New attack on WPA/WPA2 using PMKID - Printable Version
+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: New attack on WPA/WPA2 using PMKID (/thread-7717.html)
RE: New attack on WPA/WPA2 using PMKID - JCas - 09-01-2018

What's the best practice to feed old pcaps through these tools to scan for PMKIDs? I'm going to add this capability to one of my wifi defeat tools that I'm working on.

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 09-01-2018

$ hcxpcaptool -z hash.16800 -E wordlist -I identitylist -U usernamelist *.pcap

Works on all pcaps, but do not expect good results if
- the pcaps are cleaned
- the pcaps are merged and contain ESSID changes and/or damaged frames
- the capture tool doesn't support PMKID capturing (only EAPOL 2/4 and EAPOL 3/4 stored)

RE: New attack on WPA/WPA2 using PMKID - wakawaka - 09-02-2018

(08-21-2018, 10:22 AM) ZerBea Wrote:
> Filter lists are only used in the transmission branch. Using a filter list means that we run active attacks against the entries (filtermode=2) or do not run active attacks against them (filtermode=1). But nevertheless hcxdumptool is still a passive dumper and will capture all information it receives.

Hi ZerBea, using filtermode=1 to block an AP and its clients and running hcxdumptool, will we still capture PMKIDs and handshakes of the filtered list? It shouldn't, right? I'm confused by this statement: "nevertheless hcxdumptool is still a passive dumper and will capture all information it receives"

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 09-02-2018

Hi wakawaka

We can control the transmission branch, because we send only a few packets. But we are not able to control the receiving branch. If we are in range of hundreds of access points and hundreds of clients, we can't go through the entire filter list on every received packet. hcxdumptool claims to be fast:

"But woah this thing is FAST!"
https://forums.hak5.org/topic/44213-pmkid-attack-on-wifi-pineapples/?tab=comments#comment-310558

"It can easily get the PMKIDs from an entire neighbourhood in a minute or less."
https://forums.hak5.org/topic/44213-pmkid-attack-on-wifi-pineapples/?tab=comments#comment-310561

We will lose this ability! Anyway, you can filter out unwanted hashes in an easy way with wlanhcx2ssid (for hccapx files) or an editor (Geany) for all other hash files.

> confused with this statement "nevertheless hcxdumptool is still a passive dumper and will capture all information it receives"

Why? If something's in the air, I want to know what it is!
https://en.wikipedia.org/wiki/Signals_Intelligence

RE: New attack on WPA/WPA2 using PMKID - lint - 09-03-2018

(08-26-2018, 05:44 PM) diegodieguex Wrote:
> thank you ZerBea

I've beefed your shell script up a little, hope you like it: https://pastebin.com/6zLH3jD7
Now it displays the whole potfile content instead of just the last line, plus no need for any support files. It should also display different (-m 2500) potfile results.

RE: New attack on WPA/WPA2 using PMKID - dafez - 09-03-2018

Thanks for this tool. I wrote a little snippet in Python (nothing fancy) to show the SSID from a PMKID (.16800) file. Just change the name to what the file is saved as. I couldn't find any way to see them without using Wireshark and I just wanted something easy. It should work in both Python 2 and Python 3 because I've tested it in both versions.

Code:
import re, binascii

@ZerBea Would it be possible to add this to hcxpcaptool so we can see the SSIDs for the PMKIDs that have been dumped without having to use external tools? Because when I use it to dump the SSIDs it shows every AP it sees regardless of whether it captured data or not. Thanks.
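Added example (not code from the thread, from hcxtools or from hashcat): a Python script that does what dafez asked for and what whoismac -p prints. It parses hashcat -m 16800 lines in the form PMKID*MAC_AP*MAC_STA*ESSID-hex (the format hcxpcaptool -z writes and diegodieguex's post shows), decodes the ESSID, skips damaged lines, and filters hashes by ESSID or AP OUI, which is the "filter out unwanted hashes" step ZerBea mentions for non-hccapx files. It goes one step beyond the posts and also checks a candidate passphrase against a PMKID the way hashcat -m 16800 does, using the standard WPA derivation PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32 bytes) and PMKID = HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA) truncated to 128 bits. The first sample line is the one diegodieguex posted; the other sample lines, their passphrases and MACs, and all function and variable names are constructed for this example.

```python
"""Parse, filter and verify hashcat -m 16800 (PMKID) hash lines.

Added example; not code from the thread, hcxtools or hashcat.
Line format (as written by hcxpcaptool -z): PMKID*MAC_AP*MAC_STA*ESSID_hex
"""
import hashlib
import hmac
import re
from typing import Iterable, List, NamedTuple, Optional

LINE_RE = re.compile(
    r"^(?P<pmkid>[0-9a-fA-F]{32})\*"
    r"(?P<ap>[0-9a-fA-F]{12})\*"
    r"(?P<sta>[0-9a-fA-F]{12})\*"
    r"(?P<essid>(?:[0-9a-fA-F]{2}){1,32})$"   # ESSID is 1..32 raw bytes, hex encoded
)


class PmkidHash(NamedTuple):
    pmkid: bytes
    mac_ap: bytes
    mac_sta: bytes
    essid: bytes

    @property
    def essid_text(self) -> str:
        # An ESSID is arbitrary bytes (hence the hex encoding); escape what is not UTF-8
        return self.essid.decode("utf-8", errors="backslashreplace")

    def to_line(self) -> str:
        return "*".join((self.pmkid.hex(), self.mac_ap.hex(), self.mac_sta.hex(), self.essid.hex()))


def parse_line(line: str) -> Optional[PmkidHash]:
    """Parsed hash, or None for a blank, damaged or non-16800 line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return PmkidHash(*(bytes.fromhex(m[g]) for g in ("pmkid", "ap", "sta", "essid")))


def parse_file(text: str) -> List[PmkidHash]:
    """All well-formed lines of a .16800 file, in order; malformed lines are skipped."""
    return [h for h in map(parse_line, text.splitlines()) if h is not None]


def filter_hashes(hashes: Iterable[PmkidHash], essids=None, ap_prefixes=None) -> List[PmkidHash]:
    """Keep hashes whose ESSID is in `essids` or whose AP MAC starts with one of
    `ap_prefixes` (hex, e.g. an OUI such as "8c10d4"). Use this to drop hashes of
    networks you are not authorised to test before handing the file to hashcat."""
    want_essid = set(essids or ())
    want_oui = tuple(p.lower() for p in (ap_prefixes or ()))
    return [h for h in hashes
            if (want_essid and h.essid_text in want_essid)
            or (want_oui and h.mac_ap.hex().startswith(want_oui))]


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), essid, 4096, 32)


def pmkid_from_pmk(pmk: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || MAC_AP || MAC_STA), truncated to 128 bits."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def check_candidate(h: PmkidHash, passphrase: str) -> bool:
    """True if `passphrase` reproduces the captured PMKID (what hashcat -m 16800 tests)."""
    if not 8 <= len(passphrase) <= 63:      # WPA-PSK passphrase length limits
        return False
    pmk = pmk_from_passphrase(passphrase, h.essid)
    return hmac.compare_digest(pmkid_from_pmk(pmk, h.mac_ap, h.mac_sta), h.pmkid)


def make_line(passphrase: str, essid: bytes, mac_ap_hex: str, mac_sta_hex: str) -> str:
    """Build a 16800 line from a known passphrase; used only for the constructed sample data."""
    ap, sta = bytes.fromhex(mac_ap_hex), bytes.fromhex(mac_sta_hex)
    return PmkidHash(pmkid_from_pmk(pmk_from_passphrase(passphrase, essid), ap, sta), ap, sta, essid).to_line()


# Sample .16800 content: the first line is the one posted in the thread (ESSID "SilverMagnolia");
# the next two are constructed here from known passphrases and made-up MACs so the check runs
# offline; the last line stands in for a damaged/cleaned entry and is skipped by parse_file.
SAMPLE_16800 = "\n".join([
    "69d4ec91a19657d64d4ccc869c229bbe*9e3dcf272236*f0a225dab76d*53696c7665724d61676e6f6c6961",
    make_line("correct horse battery", b"TestNet", "001122334455", "66778899aabb"),
    make_line("another-passphrase", b"Neighbour AP", "8c10d4000001", "58c5cb000001"),
    "not a 16800 line",
])

if __name__ == "__main__":
    hashes = parse_file(SAMPLE_16800)
    for h in hashes:                       # the fields whoismac -p prints, minus the vendor lookup
        print("ESSID..: %-20s MAC_AP.: %s MAC_STA: %s" % (h.essid_text, h.mac_ap.hex(), h.mac_sta.hex()))
    kept = filter_hashes(hashes, essids={"TestNet"}, ap_prefixes=["8c10d4"])
    print("kept %d of %d hashes" % (len(kept), len(hashes)))
    print("candidate check:", check_candidate(hashes[1], "correct horse battery"))
```

Run it with python3 and it prints the ESSID and both MACs for each well-formed line, the result of the filter, and whether the constructed passphrase verifies. To use it on a real capture, read the file hcxpcaptool -z produced into parse_file and write the kept hashes back out with to_line, one per line; the regex deliberately rejects anything that is not a four-field 16800 line, so a merged or cleaned file with damaged entries loses only those entries. The passphrase check is a single-candidate reference, not a cracker: PBKDF2 at 4096 iterations is the cost hashcat spends per candidate, which is why the work goes to the GPU.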
RE: New attack on WPA/WPA2 using PMKID - diegodieguex - 09-03-2018

Maybe this helps:

whoismac -p 69d4ec91a19657d64d4ccc869c229bbe*9e3dcf272236*f0a225dab76d*53696c7665724d61676e6f6c6961
ESSID..: SilverMagnolia
MAC_AP.: 9e3dcf272236
VENDOR.: unknown
MAC_STA: f0a225dab76d
VENDOR.: Private

or:

for i in $(cat 16800.txt); do whoismac -p $i; done
ESSID..: Fibertel WiFi1
MAC_AP.: 8c10d4fc55xx
VENDOR.: Sagemcom Broadband SAS
MAC_STA: 58c5cbe342xx
VENDOR.: Samsung Electronics Co.,Ltd
ESSID..: Fibertel WiFi2
MAC_AP.: 0025f1859exx
VENDOR.: ARRIS Group, Inc.
MAC_STA: a49a5846aaxx
VENDOR.: Samsung Electronics Co.,Ltd
ESSID..: Fibertel WiFi3
MAC_AP.: 4c72b952fexx
VENDOR.: PEGATRON CORPORATION
MAC_STA: 60427fa493xx
VENDOR.: SHENZHEN CHUANGWEI-RGB ELECTRONICS CO.,LTD

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 09-03-2018

As diegodieguex noticed, that function is already implemented in hcxtools (whoismac). hcxpcaptool is a conversion tool only. It will show basic information about the capture file. But I'm thinking about a new hcxpmktool. Right now I'm preparing hcxdumptool/hcxtools 5.0.0. That has priority.

RE: New attack on WPA/WPA2 using PMKID - wakawaka - 09-04-2018

(09-03-2018, 06:19 PM) ZerBea Wrote:
> As diegodieguex noticed, that function is already implemented in hcxtools (whoismac). hcxpcaptool is a conversion tool only. It will show basic information about the capture file. But I'm thinking about a new hcxpmktool.

Thanks for all your work on this tool, ZerBea.

RE: New attack on WPA/WPA2 using PMKID - slyexe - 09-05-2018

Just installed this on my Ubiquiti Nano M2 with OpenWRT 15.0.5 Chaos Calmer and ran a few tests. Everything ran flawlessly other than an EAPOL request popping up that was about 100 pages long, causing the CPU to have a little hissy fit. Otherwise, no issues occurred and I was able to run both hcxtools & hcxdumptool perfectly fine on the radio. Copied the 16800 PMKID file over onto the hashing machine to run it with hashcat and encountered nothing but success.

Great job everyone involved.