Wifite2 Versions

Rewrite of the popular wireless network auditor, "wifite"

2.2.5

5 years ago

The previous timeout for PMKID capture was 15 seconds. This was increased to 30 seconds by default.

Users can specify the time to wait using --pmkid-timeout X, where X is the number of seconds to wait.

2.2.4

5 years ago

When interrupting an attack, users can choose to:

  1. continue attacking the same target with remaining attacks,
  2. skip to the next target, or
  3. exit Wifite.

Other small changes:

  • Wifite passes --force into Bully to bypass warnings
  • Wifite detects when --wps-only and --pmkid are both specified, and exits with an error message.

2.2.3

5 years ago

In this version, Wifite will attempt the WPS PIN attack (guessing < 11,000 PINs) after Pixie-Dust fails on WPS-enabled networks.

Wifite summarizes the Reaver (or Bully) output into a single line (updated every second). This includes:

  • Number of PINs tried (Number of PINs remaining for --bully)
  • Time running (or estimated time remaining for --bully)
  • Current status (Trying a PIN, sending packets, etc)
  • The number of WPS Timeouts, number of WPS Failures, and if the AP is locked.

There are some new options as well:

  • --bully to use bully instead of reaver when doing the Pixie-Dust or PIN Attacks.
  • --pixie to avoid the PIN attack and use Pixie-Dust only.
  • --no-pixie to skip Pixie-Dust and only do WPS PIN attacks.

Some other changes regarding "Locked" WPS networks:

  • Locked networks are no longer hidden; these targets say "lock" in the WPS column of the targets list.
  • Wifite will stop WPS attacks (Pixie or PIN) if the AP is Locked.
    • But you can continue attacking Locked networks using the --ignore-lock option.

2.2.2

5 years ago

--crack improvements:

  • Supports john, hashcat, aircrack, or cowpatty
  • Only shows available tools, explains why some tools are unavailable (missing dependencies).
  • Accepts all as input when selecting handshakes.
  • Avoids writing the same cracked password to cracked.txt if it's already been cracked (same bssid, essid, password, handshake, everything).

Wordlist location when using sudo python setup.py install did not match the wordlists checked by the config. Fixed in this version.

2.2.1

5 years ago

Semi-major version bump for significant changes:

  1. Wifite can be installed using setup.py (sudo python setup.py install)
    • This installs wifite as a python module to the machine.
    • Includes an executable script in /usr/sbin/wifite
  2. The base script ./Wifite.py was moved to bin/wifite
    • But this script can't be executed via python bin/wifite unless wifite is installed.

To run wifite:

  1. If installed, just type sudo wifite at any terminal
    • wifite should be found in the current path as it's installed to /usr/sbin
  2. If not installed (e.g. git cloned), type sudo python -m wifite in the clone repo directory.

2.1.9

5 years ago

--pmkid option will only attack WPA networks with the new PMKID capture + crack attack

  • This option avoids the WPS Pixie-Dust and WPA 4-Way Handshake capture attacks.

Improvements to --crack feature:

  • Allows selecting multiple handshakes to crack in bulk.
  • Includes captured PMKID "handshakes" (PMKID hash stored in *.16800 files in the hs directory).
  • If wordlist (--dict) is not found, prompts user to enter a wordlist file.
  • Note: --crack no longer prints different ways to crack handshakes (Hashcat/Pyrit/Cowpatty/Aircrack/etc).
    • Wifite will try to crack the handshakes instead.
    • Cracks WPA 4-Way Handshakes using aircrack-ng
    • Cracks PMKID "handshakes" using hashcat.
    • TODO: An option to print the commands to crack (as one-liners that can be pasted into terminal)
    • TODO: Options to allow users to specify the cracking methods (hashcat + cuda, pyrit, etc).

Other changes:

  • --crack will show cracked results with one target per-line (improves readability).
  • Large refactoring of the code base may introduce new bugs.

2.1.8

5 years ago

From #124, Wifite crashes during the PMKID attack if hashcat or hcxdumptool or hcxpcaptool are missing.

This release fixes the crash; wifite will avoid the PMKID attack if any of the tools are missing.

2.1.7

5 years ago

PMKID Attack

More info on the PMKID attack: wifite2/PMKID.md

  • Not tested very thoroughly
  • Wifite does not detect if the installed version of hashcat can support -m 16800 (the PMKID hash attack).
    • Needs hashcat v4.1.2 or higher.
  • Requires hcxdumptool and hcxpcaptool

Fixes

  • Attempted to fix "Airodump was stopped" errors (also AttributeError with Process.__del__ and other similar errors)
    • Problem occurred when user presses ctrl+c while Wifite is analyzing the latest packets (which is every second!).
  • Various other fixes that hopefully avoid crashes mentioned in the Issues.

Improvements

2.1.6

5 years ago

2.1.6:

  • Support non-ASCII ESSIDs (e.g. Unicode/UTF8).

2.1.5:

  • Leave devices in Monitor Mode at exit (informs user).
  • --keep-ivs option to retain IVS files between attacks (#27)

2.1.4:

  • Fix bug in macchanger
  • More-stable parsing of airmon-ng output

2.1.3:

  • Do not restart NetworkManager when finished (informs user)
  • Changes to CLI switches:
    • --wps-time X: Total time for WPS attack to complete
    • --wps-timeouts X: Max number of timeouts before failing
    • --wps-fails X: Max number of WPSFails before failing
    • Removed unused WPS switches.
    • Improved --help messaging for WPS switches.
    • Fail/Timeout threshold default is 100
  • Bully now outputs useful information:
    • Current PIN + status
    • Time remaining
    • Number of Timeout messages
    • Number of "WPSFail" messages
    • If AP is locked
  • Better reaver output.
    • Looks more like Bully's output.
    • Timer shows time remaining for attack.
    • Mentions "Running pixiewps" during "M2 message" step.
    • pixiewps failure looks like this: "Reaver says: 'WPS pin not found'"
    • Counts Timeouts and "WPS Transaction Failure" (WPSFail)

2.1.2:

  • Quieter --help message, full help available with --help -v or -hv
  • Quiet decloak. Support ESSIDs with commas and trailing spaces
    • Decloaked ESSIDs will have a "*" next to their name. For #78
    • Fixed ESSID parsing caused by Airodump's CSV format.
    • Also fixed hidden ESSID detection introduced by the new CSV parsing logic.

2.1.1:

  • Option to ignore APs without clients (--clients-only or -co)

2.1.0

6 years ago

Now that I have the script working consistently on my machine, it's time to open up to Beta & start fixing bugs other users are seeing.