Posts: 1,042
Threads: 2
Joined: Jun 2017
02-28-2021, 06:07 PM
(This post was last modified: 02-28-2021, 06:14 PM by ZerBea.)
Some IoT devices transmit the PSK in the clear.
If a user made a type (PSK instead ESSID), the device transmit the PSK in the clear.
A misconfigured device can cause that the PSK is transmitted in the clear.
-E will store them to a list
-I will store received identities (that include IMEIs) to a list
-U will store received usernames to a list
All this lists can be used to create new wordlists.
BTW:
I decided to make my test tool (hcxpmktool) public.
It provide various tests on a single hash line (-m 22000 WPA 01 and WPA 02) in combination with ESSIDs, PSKs and PMKs. It will help you to understand better how things (PBKDF2) relate. Nearly every PBKDF2 combination (used in WPA) is possible:
ESSID + PSK
ESSID + PMK
ESSID + PSK + 22000 hash line
PSK + 22000 hash line
PMK + 22000 hash line
Some examples (22000 example hash taken from here: https://hashcat.net/wiki/doku.php?id=example_hashes)
Code: $ hcxpmktool -i WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964*** -p 'hashcat!'
ESSID.............: hashcat-essid
PSK .............: hashcat!
PMK...............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PMKID (calculated): 4d4fe7aac3a2cecab195321ceb99a7d0
PMKID (hash line).: 4d4fe7aac3a2cecab195321ceb99a7d0 (equal)
$ hcxpmktool -i WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964*** -m 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
ESSID.............: hashcat-essid
PMK...............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PMKID (calculated): 4d4fe7aac3a2cecab195321ceb99a7d0
PMKID (hash line).: 4d4fe7aac3a2cecab195321ceb99a7d0 (equal)
$ hcxpmktool -e hashcat-essid -m 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
ESSID............: hashcat-essid
PMK..............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PBKDF2-HMAC-SHA1.: sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw=
use hashcat -m 12000 to recover the PSK
$ hashcat -m 12000 sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw= -a 3 'hashcat!'
hashcat (v6.1.1-120-g15bf8b730) starting...
sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw=:hashcat!
Session..........: hashcat
Status...........: Cracked
Hash.Name........: PBKDF2-HMAC-SHA1
Hash.Target......: sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnn...OVNdw=
Time.Started.....: Sun Feb 28 17:03:42 2021 (0 secs)
Time.Estimated...: Sun Feb 28 17:03:42 2021 (0 secs)
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 49 H/s (0.22ms) @ Accel:16 Loops:64 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4032-4095
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 50c Fan: 34% Util: 31% Core:1506MHz Mem:5005MHz Bus:16
Started: Sun Feb 28 17:03:41 2021
Stopped: Sun Feb 28 17:03:44 2021
Posts: 23
Threads: 1
Joined: Feb 2021
(02-28-2021, 06:07 PM)ZerBea Wrote: Some IoT devices transmit the PSK in the clear.
If a user made a type (PSK instead ESSID), the device transmit the PSK in the clear.
A misconfigured device can cause that the PSK is transmitted in the clear.
-E will store them to a list
-I will store received identities (that include IMEIs) to a list
-U will store received usernames to a list
All this lists can be used to create new wordlists.
BTW:
I decided to make my test tool (hcxpmktool) public.
It provide various tests on a single hash line (-m 22000 WPA 01 and WPA 02) in combination with ESSIDs, PSKs and PMKs. It will help you to understand better how things (PBKDF2) relate. Nearly every PBKDF2 combination (used in WPA) is possible:
ESSID + PSK
ESSID + PMK
ESSID + PSK + 22000 hash line
PSK + 22000 hash line
PMK + 22000 hash line
Some examples (22000 example hash taken from here: https://hashcat.net/wiki/doku.php?id=example_hashes)
Code: $ hcxpmktool -i WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964*** -p 'hashcat!'
ESSID.............: hashcat-essid
PSK .............: hashcat!
PMK...............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PMKID (calculated): 4d4fe7aac3a2cecab195321ceb99a7d0
PMKID (hash line).: 4d4fe7aac3a2cecab195321ceb99a7d0 (equal)
$ hcxpmktool -i WPA*01*4d4fe7aac3a2cecab195321ceb99a7d0*fc690c158264*f4747f87f9f4*686173686361742d6573736964*** -m 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
ESSID.............: hashcat-essid
PMK...............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PMKID (calculated): 4d4fe7aac3a2cecab195321ceb99a7d0
PMKID (hash line).: 4d4fe7aac3a2cecab195321ceb99a7d0 (equal)
$ hcxpmktool -e hashcat-essid -m 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
ESSID............: hashcat-essid
PMK..............: 88f43854ae7b1624fc2ab7724859e795130f4843c7535729e819cf92f39535dc
PBKDF2-HMAC-SHA1.: sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw=
use hashcat -m 12000 to recover the PSK
$ hashcat -m 12000 sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw= -a 3 'hashcat!'
hashcat (v6.1.1-120-g15bf8b730) starting...
sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnnlRMPSEPHU1cp6BnPkvOVNdw=:hashcat!
Session..........: hashcat
Status...........: Cracked
Hash.Name........: PBKDF2-HMAC-SHA1
Hash.Target......: sha1:4096:aGFzaGNhdC1lc3NpZA==:iPQ4VK57FiT8KrdySFnn...OVNdw=
Time.Started.....: Sun Feb 28 17:03:42 2021 (0 secs)
Time.Estimated...: Sun Feb 28 17:03:42 2021 (0 secs)
Guess.Mask.......: hashcat! [8]
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 49 H/s (0.22ms) @ Accel:16 Loops:64 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4032-4095
Candidates.#1....: hashcat! -> hashcat!
Hardware.Mon.#1..: Temp: 50c Fan: 34% Util: 31% Core:1506MHz Mem:5005MHz Bus:16
Started: Sun Feb 28 17:03:41 2021
Stopped: Sun Feb 28 17:03:44 2021
Thank you VERY much just updated the repo on my system. git remote update, git pull, git fetch, make, make install for the noobs like myself. (Correct me if you have a better method heh)
Revising everything now and going to start testing
Posts: 23
Threads: 1
Joined: Feb 2021
02-28-2021, 09:35 PM
(This post was last modified: 02-28-2021, 10:59 PM by pr0ph3t.)
[quote="ZerBea" pid='51796' dateline='1614528445']
Some IoT devices transmit the PSK in the clear.
If a user made a type (PSK instead ESSID), the device transmit the PSK in the clear.
A misconfigured device can cause that the PSK is transmitted in the clear.
-E will store them to a list
-I will store received identities (that include IMEIs) to a list
-U will store received usernames to a list
All this lists can be used to create new wordlists.
Ok here's an example I found it in the test.pcapng. Haven't run into any passwords yet, but if I did how would I know what they're associated to ?
In the raw.list it shows up as:
MUHwPerOT
When opening up the test.pcapng in Atom, it is located in this area:
JDoe_8MUHwPerOT7yLh1WrbgRZQNEvHG (This entire string is the SSID name, changed the beginning to JDoe)
Also how did it extract the name from that string ? (SSID is the entire string fyi, name_blahblahblah) Shouldn't it extract the whole string ?
EDIT: meanwhile with hcxpmktool and pasting the wpa* string you can get the ESSID. Liking these tools more and more. Itching to get to the PMK part.
Posts: 1,042
Threads: 2
Joined: Jun 2017
02-28-2021, 11:12 PM
(This post was last modified: 02-28-2021, 11:16 PM by ZerBea.)
Regarding your example, there is nothing to extract. It is a proprietary ESSID.
To get a feeling for PSKs in the clear, get this example:
https://github.com/evilsocket/pwnagotchi...nctest.zip
Decompress it, convert it and run hashcat:
Code: $ hcxpcapngtool -o eapol.22000 -E wordlist test.pcap
$ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist
and you'll know what I mean.
Open the pcap with Wireshark and take a look at frame 2, to get a feeling how this frames could look like.
It wiil take a while, but I'm sure you'll get a sense for it.
Please notice:
The example is from a feature request and was converted to pcap format, because there are still some tools in the wildness which are not able to read the new pcapng format.
That does not apply to tools like Wireshark and tshark. They use pcapng as default format:
https://www.wireshark.org/docs/wsug_html...ction.html
https://wiki.wireshark.org/FileFormatReference
BTW:
It is definitely not a good idea to ignore this frames (e.g. by filter options) or to remove them from a capture file.
hcxpcapngtool will print a warning, if the absence of this frame types is detected:
https://hashcat.net/forum/thread-9908-po...l#pid51792
Posts: 23
Threads: 1
Joined: Feb 2021
(02-28-2021, 11:12 PM)ZerBea Wrote: Regarding your example, there is nothing to extract. It is a proprietary ESSID.
To get a feeling for PSKs in the clear, get this example:
https://github.com/evilsocket/pwnagotchi...nctest.zip
Decompress it, convert it and run hashcat:
Code: $ hcxpcapngtool -o eapol.22000 -E wordlist test.pcap
$ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist
and you'll know what I mean.
Open the pcap with Wireshark and take a look at frame 2, to get a feeling how this frames could look like.
It wiil take a while, but I'm sure you'll get a sense for it.
Please notice:
The example is from a feature request and was converted to pcap format, because there are still some tools in the wildness which are not able to read the new pcapng format.
That does not apply to tools like Wireshark and tshark. They use pcapng as default format:
https://www.wireshark.org/docs/wsug_html...ction.html
https://wiki.wireshark.org/FileFormatReference
BTW:
It is definitely not a good idea to ignore this frames (e.g. by filter options) or to remove them from a capture file.
hcxpcapngtool will print a warning, if the absence of this frame types is detected:
https://hashcat.net/forum/thread-9908-po...l#pid51792
Ah thank you will read up on it now.
Confirmed your pmktool works from start to finish without any problems (5.10.0-k*ali3-amd64). That's a nice assembly line you've got there.
Now for the live exercise though. This time "I don't know the key" so I need to revert to the prior step to get that hash but this time once we get that hash string to put it through your tool. Meanwhile going to read the links you posted.
Posts: 23
Threads: 1
Joined: Feb 2021
03-01-2021, 01:13 AM
(This post was last modified: 03-01-2021, 01:17 AM by pr0ph3t.)
(02-28-2021, 11:23 PM)pr0ph3t Wrote: (02-28-2021, 11:12 PM)ZerBea Wrote: Regarding your example, there is nothing to extract. It is a proprietary ESSID.
To get a feeling for PSKs in the clear, get this example:
https://github.com/evilsocket/pwnagotchi...nctest.zip
Decompress it, convert it and run hashcat:
Code: $ hcxpcapngtool -o eapol.22000 -E wordlist test.pcap
$ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist
and you'll know what I mean.
Open the pcap with Wireshark and take a look at frame 2, to get a feeling how this frames could look like.
It wiil take a while, but I'm sure you'll get a sense for it.
Please notice:
The example is from a feature request and was converted to pcap format, because there are still some tools in the wildness which are not able to read the new pcapng format.
That does not apply to tools like Wireshark and tshark. They use pcapng as default format:
https://www.wireshark.org/docs/wsug_html...ction.html
https://wiki.wireshark.org/FileFormatReference
BTW:
It is definitely not a good idea to ignore this frames (e.g. by filter options) or to remove them from a capture file.
hcxpcapngtool will print a warning, if the absence of this frame types is detected:
https://hashcat.net/forum/thread-9908-po...l#pid51792
Ah thank you will read up on it now.
Confirmed your pmktool works from start to finish without any problems (5.10.0-k*ali3-amd64). That's a nice assembly line you've got there.
Now for the live exercise though. This time "I don't know the key" so I need to revert to the prior step to get that hash but this time once we get that hash string to put it through your tool. Meanwhile going to read the links you posted.
Oh right, I'm sorry. I shouldn't been specific. I was following this procedure not the one from your thread (well I mean it's pretty much the same it's the readme in yer GIT.. the one that says hardware modification required)
Code: Identify interface and processes that interferes with hcxdumptool:
$ hcxdumptool -I
wlan interfaces:
MAC_INTERFACE <wlan_interface> (used_driver)
On a warning like this, stop services:
warning: NetworkManager is running with pid 415
warning: wpa_supplicant is running with pid 515
stop this processes:
$ sudo systemctl stop NetworkManager.service
$ sudo systemctl stop wpa_supplicant.service
Check driver
$ sudo hcxdumptool -i <wlan_interface> --check_driver
starting driver test...
driver tests passed - all required ioctl() system calls are supported by driver
restoring old driver settings
Check that packet injection is working (run it at least 13 * 5 seconds):
$ sudo hcxdumptool -i <wlan_interface> --do_rcascan
INFO: cha=6, rx=351, rx(dropped)=0, tx=47, err=0, aps=21 (13 in range)
if the values increase and APs are in range, start the attack:
$ hcxdumptool -i <wlan_interface> -o test.pcapng --enable_status=1
otherwise hcxdumptool will inform you that packet injection is not working as expected.
If attack finished and hcxdumptool terminated, restart services
$ sudo systemctl start NetworkManager.service
$ sudo systemctl start wpa_supplicant.service
If hcxdumptool is not able to set monitor mode for example on this driver:
https://github.com/aircrack-ng/rtl8188eus
run ip link and iw first - than run hcxdumptool:
$ sudo ip link set <wlan_interface> down
$ sudo iw dev <wlan_interface> set type monitor
$ sudo ip link set <wlan_interface> up
$ sudo iw dev <wlan_interface> info
Most (nearly all) occurring issues are related to the driver (driver doesn't support monitor mode and
full packet injection) and the system configuration (running services that take access to the interface).
The driver of the device must support both: monitor mode and full packet injection!
Otherwise hcxdumptool will fail!
Some of the issues are fixed:
https://bugzilla.kernel.org/show_bug.cgi?id=202241
https://bugzilla.kernel.org/show_bug.cgi?id=202243
https://github.com/openwrt/mt76/issues/2...-500999516
Some of them are partly fixed (or somebody is working on them):
https://github.com/aircrack-ng/rtl8812au/issues/376
Some of them are not fixed, yet:
https://bugzilla.kernel.org/show_bug.cgi?id=202541
Unfortunately many, many drivers do not support monitor mode and full packet injection. Get more information here:
https://wikidevi.com/wiki/Main_Page
But yes I understand what you've done there. What I was saying is now to apply YOUR method to the handshake I'm trying to crack (my network). Except this time I'm pretending I don't know the key. So I need to produce that hash you get in the first steps, and then I can continue your procedure with my new handshake. I know it's all the same but I want to experiment all the methods, see what's best, understand blahblahlah
So now I need to generate a pmk from wordlist etc and try to crack the handshake with hashcat. IT's just I'm doing it a little differently this time. It's going to be mode 12000 with that hash string but I'm curious to see what the PMK converted dictionnary is going to do
Posts: 23
Threads: 1
Joined: Feb 2021
(02-28-2021, 11:12 PM)ZerBea Wrote: Regarding your example, there is nothing to extract. It is a proprietary ESSID.
To get a feeling for PSKs in the clear, get this example:
https://github.com/evilsocket/pwnagotchi...nctest.zip
Decompress it, convert it and run hashcat:
Code: $ hcxpcapngtool -o eapol.22000 -E wordlist test.pcap
$ hashcat -m 22000 --nonce-error-corrections=8 eapol.22000 wordlist
and you'll know what I mean.
Wait a sec. I was just sitting there thinking and it clicked. Sorry man there are SO many moving parts to this perhaps I should've structured my thoughts and intent better.
The reason why I'm so bent on using PMKs, is because passwords naturally to me are extremely difficult to crack. Without a large ruleset there's no way for example it would crack my network auto wpa key. However adding rules to say a 40GB wordlist would take centuries. So I figured if I make a PMK, I can apply heavy rulesets to it and still complete the hashin in a reasonable amount of time. Now generating a rainbow off of 40gb will prolly take like 2 weeks, but after that the tests will be quite quick.
So that's what I've been trying to accomplish here. However, through your hcxtools not only have I gained a much greater understanding but it's the sudo wlanpmk2hcx -e SSID -p HASH that I wanted because that generates the 12000 hash mode. Maybe I'm offbase, but it that made me feel like I skipped a whole bruteforcing step. Still trying to figure out if that's wishful thinking but there you have it.
Posts: 1,042
Threads: 2
Joined: Jun 2017
03-01-2021, 09:21 AM
(This post was last modified: 03-01-2021, 09:34 AM by ZerBea.)
Well, no problem. I have become a little bit "occupationally blind", too. Worked too long in that business.
BTW: Some words about hcxdumptool and hcxtools.
They are designed to be a WiFi pre-processor to hashcat (because hashcat doesn't provide this feature) and JtR (because JtR doesn't provide this feature, too).
They are more analysis tools than "cracking" tools and you must(!) have more than only basic technical knowledge. That include RF technology, 802.11 protocol (and protocol analyzer Wireshark/tshark), Linux (device driver and device handling, system services) and hash algorithms.
They are definitely not designed to be used by beginners or "script kiddies". If someone needs a script of about 1500 lines to do such a simple thing like setting monitor mode (installing pure K A L I and/or running 50.000 stupid deauthentications against an ACCESS POINT is far, far from enough, here) - he/she shouldn't use hcxdumptool/hcxtools.
But if you really know, what to do (starting from an attack vector tailored to the target, converting/and filtering the results tailored to the target and feeding them to hashcat/JtR), they can do magic.
Posts: 23
Threads: 1
Joined: Feb 2021
(03-01-2021, 09:21 AM)ZerBea Wrote: Well, no problem. I have become a little bit "occupationally blind", too. Worked too long in that business.
BTW: Some words about hcxdumptool and hcxtools.
They are designed to be a WiFi pre-processor to hashcat (because hashcat doesn't provide this feature) and JtR (because JtR doesn't provide this feature, too).
They are more analysis tools than "cracking" tools and you must(!) have more than only basic technical knowledge. That include RF technology, 802.11 protocol (and protocol analyzer Wireshark/tshark), Linux (device driver and device handling, system services) and hash algorithms.
They are definitely not designed to be used by beginners or "script kiddies". If someone needs a script of about 1500 lines to do such a simple thing like setting monitor mode (installing pure K A L I and/or running 50.000 stupid deauthentications against an ACCESS POINT is far, far from enough, here) - he/she shouldn't use hcxdumptool/hcxtools.
But if you really know, what to do (starting from an attack vector tailored to the target, converting/and filtering the results tailored to the target and feeding them to hashcat/JtR), they can do magic.
Thank you for that. To be honest I've started to notice that doing things manually along with kismet and wireshark (I'm still learning so I need some gui) is much more effective than running premade scripts. I get it, people want a 'win' button. I was using wifite because it captures handshakes automatically. BUT that's not good because of the amount of DEATHing, apart from the fact that it technically kills your stealth it's unnecessary and I notice it can cause problems with decryption.
K*ali I got because I wanted a base, I didn't want to have to go out and collect all the tools one by one. I'm a slackware guy from the 90s lol I get where you're coming from. Also I'm bit of a digital packrat so I like downloading like EVERYTHING. I want every tool every made lol. I'm going through the sources, studying your scripts and what you've done, trying to understand the reasoning... Don't worry your work is not going to a script kiddie, I'm a professional. It's just I've been detached from this side of the spectrum if you will for many many years. My intent is to fully understand the theory, not to hack my neighbour's wifi and to be honest they'd be much more interested in what I have in my systems than the other way around
Shit I just realized I forgot about tshark, been studying wireshark and kismet. Well I guess that's what's on the menu today.
Posts: 1,042
Threads: 2
Joined: Jun 2017
tshark is the command line version of Wireshark. Very often it is much faster using the command line than starting a GUI tool. Mostly I run tshark in parallel with hcxdumptool to see what's going on, on interface side.
Display filter and capture filter options are on both tools the same.
|