Attack on WPA2 Protocol (Installation-Review)


Moderation Team Leader
7 Jul 2013

What is Krack Vulnerability and How Does It Work?


KRACK (Key Reinstallation Attack): this vulnerability targets networks that use the WPA2 protocol. Its most notable feature is that the attacker can sniff and analyse traffic without ever joining the target network. The attacker creates a fake network with the same SSID as the wireless network being attacked, running on a different channel. When the victim tries to connect to the real network, the CSA (Channel Switch Announcement) beacons sent by the attacker steer it onto the fake network instead. After that, the key reinstallation vulnerability is used to reset the encryption key.

Visual Analysis

[Figure] The victim sends a request to the real AP.

[Figure] The attacker performs a CSA beacon injection attack.

[Figure] As a result of the CSA beacon injection, the victim is redirected to the fake AP.


Target Network Vulnerability Tests


The vulnerability was discovered by a researcher named Mathy Vanhoef.

He published a script that lets you check whether a network connection has been attacked or is open to the attack.

Script Address: Github

Key Reinstallation Attacks


The test shown here was carried out on a TP-LINK TL-WN722N adapter running Ubuntu 14.04.


git clone

Before the test, the soft block on the system's Wi-Fi radio must be lifted with a short command so that the script can use the adapter.
For this, type:

sudo rfkill unblock wifi

Afterwards, hardware encryption is disabled with the "" command.


When the system comes back up after the restart, we prepare a configuration file for connecting to the target network with the wpa_supplicant command.


SSID: name of the network (broadcast) to be tested
Key_Mgmt: this must be FT-PSK, because the Fast Transition feature will be tested
PSK: the network password

sudo wpa_supplicant -D nl80211 -i wlan0 -c network.conf

The -D option selects the driver, the -i option selects the wireless interface, and the -c option selects the configuration file we prepared.

This step is important! If the connection succeeds without errors, we can move on to the next steps. If there is a connection problem, it means the network does not support Fast Transition.


Once a working connection exists, the script's own "wpa_supplicant" is run. A virtual monitor interface is created to observe the test.

sudo ./wpa_supplicant -D nl80211 -i wlan0 -c network.conf


sudo wpa_cli -i wlan0

After connecting with wpa_cli, you can roam to a different AP on the same network.


The -i option selects the network card.


You can check whether any other APs were found with the scan_results command.


When the connection succeeds, the terminal lists all vulnerabilities found in the wireless network.


Attack Determination

  • By detecting fake APs.
  • If the keys only have a value of 0.
  • If nonce values are repeated.
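As an added example (not part of the original post or of the KRACK scripts), the following Python checks the last two indicators above over constructed CCMP frame metadata: a temporal key that is all zeros, and a CCMP nonce repeated under the same key, which is what a reinstalled key with a reset packet counter produces. The Frame layout, addresses and key bytes are constructed for the example.

```python
# Added example: detector for two KRACK indicators over constructed data.
# In CCMP every frame carries a 48-bit packet number (PN); the nonce is
# built from the PN and the transmitter address and must never repeat
# under the same temporal key (TK). A key reinstallation resets the PN,
# so the same (transmitter, PN) pair shows up twice under one TK.
from dataclasses import dataclass
from typing import Dict, List, Set

ZERO_TK = bytes(16)  # all-zero 128-bit TK (the "keys are 0" case)


@dataclass
class Frame:
    transmitter: str  # MAC address of the sender (address 2), constructed
    pn: int           # 48-bit CCMP packet number from the frame header
    tk: bytes         # TK in use when the frame was sent (constructed)


def ccmp_nonce(transmitter: str, pn: int, priority: int = 0) -> bytes:
    """Build the 13-byte CCMP nonce: priority(1) || A2(6) || PN(6, big-endian)."""
    mac = bytes.fromhex(transmitter.replace(":", ""))
    return bytes([priority]) + mac + pn.to_bytes(6, "big")


def detect_reinstallation(frames: List[Frame]) -> List[str]:
    """Return one alert string per all-zero key or reused nonce observed."""
    alerts: List[str] = []
    seen: Dict[bytes, Set[bytes]] = {}  # TK -> nonces already seen under it
    for f in frames:
        if f.tk == ZERO_TK:
            alerts.append(f"all-zero TK in use by {f.transmitter} (PN={f.pn})")
        nonce = ccmp_nonce(f.transmitter, f.pn)
        used = seen.setdefault(f.tk, set())
        if nonce in used:
            alerts.append(f"nonce reuse by {f.transmitter}: PN={f.pn} repeated under same TK")
        used.add(nonce)
    return alerts


# Constructed sample: the client sends PN 1, 2, 3; after a replayed
# handshake message 3 its counter restarts at 1 under the same key.
TK_A = bytes(range(16))
CLIENT = "02:00:00:00:00:01"
SAMPLE = [Frame(CLIENT, 1, TK_A), Frame(CLIENT, 2, TK_A), Frame(CLIENT, 3, TK_A),
          Frame(CLIENT, 1, TK_A), Frame(CLIENT, 2, TK_A)]

if __name__ == "__main__":
    for alert in detect_reinstallation(SAMPLE):
        print(alert)
```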

Translator Gauloran