New attack on WPA/WPA2 using PMKID

New attack on WPA/WPA2 using PMKID - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: New attack on WPA/WPA2 using PMKID (/thread-7717.html)

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 09-22-2018

Hi marcou3000.
There can be different reasons:
1) To much power consumption of an USB high gain adapter (for example AWUS036NH connected to an USP port of a Raspberry PI) - in that case reduce power output to 20dBm.
2) Runing hcxdumptool on a virtual interface like monX or wlanXmon
3) Interface isn't fully set into monitor mode
4) Not all services that take access to the device are stopped
5) Unsupported driver (Intel, Broadcom, some Atheros).

From the bug tracker, I noticed that most of the issues (nearly all of them) are related to K*A*L*I (btw, the same applies to hashcat). Only a few issues are related to UBUNTU or Debian (NetworkManager and/or wpa-supplicant active on the same physical interface like hcxdumptool). No issues related to the recommended operating system Arch Linux and the recommended drivers.

BTW:
you can check how the access to the physical interface works:
- set your interface to monitor mode (by iw and ip commands)
- run wireshark and capture traffic from that physical interface
- start hcxdumptool on that physical interface
Now you can notice that hcxdumptool disconnect wireshark from the physical interface.
That will not work if they are running on different virtual interfaces.

It's important to choose a network adapter with good driver support (stable, full monitor mode support incl. injection capabilities).
Read more here:
https://wireless.wiki.kernel.org/en/users/drivers
Do not trust in the technical VENDOR information. Sometimes they change the chipset (if you're lucky, they choose a different version number xxx.1 or rev. b).

aircrack-ng suite is much better to use by inexperienced users than hcxdumptool/hcxtools/hcxkeys. The suite supports more operating systems and more interface adapters and is easier to use (for example airmon-ng to set monitor mode). hcxdumptool/hcxtools/hcxkeys are analysis tools and parsing tools (next to the conversation, we also do some kind of pre-hashing) for hashcat and JtR. They are designed to discover weak points within the system (and they do this very well: PMKID attack vector, nonce-error-corection, ...).
There is a feature request to implement PMKID attack vector:
https://github.com/aircrack-ng/aircrack-ng/issues/1937
There is also a feature request to solve the zeroed timestamp issue:
https://github.com/aircrack-ng/aircrack-ng/issues/1958
So I'm sure, we find this features in the next aircrack-ng version.

RE: New attack on WPA/WPA2 using PMKID - marcou3000 - 09-22-2018

I'm using laptop dual boot Debian 9 with Alfa Awus036NHA and RTL8723AE

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 09-22-2018

From the WikiDevi:

Supported modes:
STA (Station) mode: supported
IBSS (Ad-Hoc) mode: supported
AP (Master) mode: supported
Mesh (802.11s) mode: supported
P2P mode: supported
Monitor mode: supported
Packet injection: unknown

read more here:
https://wikidevi.com/wiki/Rtl8723ae

hcxdumptool require fully functional packet injection, but status of this driver is unknown.

RE: New attack on WPA/WPA2 using PMKID - marcou3000 - 09-22-2018

Problem solved, it was the wpa-supplicant.
Thank you

RE: New attack on WPA/WPA2 using PMKID - Superninja - 09-23-2018

Hello,

after i read about problems with The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali), i installed ubuntu in virtual box.

I am using Awus036NHR with RTL8188RU Chipeset

For monitor mode i use iplink now.

and "sudo iw dev" show me that i am in monitor mode

Also changed enable_status=3

targed AP is in range.

But now more bad, it look like it doesnt scan, after start, the main message "start capturing" comes, but thats all, no scan results, nothing.

Maybe RTL8188RU chipset is not compatible?

see you

(09-07-2018, 04:55 AM)dafez Wrote:
(09-03-2018, 06:10 PM)diegodieguex Wrote: maybe this help

whoismac -p 69d4ec91a19657d64d4ccc869c229bbe*9e3dcf272236*f0a225dab76d*53696c7665724d61676e6f6c6961

ESSID..: SilverMagnolia
MAC_AP.: 9e3dcf272236
VENDOR.: unknown
MAC_STA: f0a225dab76d
VENDOR.: Private

or:

for i in $(cat 16800.txt ); do whoismac -p $i; done

ESSID..: Fibertel WiFi1
MAC_AP.: 8c10d4fc55xx
VENDOR.: Sagemcom Broadband SAS
MAC_STA: 58c5cbe342xx
VENDOR.: Samsung Electronics Co.,Ltd

ESSID..: Fibertel WiFi2
MAC_AP.: 0025f1859exx
VENDOR.: ARRIS Group, Inc.
MAC_STA: a49a5846aaxx
VENDOR.: Samsung Electronics Co.,Ltd

ESSID..: Fibertel WiFi3
MAC_AP.: 4c72b952fexx
VENDOR.: PEGATRON CORPORATION
MAC_STA: 60427fa493xx
VENDOR.: SHENZHEN CHUANGWEI-RGB ELECTRONICS CO.,LTD
I appreciate it thanks.

(09-18-2018, 06:37 PM)ZerBea Wrote: Hi Superninja
wlan0mon is a typical logical interface type, created by airmon-ng for broadcom devices.
Do you use a broadcom interface?
read more here:
"You are using the Broadcom STA (wl) official driver; this does not support monitor or promiscuous modes (regardless of whatever airmon-ng tells you.)"
https://askubuntu.com/questions/155528/why-cant-i-set-monitor-mode-with-the-wl-sta-driver-on-a-broadcom-wireless-card

How do you set monitor mode? hcxdumptool doesn't like logical interfaces while the physical interface is leaving managed. So, do not set monitor mode by airmon-ng!
I added this to the help menu on latest commit:
do not run hcxdumptool on logical interfaces (monx, wlanxmon)
do not use hcxdumptool in combination with other 3rd party tools, which take access to the interface
Read more why I did it that way here:
https://github.com/ZerBea/hcxdumptool/commit/df3992c1935f63611dd20a79573b84e52ae7579e#commitcomment-30554020

Is the interface really in monitor mode?
$ sudo iw dev <your physical interface> info
Interface wlp3s0f0u2
ifindex 3
wdev 0x1
addr c8:3a:35:xx:xx:xx
type monitor
wiphy 0
channel 3 (2422 MHz), width: 20 MHz (no HT), center1: 2422 MHz
txpower 20.00 dBm

--enable_status=2 doesn't show EAPOL messages!
--enable_status=<digit> : enable status messages
bitmask:
1: EAPOL
2: PROBEREQUEST/PROBERESPONSE
4: AUTHENTICATON
8: ASSOCIATION
16: BEACON

So if you like to see EAPOL messages (this includes PMKIDs) and PROBEREQUEST/PROBERESPONSE messages use:
--enable_status=3 ( 1 + 2)

Is the target access point in transmit range?
hcxdumtool -i <physical interface> --do_rcascan -t 5

[18:26:00] xxxxxxxxxxxx networkname [CHANNEL 1, AP IN RANGE]

If you still don't get a PMKID, the access point might not be vulnerable.

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 09-23-2018

Read more here:
https://wikidevi.com/wiki/Rtl8xxxu
Supported modes
STA (Station) mode: supported
IBSS (Ad-Hoc) mode: unknown
AP (Master) mode: unknown
Mesh (802.11s) mode: unknown
P2P mode: unknown
Monitor mode: unknown
Packet injection: unknown

That applies to RTL8188EU, RTL8188RU, RTL8191EU, RTL8192EU, RTL8723AU, RTL8723BU

There are two firmware versions (v1 and v2)

And from several google hits:
https://www.google.de/search?source=hp&ei=1F6nW6ukAYWjsgHXvYjwDg&btnG=Suche&q=RTL8188RU+monitor+mode

Alfa Adapters – AWUS036NHR V2 -AVOID!!
Note the chipset – RTL8188RU. This chipset is known to have issues.

Beini 1.2.3 built for RTL8188RU
Even though this was built especially for my chipset I had massive problem with this. This might be because it's pretty outdate. I was able to put my card into monitor mode but when scanning for networks, I couldn't pick up any AP's

RE: New attack on WPA/WPA2 using PMKID - cashhat - 09-26-2018

Am I doing this right?

Step 0: Device is in monitor mode:

Code:
$ iw dev

    phy#0

        Interface mon0

            ifindex 9

            wdev 0x3

            addr my:v6:ip:addr

            type monitor

            txpower 0.00 dBm

    Interface wlp9s0

        ifindex 3

        wdev 0x1

        addr my:v6:ip:addr

        ssid MyWifiStation

        type managed

        channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz

        txpower 22.00 dBm

Step 1: hcxdumptool:

Code:
$ hcxdumptool -o test.pcapng -i mon0 --enable_status=1

    start capturing (stop with ctrl+c)

    INTERFACE:...............: mon0

    FILTERLIST...............: 0 entries

    MAC CLIENT...............: l390234ko230 (client)

    MAC ACCESS POINT.........: 460i32102l15 (start NIC)

    EAPOL TIMEOUT............: 150000

    REPLAYCOUNT..............: 63861

    ANONCE...................: 3d95f1cfaa3c68be23f65966754ab537462e132abee5ec55f3882

    INFO: cha=5, rx=1479, rx(dropped)=2, tx=4, powned=0, err=15

This doesn't seem to work no matter how long it runs. But this does:

Code:
$ nmcli d connect wlp9s0

$ sudo hcxdumptool -o test.pcapng -i wlp9s0 --enable_status=1

    start capturing (stop with ctrl+c)

    INTERFACE:...............: wlp2s0

    FILTERLIST...............: 0 entries

    MAC CLIENT...............: l390234ko230 (client)

    MAC ACCESS POINT.........: 460i32102l15 (start NIC)

    EAPOL TIMEOUT............: 150000

    REPLAYCOUNT..............: 65136

    ANONCE...................: dm102893jdy7192o0cmnf9938dc6a1dl10278ejcy16d6dk2028dkl1d

    [16:06:07 - 001] e3kd09njf739 -> fcc233f999e3 [FOUND PMKID CLIENT-LESS]

    [16:06:07 - 001] e3kd09njf739 -> 74c63be0c659 [FOUND PMKID]

    [16:06:07 - 001] a0e4cb92b48f -> wew3dcdew329 [FOUND PMKID CLIENT-LESS]

    [16:06:07 - 001] 74c63be0c659 -> e3kd09njf739 [FOUND HANDSHAKE AP-LESS, EAPOL TIMEOUT 8539]

    [16:06:08 - 001] e4186bb35776 -> d07714a05d13 [FOUND PMKID]

That only works if you run nmcli d connect wlp9s0 right before running hcxdumptool. But as you can see it does find a PMKID. It generates three test.pcapng files (test.pcapng, test.pcapng-0, test.pcapng-1). I've tried using all three files without any success.

Step 3: hcxpcaptool -z test.16800 test.pcapng

Code:
    192mf83df23fae35dj6cfa19dj72903j*20fkehi8ejfe*fmj3289urfe3*fjo3i13893u21jfi3723

    1kf923j7fmad75eekd961denfy1823hj*fk038dj8ye9w*fj02po3jijid*fo2309ifjewo8ewyuroe

    2j29d731j35862dfde923kj399d63bdr*ak0dk28eej09*e03j9j9df2e2*o390jfro2309d34243fj

Step 4: hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

Code:
    Approaching final keyspace - workload adjusted.  

    Session..........: hashcat                       

    Status...........: Exhausted

    Hash.Type........: WPA-PMKID-PBKDF2

    Hash.Target......: test.16800

    Time.Started.....: Wed Sep 24 14:12:30 2018 (25 hours, 8 mins)

    Time.Estimated...: Thu Sep 25 15:20:07 2018 (0 secs)

    Guess.Mask.......: ?l?l?l?l?l?lt! [8]

    Guess.Queue......: 1/1 (100.00%)

    Speed.#1.........:    14467 H/s (24.94ms) @ Accel:1024 Loops:512 Thr:1 Vec:8

    Recovered........: 0/3 (0.00%) Digests, 0/2 (0.00%) Salts

    Progress.........: 617831552/617831552 (100.00%)

    Rejected.........: 0/617831552 (0.00%)

    Restore.Point....: 11881376/11881376 (100.00%)

    Restore.Sub.#1...: Salt:1 Amplifier:25-26 Iteration:0-1

    Candidates.#1....: xpgjqxt! -> xqxvqxt!

    Started: Mon Sep 24 14:12:30 2018

    Stopped: Tue Sep 25 15:18:07 2018

It's going wrong somewhere but I can't tell where.

RE: New attack on WPA/WPA2 using PMKID - diegodieguex - 09-27-2018

whoismac -h

-p <hashline> : input PMKID hashline
- - - - -

for i in $(cat ~/Desktop/PMKID.txt); do
whoismac -p $i; done

wrong ESSID fjo3i13893u21jfi3723
wrong ESSID fo2309ifjewo8ewyuroe
wrong ESSID o390jfro2309d34243fj

- - - - -

echo fjo3i13893u21jfi3723 | xxd -r -p
â!7#

echo fo2309ifjewo8ewyuroe | xxd -r -p
# é

echo o390jfro2309d34243fj | xxd -r -p
9# ”BC

RE: New attack on WPA/WPA2 using PMKID - slyexe - 09-27-2018

(09-26-2018, 09:50 PM)cashhat Wrote: Am I doing this right?

Step 0: Device is in monitor mode:

Code:
$ iw dev phy#0 Interface mon0 ifindex 9 wdev 0x3 addr my:v6:ip:addr type monitor txpower 0.00 dBm Interface wlp9s0 ifindex 3 wdev 0x1 addr my:v6:ip:addr ssid MyWifiStation type managed channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz txpower 22.00 dBm

You do not want a virtual interface (mon0). You are not doing it right. Setup your wireless interface into monitor mode:

Code:
ifconfig wlp9s0 down

iwconfig wlp9s0 mode monitor

ifconfig wlp9s0 up

Then check that its in monitor and not managed with iwconfig wlp9s0. Once the wireless interface is in monitor mode AND SUPPORTS IT, then you can use:

Code:
hcxdumptool -i wlp9s0 -o test.pcapng --enable_status 1

Should solve your issue.

RE: New attack on WPA/WPA2 using PMKID - Superninja - 09-27-2018

Hello there,
so i use other adapter, with rt3070, and it look likes it works. got pmkid.

But now it convert not the file to pcapng

i wrote:

hcxpcaptool -z test.16800 test.pcapng
cat test.pcapng

and get error : "file or directory not found"

it look likes it convert not the file, even i get no error...hmh

sorry for so much question, i am still learning :-)