HakByte: Capture Wi-Fi Passwords From Smartphones with a Half-Handshake Attack

  • Published on 4 Aug 2021
  • In this episode, we show how hackers can abuse convenience features of Wi-Fi to extract passwords from nearby smartphones belonging to Wi-Fi networks they've connected to in the past.
    Host: Shannon Morse → / snubs
    Host: Darren Kitchen → / hak5darren
    Host: Mubix → / mubix
  • Science & Technology

Comments • 493

  • @josephsagotti8786 2 years ago +168

    Hey! It's the NullByte dude!

    • @hfyaer 2 years ago +7

      Centralization of audience

    • @Johnweak000 2 years ago +6

      NullByte really good.

    • @Pixelpulseprime 2 years ago +2

      Null Byte Here

    • @hackersmind8925 2 years ago +3

      Yes! Grabbing money from multiple handshake 🤝

    • @thatoneintrovert9618 2 years ago +1

      Yeah since when did he start working with Hak5??

  • @trackerkan 2 years ago +49

    Should be named "Capture Wi-Fi Password Hashes..."

    • @crystallava5002 a year ago

      once you get the hash, it's relatively easy to get the password

    • @trackerkan a year ago +6

      @crystallava5002 The reason hashes are used is to make it difficult to get the password. The difficulty ranges from easy to impossible depending on the password.

  • @dianenek7437 2 years ago +37

    I enjoy watching your videos. You're a good teacher. You should make it a little clearer that you are capturing hashed passwords. That being said, I work a second job cleaning offices at night. Based on passwords people leave lying around on sticky notes it's clear that people persist in using easily crackable passwords. There certainly needs to be more education about this.

    • @Elektrotechniker a year ago +1

      *except for Wifi Router-Passwords which are usually not even changed from the default Password! And those are not just in any wordlist out there but need to be bruteforced!

    • @elite_fitness 7 months ago

      So you're digging under keyboards instead of cleaning? Lol

  • @christianteller661 2 years ago +1

    Love your videos keep up the great work friend

  • @Mbro-dq2do a year ago

    Amazing Bro. Thank you again for this eye opening info

  • @SchoolforHackers 2 years ago +23

    Kody, you’re an S-class hacking video boss.

  • @shemmo 2 years ago +2

    Thank you for sharing, I really like the Wigle tool

  • @surajkanekal 2 years ago +39

    This only works if the password is listed in the wordlist.

    • @juliusseiffert5831 2 years ago +7

      You can also use random combinations of characters, but that would, at least for the WPA2 security standard, take quite a lot of time (depending on your CPU and, if you use hashcat, which I would recommend, also your GPU)

    • @lexosney685 2 years ago +2

      yes

    • @DavidLindes 2 years ago +2

      Seems like a major omission not to have talked more about this. When Kody grabbed that file (8:36), I was immediately frustrated by the dearth of information about its contents. (Granted, it's named and I can go download it and glean some insights, but like... I wish it had been talked about more in the video, and listed as a shortcoming of this method -- if the password isn't in the wordlist, this attack doesn't work, right? Sigh.)

    • @claudespeed13579 2 years ago +13

      Hacking youtubers love to omit important information such as "The password needs to be in your wordlist" because that keeps unwarned viewers watching the video thinking their method will work. It's a shame.

    • @DavidLindes 2 years ago +3

      @claudespeed13579 I mean... in _many_ cases, it actually would work. But yeah, definitely not all, by any means. Sigh.

  • @mr.quackersjunior8000 2 years ago +6

    Would you be able to send deauth packets to a network to make, for example a roku device, deauthenticate with the user's home Wi-Fi (for example named “MyHomeWifi”), but then the roku device would try to connect to your honey pot which is also named “MyHomeWifi” giving you the half handshake? Or would the roku device not try because it would keep trying the actual user's home wifi instead of yours?

  • @dontlikenamesonline5881 2 years ago +30

    I really don't see the point in this extra work. Why not just use the de-authentication attack? The bottom line is it still results in having to brute-force the password hash. This method just seems like it has unnecessary additional steps, for example, creating a Wi-Fi network. Just de-authenticate a device from its access point and then capture the handshake when it tries to authenticate. I suppose it's good to know another method to capture the same information but it just seems like more work.

    • @nullvoidpointer 2 years ago +11

      This won't require being close to the target.

    • @shawnmathew6203 2 years ago +10

      Deauthentication attacks aren't very stealthy.
      Surely, one can wait an arbitrary amount of time for some device to connect and allow for the handshake to be captured, but that's often not viable.
      Also, it's a direct attack on the organisation's network, which can be expected to have better security measures.
      The approach shown in the above video allows an attacker to target a device carried by an individual, and that too, outside the organisation. By doing so, the chances of being countered are significantly lower.

    • @jakobro1794 2 years ago +3

      I think that’s what they built in the new pineapple. There’s an option to deauthenticate all users or only specific, so they get reconnected automatically. Most of them didn’t even notice although you captured the Pw hash. A lot of them are possible to solve with common wordlists - not all ;)

    • @WokCorner a year ago +1

      This one doesn't require to have an actual client on the target network. It's nice to know the ways, you could easily end up with a network without clients, where deauth is not possible. With this, you could follow someone and hack him in the restaurant or a mall, totally away from an actual premises you need access to. I can imagine this adds to stealth since the attack won't at all happen anywhere near the target building? Anyway, I will probably stick with wifiphisher until I absolutely cannot anymore.

  • @DavidStringham 2 years ago +2

    Works as long as you know an SSID. If you try sniffing for probe requests, only mobile devices before Android 10 and iOS 14 send directed probe requests for non-hidden networks.

    • @Firebolt4 a year ago +2

      Good to know!

    • @nigelnovelo279 a year ago

      Same thing I was thinking, doesn't work for Android 11 and over.

  • @iMBox a year ago +1

    Great work, thanks for sharing. Could you explain the use of the password list file? It suggests that would have been included, so the password revelation is only as good as the list you have?!

  • @AntiFreakMachine 2 years ago +2

    I saw your collection of Michael Bolton MP3s when you exported packets.

  • @GenXwheeler 4 months ago

    Heya! Love your videos. At 4:35 you mentioned that you were already in “root” then said if you aren’t in root “which you shouldn’t be” use sudo. Is it not good running in root or did I just misunderstand. Thank you for all your videos! Sub’d for sure.

  • @scottlewis2653 4 months ago

    Seamlessly combining Mediatek 5G and Wi-Fi 7 with ATSSS could be a game-changer for rural areas and bridge the digital divide.

  • @OwenGilmoreOG 2 years ago +16

    So how should one protect against such an exploit? Tbh I am more worried about a back door on my el cheapo router than some hackers hanging about in my apartment lobby or something but it’s good to know that such things exist

    • @CokesAndTokes 2 years ago +14

      Strong and unique password

    • @CokesAndTokes 2 years ago +18

      They can only crack the password if it's in their wordlist

    • @oldboy1955 2 years ago +4

      download some wordlists and use a password that's not there

    • @hellboy7153 2 years ago +12

      Disable "connect automatically" in your phone so you will have to manually select network to join

    • @oldboy1955 2 years ago +5

      @hellboy7153 Still if someone waits there enough they can still capture the handshake

  • @ReligionAndMaterialismDebunked 7 months ago

    Very cool to drag files into terminal! I didn't even know that was possible. Hehe

  • @BudgetTechUKYT 2 years ago +1

    Great video. I gain access to passwords via an access point with no password in a public place. Lesson is don't use public WiFi.

    • @DavidBoura 2 years ago +1

      I'm lost

    • @BudgetTechUKYT 2 years ago +3

      @DavidBoura Sorry, let me explain. I do a rogue AP. It's where I configure an Access Point with an SSID of "Cafe WiFi", give it no password and wait for people to connect. Then I scan the IP range and capture all their passwords. There are many ways of capturing it but my favourite is the auto fill passwords. You would be surprised how easy it is to get past an Admin password.

    • @wilbourneftdrakevevos9868 a year ago

      This is interesting what software do you use to scan their ip addresses and capture passwords?

  • @____.__._.._ a year ago +3

    Nice video, I've got a question tho. So the catch here is, we set up a network with same SSID as a network that we are interested in getting in (obtaining a password), because devices like smartphones and such would connect automatically when in proximity. Makes perfect sense, but now there are 2 networks with same SSID and different BSSID. It would make more sense for a device to remember the BSSID for such cases, and it would be a simple countermeasure, or I am getting smth wrong?

    • @Yvghhnkoo 10 months ago

      I thought of it that way, did u find answers?

  • @Andrei-cp5jr a year ago +3

    I heard of this on the radio. They said to always disable Wi-Fi when leaving home.

  • @0x07AF 2 years ago +25

    It's odd to me that smartphones don't use a record of your Wi-Fi access point's BSSID/MAC address along with the SSID to avoid getting duped by fakes, or at least provide a pop-up warning about the mismatch and require you to accept or decline allowing the connection before whitelisting or blacklisting the new MAC address. (Would be useful if you have multiple WIFI APs with the same SSID). I'm sure there are methods and gadgets that can spoof an AP's MAC address, but I'd be surprised if typical commercial Android or iOS devices have the ability even if they're rooted.
    One easy way to help you avoid falling victim to this trick is to disable "Wi-Fi auto-connect" to all of your stored routers and access points on all of your mobile devices. You'll still be somewhat vulnerable at home or office, but if your phone doesn't auto-connect to your router, SSID spoofing attempts will be ignored while you're out and away from the nest.

    • @mattyb.5628 2 years ago

      I guess the issue is your device gets all the information about the router by what it actually transmits to you; there's no real way to verify that it's authentic, as all the data looks identical to the real AP.

    • @Tim54000Production a year ago

      Moreover it is preferable to enable the use of transparent Wi-Fi relay.

    • @lawrencepatricio5776 a year ago +3

      In our organization, we have wifi repeaters set up in different locations in order to "eliminate" dead spots. All these repeaters have the same SSID but different MAC addresses, correct? So a device/smartphone just looks up the SSID of a "router" with the best signal and connects to it. Is this what happens? Employees don't really care, much less look at a bunch of letters and numbers with colons in between, about MAC addresses. They just want to connect to a stronger signal. So most people will just press "ACCEPT" without even looking at the MAC address if your suggestion is implemented on smartphones.

    • @____.__._.._ a year ago

      Oh snap, I just asked this in the comments.

  • @quintenmantez6934 2 years ago +1

    Better a half shake than a zero shake!

  • @dimzan235 a year ago +3

    Any hack with wordlist is useless

  • @drwombat 2 years ago

    What operating system are you using that still uses the wlan0 alias for the nic? They stopped using that several versions of debian ago

    • @ancestrall794 2 years ago

      I think he's using Kali Linux

    • @drwombat 2 years ago

      @ancestrall794 I meant what version... Wlan0 hasn't been used since the back track r2 days if I'm not mistaken... Or like debian 7 or something

  • @shakerwahba3742 a year ago

    Nice video, it works!

  • @KieranMahoney a year ago +1

    Pretty much everyone where I live uses the same isp and I know that the default router passcode on the control panel is admin so I’m gonna do this to all my neighbours and enable their guest wifi networks (nobody turns them on) and change the ssid and password to the same as my home network. FREE WIFI ANYWHERE YOU GO

  • @xz4ct801 a year ago

    I love poking around in honeypots and leaving all my scent for the bees to smell😁 thx for the tut.

  • @evascordato2673 a year ago +3

    In the end, all depends on having a good password list and a little luck

  • @cedricvillani8502 2 years ago +25

    P.s don’t let people know they have a “BAD”password unless you directly know that person!! And never forget, NO GOOD DEED EVER GOES UNPUNISHED !

  • @Kholaslittlespot1 2 years ago

    What adapters do people recommend in 2022?

  • @mustaphad1319 2 years ago +1

    I'm a bit confused. Is this like an evil twin wireless access point hack? I also do not quite understand why you need the half handshake to get the password rather than just using a Wireless access point with the same name as the target's host wifi name.

    • @ManeelxAkosAdor a month ago

      Yep, in order to perform an evil twin attack you need to obtain the SSID and the password of that network (which is the difficult part). You spin up an access point with such details so when clients disconnect and connect back, hopefully they will connect automatically to your evil access point, as the password of your evil access point is the same as the password stored in the client's machine for that SSID, and they will connect successfully, accomplishing the attack. The most difficult part is cracking the password as it may require extra resources.

  • @kabandajamir9844 2 years ago +1

    So nice

  • @miscgloryofficial4527 a year ago

    this would be so much fun if I was smart enough to do all of this lol

  • @somalicinema4171 a year ago

    What's the name of the wifi adapter you're using?

  • @moon911x a year ago

    Wow.... Null is here 😍

  • @philbanks7425 2 years ago +1

    Honestly, while this does give a way of getting the password, that's only for passwords in the rockyou file. What if it's a complex password?

  • @anthonysijera7871 2 years ago +1

    So still brute force, right? Since you use a wordlist.

  • @ma5onicmusicproductions507 2 years ago +44

    I'm so happy that kody is with hak5 now! I love his tutorials.

    • @northwindx79 2 years ago

      anyone have a blink counter

  • @kusumabhat6609 2 years ago +1

    Great👍👏😊

  • @Electrum 2 years ago +5

    Wait, but you are using a list of passwords to verify? What if the password is not in your bruteforce list of passwords?

    • @DragoSmash 2 years ago +13

      then you just wasted a bunch of time waiting for the dictionary to complete and get nothing

    • @edwhard2000 2 years ago +3

      @DragoSmash I laughed

    • @Electrum a year ago

      @Grace Jackson yeah I just wanted to make it evident that bruteforcing has such a low rate of success. Especially if you are aiming at a Latin American network. You will need a large Latino-Spanish dictionary.

  • @pskoen a year ago +4

    so, it seems to me that since you're only able to resolve the pw if it's contained in your dic list, and assuming that it wouldn't be such an easily crackable pw, there's really no time advantage to doing it this way over just cracking the full handshake. Especially since, if the password WAS password123, then you would have gotten it in seconds anyway. Now on the other hand, if u were extracting the plaintext pw directly from the pcap dump, NOW you're talking.. if that could be accomplished somehow, or i guess you'd use an "evil" ap tool..

  • @r0sh4n0 2 years ago +1

    I don't see how this is different from capturing a pcap and cracking it? What's new about this technique?

  • @WorldReserveCurrency 2 years ago +2

    I know hashcat does 4 way handshake eapol cracking, but wondering if the half handshake can be used. sounds like it should

  • @streetbikehunter7259 a year ago

    Hello, I just wanted to thank you for the great content. I have watched 98% of your videos at least a couple times each haha. I have a couple questions if you don't mind, can you please message me at your earliest convenience? I will explain if given the chance, it's nothing weird or crazy :) I'm just a fellow computer nerd who could really use a friend. (this is embarrassing lol)

  • @Deaddy- 2 years ago +3

    Hello from Germany🇩🇪

  • @MASAbirokou 2 years ago +7

    hello from Japan🇯🇵

    • @kusumabhat6609 2 years ago +3

      From India🇮🇳

    • @unisos 2 years ago +3

      Hello from Oman 🇴🇲

    • @watsn1019 2 years ago +2

      Hello from your moms house

    • @Belioyt 2 years ago +2

      Hello from Kenya🇰🇪

  • @likelykrtk 2 months ago

    Is it possible to use it on windows OS? Instead of linux?

  • @itssimplyjosh09 a year ago

    To be honest I don't get it, do you have an introduction to your videos? Because I don't know how to use any of these tools. I'm a beginner

  • @NeedChocyMilk 2 years ago

    Does hak5 ship worldwide? I live in Australia and it's kinda hard getting hacking gear like a rubber ducky or a spooftooph. Anyone got any suggestions?

  • @mr-engineer 2 years ago

    Why do we have to crack the hash? How can we connect to the network by sending the same hash that we get from the victim?

  • @fs0c1ety_bs92 2 years ago +5

    Still a brute force, no one uses password123 even by default

    • @lavender0666 2 years ago

      It's an example, people do use default credentials - I know people that do and have seen it in many small businesses

  • @mobiousenigma 2 years ago +8

    There's nothing new here. Using a cellphone is the same as using a computer, it's wifi, it has standards for devices to connect. Capturing a handshake is easy, always has been if there's traffic. I still refer to the 64^120+63^120+62^....10^120+9^120+8^120 ....possible passwords of which only one will work! That's a wordlist of well over 7000 petabytes and a read of years..... so unless there's a hardware vulnerability or social engineering or physical access, the odds of having the damned password in your wordlist are well below being struck by lightning 4 or more times in the same location on earth on different occasions and surviving while on the way to the bank with the winning lottery ticket in your hand every time....the odds of the government randomly giving you money for being a good citizen are so much higher as to be astounding.

    • @djkhaled1468 2 years ago +2

      There are only 200,000 words in the English language. 7 billion POTENTIAL combos, sure. But 99.99% of people use words and numbers for their password.

    • @kyleernst6657 2 years ago

      @Mike Cartman lol I remember being so excited watching these type of videos, getting my usb wifi adapter to try this stuff out. My plan was to use crunch to generate my lists to crack my own wifi...10 chars consisting of uppercase, lowercase, numbers. crunch says it will be 8,137 PB of data..... I didn't even know PB existed LOL, didn't know what it stood for until I read your comment, petabytes. Thanks

    • @mobiousenigma 2 years ago +1

      @kyleernst6657 no problem and my pleasure to have taught something to someone ;] it's kinda brain numbing to know more possible passwords than grains of sand on this planet....

    • @brianmalaconi1623 2 years ago +3

      @kyleernst6657 A bit consists of 8 octets of 0's and 1's, which makes up to 255 combinations of 0's and 1's. A byte consists of 4 bits (1024). And from here it goes on, 1024 bytes makes up a kilobyte, 1024 kilobytes is a megabyte, 1024 megabytes is a gigabyte, 1024 gigabytes is a terabyte and the list goes on until the zettabyte (we haven't gone higher than that yet, a collection of all data all there makes up 44zb, or 44 trillion gigabytes).

  • @thepianoaddict 2 years ago +33

    7:28 it is actually an OR operator, not an AND.

  • @Warning_Zone 2 years ago

    Can we decrypt the handshake file without guessing attack, without brute force attack or without wordlist?

    • @Firebolt4 a year ago +2

      No, you need to use brute force, word list, or a hybrid to crack the hash.

  • @nickgood3998 2 years ago

    Does this work?

  • @christanmiddleton8580 a year ago

    You had me at Wigle

  • @enockroki6370 2 years ago

    my favourite teacher

  • @tinashewells 2 years ago +2

    On this episode of HackByte
    Me: On this episode of Cyber weapons... Damn😑

  • @sev817 2 years ago +4

    Do we still need a password list for this? Or is there a way to brute force using half way handshake?

    • @oldboy1955 2 years ago +1

      idk about bruteforcing but u need a list for this one

  • @BDsoft 2 years ago

    The same intro music as Seytonic channel?

  • @nashvillewebnet 2 years ago +2

    This won’t work against enterprise WiFi

  • @gianluca.g 2 years ago +2

    Ok but why not the good old deauth + full handshake spoof? You would get the full 4-way handshake. Still need to brute force the pass though. A better technique is to set up a rogue AP with the same ssid and no password. The client will connect and then you can ask the password to the user by presenting a nicely formatted html form :-)

    • @jakobro1794 2 years ago

      Evil portals?

    • @Firebolt4 a year ago +1

      Yep, both work and I believe he covers those in different videos!

  • @rectify2003 2 years ago +5

    I like Cody’s videos.
    Even tho he is very knowledgeable, he doesn't come across as arrogant
    Good Job

  • @ciobanurivelino3844 2 years ago +3

    This episode is not reiterating an old Darren and Shannon post from many years ago about Backtrack?

    • @-_IT_- 2 years ago

      aaa backtrack, I love that version!

  • @arthurdaniel5308 2 years ago

    What is the Rockyou.txt? When did he create this file?

  • @franciscomolano5202 a year ago

    Loved to watch those videos, how can I work with you?

  • @stayjuice3724 2 years ago +1

    Why use a password list when brute force is better?

  • @rootshell101 2 years ago +1

    The intro sound is similar to the one from Seytonic channel lol.

    • @retiallc 2 years ago

      He's a friend

  • @Juven630 3 months ago

    Can we hack wireless without using the network connected to our laptop, whether using an RJ45 cable?

  • @realpandorkable 2 years ago

    Congrats on the job man. Perfect fit

  • @thanhnam5268 a year ago

    Man, this is so damn good.

  • @KD-xi9wu a year ago

    airodump-ng is not listing nearby networks for me, please help me to solve this issue.

  • @dirtycow2794 2 years ago

    I only want to know why u blur everything?? There's no sensitive info! I just wanna know why

  • @akuuka666 2 years ago

    Yo, you make really great videos - well spoken and thorough, it's rad to see hakbyte - thank u so much$$

  • @brianmalaconi1623 2 years ago +9

    I just love when they do these Wi-Fi hacking videos, so many dumb and nonsensical comments out here. Great video btw!

  • @nowymercedes a year ago

    May work if you were connected to this wifi previously.

  • @nizarkayous416 11 months ago

    Maybe they should do another hacking learning source that is harder to access for those kids

  • @mariorossi8675 a year ago

    deauth doesn't work with wpa2 and PFM enabled...

  • @andrewwood1502 a year ago

    I'm sure I'm too late to the party to get an answer, but I don't understand; do smartphones really just attempt to connect to a network automatically based only off its name?

  • @mohamedanas8937 a year ago

    Can't we do it without the password list? If we have the password in the password list, we may try the BruteForce method instead of capturing packets and all. I thought the packet would reveal the password.

    • @mohamedelidrissi810 a year ago +1

      You need to either use a readily available word list like rockyou, or generate your own with different combinations. Anything too complex though and you're pretty much out of luck, unless you can afford a cluster of multiple GPUs.

  • @NFlight 2 years ago

    Why are you sudo'ing when you are logged in as root?

  • @MacReflections 2 years ago +8

    So, how does one protect themselves?
    My guess is to use a better password and to turn off WiFi when not in range, but are there other solutions?

    • @MelaninMagdalene 2 years ago

      You don’t

    • @deckard5pegasus673 2 years ago +15

      This video is utterly USELESS, and dumb. Because he is bruteforcing the password, which NEVER works unless you have a password like "mypassword" "12345", ...which nobody has.

    • @smilo_don 2 years ago +7

      @deckard5pegasus673 A Swedish company lost a lot of sensitive documents, including schematics of client bank vaults and surveillance systems, because they used password01 as a password. So saying nobody has those kinds of passwords isn't really true, many people are incredibly lazy and ignorant when it comes to security.

    • @deckard5pegasus673 2 years ago +2

      @smilo_don If they used the password01, you definitely don't need aircrack or kali linux to crack it, much less hashcat. Even a 10 year old kid, with no computer experience could crack it.

    • @smilo_don 2 years ago +8

      @deckard5pegasus673 And I don't NEED a car to get to work, but why should I walk when I can drive.

  • @REALtierope a year ago

    ok ok I'm getting impressed now :)

  • @gregoryskaltsas1858 2 years ago +3

    could you make a video just like that but using hashcat to crack the password? there are instructions everywhere on the internet of course but on one nice small video it would be a great thing to have!

  • @windowsmalwaretesting2197 2 years ago +1

    Cool Vid

  • @prawnboysg9436 2 years ago +17

    Anything that requires a password list is a waste of time. Even with hashcat it would take ages.

  • @nikolas8741 2 years ago +1

    My network is unhackable!

  • @coom07 2 years ago +4

    That definitely doesn't work in my country... Spanish speakers and password as weird as some Russian words

    • @mobiousenigma 2 years ago

      It works in any language and if you're using words it's even easier... living in Spain won't protect you lmao... educate yourself, it's safer than what you believe to be true

    • @arry4479 2 years ago

      @mobiousenigma Attacks using a word list are completely useless against uncommon local languages.

    • @mobiousenigma 2 years ago +1

      @arry4479 rockyou isn't going to work in Russia or China or India...you gotta scrape your own wordlists ffs! And a wordlist is the best bet you have if WPS is not enabled ...and if you read my post you would know what those chances are.....almost none

  • @Densimeter 2 years ago

    Oh yeah

  • @landoncox9118 a year ago

    Following this through almost exactly the same, I cannot get EAPOL protocols to be found in Wireshark. Only 802.11. What is the issue?

  • @weirdo3686 2 years ago +1

    What if the password was not in the rockyou wordlist?

    • @thierryntoh24 2 years ago

      Then you’ve just wasted your time. But the rockyou list is pretty bulky so.. 🤷🏿‍♂️

  • @Riborwahz a year ago

    Somehow the export packet doesn't seem to work for me
    Whyyyy?😤😢

  • @harrygilsphotovideo 2 years ago

    In this episode of cyber…

  • @virangar1150 2 years ago +1

    Your system found a simple password like password123... the handshake method does not work for Wi-Fi with a strong password... don't try

  • @Raza_9798 2 years ago +1

    This is not an actual hack

  • @soulife8383 2 years ago +36

    I once had a phone that checked the MAC address of the SSID and treated same-named networks differently if the MAC address was different. At the time I thought it was a new standard but apparently it was unique to the custom ROM I was running I suppose.

    • @sushrutmishra 2 years ago +2

      What phone was that?

    • @CmdrStukov 2 years ago

      @sushrutmishra a blackberry

    • @cedricvillani8502 2 years ago +1

      Like they say, “There’s an App for that"

    • @soulife8383 2 years ago

      This was probably a way back in the day cyanogen mod for the G1 or G2. But it was a while ago. Sorry, this was the only time I got a notification for this. It might even have been an oem rom I flashed tbh. But I think it was on the g2

    • @soulife8383 2 years ago +2

      @cedricvillani8502 appp plz¿

  • @n0trusts3c 2 years ago +1

    is your other wifi network called "BOOB" ? xD cool tho

  • @lumpanimalyt971 2 years ago +2

    Imagine since most the 80’s is making a comeback a modern day “Kevin” (hacker war games is based off of) gave us another Wargames movie

    • @25EllisDee25 2 years ago +2

      @Lumpanimal YT wargames was released in 1983. kevin got busted in 1995.

  • @Jm7wtf a year ago

    I need some more explanation of this…

  • @justins2599 2 years ago

    Can I use hashcat for the password crack?