Airgeddon - Audit Wireless Networks [PixieDust, 4Way Handshake & Evil Twin Explained]

Airgeddon is a multi use bash script for Linux systems to audit wireless networks. It is an all in one tool. It can run many attacks on WEP, WPS and WPA networks.
dhcp d or DHCP deemon missing. it is required to provide Dynamic Host Configuration Protocol service to network, when you conduct attacks like evil twin with captive portal.
Clone the git repository.
Go to the newly created directory.
Run airgeddon.sh (remove su do if you already have root permissions)
Select an interface to work with.
First we need to put the interface in monitor mode.
Here is the attack menu. Let's first try with WPS.
Explore for targets, monitor mode is needed for it.
Press control plus C when you are done exploring.
Select the type of WPS pin attack. I am going to try pixie dust attack with bully. Bully and reaver both are WPS brute force attack tools.
With pixie dust attack we can obtain pin and password in seconds, but not all access points are vulnerable.
Provide time out in seconds and then the path to save the file containing password or just hit enter to accept deafault value and path.
As you can see the pin is discovered in a second and which in turn leads to password.
Let's see how it works.
WPS security flaw was found by Dominique Bongard. He found that some Access Points have flaws
in the way the nonces (known as E-S1 and E-S2) are generated, that are supposed to be secret. If we are able to figure out what these nonces are,we can easily find the PIN of an Access Point.
First we need to understand how WPS exchange works. When the Registrar (the client computer) wants to connect to the Enrollee (the Access Point) they exchange a series of request and response messages as part of the negotiation process, these are named M1 to M8.
In the Pixie Dust Attack, the negotiation process can be stopped right after message M3 because we already have all the values needed for the attack. The registrar sends EAPOL start message.
Enrollee sends back EAP-Request Identity message (in response to the EAPOL-Start message), which is used to request identity from the Registrar, for example, user name.
Enrollee sends out EAP-Request Identity periodically, even before receiving an EAPoL-Start message.
As a response to EAP-Request Identity message, the Registrar provides its identity (example user name) in an EAP-Response message to the Enrollee.
Now, Enrollee generates Enrollee Nonce or N1 and DH Public Key of Enrollee or PKE.
Enrollee sends M1 message which is a concatenated string of N1, description and PKE. Upon reception of M1 the Registrar generates PKR and N2.
The Registrar computes the DHKey using SHA-256 and calculate the Key Derivation Key.
Finally AuthKey, KeyWrapKey, and EMSK are derived and the M2 response message is sent.
The M2 message is a concatenated string of N1, N2, description, PKR and Auth.
The M3 request message is sent by Enrollee which is again a concatenated string of E-HASH-1 and E-HASH-2, that is WPS PIN in hashed form, in order to prove that it also knows the PIN, and the client is not connecting to a rouge Access Point.
The real fun starts now, the E-HASHes are calculated by H-MAC-SHA-256 with auth key using E-S1 and E-S2, PSK1 an PSK2, PKE and PKR.
Now in each hash we have two unknowns, the E-S1 and E-S2 ( or 128 bit random nonces), PSK1 and PSK2 or the first and second halves of the pin. Now, if we know the nonces generated by pseudo-random generators (PRNG), we can brute force PSK1 and PSK2 as each of these contain 4 digits of pin.
Dominique Bongard found out that many Access Points chipsets use insecure PRNG to generate the nonces. For example, Broadcom uses the Rand() function from C, and in Ralink E-S1 and E-S2 are never generated and therefore always equals zero. Therefore if PRNG state can be recovered, E-S1 and E-S2 can be calculated and PSK1 and PSK2 be brute forced from E-Hash1 and E-Hash2.
These E-S1 and E-S2 are essentially the "keys to unlock the lock box" containing the WPS pin.
After this, we use reaver or bully to connect to the access point using pin, which in turn throws back
the credentials. I am not going to explain how this exchange works, if you want to know in detail leave a comment.
Due to shortage of time I am going to discuss two more attacks, first one is capturing and bruteforcing the handshake and the other is Evil Twin Attack with Captive Portal.
Let's change our target, go to main menu and explore again for target, or skip this step to continue
with present target.
Now capture the handshake.
First disconnect the client from Access Point and when it reconnects air gaeddon will capture the
handshake as our interface is monitoring the network already.
In the time, air crack n g attemps to crack password, let's see what's happening here.
The four-way handshake is designed so that the access point (or authenticator) and wireless client
(or supplicant) can independently prove to each other that they know the PSK, without ever disclosing the key.
In W P A-PSK,  4 way handshake starts immediately after Open System Authentication & Association state finish.
Message 1.
Authenticator sends EAPOL-Key frame containing an A-Nonce( or Authenticator nonce) to supplicant.
The frame includes the authenticators mac address. Message 1 is sent without any protection.
With this information, supplicant have all  necessary input to generate PTK using PMK, A-Nonce, S Nonce, Authenticator MAC Address, and Supplicant MAC Address.
This is used to encrypt all unicast transmission between client & Access Point.
Message 2.
Supplicant sends an EAPOL-Key frame containing S-Nonce to the Authenticator.
Now authenticator has all the inputs to create PTK.
Supplicant also sent R S N-I E capabilities to Authenticator & MIC.
Authenticator derive PTK & validate the MIC as well.
Message 3.
If necessary, Authenticator will derive GTK.
Authenticator sends EAPOL-Key frame containing A-Nonce, RSN-IE & MIC.
GTK will be delivered (encrypted with PTK) to supplicant.
It contains message to supplicant to install temporal keys.
Message 4.
Supplicant sends final EAPOL-Key frame to authenticator to confirm temporal keys have been installed with MIC.
Let's see how password cracking works.
PTK is concatenation of five different keys.
Key Confirmation Key or KCK,
Key Encryption Key or K E K,
Temporal Encryption Key or T E K and two M I C keys.
KCK is used to construct MIC in EAPOL packets 2,3 and 4.
4-way handshake password "cracking" works by checking MIC in the 4th frame.
4-way handshake is parsed to get MAC addresses, nonces, and EAPOL payload and MIC from 4th frame.
Words from dictionary are used to compute PMK.
PTK is computed from PMK, MAC addresses and nonces.
KCK from computed PTK is used to compute MIC.
Computed M I C is compared to the genuine MIC. If they match, then password is reported as correct.
Let's see what is happening here.
MDK3 process kicks all the clients from the target access point, so they can be lured to connect to the fake access point, and enter the W P A password.
A fake DNS server is launched in order to capture all the DNS requests and redirect them to host running the script.
A captive portal is launched in order to serve a page to all the clients, which prompts all the users
to enter their password.
Each submitted password is verified against the handshake captured earlier.