hashcat Forum
New attack on WPA/WPA2 using PMKID - Printable Version



RE: New attack on WPA/WPA2 using PMKID - ZerBea - 09-27-2018

"file or directory not found"
means that there is no file test.pcapng in that directory.
Just do a
$ ls
to see what files are present.


RE: New attack on WPA/WPA2 using PMKID - Superninja - 09-28-2018

Hello,

ls shows me only the test.16800 file :-(


RE: New attack on WPA/WPA2 using PMKID - freeroute - 09-28-2018

Could you post: "ls -lh"
Did you try "cat test.16800"


RE: New attack on WPA/WPA2 using PMKID - Superninja - 09-28-2018

cat test.16800 shows me the file, that works.

ls -lh:

insgesamt 1,1M

-rw-r--r-- 1 root root 15K Sep 9 11:23 changelog
-rw-r--r-- 1 root root 1001 Sep 9 11:23 com_aes.c
-rw-r--r-- 1 root root 5,8K Sep 9 11:23 com_formats.c
-rw-r--r-- 1 root root 4,4K Sep 9 11:23 com_md5_64.c
-rw-r--r-- 1 root root 2,9K Sep 9 11:23 com_md5_64.h
-rw-r--r-- 1 root root 6,9K Sep 9 11:23 common.c
-rw-r--r-- 1 root root 20K Sep 9 11:23 common.h
-rw-r--r-- 1 root root 1,4K Sep 9 11:23 com_wpa.c
drwxr-xr-x 7 root root 4,0K Sep 9 11:24 hcxdumptool
-rwxr-xr-x 1 root root 23K Sep 9 11:23 hcxhashcattool
-rw-r--r-- 1 root root 12K Sep 9 11:23 hcxhashcattool.c
-rwxr-xr-x 1 root root 106K Sep 9 11:23 hcxpcaptool
-rw-r--r-- 1 root root 129K Sep 9 11:23 hcxpcaptool.c
drwxr-xr-x 2 root root 4,0K Sep 9 11:23 include
-rw-r--r-- 1 root root 1,1K Sep 9 11:23 license.txt
-rw-r--r-- 1 root root 1,7K Sep 9 11:23 Makefile
-rw-r--r-- 1 root root 5,7K Sep 9 11:23 README.md
-rw-r--r-- 1 root root 82 Sep 27 17:34 test.16800
drwxr-xr-x 2 root root 4,0K Sep 9 11:23 usefulscripts
-rwxr-xr-x 1 root root 18K Sep 9 11:23 whoismac
-rw-r--r-- 1 root root 8,3K Sep 9 11:23 whoismac.c
-rwxr-xr-x 1 root root 19K Sep 9 11:23 wlancap2wpasec
-rw-r--r-- 1 root root 5,0K Sep 9 11:23 wlancap2wpasec.c
-rwxr-xr-x 1 root root 18K Sep 9 11:23 wlancow2hcxpmk
-rw-r--r-- 1 root root 5,6K Sep 9 11:23 wlancow2hcxpmk.c
-rwxr-xr-x 1 root root 27K Sep 9 11:23 wlanhashhcx
-rw-r--r-- 1 root root 3,2K Sep 9 11:23 wlanhashhcx.c
-rwxr-xr-x 1 root root 18K Sep 9 11:23 wlanhc2hcx
-rw-r--r-- 1 root root 8,8K Sep 9 11:23 wlanhc2hcx.c
-rwxr-xr-x 1 root root 18K Sep 9 11:23 wlanhcx2cap
-rw-r--r-- 1 root root 14K Sep 9 11:23 wlanhcx2cap.c
-rwxr-xr-x 1 root root 18K Sep 9 11:23 wlanhcx2essid
-rw-r--r-- 1 root root 5,1K Sep 9 11:23 wlanhcx2essid.c
-rwxr-xr-x 1 root root 18K Sep 9 11:23 wlanhcx2john
-rw-r--r-- 1 root root 6,3K Sep 9 11:23 wlanhcx2john.c
-rwxr-xr-x 1 root root 68K Sep 9 11:23 wlanhcx2psk
-rw-r--r-- 1 root root 33K Sep 9 11:23 wlanhcx2psk.c
-rwxr-xr-x 1 root root 31K Sep 9 11:23 wlanhcx2ssid
-rw-r--r-- 1 root root 37K Sep 9 11:23 wlanhcx2ssid.c
-rwxr-xr-x 1 root root 48K Sep 9 11:23 wlanhcxcat
-rw-r--r-- 1 root root 19K Sep 9 11:23 wlanhcxcat.c
-rwxr-xr-x 1 root root 22K Sep 9 11:23 wlanhcxinfo
-rw-r--r-- 1 root root 18K Sep 9 11:23 wlanhcxinfo.c
-rwxr-xr-x 1 root root 18K Sep 9 11:23 wlanhcxmnc
-rw-r--r-- 1 root root 6,1K Sep 9 11:23 wlanhcxmnc.c
-rwxr-xr-x 1 root root 18K Sep 9 11:23 wlanjohn2hcx
-rw-r--r-- 1 root root 7,7K Sep 9 11:23 wlanjohn2hcx.c
-rwxr-xr-x 1 root root 23K Sep 9 11:23 wlanpmk2hcx
-rw-r--r-- 1 root root 6,3K Sep 9 11:23 wlanpmk2hcx.c
-rwxr-xr-x 1 root root 18K Sep 9 11:23 wlanwkp2hcx
-rw-r--r-- 1 root root 6,0K Sep 9 11:23 wlanwkp2hcx.c


RE: New attack on WPA/WPA2 using PMKID - freeroute - 09-28-2018

So your command was: "hcxpcaptool -z test.16800 test.pcapng"
It saves only PMKID hashes to the file "test.16800".

You can try to find passwords with hashcat: "hashcat -O -m 16800 -a 0 test.16800 wordlist -r rules"

But I recommend using this command:
"hcxpcaptool hcxdump.pcapng -z PMKID-list.txt -U usernamelist.txt -T trafficlist.txt -E wordlist.txt -P pmklist.txt -I identitylist.txt -o hcxdump.hccapx"

You can get the most useful data from the captured packets this way.

The hcxdump.hccapx file can be tested with hashcat mode 2500.
PMKID-list.txt can be tested with hashcat mode 16800.
pmkidlist.txt can be tested with hashcat, too.
wordlist.txt: may contain some passwords.


RE: New attack on WPA/WPA2 using PMKID - slyexe - 09-28-2018

(09-27-2018, 05:49 PM)Superninja Wrote: Hello there,
so I use another adapter, with rt3070, and it looks like it works. Got PMKID.

But now it does not convert the file to pcapng.

I wrote:

hcxpcaptool -z test.16800 test.pcapng
cat test.pcapng

and get the error: "file or directory not found"

It looks like it does not convert the file, even though I get no error...hmh

Sorry for so many questions, I am still learning :-)

I think you're doing this backwards. Did you output the file from hcxdumptool as test.16800 or as test.pcapng? The way you're explaining it, it seems you have an output file of test.16800, which is incorrect. When outputting from hcxdumptool it is to be .pcapng and to be converted with hcxpcaptool, not the other way around. So judging by the conversation that's been happening here, I'd say you just need to rename the file you have, test.16800, to test.pcapng. Once that's done just run your hcxpcaptool -z test.16800 test.pcapng and it'll convert the pcap file to a workable 16800 PMKID hashfile for use with hashcat.

Otherwise you can simply run: hcxpcaptool -z converted.16800 test.16800
Where converted.16800 is the hashfile.
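The confusion above comes down to not knowing which of the two file types a given file is: a pcapng capture written by hcxdumptool, or a -m 16800 hash file written by hcxpcaptool. The following small checker is an added example, not code from the thread or from hcxtools: it recognises a pcapng by its Section Header Block type (0x0A0D0D0A) and a 16800 file by hashcat's line layout PMKID*MAC_AP*MAC_STA*ESSID (every field hex-encoded), and splits a hash line into its fields. The sample hash line is constructed with placeholder PMKID and MAC values and the ESSID "MyWifiStation" from the thread.

```python
import re

# A pcapng file starts with a Section Header Block of type 0x0A0D0D0A.
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
# hashcat -m 16800 line layout: PMKID*MAC_AP*MAC_STA*ESSID, all fields hex-encoded.
HASHLINE_RE = re.compile(r"^([0-9a-fA-F]{32})\*([0-9a-fA-F]{12})\*([0-9a-fA-F]{12})\*([0-9a-fA-F]{2,64})$")

# Constructed sample line: placeholder PMKID and MACs, ESSID "MyWifiStation" in hex.
SAMPLE_16800 = ("00112233445566778899aabbccddeeff*020000000001*020000000002"
                "*4d795769666953746174696f6e\n")


def classify(data: bytes) -> str:
    """Return 'pcapng', '16800' or 'unknown' for raw file content."""
    if data[:4] == PCAPNG_MAGIC:
        return "pcapng"
    lines = [ln.strip() for ln in data.decode("ascii", "replace").splitlines() if ln.strip()]
    if lines and all(HASHLINE_RE.match(ln) for ln in lines):
        return "16800"
    return "unknown"


def parse_16800(line: str) -> dict:
    """Split one -m 16800 line into PMKID, colon-separated MACs and the decoded ESSID."""
    m = HASHLINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a hashcat 16800 hash line")
    pmkid, ap, sta, essid_hex = m.groups()

    def mac(h: str) -> str:
        return ":".join(h[i:i + 2] for i in range(0, 12, 2)).lower()

    return {
        "pmkid": pmkid.lower(),
        "ap_mac": mac(ap),
        "sta_mac": mac(sta),
        "essid": bytes.fromhex(essid_hex).decode("utf-8", "replace"),
    }


def inspect_file(path: str) -> tuple:
    """Classify a file on disk; for a 16800 file also return its parsed hash lines."""
    with open(path, "rb") as f:
        data = f.read()
    kind = classify(data)
    hashes = []
    if kind == "16800":
        hashes = [parse_16800(ln) for ln in data.decode("ascii").splitlines() if ln.strip()]
    return kind, hashes
```

Calling inspect_file("test.16800") tells you whether the file is a capture that still needs hcxpcaptool or already a hash file ready for -m 16800, without guessing from the extension.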


RE: New attack on WPA/WPA2 using PMKID - Superninja - 09-30-2018

Hello there,

I tried hashcat64 -m 16800 test.16800 -a 3 -w 3 '?h?h?h?h?h?h?h?h!

but this tests only small letters and numbers.

Is it possible to test big AND small letters and numbers all at once?


RE: New attack on WPA/WPA2 using PMKID - cashhat - 09-30-2018

(09-27-2018, 02:10 AM)slyexe Wrote:
(09-26-2018, 09:50 PM)cashhat Wrote: Am I doing this right?

Step 0: Device is in monitor mode:


Code:
$ iw dev
    phy#0
        Interface mon0
            ifindex 9
            wdev 0x3
            addr my:v6:ip:addr
            type monitor
            txpower 0.00 dBm
    Interface wlp9s0
        ifindex 3
        wdev 0x1
        addr my:v6:ip:addr
        ssid MyWifiStation
        type managed
        channel 1 (2412 MHz), width: 20 MHz, center1: 2412 MHz
        txpower 22.00 dBm


You do not want a virtual interface (mon0). You are not doing it right. Set up your wireless interface in monitor mode:
Code:
ifconfig wlp9s0 down
iwconfig wlp9s0 mode monitor
ifconfig wlp9s0 up


Then check that it's in monitor and not managed with iwconfig wlp9s0. Once the wireless interface is in monitor mode AND SUPPORTS IT, then you can use:

Code:
hcxdumptool -i wlp9s0 -o test.pcapng --enable_status 1

Should solve your issue.



slyexe, thanks for the clarification. That does set wlp9s0 to monitor mode (verified with iw dev). Unfortunately it's still giving the same end result. I've tried on two different routers with two different computers. (Computer1 -> Router1, Computer1 -> Router2, Computer2 -> Router1, Computer2 -> Router2). The computer I'm running hashcat on is a bit slow, so it takes the better part of a day to get a result, which is the main reason it took me so long to reply.

I think I might be connecting to the network wrong. Both computers already know the wifi network's password and so they automatically complete the login process. If I just do

Code:
sudo hcxdumptool -o test.pcapng -i wlp9s0 --enable_status=1

(with the device in monitor mode ...or managed mode, btw) it will disconnect within a couple seconds. So what I do is

Code:
nmcli d connect wlp9s0

sudo hcxdumptool -o test.pcapng -i wlp9s0 --enable_status=1


which seems to work (hcxdumptool runs and it finds the PMKID) at least 25% of the time. So I just do that a few times until it works and then move on to the rest of the steps. But nowhere in atom's original post or any of the comments have I seen anyone talking about the need to run those commands back to back or else the interface will disconnect. So I'm guessing that is where I'm doing something wrong.

Do you know what's going on with it disconnecting, needing to connect right before running hcxdumptool, or wlp9s0 seeming to want to return to managed mode after being put into monitor mode?


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 09-30-2018

From this commit on:
https://github.com/ZerBea/hcxdumptool/commit/6b006e022291562b9706f408e01ba2904297846f
hcxdumptool will set the interface to monitor mode.
That means iw, ip, iwconfig and ifconfig are not needed any longer.
After hcxdumptool terminates, it restores the interface to the old values.

You must stop unwanted services if they take access to the interface. hcxdumptool will warn you if they are running:
NetworkManager
wpa_supplicant

If you need NetworkManager to establish a connection on another interface, read more here:
https://github.com/ZerBea/hcxtools/issues/40#issuecomment-399211804
If you do not want this connection to be under attack, you must use the filter list option.

From README.md:
Warning:
Do not use a logical interface and leave the physical interface in managed mode.
Do not use hcxdumptool in combination with aircrack-ng, reaver, bully or other tools which takes access to the interface.
Stop all services which takes access to the physical interface (NetworkManager, wpa_supplicant,...).
Do not use tools like macchanger, as they are useless, because hcxdumptool uses its own random mac address space.

From option -h (help):
do not run hcxdumptool on logical interfaces (monx, wlanxmon)
do not use hcxdumptool in combination with other 3rd party tools, which take access to the interface

From changelog:
iw/ip functionality added!
now hcxdumptool will set monitor mode and bring up interface!
previous interface settings will be restored, when hcxdumptool terminated

and much other information from here:
https://hashcat.net/forum/thread-6661-post-41821.html#pid41821

And some more warnings:
hcxdumptool is able to prevent complete wlan traffic
hcxdumptool is able to capture PMKIDs from access points (only one single PMKID from an access point is required)
hcxdumptool is able to capture handshakes from clients that are not connected (only one single M2 from the client is required)
hcxdumptool is able to capture handshakes from 5GHz clients on 2.4GHz (only one single M2 from the client is required)
hcxdumptool is able to capture extended EAPOL (RADIUS, GSM-SIM, WPS)
(hashcat is able to recover the password of some of them)
hcxdumptool is able to capture passwords from the wlan traffic
an example is attached here:
https://hashcat.net/forum/thread-6661-post-35891.html#pid35891
(wlancap2hcx is deprecated and removed - its successor is hcxpcaptool)
hcxdumptool is able to capture plainmasterkeys from the wlan traffic
hcxdumptool is able to capture usernames and identities from the wlan traffic

So it's a good idea to choose the hcxpcaptool options -E -I -U together with -z and/or -o


RE: New attack on WPA/WPA2 using PMKID - ZerBea - 09-30-2018

@Superninja
It is not a good idea to copy hcxtools source and hcxdumptool source into the same directory.
Also it is not a good idea to use this directory as your working directory.
If you are a beginner, you should use file extensions (pcapng for a captured file, hash.16800 for a PMKID hashfile, hash.hccapx for an EAPOL hashfile). That will make life a little easier for you.