New attack on WPA/WPA2 using PMKID

[ZerBea]

No, the PMKID is not encrypted garbage and can be usefull (in some cases).

Running WPA2, the PMKID is calculated by this function:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
The PMK is calculated:
PBKDF2(HMAC−SHA1, passphrase, ssid, 4096, 256)

Running SAE MESH, the PMKID is calculated by this function:
PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)
The PMK is calculated:
PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r)
Both of them (PMKID and PMK) are secured by KCK algorithm.

...will say, that there is a relationship between PMKID and PMK, regardless of PBKDF2, EAP, SAE and the PMKID is not garbage.
And you're absolutely right:
We must beat the EAP negotiation and/or we must beat the SAE authentication (which is really hard core).

[codeme]

No, the PMKID is not encrypted garbage and can be usefull (in some cases).

Running WPA2, the PMKID is calculated by this function:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
The PMK is calculated:
PBKDF2(HMAC−SHA1, passphrase, ssid, 4096, 256)

Running SAE MESH, the PMKID is calculated by this function:
PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)
The PMK is calculated:
PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r)
Both of them (PMKID and PMK) are secured by KCK algorithm.

...will say, that there is a relationship between PMKID and PMK, regardless of PBKDF2, EAP, SAE and the PMKID is not garbage.
And you're absolutely right:
We must beat the EAP negotiation and/or we must beat the SAE authentication (which is really hard core).

Gotcha! We cannot compute the PMK because the HMAC-SHA1 is computed on the EAPOL header?

[ZerBea]

If you mean, that we have two steps, you got it:
step1 = derivation of Plainmasterkey (PMK), for example by PBKFD2
step2 = derivation of Pairwise Transient Key (PTK) to get access to the network (EAPOL 4/4 handshake)

Let's take a look at SAE (sae4way.pcapng):
packet 4 and 5 contain the commit messages from client (4) and access point (5)
packet 6 and 7 contain the confirm messages from client (6) and access point (7)
the PMK is calculated from packet 6 and 7 (PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r)) and used by the following EAPOL handshake (packet 10, 11, 12, 13)
packet 10 contain a PMKID calculated by PMKID = L((commit-scalar + peer-commit-scalar) modulo r, 0, 128)

Laboratoy environment:
$ hcxdumptool -I
wlan interfaces:
c83a35c24fbc wlp39s0f3u4u4 (rt2800usb) = SAE client
c83a35ce463f wlp39s0f3u4u1 (rt2800usb) = SAE access point
c83a35cc88c9 wlp3s0f0u1 (rt2800usb) = hcxdumptool

used adapters:
TENDA W311U+ (cheaper than ALFAs, less power consumption, driver well suported, and more... - I like them)

latest hcxdumptool is used to capture traffic:
  sae4way.pcapng.zip (Size: 1.57 KB / Downloads: 23)

Latest hcxpcaptool is able to parse a SAE4way handshake to hashcat. So please use it for this example
$ hcxpcaptool -o saetest.hccapx -z saetest.16800 sae4way.pcapng
summary:
file name....................: sae4way.pcapng
file type....................: pcapng 1.0
file hardware information....: x86_64
file os information..........: Linux 4.18.16-arch1-1-ARCH
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: little endian
read errors..................: flawless
packets inside...............: 15
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 0
beacons (with ESSID inside)..: 1
probe requests...............: 1
probe responses..............: 1
association requests.........: 1
association responses........: 1
authentications (SAE)........: 4
EAPOL packets................: 7
EAPOL PMKIDs.................: 1
best handshakes..............: 1 (ap-less: 0)

1 handshake(s) written to saetest.hccapx
1 PMKID(s) written to saetest.16800

The calculated PMK
(PMK = KDF-512(keyseed, "SAE KCK and PMK", *(commit-scalar + peer-commit-scalar) modulo r))
from the SAE authentication is:
3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
we store it in our wordlist (sae4way.pmkfile)

Let's verfify the PMK by hashcat using hashmode 2501:

$ hashcat -m 2501 saetest.hccapx sae4way.pmkfile
hashcat (v5.0.0-52-g2aff01b2) starting...
Session..........: hashcat
Status...........: Cracked
Hash.Type........: WPA-EAPOL-PMK
Hash.Target......: mynet (AP:c8:3a:35:ce:46:3f STA:c8:3a:35:c2:4f:bc)
Time.Started.....: Sat Nov 10 10:29:28 2018 (0 secs)
Time.Estimated...: Sat Nov 10 10:29:28 2018 (0 secs)
Guess.Base.......: File (sae4way.pmkfile)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1603 H/s (0.00ms) @ Accel:512 Loops:1024 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
Hardware.Mon.#1..: Temp: 44c Fan: 29% Util: 52% Core:1657MHz Mem:5005MHz Bus:16

c073532f1526da27c4c96b6f8031a027:c83a35ce463f:c83a35c24fbc:mynet:3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b

hashcat verified the PMK, succefully!

Let's verify the PMKID by hashcat suing hashmode 16801 (we will fail epically...):

$ hashcat -m 16801 saetest.16800 sae4way.pmkfile
hashcat (v5.0.0-52-g2aff01b2) starting...
Session..........: hashcat                       
Status...........: Exhausted
Hash.Type........: WPA-PMKID-PMK
Hash.Target......: ea5aad4e27b22c46f883737ca5a058bd*c83a35ce463f*c83a3...6e6574
Time.Started.....: Sat Nov 10 10:28:12 2018 (1 sec)
Time.Estimated...: Sat Nov 10 10:28:13 2018 (0 secs)
Guess.Base.......: File (sae4way.pmkfile)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     2459 H/s (0.00ms) @ Accel:512 Loops:1024 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 1/1 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b -> 3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
Hardware.Mon.#1..: Temp: 39c Fan: 29% Util:  1% Core:1911MHz Mem:5005MHz Bus:16

As expected, we failed to verify the PMKID, because it is not calculated by PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)

Keep in mind:
This example is not(!) a SAE crack!
This example is not(!) a WPA3 crack!

[SoulScavenger]

This questions are allready answered:
https://hashcat.net/forum/thread-7717-po...l#pid41863
https://hashcat.net/forum/thread-7717-po...l#pid41864

To understand hcxtools and hcxdumptool read this complete thread:
https://hashcat.net/forum/thread-7717.html
and that complete thread:
https://hashcat.net/forum/thread-6661.html

Okay. So if i capture PMKID how can i know from which AP is it?

[ZerBea]

All informations are stored in the hashline:
PMKID*MAC_AP*MAC_STA*ESSID
If we use the hashline from this thread: https://hashcat.net/forum/thread-7717-po...l#pid42759
ea5aad4e27b22c46f883737ca5a058bd*c83a35ce463f*c83a35c24fbc*6d796e6574

and feed it to whoismac:
$ whoismac -p ea5aad4e27b22c46f883737ca5a058bd*c83a35ce463f*c83a35c24fbc*6d796e6574
ESSID..: mynet
MAC_AP.: c83a35ce463f
VENDOR.: Tenda Technology Co., Ltd.
MAC_STA: c83a35c24fbc
VENDOR.: Tenda Technology Co., Ltd.

you will get all the informations you need.

BTW:
Added also an improved filter mode (3) to latest hcxdumptool:
3: use filter list as target list in receiving branch
only receive APs and CLIENTs in range,
from the filter list

You will see only the networks from the filter list...

[ZerBea]

If anyone is interested in SAE example (sae4way.pcapng) from here:
https://hashcat.net/forum/thread-7717-po...l#pid42759

This are the SAE keys to calculate it "by hand":
Password: password
KeySeed:1a18989a424cdc2d510a49d87b6d064bf09f195b22efc61d12b4c879fbf72da4
K:a256ed5947222f09e2a01b949b922a62df41273169a21e1dc004f495463f3675
KCK:50e887ab00ddf30e8ed0c89ab9d670c1e1256817ecd76f7180c83ee36ce82788
and the resulting PMK and PMKID:
PMK:3fff2ed5188624e83da421f68562f1f8271884c48ed7036269cbb76480eed19b
PMKID:ea5aad4e27b22c46f883737ca5a058bd

And keep in mind:
This example is not(!) a SAE crack!
This example is not(!) a WPA3 crack!

‎it's just mathematics...

[dojo_mast3r]

Super stuck on this, after spending hours trying to crack a simple 123456789 wifi password I had no luck.
Then I realized when I convert my dump file I get this.

Code:

summary:
--------
file name....................: v1.pcapng
file type....................: pcapng 1.0
file hardware information....: mips
file os information..........: Linux 3.18.84
file application information.: hcxdumptool 5.0.0
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: yes
packets inside...............: 322
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 297
beacons (with ESSID inside)..: 6
probe requests...............: 5
probe responses..............: 6
association requests.........: 7
association responses........: 12
reassociation requests.......: 1
reassociation responses......: 2
authentications (OPEN SYSTEM): 194
authentications (BROADCOM)...: 12
EAPOL packets................: 88
EAPOL PMKIDs.................: 6
best handshakes..............: 4 (ap-less: 0)

Im guessing read errors = yes is a bad thing, that would explain why the hashes are uncrackable.
I am currently creating the dump from my wifi pineapple, I formatted the SD and also reinstalled all the packages with no luck, any advice at all?

[ZerBea]

Read errors mean that the pineapple possible not shutting down correctly. We miss the final interface statistics block. It doesn't mean that the hash is uncrackable. To find out, what's going wrong, we need the pcapng file. Please attach it.

[dojo_mast3r]

Read errors mean that the pineapple possible not shutting down correctly. We miss the final interface statistics block. It doesn't mean that the hash is uncrackable. To find out, what's going wrong, we need the pcapng file. Please attach it.

I am new to using hashcat as a whole so that might be the reason Im not getting any results cracking these hashes. Do pcapng files include the IP addresses or any sensitive data apart from the handshake? Haha wouldn't want to upload a file publicly broadcasting my exact IP or anything

Also this:

• The type of file that you attached is not allowed. Please remove the attachment or choose a different type.
  

EDIT: I created a one time download link http://www.mediafire.com/?1e7rebw2y2sbtz...jbcsce446s here

[ZerBea]

No, the pcapng doesn't contain IP addresses. But it contain MAC addresses of access points and clients and network names.
If you run hcapcaptool you will get four PMKIDs (two networks with one client and one network with 2 clients) and two handshakes (one network with 2 clients). The pcapng file is flawless!
$ hcxpcaptool -o test.hccapx -z test.16800 -E essid v1.pcapng
reading from v1.pcapng
summary:
file name....................: v1.pcapng
file type....................: pcapng 1.0
file hardware information....: unknown
file os information..........: unknown
file application information.: unknown
network type.................: DLT_IEEE802_11_RADIO (127)
endianess....................: big endian
read errors..................: flawless
packets inside...............: 286
skipped packets..............: 0
packets with GPS data........: 0
packets with FCS.............: 259
beacons (with ESSID inside)..: 7
probe requests...............: 8
probe responses..............: 10
association requests.........: 7
association responses........: 13
reassociation requests.......: 1
reassociation responses......: 1
authentications (OPEN SYSTEM): 160
authentications (BROADCOM)...: 7
EAPOL packets................: 78
EAPOL PMKIDs.................: 4
best handshakes..............: 2 (ap-less: 0)

2 handshake(s) written to test.hccapx
4 PMKID(s) written to test.16800

Which of the networks do you assume use the key 123456789?
SHAW-84AA55 (2 handshakes)
Slow Wifi (PMKID)
Birdy (2 PMKIDs)
TELUS3748 (PMKID)

Tested them and none of them use this key.