hashcat Forum

Full Version: PMKID Captured.....what now?
I am a little confused here.
I run:
airodump-ng -c 3 -w capturefilename --bssid 00:00:00:00:00:00 wlan0mon

This sometimes results in an output in the terminal saying "PMKID Captured", but it is still stored as a .cap file.

What do I have to do to use the PMKID in this .cap file in some kind of attack in Hashcat?
How to is here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

The hash format (22000 - WPA-PBKDF2-PMKID+EAPOL) is explained here:
https://hashcat.net/forum/thread-10253.html

The PMKID attack is explained here:
https://hashcat.net/forum/thread-7717.html

This command is aircrack-ng specific:
Code:
I run:
airodump-ng -c 3 -w capturefilename --bssid 00:00:00:00:00:00 wlan0mon
This sometimes result in an output in the terminal saying "PMKID Captured", but it is still stored as a .cap file.
For how to use aircrack-ng suite options to handle PMKIDs, you should ask here:
https://forum.aircrack-ng.org
Test 22000: OK

Test 22001: NO
22001 mode does not seem to work properly.
I know the password; I will write the correct password into dic.
The password was not found after executing the command!
Tested with v6.2.3

Code:
D:\hashcat-6.2.3>hashcat  -m 22001  -a 0  WPA.hc22000  dic.txt
hashcat (v6.2.3) starting

CUDA API (CUDA 11.4)
====================
* Device #1: NVIDIA GeForce RTX 2070, 6744/8192 MB, 36MCU
* Device #2: NVIDIA GeForce RTX 2070, 6744/8192 MB, 36MCU

OpenCL API (OpenCL 3.0 CUDA 11.4.125) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #3: NVIDIA GeForce RTX 2070, skipped
* Device #4: NVIDIA GeForce RTX 2070, skipped

Minimum password length supported by kernel: 64
Maximum password length supported by kernel: 64

Hashes: 2 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Salt
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1264 MB

Dictionary cache hit:
* Filename..: dic.txt
* Passwords.: 99
* Bytes.....: 1086
* Keyspace..: 99

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Name........: WPA-PMK-PMKID+EAPOL
Hash.Target......: WPA.hc22000
Time.Started.....: Fri Oct 22 15:50:30 2021 (0 secs)
Time.Estimated...: Fri Oct 22 15:50:30 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (dic.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        0 H/s (0.00ms) @ Accel:64 Loops:256 Thr:1024 Vec:1
Speed.#2.........:        0 H/s (0.00ms) @ Accel:64 Loops:256 Thr:1024 Vec:1
Speed.#*.........:        0 H/s
Recovered........: 0/2 (0.00%) Digests
Progress.........: 99/99 (100.00%)
Rejected.........: 99/99 (100.00%)
Restore.Point....: 0/99 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-256
Restore.Sub.#2...: Salt:0 Amplifier:0-0 Iteration:0-256
Candidate.Engine.: Device Generator
Candidates.#1....: [Copying]
Candidates.#2....: [Copying]
Hardware.Mon.#1..: Temp: 43c Fan:  0% Util: 20% Core:1949MHz Mem:6794MHz Bus:1
Hardware.Mon.#2..: Temp: 38c Fan:  0% Util:  6% Core:1736MHz Mem:6794MHz Bus:1

Started: Fri Oct 22 15:50:27 2021
Stopped: Fri Oct 22 15:50:32 2021

D:\hashcat-6.2.3>pause


Testing v6.2.4 returned an error:

Code:
cuMemAlloc(): out of memory
Hash mode 22000 takes a PSK as input, while hash mode 22001 takes a PMK as input.

Running hash mode 22001, all the PSKs stored in your dictionary are rejected, and hashcat (both versions) told you that:
Code:
Rejected.........: 99/99 (100.00%)

Try the 22001 example hash from here:
https://hashcat.net/wiki/doku.php?id=example_hashes
Code:
echo "WPA*01*5ce7ebe97a1bbfeb2822ae627b726d5b*27462da350ac*accd10fb464e*686173686361742d6573736964***" > test.hc22000

Get the PMK as mentioned in footnote 18:
Code:
echo "88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc" > pmk.dict

Run hashcat:
Code:
$ hashcat -m 22001 test.hc22000 pmk.dict

Try it running the latest git head of hashcat:
https://github.com/hashcat/hashcat
If you still get an error, I recommend opening an issue report here:
https://github.com/hashcat/hashcat/issues


Please notice that hash mode 22001 is designed for analysis purposes only, to verify an existing PMK (already calculated by the PBKDF2 function):
Code:
$ wlangenpmk -p "hashcat!" -e "hashcat-essid"

essid (networkname)....: hashcat-essid
password...............: hashcat!
plainmasterkey (SHA1)..: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
To calculate a PMK by the PBKDF2 function it is mandatory to know the PSK and the ESSID.

From hashcat --help:
Code:
22000 | WPA-PBKDF2-PMKID+EAPOL                              | Network Protocol
22001 | WPA-PMK-PMKID+EAPOL                                 | Network Protocol
I have also tried your WPA*01***** example, but it still returns an error as above.
It should be a bug.
If you look carefully at the execution of the command, it returns a message that the minimum length of the password is 64, which should be a BUG.


Code:
Minimum password length supported by kernel: 64
Maximum password length supported by kernel: 64
The length of a PSK is always 8 -> 63 (hash mode 22000) and hashcat will tell you that:
Code:
Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

The length of a PMK is always 64 (hash mode 22001) and hashcat will tell you that:
Code:
Minimum password length supported by kernel: 64
Maximum password length supported by kernel: 64

The PMK is calculated via the PBKDF2 function from the ESSID and the PSK:
PMK = PBKDF2(PSK, ESSID, 4096)
as described here:
https://en.wikipedia.org/wiki/Pbkdf2

Running hash mode 22001 the dictionary should contain only PMKs of length 64 (HEX).

The example is working as expected:
Code:
$ echo "WPA*01*5ce7ebe97a1bbfeb2822ae627b726d5b*27462da350ac*accd10fb464e*686173686361742d6573736964***" > test.hc22000
$ echo "88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc" > pmk.dict
$ hashcat -m 22001 test.hc22000 pmk.dict
hashcat (v6.2.4-95-g707bff5c2) starting

CUDA API (CUDA 11.4)
====================
* Device #1: NVIDIA GeForce GTX 1650, 3857/3911 MB, 16MCU

OpenCL API (OpenCL 3.0 CUDA 11.4.136) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce GTX 1650, skipped

Minimum password length supported by kernel: 64
Maximum password length supported by kernel: 64

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1198 MB

Dictionary cache built:
* Filename..: pmk.dict
* Passwords.: 1
* Bytes.....: 65
* Keyspace..: 1
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.          

5ce7ebe97a1bbfeb2822ae627b726d5b:27462da350ac:accd10fb464e:hashcat-essid:88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22001 (WPA-PMK-PMKID+EAPOL)
Hash.Target......: test.hc22000
Time.Started.....: Fri Oct 22 13:03:32 2021 (0 secs)
Time.Estimated...: Fri Oct 22 13:03:32 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (pmk.dict)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     5508 H/s (0.00ms) @ Accel:1024 Loops:1024 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc -> 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
Hardware.Mon.#1..: Temp: 47c Util: 32% Core:1965MHz Mem:4001MHz Bus:8

Started: Fri Oct 22 13:03:31 2021
Stopped: Fri Oct 22 13:03:33 2021
@ZerBea
Thanks.
Start task:
Code:
$ hashcat -m 22001 test.hc22000 pmk.dict

Request checkpoint:
Code:
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => c

Checkpoint enabled. Will quit at next restore-point update.

Resume task:
Code:
$ hashcat --session=hashcat --restore

Hash mode 22001 is a very special hash mode that should be used by analysts to verify a large number of given PMKs.
It is not possible to recover an unknown PSK running hash mode 22001.
@ZerBea  Thanks
BTW:
22000 recovers a PSK from a PMKID or an EAPOL MESSAGE PAIR
22001 verifies a PMK

If you're interested in working with PMKs, please take a look at hash mode 12000, too.
This mode will recover a PSK from a PMK and an ESSID.
From hashcat --help
Code:
12000 | PBKDF2-HMAC-SHA1                                    | Generic KDF

Let's use the example from above and prepare a 12000 hash line from the ESSID and PMK that hashcat can work on:
Code:
$ hcxpmktool -m 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc -e hashcat-essid

ESSID............: hashcat-essid
PMK..............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PBKDF2-HMAC-SHA1.: sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw=

and recover the PSK:
Code:
$ hashcat -m 12000 sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw= -a 3 'hashcat!'
hashcat (v6.2.4-95-g707bff5c2) starting

CUDA API (CUDA 11.4)
====================
* Device #1: NVIDIA GeForce GTX 1650, 3857/3911 MB, 16MCU

OpenCL API (OpenCL 3.0 CUDA 11.4.136) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce GTX 1650, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Brute-Force
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 908 MB

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.          

sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw=:hashcat!
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 12000 (PBKDF2-HMAC-SHA1)
Hash.Target......: sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnn...OVNdw=
Time.Started.....: Fri Oct 22 15:29:06 2021 (0 secs)
Time.Estimated...: Fri Oct 22 15:29:06 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       43 H/s (0.17ms) @ Accel:256 Loops:128 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:3968-4095
Candidate.Engine.: Device Generator
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 54c Util:  7% Core:1815MHz Mem:4001MHz Bus:8

Started: Fri Oct 22 15:29:04 2021
Stopped: Fri Oct 22 15:29:06 2021
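As an added example (not code from the thread or from the hashcat project), this Python script ties the three hash modes discussed above together using only the standard library and the thread's own example values: it derives the PMK from the PSK and ESSID with the PBKDF2 formula given above, checks the result against the PMKID in the 22000 example line, shows why a PSK candidate is rejected in mode 22001, and rebuilds the 12000 line that hcxpmktool printed.

```python
import base64
import hashlib
import hmac

# hashcat's published 22000 example line, as used throughout the thread
EXAMPLE_LINE = ("WPA*01*5ce7ebe97a1bbfeb2822ae627b726d5b*27462da350ac*"
                "accd10fb464e*686173686361742d6573736964***")


def derive_pmk(psk: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(PSK, ESSID, 4096 rounds), 32 bytes (the thread's formula)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID is the first 128 bits of HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_hc22000(line: str) -> dict:
    """Split a WPA*01* (PMKID) line into its fields; the ESSID field is hex-encoded."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] != "01":
        raise ValueError("only WPA*01* PMKID lines are handled here")
    return {"pmkid": bytes.fromhex(f[2]), "mac_ap": bytes.fromhex(f[3]),
            "mac_sta": bytes.fromhex(f[4]), "essid": bytes.fromhex(f[5]).decode()}


def psk_matches(line: str, psk: str) -> bool:
    """What -m 22000 does per candidate: PSK -> PMK (PBKDF2) -> PMKID, compared to the line."""
    h = parse_hc22000(line)
    pmk = derive_pmk(psk, h["essid"])
    return hmac.compare_digest(compute_pmkid(pmk, h["mac_ap"], h["mac_sta"]), h["pmkid"])


def pmk_matches(line: str, candidate: str) -> bool:
    """What -m 22001 does: the candidate must already be a 64-hex-char PMK; no PBKDF2 is run."""
    if len(candidate) != 64:
        return False  # mirrors hashcat rejecting every candidate that is not exactly 64 chars
    h = parse_hc22000(line)
    pmkid = compute_pmkid(bytes.fromhex(candidate), h["mac_ap"], h["mac_sta"])
    return hmac.compare_digest(pmkid, h["pmkid"])


def to_mode_12000(pmk: bytes, essid: str) -> str:
    """sha1:4096:base64(ESSID):base64(PMK), the -m 12000 line hcxpmktool printed above."""
    return "sha1:4096:%s:%s" % (base64.b64encode(essid.encode()).decode(),
                                base64.b64encode(pmk).decode())
```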