Explained the Handshake Snooper attack and its options.
parent 1ef8dfe2d7
commit 21c28f3a4e
The `Handshake Snooper` attack attempts to capture a WPA/WPA2 4-way handshake (the EAPOL exchange between a client and the access point, which contains the material needed to check a pre-shared key offline), to be used later by the `Captive Portal` attack to verify the key a victim submits. It is recommended that this attack be run in close to semi-close proximity to the target access point; however, it is definitely possible to run it from a fairly long distance, depending on the radio and antenna being used. This works because the radio can simply stay silent (no deauthentication) and listen for a valid 4-way handshake.

To successfully execute a `Handshake Snooper` attack with Fluxion, complete the following steps.

1. From the fluxion directory, execute fluxion, optionally setting special `flags` (environment variables) beforehand:

```
./fluxion.sh
```

or with flags:

```
# FLUXIONWIKillProcesses kills any processes blocking the wireless interface (WI). Its usage is DISCOURAGED.
export FLUXIONWIKillProcesses=1   # Run once; the flag persists throughout your shell session.

# export FLUXIONWIKillProcesses="" # Running this instead clears the flag.

./fluxion.sh
```

2. When prompted, select a wireless interface that supports monitor mode and packet injection (injection is only needed for the `aggressive` method below, but monitor mode is required for any capture).

3. Run a scan using the selected wireless interface and select a target network.

4. Select an attack to run against the target network; in this case, choose `Handshake Snooper`.

5. Select a method of attack.

* The `passive` method forces the radio to stay completely silent: nothing is transmitted, so there is nothing for the target (or a wireless IDS) to detect, and the radio can devote itself to listening. This method works best when the target is far away. The downside is that **the radio must keep listening until a client (re)connects to the target** access point and performs a handshake, which could take a very long time.

* The `aggressive` method uses a deauthenticator, either `aireplay-ng` or `mdk3`, to send deauthentication frames to the target access point's clients. It is considered aggressive because it is essentially jamming the connection between the access point and its clients, cutting the connection between the two. Once disconnected, most devices automatically attempt to reconnect and perform a fresh 4-way handshake, which fluxion's radio can capture. Clients and access points that negotiate Protected Management Frames (802.11w) authenticate deauthentication frames and ignore spoofed ones, so this method may fail against such networks. **This method could be considered illegal.** Make sure to follow the laws that apply to you. We are not liable for your irresponsibility.

6. Select a hash verifier.

* This sets the tool used to check whether a complete, valid handshake has been captured (for example `aircrack-ng`, `cowpatty`, or `pyrit`). A verifier is needed because the capture may hold only a partial handshake, such as the access point's first message with no reply from the client, which is useless for key verification.

7. Select a verification interval.

* This sets how often the captured data is checked for a handshake. A shorter interval notices a successful capture sooner, but each check has a cost that depends on the synchronicity chosen in the next step: in `synchronous` mode it pauses listening, in `asynchronous` mode it re-reads a capture file that keeps growing.

8. Select the verifier's synchronicity.

* This sets how verification runs in relation to data capture: either at the same time (`asynchronously`), or back-to-back, alternating with capture (`synchronously`).

* The `asynchronous` option runs the verifier while the computer is still capturing data. **This can cause problems on slow systems**, because `pyrit ... stripLive` may be interrupted by the captor rewriting the capture file before the verifier has finished reading it. **The probability of encountering that problem increases over time**, since the capture file keeps growing and `pyrit ... stripLive` has more data to examine on every run. I suggest avoiding this option if possible, or limiting its use to situations where the handshake is expected to be caught relatively quickly.

* The `synchronous` option halts data capture before checking for a handshake, avoiding the issue described above. The downside is that the radio stops listening while the check runs, so a handshake that occurs during the check is missed.


Once the attack starts, the log viewer appears and displays significant events. If the attack succeeds, the log reports that a handshake was captured and verified. At that point you may close the log viewer and move on to another attack, such as `Captive Portal`, which uses the captured handshake.