
KRACK Attacks: Bypassing WPA2 against Android and Linux


This video is based on the paper Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 and demonstrates how the weakness we discovered in WPA2 can be used to attack Android and Linux devices.

First, I will use an Android device to connect to our Wi-Fi test network, which I will now present. Notice that the network uses WPA2 encryption, as indicated by the lock symbol. Additionally, when visiting, for example, match.com, Android uses HTTPS as an extra layer of protection. This is indicated by the green HTTPS lock, and it is also explicitly mentioned when viewing the web page info. In other words, all transmitted information is protected using both WPA2 and HTTPS.

Let's now start the tools that will be used to attack the Android and Linux device. First, the following command is used to start the WPA2 attack script. Notice that I include the protected Wi-Fi network that will be attacked, and that we will only target one specific device. The tool starts by searching for the protected Wi-Fi network we will attack, and then clones this network on a different channel. This malicious clone of the network enables the attacker to reliably manipulate handshake messages, which is required to abuse the weakness we discovered.

Second, we make sure the victim can access the internet through our malicious network. An additional step is executing the sslstrip tool. This tool will try to remove the additional HTTPS protection of improperly configured websites. Finally, I am going to use Wireshark to capture any data that the client transmits.

We are now ready to carry out the attack. So let's go to the smartphone and connect to the WPA2-protected test network. Once the victim enables Wi-Fi, Android will search for the test network. Once it discovers that network, it will try to connect to the real test network, which is not what we want. Fortunately, we can solve this by sending special Wi-Fi frames that command Android to switch to a different channel. This tricks Android into connecting to the malicious clone of the network. Essentially, we now have a man-in-the-middle position between the victim and the real Wi-Fi network. This allows us to reliably manipulate the messages and carry out the key reinstallation attack against the 4-way handshake.

Normally, after executing such an attack, the victim will reuse nonces when encrypting data frames, and this allows us to recover encrypted data. However, due to an implementation bug, Android and Linux will not reinstall the actual secret key. Instead, they will install an all-zero encryption key. This makes it trivial to intercept and manipulate all data that is transmitted by these devices. When we now go to Wireshark, we can already see that a significant amount of data was intercepted. Note that normally all this data is encrypted using WPA2 and therefore isn't readable by the attacker. However, without knowing the password of this protected Wi-Fi network, we can read all the packets that the victim is sending. This clearly demonstrates that we have successfully bypassed WPA2.

Let's now visit a website on the victim's Android device. In particular, we will again visit match.com. As you can now see, there is no longer a green HTTPS lock in the address bar of the browser. This means the website is no longer using HTTPS as an additional layer of protection. Note that we are able to bypass HTTPS using the sslstrip tool; although this method of bypassing HTTPS does not work against properly configured websites, it does work against a significant fraction of them. Unfortunately, many users do not realize that HTTPS is no longer used and therefore will continue to log in using their real e-mail address and password. The attacker is now able to intercept the e-mail address and password of the victim. Of course, this is only a demonstration using a fake account, meaning the login fails. Nevertheless, the attacker is able to see which password we tried to use. So let's go to the attacker and search for the login attempt. We can see that the attacker was indeed able to intercept the username and password that the victim used.

To avoid being a victim of this attack against WPA2, you must update all your Wi-Fi devices.
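The narration covers three client behaviours in a few sentences: a vulnerable client that reinstalls the pairwise key when message 3 of the 4-way handshake is replayed and thereby resets its nonce, the Android/Linux variant that installs an all-zero key on that reinstall, and the fixed behaviour that the update delivers. The toy model below, added here as an example and not code from the video or from Mathy Vanhoef's tooling, walks through one message-3 replay against each variant and shows what the man in the middle can recover. Two stand-ins are assumed: the CCMP keystream is modelled as HMAC-SHA256 over (key, packet number) rather than real AES-CTR, keeping only the property the attack relies on (same key and same packet number give the same keystream), and handshake messages are bare method calls with no 802.11 or EAPOL framing. The key, the "known" first request and the "secret" login frame are constructed sample data.

```python
import hashlib
import hmac


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Stand-in for the CCMP (AES-CTR) keystream, NOT real CCMP.

    Real CCMP derives keystream from AES(key, nonce) where the nonce carries the
    48-bit packet number. The only property the attack needs is preserved here:
    the keystream is a deterministic function of (key, pn), so a second frame
    sent under the same key and the same pn is XORed with the same bytes.
    """
    out = b""
    block = 0
    while len(out) < length:
        ctr = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, ctr, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Toy client side of the 4-way handshake; only message 3 handling is modelled."""

    def __init__(self, variant: str, ptk: bytes):
        assert variant in ("vulnerable", "linux_android", "patched")
        self.variant = variant
        self.ptk = ptk              # pairwise key negotiated in messages 1 and 2
        self.installed_key = None   # key handed to the data-confidentiality layer
        self.tx_pn = None           # CCMP packet number (the nonce) for frames we send
        self.installed_once = False

    def on_msg3(self) -> str:
        """Handle message 3, genuine or retransmitted (the AP retransmits it when
        the attacker, as man in the middle, does not forward the client's message 4)."""
        if self.installed_once and self.variant == "patched":
            # Fixed clients still answer the retransmission but never hand the
            # same key to the driver twice, so the packet number keeps counting.
            return "msg4 sent, key not reinstalled"
        if self.installed_once and self.variant == "linux_android":
            # The Android/Linux bug from the video: the supplicant cleared the PTK
            # from memory once it had been installed, so the reinstall triggered by
            # the retransmission installs an all-zero key instead of the real one.
            self.ptk = bytes(len(self.ptk))
        self.installed_key = self.ptk
        self.tx_pn = 0              # the core defect: (re)installing resets the nonce
        self.installed_once = True
        return "msg4 sent, key installed"

    def send(self, plaintext: bytes):
        pn = self.tx_pn
        self.tx_pn += 1
        return pn, xor(plaintext, keystream(self.installed_key, pn, len(plaintext)))


# Constructed sample traffic for the demo, not captured data.
PTK = hashlib.sha256(b"constructed pairwise key for the demo").digest()[:16]
KNOWN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
         b"User-Agent: Mozilla/5.0\r\n\r\n")        # predictable first request
SECRET = b"POST /login user=alice&pass=correct horse battery"  # the attacker's target


def run_attack(variant: str) -> dict:
    """One replay of message 3, sandwiched between two frames from the client."""
    sta = Supplicant(variant, PTK)
    sta.on_msg3()                  # genuine message 3: key installed, pn starts at 0
    pn1, ct1 = sta.send(KNOWN)     # attacker records the first encrypted frame
    sta.on_msg3()                  # attacker replays message 3
    pn2, ct2 = sta.send(SECRET)    # vulnerable clients encrypt this at pn 0 again

    result = {"variant": variant, "pn_reused": pn1 == pn2, "recovered": None}
    if variant == "linux_android":
        # No known plaintext needed: decrypt under the all-zero key directly.
        result["recovered"] = xor(ct2, keystream(bytes(len(PTK)), pn2, len(ct2)))
    elif pn1 == pn2:
        # Same key, same nonce: ct1 ^ ct2 == KNOWN ^ SECRET, and KNOWN is known.
        n = min(len(ct1), len(ct2))
        result["recovered"] = xor(xor(ct1[:n], ct2[:n]), KNOWN[:n])
    return result


if __name__ == "__main__":
    for v in ("vulnerable", "linux_android", "patched"):
        r = run_attack(v)
        print(f"{v:14s} nonce reused: {r['pn_reused']!s:5s} recovered: {r['recovered']!r}")
```

Running it shows the difference the narration draws: against the generic vulnerable client the attacker still needs a predictable first frame to cancel the reused keystream, against the Android/Linux variant the all-zero key lets it decrypt the login frame outright, and the patched client keeps counting its packet number so neither trick yields anything. In a real capture the "known" frame is whatever predictable traffic a phone emits right after associating, which is why the video can read the login without the network password.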

100 thoughts on “KRACK Attacks: Bypassing WPA2 against Android and Linux”

  1. That is BS. It is one of many security holes in WiFi and other communication channels. This guy made it as if he discovered America. 1. Upgrading won’t help as manufacturers are years behind vulnerabilities, if they ever care at all. 2. Most public WiFi does not use encryption anyway. For that, use a VPN.
    The easy solution is to watch out for HTTPS errors (green bar) when you enter passwords, or at least check for HTTPS errors if the password did not fit. 2. If HTTPS is broken, move to another public WiFi / reset your router and change the website password. Most antiviruses offer a VPN built into the internet security software, for example F-Secure or Avira.

  2. Is there any way to detect a KRACK attack? Does the attacker leave some kind of trace (syslog, for example)? I wish to detect whether I was under a KRACK attack. Is it possible?

  3. Sir,
    Can you explain in detail?
    Such as: is this OS Kali?
    Or can you just tell how we can make a man-in-the-middle attack with Kali?

  4. It needs the file when entering the code so it knows what to load in. Any idea as to where the source of such a file is?

  5. To protect against people seeing what you're transmitting to the internet, why don't you just use a VPN? It won't protect against stuff transmitted between computers on the local network (LAN), but it should be something you're already doing… especially with everything going on nowadays. OpenVPN is the most secure VPN protocol and can be used to tunnel through networks that other VPNs can't get through, due to how it's set up (tunnel over port 53, 80, 443, etc.), and it's difficult to block.

  6. OK, so as this is usable: you're still not attacking from outside. You're inside, which makes this of NO use… this is a simple rogue WiFi AP and nothing more… there's nothing new here… sorry, truth hurts.

  7. Hahaha, such bullshit. You have to be closer to the client in order to intercept the AP's signal, which means you have to jam the original AP's signal. Without that you will have very little time before the AP checks the MIC and returns an eligible GTK and self-generated MIC. The only way to exploit this without jamming the signal from the original AP is if you have a non-stateful router with a bad WPA implementation where the STA misses the MIC check and the data frame with the GTK check, and goes directly to the CSMA/CA ACK for the data frame. A good AP should ignore all other authorization packets except EAPOL. In most cases (let's say 99.5%) you will be fine.

    That's it. Mr. Robot 2 speaks. You decide whether to believe it or not.

  8. Could you put the script on any cloud server? And the link to it, of course. We need it for download, jeje, c'mon.

  9. Lol, every skid wants the script…
    Do you know what?
    This is a 0day, dude. It means Mathy is going to create the patch for WPA2, and then, after all devices are patched… he will release the code for fun 🙂

  10. Just yesterday, I was remembering a conversation I had with a fellow IT technician that we had, probably about 8 years ago, about how WPA2 was absolutely unhackable. Well… that was his take. In the back of my mind, I was saying to myself, "Everything is crackable… it's just a matter of time." Looks like that time has come.

  11. But to do this, this gentleman is already inside the network, so here he simply explains the flaws it has, but it is only theoretical, since how are they supposed to attack us if they are not inside our network?

  12. While I'm a poor, unimportant guy, I do not care about WPA2, HTTPS cracked, Intel Management Engine, blah blah blah. Hackers will only get my 2 dollar bank account and my private parts.
