KRACK Detector is a tool to detect and prevent KRACK attacks in your network

Pierluigi Paganini November 06, 2017

How to discover if your network is vulnerable to KRACK attack?
KRACK Detector is a script that can detect attacks against client devices on your network.

Last week I published a post warning of many industrial networking devices from various vendors are still vulnerable to the recently disclosed KRACK attack (Key Reinstallation Attack).

The Belgian researcher Mathy Vanhoef of imec-DistriNet, KU Leuven and his team of researchers discovered in the middle-October several key management flaws in the core of Wi-Fi Protected Access II (WPA2) protocol that could be exploited by an attacker to hack into Wi-Fi network and eavesdrop on the Internet communications stealing sensitive information (i.e. credit card numbers, passwords, chat messages, emails, and pictures).

The researchers devised an attack method dubbed KRACK attack (Key Reinstallation Attack) that works against almost any WPA2 Wi-Fi network.

The KRACK attack allows attackers to decrypt WiFi users’ data without cracking or knowing the password.

According to the researchers, the KRACK attack works against:

  • Both WPA1 and WPA2,
  • Personal and enterprise networks,
  • Ciphers WPA-TKIP, AES-CCMP, and GCMP

The KRACK attack works by exploiting a 4-way handshake of the WPA2 protocol that’s used to establish a key for encrypting traffic.

“When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value,” explained Vanhoef. “Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”

KRACK Detector

The attacker just needs to trick a victim into re-installing an already-in-use key, which is achieved by manipulating and replaying cryptographic handshake messages.

How to discover if your network is vulnerable to KRACK attack?

KRACK Detector is a script written in Python Language that can detect possible KRACK attacks against client devices on your network. It uses Python 2 for backward compatibility with older operating systems.

“KRACK Detector is a Python script to detect possible KRACK attacks against client devices on your network. The script is meant to be run on the Access Point rather than the client devices. It listens on the Wi-Fi interface and waits for duplicate message 3 of the 4-way handshake. It then disconnects the suspected device, preventing it from sending any further sensitive data to the Access Point.” states the description of the tool.

Network administrators have to run the script on the Access Point rather than the client devices, it listens on the Wi-Fi interface and waits for duplicate message 3 of the 4-way handshake. Once it detects a device sending the handshake message it then disconnects it in order to prevent it from sending any further sensitive data to the Access Point.

The presence of message 3 of the 4-way handshake is a necessary condition for the Krack attack, however, it might be retransmitted even if no attack is ongoing.

“In such a case the client device will be disconnected from the Wi-Fi network. Some client devices will take some time to re-authenticate themselves, losing the Wi-Fi connection for a few seconds.” reported the Kitploit.com.

No external Python packages are required, network administrators have to run the script as root and pass the Wi-Fi interface as a single argument.

Administrators need to use the actual Wi-Fi interface and not any bridge interface it connects to.

python krack_detect.py wlan0

The tool also allows avoiding suspending suspected devices by using the “-n” flag

python krack_detect.py -n wlan0

The tool is available on Github at the following link:

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – KRACK attack, KRACK Detector )

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment