.

    • @sushrutmishra 2 years ago +2

      What phone was that ?

    • @CmdrStukov 2 years ago

      @sushrutmishra a blackberry

    • @cedricvillani8502 2 years ago +1

      Like they say, “There’s an App for that"

    • @soulife8383 2 years ago

      This was probably a way back in the day cyanogen mod for the G1 or G2. But it was a while ago. Sorry, this was the only time I got a notification for this. It might even have been an oem rom I flashed tbh. But I think it was on the g2

    • @soulife8383 2 years ago +2

      @cedricvillani8502 appp plz¿

  • @mobiousenigma 2 years ago +8

    theres nothing new here. using a cellphone is the same as using a computer its wifi it has standards for devices to connect . capturing a handshake is easy always has been if theres traffic. i still refer to the 64^120+63^120+62^....10^120+9^120+8^120 ....possible passwords of which only one will work! thats a wordlist of well over 7000 petabytes and a read of years..... so unless theres a hardware vulnerability or social engineering or physical access the odds of having the dammed password in your wordlist are well below being struck by lighting 4 or more times in the same location on earth on different occasions and surviving while on the way to the bank with the winning lottery ticket in your hand every time....the odds of the government randomly giving you money for being a good citizen are so much higher as to be astounding.

    • @djkhaled1468 2 years ago +2

      There are only 200,000 words in the English language. 7 billion POTENTIAL combos, sure. But 99.99% of people use words and numbers for their password.

    • @kyleernst6657 2 years ago

      @Mike Cartman lol i remember being so excited watching these type of videos, getting my usb wifi adapter to try this stuff out. my plan was to use crunch to generate my lists to crack my own wifi...10 chars consist of uppercase,lowercase,numbers. crunch says it will be 8,137 PB of data..... i didnt even know PB existed LOL didnt know what it stood for until i read your comment, petabytes. thanks

    • @mobiousenigma 2 years ago +1

      @kyleernst6657 no problem and my pleasure to have taught something to someone ;] its kinda brain numbing to know more possible passwords than grains of sand on this planet....

    • @brianmalaconi1623 2 years ago +3

      @kyleernst6657 A bit consists of 8 octets of 0's and 1's, which makes up to 255 combinations of 0's and 1's. A byte consists of 4 bits (1024). And from here it goes on, 1024 bytes makes up a kilobyte, 1024 kilobytes is a megabyte, 1024 megabytes is a gigabyte, 1024 gigabytes is a terabyte and the list goes on until the zettabyte (we haven't gone higher than that yet, a collection of all data all there makes up 44zb, or 44 trillion gigabytes).
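
Added example, not part of any comment or of the video: the threads above on protecting a network and on wordlist size both come down to how WPA2-Personal turns a passphrase into a key. This Python sketch audits a passphrase from the defender's side: it derives the PMK the standard way (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), checks the passphrase against a wordlist including trivially mangled forms, and estimates exhaustive-search cost. The sample wordlist, the SSID `ExampleSSID` and the attacker guess rate are constructed assumptions.

```python
import hashlib
import string
import time

ITERATIONS = 4096          # fixed by WPA2-Personal (IEEE 802.11i)
PMK_BYTES = 32
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_RATE = 1_000_000   # hypothetical attacker speed in guesses/s (assumption)

# Constructed sample list; load the public wordlists you care about instead.
SAMPLE_WORDLIST = {"password", "password123", "letmein", "qwertyuiop", "iloveyou"}


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               ITERATIONS, PMK_BYTES)


def measure_guess_rate(samples=10):
    """Guesses per second this CPU manages; every guess costs one full PBKDF2."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"benchmark{i:04d}", "ExampleSSID")
    return samples / (time.perf_counter() - start)


def charset_size(passphrase):
    """Size of the smallest standard character pool covering the passphrase."""
    pools = [string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation + " "]
    return sum(len(pool) for pool in pools if any(c in pool for c in passphrase))


def wordlist_hit(passphrase, wordlist):
    """True if the passphrase, or its base word without a trailing digit or
    symbol suffix, is in the list (cracking rules try such suffixes first)."""
    lowered = passphrase.lower()
    base = lowered.rstrip(string.digits + string.punctuation)
    return passphrase in wordlist or lowered in wordlist or base in wordlist


def exhaustive_years(charset, length, guesses_per_second):
    """Years needed to try every string of this length over this charset."""
    return charset ** length / guesses_per_second / SECONDS_PER_YEAR


def full_wordlist_pib(charset, length):
    """Size in PiB of a file listing every candidate, one per line."""
    return charset ** length * (length + 1) / 2 ** 50


def audit(passphrase, wordlist, guesses_per_second=ASSUMED_RATE):
    charset = charset_size(passphrase)
    return {
        "wordlist_hit": wordlist_hit(passphrase, wordlist),
        "charset": charset,
        "keyspace": charset ** len(passphrase),
        "years_to_exhaust": exhaustive_years(charset, len(passphrase),
                                             guesses_per_second),
    }


if __name__ == "__main__":
    print(f"this CPU: about {measure_guess_rate():.0f} guesses/s")
    print(f"all 10-char [A-Za-z0-9] candidates: {full_wordlist_pib(62, 10):.0f} PiB")
    for candidate in ("password123", "Password2021!", "vQ7#mz!Lp2x&Rw9k"):
        result = audit(candidate, SAMPLE_WORDLIST)
        verdict = "in wordlist" if result["wordlist_hit"] else "not in wordlist"
        print(f"{candidate!r}: {verdict}, "
              f"{result['years_to_exhaust']:.3g} years to exhaust at assumed rate")
```

Because the SSID is the salt, a precomputed table only helps against networks sharing that exact name, which is one more reason to change a default SSID along with the passphrase.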

  • @lumpanimalyt971 2 years ago +2

    Imagine since most the 80’s is making a comeback a modern day “Kevin” (hacker war games is based off of) gave us another Wargames movie

    • @25EllisDee25 2 years ago +2

      @Lumpanimal YT wargames was released in 1983. kevin got busted in 1995.

  • @Densimeter 2 years ago

    Oh yeah

  • @nowymercedes 1 year ago

    May work if you was connected to this wifi previously.

  • @Electrum 2 years ago +5

    Wait but you are using a list of passwords to verify ? What if the password is not in your bruteforce list of passwords ?

    • @DragoSmash 2 years ago +13

      then you just wasted a bunch of time waiting for the dictionary to complete and get nothing

    • @edwhard2000 2 years ago +3

      @DragoSmash i laughed

    • @Electrum 1 year ago

      @Grace Jackson yeah I just wanted to make it evident that bruteforcing has such a low rate of success. Specially if you are aiming a latin american network. You will need a latino-spanish large dictionary.

  • @REALtierope 10 months ago

    ok ok I'm getting impressed now :)

  • @prawnboysg9436 2 years ago +17

    Anything requires a password list is a waste of time. Even with hashcat would take ages.

  • @nizarkayous416 10 months ago

    Maybe they should do another hacking learning source that is harder to access for those kids

  • @nickgood3998 2 years ago

    Does this work?

  • @nikolas8741 2 years ago +1

    My network is unhackable!

  • @harrygilsphotovideo 2 years ago

    In this episode of cyber…

  • @akuuka666 2 years ago

    Yo, you make really great videos- well spoken and thorough, its rad to see hakbyte- thank u so much$$

  • @franciscomolano5202 1 year ago

    loved to watch those video, how can i work with you?

  • @fs0c1ety_bs92 2 years ago +5

    Still a brutal force no1 use password123 even by default

    • @lavender0666 2 years ago

      It's an example, people do use default credentials - I know people that do and have seen it in many small businesses

  • @justins2599 1 year ago

    Can i use hashcat for the password crack

  • @MASAbirokou 2 years ago +7

    hello from Japan🇯🇵

    • @kusumabhat6609 2 years ago +3

      From India🇮🇳

    • @unisos 2 years ago +3

      Hello from Oman 🇴🇲

    • @watsn1019 2 years ago +2

      Hello from your moms house

    • @Belioyt 2 years ago +2

      Hello from Kenya🇰🇪

  • @noalear 2 years ago +4

    TIL you can drop a file into terminal to enter its path. Thats really handy.

  • @Riborwahz 1 year ago

    Somehow the export packet doesn't seem to work for me
    Whyyyy?😤😢

  • @KaySwiss21 2 years ago

    Let's go

  • @landoncox9118 1 year ago

    Following this through almost exactly the same, I cannot get EAPOL protocols to be found in Wireshark. Only 802.11. What is the issue?

  • @Jm7wtf 1 year ago

    I need some more explain of this…

  • @NFlight 2 years ago

    Why are you sudo'ing when you are logged in as root?

  • @triularity 2 years ago +1

    Moral of the story: Don't use a short/easy wifi password, or one on a known list. Want a secure password? Mash your hands down on the keyboard and get a nice secure 30-50 character quasi-random password. It's a real b*tch to enter correctly on a device, but nobody's likely to ever crack it. ;)

  • @rootshell101 2 years ago +1

    The intro sound is similar the one from Seytonic channel lol.

  • @ciobanurivelino3844 2 years ago +3

    This episode is not reiterating an old Darren and Shannon post from many years ago about Backtrack?

    • @-_IT_- 2 years ago

      aaa backtrack, I love that version!

  • @Warning_Zone 1 year ago

    Can we decrypt the handshake file without guessing attack, without brute force attack or without wordlist ?

    • @Firebolt4848 1 year ago +2

      No, you need to use brute force, word list, or a hybrid to crack the hash.

  • @dominicalor 2 years ago +1

    To avoid random people from connecting you could also tail a car or pull up next to them at a light within wifi range couldn't you?
    Ooh ooh or wait in the parking lot so it's the first and strongest signal to connect to automatically before entering the building and moving into range of the actual network and out of the fake one

    • @mobiousenigma 2 years ago +1

      or hack the adapter and have it boost its signal to 25 or 30 ....and run from the government radio/transmission agencies police were limited in canada to 15 watt output other countries allow different amounts .

  • @iyeetsecurity922 2 years ago +61

    Kodi. I left some ports open just in case you wanna pentest em.

  • @Oscar-pg1ur 1 year ago

    YOUR PASSWORD NEEDS TO BE IN YOUR TEXT FILE IN ORDER TO FIND IT ... PERIOD

  • @coom07 2 years ago +4

    That definitely doesn't work in my country... Spanish speakers and password as weird as some Russian words

    • @mobiousenigma 2 years ago

      it works in any language and if your using words its even easier... living in spain wont protect you lmao... educate yourself its safer than what you believe to be true

    • @arry4479 2 years ago

      @mobiousenigma Attacks using a word list are completely useless against uncommon local languages.

    • @mobiousenigma 2 years ago +1

      @arry4479 rockyou isnt going to work in russia or china or india...you gotta scrape your own wordlists ffs! and a wordlist is the best bet you have if wps is not enabled ...and if you read my post you would know what those chances are.....almost none