Quote: To answer your question:
2412 = Frequency in MHz
1 = Channel
Sure! I know that! But completely forgot this morning. Flew out of my head.
I think it's a good idea to add a header-reminder to logfile.
Besides, if you shift the internal status line slightly, it will be easier for eyes to find that line.
Especially if the logfile is quite large.
Please see examples below.
Code:
# hcxdumptool -i wlan0 -o dump.pcapng --silent --enable_status=95 -c 1
initialization of hcxdumptool 6.2.5-7-g4d7c072...
start capturing (stop with ctrl+c)
...
...
ANONCE....................: d698dfa621a0743336e4e466397418a4e8caccf4ea6af648b14cdd68771677fd
SNONCE....................: cedb8eacf87de069139f3052457e1aee3e48f06d16de9dac2d1632965d0fbadf
--------+-------+-------------+------------+----------------------------------------
Time | Fr/Ch | Dest. MAC | Source MAC | SSID / Description
--------+-------+-------------+------------+----------------------------------------
23:05:56 2412/1 ffffffffffff 020000000001 ap01 [BEACON]
23:05:57 2412/1 506070abfedc 020000000001 ap01 [PROBERESPONSE]
23:06:00 2412/1 ERROR:0 INCOMING:304 AGE:1 OUTGOING:0 PMKIDROGUE:0 PMKID:0 M1M2ROGUE:0 M1M2:0 M2M3:0 M3M4:0 M3M4ZEROED:0 GPS:0
23:06:12 2412/1 020000000020 020000000001 ap01 [AUTHENTICATION]
23:06:12 2412/1 020000000020 020000000001 ap01 [ASSOCIATION]
23:06:12 2412/1 020000000020 020000000001 ap01 [EAPOL:M1M2 EAPOLTIME:1697 RC:0 KDV:2 PSK:12345678]
23:06:12 2412/1 020000000020 020000000001 ap01 [EAPOL:M2M3 EAPOLTIME:8516 RC:1 KDV:2 PSK:12345678]
23:06:12 2412/1 020000000020 020000000001 ap01 [EAPOL:M3M4ZEROED EAPOLTIME:67 RC:1 KDV:2]
23:07:00 2412/1 ERROR:0 INCOMING:5962 AGE:1 OUTGOING:0 PMKIDROGUE:0 PMKID:0 M1M2ROGUE:0 M1M2:1 M2M3:1 M3M4:0 M3M4ZEROED:1 GPS:0
23:07:02 2412/1 708070abab00 000bf4ad5401 To be, or not to be [ROGUE PROBERESPONSE]
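As an added example (not part of this post, and not code from hcxdumptool), here is a small Python parser for the status-line format shown above. It tells the per-frame lines apart from the internal counter lines (the ERROR:/INCOMING: ones this post suggests indenting), copes with an SSID that contains spaces, and counts frame types per transmitting MAC and SSID. The sample input is the log excerpt quoted above.

```python
import re
from collections import Counter
from itertools import takewhile

# Sample input: the hcxdumptool status lines quoted in the post above.
SAMPLE_LOG = """\
23:05:56 2412/1 ffffffffffff 020000000001 ap01 [BEACON]
23:05:57 2412/1 506070abfedc 020000000001 ap01 [PROBERESPONSE]
23:06:00 2412/1 ERROR:0 INCOMING:304 AGE:1 OUTGOING:0 PMKIDROGUE:0 PMKID:0 M1M2ROGUE:0 M1M2:0 M2M3:0 M3M4:0 M3M4ZEROED:0 GPS:0
23:06:12 2412/1 020000000020 020000000001 ap01 [AUTHENTICATION]
23:06:12 2412/1 020000000020 020000000001 ap01 [ASSOCIATION]
23:06:12 2412/1 020000000020 020000000001 ap01 [EAPOL:M1M2 EAPOLTIME:1697 RC:0 KDV:2 PSK:12345678]
23:06:12 2412/1 020000000020 020000000001 ap01 [EAPOL:M2M3 EAPOLTIME:8516 RC:1 KDV:2 PSK:12345678]
23:06:12 2412/1 020000000020 020000000001 ap01 [EAPOL:M3M4ZEROED EAPOLTIME:67 RC:1 KDV:2]
23:07:00 2412/1 ERROR:0 INCOMING:5962 AGE:1 OUTGOING:0 PMKIDROGUE:0 PMKID:0 M1M2ROGUE:0 M1M2:1 M2M3:1 M3M4:0 M3M4ZEROED:1 GPS:0
23:07:02 2412/1 708070abab00 000bf4ad5401 To be, or not to be [ROGUE PROBERESPONSE]
"""

# Frame line: TIME FREQ/CH MAC_DEST MAC_SOURCE ESSID [DESCRIPTION]; the ESSID may contain spaces.
FRAME_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<freq>\d+)/(?P<ch>\d+) "
    r"(?P<dst>[0-9a-f]{12}) (?P<src>[0-9a-f]{12}) (?P<essid>.*) \[(?P<desc>[^\]]*)\]$"
)
# Internal counter line: TIME FREQ/CH NAME:VALUE NAME:VALUE ...
STATUS_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<freq>\d+)/(?P<ch>\d+) (?P<counters>(?:[A-Z0-9]+:\d+ ?)+)$"
)


def frame_type(desc):
    """Keep the frame descriptor and drop trailing NAME:VALUE details (EAPOLTIME, RC, KDV, PSK)."""
    tokens = desc.split()
    return " ".join(tokens[:1] + list(takewhile(lambda t: ":" not in t, tokens[1:])))


def parse_line(line):
    """Classify one status line as a frame, an internal counter line, or unknown."""
    m = FRAME_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "frame"
        rec["type"] = frame_type(rec["desc"])
        return rec
    m = STATUS_RE.match(line)
    if m:
        counters = {}
        for tok in m.group("counters").split():
            name, value = tok.split(":")
            counters[name] = int(value)
        return {"kind": "status", "time": m.group("time"), "freq": m.group("freq"),
                "ch": m.group("ch"), "counters": counters}
    return {"kind": "unknown", "raw": line}


def summarize(log_text):
    """Count frames per (source MAC, ESSID, frame type) and return the last counter line seen."""
    frames = Counter()
    last_status = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["kind"] == "frame":
            frames[(rec["src"], rec["essid"], rec["type"])] += 1
        elif rec["kind"] == "status":
            last_status = rec["counters"]
    return frames, last_status


if __name__ == "__main__":
    frames, status = summarize(SAMPLE_LOG)
    for (src, essid, ftype), n in sorted(frames.items()):
        print(f"{src} {essid!r:24} {ftype:22} {n}")
    print("last counters:", status)
```

The counter dictionary from the last internal line is what you would check on a headless box: M1M2 and M2M3 at 1 say a usable message pair for ap01 was captured, and M3M4ZEROED at 1 explains why no M3M4 pair was recorded.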
Nice feature requests.
Added header by this commit:
https://github.com/ZerBea/hcxdumptool/co...391360eb38
and shift internal messages/warnings by 2 spaces by this commit:
https://github.com/ZerBea/hcxdumptool/co...81d03d96ff
Please notice:
Every new feature has a price tag as well as every activated option:
It will slow down hcxdumptool.
Especially for headless operation (running on a Raspberry Pi Zero), I recommend using hcxlabtool in combination with a modified Makefile (compile only what you really need).
There is a huge performance difference on all attack modes between hcxdumptool (beautiful status) and hcxlabtool series (high performance attack vector).
(12-08-2021, 10:33 PM) v71221 Wrote:
@ZerBea
Please see file Dumps.zip attached.
Concerning the PMKID attack, are the following statements true?
1. It doesn't matter if you capture PMKIDROGUE or PMKID. Both are suitable for PMKID-attacks.
2. In my case, pmkid-hash was not cracked (Status: Exhausted), probably due to a bug.
Hi, I sent you a PM, I need your help.
@ZerBea
Here is more information about Windows, Hosted Network and PMKID.
I have found that
- Windows 7 sends PMKID
- Windows 8 sends PMKID
- Windows 10 doesn't send
- Windows 11 doesn't send
Funny, but Windows 7 and 8 send different PMKIDs. Both are calculated incorrectly. This leads to a Hashcat Status of Exhausted, not Cracked.
Windows 7
Code:
TIME FREQ/CH MAC_DEST MAC_SOURCE ESSID [FRAME TYPE]
12:28:31 2412/1 020000000020 020000000001 ap01 [PMKID:f8dc238fb156874627b5ff251b8ab53c KDV:2]
12:28:31 2412/1 020000000020 020000000001 ap01 [EAPOL:M1M2 EAPOLTIME:18142 RC:0 KDV:2 PSK:12345678]
Windows 8
Code:
12:42:34 2412/1 020000000020 020000000001 ap01 [PMKID:6faf75249e6dcaa15d4b8a68a941fe54 KDV:2]
12:42:34 2412/1 020000000020 020000000001 ap01 [EAPOL:M1M2 EAPOLTIME:18275 RC:0 KDV:2 PSK:12345678]
The correct PMKID, as you mentioned, is ca5396d611cf330aebefd48ebbfb0e63
I prefer to use the older version of Hashcat (v5.1.0) because it runs much faster on my 10-year-old laptop than the newest version (v6.2.5)
It takes about 5 seconds:
Code:
hashcat64.exe -D 1 -a 3 -m 16800 "ca5396d611cf330aebefd48ebbfb0e63*020000000001*020000000020*61703031" "12345678"
It takes about 16 minutes:
Code:
hashcat.exe -D 1 -a 3 -m 22000 "WPA*01*ca5396d611cf330aebefd48ebbfb0e63*020000000001*020000000020*61703031***" "12345678"
P.S.
I tested
- Windows 7 Enterprise
- Windows 8 Single Language
- Windows 10 Enterprise (Version 21H1)
- Windows 11 Enterprise (Version 21H2)
With the wireless Hosted Network, a Windows computer can use a single physical wireless adapter to connect as a client to a hardware access point (AP), while at the same time acting as a software AP allowing other wireless-capable devices to connect to it.
https://docs.microsoft.com/en-us/windows...ed-network
https://docs.microsoft.com/en-us/windows...on-sharing
Good investigation. Thanks for sharing the results.
Now we know exactly that the PMKID calculated by Windows 7 and Windows 8 is garbage.
BTW:
No need to run hashcat to confirm a PSK or a PMK because hcxhashtool can do it
by PSK:
Code:
$ time hcxhashtool -i test.hc22000 --psk=12345678
020000000020:020000000001:ap01:5577866bc5e9778a3ca3d8730e97f258e2a9ae2afd95bbd63c4f383275c8ba93:12345678
OUI information file..........: /home/zerobeat/.hcxtools/oui.txt
OUI entires...................: 30753
total lines read..............: 1
valid hash lines..............: 1
PMKID hash lines..............: 1
real 0m0,152s
user 0m0,149s
sys 0m0,003s
or by PMK:
Code:
$ time hcxhashtool -i test.hc22000 --pmk=5577866bc5e9778a3ca3d8730e97f258e2a9ae2afd95bbd63c4f383275c8ba93
020000000020:020000000001:ap01:5577866bc5e9778a3ca3d8730e97f258e2a9ae2afd95bbd63c4f383275c8ba93
OUI information file..........: /home/zerobeat/.hcxtools/oui.txt
OUI entires...................: 30753
total lines read..............: 1
valid hash lines..............: 1
PMKID hash lines..............: 1
real 0m0,157s
user 0m0,150s
sys 0m0,007s
hcxdumptool is able to confirm a PSK on-the-fly.
Just add --weakcandidate=test_psk (default: 12345678)
@ZerBea
I have a WPA2 hc22000 handshake file and I want the PMKID so I can get the PSK from it. It looks like
WPA-PBKDF2-PMKID+EAPOL¹
The messagepair is c2 in my case, which means it is an authorised messagepair as per my knowledge.
So as per my research it is WPA-PBKDF2-PMKID+EAPOL¹, the PMKID is added with EAPOL, so how do I separate the PMKID from EAPOL to get the PMKID so I can brute force it and get the PSK?
Please help, ZerBea.
Sorry if I ask a silly question, as I am a beginner; forgive me.
WPA-PBKDF2-PMKID+EAPOL means that it can either be a PMKID or an EAPOL MESSAGE PAIR from a 4-way handshake.
The format identifier at the beginning of the hash line shows the type:
Code:
WPA*01*..... == PMKID
WPA*02*..... == EAPOL MESSAGE PAIR from a 4way handshake
The hashes are taken from the dump file. WPA*01 if a PMKID is inside the dump file, WPA*02 if an EAPOL MESSAGE PAIR is inside the dump file.
How to filter the hash file by PMKID or by EAPOL MESSAGE PAIRs is described here:
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
It is not possible to calculate a PMKID from an EAPOL MESSAGE PAIR (WPA*02* hash line) if you don't know the PMK.
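Both things ZerBea describes in this thread, confirming a PSK or PMK against a hash line without running hashcat (the hcxhashtool --psk/--pmk posts above) and telling WPA*01 (PMKID) lines from WPA*02 (EAPOL) lines in a hc22000 file, can be reproduced in a few lines of Python. The block below is an added example, not code from hcxtools or hashcat: it parses hc22000 lines, filters them by type, and recomputes the PMKID (PBKDF2-HMAC-SHA1 to the PMK, then HMAC-SHA1 over "PMK Name" || MAC_AP || MAC_STA). The PMKID line and the PMK are the values posted above; the WPA*02 line is constructed for the example, with placeholder MIC, ANONCE and EAPOL fields.

```python
import hashlib
import hmac

# The PMKID hash line (WPA*01) and the PMK for PSK 12345678 / ESSID ap01 are the values
# posted in this thread. The WPA*02 line is constructed for the example: its MIC, ANONCE
# and EAPOL fields are placeholders, not captured data.
PMKID_LINE = "WPA*01*ca5396d611cf330aebefd48ebbfb0e63*020000000001*020000000020*61703031***"
EAPOL_LINE = ("WPA*02*" + "00" * 16 + "*020000000001*020000000020*61703031*"
              + "11" * 32 + "*0103007502010a*02")
THREAD_PMK_HEX = "5577866bc5e9778a3ca3d8730e97f258e2a9ae2afd95bbd63c4f383275c8ba93"


def parse_hc22000(line):
    """Split one hc22000 line into its nine '*'-separated fields and decode the hex ones."""
    fields = line.strip().split("*")
    if len(fields) != 9 or fields[0] != "WPA" or fields[1] not in ("01", "02"):
        raise ValueError("not a hc22000 hash line: %r" % line)
    return {
        "type": "PMKID" if fields[1] == "01" else "EAPOL",   # WPA*01 vs WPA*02
        "pmkid_or_mic": bytes.fromhex(fields[2]),
        "mac_ap": bytes.fromhex(fields[3]),
        "mac_sta": bytes.fromhex(fields[4]),
        "essid": bytes.fromhex(fields[5]),
        "anonce": fields[6],        # empty on PMKID lines
        "eapol": fields[7],         # empty on PMKID lines
        "messagepair": fields[8],   # empty on PMKID lines
    }


def split_by_type(lines):
    """Filter a hash list into (PMKID records, EAPOL records), i.e. WPA*01 vs WPA*02 lines."""
    pmkid, eapol = [], []
    for line in lines:
        rec = parse_hc22000(line)
        (pmkid if rec["type"] == "PMKID" else eapol).append(rec)
    return pmkid, eapol


def pmk_from_psk(psk, essid):
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(psk, essid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), essid, 4096, 32)


def pmkid_from_pmk(pmk, mac_ap, mac_sta):
    """IEEE 802.11 PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def pmk_confirms_pmkid(rec, pmk_hex):
    """Equivalent of hcxhashtool --pmk: recompute the PMKID from the PMK and compare."""
    if rec["type"] != "PMKID":
        raise ValueError("a WPA*02 line carries a MIC, not a PMKID; nothing to compare here")
    computed = pmkid_from_pmk(bytes.fromhex(pmk_hex), rec["mac_ap"], rec["mac_sta"])
    return hmac.compare_digest(computed, rec["pmkid_or_mic"])


def psk_confirms_pmkid(rec, psk):
    """Equivalent of hcxhashtool --psk: derive the PMK with PBKDF2 first, then compare."""
    return pmk_confirms_pmkid(rec, pmk_from_psk(psk, rec["essid"]).hex())


if __name__ == "__main__":
    pmkid_recs, eapol_recs = split_by_type([PMKID_LINE, EAPOL_LINE])
    print("PMKID lines:", len(pmkid_recs), "EAPOL lines:", len(eapol_recs))
    rec = pmkid_recs[0]
    print("PSK 12345678 reproduces the thread's PMKID:", psk_confirms_pmkid(rec, "12345678"))
    print("PMK from the thread reproduces the PMKID: ", pmk_confirms_pmkid(rec, THREAD_PMK_HEX))
    # A WPA*02 line has no PMKID; one can only be derived for its MAC pair once the PMK is known.
    e = eapol_recs[0]
    print("PMKID for the WPA*02 MAC pair, given the PMK:",
          pmkid_from_pmk(bytes.fromhex(THREAD_PMK_HEX), e["mac_ap"], e["mac_sta"]).hex())
```

Running it prints whether PSK 12345678 and the posted PMK reproduce the posted PMKID, and shows that for a WPA*02 line a PMKID can only be derived once the PMK is in hand, which is the point of the answer above. Confirming a PSK against a WPA*02 line needs the PTK and MIC computation over the EAPOL frame, which this example leaves to hashcat.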
@ZerBea how do I get the PSK from
WPA*02*8b01e5cdce2ceea155bab2d2c890bf6b*6c5940096fb6*8473033aba70*6c686c64*9914f0f49b7947142f74501c1f5dec2b859be7b56be607b8d4e0576acf3d6ffe*0103007502010a000000000000000000013384539f89fec79de93e258534c6bdded858b12fce70158d65841b31afd52ba7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001630140100000fac040100000fac040100000fac020000*02
Is there any way, because it is an authorised message pair? Will you explain it step by step please, ZerBea?
Basically this is the command line for a dictionary attack:
hashfile.hc22000 == your hc22000 hash file
wordlist == your word list
Code:
$ hashcat -m 22000 hashfile.hc22000 wordlist
BTW:
Please do not post hashes, because it violates the forum rules.
Please do not ask the same question in different threads.
A step by step hashcat how-to and more attack modes (mask attack, rule attack) are explained here:
https://hashcat.net/wiki/