derv82 / wifite


KRACK support #117

Open Demialter opened 6 years ago

Demialter commented 6 years ago

Would it be possible to use the newly discovered WPA2 vulnerability to extract the encryption key?

https://www.krackattacks.com/

Ecksters commented 6 years ago

According to the site:

Our attacks do not leak the encryption key.

The primary use, as demonstrated by them, would be to set yourself between the client and AP, and strip SSL off of all websites, allowing you to capture and use session packets or other sensitive data. This also would be ineffective against websites that simply do not allow non-HTTPS access.

As most Linux OSs, Windows, and soon Apple have already patched this issue, and none of those were particularly vulnerable to begin with, going forward it will likely only continue to be effective against, of course, unpatched machines.

More specifically, Android devices in particular, which were already the most vulnerable, are the most likely to remain unpatched, as Android OEMs are typically slow or unlikely to release patches, along with access points which act as a client (any AP that uses wireless bridging, including extenders), since users rarely update their firmware, and most likely not all APs will receive updates.

I still would like to see it implemented, but as Wifite in the past has been primarily focused on obtaining wifi keys, rather than other information from a decrypted network, it would require a lot of reworking. It would only be useful if Wifite also implemented a MitM feature with SSL stripping.

For the most convenience it would also need to automatically perform session hijacking or data sniffing, although external programs like Wireshark could potentially be used to do that side of things.

kimocoder commented 6 years ago

Correct, it's a MITM attack, not a key exploit. As @derv82 seems to have gone offline again, it's not likely that it's going to happen. Anyways, some new key extraction attacks would be great, as both the WPS lockout that has been implemented in newer routers and the declining usage of WEP encryption have made things harder.

What I would like is an mdk3 implementation to use those two attacks (the flood attack is one of them) for avoiding WPS timeout lockouts.

its0x08 commented 6 years ago

It's ofc a MITM exploit, but it may be used to get the wifi key combined with an evil twin attack! The victim can get redirected to the evil twin site without disconnecting from the original AP.