During a recent event I decided to setup a passive monitoring station to check for any attempts to impersonate, hi-jack, or deny service to our WiFi . For this task I decided to use an Alpha card, and Kismet (which comes already installed on Kali linux). To deploy for wireless intrusion detection (WIDS)
Kismet worked as advertised and I was able to monitor channel utilization and for wireless anomalies (think pwnagotchi or hak5 pineapple)
Channel Utilization Monitoring
Kismet WIDS alerting
This worked great, but I soon noticed that Kismet also was logging WPA handshakes for client connections. Which made me wonder, could kismet be used as an attack platform?
Captured WPA key exchange
After some quick googling I found indeed its very possible using this 3 step process.
Export PCAP data out of the kismet session database (by default stored at the root of a user home dir) by issuing the command kismet_log_to_pcap — in foo.kismet — out foo.pcap
Convert that PCAP into something consumable by hashcat by issuing the command cap2hccapx.bin foo.pcap foo.hccapx
Setup hashcat to crack the stored key exchanges by using the command hashcat64.exe -m 2500 foo.hccapx rockyou.txt -r rules/rockyou-30000.rule
What was surprising was that it took seconds or less to crack many of the captured sessions. Whats more interesting is that its possible to deploy kismet on extremely cheap hardware such as a Raspberry Pi and form fleets of sensors that all log to a central point, and that are all cracked and monitored.
hashcat output
Today’s key take away? If you use a portable access point such as your phone as a hotspot you still need to use an extremely long and complex password. It used to take an exorbitant amount of time to crack WPA2 but that is no longer true. Modern techniques for cracking the pairwise master key have been developed which combined with GPU based password cracking means weak passwords can often be instantly cracked.
