New attack on WPA/WPA2 using PMKID
hashcat Forum (https://hashcat.net/forum) > Misc (https://hashcat.net/forum/forum-15.html) > User Contributions (https://hashcat.net/forum/forum-25.html) > Thread: New attack on WPA/WPA2 using PMKID (https://hashcat.net/forum/thread-7717.html)
RE: New attack on WPA/WPA2 using PMKID - ZerBea - 09-27-2018

"file or directory not found" means that there is no file test.pcapng in that directory. Just do a
$ ls
to see what files are present.

RE: New attack on WPA/WPA2 using PMKID - Superninja - 09-28-2018

Hello, ls shows me only the test.16800 file :-(

RE: New attack on WPA/WPA2 using PMKID - freeroute - 09-28-2018

Could you post: "ls -lh"
Did you try "cat test.16800"

RE: New attack on WPA/WPA2 using PMKID - Superninja - 09-28-2018

cat test.16800 shows me the file, that works.

ls -lh:
    insgesamt 1,1M
    -rw-r--r-- 1 root root  15K Sep  9 11:23 changelog
    -rw-r--r-- 1 root root 1001 Sep  9 11:23 com_aes.c
    -rw-r--r-- 1 root root 5,8K Sep  9 11:23 com_formats.c
    -rw-r--r-- 1 root root 4,4K Sep  9 11:23 com_md5_64.c
    -rw-r--r-- 1 root root 2,9K Sep  9 11:23 com_md5_64.h
    -rw-r--r-- 1 root root 6,9K Sep  9 11:23 common.c
    -rw-r--r-- 1 root root  20K Sep  9 11:23 common.h
    -rw-r--r-- 1 root root 1,4K Sep  9 11:23 com_wpa.c
    drwxr-xr-x 7 root root 4,0K Sep  9 11:24 hcxdumptool
    -rwxr-xr-x 1 root root  23K Sep  9 11:23 hcxhashcattool
    -rw-r--r-- 1 root root  12K Sep  9 11:23 hcxhashcattool.c
    -rwxr-xr-x 1 root root 106K Sep  9 11:23 hcxpcaptool
    -rw-r--r-- 1 root root 129K Sep  9 11:23 hcxpcaptool.c
    drwxr-xr-x 2 root root 4,0K Sep  9 11:23 include
    -rw-r--r-- 1 root root 1,1K Sep  9 11:23 license.txt
    -rw-r--r-- 1 root root 1,7K Sep  9 11:23 Makefile
    -rw-r--r-- 1 root root 5,7K Sep  9 11:23 README.md
    -rw-r--r-- 1 root root   82 Sep 27 17:34 test.16800
    drwxr-xr-x 2 root root 4,0K Sep  9 11:23 usefulscripts
    -rwxr-xr-x 1 root root  18K Sep  9 11:23 whoismac
    -rw-r--r-- 1 root root 8,3K Sep  9 11:23 whoismac.c
    -rwxr-xr-x 1 root root  19K Sep  9 11:23 wlancap2wpasec
    -rw-r--r-- 1 root root 5,0K Sep  9 11:23 wlancap2wpasec.c
    -rwxr-xr-x 1 root root  18K Sep  9 11:23 wlancow2hcxpmk
    -rw-r--r-- 1 root root 5,6K Sep  9 11:23 wlancow2hcxpmk.c
    -rwxr-xr-x 1 root root  27K Sep  9 11:23 wlanhashhcx
    -rw-r--r-- 1 root root 3,2K Sep  9 11:23 wlanhashhcx.c
    -rwxr-xr-x 1 root root  18K Sep  9 11:23 wlanhc2hcx
    -rw-r--r-- 1 root root 8,8K Sep  9 11:23 wlanhc2hcx.c
    -rwxr-xr-x 1 root root  18K Sep  9 11:23 wlanhcx2cap
    -rw-r--r-- 1 root root  14K Sep  9 11:23 wlanhcx2cap.c
    -rwxr-xr-x 1 root root  18K Sep  9 11:23 wlanhcx2essid
    -rw-r--r-- 1 root root 5,1K Sep  9 11:23 wlanhcx2essid.c
    -rwxr-xr-x 1 root root  18K Sep  9 11:23 wlanhcx2john
    -rw-r--r-- 1 root root 6,3K Sep  9 11:23 wlanhcx2john.c
    -rwxr-xr-x 1 root root  68K Sep  9 11:23 wlanhcx2psk
    -rw-r--r-- 1 root root  33K Sep  9 11:23 wlanhcx2psk.c
    -rwxr-xr-x 1 root root  31K Sep  9 11:23 wlanhcx2ssid
    -rw-r--r-- 1 root root  37K Sep  9 11:23 wlanhcx2ssid.c
    -rwxr-xr-x 1 root root  48K Sep  9 11:23 wlanhcxcat
    -rw-r--r-- 1 root root  19K Sep  9 11:23 wlanhcxcat.c
    -rwxr-xr-x 1 root root  22K Sep  9 11:23 wlanhcxinfo
    -rw-r--r-- 1 root root  18K Sep  9 11:23 wlanhcxinfo.c
    -rwxr-xr-x 1 root root  18K Sep  9 11:23 wlanhcxmnc
    -rw-r--r-- 1 root root 6,1K Sep  9 11:23 wlanhcxmnc.c
    -rwxr-xr-x 1 root root  18K Sep  9 11:23 wlanjohn2hcx
    -rw-r--r-- 1 root root 7,7K Sep  9 11:23 wlanjohn2hcx.c
    -rwxr-xr-x 1 root root  23K Sep  9 11:23 wlanpmk2hcx
    -rw-r--r-- 1 root root 6,3K Sep  9 11:23 wlanpmk2hcx.c
    -rwxr-xr-x 1 root root  18K Sep  9 11:23 wlanwkp2hcx
    -rw-r--r-- 1 root root 6,0K Sep  9 11:23 wlanwkp2hcx.c

RE: New attack on WPA/WPA2 using PMKID - freeroute - 09-28-2018

So your command was: "hcxpcaptool -z test.16800 test.pcapng"
It saves only PMKID hashes to the file "test.16800".
You can try to find passwords with hashcat: "hashcat -O -m 16800 -a 0 test.16800 wordlist -r rules"
But I recommend using this command:
"hcxpcaptool hcxdump.pcapng -z PMKID-list.txt -U usernamelist.txt -T trafficlist.txt -E wordlist.txt -P pmklist.txt -I identitylist.txt -o hcxdump.hccapx"
You can get the most useful data from the captured packets in this case.
hcxdump.hccapx can be tested with hashcat mode 2500.
PMKID-list.txt can be tested with hashcat mode 16800.
pmklist.txt can be tested with hashcat, too.
wordlist.txt: may contain some passwords.

RE: New attack on WPA/WPA2 using PMKID - slyexe - 09-28-2018

(09-27-2018, 05:49 PM)Superninja Wrote: Hello there,

I think you're doing this backwards. Did you output the file from hcxdumptool as test.16800 or as test.pcapng? The way you're explaining it, it seems you have an output file of test.16800, which is incorrect. When outputting from hcxdumptool it is to be .pcapng and to be converted with hcxpcaptool, not the other way around. So judging the conversation that's been happening here, I'd say you just need to either rename the file you have, test.16800, to test.pcapng. Once that's done just run your
hcxpcaptool -z test.16800 test.pcapng
and it'll convert the pcap file to a workable 16800 PMKID hashfile for use with hashcat. Otherwise you can simply run:
hcxpcaptool -z converted.16800 test.16800
where converted.16800 is the hashfile.

RE: New attack on WPA/WPA2 using PMKID - Superninja - 09-30-2018

Hello there, I tried
hashcat64 -m 16800 test.16800 -a 3 -w 3 '?h?h?h?h?h?h?h?h!
but this is testing only small letters and numbers. Is it possible to test big AND small letters and numbers all at once?

RE: New attack on WPA/WPA2 using PMKID - cashhat - 09-30-2018

(09-27-2018, 02:10 AM)slyexe Wrote:
(09-26-2018, 09:50 PM)cashhat Wrote: Am I doing this right?

slyexe, thanks for the clarification. That does set wlp9s0 to monitor mode (verified with iw dev). Unfortunately it's still giving the same end result. I've tried on two different routers with two different computers (Computer1 -> Router1, Computer1 -> Router2, Computer2 -> Router1, Computer2 -> Router2). The computer I'm running hashcat on is a bit slow, so it takes the better part of a day to get a result, which is the main reason it took me so long to reply.

I think I might be connecting to the network wrong. Both computers already know the wifi network's password and so they automatically complete the login process. If I just do
Code:
    sudo hcxdumptool -o test.pcapng -i wlp9s0 --enable_status=1
(with the device in monitor mode ...or managed mode, btw) it will disconnect within a couple of seconds. So what I do is
Code:
    nmcli d connect wlp9s0
which seems to work (hcxdumptool runs and it finds the PMKID) at least 25% of the time. So I just do that a few times until it works and then move on to the rest of the steps. But nowhere in atom's original post or any of the comments have I seen anyone talking about the need to run those commands back to back or else the interface will disconnect. So I'm guessing that is where I'm doing something wrong. Do you know what's going on with it disconnecting, needing to connect right before running hcxdumptool, or wlp9s0 seeming to want to return to managed mode after being put into monitor mode?

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 09-30-2018

From this commit on:
https://github.com/ZerBea/hcxdumptool/commit/6b006e022291562b9706f408e01ba2904297846f
hcxdumptool will set the interface to monitor mode. That means iw, ip, iwconfig and ifconfig are not needed any longer. After hcxdumptool terminates, it restores the interface to the old values.

You must stop unwanted services if they take access to the interface. hcxdumptool will warn you if they are running:
NetworkManager
wpa_supplicant

If you need NetworkManager to establish a connection on another interface, read more here:
https://github.com/ZerBea/hcxtools/issues/40#issuecomment-399211804
If you do not want this connection to be under attack, you must use the filter list option.

From README.md:
Warning: Do not use a logical interface and leave the physical interface in managed mode. Do not use hcxdumptool in combination with aircrack-ng, reaver, bully or other tools which take access to the interface. Stop all services which take access to the physical interface (NetworkManager, wpa_supplicant,...). Do not use tools like macchanger, as they are useless, because hcxdumptool uses its own random mac address space.

From option -h (help):
do not run hcxdumptool on logical interfaces (monx, wlanxmon)
do not use hcxdumptool in combination with other 3rd party tools, which take access to the interface

From changelog:
iw/ip functionality added! now hcxdumptool will set monitor mode and bring up interface! previous interface settings will be restored, when hcxdumptool terminated

and much other information from here:
https://hashcat.net/forum/thread-6661-post-41821.html#pid41821

And some more warnings:
hcxdumptool is able to prevent complete wlan traffic
hcxdumptool is able to capture PMKIDs from access points (only one single PMKID from an access point required)
hcxdumptool is able to capture handshakes from not connected clients (only one single M2 from the client is required)
hcxdumptool is able to capture handshakes from 5GHz clients on 2.4GHz (only one single M2 from the client is required)
hcxdumptool is able to capture extended EAPOL (RADIUS, GSM-SIM, WPS) (hashcat is able to recover the password of some of them)
hcxdumptool is able to capture passwords from the wlan traffic; an example is attached here: https://hashcat.net/forum/thread-6661-post-35891.html#pid35891 (wlancap2hcx is deprecated and removed - successor is hcxpcaptool)
hcxdumptool is able to capture plainmasterkeys from the wlan traffic
hcxdumptool is able to capture usernames and identities from the wlan traffic

So it's a good idea to choose hcxpcaptool options -E -I -U together with -z and/or -o

RE: New attack on WPA/WPA2 using PMKID - ZerBea - 09-30-2018

@Superninja
It is not a good idea to copy hcxtools source and hcxdumptool source into the same directory. Also it is not a good idea to use this directory as your working directory.
If you are a beginner, you should use file extensions (pcapng for a captured file, hash.16800 for a PMKID hashfile, hash.hccapx for an EAPOL hashfile). That will make life a little easier for you.
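The .16800 file that hcxpcaptool -z writes and hashcat -m 16800 reads, as freeroute and ZerBea describe above, holds one line per PMKID in the layout PMKID*MAC_AP*MAC_STA*ESSID_HEX. The following is an added example, not code from the thread, hcxtools or hashcat: it parses such a line and, for a network whose passphrase the owner already knows, checks that a captured PMKID really belongs to that network, which is a quick way to tell a valid hashfile from a mislabelled capture. The ESSID, passphrase and MAC addresses are constructed.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# hashcat -m 16800 line layout: PMKID*MAC_AP*MAC_STA*ESSID_HEX, every field hex-encoded
LINE_RE = re.compile(r"^([0-9a-f]{32})\*([0-9a-f]{12})\*([0-9a-f]{12})\*([0-9a-f]+)$")

@dataclass
class Pmkid16800:
    pmkid: bytes    # 16 bytes: first 128 bits of the HMAC-SHA1 output
    mac_ap: bytes   # 6 bytes: BSSID of the access point
    mac_sta: bytes  # 6 bytes: MAC of the client (here: the capturing station)
    essid: bytes    # raw ESSID, 1..32 bytes

def parse_16800(line: str) -> Pmkid16800:
    """Parse one line of a .16800 hashfile; raise ValueError if it is not one."""
    m = LINE_RE.match(line.strip().lower())
    if not m:
        raise ValueError("not a hashcat 16800 PMKID line")
    pmkid, ap, sta, essid = (bytes.fromhex(g) for g in m.groups())
    if not 1 <= len(essid) <= 32:
        raise ValueError("ESSID must be 1..32 bytes")
    return Pmkid16800(pmkid, ap, sta, essid)

def compute_pmkid(passphrase: str, essid: bytes, mac_ap: bytes, mac_sta: bytes) -> bytes:
    """IEEE 802.11: PMKID = HMAC-SHA1-128(PMK, "PMK Name" | AA | SPA), where
    PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]

def verify_16800(line: str, passphrase: str) -> bool:
    """True if the PMKID on this line was derived from the given passphrase."""
    r = parse_16800(line)
    return hmac.compare_digest(r.pmkid, compute_pmkid(passphrase, r.essid, r.mac_ap, r.mac_sta))

def make_16800_line(passphrase: str, essid: str, mac_ap_hex: str, mac_sta_hex: str) -> str:
    """Build the line hcxpcaptool -z would write for a network whose parameters are known."""
    ap, sta, ssid = bytes.fromhex(mac_ap_hex), bytes.fromhex(mac_sta_hex), essid.encode()
    return "*".join([compute_pmkid(passphrase, ssid, ap, sta).hex(), mac_ap_hex, mac_sta_hex, ssid.hex()])

# Constructed sample: locally administered MACs, made-up ESSID and passphrase.
SAMPLE_LINE = make_16800_line("correct horse", "TestNet-Lab", "0200aabbccdd", "020011223344")
```

For an 11-byte ESSID the line is 81 characters, so one line plus its newline is 82 bytes, the size of the test.16800 in the listing above, consistent with a file holding a single PMKID.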