-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Handshake Snooper Attack
The Handshake Snooper
attack attempts to retrieve WPA/WPA2 authentication hashes (the 4-way handshake), to be used later by the Captive Portal
attack for key verification. It's recommended this attack is done in close to semi-close proximity to the target access point, however, it is definitely possible to do this attack from a fairly long distance, depending on the radio and antenna being used. This is possible because the radio can just go silent (no deauthentication), and listen for a valid 4-way handshake.
To successfully execute a Handshake Snooper
attack with Fluxion, the following steps must be completed.
- From the fluxion directory, execute fluxion, optionally passing parameters:
./fluxion.sh
or with parameters:
# Kills any processes utilizing wireless interfaces selected.
# NOTICE: For a complete list of parameters, read the flags & configuration section.
./fluxion.sh -k
# Or using legacy flags like below.
export FLUXIONWIKillProcesses=1; ./fluxion.sh
-
Select an attack on the target network, in this case, choose
Handshake Snooper
. -
Select a target network; if one was previously selected, you'll have the option to continue with it.
- You must select a network interface which supports monitor mode.
- Optionally, you'll have the chance to select an interface for target-tracking.
- The target-tracking interface must be an independent interface due to the fact it requires channel hopping, which will cause issues for interfaces which require a fixed-channel.
- Select a method of attack.
- A
passive
method of attack forces the radio to go completely silent, making the attack subtle (undetectable), and allowing for better listening. This method should work best for situations where the target is far away. The downside is the fact the radio must keep listening until someone connects to the target access point, which could take a very long time. - An
aggressive
method of attack uses a deauthenticator, eitheraireplay-ng
ormdk3
, and sends deauthentication packets to the target access point's clients. This method is considered aggressive because it is essentially jamming the connection between the target access point and its clients, effectively cutting the connection between the two. Once the connection has been broken, some devices will automatically attempt to reconnect, sending a 4-way handshake which fluxion's radio could catch. This method could be considered illegal. Make sure to follow governing laws applying to you. We're not liable for your irresponsibility.
- Select a hash verifier.
- This sets the tool used to check if a valid hash was caught.
- Select a verification interval.
- This sets how often you want to check for a handshake.
- Select the verifier's synchronicity.
- This sets how verification occurs in relation to capturing data, either simultaneously (
asynchronously
), or back-to-back (synchronously
). - The
asynchronous
option will run the verifier while the computer is still capturing data. This could cause an issue in slow systems, becausepyrit ... stripLive
might be interrupted by the captor overwriting data too early. The probability of encountering that problem increases over time, since more data needs to be examined bypyrit ... stripLive
. I suggest avoiding this if possible, or to limit its use to places were the handshake file will be caught relatively quickly. - The
synchronous
option will halt data capturing before attempting to check for a handshake, to prevent the issues described before. The downside of this method is the fact it'll stop listening while checking for handshakes, meaning it could miss a handshake while checking for one.
Once the attack starts, the log viewer will appear, displaying significant events. If the attack succeeds, the log will display an appropriate message. At that point you may close the log viewer and move on to another attack.
FLUXION WIKI