Overview
A set of scripts to help perform an online dictionary attack against a WPA3 access point. Wacker leverages the wpa_supplicant control interface to control the operations of the supplicant daemon and to get status information and event notifications ultimately helping speedup connection attempts during brute force attempts.
Virtual Wifi Arena
In lieu of finding a WPA3 AP for testing, consider setting up a local environment using mac80211_hwsim (details below) or by using the VMs provided by the RF Hackers Sanctuary (scoreboard.rfhackers.com).
Local Simulated Radios
To set up your own software simulator of 802.11 radios simply configure and load the correct mac80211_hwsim module.
Choose one of the new interfaces as your WPA3 access point and use the following conf file.
And start hostapd with
Split a wordlist
If you have intentions of farming out your cracking efforts across a series of nics the provided split.sh script will partition a wordlist for you.
Building wpa_supplicant
We’re providing our own wpa_supplicant in order to guarantee that certain configurations are set as well as a few mods that need to occur within the source code itself.
Python Requirement
python3.6+ is required
Finding a target
Wacker should be seen as a complimentary tool to airodump or kismet where target selection is already performed. Wacker intentionally disables background scanning with wpa_supplicant to help speed up authentication attempts.
Running wacker
The wacker.py script is intended to perform all the heavy lifting and requires a few specifics regarding the target.
With any luck… running the attack using just one instance…
Running multiple instances of wacker is easy if you have the spare nics. Don’t forget to parition the wordlist.
Files of interest
wacker is quite verbose. Files of interest are found under /tmp/wacker/
- wlan1 : one end of the uds
- wlan1_client : one end of the uds
- wlan1.conf : initial wpa_supplicant conf needed
- wlan1.log : supplicant output (only when using –debug option)
- wlan1.pid : pid file for the wpa_supplciant instance
- wlan1_wacker.log : wacker debug output
Caution
wacker doesn’t handle acls put in place by the target WPA3 AP. Meaning, the current code always uses the same MAC address. If the target AP blacklists our MAC address then the script won’t differentiate between a true auth failure and our blacklisted MAC being rejected. This will mean that we’ll consider the true password as a failure. One way to solve…. we would have to add macchanger to the source at the expense of slowdown.
Common Problems
- You’ll see this when your client driver doesn’t support the correct AKM. Typically this manifests itself in the wpa_supplicant output after you try and run the wacker script. The supplicant will essentially hang waiting further instructions with the AKM issue detailed below. The needed AKM is 00-0F-AC:8 (SAE) in the cases of WPA3.
